By David F. Carr
Oracle Executive Chairman and CTO Larry Ellison discusses security in the cloud at an Oracle OpenWorld 2015 keynote. (1:08:44)
Oracle wants to remove the “off” switch from security, building it into computing by default at an ever-lower level of the technology stack, Oracle Executive Chairman and CTO Larry Ellison said Tuesday 27 October during a keynote address at Oracle OpenWorld 2015.
His focus was on security in the cloud, although not only in the cloud. For the IT industry and consumers, security is the biggest concern about cloud computing – and computing in general, he said. “We need much better security. We need a next generation of security. We are not winning a lot of these cyber-battles. We are losing a lot of these battles.”
As if it weren’t bad enough that retail credit card databases are being pilfered on a regular basis, this year the US government had to admit it lost 20 million personnel records, which included background checks and fingerprints. The CIA had to pull personnel out of embassies for fear that their cover had been blown, Ellison noted.
Making security features optional may have made sense at one point, when security features like encryption had a greater impact on processing speed, but it doesn’t make sense anymore, Ellison said. One of the advantages of Oracle’s cloud services is that security will always be enabled by default, he said.
One of the ways to make security better is to make it more fundamental to computing, Ellison argued. It’s better to have security at the database level than in the application (although it’s OK to have both) because all applications can inherit that security, he said. Similarly, it’s better to have security at the level of the processor than the operating system because silicon is more tamper-proof. “That’s better than having it in software because software can be changed,” he said.
Oracle is acting on that belief with the SPARC M7, the latest generation of the processor family Oracle acquired with its purchase of Sun Microsystems in 2010. Beyond hardware-based encryption, which is enabled by default, the SPARC M7 is distinguished by a technology called “Silicon Secured Memory”, which blocks a widely exploited category of security bugs known as buffer overflows. In a buffer overflow, a program reads or writes memory beyond the bounds of the buffer allocated to it, so that data which should be under the control of one program or one part of a program ends up exposed to, or controlled by, another. This was a factor in both last year’s Heartbleed SSL security vulnerability and the more recent Venom bug. Silicon Secured Memory can also weed out more innocent buffer overflows caused by programming errors, Ellison noted.
The memory security works by “locking” allocations of memory assigned to a given program and supplying the program with the “key”, Ellison said. If a program tries to access a region of memory without having the required mathematical key, access is denied and an alert can be sent to security monitoring software.
“If Silicon Secured Memory had been around at the time of Heartbleed, it would have discovered Heartbleed and stopped Heartbleed,” Ellison said, and the same would have been true of Venom. “It would just shut them down in real time.”
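The lock-and-key scheme described above, reduced to a runnable toy so the denied access and the alert can be seen: this is an added example, not Oracle’s or the SPARC M7’s code. It assumes a 16-byte granule, a 4-bit tag carried in the unused top byte of a 64-bit pointer, a bump allocator and a single over-read scenario, all constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed simulation (not Oracle's implementation) of lock-and-key memory:
 * every 16-byte granule of a toy heap carries a 4-bit tag, each allocation gets a
 * fresh tag that is also folded into the pointer's top byte, and every load compares
 * the two. Granule size, tag width and pointer layout are assumptions. */
#define GRANULE    16
#define HEAP_BYTES 256
#define TAG_SHIFT  56
#define TAG(p) ((uint8_t)((p) >> TAG_SHIFT))                          /* key in the pointer */
#define OFF(p) ((size_t)((p) & (((uint64_t)1 << TAG_SHIFT) - 1)))     /* address part */

static uint8_t heap[HEAP_BYTES];
static uint8_t granule_tag[HEAP_BYTES / GRANULE];   /* lock per granule; 0 = unallocated */
static size_t  next_granule;
static uint8_t next_tag = 1;
static int     alerts;                              /* denied accesses a monitor would see */

/* Bump allocator: stamp a fresh tag on each granule of the allocation and put the
 * same tag in the returned pointer, so the pointer holds the key for that region only. */
uint64_t tagged_alloc(size_t bytes) {
    size_t n = (bytes + GRANULE - 1) / GRANULE;
    if (n == 0 || next_granule + n > HEAP_BYTES / GRANULE) return 0;
    uint8_t tag = next_tag; next_tag = (uint8_t)(next_tag % 15 + 1);   /* keys cycle 1..15 */
    for (size_t i = 0; i < n; i++) granule_tag[next_granule + i] = tag;
    uint64_t p = (uint64_t)(next_granule * GRANULE) | ((uint64_t)tag << TAG_SHIFT);
    next_granule += n;
    return p;
}

/* Checked byte load: allowed only when the pointer's key matches the granule's lock;
 * a mismatch is denied and counted as an alert instead of handing back the data. */
int checked_load(uint64_t p, uint8_t *out) {
    size_t off = OFF(p);
    if (off >= HEAP_BYTES || granule_tag[off / GRANULE] != TAG(p)) { alerts++; return 0; }
    *out = heap[off];
    return 1;
}
int alert_count(void) { return alerts; }

/* Over-read scenario: a 16-byte request buffer is followed by a 16-byte secret, and a
 * 32-byte copy starts from the request pointer. Returns how many bytes were read. */
size_t demo_overread(void) {
    uint8_t out[32]; size_t got = 0;
    memset(granule_tag, 0, sizeof granule_tag); next_granule = 0; next_tag = 1; alerts = 0;
    uint64_t req = tagged_alloc(16), secret = tagged_alloc(16);
    memcpy(heap + OFF(req), "request.........", 16);      /* constructed sample data */
    memcpy(heap + OFF(secret), "TOP-SECRET-KEY!!", 16);
    while (got < sizeof out && checked_load(req + got, &out[got])) got++;
    return got;   /* 16: byte 17 lies in a granule with a different lock and is denied */
}
```

The copy stops at the granule boundary with exactly one alert raised, which is the point of the scheme: the over-read is refused at the access itself rather than discovered later from its effects.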
While replacing all the processors in a data centre may not be realistic, if even 3 to 5 per cent of the servers in a cloud have this feature, the data centre operator will quickly know that it is under attack. That is how Oracle plans to begin using the processors in its own cloud, Ellison said. “Once we know we’re under attack, we can do something.”
Also during the keynote, Ellison announced “Oracle Private Cloud Machine for PaaS and IaaS”, another member of Oracle’s engineered systems family. Oracle Engineered Systems are high-end servers preconfigured for specific purposes. In this case, the idea is to assist customers who want to begin working with Oracle’s public cloud while reserving the option to move software back and forth between their data centres and the cloud. The private cloud machine includes hardware, operating system, database and middleware configurations identical to those used in Oracle’s public cloud, Ellison said. “It’s like we took a piece of the cloud out of the cloud, and plunked it down in your data centre.”