Larry Ellison, Oracle’s chief technology officer and chairman, has identified security as the IT industry’s biggest concern as it moves towards cloud computing, and wants to push it down the application stack to the silicon level to win the cyber battle against hackers.
Long-time observers of the information security field will remember similar arguments being put forward in the earlier part of the past decade for a trusted computing platform, associated with Microsoft, Intel and HP, among others.
Speaking in his second keynote address at Oracle’s 2015 OpenWorld event in San Francisco, Ellison said: “We need next-generation security because we are not winning the cyber battles. We have not yet lost the war. But this is a technology confrontation, sometimes at the country level.
“Especially if we are going to move lots of data to the cloud, we have to make sure it is secure.”
Ellison invoked Oracle’s history – its first, second and third customers were the CIA, the NSA and the US Department of Defense – to stress its security ethos.
He also outlined what he called some “rules of thumb on security”. They were as follows: “Database security is better than applications security, and security should be always-on. You should always push security down, all the way down, and to the silicon level. Push it as low down the stack as possible.
“It is better to have it at the database layer than at the application layer, and better at the silicon level than at the OS [operating system] level.
“The last time I checked, even the best hackers have not figured out a way to download changes to your microprocessor. You cannot alter the silicon.
“The always-on rule of thumb means it should be impossible to turn off encryption. The idea of turning on and off security features makes no sense.”
Once credit card details have been stolen in the tens of millions, he said, they can end up on servers in Russia, not even on the dark net, and still be verified as working. “We don’t work with them,” he joked.
M7 intrusion detection
Oracle’s contribution to solving the security problem will, he said, take the form of always-on intrusion detection, in memory, on its M7 microprocessor. The supplier is calling the technology silicon-secured memory.
“You’ll see us implementing more security features in silicon,” he said. “You will see us making more chips. Only we are doing this.”
The principle is to deny a program access to memory that belongs to another program. The M7 hardware will issue a real-time alert if such an attempt is being made. Only a percentage of servers will need the chip for it to be effective in a customer’s Oracle cloud, Ellison said. “You’ll know the system is under attack and then you can do something about it.”
That way, data encryption is always on, he said. “Ask all SaaS companies if they can access your data: we can’t.”
Silicon alone not sufficient
Asked for his response to the new Oracle security strategy, Iain Patterson, chief technology officer at the DVLA, on secondment from the Cabinet Office, said: “As I see it, in the Oracle world, you have security running from top to bottom in the stack. What I’d say is you can’t rest on your laurels having implemented security at the silicon layer, you still have to look at the security in your applications at every point of the stack. You alone are responsible for that; you can’t rely on a third party.”