
Larry Ellison Challenges The Status Quo Of Computer Security

Oracle

An energized Larry Ellison, addressing a rapt audience for the second time at Oracle OpenWorld 2015, explained how Oracle has approached some of the security issues bedeviling the industry. “The current state of the art [in security] is not getting it done,” Ellison said. “We haven’t lost the war, but we’re losing a lot of the battles.”

Larry Ellison, executive chairman and CTO of Oracle, speaks at Oracle OpenWorld 2015.

Ellison was jazzed about an engineering breakthrough, “an advance in the state of the art in security,” that Oracle unveiled at the conference. Called Silicon Secured Memory, it’s a security function hardwired directly into Oracle’s new microprocessor, the SPARC M7. It recognizes—and immediately prevents—a persistent programming problem known as illegal memory access, which can cause vulnerabilities like those exploited by the infamous “Heartbleed” bug that wreaked cyber havoc last year. Had Silicon Secured Memory (SSM) been around at the time, Ellison said, “it would have discovered Heartbleed and stopped Heartbleed in real time.”

It’s not an incidental concern. Illegal memory access could let hackers not just invade computer systems but rewrite applications, a very troubling proposition. “You can imagine what happens when [they] start changing data, versus just making copies and stealing it,” Ellison said.
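The kind of check described above, modelled in software as an added example (this is not Oracle's code and does not describe the M7 circuitry): memory is split into granules that each carry a version, every pointer carries the version it was issued with, and a load whose two versions disagree is refused before the byte is read. The 64-byte granule, the 4-bit version, and the fixed request layout are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model of version-tagged memory: the arena is split into 64-byte granules,
 * each stamped with a 4-bit version. Sizes are assumptions for the model, not a
 * description of the M7 hardware. */
#define GRANULE    64
#define NGRANULES  4
#define ARENA_SIZE (GRANULE * NGRANULES)

static uint8_t arena[ARENA_SIZE];
static uint8_t granule_tag[NGRANULES];
static uint8_t next_tag;

typedef struct { size_t off; uint8_t tag; } tptr;  /* pointer + its version */

/* Allocate n bytes at offset off, rounded up to whole granules, and stamp those
 * granules with a fresh version so that neighbouring allocations differ. */
static tptr tagged_alloc(size_t off, size_t n) {
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);        /* cycle 1..15; 0 = untagged */
    for (size_t g = off / GRANULE; g < (off + n + GRANULE - 1) / GRANULE; g++)
        granule_tag[g] = tag;
    return (tptr){ off, tag };
}

/* Checked load: fails when the pointer's version and the granule's version
 * disagree, i.e. when a read has strayed into a different allocation. */
static int tagged_load(tptr p, size_t i, uint8_t *out) {
    size_t a = p.off + i;
    if (a >= ARENA_SIZE || granule_tag[a / GRANULE] != p.tag) return -1;
    *out = arena[a];
    return 0;
}

/* Heartbleed-style echo: the request holds 5 bytes but the reply copies as many
 * as the request claims. Returns 0 if the copy completed, -1 if a tag mismatch
 * stopped it; *copied receives the number of bytes read before that. */
int run_request(size_t claimed, size_t *copied) {
    static uint8_t reply[ARENA_SIZE];
    next_tag = 1;                                    /* deterministic versions */
    memset(arena, 0, sizeof arena);
    tptr req    = tagged_alloc(0, 16);               /* granule 0, version 1 */
    tptr secret = tagged_alloc(GRANULE, GRANULE);    /* granule 1, version 2 */
    memcpy(arena + req.off, "hello", 5);
    memset(arena + secret.off, 'S', GRANULE);        /* data an over-read would leak */
    for (*copied = 0; *copied < claimed; (*copied)++)
        if (tagged_load(req, *copied, &reply[*copied]) != 0) return -1;
    return 0;
}
```

Two limits of the model are worth keeping in mind: a read that stays inside the unused tail of its own final granule is not caught, and with a 4-bit version two adjacent allocations can share a value, so the check catches crossings into foreign memory rather than every off-by-one.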

The new processor’s advanced features are impressive. The sixth iteration of the chip technology Oracle acquired when it bought Sun five years ago, the SPARC M7 is not only a flame-thrower in terms of processing power (32 cores, 256 threads, 10 billion transistors) but also an engineering marvel, incorporating several so-called “software in silicon” features that speed up database processing as well as enhance security.

Always-On Security

Where and how to implement computer security was Ellison’s overall theme. First, security should be elemental. “You should always push your security features as low in the stack as possible,” he said several times. Second, security should be “on” all the time. “This idea of turning on and off security features makes no sense,” he said.

Take data encryption. The new SPARC M7 features very high-speed encryption hardwired into the processor, which translates to almost no performance overhead—and it’s always turned on.

Ellison related a strategy debate he and his engineers had several years ago about incorporating encryption into backup devices, and whether they should allow customers, for performance reasons, to turn it off. They did then. They won’t now. “I’m arguing that’s a bad idea,” he said. “In that case, customer choice is a bad idea, because maybe someone will forget to turn on encryption” and lose 10 million credit card numbers as a result, he said.

Built-In Defenses

By incorporating both SSM and data encryption directly into the processor—the lowest level of the computing “stack”—Oracle is making good on Ellison’s strategy of elemental and “always on” security. Such built-in defenses will increase in importance as more and more IT processing, and therefore more and more data, migrates to the cloud. That’s especially true in hybrid cloud environments, where data will pass back and forth between public and private systems.

In a large cloud environment, it would take only relatively few SPARC M7-based servers to alert a company to a hacker attack attempting to exploit illegal memory references, Ellison pointed out. “The second that attack hits the M7, we immediately detect it,” he said. “We've just got to discover the attack, and we need to discover the attack as early as possible.”

Today, Oracle can provide encryption across all levels of the computing stack: processor, operating system, network, database, and applications. And Oracle walks that walk in its public cloud, Ellison said, where all customer data is encrypted. “We think encryption should always be on, and that's the policy in our cloud,” he said.

Only Customers Hold the Keys

That ubiquitous encryption isn’t only a security feature but a privacy feature as well, Ellison pointed out. That’s because, even though their data is stored in Oracle’s systems, only customers have the encryption keys needed to unscramble it. “Nobody at Oracle—not our DBAs, not our engineers, not the head of engineering—can read our customers' data in the cloud,” Ellison asserted.

To that end Ellison touted a feature called Oracle Key Vault, which lets customers manage their encryption keys in a single, secure container. And Oracle Key Vault can reside either in customers’ own on-premises systems or in Oracle’s Public Cloud.

Oracle’s privacy advantage prompted Ellison to challenge his audience to quiz other cloud providers about their customer data access policies: “Ask this one simple question—do your engineers have access to all of your data?” Ellison said he knew the most likely answer—yes—which made him wonder out loud again about the status quo of computer security. “You guys have a lot of trust,” he said.

If Ellison’s security push pans out, they won’t need it.
