The cloud needs next-gen security
28 October 2015
“We need a next generation of security because we are not winning a lot of these cyberbattles,” said Larry Ellison at Oracle OpenWorld 2015. “And it is a technology confrontation.”
In a battle between nation states, between businesses, and hackers, Ellison said, security features should be always on and pushed as low in the technology stack as possible, so that they can have maximum effect.
Security in silicon, said Ellison, is inherited by all software.
To that end, Oracle has built security capabilities into the silicon of its new M7 processor, which it claims has near-zero performance impact.
Security in silicon
The M7 offers always-on security at the silicon level, such as memory intrusion detection. It also has high-speed encryption and SQL performance enhancements, such as memory decompression to accelerate in-memory computing.
Oracle asserts that this is the first hardware-based memory intrusion protection of its kind. The always-on approach, Oracle says, stops programs from accessing memory belonging to other applications while having near-zero performance impact. These measures, Ellison said, would have stopped exploitation of vulnerabilities such as Heartbleed and Venom.
The M7 achieves this by assigning a key to each region of memory a program requests; the program is then given the corresponding key. If the program tries to access memory whose key does not match the one it was assigned, the hardware raises a signal.
This catches accesses off the end of a structure, stale-pointer accesses and deliberate attacks, said Ellison, and also helps developers find such bugs before they ship in applications.
Based on this, Ellison claims that both the Heartbleed and Venom exploits would have been detected in real time.
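To make the mechanism concrete, here is a small software model of memory tagging, written as an added example for this article; it is not Oracle's or the M7's code. It imitates the idea described above: each granule of memory carries a version (the article's "key"), each pointer carries the version it was issued with, and every access compares the two. The 64-byte granule, the 4-bit version in the top nibble of a 64-bit address, and version 0 meaning "untagged" are assumptions of this model, not facts from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Software model of silicon memory tagging (added example, not Oracle's code).
 * Assumed parameters: 64-byte granules, a 4-bit version stored in bits 63:60
 * of a 64-bit "address", version 0 reserved for untagged memory. */
#define GRANULE        64
#define HEAP_GRANULES  64
#define TAG_SHIFT      60
#define ADDR_MASK      ((1ULL << TAG_SHIFT) - 1)

typedef uint64_t tagged_ptr;              /* [63:60] version, [59:0] byte offset */

static uint8_t heap[GRANULE * HEAP_GRANULES];
static uint8_t granule_version[HEAP_GRANULES];   /* what the cache would hold */
static int     next_granule;
static uint8_t next_version;

static void reset_heap(void) {
    for (int i = 0; i < HEAP_GRANULES; i++) granule_version[i] = 0;
    next_granule = 0;
    next_version = 1;
}

static uint8_t fresh_version(void) {
    uint8_t v = next_version;
    next_version = (uint8_t)(next_version % 15 + 1);   /* cycle through 1..15 */
    return v;
}

static tagged_ptr make_ptr(int first_granule, uint8_t version) {
    return ((uint64_t)version << TAG_SHIFT) | (uint64_t)first_granule * GRANULE;
}

/* Allocate whole granules coloured with a fresh version. Returns 0 when full. */
static tagged_ptr tagged_alloc(size_t size) {
    int n = (int)((size + GRANULE - 1) / GRANULE);
    if (n == 0 || next_granule + n > HEAP_GRANULES) return 0;
    uint8_t v = fresh_version();
    for (int i = 0; i < n; i++) granule_version[next_granule + i] = v;
    tagged_ptr p = make_ptr(next_granule, v);
    next_granule += n;
    return p;
}

/* Free by re-colouring: any pointer still holding the old version is stale. */
static void tagged_free(tagged_ptr p, size_t size) {
    int first = (int)((p & ADDR_MASK) / GRANULE);
    int n = (int)((size + GRANULE - 1) / GRANULE);
    uint8_t v = fresh_version();
    for (int i = 0; i < n; i++) granule_version[first + i] = v;
}

/* The check the silicon would perform on every load or store. Returns 1 if
 * the pointer's version matches the granule it lands in, 0 if it would trap. */
static int tagged_store(tagged_ptr p, size_t off, uint8_t byte) {
    uint64_t addr = (p & ADDR_MASK) + off;
    if (addr >= sizeof heap) return 0;                 /* off the modelled heap */
    int g = (int)(addr / GRANULE);
    uint8_t ptr_ver = (uint8_t)(p >> TAG_SHIFT);
    if (granule_version[g] != ptr_ver) return 0;       /* version mismatch: trap */
    heap[addr] = byte;
    return 1;
}

/* Off-the-end access: a 100-byte buffer A followed by B. Writes inside A's
 * granules pass; the write that lands in B's first granule is caught. */
int overrun_is_caught(void) {
    reset_heap();
    tagged_ptr a = tagged_alloc(100);   /* granules 0-1, version 1 */
    tagged_ptr b = tagged_alloc(64);    /* granule 2,   version 2 */
    (void)b;
    for (size_t i = 0; i < 100; i++)
        if (!tagged_store(a, i, 0x41)) return 0;      /* legitimate writes must pass */
    return tagged_store(a, 128, 0x41) == 0;            /* A[128] is B's memory */
}

/* Stale pointer: free C, then write through the old pointer. */
int stale_pointer_is_caught(void) {
    reset_heap();
    tagged_ptr c = tagged_alloc(32);
    if (!tagged_store(c, 0, 0x42)) return 0;
    tagged_free(c, 32);                 /* granule re-coloured to version 2 */
    return tagged_store(c, 0, 0x42) == 0;
}

/* Caveat: a write at A[100..127] stays inside A's last granule and is NOT
 * caught; tagging is only as precise as the granule unless the allocator pads. */
int slack_overrun_is_missed(void) {
    reset_heap();
    tagged_ptr a = tagged_alloc(100);
    return tagged_store(a, 110, 0x41) == 1;
}

int main(void) {
    printf("overrun caught:       %d\n", overrun_is_caught());
    printf("stale pointer caught: %d\n", stale_pointer_is_caught());
    printf("slack overrun missed: %d\n", slack_overrun_is_missed());
    return 0;
}
```

The third case is the caveat a practitioner should keep in mind when reading the "off end of structure" claim: an over-run that stays within the allocation's final granule matches the same version and passes, so the protection is only as fine-grained as the granule, and allocators typically pad or align objects to granule boundaries to close that gap. The same comparison applies to loads, which is the case that matters for an over-read such as Heartbleed.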
An organisation need not be running entirely on M7 processors, said Ellison, to see the benefits of these new capabilities. Even a few deployed M7 systems can detect an attack on the entire compute cloud, he said. Once discovered, the other unprotected machines can then be patched.
Oracle Ksplice for Userspace allows users to patch Oracle Linux with zero downtime, which would allow rapid response to and mitigation of vulnerabilities such as those mentioned above. Support for other Linux distributions is also on the way.
Always-on encryption prevents clear-text data loss, and to manage it Oracle has introduced Oracle Key Vault, a centralised, on-premises key manager for the enterprise. Key creation, sharing, rotation and expiration can all be managed, and all access to keys and all key lifecycle changes are audited.
This prompts an interesting question for users signing up to a service, said Ellison: ask whether the provider's technical staff can see your data. With always-on encryption, he said, this could not happen.
Furthermore, Oracle now provides the ability to mask and subset data, either to further protect it or to allow systems to be tested with representative but not genuine data.
Oracle Audit Vault gives users an audit trail they manage themselves, which also allows breaches to be detected earlier by revealing anomalous behaviour.
All of these measures and services combine, said Ellison, to provide the next generation of security required for organisations to migrate to and leverage cloud services safely.
To further help users do so, Ellison also announced the availability of a new engineered system, the Private Cloud Machine, which is identical in hardware and software to the building blocks of Oracle's public service platforms. This allows organisations to build their own private cloud infrastructure to the same standards of performance, reliability and security as Oracle's service offerings, while also making hybrid operation easier.
To manage all of this, the Oracle Management Cloud is now available: a cloud-based monitoring and analytics service that stores all types of machine data and correlates it automatically. It can manage both on-premises systems and cloud resources.
A low-cost archive service, at 0.1 cent per gigabyte per month, was also announced, aimed at large datasets and the like, offering encryption and multiple redundant copies.
Ellison rounded off by saying that 2015 had been a year of innovation for Oracle, across software, platform and infrastructure as a service offerings. Under SaaS, Oracle has delivered a complete set of enterprise cloud applications, which it claims is a first. Under PaaS, it has delivered easy migration of applications and databases to the public cloud. On IaaS, it has delivered always-on security and fault-tolerant reliability at commodity prices.