Oracle’s Autonomous Cloud Security Claims Met with Skepticism
Is it really possible to eliminate data breaches by eliminating human operators, and would Oracle be the one to do it?
September 25, 2019
Last week, Oracle co-founder and CTO Larry Ellison claimed that Oracle's new autonomous systems will eliminate all data breaches. Not everyone's buying it.
"Autonomous systems eliminate human labor," Ellison said in a keynote address. "And when you eliminate human labor, you eliminate pilot error."
For example, this summer's Capital One data breach was caused by a configuration error within its Amazon Web Services cloud infrastructure.
"Amazon takes a very reasonable position," said Ellison. "Saying, 'Hey, you misconfigured the system, that's your mistake, we at Amazon can't be responsible.' If you spend the night drinking and get into your Ford 150 and crash it, that's not Ford's problem. But if you get into an autonomous Tesla, it should drive you home safely."
Oracle, with its autonomous, self-configuring, self-tuning database, operating system, and cloud infrastructure, is the self-driving car in this example.
"So, in the Amazon cloud, if you make an error and it leads to catastrophic data loss, that's on you," he said. "In the Oracle cloud... the system is responsible for preventing data loss. Not you. Us. Or, more precisely, our automated systems. No human labor. No human error. No data loss. That's a big difference between us and AWS."
But if any cloud company were to become the first to roll out a fully autonomous, self-configuring system, would it be Oracle?
Oracle currently has less than 1.8 percent of the cloud market, according to Gartner’s latest estimate, putting it behind Amazon, Microsoft, Alibaba, Google, and IBM. All those other companies are better known for their machine learning technology than Oracle is.
"If I was in their shoes, I'd be less about trying to compete in the AI world but double down on what they do best and drive value in the enterprise market," said Brian Johnson, CEO and co-founder at DivvyCloud, a cloud security vendor and an Oracle partner.
Oracle has a lot of experience working with large enterprises, something which Amazon and Google aren't always good at, he said.
"If you're going to bet on AI, you're going to bet on Google," he said. "Or you might bet on Amazon. You're not going to bet on Oracle."
And even if Oracle did get the machine learning right, it wouldn’t stop data breaches, he added.
"That would be an amazing feat, and I wish them the best of luck," he said. "But the next level of attacks is most certainly coming. The autonomous cloud, or whatever they call it, will also have problems and holes that can be exploited. The more complex you make a system the more potential you have for security vulnerabilities."
In addition, there's only so much a cloud provider can do if a client insists on running insecure applications, said Sid Nag, VP of cloud research at Gartner.
"Are they going to say, you can't put these kinds of workloads on the cloud?" he asked. "If the customer doesn't comply, are they going to reject the business of that customer?"
There's also a lack of details about how, specifically, Oracle plans to use machine learning to automate security.
"They're saying that other clouds aren't secure, and their cloud is secure," said Nag. "But it's not clear how. I'm not saying that they don't have a unique technology. I just don't know what it is."
He's not the only one who wants to see more details.
"Oracle needs to show how it is more secure, rather than say it’s more secure," said Marty Puranik, CEO at Atlantic.Net, a data center provider. "Oracle is pushing their autonomous database technology, but once again we need to see proof that it works compared to alternative solutions."
Mike Lloyd, CTO of cybersecurity vendor RedSeal, called Oracle's latest promises an example of "hyperbolic marketing."
"People find clouds inherently confusing, not least when trying to understand who is responsible for what," he said. "Of course, if you think your cloud vendor is responsible for some aspect of security, but they think you’re responsible for it, then you’re on a road to a bad place."
Whether or not it makes a difference that some of the responsibility for cloud configurations is being shifted from the customer to the provider is a matter of opinion, he said – but it's not a revolutionary change.
I talked to Fred Kost, VP of security product marketing at Oracle, to get some clarification on these issues.
He admitted that Oracle's new autonomous approach to cloud security isn't going to eliminate all breaches.
"Information security is very much a cat-and-mouse game," he said. "You shore up your defenses, and the attacker thinks differently and pokes a hole through in a different way. But I think we can be better at configuring and operating systems."
For example, he said, the self-patching, encryption-by-default, and self-optimizing capabilities are already available in Oracle's cloud databases. The new Oracle Data Safe, a unified control center for automating database security, is already shipping.
Oracle's new autonomous distribution of Linux is also already available for customers, including automatic patching and other intelligent security capabilities.
The other two big cybersecurity improvements – Oracle Maximum Security Zones and Oracle Cloud Guard – will be available next year, he said.
The combination of these security technologies should dramatically reduce cloud security risks, he said – even if customers use the cloud to run their own insecure applications.
The Capital One breach, for example, involved several different points of failure, he said.
"If a customer brings something into the environment that's vulnerable, let's say they're running something that isn't patched, the attacker won't get any further," he said. "We've done all the work to lock down the environment, so the attacker doesn't get very far."