Oracle’s Autonomous Cloud Security Claims Met with Skepticism

Is it really possible to eliminate data breaches by eliminating human operators, and would Oracle be the one to do it?

Maria Korolov

September 25, 2019

5 Min Read
Oracle co-founder, chairman, and CTO speaking at Oracle OpenWorld 2019 in San Francisco
Oracle co-founder, chairman, and CTO speaking at Oracle OpenWorld 2019 in San FranciscoJustin Sullivan/Getty Images

Last week, Oracle co-founder and CTO Larry Ellison claimed that Oracle's new autonomous systems will eliminate all data breaches. Not everyone's buying it.

"Autonomous systems eliminate human labor," Ellison said in a keynote address. "And when you eliminate human labor, you eliminate pilot error."

For example, this summer's Capital One data breach was caused by a configuration error within its Amazon Web Services cloud infrastructure.

"Amazon takes a very reasonable position," said Ellison. "Saying, 'Hey, you misconfigured the system, that's your mistake, we at Amazon can't be responsible.' If you spend the night drinking and get into your Ford 150 and crash it, that's not Ford's problem. But if you get into an autonomous Tesla, it should drive you home safely."

Oracle, with its autonomous, self-configuring, self-tuning database, operating system, and cloud infrastructure is the self-driving car in this example.

"So, in the Amazon cloud, if you make an error and it leads to catastrophic data loss, that's on you," he said. "In the Oracle cloud... the system is responsible for preventing data loss. Not you. Us. Or, more precisely, our automated systems. No human labor. No human error. No data loss. That's a big difference between us and AWS."

Related:Oracle Cloud Puts Data Center Expansion Pedal to the Metal

But if any cloud company was to become first to roll out a fully autonomous, self-configuring system, would it be Oracle?

Oracle currently has less than 1.8 percent of the cloud market, according to Gartner’s latest estimate, putting it behind Amazon, Microsoft, Alibaba, Google, and IBM. All those other companies are better known for their machine learning technology than Oracle is.

"If I was in their shoes, I'd be less about trying to complete in the AI world but double down on what they do best and drive value in the enterprise market," said Brian Johnson, CEO and co-founder at DivvyCloud, a cloud security vendor and an Oracle partner.

Oracle has a lot of experience working with large enterprises, something which Amazon and Google aren't always good at, he said.

"If you're going to bet on AI, you're going to bet on Google," he said. "Or you might bet on Amazon. You're not going to bet on Oracle."

And even if Oracle did get the machine learning right, it wouldn’t stop data breaches, he added.

"That would be an amazing feat, and I wish them the best of luck," he said. "But the next level of attacks is most certainly coming. The autonomous cloud, or whatever they call it, will also have problems and holes that can be exploited. The more complex you make a system the more potential you have for security vulnerabilities."

In addition, there's only so much a cloud provider can do if a client insists on running insecure applications, said Sid Nag, VP of cloud research at Gartner.

"Are they going to say, you can't put these kinds of workloads on the cloud?" he asked. "If the customer doesn't comply, are they going to reject the business of that customer?"

There's also a lack of details about how, specifically, Oracle plans to use machine learning to automate security.

"They're saying that other clouds aren't secure, and their cloud is secure," said Nag. "But it's not clear how. I'm not saying that they don't have a unique technology. I just don't know what it is."

He's not the only one who wants to see more details.

"Oracle needs to show how it is more secure, rather than say it’s more secure," said Marty Puranik, CEO at Atlantic.Net, a data center provider. "Oracle is pushing their autonomous database technology, but once again we need to see proof that it works compared to alternative solutions."

Mike Lloyd, CTO of cybersecurity vendor RedSeal, called Oracle's latest promises an example of "hyperbolic marketing."

"People find clouds inherently confusing, not least when trying to understand who is responsible for what," he said. "Of course, if you think your cloud vendor is responsible for some aspect of security, but they think you’re responsible for it, then you’re on a road to a bad place."

Whether or not it makes a difference that some of the responsibility for cloud configurations is being shifted from the customer to the provider is a matter of opinion, he said – but it's not revolutionary change.

I talked to Fred Kost, VP of security product marketing at Oracle, to get some clarification on these issues.

He admitted that Oracle's new autonomous approach to cloud securing isn't going to eliminate all breaches.

"Information security is very much a cat-and-mouse game," he said. "You shore up your defenses, and the attacker thinks differently and pokes a hole through in a different way. But I think we can be better at configuring and operating systems."

For example, he said, the self-patching, encryption-by-default, and self-optimizing capabilities are already available in Oracle's cloud databases. The new Oracle Data Safe, a unified control center for automating database security, is already shipping.

Oracle's new autonomous distribution of Linux is also already available for customers, including automatic patching and other intelligent security capabilities.

The other two big cybersecurity improvements – Oracle Maximum Security Zones and Oracle Cloud Guard will be available next year, he said.

The combination of these security technologies should dramatically reduce cloud security risks, he said – even if customers use the cloud to run their own insecure applications.

The Capital One breach, for example, involved several different points of failure, he said.

"If a customer brings something into the environment that's vulnerable, let's say they're running something that isn't patched, the attacker won't get any further," he said. "We've done all the work to lock down the environment, so the attacker doesn't get very far."

About the Author

Maria Korolov

Maria Korolov is an award-winning technology journalist who covers cybersecurity, AI, and extended reality. She also writes science fiction.

https://www.mariakorolov.com/

Subscribe to the Data Center Knowledge Newsletter
Get analysis and expert insight on the latest in data center business and technology delivered to your inbox daily.

You May Also Like