Do Oracle Cloud’s “No-Oracle-Code” Servers Make It More Secure?
Taking a closer look at Larry Ellison’s claim of a superior, “fundamentally different” cloud architecture.
October 1, 2019
At the company’s OpenWorld conference in September, Oracle co-founder and CTO Larry Ellison claimed that Oracle's cloud servers were more secure than those of other cloud providers – including Amazon Web Services – because its dedicated servers had only customer code on them and no Oracle code for managing the cloud platform.
"The dedicated infrastructure is new this year," Ellison said in a keynote at the San Francisco show. "It's a private, reserve pool of resources, machines that only your company is using. You're the one tenant, the only ones there."
The other cloud providers, he said, put their own management code on the servers, even dedicated machines that aren't shared with other customers.
"You might be the only tenant in that computer, but you also share it with Amazon," said Ellison. "Amazon can see your data, and you can see Amazon's code. Both are really bad ideas. You should not be able to access cloud control code. They shouldn't be able to access your data."
Ellison said that Oracle had a "fundamentally different cloud configuration."
"In our case, you have a dedicated computer, and our control code is in another computer with a different memory system," he said. "That forms secure isolation zones, so threats can't get into the cloud. And if someone comes in with a credit card and malice on their mind, they can't get out of their zone and into your zones."
The Maximum Security Zones, announced at OpenWorld, aren't available yet. Fred Kost, VP of product marketing for security at Oracle, said these cloud servers, which only have customer information on them, will be available next year.
Also coming is another architectural aspect that Oracle claims makes its cloud platform uniquely secure: use of Layer 2 software-defined networking, which allows access to servers without the need for virtualization agents on them.
"We were the first public cloud to offer bare metal, and we will be the first public cloud to offer pervasive Layer 2 networking," Clay Magouyrk, senior VP for Oracle Cloud Infrastructure, said in another presentation at the show.
Amazon confirmed that there's a layer of AWS code on both dedicated and bare-metal servers it offers.
"Dedicated tenancy instances are instances where the customer is the only one using the hardware, which can help satisfy compliance and licensing requirements," an AWS spokesperson said. "Bare-metal instances are also dedicated — no other customer is using the hardware, and the customer gets the full capacity of the hardware, as the AWS network, storage, and security virtualization is running entirely on a separate Nitro System.”
The AWS code running on this customer hardware is different from Ellison’s characterization, however. Both dedicated and bare-metal instances “run a very thin layer of AWS code… but this is not a management tool. This layer is low-level, non-interactive, and is logically no different from other non-customer code, such as the firmware, BMC, bios, memory initialization, and controller code that is running on a system. In fact, that layer allows AWS to verify that non-customer code has not been subverted or replaced by malware.”
Oracle also has firmware on their machines, the spokesperson said, and that firmware can carry security risks in and of itself.
So, does Oracle's infrastructure offer any significant security improvements over other cloud providers?
"Not much," said Ramon Peypoch, senior VP at Vera, a Palo Alto-based data security company. The same goes for Layer 2 networking, he said.
"Seasoned security practitioners know that any server can be exploited or compromised," he said.
Meanwhile, customers looking to get completely bare-metal servers can use a specialist like IBM’s ex-SoftLayer infrastructure or Rackspace. Many data center providers will work with a large enterprise customer to give them the level of control they need, Dominic Sartorio, senior VP of products and development at Protegrity, a cloud vendor that uses such services, said.
“We ourselves have a colo down the street from our Stamford, Connecticut, office – in fact, we do it around the world,” he said. “Just think of all the colos out there, all the hosted data centers. You can even bring in your own bare metal, and they'll host it for you.”
About the Author
You May Also Like