For once, Oracle OpenWorld went long on substance. That’s hard to do when you have so many products to discuss and Larry Ellison pontificating but Larry was both under control and substantive though he couldn’t resist taking a few shots at competitors. So he announced that his team hardly ever sees SAP and IBM in deals these days and gave due praise to cloud pioneers NetSuite and Salesforce.
Interestingly, he always mentioned NetSuite, which he owns a considerable share of, before Salesforce, which he invested in back in the day, despite the fact that Salesforce is six times larger than NetSuite by revenues. Both companies are doing just fine thank you veddy much.
Beyond the product revisions and enhancements I saw two real news items: Oracle is now (at last) a cloud company and the company put an important marker down on improving IT security—first things first.
Oracle has always been in a different business than the cloud pioneers in that Oracle has a huge customer base (420,000 customers on one sign) to bring along to the promised land compared to the pioneers who more or less invited customers to start over, in many cases, in the cloud.
That reality permeated the keynotes and discussions led by Ellison, in a Sunday keynote, CEO Mark Hurd, on Monday, Thomas Kurian, President of Product Development, Tuesday, and Ellison in another keynote on Tuesday. Each man offered the view that for the next one to two decades, enterprises would operate in a hybrid—on-premise and cloud model—transition state. Further, each was careful to articulate that Oracle would continue to develop, maintain, and enhance on-premise applications during that time. No hard date for the end of the transition was offered.
It was a delicate balancing act trying to assure big enterprises considering the cloud because their deployments represent a large mass of computing that won’t easily unravel overnight. Still, my thinking is that while there might be traces of on-premise applications 15 years from now, most of the transference will happen quicker for two reasons. First, cloud apps will make their users more competitive and second, security improvements will make cloud increasingly attractive.
By itself, cloud is just a delivery mechanism and there’s little about it to recommend it for pure delivery. But layered on top, as most people know, there’s a total cost of ownership advantage to cloud systems. Even more than this, however, is the reality that when businesses transfer to new platforms, most take the time to reimagine the business and the apps. Consequently, the great cloud migration of the rest of this decade will be a moment when businesses ditch some spreadsheet apps that never worked very well so that they can achieve long desired end-to-end process support for their businesses. This migration from transaction systems or systems of record to process oriented systems is where the real payback for moving to the cloud will be found. It is also a real source of competitive differentiation for most companies, which will drive rapid adoption so hang on, it should be an interesting ride.
At the same time, we need to acknowledge that when those businesses start to reimagine their business processes, it will open up many to competitive bidding for those new apps. That’s no surprise and one big reason that Oracle is making a conscious effort to court customers by being with them in their moments of truth as they contemplate their next moves. In my opinion that’s smart, let’s watch how it plays out.
Security—What’s old is new
Many people shook their heads when Oracle bought Sun Microsystems because they saw Sun as playing in a space that was rapidly commoditizing. Some thought it as big a folly as Carly and HP buying Compaq, but almost instantly Ellison began inventing differentiated hardware that set new standards for in-memory operations that vastly accelerated business processing. Devices like Exadata, a storage device that leverages flash memory so that storage operations could happen at memory speeds rather than much slower disk speeds, led the parade.
At OpenWorld, Ellison announced that the new security direction of IT based on Oracle products is to encrypt all data. He introduced several vaults, like a password vault that stores unique encryption/decryption codes that users could keep on their own machines (hopefully a machine not connected to the Internet) or on-line in an Oracle cloud. But that was nothing; the bigger news was a new M7 CPU chip that offers security at the silicon level. This was instantly controversial in my circle and needs some explaining.
Security in silicon
Oracle’s approach to security with the M7 chip will be hotly debated with some people thinking it’s just a speed bump for dedicated hackers while others might see more promise. I think I am in the latter camp though there’s a huge caveat.
Oracle/Ellison discusses the security debate this way. Securing IT should happen at the lowest possible level in the stack, so for instance securing applications and data should happen at the operating system level, which is also a logical place for hackers to do their worst. So to secure everything we need to find ways to bring security into silicon, a place where hackers can’t make changes because hackers can’t alter chips. The M7 imposes what’s basically a check-in, check-out scheme for memory. It allocates a given amount of memory to tasks and if some piece of malware tries to occupy the memory space, overflowing the set parameters, the system can easily detect the intrusion and alert operators. Software bugs might operate the same way so there might be a few false positives as this paradigm gets going. So what? This is a crude description and for a more detailed explanation check out Oracle’s video cache from the show to see Larry explain it all.
As good as this sounds, and also incorporating M7’s very fast decompression algorithms, this security only operates on servers; it does nothing to protect desktops or handhelds. The advent of the M7 could be an incentive to hackers to turn their attention to smaller machines, which could be infected to do things on behalf of bad guys. If so, M7 technology could be coming to a future PC, laptop or smartphone.
On the other hand
While OpenWorld was a good show, it could have been better in some details. Some of the discussions of platform and infrastructure could have been helped along by video animation of some arcane points. I found myself watching demos that went on too long only to show a static screen with one thing changing in a window to indicate an infrastructure accomplishment. Oracle is long overdue for investing in more video for these events and judging by his comments at one point, I think Ellison took undue and perverse pride in his “graphically challenged” slides as one Tweet put it.
A couple of years ago, Oracle shrewdly ditched the CRM badge and called itself a CX or customer experience company and there were enough CX announcements to make front office people happy. However, it should be noted that the Oracle CX event will happen in April in Las Vegas so stay tuned for that. Another post will dive deeper into CX at OpenWorld.
The critique I’d offer on CX is the same I’d give to any CRM vendor today. There’s a big discussion of products but too often it revolves around point solutions for marketing automation, sales enablement, mobile computing or whatever. This represents a transaction mindset and the front office needs to move aggressively to full end-to-end process support because that’s an important marker of the cloud.
My impression of all CRM vendors today is that they’re selling to the lowest common denominator, i.e. aiming for the user that just wants to use CRM as a glorified rolodex. That user represents about half of the market so the orientation is understandable but I wonder how it sits with the more advanced users.
At some point we need to flip a bit and concentrate more on processes that the first half of the market can best use. That’s why I am eager to see what happens in Las Vegas in April and at other CRM vendor events next year.
I’ll close now
Oracle has become a real cloud company with offerings at the software, platform, and infrastructure levels. But it still takes a data center-centric approach to the business especially when trying to reassure existing customers that there’s time for an orderly migration. It is a “new” cloud company in that it has thousands of successful and very reference-able customers and not tens or hundreds of thousands. Nonetheless, it is making strides and forecasts more than a billion dollars of new cloud business in the year ahead.
The company’s ace in the hole as it continues moving to the cloud may be its security through silicon approach, which must still be vetted. I might be in the minority about the security announcements but it strikes me that locking down memory and CPU and encrypting data will enable users to starve any malware that tries to gain a foothold.
Since many cloud and subscription vendors as well as enterprise customers already use Oracle DB and many are buying Exadata devices, we could see a dramatic decline in intrusions and data thefts. But that won’t end the problem; it might simply make the hackers focus more intently on the desktops and smart devices. I don’t think the IoT will take off until security is well in hand and that will ensure the security discussion continues.
It was appropriate that Oracle put a stake in the ground over security at last week’s OpenWorld conference in San Francisco. As the database of choice for more than 420,000 customers, the effort to find ways to better protect their data is one of the clearest signs of customer-centricity the company could have picked.
Fortunately or unfortunately, as you choose to look at it, their logic is that to provide data security you need to move down the stack all the way to hardware. This sounds eminently reasonable to me though I think I can see a wrinkle. First the good news, like Woody Allen once said, “to a knife fight, always bring a gun,” and that neatly summarizes the Oracle plan. The company has decided to make data security and especially encryption a non-negotiable thing.
Currently some Oracle database customers have the security option turned off, which won’t help anybody, so now the default will be always on. But encryption and decryption take CPU cycles, which cash-strapped IT groups would rather see applied to “real” work. So the new regime will ding some IT budgets if they have to buy more compute power, but what’s the alternative? There’s not much you can do if security is an issue and it is. Oracle’s Exadata, a device which moves database operations into flash memory, can provide greater performance and therefore make everything better. But the last time I looked, those devices had a million dollar price tag. Perhaps this will be another decision point that drives companies to the cloud.
At the same time, the company is introducing the M7 CPU chip, which has embedded software instructions that allocate memory to legitimate processes. Any process that tries to use more memory because there’s a virus trying to freeload will cause an alarm of sorts and that will signal IT that it is potentially under attack. Since software bugs might also trigger the alarm there will be some false positives to deal with but a false positive is better than a real one.
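The check-in, check-out memory scheme described here and under "Security in silicon" above can be modelled in software. The following is an added example, not Oracle's code or a description of the M7's actual circuitry; the granule size, the tag range and every name in it are assumptions chosen for illustration.

```c
/* Software model of a check-in/check-out memory scheme; all names and sizes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE 64                 /* assumed tagging granularity in bytes */
#define NGRAN   16                 /* granules in the toy memory pool */
static uint8_t pool[NGRAN * GRANULE];
static uint8_t tags[NGRAN];        /* one tag per granule, 0 = not checked out */
static uint8_t next_tag = 1;
static unsigned alarms;            /* violations detected so far */
typedef struct { size_t off; uint8_t tag; } tagged_ptr;

/* Check out n bytes: first-fit over free granules, stamped with a fresh tag. */
static int checkout(size_t n, tagged_ptr *out) {
    size_t need = (n + GRANULE - 1) / GRANULE;
    if (n == 0 || need > NGRAN) return -1;
    for (size_t g = 0; g + need <= NGRAN; g++) {
        size_t k = 0;
        while (k < need && tags[g + k] == 0) k++;
        if (k < need) continue;                    /* run too short, try next start */
        memset(&tags[g], next_tag, need);
        out->off = g * GRANULE; out->tag = next_tag;
        next_tag = (uint8_t)(next_tag % 15 + 1);   /* cycle tags 1..15 */
        return 0;
    }
    return -1;
}

/* Check in: clear the tags so a stale pointer no longer matches. */
static void checkin(tagged_ptr p, size_t n) {
    memset(&tags[p.off / GRANULE], 0, (n + GRANULE - 1) / GRANULE);
}

/* Checked store: every byte must land in a granule carrying the pointer's tag. */
static int store(tagged_ptr p, size_t idx, const void *src, size_t len) {
    for (size_t i = 0; i < len; i++) {
        size_t a = p.off + idx + i;
        if (a >= sizeof pool || tags[a / GRANULE] != p.tag) { alarms++; return -1; }
    }
    memcpy(&pool[p.off + idx], src, len);          /* nothing is written on a violation */
    return 0;
}

int main(void) {
    tagged_ptr a, b; char buf[200] = {0};          /* constructed sample data */
    checkout(100, &a); checkout(40, &b);           /* two neighbouring allocations */
    int ok = store(a, 0, buf, 100), bad = store(a, 0, buf, 129);
    printf("in-bounds=%d overflow=%d alarms=%u\n", ok, bad, alarms);
}
```

In this model a write that stays inside the last granule of its own allocation is not flagged, and two neighbours that happen to receive the same tag after the counter wraps would not be told apart.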
These two innovations will help to lock down the data center but I wonder if they’ll just push the security problem out to the periphery, to desktops and devices that don’t have M7 technology. Ten thousand devices each asking for 100 customer names will pose a different but related security problem that might be harder to control so it looks to me like M7 technology will need to become a part of all devices for this scheme to be maximally protective.
Given all this, Oracle’s security innovations might not be perfect but I disagree with those who scoff at them. These approaches will definitely strangle malware where it is found though the Internet won’t be completely safe unless the security is ubiquitous. This reminds me of the way that antibiotics work, which include attacking and puncturing the cell wall, disrupting protein synthesis, and disabling DNA transcription and replication. While it’s true that some microbes have become resistant, especially to cell wall agents (i.e. the penicillin strategy), other approaches seem to be holding up. Interestingly, when you make protein or transcribe DNA you’re dealing with decrypting information, so I am very interested in seeing where this all goes.
Right now, security might be the most important obstacle to greater expansion of the Internet of Things and to utility computing in general. The last things we need are cars and drones that can be hacked so these first attempts are indeed a welcome sign. No matter, this is an arms race and there will likely be setbacks but at least we are engaged.