security

  • October 20, 2017
  • I spent the first week of the month in San Francisco at Oracle’s customer event, OpenWorld 2017 and when I wasn’t drinking from an information fire hose, it was alternately fascinating and exhausting. There were major announcements in database, blockchain, AI, cyber security, and other stuff I have only a tangential association with. For instance my eyes glaze over when they start talking about bare metal servers and going serverless so I’ll limit these observations to database and security with a few dashes of other things.

    But primarily OpenWorld 2017 was a coming out party of sorts in which the culmination of billions of dollars of investments in advanced technologies became unavoidably visible. From here on Oracle might still support its legacy customers but make no mistake, they are legacy and the future is at minimum about moving the datacenter to the cloud and moving your traditional licenses there. Oracle even has a name for that practice BYOL or bring your own lice

    Oracle is making that task as easy as it can be and I spoke with customers who were doing it or just finishing who were pleased with the experience. We don’t often think about it if we keep to the big picture but there are a lot of old systems in the enterprise that need to be replaced because they no longer support their missions. There is no better indication than that for determining that the next few years will be full of stories about cloud migration.

    The key to successful and necessary transfer to the cloud is Oracle’s autonomous database, 18c. The new product will be available by end of year and is supposed to self-provision, self-maintain and self-patch while running thus eliminating the need for most downtime. CTO and founder Larry Ellison said that it takes an average of 13-14 months from when a patch is available to when it is installed in a majority of customer shops. If a patch covers a security problem that leaves bad guys a huge amount of time to steal data, which has become epidemic.

    As Ellison said in his opening night keynote, “People are going to get better at stealing data, and we have to get better at protecting it.” Fair point. The database will be a big part of that protection along with some semi-autonomous security software (that will become autonomous soon enough). Both products rely on Oracle’s AI and machine learning tools as well as advanced database hardware.

    That’s the catch, but it seems eminently reasonable: you have to be on Oracle gear to get the full benefits of the software’s power. Actually it’s less of a catch than you might think. While there are enterprises that are big enough to need and to purchase the hardware, many if not most, customers will receive the full benefits of Oracle’s technology as consumers of its cloud services. So many of these announcements can be rightly seen as further inducements to move to the cloud.

    Ellison is fond of saying, “You can get all of this, but you have to be willing to pay less.” That’s fair if you’re looking at the monthly or annual subscription charge but one suspects that over time many companies will be paying more overall though there’s the issue of refresh that many companies avoid but which are a standard part of the cloud. We’ll see, in the end you get what you pay for.

    Oracle also announced a foray into blockchain, the distributed ledger technology that provides greatly enhanced security, speed, and transparency to inter and intra-company transactions. For instance you will soon be able to use blockchain to track the provenance of parts in a supply chain, and one can only hope that credit reporting adopts similar safeguards in the future. We can also hope to track some customers and their purchases that way, especially in a B2B setting to facilitate sales.

    Lastly, there’s AI and data. Whether it’s called AI or machine learning, the technology requires lots of data to train a model to be useful in predicting the future. Most enterprise data is deficient in one or more axes of data on hand so Oracle’s solution has been to provide clean data to augment private data and deliver the big picture view that’s needed in sales, marketing, service and a lot more. Oracle also introduced a new set of IoT applications aimed at specific business outcomes. It’s impossible not to say more about this later.

    But to summarize, Oracle’s long-term investment in cloud technology has begun to pay off. We’ve seen this in the company’s earnings reports over the last year and OpenWorld was a kind of coming out party for numerous solutions at literally every level of the software (and hardware) stack. The company will be a formidable competitor in the years ahead as its legacy base is up for grabs. They’re all going to move to the cloud at some point and Oracle wants to keep them. Other vendors with good solutions are competing at every level from Amazon and Google to Microsoft, SAP, and Salesforce. At Oracle OpenWorld 2017, Oracle more than made its case. Time for the others to step up.

     

     

     

    Published: 4 months ago


    360230-oracle-openworld-2012For once, Oracle OpenWorld went long on substance. That’s hard to do when you have so many products to discuss and Larry Ellison pontificating but Larry was both under control and substantive though he couldn’t resist taking a few shots at competitors. So he announced that his team hardly ever sees SAP and IBM in deals these days and gave due praise to cloud pioneers NetSuite and Salesforce.

    Interestingly, he always mentioned NetSuite, which he owns a considerable share of, before Salesforce, which he invested in back in the day, despite the fact that Salesforce is six times larger than NetSuite by revenues. Both companies are doing just fine thank you veddy much.

    Beyond the product revisions and enhancements I saw two real news items: Oracle is now (at last) a cloud company and the company put an important marker down on improving IT security—first things first.

    Cloud

    Oracle has always been in a different business than the cloud pioneers in that Oracle has a huge customer base (420,000 customers on one sign) to bring along to the promised land compared to the pioneers who more or less invited customers to start over, in many cases, in the cloud.

    That reality permeated the keynotes and discussions led by Ellison, in a Sunday keynote, CEO Mark Hurd, on Monday, Thomas Kurian, President of Product Development, Tuesday, and Ellison in another keynote on Tuesday. Each man offered the view that for the next one to two decades, enterprises would operate in a hybrid—on-premise and cloud model—transition state. Further, each was careful to articulate that Oracle would continue to develop, maintain, and enhance on-premise applications during that time. No hard date for the end of the transition was offered.

    It was a delicate balancing act trying to assure big enterprises considering the cloud because their deployments represent a large mass of computing that won’t easily unravel over night. Still, my thinking is that while there might be traces of on-premise applications 15 years from now, most of the transference will happen quicker for two reasons. First, cloud apps will make their users more competitive and second, security improvements will make cloud increasingly attractive.

    Competitive angle

    By itself, cloud is just a delivery mechanism and there’s little about it to recommend it for pure delivery. But layered on top, as most people know, there’s a total cost of ownership advantage to cloud systems. Even more than this, however, is the reality that when businesses transfer to new platforms, most take the time to reimagine the business and the apps. Consequently, the great cloud migration of the rest of this decade will be a moment when businesses ditch some spreadsheet apps that never worked very well so that they can achieve long desired end-to-end process support for their businesses. This migration from transaction systems or systems of record to process oriented systems is where the real payback for moving to the cloud will be found. It is also a real source of competitive differentiation for most companies, which will drive rapid adoption so hang on, it should be an interesting ride.

    At the same time, we need to acknowledge that when those businesses start to reimagine their business processes, it will open up many to competitive bidding for those new apps. That’s no surprise and one big reason that Oracle is making a conscious effort to court customers by being with them in their moments of truth as they contemplate their next moves. In my opinion that’s smart, let’s watch how it plays out.

    Security—What’s old is new

    Many people shook their heads when Oracle bought Sun Microsystems because they saw Sun as playing in a space that was rapidly commoditizing. Some thought it as big a folly as Carly and HP buying Compaq but almost instantly Ellison began inventing differentiated hardware that set new standards for in-memory operations that vastly accelerated business processing. Devices like Xadata, a storage device that leverages flash memory so that storage operations could happen at memory speeds rather than much slower disk speeds led the parade.

    At OpenWorld, Ellison announced that the new security direction of IT based on Oracle products is to encrypt all data. He introduced several vaults, like a password vault that stores unique encryption/de-encryption codes that users could keep on their own machines (hopefully a machine not connected to the Internet) or on-line in an Oracle cloud. But that was nothing, the bigger news was a new M7 CPU chip that offers security at the silicon level. This was instantly controversial in my circle and needs some explaining.

    Security in silicon

    Oracle’s approach to security with the M7 chip will be hotly debated with some people thinking it’s just a speed bump for dedicated hackers while others might see more promise. I think I am in the latter camp though there’s a huge caveat.

    Oracle/Ellison discusses the security debate this way. Securing IT should happen at the lowest possible level in the stack, so for instance securing applications and data should happen at the operating system level which is also a logical place for hackers to do their worst. So to secure everything we need to find ways to bring security into silicon a place where hackers can’t make changes because hackers can’t alter chips. The M7 imposes what’s basically a check-in, check-out scheme for memory. It allocates a given amount of memory to tasks and if some piece of malware tries to occupy the memory space, overflowing the set parameters, the system can easily detect the intrusion and alert operators. Software bugs might operate the same way so there might be a few false positives as this paradigm gets going. So what? This is a crude description and for a more detailed explanation check out Oracle’s video cache from the show to see Larry explain it all.

    As good as this sounds, and also incorporating M7’s very fast decompression algorithms, this security only operates on servers, it does nothing to protect desktops or handhelds. The advent of the M7 could be an incentive to hackers to turn their attention to smaller machines, which could be infected to do things on behalf of bad guys. If so, M7 technology could be coming to a future PC, laptop or smartphone

    On the other hand

    While OpenWorld was a good show, it could have been better in some details. Some of the discussions of platform and infrastructure could have been helped along by video animation of some arcane points. I found myself watching demos that went on too long only to show a static screen with one thing changing in a window to indicate an infrastructure accomplishment. Oracle is long overdue for investing in more video for these events and judging by his comments at one point, I think Ellison took undue and perverse pride in his “graphically challenged” slides as one Tweet put it.

    Customer experience

    A couple of years ago, Oracle shrewdly ditched the CRM badge and called itself a CX or customer experience company and there were enough CX announcements to make front office people happy. However, it should be noted that the Oracle CX event will happen in April in Las Vegas so stay tuned for that. Another post will dive deeper into CX at OpenWorld.

    The critique I’d offer on CX is the same I’d give to any CRM vendor today. There’s a big discussion of products but too often it revolves around point solutions for marketing automation, sales enablement, mobile computing or whatever. This represents a transaction mindset and the front office needs to move aggressively to full end-to-end process support because that’s an important marker of the cloud.

    My impression of all CRM vendors today is that they’re selling to the lowest common denominator, i.e. aiming for the user that just wants to use CRM as a glorified rolodex. That user represents about half of the market so the orientation is understandable but I wonder how it sits with the more advanced users.

    At some point we need to flip a bit and concentrate more on processes that the first half of the market can best use. That’s why I am eager to see what happens in Las Vegas in April and at other CRM vendor events next year.

    I’ll close now

    Oracle has become a real cloud company with offerings at the software, platform, and infrastructure levels. But it still takes a data center-centric approach to the business especially when trying to reassure existing customers that there’s time for an orderly migration. It is a “new” cloud company in that it has thousands of successful and very reference-able customers and not tens or hundreds of thousands. Nonetheless, it is making strides and forecasts more than a billion dollars of new cloud business in the year ahead.

    The company’s ace in the hole as it continues moving to the cloud may be its security through silicon approach, which must still be vetted. I might be in the minority about the security announcements but it strikes me that locking down memory and CPU and encrypting data will enable users to starve any malware that tries to gain a foothold.

    Since many cloud and subscription vendors as well as enterprise customers already use Oracle DB and many are buying Xadata devices, we could see a dramatic decline in intrusions and data thefts. But that won’t end the problem; it might simply make the hackers focus more intently on the desktops and smart devices. I don’t think the IoT will take off until security is well in hand and that will ensure the security discussion continues.

    Published: 2 years ago