security

  • April 3, 2018
  • Ok, this is kind of long. Go get a cup of coffee.

    Amid the anxiety and revelations of the Russia scandal including the Cambridge Analytica story that showed how easy it was to steal 50 million Facebook user profiles, it’s easy to mix up cause and effect. Importantly, Facebook wasn’t hacked or broken into but it was used as it was designed.

    This has led some to question whether Facebook as such can exist at all in our pluralistic society while others believe the problem of surreptitious psychographic profiling will blow over once everyone plays by the same rules. After all, others have argued, other entities do the same thing. They point to Google, Amazon and even the traditional print industry as culprits for gathering personal data for analysis and, it should be said, weaponization.

    Of course, the issue is manipulating and weaponizing the data. If we can’t trust the data, then we are disassembling one of the pillars of democracy, the acceptance of scientific rationalism. Boiled down, it means facts are facts even if you don’t like them.

    If you remember a time before social media when identities were not so readily stolen and you think that reality was good, you might also recoil at the thought that those were the good old days, that things are now permanently different. There is a third option though and there are probably many that seek to balance the benefits of new technology with the protections we’ve grown accustomed to.

    This article can’t be all things to all those people but it attempts to find safe harbor in a storm and therefore makes accommodations. If we can’t live with the compromises, perhaps it can at least point out some of the major obstacles to be overcome.

    Business model

    It is an article of faith that Facebook’s business model, as well as those of other social networks and search engines, is selling advertising. But it is my contention that this model has run its course. It was effective when the companies were smaller, when their consumers were more innocent to the ways technology can be used for both good and ill purposes. The advertising model was even necessary in a time when the Internet was new and finding people and things was strange.

    The advertising business model was a default that data aggregators took on the way to phenomenal profits and who could blame them. The tech sector has a habit of minting money and the founders of social media and search engines were merely the latest in a long line of prolific brainiacs who struck gold. It is hard to believe that any human in a similar situation would act much differently.

    The latest dustup that dragged social media into the political spotlight now presents two choices to these businesses. They can hobble their products, which could reduce the amount of data they collect making them less interesting to advertisers, or they can change their business models slightly to prevent unethical use of their networks.

    Disruptive innovation

    Anytime a new technology reaches market, it has the possibility that it will disrupt the existing order of things. Disruptive innovations have coexisted with Capitalism since its origins in the Industrial Revolution. Disruptive innovation means making thread and then cloth with high-speed mechanical means, making a steam engine powerful and small enough to be mobile, or making a computer that could fit on a sliver of silicon about the size of your thumbnail.

    The world changed with each of these disruptive innovations and others, because they immediately made an old order irrelevant and they organized whole economies and even civilizations around new driving forces. The Internet and its children are the latest innovations that have rocked the world. In each, humanity has had to grapple with both the benefits and the deficits of the innovations.

    So far, we’ve benefitted enormously from these innovations but recently we discovered their less sanguine side. If history is a guide then regulation in some form is a likely next step. Some leaders in Congress have already broached the idea on several occasions but it’s important to get the idea right before pulling the trigger, which is why we need to discuss business models.

    Regulation?

    Regulation could happen in social media and search but there’s much that the technology companies can do to either avert it or ensure that its mandate is as light and congruent with company interests as possible starting with the prevailing business model.

    Although the advertising business model has served many companies well, they’ve morphed into data companies with big responsibilities for safeguarding the data they collect and that’s not something they’re eager for.

    The big data gathering companies like Facebook, Amazon, and Google, and their competitors, have become data companies first and advertising vendors second, and if this understanding had been realized sooner, many data breaches would in all likelihood have been thwarted. Rule One of business is never give away your product; it’s what you charge for because it pays the bills. Applying the rule should be as obvious as encrypting user data in this case. Additionally, no expectant user of the data should be able to access it in its unencrypted form without paying, of course, but more importantly without presenting valid credentials and stating a beneficial and productive purpose for the use.

    I’ve written before about credentialing and how it’s actually harder to pull permits to remodel your kitchen than it is to advertise any message you want on social media so I won’t perseverate. So let’s turn to encryption.

    Security as a business model

    Social and search’s business model must turn from advertising to data management, curation, and selling access to it and we live at precisely the moment when these activities are possible on a very large level. This includes encryption and the same form of certification that applies to other professionals from doctors to beauticians and plumbers.

    Encryption and its reverse take time and require compute and storage resources which have often cut short discussions involving them because of cost considerations. But new, shall we say disruptive, innovations in computer hardware and software are reigniting the discussion.

    In hardware, data storage was long accomplished with the hard drives of most computer systems. Data enters and leaves storage on millisecond time scales, which is very fast. However, computer CPUs and memory operate one million times faster at nanosecond speeds. CPU chips spend a lot of time waiting for data to become available even when, as most modern computer systems do, there is memory caching for frequently used data.

    Innovative hardware designs now offer solid-state memory devices that replace disks. This memory operates at nanosecond intervals and eliminates the lag time of older mechanical systems. What should we do with all of this newfound speed? One possibility might be to dedicate a small portion of it to encryption. Typical encryption modes on the market right now could be broken, but that would take so many years that the resulting data, when finally available, would be useless, and encryption is getting better.

    Encryption would be a good thing but it wouldn’t solve all problems, and securing our information infrastructure so that it operates more at utility grade requires other changes. Bad software, malware, viruses, Trojan Horses, and the like may still get into systems.

    Mark meet Larry

    As luck would have it, free markets generate inventions faster than they can be adopted. Often a disruptive innovation exists at the nexus of several disruptions that just need one more critical piece. That’s the case with many of the system level inventions that Oracle has brought to market over the last several years. They’ve pioneered important developments in solid state storage, encryption, chip sets that weed out intrusive malware, and a self-patching autonomous database that just hit the market.

    All of these things turn out to be essential to safeguarding data which will enable the information revolution to continue burrowing its way into our lives and enriching society. They are also the underpinnings of a new business model that turns big data companies into ethical data providers. They might also continue being social media companies but the data tail would now be wagging the dog.

    My two cents

    What do I know? I just read and write a lot. But what I see is an industry about to be regulated and, in my mind, the smart play is for the social media companies to lead the charge to ensure they arrive at something they can live with instead of remaining aloof and having some regulations imposed on them.

    There’s a wild west mentality in Silicon Valley in which what isn’t proscribed is encouraged. But we should keep in mind that the west only remained wild until the pioneers arrived and established towns with roads, schools, and churches. The wild bunch might have disliked the idea of settlement, they might have opposed it, but they were quickly in the minority and civilization won. That’s what’s happening in tech today and we all need to seize the moment.

    Published: 6 years ago


    I spent the first week of the month in San Francisco at Oracle’s customer event, OpenWorld 2017 and when I wasn’t drinking from an information fire hose, it was alternately fascinating and exhausting. There were major announcements in database, blockchain, AI, cyber security, and other stuff I have only a tangential association with. For instance my eyes glaze over when they start talking about bare metal servers and going serverless so I’ll limit these observations to database and security with a few dashes of other things.

    But primarily OpenWorld 2017 was a coming out party of sorts in which the culmination of billions of dollars of investments in advanced technologies became unavoidably visible. From here on Oracle might still support its legacy customers but make no mistake, they are legacy and the future is at minimum about moving the datacenter to the cloud and moving your traditional licenses there. Oracle even has a name for that practice BYOL or bring your own lice

    Oracle is making that task as easy as it can be and I spoke with customers who were doing it or just finishing who were pleased with the experience. We don’t often think about it if we keep to the big picture but there are a lot of old systems in the enterprise that need to be replaced because they no longer support their missions. There is no better indication than that for determining that the next few years will be full of stories about cloud migration.

    The key to a successful and necessary transfer to the cloud is Oracle’s autonomous database, 18c. The new product will be available by end of year and is supposed to self-provision, self-maintain and self-patch while running, thus eliminating the need for most downtime. CTO and founder Larry Ellison said that it takes an average of 13-14 months from when a patch is available to when it is installed in a majority of customer shops. If a patch covers a security problem, that leaves bad guys a huge amount of time to steal data, which has become epidemic.

    As Ellison said in his opening night keynote, “People are going to get better at stealing data, and we have to get better at protecting it.” Fair point. The database will be a big part of that protection along with some semi-autonomous security software (that will become autonomous soon enough). Both products rely on Oracle’s AI and machine learning tools as well as advanced database hardware.

    That’s the catch, but it seems eminently reasonable: you have to be on Oracle gear to get the full benefits of the software’s power. Actually it’s less of a catch than you might think. While there are enterprises that are big enough to need and to purchase the hardware, many if not most, customers will receive the full benefits of Oracle’s technology as consumers of its cloud services. So many of these announcements can be rightly seen as further inducements to move to the cloud.

    Ellison is fond of saying, “You can get all of this, but you have to be willing to pay less.” That’s fair if you’re looking at the monthly or annual subscription charge but one suspects that over time many companies will be paying more overall, though there’s the issue of refresh, which many companies avoid but which is a standard part of the cloud. We’ll see; in the end you get what you pay for.

    Oracle also announced a foray into blockchain, the distributed ledger technology that provides greatly enhanced security, speed, and transparency to inter and intra-company transactions. For instance you will soon be able to use blockchain to track the provenance of parts in a supply chain, and one can only hope that credit reporting adopts similar safeguards in the future. We can also hope to track some customers and their purchases that way, especially in a B2B setting to facilitate sales.

    Lastly, there’s AI and data. Whether it’s called AI or machine learning, the technology requires lots of data to train a model to be useful in predicting the future. Most enterprise data is deficient in one or more axes of data on hand so Oracle’s solution has been to provide clean data to augment private data and deliver the big picture view that’s needed in sales, marketing, service and a lot more. Oracle also introduced a new set of IoT applications aimed at specific business outcomes. It’s impossible not to say more about this later.

    But to summarize, Oracle’s long-term investment in cloud technology has begun to pay off. We’ve seen this in the company’s earnings reports over the last year and OpenWorld was a kind of coming out party for numerous solutions at literally every level of the software (and hardware) stack. The company will be a formidable competitor in the years ahead as its legacy base is up for grabs. They’re all going to move to the cloud at some point and Oracle wants to keep them. Other vendors with good solutions are competing at every level from Amazon and Google to Microsoft, SAP, and Salesforce. At Oracle OpenWorld 2017, Oracle more than made its case. Time for the others to step up.

    Published: 6 years ago


    For once, Oracle OpenWorld went long on substance. That’s hard to do when you have so many products to discuss and Larry Ellison pontificating but Larry was both under control and substantive though he couldn’t resist taking a few shots at competitors. So he announced that his team hardly ever sees SAP and IBM in deals these days and gave due praise to cloud pioneers NetSuite and Salesforce.

    Interestingly, he always mentioned NetSuite, which he owns a considerable share of, before Salesforce, which he invested in back in the day, despite the fact that Salesforce is six times larger than NetSuite by revenues. Both companies are doing just fine thank you veddy much.

    Beyond the product revisions and enhancements I saw two real news items: Oracle is now (at last) a cloud company and the company put an important marker down on improving IT security—first things first.

    Cloud

    Oracle has always been in a different business than the cloud pioneers in that Oracle has a huge customer base (420,000 customers on one sign) to bring along to the promised land compared to the pioneers who more or less invited customers to start over, in many cases, in the cloud.

    That reality permeated the keynotes and discussions led by Ellison, in a Sunday keynote, CEO Mark Hurd, on Monday, Thomas Kurian, President of Product Development, Tuesday, and Ellison in another keynote on Tuesday. Each man offered the view that for the next one to two decades, enterprises would operate in a hybrid—on-premise and cloud model—transition state. Further, each was careful to articulate that Oracle would continue to develop, maintain, and enhance on-premise applications during that time. No hard date for the end of the transition was offered.

    It was a delicate balancing act trying to assure big enterprises considering the cloud because their deployments represent a large mass of computing that won’t easily unravel overnight. Still, my thinking is that while there might be traces of on-premise applications 15 years from now, most of the transference will happen quicker for two reasons. First, cloud apps will make their users more competitive and second, security improvements will make cloud increasingly attractive.

    Competitive angle

    By itself, cloud is just a delivery mechanism and there’s little about it to recommend it for pure delivery. But layered on top, as most people know, there’s a total cost of ownership advantage to cloud systems. Even more than this, however, is the reality that when businesses transfer to new platforms, most take the time to reimagine the business and the apps. Consequently, the great cloud migration of the rest of this decade will be a moment when businesses ditch some spreadsheet apps that never worked very well so that they can achieve long desired end-to-end process support for their businesses. This migration from transaction systems or systems of record to process oriented systems is where the real payback for moving to the cloud will be found. It is also a real source of competitive differentiation for most companies, which will drive rapid adoption so hang on, it should be an interesting ride.

    At the same time, we need to acknowledge that when those businesses start to reimagine their business processes, it will open up many to competitive bidding for those new apps. That’s no surprise and one big reason that Oracle is making a conscious effort to court customers by being with them in their moments of truth as they contemplate their next moves. In my opinion that’s smart, let’s watch how it plays out.

    Security—What’s old is new

    Many people shook their heads when Oracle bought Sun Microsystems because they saw Sun as playing in a space that was rapidly commoditizing. Some thought it as big a folly as Carly and HP buying Compaq but almost instantly Ellison began inventing differentiated hardware that set new standards for in-memory operations that vastly accelerated business processing. Devices like Exadata, a storage device that leverages flash memory so that storage operations could happen at memory speeds rather than much slower disk speeds, led the parade.

    At OpenWorld, Ellison announced that the new security direction of IT based on Oracle products is to encrypt all data. He introduced several vaults, like a password vault that stores unique encryption/decryption codes that users could keep on their own machines (hopefully a machine not connected to the Internet) or on-line in an Oracle cloud. But that was nothing; the bigger news was a new M7 CPU chip that offers security at the silicon level. This was instantly controversial in my circle and needs some explaining.

    Security in silicon

    Oracle’s approach to security with the M7 chip will be hotly debated with some people thinking it’s just a speed bump for dedicated hackers while others might see more promise. I think I am in the latter camp though there’s a huge caveat.

    Oracle/Ellison discusses the security debate this way. Securing IT should happen at the lowest possible level in the stack, so for instance securing applications and data should happen at the operating system level, which is also a logical place for hackers to do their worst. So to secure everything we need to find ways to bring security into silicon, a place where hackers can’t make changes because hackers can’t alter chips. The M7 imposes what’s basically a check-in, check-out scheme for memory. It allocates a given amount of memory to tasks and if some piece of malware tries to occupy the memory space, overflowing the set parameters, the system can easily detect the intrusion and alert operators. Software bugs might operate the same way so there might be a few false positives as this paradigm gets going. So what? This is a crude description and for a more detailed explanation check out Oracle’s video cache from the show to see Larry explain it all.
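
    To make the check-in, check-out idea concrete, here is a small software model of tag-checked memory, added as an illustration; it is not Oracle's implementation or code from the keynote. The granule size, pool size, tag range and all names (`tm_alloc`, `tm_write`, `tptr`) are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model only: granule size, pool size and tag range are assumptions. */
#define GRANULE   64                    /* bytes covered by one tag */
#define POOL_SIZE 1024
#define NGRAN     (POOL_SIZE / GRANULE)

static uint8_t  pool[POOL_SIZE];        /* the modelled memory */
static uint8_t  gran_tag[NGRAN];        /* per-granule tag, 0 = not checked out */
static uint8_t  next_tag = 1;
static unsigned violations;             /* number of trapped accesses */

typedef struct { size_t off; uint8_t tag; } tptr;   /* pointer plus its tag */

/* "Check out" n bytes: first-fit search for free granules, then tag them. */
static int tm_alloc(size_t n, tptr *out)
{
    size_t need = (n + GRANULE - 1) / GRANULE, run = 0;
    if (n == 0 || n > POOL_SIZE) return -1;
    for (size_t g = 0; g < NGRAN; g++) {
        run = (gran_tag[g] == 0) ? run + 1 : 0;
        if (run < need) continue;
        size_t first = g + 1 - need;
        uint8_t left  = first ? gran_tag[first - 1] : 0;
        uint8_t right = (g + 1 < NGRAN) ? gran_tag[g + 1] : 0;
        uint8_t t = next_tag;
        while (t == left || t == right)     /* neighbours never share a tag */
            t = (uint8_t)(t % 15 + 1);
        next_tag = (uint8_t)(t % 15 + 1);
        for (size_t k = first; k <= g; k++) gran_tag[k] = t;
        out->off = first * GRANULE;
        out->tag = t;
        return 0;
    }
    return -1;
}

/* "Check in": clear the tags so stale pointers no longer match. */
static void tm_free(tptr p)
{
    for (size_t g = p.off / GRANULE; g < NGRAN && gran_tag[g] == p.tag; g++)
        gran_tag[g] = 0;
}

/* Store with the tag check modelled per byte: a mismatch stops the write. */
static int tm_write(tptr p, size_t idx, const void *src, size_t n)
{
    const uint8_t *s = src;
    for (size_t i = 0; i < n; i++) {
        size_t a = p.off + idx + i;
        if (a >= POOL_SIZE || gran_tag[a / GRANULE] != p.tag) {
            violations++;               /* where an operator alert would fire */
            return -1;
        }
        pool[a] = s[i];
    }
    return 0;
}

int main(void)
{
    uint8_t buf[200];
    tptr a, b;
    memset(buf, 'A', sizeof buf);
    if (tm_alloc(100, &a) || tm_alloc(64, &b)) return 1;  /* b sits right after a */
    printf("in-bounds write: %d\n", tm_write(a, 0, buf, 100));
    printf("overflow into b: %d\n", tm_write(a, 0, buf, 129));
    tm_free(a);
    printf("use after free:  %d\n", tm_write(a, 0, buf, 1));
    return 0;
}
```

    Note what the model does not catch: the 100-byte request is rounded up to 128 bytes, so an overrun that stays inside the last granule passes the check, and a small tag range means two non-adjacent regions can end up with the same tag.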

    As good as this sounds, and also incorporating M7’s very fast decompression algorithms, this security only operates on servers; it does nothing to protect desktops or handhelds. The advent of the M7 could be an incentive to hackers to turn their attention to smaller machines, which could be infected to do things on behalf of bad guys. If so, M7 technology could be coming to a future PC, laptop or smartphone.

    On the other hand

    While OpenWorld was a good show, it could have been better in some details. Some of the discussions of platform and infrastructure could have been helped along by video animation of some arcane points. I found myself watching demos that went on too long only to show a static screen with one thing changing in a window to indicate an infrastructure accomplishment. Oracle is long overdue for investing in more video for these events and judging by his comments at one point, I think Ellison took undue and perverse pride in his “graphically challenged” slides as one Tweet put it.

    Customer experience

    A couple of years ago, Oracle shrewdly ditched the CRM badge and called itself a CX or customer experience company and there were enough CX announcements to make front office people happy. However, it should be noted that the Oracle CX event will happen in April in Las Vegas so stay tuned for that. Another post will dive deeper into CX at OpenWorld.

    The critique I’d offer on CX is the same I’d give to any CRM vendor today. There’s a big discussion of products but too often it revolves around point solutions for marketing automation, sales enablement, mobile computing or whatever. This represents a transaction mindset and the front office needs to move aggressively to full end-to-end process support because that’s an important marker of the cloud.

    My impression of all CRM vendors today is that they’re selling to the lowest common denominator, i.e. aiming for the user that just wants to use CRM as a glorified rolodex. That user represents about half of the market so the orientation is understandable but I wonder how it sits with the more advanced users.

    At some point we need to flip a bit and concentrate more on processes that the first half of the market can best use. That’s why I am eager to see what happens in Las Vegas in April and at other CRM vendor events next year.

    I’ll close now

    Oracle has become a real cloud company with offerings at the software, platform, and infrastructure levels. But it still takes a data center-centric approach to the business especially when trying to reassure existing customers that there’s time for an orderly migration. It is a “new” cloud company in that it has thousands of successful and very reference-able customers and not tens or hundreds of thousands. Nonetheless, it is making strides and forecasts more than a billion dollars of new cloud business in the year ahead.

    The company’s ace in the hole as it continues moving to the cloud may be its security through silicon approach, which must still be vetted. I might be in the minority about the security announcements but it strikes me that locking down memory and CPU and encrypting data will enable users to starve any malware that tries to gain a foothold.

    Since many cloud and subscription vendors as well as enterprise customers already use Oracle DB and many are buying Exadata devices, we could see a dramatic decline in intrusions and data thefts. But that won’t end the problem; it might simply make the hackers focus more intently on the desktops and smart devices. I don’t think the IoT will take off until security is well in hand and that will ensure the security discussion continues.

    Published: 8 years ago