Oracle calls for end-to-end data encryption

By Jon Tullett, Editor: News analysis
San Francisco, 28 Oct 2015
We are not winning the cyber battles against hackers, says Oracle CTO Larry Ellison.

After millions of data breaches and stolen records, Oracle CTO Larry Ellison says the industry needs to drastically change its approach to safeguarding data.

"We are not winning these cyber battles," Ellison said. Attacks like Heartbleed and Venom have shaken the industry's confidence, but more bugs are inevitable, he added.

"We need to encrypt all our data, all the time, so even if it's stolen the hacker gets nothing of value. Security shouldn't have an on/off switch: it should be always on, all the time. Everything should be encrypted, all the time."

Ellison used the Oracle OpenWorld conference in San Francisco to announce a series of security enhancements to Oracle products, including encryption and memory protection in hardware, crypto key management, and improved security auditing capabilities.

Securing servers

Oracle's new Sparc M7 processors introduce novel memory protection dubbed "silicon secured memory", which extends conventional virtualisation protection.

Individual processes are assigned cryptographic "colour code" keys every time they request memory allocation, and future requests to read the memory back must be accompanied by the matching key. Any attempt to read or write memory without the correct matching code results in the offending process being terminated and an alert being raised.

"This is always-on memory intrusion detection, in silicon. We want to push the security mechanisms as far down the stack as possible, because doing so makes it that much harder to attack," Ellison said. "Silicon secured memory is always looking for Heartbleed- or Venom-type violations. And you can't turn it off."
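The following is an added toy model of the colour-code check described above. It is constructed for illustration and is not Oracle's silicon secured memory: the 16-byte granule, the 4-bit colour space, the bump allocator and the "refuse and count" response (where the real hardware would terminate the process) are all assumptions of this simulation. It shows why a Heartbleed-style over-read and a use-after-free both surface as colour mismatches.

```c
/* Toy model of "colour code" memory tagging (constructed illustration; the
 * granularity, colour width and fault handling are assumptions, not the M7's). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE      16                     /* assumed tagging granularity in bytes */
#define HEAP_BYTES   4096
#define NUM_GRANULES (HEAP_BYTES / GRANULE)
#define NUM_COLOURS  16                     /* assumed 4-bit colour space; 0 = untagged */

static uint8_t heap[HEAP_BYTES];
static uint8_t granule_colour[NUM_GRANULES]; /* colour stored alongside each granule */
static size_t  heap_top;
static uint8_t next_colour = 1;
static int     violations;

typedef struct {
    size_t  offset;   /* start of the allocation inside heap[] */
    size_t  len;      /* requested length */
    uint8_t colour;   /* colour the pointer carries; must match the granule's colour */
} tagged_ptr;

void reset_heap(void) {
    memset(heap, 0, sizeof heap);
    memset(granule_colour, 0, sizeof granule_colour);
    heap_top = 0;
    next_colour = 1;
    violations = 0;
}

int violation_count(void) { return violations; }

/* Bump allocation: every granule of the block gets the same fresh colour,
 * and the returned pointer carries that colour. */
tagged_ptr tagged_alloc(size_t len) {
    size_t granules = (len + GRANULE - 1) / GRANULE;
    tagged_ptr p = { heap_top, len, next_colour };
    for (size_t g = 0; g < granules; g++)
        granule_colour[heap_top / GRANULE + g] = next_colour;
    heap_top += granules * GRANULE;
    next_colour = (uint8_t)(next_colour % (NUM_COLOURS - 1) + 1);  /* cycle 1..15 */
    return p;
}

/* Free: strip the colour, so a stale pointer still carrying the old colour
 * mismatches on its next access. */
void tagged_free(tagged_ptr p) {
    size_t granules = (p.len + GRANULE - 1) / GRANULE;
    for (size_t g = 0; g < granules; g++)
        granule_colour[p.offset / GRANULE + g] = 0;
}

/* The check the article describes: compare the colour carried by the pointer
 * with the colour stored for the granule being touched. On mismatch, record a
 * violation and refuse the access (real silicon would terminate the process). */
static int colour_check(tagged_ptr p, size_t idx) {
    size_t off = p.offset + idx;
    if (off >= HEAP_BYTES || granule_colour[off / GRANULE] != p.colour) {
        violations++;
        fprintf(stderr, "colour mismatch at heap offset %zu\n", off);
        return -1;
    }
    return 0;
}

int tagged_read(tagged_ptr p, size_t idx, uint8_t *out) {
    if (colour_check(p, idx) != 0) return -1;
    *out = heap[p.offset + idx];
    return 0;
}

int tagged_write(tagged_ptr p, size_t idx, uint8_t v) {
    if (colour_check(p, idx) != 0) return -1;
    heap[p.offset + idx] = v;
    return 0;
}

/* Scenario 1: a Heartbleed-style over-read. The caller reads more bytes than
 * its buffer holds; bytes that spill into the neighbour's granule carry a
 * different colour and are refused. Returns how many reads were rejected. */
int demo_over_read(void) {
    reset_heap();
    tagged_ptr req    = tagged_alloc(16);  /* exactly one granule, colour 1 */
    tagged_ptr secret = tagged_alloc(16);  /* next granule, colour 2 */
    for (size_t i = 0; i < 16; i++) {
        tagged_write(req, i, 'A');
        tagged_write(secret, i, 'S');
    }
    int rejected = 0;
    uint8_t b;
    for (size_t i = 0; i < 32; i++)        /* bug: 32 bytes read from a 16-byte buffer */
        if (tagged_read(req, i, &b) != 0) rejected++;
    return rejected;                       /* 16: every byte of the neighbour */
}

/* Scenario 2: use-after-free. Returns 1 if the stale read was refused. */
int demo_use_after_free(void) {
    reset_heap();
    tagged_ptr p = tagged_alloc(8);
    tagged_write(p, 0, 0x42);
    tagged_free(p);
    uint8_t b;
    return tagged_read(p, 0, &b) != 0;     /* 1: colour no longer matches */
}

int main(void) {
    printf("over-read bytes refused: %d\n", demo_over_read());
    printf("use-after-free refused:  %d\n", demo_use_after_free());
    return 0;
}
```

Two properties of the model are worth noting because they hold for any tagging scheme of this shape: an access that stays inside the padding of its own granule is not caught, since that padding carries the allocation's own colour, and with a small colour space a real allocator has to place neighbouring blocks so that they never share a colour (the cyclic assignment above guarantees that for adjacent allocations only).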

Silicon-secured memory is currently exclusive to the Sparc platform, and Ellison recognises that most customers have far more extensive fleets of x86 processors in their data centre; he suggests deploying limited numbers of M7s in an intrusion detection role.

"You can deploy these in small numbers in a scale-out environment. Run the same operating systems and applications as on your x86s, and as soon as a process triggers an alarm, use that to go investigate and terminate the same process everywhere else."

The same M7 processors also include hardware acceleration for encryption and compression. "You should be able to run encryption with no overheads, so there's zero impact on applications," Ellison said.

Securing the cloud

Customers also need to do more to secure their cloud applications, Ellison said. Cloud providers are in a sensitive position regarding data security: they should be best positioned to build and offer secure environments, but Edward Snowden's revelations of systematic spying on data centres caused concern among customers and regulators.

Oracle, like other providers, offers key management solutions which ensure cloud data is encrypted without Oracle or its partners having any access to the unencrypted data.

"This is a question you should ask every cloud service provider: can your technical people see our data?" Ellison said. "Can your DBAs read our data? Everything should be encrypted, all the time."