Oracle cloud takes aim at 'nosy neighbours'
It’s well known that organisations are struggling to protect themselves against cyber attacks, but it turns out that they are failing profoundly.
According to consultancy firm Ovum’s ICT Enterprise Insights survey, conducted from 2018 to 2019, just over 14% of respondents said they had a fully developed approach to cybersecurity. This year, this figure has dropped to 11%.
This is a fact not lost on Oracle. At its annual OpenWorld conference, held in London this week, Oracle said it was paying particular attention to securing its customers’ data in its cloud, even at the level of the processor.
Oracle has also paid particular attention to the threats presented by the Meltdown and Spectre vulnerabilities, in which it is possible for a program to steal information from a processor. With co-tenancy of customer data on the same processor, these ‘noisy’, or in this case, ‘nosy neighbours’ are causing disquiet among those considering a move to cloud.
According to Wim Coekaerts, senior vice-president for software development at Oracle, it separates customers’ data from its control plane.
“Cloud was designed around running virtual machines on a server and sharing it with others. When we built our second-generation cloud, we made sure that there’s no code that we own that’s running on the same system as the customer’s.
“The customer has a bunch of central processing units (CPUs), a network connection and storage. We share nothing with them or any of our other customers. The control plane of the entire cloud runs outside of the physical system.”
He says a “really paranoid” customer might not want to adopt cloud because of fears of sharing data.
Asked by ITWeb about the likelihood of this kind of attack, Coekaerts said the threats were real.
“You don’t want it to happen in a cloud environment. It has created enormous concern for many of our large customers,” he said, particularly around sensitive financial or human resources data.
“This prevents them from feeling comfortable about moving to a cloud platform. They want to, but they say they aren’t ready yet because it’s a security concern. For us to have that in the design takes their concerns away, and if it helps us get more customers into our cloud, even if it’s only theoretical, it’s still a limiting factor for many folks.”
He also believes that we have not seen the last of these kinds of exploits.
“That wasn’t the last of it. If you look at the microcode updates that have happened in the last two years, there’s always something in the space that wreaks malware. And when the next one hits, you’ll be safe because we’ve dealt with that problem.”
Maxine Holt, research director: security at Ovum, said at the conference that while organisations are attempting to expand their thinking around security, the threat landscape is also evolving.
“We’ve got on-premises infrastructure and software, and public, hybrid and multi-cloud, and it stretches the challenges that enterprises have to deal with.”
Holt said she’s seen three broad trends emerge: Enterprises are paying closer attention to identity management; they’re shifting more resources towards detection and response; and there is more automation being used in cybersecurity.