Oracle

Can Oracle succeed in security?

Submitted by Mike Rothman on Thu, 2006-09-28 11:22.

Dealing with Oracle when you are an analyst is loads of fun. There is no more arrogant company out there. I asked for a briefing on their identity management stuff early this year, and I got the "read our white papers, they'll tell you everything you need to know." It was clear, they didn't have time for analysts that don't have a G or F in their company name.

But that's OK. Oracle has never really been taken seriously in the security space, so it's not like I have a lot of folks asking me about what they are up to. But given the amount of money they've spent on acquiring a space in the Identity Management space and the fact that data security is becoming more real (EMC/RSA being a pretty significant data point), I'll need to suspend disbelief and take another look at what Oracle is up to.

So I was pleased when a little birdie gave me a sneak peek at Oracle's "security strategy" briefing for hundreds of analysts and customers around the world. Shockingly enough, they claim to be the "leader" in security. That's a laugh. But I'll get to that.

First, what does Oracle consider security? Basically it's the stuff they sort of have. Access Control (but they mean Identity), data privacy (database encryption), and compliance (whatever that means). So they are hovering around in what I call information or data security and Identity in Pragmatic Security lingo.

They make a number of bold claims, including integration amongst the products and that their security works consistently across all of their applications. Huh? So they've gutted PeopleSoft and JD Edwards and Siebel and now have a common security model. Maybe on the PPT, but not in reality. Oracle does have a bunch of crap in a bag. But to say it's integrated is insulting the intelligence of the folks that buy stuff from them. Though I know that Oracle holds their customers in high regard. Kind of like CA in the days of yore.

Basically, all of this cool integration and the like is on a Fusion roadmap. Due to the wonders of federation and standards, many of the products (at least on the IAM side) can work together. But that ain't integration, to be clear.

What about data privacy? Well anyone that's even tried to do sophisticated logging on a high transaction production database knows it kills performance. And to try to do field level encryption? No way. Unless you are running at 10% utilization that is. Then you've got plenty of headroom to drive your DB to 90% utilization. Performance has never been their strong suit. But that's what bigger servers are for, no?

And compliance? As I've said a million times, compliance is a process not a product. It's very easy for Oracle to make it a pillar of their security strategy because it doesn't mean anything. So if you can get logging to work, then you can pull a report on it and BAM! You are compliant. Did I mention that I hate compliance lately?

Now that I've rained all over their parade, I'll begrudgingly admit that Oracle will be a factor in data security. If only due to their market presence. Whether we like it or not, Oracle controls much of the data in the largest enterprises in the world. That's a pretty powerful position to be in, but it's far from a mandate to control information security.

To date, no one has a compelling "big story" as to how data security evolves over time. And that creates opportunity for other big players (like EMC, IBM, Symantec and Microsoft) to codify that story and take the thought leadership high ground. It also creates a window for smaller data security players to gain a foothold and thus become acquisition bait.

But Oracle always has Plan B, just in case they can't tell the big story and their roadmap falters - it's the checkbook. There is the old saying that "the enemy of your enemy is your friend." Well over the past few years, Oracle has bought both their friends and enemies until there isn't much left standing.

But these were mature markets. Very much like the CA of old. They are milking the acquired revenue streams. But data security ain't mature. There are no revenue streams to milk.

So Oracle can crow all they want about being the leader of this or the leader of that. Soon enough they'll figure out that security is different. They'll need a more compelling vision for the customer. They'll need to get some application security technology (like a web app firewall). And they'll need to be more respectful of a heterogeneous world.

Oracle is not Cisco or Microsoft. Applications have inertia, but it's nothing like the inertia of the network or the desktop. With the advent of SOA, applications and data can be and will be anywhere and everywhere. A strong disruptive application is much more likely to be adopted than something new in network plumbing or on the desktop.

Maybe they can learn a lesson from CA, which proved that what goes around, comes around. Even if it takes years. But probably not.

EAC Blog: The dichotomy of Microsoft's advance notification

Submitted by Mike Rothman on Wed, 2006-07-26 06:40.
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 7. Link here.
On my Security Incite blog, I've made no bones about how sick I am of Patch Tuesday (here and here). Thankfully the preamble to July's festivities happens during a holiday week, so many of the beat reporters that need this stuff for content are MIA. That's a good thing in my book. But it got me thinking, why does Microsoft pre-announce what they are going to fix anyway?

I checked out Microsoft's web site and saw the following explanation:


As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.

The cynical and devious bastard in me thinks Microsoft is opening holes by pointing out exposures that folks may not have known about. So now the bad guys have roughly six days to get an exploit out there and do some damage.

It's kind of like a bank saying, "We're fortifying the sub-basement under our vault next Tuesday." If you are a bank robber, you know your timetable and where the exposure is. Of course, there is still a lot of work to get in, but you've got a lot more information than you did before. You probably assumed the sub-basement was already fortified, no?

Alas, I also see the other point of view, which is that enterprises (both small and large) need to plan. If Microsoft drops a bomb on Tuesday with a very high profile patch that requires immediate attention, administrators get really pissed. They like to know exactly what is happening and why, even though many of them use automated patching products to "set it and forget it" once it's QA'd by the patch vendor.

The conclusion I come to is that Microsoft is dealing in numbers that mere mortals could only dream about. When they patch something it goes out in volumes of HUNDREDS of millions, not like 10 or 15 or even 1000. They've honed in on a patching process that is far from perfect, but works pretty well over a long period of time. To my knowledge, no one has taken a pre-announced patch and exploited it in the window of opportunity. So they have their bases covered.

There is also a halo effect with most customers about coming clean with issues. Everyone knows that every piece of software has vulnerabilities. Sure Microsoft's software has a lot (relatively more than others), but they acknowledge it and are moving to fix the systemic root causes of the problems.

One man's opinion is that Oracle and Apple should communicate a bit more about things they find. Apple just fixes things, but their software makes the updates relatively transparent and their lack of presence in the data center makes this a non-issue for most enterprises. Oracle, on the other hand, patches once a quarter and doesn't even get to everything. So it's hard to point to Microsoft as a security innovator, but they are eons ahead of the other folks relative to patching problems they created.

Oracle "vaults" towards the secure database

Submitted by Mike Rothman on Wed, 2006-04-26 13:48.
Today Oracle announced a number of security products including "Database Vault" (link here) to protect and limit access to sensitive data and applications. Now administrator access can be segmented and protected to ensure that DBAs don't have free rein. They also announced "Secure Backup" that interfaces directly to tape drives, presumably without requiring 3rd party products (release here).

Oracle has been doing security stuff within the database for years, and it hasn't been enough. That created a market opportunity for folks like Application Security and Protegrity to provide more focus on vulnerability scanning, controlling access and encrypting to specific database elements.

This is another example of Oracle's Microsoft envy. Microsoft perfected the art of sucking more and more functionality into the core platform. So as Microsoft has over time subsumed security capabilities into the OS (and that will accelerate dramatically with Vista and Longhorn), now Oracle is doing the same thing on the database.

The impact to the 3rd party vendors could be significant. 3rd parties will survive based on how well end users understand what they do vs. what Oracle does. And priced at $20,000 per CPU, Database Vault is not really priced to move. Nor does Oracle support other DBMS platforms, so that is a point of leverage for the start-ups.

The backup offering also seems a bit strange. Maybe I'm missing something, but backup is usually taken care of on a broader data center basis. So just doing it for Oracle databases seems a bit restrictive.

But these moves validate what we already know, which is that what Pragmatic Security calls "information security" (of which database security is a subset) is important. Certainly enough for Oracle to think they can sell a lot of it. And the fact that they are selling distinct capabilities (like label security, encryption, virtual private database, and secure backup) separately indicates the immaturity of this security category.

We'll see more of this security being subsumed into the database. Adding security is an obvious direction for someone like MySQL to continue adding value to the open source database.

End users should be focusing on whether Oracle's death by 1000 (or millions depending on the number of CPUs in use) cuts is the right approach as opposed to going with a start-up that won't have a similarly broad product set, but will be multi-platform.