Oracle has been on a security campaign ever since Larry Ellison openly began discussing the new "autonomous database" -- so called because it can manage itself, including self-patching and upgrading, without human effort.
The hands-off database can eliminate human labor to keep it tuned and running, according to Oracle, greatly reducing the time between availability and implementation. It also significantly reduces mistakes made by database administrators -- errors of omission that happen when humans can't apply a patch soon enough to prevent an intrusion.
Oracle's positioning to a large extent reflects the times we live in. Bad actors troll the Internet seeking vulnerabilities, and Oracle, through its service arm, is at least partially on the hook for helping customers recover from breaches. So the company has a pecuniary interest, both in promoting the autonomous database and associated products for security, integration and apps, and in preventing intrusion in the first place.
All of this came to a head in the last few years during Oracle's litigation against Rimini Street, a third-party service provider for SAP, Oracle, and recently Salesforce systems. The litigation is finally over, and Rimini Street both lost and lost on appeal. It had to pay Oracle for violating 93 Oracle copyrights to support materials.
The Oracle campaign today seems more oriented toward recapturing customers who went elsewhere for support services in order to save 50 percent on the cost of support. Oracle's point has been that third-party providers don't have source code and therefore can't make patches and upgrades, so users of third-party support are essentially frozen in time with aging versions of software. Without updates, their vulnerabilities become more pronounced over time.
The Rimini Street Case
Oracle recently published trial transcripts of testimony given by Rimini Street CEO Seth Ravin on Sept. 16, 2015, which are highly informative in this area.
Following are some excerpts.
There are hundreds of pages of testimony documenting this long legal process, which took years to resolve, but this passage illustrates some of the points in contention in the litigation.

Oracle's Counsel: The -- your -- your -- your counsel talked about the term forced upgrades in opening statement, and that's referring to new upgrades to new versions of the software, right?
Mr. Ravin: Yes, that a vendor requires that a customer install in order to be eligible to continue support.
Oracle's Counsel: All right. And Rimini Street, at least until -- at least through 2011, as I understand it, did not provide any security updates to its clients, right?
Mr. Ravin: That's correct.
Oracle's Counsel: And, in fact, you actually told customers that ... they weren't necessary, right?
Mr. Ravin: Yes, because it's an outdated model relative to what we call holistic security today.
Oracle's Counsel: Yeah. All right. Holistic security means don't put security in the software, just put it in the firewall at your place of business, right?
Mr. Ravin: It's actually the most innovative version available today for security people, yes.
Oracle's Counsel: All right. But it involves not putting any security updates in the software to deal with hackers, right?
Mr. Ravin: Right. It's called virtual patching and firewall systems, yes.
Oracle's Counsel: Right. And the firewall systems are systems that are maintained by the client, the customer, not by Rimini Street for the customer right?
Mr. Ravin: That's correct. They're responsible for their own firewalls and their own security protections.
A service vendor told customers to never mind about installing updates. The third party invented a workaround that relied heavily on firewall and other protections, but if a firewall were breached, the customer could face a potentially serious threat. The vendor's action could be construed as a self-serving justification. It couldn't make upgrades because it didn't have source code, so the vendor tried to minimize their importance.
Any customer reluctant to invest the time and effort to install updates and patches -- and there are legitimate reasons, such as time and labor shortages -- might have the same difficulty maintaining firewall software too. So the prescription might not be especially effective.
Quoting from a Rimini Street email, Oracle's Counsel went on:
Oracle's Counsel: "The strategy that we recommend to our clients is to shore up all other aspects of security such as user accounts, network access, firewall rules and system architecture." You recommend that they handle the security and that you not worry about security upgrades for the software, right?

Mr. Ravin: That's absolutely correct. That's the holistic security model, yes.

That amounts to Rimini Street saying to ignore the security aspects of upgrades, since it can't provide them anyway, and to concentrate considerable effort on other security features like firewalls.
Some of the questions this raises: Why would anyone want to skimp on security at all? Will this approach take less effort or more? Will the customer attend to firewall maintenance and other recommended procedures?