Oracle has been on a security campaign ever since Larry Ellison openly began discussing the new “autonomous database” — so called because it can manage itself, including self-patching and upgrading, without human effort.
The hands-off database can eliminate human labor to keep it tuned and running, according to Oracle, greatly reducing the time between availability and implementation. It also significantly reduces mistakes made by database administrators — errors of omission that happen when humans can’t apply a patch soon enough to prevent an intrusion.
Oracle’s positioning to a large extent reflects the times we live in. Bad actors troll the Internet seeking vulnerabilities, and Oracle, through its service arm, is at least partially on the hook for helping customers recover from breaches. So the company has a pecuniary interest, both in promoting the autonomous database and associated products for security, integration and apps, and in preventing intrusion in the first place.
All of this came to a head in the last few years during Oracle’s litigation against Rimini Street, a third-party service provider for SAP, Oracle, and recently Salesforce systems. The litigation is finally over, and Rimini Street both lost and lost on appeal. It had to pay Oracle for violating 93 Oracle copyrights to support materials.
The Oracle campaign today seems more oriented toward recapturing customers who went elsewhere for support services in order to save 50 percent on the cost of support. Oracle’s point has been that third-party providers don’t have source code and therefore can’t make patches and upgrades, so users of third-party support essentially are frozen in time with aging versions of software. Without updates, their vulnerabilities become more pronounced over time.
The Rimini Street Case
Oracle recently published trial transcripts of testimony given by Rimini Street CEO Seth Ravin on Sept. 16, 2015, which are highly informative in this area.
Following are some excerpts.
Oracle’s Counsel: The — your — your — your counsel talked about the term forced upgrades in opening statement, and that’s referring to new upgrades to new versions of the software, right?
Mr. Ravin: Yes, that a vendor requires that a customer install in order to be eligible to continue support.
Oracle’s Counsel: All right. And Rimini Street, at least until — at least through 2011, as I understand it, did not provide any security updates to its clients, right?
Mr. Ravin: That’s correct.
Oracle’s Counsel: And, in fact, you actually told customers that … they weren’t necessary, right?
Mr. Ravin: Yes, because it’s an outdated model relative to what we call holistic security today.
Oracle’s Counsel: Yeah. All right. Holistic security means don’t put security in the software, just put it in the firewall at your place of business, right?
Mr. Ravin: It’s actually the most innovative version available today for security people, yes.
Oracle’s Counsel: All right. But it involves not putting any security updates in the software to deal with hackers, right?
Mr. Ravin: Right. It’s called virtual patching and firewall systems, yes.
Oracle’s Counsel: Right. And the firewall systems are systems that are maintained by the client, the customer, not by Rimini Street for the customer, right?
Mr. Ravin: That’s correct. They’re responsible for their own firewalls and their own security protections.
There are hundreds of pages of testimony documenting this long legal process, which took years to resolve, but this passage illustrates some of the points in contention in the litigation.
A service vendor told customers to never mind about installing updates. The third party invented a workaround that relied heavily on firewall and other protections, but if a firewall were breached, the customer could face a potentially serious threat. The vendor’s action could be construed as a self-serving justification. It couldn’t make upgrades because it didn’t have source code, so the vendor tried to minimize their importance.
Any customer reluctant to invest the time and effort to install updates and patches — and there are legitimate reasons, such as time and labor shortages — might have the same difficulty maintaining firewall software too. So the prescription might not be especially effective.
Quoting from a Rimini Street email, Oracle’s Counsel went on:
Oracle’s Counsel: “The strategy that we recommend to our clients is to shore up all other aspects of security such as user accounts, network access, firewall rules and system architecture.”
You recommend that they handle the security and that you not worry about security upgrades for the software, right?
Mr. Ravin: That’s absolutely correct. That’s the holistic security model, yes.
That amounts to Rimini Street saying to ignore the security aspects of upgrades, since it can’t provide them anyway, and to concentrate considerable effort on other security features like firewalls.
Some of the questions this raises: Why would anyone want to skimp on security at all? Will this approach take less effort or more? Will the customer attend to firewall maintenance and other recommended procedures?
It’s not a trivial point either. According to an infographic produced by Oracle,
- 65 percent of organizations say their in-house security capabilities are adequate, but
- 80 percent of them have been negatively affected by a cybersecurity attack in the past year.
- The cost of cybercrime is also very high, amounting to US$6 trillion in aggregate by 2021.
The cost of a data breach in 2016 averaged $3.6 million — not counting damage to brands, reputation and employee morale. Some businesses don’t recover from all that.
Lastly, other third parties, like the U.S. Department of Homeland Security, agree on the importance of patching software.
“It is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats.”
Given this, the zeal that Oracle exhibits around the idea of security is understandable.
My Two Bits
Oracle has a reputation for having sharp elbows in the marketplace and the courtroom, but using sharp elbows is a business’ right. The company is completely within its element when pursuing security, and when opposing third parties that attempt to thwart its customers’ security interests, wittingly or not.
Of course, there’s money involved. Losing a support customer is a revenue loss for Oracle, so it has good reason to pursue the outsiders. Still, that pursuit is not automatically a negative for Oracle.
A slightly revised business model, demonstrated by Salesforce and Rimini Street, might go a long way toward correcting this situation. As a cloud software provider, Salesforce takes full responsibility for system patches and upgrades and implements them constantly, not waiting months for an opportunity. The same is true of virtually all other cloud providers.
Cloud providers also bundle level one service into the subscription cost, but there is still room for third parties to offer premium services. Salesforce might lose some revenue for its premium services if customers buy third-party support, but that’s the minor cost associated with having an ecosystem.
That being so, the model of offering conventional support to on-premises systems might be a fading industry being overtaken by cloud computing. This adds another dimension when considering the matrix of costs, pros and cons associated with moving to the cloud.