A Better Solution for Software Security

2017 is shaping up to be the year of the security breach (just like 2016, 2015, and so on). Equifax lost financial data on 145.5 million people—leading to the now-former CEO having to answer tough questions in front of Congress. We also learned that hackers exposed information from over three billion Yahoo accounts. And those were just two of the highest-profile cases. With news like that, it’s no wonder that security is top of mind for everyone, not just CIOs and CSOs. I even received a request recently during an interview to explain software patches.

So what are software patches? Simply put, a patch is a repair to a piece of software, plugging a security hole or fixing an error. When we at Oracle find a security vulnerability in our software, we release a patch that prevents bad guys from taking advantage of the flaw. But the patching process itself is vulnerable: when we release a patch, it can take about a year for all of our customers to install that fix on their on-premises systems. Think about living with a vulnerability for a year. We know about the problem, we’ve patched it, but you’re still at risk.

Why is patching so hard for our customers? On-premises systems are almost always a hodgepodge of systems, running on different platforms with different operating systems and using different databases – even different versions of the Oracle Database. Our customers can literally be running hundreds of different configurations. And that makes those environments very vulnerable. So patching sounds easy, but for most environments, it’s really very difficult. The Equifax case is a great example of how things can go wrong. Equifax holds a treasure trove of vital information about a huge number of people in the U.S. They were using open-source software, and there was a patch available from the software’s development community, but it took Equifax employees three months to put it in place. By then, it was too late.

Luckily, there are a few solutions that Oracle offers to address this problem. As I discussed at this year’s Web Summit in Lisbon, we’ve just announced the world’s first self-driving database managed by artificial intelligence that auto-patches immediately. If you’re running Oracle Database in the Oracle Cloud, you’ll get the patch as soon as we release it.

Encryption is the next defense. Only about half of one percent of data in on-premises systems is encrypted, but one hundred percent of the customer data in our cloud is encrypted. It’s hard to imagine that you’ll ever be as secure in an on-premises system as you will be in the cloud.

One of my predictions for 2025 at Oracle OpenWorld this year was that enterprise clouds would be the most secure place for IT processing. But that’s not really a prediction – it’s conceivably the reality right now. Complex systems have vulnerabilities that bad people can exploit. And these bad guys are clever and capable; they know how to take advantage of those vulnerabilities. We see that activity and defend ourselves against it every day. Business managers are telling me, ‘I want to move this risk. I want to move this complexity. I want to move this cost.’ They want to move it from their data centers to ours because, while it might sound counterintuitive, simple systems in the cloud can be the most secure systems.