Only Ho-Hum Security Holes Ahead For In-Memory DBOracle's new performance features shouldn't pose any unique risks, experts say
Coming out of its annual conference last week, Oracle made it clear that it's moving to stave off big data vendors' plays for its core database business. Part of that strategy was a visible launch of an in-memory database processing option that Larry Ellison said speeds "query processing by orders of magnitude" and doubles transaction processing rates. But what of security? Often big performance gains can bring with them equally big headaches, but at this point many database security experts say that in-memory functionality won't add too many unique security threats to the enterprise environment.
"I do not foresee any new attack vectors on in-memory databases," says Adrian Lane, analyst and CTO for Securosis. "I believe the motivation is to counter some of the loss of business to customers that are adopting in-memory flavors of big data."
[Your organization's been breached. Now what? See Establishing The New Normal After A Breach.]
In some ways, Oracle's strategy could actually help organizations minimize risk while still reaping comparable performance to big data storage models that may not be as much of a known commodity as the traditional relational database management system. According to an InformationWeek Reports analysis written by Lane earlier this year, big data security is very much different than relational database security due to the "distributed architecture that poses a unique challenge."
According to Josh Shaul, CTO of database security vendor Application Security Inc., the added option of in-memory caching shouldn't change the database model enough to shift any security paradigms.
"I'm speculating that the in-memory 12c database won't have much of a different security profile than your typical disk-based system," Shaul says.
A vocal critic of Oracle's security missteps in the past, Shaul says that Oracle "did a lot of good work" in developing additional security features to Oracle Database 12c.
"Hopefully all of those security features will be present when you run 12c in-memory," he says. "The performance numbers Oracle is touting will be very attractive to many of their clients that struggle to work with massive quantities of data -- it'd be great to see those performance problems solved in a secure environment."
While it is still too early to know where exactly security researchers might set their sights to pick apart the new option, Imperva CTO Amichai Shulman says that beyond the "usual number of bugs" that can be found in complex software like 12c, the new in-memory functionality could potentially pile on additional risk of denial-of-service (DoS).
"I think that from a security perspective, the added risk introduced by such an offering is of DoS due to fast, uncontrolled memory consumption," Shulman says.
But enterprises should remember not to be complacent about those "usual" bugs -- they're probably lurking there in this first iteration of the new feature, says Slavik Markovich, vice president and CTO of database security for McAfee.
"Whenever a company introduces a big new something, they introduce also a lot of security issues with it," says Markovich, explaining that security always comes second to functionality. "Just as recently as the release of Oracle 12c, they introduced a lot of features, and while introducing these great features, they also introduce security issues. I've already personally seen 10 new zero-day vulnerabilities that could really compromise your database that are being reported to Oracle now."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio