In the aftermath of this breach, we evaluate if Oracle’s architectural approach can emerge on top.

Additionally, it appears that the breach was due to a structural weakness that had been known for a while.

The contours of the data breach were similar to what Oracle had suggested last year.

Capital One had employed Amazon as its cloud hosting provider and the hacker was identified as an ex-Amazon employee.

In July 2019, Capital One reported that a data breach had led to unauthorized access to data of over 100 million customers.

The Capital One Financial (NYSE: COF) data breach has brought into the limelight the issues that technology can cause. Since Capital One had hosted its data on Amazon (NASDAQ: AMZN) Web Services (AWS), questions about the security of AWS and about Capital One's procedures have also been raised. We look at what happened and how it could alter the perception of Oracle's (NYSE: ORCL) Gen 2 Cloud (OGC).

The incident, as reported by Capital One:

Capital One Financial Corporation announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers. Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada. Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.

Paige A. Thompson, an ex-AWS employee, was charged and arrested for the data breach. Interestingly, Ms Thompson had been quite vocal on Twitter about finding a lot of data that was supposed to be kept safe on AWS instances across 30 companies. The breach, carried out through a server-side request forgery (SSRF) attack, involved specialized knowledge of AWS workings, and the hacker exploited a particular vulnerability in the web application firewall configuration. It is also becoming increasingly clear that Ms Thompson did not intend to profit from selling Capital One's data (and possibly that of many other organizations), but was using the intrusions to mine cryptocurrency. While Amazon has defended itself vigorously, stating that the breach was not caused by its infrastructure, industry experts differ.
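The paragraph above describes an SSRF attack in which a server is induced to fetch a destination it should never reach. The following is an added example, not code from the article, Capital One or AWS: an application-level guard that checks every outbound URL a server is asked to fetch and refuses destinations that resolve to loopback, link-local, private or other non-public addresses. The host names, addresses and the `constructed_resolver` lookup table are constructed for the example so that it runs offline; in production the default resolver does a real DNS lookup.

```python
"""Application-level SSRF guard (added example; not the article's or any vendor's code).

A server-side fetcher that follows user-supplied URLs should refuse any destination
that is not a globally routable address, and should re-run this check after every
redirect, since a redirect can point back inside the network."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> Iterable[str]:
    """Default resolver: every A/AAAA answer for host, so one public answer cannot
    hide a private one (DNS rebinding style tricks still require re-checking at
    connect time; this covers the resolution step)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, private (RFC 1918), link-local (169.254.0.0/16, where cloud
    instance metadata endpoints live), shared/reserved space and multicast."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return ip.is_global and not ip.is_multicast


def check_outbound_url(
    url: str, resolver: Callable[[str], Iterable[str]] = resolve_all
) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = list(resolver(host))
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        try:
            public = is_public_address(addr)
        except ValueError:  # e.g. scoped IPv6 literal we cannot classify
            public = False
        if not public:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS table for offline demonstration (not real records).
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.3.7"],
    "dual.example.com": ["93.184.216.34", "10.0.0.9"],  # one public, one private answer
}


def constructed_resolver(host: str) -> List[str]:
    """Offline stand-in for resolve_all: IP literals resolve to themselves."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/report",
        "http://169.254.169.254/latest/",
        "http://internal.example.com/",
        "http://dual.example.com/",
        "http://[::ffff:10.0.0.1]/",
        "file:///tmp/anything",
    ):
        print(candidate, "->", check_outbound_url(candidate, constructed_resolver))
```

The design point is that the check is made on every address the host resolves to, not on the host name alone, and that `dual.example.com` is rejected because a single private answer is enough. The same function must be called again for each redirect target before it is followed.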

Evan Johnson, a security engineer at Cloudflare (NET), states:

The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it. The problem is common and well-known, but hard to prevent and does not have any mitigations built into the AWS platform.

While one may wonder whether Evan Johnson has the right credentials to question AWS, it is harder to dismiss some of the more high-profile AWS customers who have been working to thwart such incidents. The security team at Netflix (NASDAQ: NFLX), an AWS customer, had developed a methodology to detect credential compromise on AWS as far back as August last year.

Per the post by Netflix,

Do bear in mind the “defense in depth” truism: this should only constitute one “layer” of your security tactics in AWS.

Despite having devised a methodology to detect credential compromise in AWS, Netflix still cautions that it is just one layer!
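The Netflix approach referred to above rests on a simple observation: temporary credentials issued to an EC2 instance should only ever be used from that instance. The following is an added example, not Netflix's or the article's code, that replays CloudTrail-style records against an inventory of the addresses each instance calls AWS APIs from and flags instance-role credentials used from anywhere else. The log records, account id, role names, instance ids and the `INSTANCE_IPS` inventory are all constructed for the example; the one real convention relied on is that EC2 instance-profile credentials carry the instance id as the role session name in the assumed-role ARN.

```python
"""Detecting EC2 instance-role credentials used from outside the instance
(added example; a simplified version of the idea the article attributes to Netflix,
not their code).  Records and inventory below are constructed."""
import ipaddress
import json
from typing import Dict, List, Optional, Set

# Constructed inventory: instance id -> public/elastic IPs that instance's API calls
# are expected to originate from (e.g. its own public IP or its NAT gateway).
INSTANCE_IPS: Dict[str, Set[str]] = {
    "i-0aaa111bbb222ccc3": {"198.51.100.10"},
    "i-0ddd444eee555fff6": {"198.51.100.22", "198.51.100.23"},
}

# Constructed CloudTrail-style records, one JSON object per line, trimmed to the
# fields this check uses.  Account id 111122223333 and all addresses are made up.
SAMPLE_LOG = """
{"eventID": "e1", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.10", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/WebAppRole/i-0aaa111bbb222ccc3"}}
{"eventID": "e2", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.77", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/WebAppRole/i-0aaa111bbb222ccc3"}}
{"eventID": "e3", "eventName": "GetObject", "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/BatchRole/i-0ddd444eee555fff6"}}
{"eventID": "e4", "eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/BatchRole/i-0ddd444eee555fff6"}}
{"eventID": "e5", "eventName": "CreateUser", "sourceIPAddress": "192.0.2.9", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"}}
{"eventID": "e6", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.78", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/WebAppRole/i-0999888777666555a"}}
"""


def instance_id_from_arn(arn: str) -> Optional[str]:
    """For an assumed-role ARN the last path segment is the role session name; EC2
    instance-profile credentials use the instance id ("i-...") as that name."""
    parts = arn.split("/")
    if len(parts) == 3 and ":assumed-role/" in arn and parts[2].startswith("i-"):
        return parts[2]
    return None


def is_ip_literal(text: str) -> bool:
    """CloudTrail puts a service DNS name in sourceIPAddress for service-initiated
    calls; only real client IPs are meaningful for this check."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def find_credential_misuse(log_text: str, inventory: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per event where instance-role credentials were used from an
    address not in the instance's inventory, or by an instance not in the inventory."""
    findings: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        identity = event.get("userIdentity", {})
        if identity.get("type") != "AssumedRole":
            continue  # IAM users and root are outside this check's scope
        instance = instance_id_from_arn(identity.get("arn", ""))
        if instance is None:
            continue  # assumed role, but not an EC2 instance profile session
        source = event.get("sourceIPAddress", "")
        if not is_ip_literal(source):
            continue  # service-invoked call, no network client to compare
        expected = inventory.get(instance)
        if expected is None:
            reason = "unknown-instance"
        elif source not in expected:
            reason = "ip-mismatch"
        else:
            continue
        findings.append({
            "eventID": event.get("eventID"),
            "eventName": event.get("eventName"),
            "instance": instance,
            "sourceIP": source,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in find_credential_misuse(SAMPLE_LOG, INSTANCE_IPS):
        print(json.dumps(finding))
```

Record `e2` is flagged because the credentials of `i-0aaa111bbb222ccc3` are used from an address the instance is not known to use, and `e6` because no such instance exists in the inventory; `e4` is skipped because the call was service-initiated. As the Netflix post stresses, this is one layer: the inventory has to be kept current as elastic IPs and NAT gateways change, and a stale inventory produces false positives rather than detections.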

The nature of this vulnerability, and the fact that its existence has been known for so long, raises the question: Why has no one spoken loudly enough about cloud security? One reason could be the awe that Amazon commands: a conglomerate spanning healthcare to retail, which has turned the excess capacity left by the ebbs and flows of its underlying business into the world's leading public cloud company! Make no mistake, AWS is and has been the leader in the public cloud space for a while.

God himself did try to warn us!

Rewinding to October 2018, a gentleman did try to voice his concerns about the security vulnerabilities in the traditional, or erstwhile, cloud architectures. While many may not agree with Larry Ellison on a host of issues, his prescience about the situation is worth pondering.

Ellison had stated that while he and others at Oracle were far ahead in the cloud race in the applications market, Oracle was late to the infrastructure party. He acknowledged that AWS was the pioneer and that when Oracle tried to ape AWS (as most of the market was doing), it faced many issues ranging from cost to security.

For simple applications such as streaming, security concerns may not be as important as they are for transaction-based businesses. To Ellison, this has been one of the key reasons why the Gen 1 architecture clouds took off so well. They were chasing low-hanging fruit, which seems to be getting exhausted, as is evident in the slowing growth across the cloud majors.

Ellison raised another important point: trust. He had a valid point: anyone paying with a credit card gets access to the Gen 1 or traditional cloud, implying that should a bad actor gain access to a Gen 1 cloud provider's computer, they could theoretically damage other customers' data as well as the public cloud provider's control code (which is stored on the same set of machines).

Similarly, all employees have access (at least theoretically) to customer data. This theory became reality in the case of Capital One.

Then there is the issue of how to fix a vulnerability or breach once it is discovered. Most attacks or breaches are carried out through sophisticated code. In the case of Capital One's SSRF attack, the Capital One server was tricked into running commands that should not have been permitted. Some 30 other entities were subject to this data breach, and it took a while to discover and pin down the attacker. Part of the reason was that the investigation was led by human effort; the obvious speed mismatch will cost millions (billions?) of dollars. Oracle's Gen 2 appears to address all of these issues.

Owing to the intelligent bots that OGC employs, Oracle claims that its systems can not only eliminate threats locally but also deploy patches to its databases on the fly.

In Gen 1 public clouds, not only do multiple customers' code share the same machines, but the cloud provider's own code sits on the same set of machines as well.

Oracle's Gen 2 appears to be more secure from a structural standpoint: Oracle's cloud control code is off limits. Because a customer's machine is isolated (for customers opting not to share), if a customer machine does get infected, the infection does not spread to all.

Growth from migrations

One of the reasons for the rise of hybrid computing has been the unwillingness of customers to move mission-critical workloads to the public cloud for security reasons. The Capital One data breach could lead such customers to think twice before considering the public cloud.

With the isolation it can provide, Oracle can replicate on-premises-like security for customers. Of course, for Oracle, such enterprises could be the right audience to educate about the difference between Gen 1 and Gen 2 architectures, making the alliance with Microsoft (NASDAQ: MSFT) for cloud interoperability the right move for Oracle.

In June 2019, Oracle and Microsoft announced that their clouds would become interoperable, i.e. customers would be able to migrate and run their workloads across Microsoft's Azure and Oracle's Gen 2 cloud. Considering that Ellison's warnings on security have almost come true, and that per Ellison Azure has an architecture similar to AWS, the partnership with Microsoft may tilt the balance of benefits in favor of Oracle.

Prestige and perception

Furthermore, while AWS is the only public cloud vendor cleared to host confidential government data, earlier this month AWS' claim to the prestigious Joint Enterprise Defense Infrastructure (JEDI) program also took a hit. (JEDI is a government contract that can be worth up to $10 billion.)

Although the Pentagon had shortlisted Amazon and Microsoft as JEDI finalists, following Oracle's complaint that Amazon offered jobs to Pentagon employees working on the JEDI contract, the Pentagon Inspector General has reportedly opened an inquiry into potential misconduct.

In addition, we are investigating whether current or former DoD officials committed misconduct relating to the JEDI acquisition, such as whether any had any conflicts of interest related to their involvement in the acquisition process.

While the Pentagon will be assessing procedural lapses in the award of the contract, should the Capital One data breach surface more damning evidence about how the data of the other 30 impacted corporations was treated, AWS' reputation as the de facto choice for public cloud could be seriously dented.

The company's troubles could increase further now that it has been named as a defendant in the lawsuit against Capital One.

The new lawsuit, filed this week in federal court in Seattle, is unique because it includes Amazon as a defendant. It argues that Amazon knew about a vulnerability allegedly exploited by the hacker, Seattle-based engineer Paige Thompson, to pull off the attack and “did nothing to fix it.” The alleged attacker, a former AWS employee, hacked into a misconfigured web application firewall.

But is Oracle a white dove?

Maybe not. What could crash the party for Oracle are its internal issues. In addition to Oracle's questionable selling tactics, Oracle's directors have recently asked shareholders to go ahead with a multi-billion-dollar suit against the company, alleging that Larry Ellison had a conflict of interest when Oracle bought NetSuite, since Ellison was a major shareholder of NetSuite.

Conclusion

We think that in the battle between technological superiority and corporate governance issues, the former is likely to emerge as the winner. Even if the Oracle lawsuit against Ellison does go through (which, by the way, has many legal hurdles to cross), it will be a finite cost. In the case of the technical issues discussed, the combined cost to all the affected parties, together with the cost of other similar attacks, would easily dwarf what Ellison would need to pay. Additionally, the risks posed by technological oversights could cause significant damage to public cloud players still operating on the Gen 1 architecture.

Should Ellison be found guilty of siphoning off money (which is what an overpriced purchase of NetSuite would have amounted to), Oracle's reputation would no doubt take a hit. However, compared with an act of financial misappropriation, willful avoidance of fixing technological issues (akin to selling damaged goods) is much more serious. Thus, we maintain our thesis on Oracle.

