Oracle M7 Enhances CPU-level Security

As summer turned to fall, the IT industry got together at VMworld and then Re:Invent to celebrate cloud computing.  This translated to software-defined everything – data centers, networking, storage, etc.

Yup, we are deep into a hype cycle where the entire industry is in a state of gaga over all things associated with software like flexibility and agility.  Great stuff but software has to run somewhere so there is and always will be market for high-performance hardware. 

This week at Oracle Open World, Oracle (a company synonymous with software) actually introduced a new piece of hardware along these lines, the SPARC M7.  Now any CPU announcement is bound to focus on raw horsepower and this one is no different.  The M7 is a 32-core, 256-thread CPU built for high-performance computing.  Perfect for database queries and big data analytics but Oracle’s new processor also provides some built-in cybersecurity improvements including:

• Hardware-assisted encryption.  Cryptographic operations are hardware-intensive, placing a real burden on off-the-shelf CPUs that can impact overall system performance.  This is especially true for on-line transaction systems and highly-virtualized cloud data centers demanding encrypted communications between VMs.  The M7 is designed for cryptographically-intensive environments by providing hardware-assisted encryption/decryption in all 32 cores.  With this enhancement, Oracle claims that the new M7 much faster end-to-end encryption than any other commercial CPU available today.  Existing applications that already use SPARC-based encryption will automatically gain additional performance from new M7 processors with no modifications to the code.
• Silicon-based memory integrity protection.  Common exploits like buffer overflows write data to a memory buffer, overrun the buffer’s boundary, and then overwrite adjacent memory segments to execute malcode and compromise systems.  With M7, Oracle is adding security controls at the CPU level for real-time checking of access to memory as a countermeasure to this type of attack.  This is especially useful for protecting multi-terabyte in-memory databases that often contain oodles of sensitive data.  The M7’s silicon-secured memory protection is utilized by the Oracle 12c database by default and Oracle is providing APIs so developers can enhance security protection for other types of applications. 
• Tight software integration.  While M7 security resides deep within a CPU, Oracle is making sure to utilize its silicon-based security across its software portfolio.  For example, M7 security is tightly-integrated with the Solaris 11.3 operating system for encryption acceleration across the databases, Java, existing applications, ZFS file system, as well as network, and host virtual machine migration.  M7 encryption is also tightly-coupled with the Oracle key manager.  This is an important detail for highly-secure enterprises.  As the old cybersecurity adage states: ‘Encryption is easy, key management is hard.’  Oracle is also hinting at future hardware/software security additions to create more trustworthy tamper-resistant systems.

Oracle marries the M7 processors with new servers (T7 and M7) and the SuperCluster M7, calling these systems, “the world’s most secure systems for apps and cloud.”  Yes, this is a marketing label, but it’s worth noting that Oracle believes the addressable M7 market spans way beyond just super-charging Oracle databases alone.  The CPU is really designed for today’s enterprise requirements – massive big data analytics systems, burstable cloud applications, and flexible hybrid clouds.

Given today’s cloud computing innovation, it’s easy to follow the herd and believe that hardware no longer matters.  Those of us that have been around the industry for a few years have heard this rhetoric before.  In truth however, there will always be a place for advanced hardware that can offload operations and greatly accelerate overall system performance and throughput.  With its M7 introduction, Oracle is demonstrating that it is one of few companies that still recognizes this artful balance between hardware and software – even in a software-defined world.