Oracle won't let you turn off security ever again

Security should not have an on and off button, according to Oracle CTO Larry Ellison, who said his company's technology will be invulnerable to threats like Heartbleed and Venom.

Speaking at Oracle OpenWorld in San Francisco yesterday, Ellison claimed security should be enabled by default, and said it had been a mistake to allow customers to turn it off.

"People buy Oracle security features and don't turn them on," the founder of the database giant admitted, before adding: "There should be no off and on button on security. It should be always on. Everything should always be encrypted."

His comments came on the same day that mobile operator TalkTalk admitted it had not encrypted customer data that was stolen by hackers last week, and Ellison warned such instances will only increase as companies move to the cloud.

Referencing the 21.5 million employee records stolen from the US government's Office of Personnel Management (OPM) earlier this year, he said: "[This] caused the CIA ... to have to pull a lot of their agents out of various embassies around the world. This will be a bigger and bigger problem as all of our data goes online."

This has prompted a switch in Oracle's security strategy, from training IT professionals in how to manage its security features to automating them and pushing security further down the stack.

Ellison said: "We have just changed our thinking about security [to] make sure that we have technology that can defeat things like Heartbleed and Venom and can prevent an intrusion in the OPM."

Saying that training staff to manage IT security is a "huge problem" for Oracle, he added: "Wouldn't it be nicer if they were always on and always worked, and you didn't have to do anything?"

Whether or not companies will be happy with Oracle removing their responsibility for managing security features, Ellison plans to embed such measures more deeply into Oracle deployments.

"The lower you push security down in the stack the more pieces of technology inherit the benefits as you go up the stack," he said.

More on the company's security plans is expected to be revealed tomorrow, but Oracle co-CEO Mark Hurd today claimed that enterprise cloud will be completely secure by 2025.

He added: "We have full security implemented in our cloud. Many of our customers aren't up to the latest patches - we are. Fully patched, fully secure, fully encrypted, that's our cloud."