"Oracle CloudWorld 2013 - London" in May was a great event. It was great in organisation and the content of presentations - everyone could learn something new. For example, I listened to majority of presentations regarding security and interactions/integration between the client's systems and Oracle's Cloud solutions.
For example, I learned that Oracle offers a virtualised integration between clients' in-house systems and the systems in the Cloud via Oracle agents acting as an ESB. These Agent-ESB are supposed to simplify all integration tasks for the client via replacing integration with external Cloud-located end-points by integration with local, internal end-points. Also, it is assumed that internal client's ESB interact directly with the Agent-ESB in a federated manner.
Sounds simple and straightforward. And it is such, especially if the client opens its border and links with the Oracle's information platform. Particularly, Oracle offers an integrated solution for creating a single sign-on across corporate boundaries that would allow seamless access to the systems and applications in the Cloud from inside of the client's environment and vice verse. The same relates to the access control (authorisation). It is not a big deal that your applications in Cloud are not allowed accessing your in-house file system, RMI or IIOP and that your local DB are also not accessible via JDBC from the Cloud. The fact that this Cloud has established full security integrity with your local systems is much more important.
Well, it is really important to the Cloud but how about you, your systems? Just recall for a moment that Oracle is not your company and its interests are not under your control (you even do not know what will be the next 'big thing' for Oracle and how it affects relationships with you). Oracle is not cheap, which allows to assume that medium-to-large companies use its services. Such companies are capable to create a good defence line around its borders and it is not a fact that this defence is worse than the Oracle Cloud's one. Therefore, when you open your defence line to Oracle for its shared authentication and authorisation systems as well as for its Agent-ESB, you simply acquire uncontrolled (a strange company) and unmitigated (problems with integration) risks. Is this that important to you?
All right, assume that Oracle's defence is not worse than yours but it is still out of your control. Any bad guy who breaks it in Cloud gains a 'green light' road to your internal systems. Is this the type of Cloud solutions you wanted? I do not think so.
We know that Oracle has utilised architectural solutions acquired from WebLogic. The letter had a very good custom to provide secured plugability to its solutions for alternative strange systems if the customer needed. In one presentation I asked Oracle - what if an authorisation system or a Cloud ESB is cheaper from another vendor, can I use them in conjunction with the rest of Oracle's Cloud solution? The response contained a lot of words around commercial policies but it was apparent that the rule was simple - going with Oracle is not assumed any exceptions, alterations or inclusions; client's "economy of scale" was not considered in essence.
If this is the case, we are offered to replace an internal vendor locking with an external Cloud vendor locking. Yes, we learn something new every day.