US government agencies manage critical data at varying sensitivity levels, requiring a variety of comprehensive cloud solutions for data protection. To address the diverse security and compliance needs of US government customers, Oracle Cloud Infrastructure (OCI) offers cloud environments for every US government customer, including accreditations at Federal Risk and Authorization Management Program (FedRAMP) High, Defense Information Systems Agency (DISA) Impact Level (IL) 2/4/5/6, and both Secret and Top Secret/Sensitive Compartmented Information (SCI) for the defense and intelligence community.

These OCI regions built for the US government are operated solely by individuals with the appropriate citizenship and clearance. For example, Oracle US Government Cloud and US Defense Cloud are supported by US citizens operating on US soil. Oracle National Security Regions (ONSRs) are air-gapped environments supported by government-cleared US citizens. ONSRs support Secret, Top Secret, SCI, and SAP workloads. All ONSR operations are performed from securely managed Cloud Network Operations Centers (CNOCs) by staff with TS/SCI clearances.

 

Authorizations for US Gov Cloud, US Defense Cloud, and Oracle National Security Regions

In this blog, we’ll discuss the characteristics of the above cloud realms, network isolation, operations, and more.

What is a realm?

A realm is a physical and logical collection of separate cloud regions. By default, customer content does not traverse realm boundaries to a different realm. A realm enables Oracle to provide defined capabilities across regions that address the specific security and compliance needs of that realm’s customers.

OCI’s unique isolated realm architecture helps simplify and strengthen both data sovereignty and operational sovereignty. Other cloud providers might rely on customer-controlled policies or merely confidential computing. OCI also offers these features, and we aim to make cloud governance simpler and more secure with dedicated infrastructure.

OCI offers a variety of cloud deployment models as part of our Oracle distributed cloud strategy. Oracle’s cloud realms are physically separate from each other, so no matter which deployment model you choose, your workloads are completely isolated and physically separate from other Oracle cloud realms.

Physical realm isolation

Most importantly, the physical isolation of OCI’s realms means that the data within these realms is also isolated from other customers. For US agencies handling sensitive government data, this is crucial in helping to secure data that may concern our national security. Following are the key features of realm isolation.  

  • Dedicated environment: Dedicated hardware and network infrastructure are geographically dispersed within a specific region, creating a fully segregated environment that prevents unauthorized cross-realm access.
  • Enhanced security: Because realms are isolated, the potential attack surface is reduced, minimizing the risk of threats spreading across customer environments.
  • Compliance: OCI has obtained the requisite US government accreditations for each respective realm, helping customers meet strict compliance requirements.

Physical and logical isolation between realms

Network isolation

While we’re on the subject of isolation, let’s look at networking. In first-generation cloud offerings, if a successful cyberattack compromises a virtual machine instance and subsequently a hypervisor, there are no barriers to prevent an attacker’s attempts to modify the network. The networking function is managed by the same hypervisor that has been compromised, so a virtual machine escape that gains access to the hypervisor also has access to the network. This can lead to threats to hosts on the network and could expose private tenant data.

Threat containment and reduced risk: a comparison of other cloud service providers and OCI

OCI is built differently using a custom-designed SmartNIC that isolates and virtualizes the network. The SmartNIC is isolated by hardware and software from the host, preventing a compromised instance from compromising the network. OCI maintains greater external control of host network functionality and can help prevent network traversal attacks.

Secure and restricted operations

Customers may bring sensitive data into Oracle US Government Cloud and US Defense Cloud, and classified data into Oracle National Security Regions. Oracle is committed to keeping that data secure and out of the hands of US adversaries. While Oracle employees never have access to customer-hosted content in these cloud environments, OCI confirms that anyone with access to the cloud infrastructure, updates, or security patches in our US government and classified cloud environments meets or exceeds citizenship and security clearance requirements.

Everything Everywhere®

With Oracle’s Everything Everywhere® commitment, Oracle’s services, tools, and functionality in commercial public cloud regions are made available in government and classified regions. This commitment provides government customers with access to the full OCI innovation pipeline with controls that help enhance security and help achieve compliance. Each service offered in US government realms undergoes rigorous accreditation processes to meet required standards for security and compliance, including FedRAMP, DISA, or ICD 503. See Oracle Cloud Compliance for more information.

Additionally, while some cloud service providers charge more for government and classified cloud regions, OCI offers our government customers the same consistent pricing as our commercial cloud regions, with no price increase for higher security classification environments.

Conclusion

Oracle is committed to providing secure and compliant cloud solutions to US government, defense, and intelligence customers. With these solutions available at all US government security classifications, customers can address their data residency, classification, operational, and security requirements. We’re also committed to offering OCI services at the same, consistent global pricing as our commercial public cloud regions.

For more information, reach out to your Oracle sales representative or try out our sovereign cloud solutions navigator to see what sovereign cloud solution fits your needs.

Resources