
Doing the right thing for Security within Oracle Cloud Infrastructure

Paul Toal
Distinguished Solution Engineer - Cyber Security
This is a syndicated post, view the original post here

Oracle is working hard within Oracle Cloud Infrastructure (OCI) to provide security that is on by default and simpler and easier to use. By making security easier to adopt, Oracle helps ensure that it is accessible to all organisations of all sizes.

It has long been recognised that security is hard. You only have to look at reports such as the Verizon Data Breach Investigations Report, or examine some of the many data breaches and hacks to see how difficult it is to get it right. Indeed, Oracle and KPMG’s own Cloud Threat Report highlights many of the challenges organisations are facing.

Source: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

There are many articles and publications discussing how Oracle takes a different approach to security through its second-generation Oracle Cloud Infrastructure (OCI).

When looking at how we approach OCI security, we talk about three areas of focus:

  • Security-first cloud infrastructure – Reducing risks from constant threats with security-first design principles that utilize built-in tenant isolation and least privilege access, using constructs like Isolated Network Virtualisation and Hardware-based Root of Trust.
  • Easy to implement security controls – Avoiding misconfiguration errors and implementing controls to enforce mandatory security. Oracle Cloud Infrastructure has 24/7 always-on controls, with layered defences.
  • More than 40 years of experience in global data protection – Helping protect your enterprise data with a cloud security solution that’s backed by decades of experience. Helping address global compliance, data governance, regulatory mandates, and industry requirements. Addressing the need for data sovereignty, privacy, and transparency with Oracle Cloud Infrastructure.

It is the second area that I want to focus on today. As a Cloud provider, Oracle has a responsibility to help customers be as secure as possible. It is a responsibility that Oracle takes very seriously and is one of the core tenets behind OCI. Security shouldn’t be a cash cow that is only available to organisations with deep pockets. Neither should it be complicated to set up and manage, such that organisations either don’t use it, or get it wrong. No, security must be available to all customers, irrespective of size, knowledge, or IT maturity.

Here at Oracle, we are working hard to deliver on our vision and strategy to help make customers more secure by default, and to utilise Oracle’s expertise to help you achieve strong security. We have a number of services within Oracle Cloud Infrastructure specifically designed to deliver that secure-by-default posture and to help you implement security controls easily and cost-effectively. Let me summarise some of the main OCI security services:

Cloud Guard – Providing Cloud Security Posture Management, Oracle Cloud Guard lets you monitor the security posture of your OCI tenant, identify any problems that might weaken that posture and, optionally, allow Cloud Guard to correct them for you. For monitoring OCI configuration and activity, Cloud Guard is provided at zero-cost.


Cloud Guard identifying problems within your OCI tenancy


Maximum Security Zones (MSZ) – Takes Cloud Guard one step further. For your most sensitive resources and data, deploying them into an MSZ means that OCI enforces a highly secure and restrictive security policy around those resources. For example, it will prevent you from making object storage buckets public or creating networks with internet access. It is very complementary to Cloud Guard. Likewise, Maximum Security Zones is provided at zero-cost.

Maximum Security Zones preventing you from creating weak security


Data Safe – Protecting your sensitive data is at the heart of security and Data Safe provides a set of core capabilities to help you secure your data within the Oracle Database. It is democratizing security by making these tools easy to use and implement. With Data Safe you can run security and user assessments against your database, centrally capture audit data, as well as discover and mask sensitive data. As with Cloud Guard and Maximum Security Zones, Data Safe for Oracle Database running on OCI PaaS is provided at zero-cost*.

Data Safe identifies sensitive data within your Oracle Database

* storage of database audit records beyond 1 million records per month incurs a small storage charge within Data Safe.


Cloud Security Advisor – Not everyone is an IT security expert, but that doesn’t mean you should compromise your security as a result. Cloud Security Advisor within OCI provides a set of guided flows to enable you to create resources securely and correctly the first time, and guess what, just like all of the services discussed above, Cloud Security Advisor is provided at zero-cost.

Creating resources securely from the outset.


OCI Vault Keys – All data stored in Oracle Cloud Infrastructure is encrypted at rest, whether in object storage, boot volumes, block volumes, or file system storage service. You don’t have to worry about key management. We will take care of it. However, if you do want to manage your own keys, then we provide OCI Vault, where you can generate and manage your master encryption keys and associate them with the above-mentioned services, all backed by FIPS 140-2 Level 3 Hardware Security Modules (HSMs). There are different flavours of Vault depending on your isolation and performance requirements, but if you are starting out, you can use an OCI Virtual Vault with 20 key versions per month at zero-cost.

Using your own customer-managed encryption key for at-rest encryption


OCI Vault Secrets – Do you need to store sensitive values within OCI for use within different cloud services? For example, does your application server need to connect to a database, but you don’t really want to embed those credentials on the application server? OCI Vault offers secrets management where you can securely store any sensitive values and programmatically retrieve them when you need them. And guess what? Yes, you guessed it, OCI Vault Secrets are provided for use at zero-cost.

Storing sensitive secrets within OCI Vault


Hopefully, this will give you an idea of how seriously Oracle is taking security, whilst making it accessible and usable for all of our customers, large or small. I haven’t covered all security services here within Oracle Cloud Infrastructure. For example, I haven’t talked about OCI Audit, IAM, Flow Logs, Security Lists, Network Security Groups, or Compartments. All are available for you to use to help you build a secure solution deployed on OCI.

Before I go, have a guess how much we charge for each of the services I have just listed in the previous paragraph? You’ve got it, they are all available at zero-cost!
