Not just for Government customers: Gold standard security and controls with Oracle Government Cloud

April 26, 2021 | 5 minute read
Robert Huie
Partner Architect

Did you know that non-government customers can use the Oracle Government Cloud regions that are FedRAMP High authorized? Non-government customers include organizations working directly with the government, universities, and state agencies. Other non-government organizations require more protection for their infrastructure, such as aerospace and defense customers that provide manufacturing for the government. Finally, highly regulated companies, such as banking, utilities, insurance, and healthcare entities, are looking for more security controls to protect the data they process in support of US government entities.

For the last group, it helps to understand the FedRAMP compliance standard. FedRAMP is a program established and run by the US government that provides a standard approach to authorization, security assessment, and continuous monitoring. It uses the National Institute of Standards and Technology (NIST) Special Publication 800 series (the gold standard) as a baseline for security.

What is FedRAMP?

The FedRAMP program supports various levels of authorization: Impact level Low, Medium, and High. FedRAMP High indicates that the cloud provider has adhered to controls to protect and minimize the impact of a severe or catastrophic adverse effect on data that involves life, financial ruin, or economic crisis.

A cloud service provider (CSP) that has obtained FedRAMP authorization has met the security standards set by the US government. US government agencies can trust the cloud service provider to store and process their data securely. Achieving FedRAMP High is a long and arduous process. You have to implement over 400 controls within your systems and have them audited by a third-party assessment organization before the US government even reviews your systems to provide the final blessing.

If you’re working with a US government customer and plan to use a cloud service, the contract most likely requires FedRAMP authorization, usually with a FedRAMP High level of compliance. In fact, the US government requires FedRAMP when using a multitenant cloud. If you’re not a US government agency, you can still take advantage of the extra security controls.

In this post, I list a few alternative use cases where non-government entities, such as private corporations, can use Oracle Government Cloud’s FedRAMP authorization to their advantage. Today, we have a comprehensive set of services available in Oracle Government Cloud, and with our Everything Everywhere initiative, we can have parity between Oracle commercial cloud and Oracle Government Cloud soon.

Who else needs FedRAMP?

You might think that only federal, state, and local governments can use our Oracle Government Cloud, but that’s not entirely true. Any company or organization that exclusively supports federal, state, and local agencies (US Public Sector entities) can use the Oracle Government Cloud regions. Let’s look at some examples.

  • Aerospace, Defense, and Systems integrators (SIs): Systems integrators store information about and related to the US government. The US government expects this data to be secured and protected to the same degree as sensitive data related to the US government. So, the business systems that these companies use are better off when running in a FedRAMP High environment. If these environments are Oracle applications, even better. We know that these applications can be easily lifted and shifted onto Oracle Government Cloud. If you’re designing, modeling, or manufacturing parts and require high-performance computing (HPC), you can take advantage of our FedRAMP High HPC offering.

  • Software as a service (SaaS) and independent software vendors (ISVs): If you have a SaaS or ISV offering and are looking to gain market share with US Public Sector customers, you can take advantage of Oracle Government Cloud’s FedRAMP High authorization. Because Oracle Government Cloud has already achieved this authorization, you can deploy your SaaS offering on top of Oracle Government Cloud Infrastructure. Our infrastructure gets your offering ahead in achieving a FedRAMP authorization without requiring you to invest in a data center yourself and go through the arduous FedRAMP auditing process for your data center. You only need to use Oracle Government Cloud’s security controls and get the SaaS portion of your offering FedRAMP authorized.

  • Managed service providers (MSPs): Similar to SaaS offerings, if you have an MSP offering, such as 24/7 monitoring, backup and disaster recovery, managed security, or a customer application working with US Public Sector agencies, you might need to seek FedRAMP authorization for your offering. As with SaaS, you can be halfway to deploying your managed services onto Oracle’s already FedRAMP High-authorized cloud. Get your services FedRAMP authorized, reducing some of your efforts. If your managed service is Oracle-related, you can work in the same data center instead of managing multiple data centers and having the network traffic traverse through multiple networks and cloud providers.

  • Intellectual property (IP), personally identifiable information (PII), or protected health information (PHI): If you’re a private company that requires protection of IP, PII, or PHI, such as banking, utilities, insurance, and healthcare entities in support of the US government, consider hosting this data in a FedRAMP authorized environment. FedRAMP is considered a gold standard for cloud data security. It offers an extra layer of continuous monitoring, testing, reporting, and auditing, helping you protect your business, financial, or health systems that contain IP, PII, or PHI, with added FedRAMP security controls.

Why Oracle Government Cloud?

Along with letting you inherit the extra level of effort that went into obtaining FedRAMP High authorization, Oracle Government Cloud has the following advantages:

  • No extra costs: Oracle Cloud Infrastructure (OCI) provides low, predictable pricing across all regions and services. If you want to take advantage of Oracle Government Cloud, you incur no extra costs.

  • Isolated regions: Unlike some of our competitors, Oracle Government Cloud regions are isolated from our commercial regions. They have separate infrastructure, a separate support team, and separate management, yet run the same cloud. The Oracle Commercial Cloud team can’t access the Oracle Government Cloud, nor can the Oracle Government Cloud team access the commercial cloud. If a security breach or attack occurs in the commercial cloud, the Oracle Government Cloud is isolated from that breach or attack.

  • Similar cloud functionality: The Oracle Government Cloud is built on similar principles as the commercial cloud. It uses the same hardware, software, and code. You receive the same type of performance and SLAs. The only difference is that the Oracle Government Cloud is FedRAMP High authorized with more security controls in place.

  • Multicloud without multicloud: If you’re looking for a multicloud strategy, we can help satisfy that requirement too. Place your non-sensitive data or public-facing services in the commercial cloud, and place your sensitive data and non-public-facing services in the government cloud. Yes, it’s single vendor lock-in, but these cloud regions are separate and isolated. By implementing this strategy, your IT support doesn’t have to learn the nuances of another cloud console. You can take advantage of the same services, such as Oracle Database Cloud services. If you need to move from the commercial cloud to the government cloud, you have no compatibility issues.

What’s next?

Take the Oracle Government Cloud for a spin. It’s the same as the commercial cloud. The extra security controls are invisible to you, which means you don’t see the 400+ NIST security controls that we’ve applied. It looks, feels, and works the same way as any of our commercial cloud services and offers the same range of services, including compute, storage, and networking. If you’re a non-government entity and are unsure if you qualify to use the Oracle Government Cloud regions, contact your Oracle sales team for more information.
