Oracle Dedicated Region Cloud@Customer meets data sovereignty and security requirements better than AWS Outposts

March 31, 2021 | 4 minute read
Brian Huynh
Product Marketing

Co-authored by Akshai Parthasarathy

Often organizations want the benefits of the cloud model, but they need the assurance that their confidential information always stays on-premises. Some enterprises remain on-premises because of country-specific laws, such as GDPR, that require collected data to remain within the country's borders. Customers in regulated industries, such as finance and healthcare, have more data compliance requirements, such as PCI and HIPAA. Meanwhile, corporations also have long-established policies for data retention and security.

Cloud@Customer or Outposts?

Customers using Oracle Dedicated Region Cloud@Customer can better meet data sovereignty requirements because the data they generate always stays on-premises. This data is also better protected because Oracle Dedicated Region Cloud@Customer inherits the same rich set of security services from the Oracle public cloud. Oracle Dedicated Region Cloud@Customer can meet requirements in these areas better than Amazon Web Services (AWS) Outposts, for the following reasons:

  • Customer metadata stays local: Customer metadata, such as activity records, time spent, and location, generated on Oracle Dedicated Region Cloud@Customer remains local to the customer’s data center. Unlike Oracle Dedicated Region Cloud@Customer, Outposts’ metadata, such as instance IDs, monitoring metrics, metering records, and tags, flows back to the Amazon Web Services (AWS) Region. Moreover, this metadata is stored in AWS CloudTrail and AWS CloudWatch, two monitoring and logging tools in the AWS public cloud, not in Outposts. AWS CloudWatch records metrics every minute. AWS CloudTrail also records API calls. Although AWS allows customers to delete the trails and stop AWS from logging, customer account activities for the past 90 days are still collected and visible.

  • Database backups and logs: Customers of Oracle Dedicated Region Cloud@Customer choose where to store backups and snapshots of their database for safekeeping. They can stay on-premises or in the public cloud, whereas AWS requires them to be stored in the AWS public cloud. According to AWS, RDS on Outposts stores database backups, logs, and record of changes in the AWS region today and doesn’t support use cases that require all data to remain in a customer’s data center. Other metrics, such as the time that the customer spent using the database, are also stored in the AWS public cloud.

  • Control plane location: The control plane of Oracle Dedicated Region Cloud@Customer stays on-premises. Such maximum isolation allows for a secure deployment option. Unlike Oracle Dedicated Region Cloud@Customer, the control plane of AWS Outposts is in the public cloud. So, data, such as instance activity info (launched, stopped, and so on) and other hypervisor info are sent to the AWS public cloud. Other telemetry data, such as Amazon S3 storage bucket names and metrics, are also stored in the AWS public cloud. These facts raise questions about whether AWS Outposts can fully meet requirements in data residency when such data is exposed publicly.

Where Cloud@Customer succeeds

Customers’ workloads running on Oracle Dedicated Region Cloud@Customer are better protected with Oracle’s comprehensive set of security services. Oracle’s security-first design implements strong tenant isolation, least-privilege-everywhere policy, and certifications for leading compliance. Oracle also gives customers the physical control of infrastructure and data to help them meet corporate security policies. With the following features, Oracle Dedicated Region Cloud@Customer can meet requirements in these areas better than AWS Outposts:

  • Solution security: Customers’ workloads are fully protected because Oracle Dedicated Region Cloud@Customer inherits the same rich set of security services from Oracle’s public cloud, such as key management, IDCS, web application firewall (WAF), and Secrets Management. Other features such as hardware root of trust protect against firmware attacks during booting. Unlike Oracle Dedicated Region Cloud@Customer, some security services protecting workloads in the AWS public cloud, including GuardDuty, Inspector, CloudTrail, Macie, and Detective, don’t run on AWS Outposts. Other AWS security services that run in the AWS public cloud are not available on Outposts, including Cognito, WAF, Key Management Service, and Secrets Manager.

  • Data security: Oracle Autonomous Database, a key workload on Oracle Dedicated Region Cloud@Customer, has numerous strong security features, such as privilege analysis, in-database encryption, control over admin access, label security, real application security, and more. Oracle Autonomous Database services are locked down, self-securing, and self-patching. Data Safe offers more security for Oracle Databases, where data is encrypted at rest by default on all services and encrypted in transit. When instances are terminated, all data is deleted and memory is scrubbed. Although Amazon RDS on Outposts, an on-premises managed database service for MySQL and PostgreSQL, supports IAM, VPC, SSL/TLS encryption at rest and in transit, and Database Firewall, it lacks some of the advanced security features found in Oracle Autonomous Database. For example, Amazon RDS on Outposts is missing fine-grained access control, data redaction, data masking and dynamic data masking, audit vault, key vault, database vault, label security, and virtual private database.

  • Control of update policy: Customers of Oracle Dedicated Region Cloud@Customer have greater control of the software and infrastructure lifecycle, including customizable policies like update schedules and versioning. Customers, not Oracle, decide when data is backed up. Users of AWS Outposts lack full control of their update policy, because AWS retains control over the software update cycle, including version, time, and deferment.

Customer success

Australian Data Centres (ADC), based in Canberra, Australia, provides highly sophisticated services to government and commercial clients. ADC operates a traditional, high-security data center, and this market changed dramatically with the influx of public cloud providers, including Amazon Web Services and Microsoft Azure. To remain relevant to its clients, including Australian federal agencies, the company enabled the adoption of cloud services through its use of Oracle Dedicated Region and partnerships with other Australian companies. In doing so, it now provides sovereign hosted services to the Australian Government.

According to Robert Kelly, CEO of Australian Data Centres, “there was no other [cloud] provider out there that provided the range of services that comes with Oracle Dedicated Region.”

Forward perspective

Oracle is committed to enabling customers with competitive cloud solution offerings in support of their business requirements and modernization path forward. Learn more about how Oracle is transforming customer data centers with Oracle Dedicated Region Cloud@Customer. Watch the Oracle Cloud Platform Virtual Summit today!
