Cloud Security Perspectives and Insights

October 7, 2019

Security Advantages of the Oracle SaaS Stack

David B. Cross
SVP SaaS Security

I would like to share the unique advantages of building a zero-trust environment and a trusted applications environment when you have control of the entire stack. Let’s discuss some of the unique advantages of building and managing an application stack on a tightly controlled platform.

In the Oracle SaaS Cloud, and as I shared in my session at Oracle OpenWorld, we take a “defense in depth” approach in building, deploying, and managing our SaaS applications. We restrict access at each layer in the stack from the hardware platform and firmware to the web and applications presentation layer. We implement and monitor multiple proactive detection points not just at the operating system and hypervisor layer, but also at the network and applications layers. In addition, we require and place multiple security operational controls to ensure availability, redundancy, and hardening for all access points. And, last but not least, we perform and leverage graph-based analytics across the entire stack and not just one individual layer.

I want to reiterate that when you have full control of the hardware, firmware, hypervisor, operating system, network, database, middleware, and applications components, you have a distinct security advantage because you have complete visibility into the data and processing paths. When you have a complex set of variable components, systems, firmware, drivers, and software paths, you always have unknown risks and variability of results. It is difficult, if not impossible, to comprehensively and absolutely threat model and test against all risks or attack surfaces. When the entire stack is static, strictly defined, and monitored with configuration controls, end-to-end security is increased.

In Oracle Cloud, and for Oracle SaaS applications, we continuously define, implement, update, and monitor the state of the cloud stack as part of our DevSecOps principles and engineering culture. Taking a DevSecOps approach to our engineering enables us to ensure security permeates each cloud service lifecycle, and holds the promise of having more agile security.

As a result, we do not encounter surprises, make assumptions of functionality, or deploy at scale with unknown risks due to a heterogeneous stack outside our control. Not only does the strict, end-to-end stack definition provide security benefits not possible in other Gen 1 clouds, it also provides the highest reliability, performance, and availability due to well-scripted results parameters that can be continuously validated. Audits and compliance processes can also benefit and be accelerated when a consistent stack and monitored results are in place with no variations or deviations that are easily logged as part of the overall infrastructure.

In closing, it is important to look at and choose cloud-based SaaS applications that are built, deployed, and managed on a holistically controlled stack that is strictly defined, controlled, and owned from the hardware to the applications layer.

Comments ( 1 )
  • Stefan Jung Monday, February 24, 2020
    And if you need additional authentication security, Oracle's PaaS offers a solution called IDCS (Identity Cloud Service) enabling you to define when, how, who, where a user can access the services.