Part 3 of 4 - Oracle IaaS and Seven Pillars of Trusted Enterprise Cloud Platform
Sanjay Basu
Note: My original blog series was published in ORACLE CLOUD INFRASTRUCTURE blog site. I have republished it here with permission.
Official Disclaimer:
The views and opinions expressed in this blog are those of the author
and do not necessarily reflect the official policy or position of Oracle
Corporation.
This post is the third one in the series in which we are mapping Oracle's seven pillars of a trusted computing platform to Oracle Cloud Infrastructure security capabilities. This post covers the rest of the pillars. The fourth and final installment in this series will highlight some security services and enhancements that have been added to the portfolio.
5: Secure Hybrid Cloud
Oracle Cloud Infrastructure supports SAML 2.0 federation via Oracle Identity Cloud Service (IDCS), Microsoft Active Directory Federation Service (ADFS), and any SAML 2.0 compliant identity provider. Customers can also use Oracle Cloud Infrastructure native IAM for federated access. IDCS is offers broad integration services with various identity providers.
Oracle Cloud Infrastructure also offers two ways to securely connect customers' on-premises data centers or other public cloud providers to Oracle Cloud Infrastructure virtual cloud networks (VCNs).
One way to connect is to use an IPSec VPN over the internet. IPSec is a protocol suite that encrypts the entire IP traffic before the packets are transferred from the source to the destination. IPSec can be configured in tunnel mode and transport mode, although Oracle Cloud Infrastructure supports only the tunnel mode for IPSec VPNs. In tunnel mode, IPSec encrypts and authenticates the entire packet. After encryption, the packet is then encapsulated to form a new IP packet that has different header information. Each Oracle IPSec VPN consists of multiple redundant IPSec tunnels that use static routes to route traffic. Border Gateway Protocol (BGP) is not supported for the Oracle IPSec VPN. For more information, see IPSec VPN Overview.
For a higher bandwidth and more reliable and consistent networking experience compared to internet-based connections, Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between customers' data center and Oracle Cloud Infrastructure. For more information, see FastConnect Overview.
Additionally, Oracle Cloud Infrastructure is collaborating with various third-party security vendors (for example, FireEye, Fortinet, Symantec, and CheckPoint) to make their solutions accessible on Oracle Cloud Infrastructure so that customers can use their existing security tools when securing data and applications in the cloud. Visit the Oracle Cloud Marketplace for a list of partners who have been successfully tested on Oracle Cloud Infrastructure.
6: High Availability
To provide data availability and durability, Oracle Cloud Infrastructure enables customers to select from infrastructure with distinct geographic and threat profiles.
A region is the top-level component of the infrastructure. Each region is a separate geographic area with multiple, fault-isolated locations called availability domains.
Availability domains are designed to be independent and highly reliable. Each one is built with fully independent infrastructure: buildings, power generators, cooling equipment, and network connectivity. With physical separation comes protection against natural and other disasters.
Availability domains within the same region are connected by a secure, high-speed, low-latency network, which allows customers to build and run highly reliable applications and workloads with minimum impact to application latency and performance. All links between availability domains are encrypted.
Each region in the US has at least three availability domains, which allows customers to deploy highly available applications. Each availability zone is the US has three fault domains.
Because of geographic constraints, some regions contain a single availability domain with multiple fault domains for application redundancies. When resources are placed across fault domains, they are far less likely to fail together. From a customer's perspective, instances placed across fault domains are guaranteed to be on different racks. Each tenancy has its own fault domain identifiers for an availability domain. Instances returned by Compute APIs include these fault domain identifiers.
7: Verifiably Secure Infrastructure
Oracle Cloud Infrastructure's verifiably secure infrastructure is built using multiple security solutions that complement each other.
Oracle is continuously investing time and resources to meet customers’ strict requirements for internal control over financial reporting and data protection across a variety of highly regulated industries.
- ISO 27001
- Regions: Phoenix (Arizona), Ashburn (Virginia), London (United Kingdom), and Frankfurt (Germany)
- Services covered: Block Volumes, Compute, Database, Governance, Load Balancing, Networking, and Object Storage
- SOC 1, SOC 2, and SOC 3
- Regions: Phoenix (Arizona), Ashburn (Virginia), and Frankfurt (Germany)
- Services covered: Block Volumes, Compute, Database, Governance, Load Balancing, Networking, and Object Storage
- PCI DSS Attestation of Compliance
- Services covered: Archive Storage, Block Volumes, Compute, Container Engine for Kubernetes, Data Transfer Service, Database, Exadata, FastConnect, File Storage, Governance, Load Balancing, Networking, Object Storage, and Registry
- HIPAA Attestation
- Services covered: Archive Storage, Block Volumes, Compute, Data Transfer, Database, Exadata, FastConnect, File Storage, Governance, Load Balancing, Networking, and Object Storage
- Strong security controls to meet GDPR requirements
For a complete and updated list of compliance certifications and attestations, please visit https://cloud.oracle.com/en_US/cloud-compliance.
Oracle regularly performs penetration and vulnerability testing and security assessments against the Oracle Cloud infrastructure, platforms, and applications. These tests are intended to validate and improve the overall security of Oracle Cloud Services. However, Oracle does not assess or test any components that customers manage through or introduce into the Oracle Cloud Services. For more information, see Oracle Cloud Security Testing Policy.
Conclusion
Oracle Cloud Infrastructure is gaining the trust of Customer Security teams by having:
- A world-class security team
- Foundational core and edge security capabilities built around seven pillars
- Deeper customer isolation
- Easy-to-use IAM policies
- Geographic security compartmentalization
- Secure access to APIs via asymmetric keys
For more information, visit the following sites:
- Oracle Cloud Infrastructure Security white paper
- Oracle Cloud Infrastructure GDPR white paper
- Oracle Cloud Infrastructure Security Best Practices (provides actionable security guidance, including IAM policies and scripts, for each service)
- Services Security Documentation
- Blog posts
Comments
Post a Comment