Part 3 of 4 - Oracle IaaS and Seven Pillars of Trusted Enterprise Cloud Platform

 Sanjay Basu

Note: My original blog series was published on the ORACLE CLOUD INFRASTRUCTURE blog site. I have republished it here with permission.

Official Disclaimer: The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of Oracle Corporation.


This post is the third one in the series in which we are mapping Oracle's seven pillars of a trusted computing platform to Oracle Cloud Infrastructure security capabilities. This post covers the rest of the pillars. The fourth and final installment in this series will highlight some security services and enhancements that have been added to the portfolio.  

Links to Part 1 and Part 2.

5: Secure Hybrid Cloud

Oracle Cloud Infrastructure supports SAML 2.0 federation via Oracle Identity Cloud Service (IDCS), Microsoft Active Directory Federation Service (ADFS), and any SAML 2.0 compliant identity provider. Customers can also use Oracle Cloud Infrastructure native IAM for federated access. IDCS offers broad integration services with various identity providers.

Oracle Cloud Infrastructure also offers two ways to securely connect customers' on-premises data centers or other public cloud providers to Oracle Cloud Infrastructure virtual cloud networks (VCNs).

One way to connect is to use an IPSec VPN over the internet. IPSec is a protocol suite that encrypts the entire IP traffic before the packets are transferred from the source to the destination. IPSec can be configured in tunnel mode and transport mode, although Oracle Cloud Infrastructure supports only the tunnel mode for IPSec VPNs. In tunnel mode, IPSec encrypts and authenticates the entire packet. After encryption, the packet is then encapsulated to form a new IP packet that has different header information. Each Oracle IPSec VPN consists of multiple redundant IPSec tunnels that use static routes to route traffic. Border Gateway Protocol (BGP) is not supported for the Oracle IPSec VPN. For more information, see IPSec VPN Overview.
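To make the tunnel-mode description above concrete, here is an added illustration (not code from the original post or from Oracle): it builds an inner IPv4 packet between two private hosts, encrypts and authenticates the whole packet with AES-GCM the way ESP does, and wraps the result in a new outer IPv4 header that names only the tunnel endpoints. The 8-byte SPI/sequence prefix is a stand-in for the real ESP header, the key and all addresses are constructed, and the header builder leaves the checksum zero because nothing here is sent on the wire.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const protoESP = 50 // IP protocol number carried by the outer header for ESP

// ipv4Header builds a minimal 20-byte IPv4 header (no options, checksum left
// zero). It exists only to make the inner/outer header difference visible.
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(h[2:4], uint16(20+payloadLen))
	h[8] = 64 // TTL
	h[9] = proto
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	return h
}

// addresses returns the source and destination of an IPv4 packet's header.
func addresses(pkt []byte) (src, dst net.IP) {
	return net.IP(pkt[12:16]), net.IP(pkt[16:20])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encapsulate models ESP in tunnel mode: the whole inner packet, header
// included, is encrypted and authenticated, then wrapped in a new outer
// IPv4 header carrying the tunnel endpoints rather than the inner hosts.
// The SPI/sequence prefix (stand-in ESP header) is authenticated as
// additional data but not encrypted, matching ESP's layout.
func encapsulate(key []byte, outerSrc, outerDst net.IP, spi, seq uint32, inner []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	esp := make([]byte, 8)
	binary.BigEndian.PutUint32(esp[0:4], spi)
	binary.BigEndian.PutUint32(esp[4:8], seq)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, nonce, inner, esp) // ciphertext followed by 16-byte tag
	payload := append(append(esp, nonce...), sealed...)
	return append(ipv4Header(outerSrc, outerDst, protoESP, len(payload)), payload...), nil
}

// decapsulate reverses the process and fails on any modification of the
// protected bytes, which is what "authenticates the entire packet" buys.
func decapsulate(key []byte, outer []byte) ([]byte, error) {
	if len(outer) < 20 || outer[0] != 0x45 || outer[9] != protoESP {
		return nil, errors.New("not an ESP-in-IPv4 packet")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body := outer[20:]
	if len(body) < 8+gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("truncated ESP payload")
	}
	esp, nonce, sealed := body[:8], body[8:8+gcm.NonceSize()], body[8+gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, esp)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit key
	// Constructed inner packet: a private on-premises host talking to a VCN host.
	data := []byte("application data")
	inner := append(ipv4Header(net.ParseIP("10.0.1.5"), net.ParseIP("172.16.0.9"), 6, len(data)), data...)
	outer, err := encapsulate(key, net.ParseIP("203.0.113.7"), net.ParseIP("192.0.2.20"), 0x1000, 1, inner)
	if err != nil {
		panic(err)
	}
	src, dst := addresses(outer)
	fmt.Printf("outer header: %s -> %s, protocol %d, %d bytes\n", src, dst, outer[9], len(outer))
	got, err := decapsulate(key, outer)
	fmt.Printf("inner recovered intact: %v\n", err == nil && string(got) == string(inner))
	outer[len(outer)-1] ^= 1 // flip one bit of the protected bytes
	_, err = decapsulate(key, outer)
	fmt.Printf("tampered packet rejected: %v\n", err != nil)
}
```

The point to take from running it: an observer on the internet path sees only the outer header (tunnel endpoint to tunnel endpoint, protocol 50) and an opaque payload, while the inner addresses and data are recovered unchanged on the far side, and a single flipped bit anywhere in the protected region is rejected rather than silently delivered.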

For a higher bandwidth and more reliable and consistent networking experience compared to internet-based connections, Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between customers' data center and Oracle Cloud Infrastructure. For more information, see FastConnect Overview.

Additionally, Oracle Cloud Infrastructure is collaborating with various third-party security vendors (for example, FireEye, Fortinet, Symantec, and CheckPoint) to make their solutions accessible on Oracle Cloud Infrastructure so that customers can use their existing security tools when securing data and applications in the cloud. Visit the Oracle Cloud Marketplace for a list of partners who have been successfully tested on Oracle Cloud Infrastructure.

6: High Availability

To provide data availability and durability, Oracle Cloud Infrastructure enables customers to select from infrastructure with distinct geographic and threat profiles.

A region is the top-level component of the infrastructure. Each region is a separate geographic area with multiple, fault-isolated locations called availability domains.

Availability domains are designed to be independent and highly reliable. Each one is built with fully independent infrastructure: buildings, power generators, cooling equipment, and network connectivity. With physical separation comes protection against natural and other disasters.

Availability domains within the same region are connected by a secure, high-speed, low-latency network, which allows customers to build and run highly reliable applications and workloads with minimum impact to application latency and performance. All links between availability domains are encrypted.

Each region in the US has at least three availability domains, which allows customers to deploy highly available applications. Each availability domain in the US has three fault domains.

Because of geographic constraints, some regions contain a single availability domain with multiple fault domains for application redundancies. When resources are placed across fault domains, they are far less likely to fail together. From a customer's perspective, instances placed across fault domains are guaranteed to be on different racks. Each tenancy has its own fault domain identifiers for an availability domain. Instances returned by Compute APIs include these fault domain identifiers.
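Because the Compute API returns the fault domain of every instance, a customer can verify the placement they intended rather than assume it. The following is an added example (not code from the original post or from Oracle) that reads a constructed instance listing, groups instances by availability domain and fault domain, and flags any availability domain whose instances all sit in one fault domain, which by the guarantee described above means on one rack. The JSON key names `availabilityDomain` and `faultDomain`, and the AD and fault domain identifiers in the sample, are assumptions for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// instance carries the placement fields of a Compute instance record. The
// JSON keys are what an instance listing is assumed to return for this
// example; they are not quoted from the Compute API.
type instance struct {
	DisplayName        string `json:"displayName"`
	AvailabilityDomain string `json:"availabilityDomain"`
	FaultDomain        string `json:"faultDomain"`
}

// sampleListing is a constructed response: three web nodes spread across
// fault domains in one AD, and two database nodes that both landed in the
// same fault domain of another AD. Identifiers are placeholders.
const sampleListing = `[
  {"displayName": "web-1", "availabilityDomain": "EXAMPLE-AD-1", "faultDomain": "FAULT-DOMAIN-1"},
  {"displayName": "web-2", "availabilityDomain": "EXAMPLE-AD-1", "faultDomain": "FAULT-DOMAIN-2"},
  {"displayName": "web-3", "availabilityDomain": "EXAMPLE-AD-1", "faultDomain": "FAULT-DOMAIN-3"},
  {"displayName": "db-1",  "availabilityDomain": "EXAMPLE-AD-2", "faultDomain": "FAULT-DOMAIN-1"},
  {"displayName": "db-2",  "availabilityDomain": "EXAMPLE-AD-2", "faultDomain": "FAULT-DOMAIN-1"}
]`

// placement maps availability domain -> fault domain -> instance names.
// Fault domain identifiers are only meaningful within one AD of one tenancy,
// so the map is keyed by AD first.
type placement map[string]map[string][]string

// analyzePlacement parses a listing and builds the placement map. An
// instance with no AD or fault domain is treated as an error, since a
// missing value would otherwise hide a concentration of risk.
func analyzePlacement(raw []byte) (placement, error) {
	var list []instance
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	p := placement{}
	for _, in := range list {
		if in.AvailabilityDomain == "" || in.FaultDomain == "" {
			return nil, fmt.Errorf("instance %q has no placement information", in.DisplayName)
		}
		if p[in.AvailabilityDomain] == nil {
			p[in.AvailabilityDomain] = map[string][]string{}
		}
		p[in.AvailabilityDomain][in.FaultDomain] = append(p[in.AvailabilityDomain][in.FaultDomain], in.DisplayName)
	}
	return p, nil
}

// singleFaultDomainADs lists ADs that hold more than one instance but only
// one fault domain: a single rack failure there takes every instance down.
func (p placement) singleFaultDomainADs() []string {
	var out []string
	for ad, fds := range p {
		if len(fds) != 1 {
			continue
		}
		for _, names := range fds {
			if len(names) > 1 {
				out = append(out, ad)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	p, err := analyzePlacement([]byte(sampleListing))
	if err != nil {
		panic(err)
	}
	for ad, fds := range p {
		fmt.Printf("%s: %d fault domain(s) in use\n", ad, len(fds))
		for fd, names := range fds {
			fmt.Printf("  %s: %v\n", fd, names)
		}
	}
	fmt.Println("ADs with all instances on one fault domain:", p.singleFaultDomainADs())
}
```

In practice the listing would come from a Compute instance list call filtered to one compartment, and the check belongs in whatever job already reviews the tenancy, so that a later relaunch that quietly collapses two database nodes onto one rack is noticed before a rack failure does it for you.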


7: Verifiably Secure Infrastructure

Oracle Cloud Infrastructure's verifiably secure infrastructure is built using multiple security solutions that complement each other. 

Oracle is continuously investing time and resources to meet customers’ strict requirements for internal control over financial reporting and data protection across a variety of highly regulated industries.

  • ISO 27001
    • Regions: Phoenix (Arizona), Ashburn (Virginia), London (United Kingdom), and Frankfurt (Germany)
    • Services covered: Block Volumes, Compute, Database, Governance, Load Balancing, Networking, and Object Storage 
  • SOC 1, SOC 2, and SOC 3
    • Regions: Phoenix (Arizona), Ashburn (Virginia), and Frankfurt (Germany)
    • Services covered: Block Volumes, Compute, Database, Governance, Load Balancing, Networking, and Object Storage   
  • PCI DSS Attestation of Compliance
    • Services covered: Archive Storage, Block Volumes, Compute, Container Engine for Kubernetes, Data Transfer Service, Database, Exadata, FastConnect, File Storage, Governance, Load Balancing, Networking, Object Storage, and Registry 
  • HIPAA Attestation
    • Services covered: Archive Storage, Block Volumes, Compute, Data Transfer, Database, Exadata, FastConnect, File Storage, Governance, Load Balancing, Networking, and Object Storage
  • Strong security controls to meet GDPR requirements

For a complete and updated list of compliance certifications and attestations, please visit https://cloud.oracle.com/en_US/cloud-compliance.

Oracle regularly performs penetration and vulnerability testing and security assessments against the Oracle Cloud infrastructure, platforms, and applications. These tests are intended to validate and improve the overall security of Oracle Cloud Services. However, Oracle does not assess or test any components that customers manage through or introduce into the Oracle Cloud Services. For more information, see Oracle Cloud Security Testing Policy.

Conclusion

Oracle Cloud Infrastructure is gaining the trust of customer security teams by having:

  • A world-class security team
  • Foundational core and edge security capabilities built around seven pillars 
  • Deeper customer isolation 
  • Easy-to-use IAM policies  
  • Geographic security compartmentalization
  • Secure access to APIs via asymmetric keys

For more information, visit the following sites:

