Oracle Cloud Infrastructure Security Architecture

Overview 

Oracle Cloud Infrastructure (OCI) is a next-generation infrastructure-as-a-service (IaaS) offering architected on security-first design principles. These principles include isolated network virtualization and pristine physical host deployment, which were difficult to achieve with earlier public cloud designs. With these design principles, OCI helps to reduce risk from advanced persistent threats.

Security-First Design 

As the cloud has become more common, security concerns have become more important. From its inception, Oracle Cloud Infrastructure prioritized solving the security issues that grew out of first-generation clouds.

Oracle Cloud Infrastructure—Next-Generation Public Cloud

OCI is a complete IaaS platform. It provides the services needed to build and run applications in a highly secure, hosted environment with high performance and availability. Customers can run the Compute and Database services on bare metal instances, which are customer-dedicated physical servers, or on virtual machine (VM) instances.

Platform Security 

Oracle designed the Oracle Cloud Infrastructure architecture to secure the platform through isolated network virtualization, highly secure firmware installation, a controlled physical network, and network segmentation.

Isolated Network Virtualization

Central to the OCI design is isolated network virtualization, which greatly reduces the risk from the hypervisor. 

The hypervisor is the software that manages virtual devices in a cloud environment, handling server and network virtualization. In traditional virtualization environments, the hypervisor manages network traffic, enabling traffic to flow between VM instances and between VM instances and physical hosts.

OCI reduces this risk by decoupling network virtualization from the hypervisor. Oracle has implemented network virtualization as a highly customized hardware and software layer that moves cloud control away from the hypervisor and host and puts it on its own network.


Hardware

A primary design principle of OCI is protecting tenants from firmware-based attacks. Threats at the firmware level are becoming more common, which raises the potential risks for public cloud providers. To ensure that each server is provisioned with clean firmware, Oracle has implemented a hardware-based root of trust for the process of wiping and reinstalling server firmware. Oracle uses this process every time a new server is provisioned for a tenant or between tenancies, regardless of the instance type.


Physical Network

OCI’s physical network architecture adds a layer of defense to the network virtualization by further isolating customer tenancies and limiting the risk of threat proliferation. The physical network components are the racks, routers, and switches that form the physical layer of OCI.

The design of the physical layer is a simple, flat network connected to virtual ports on the virtual cloud network (VCN). This design reduces the complexity of managing allowed traffic paths and heightens the visibility of attempts to circumvent them.


Network Segmentation 

Oracle designed OCI’s physical network for customer and service isolation. It’s segmented into enclaves with unique communications profiles. Access into and out of these enclaves is controlled, monitored, and policy driven.

Network isolation diagram

Operational Security 

Oracle maintains a large workforce of security professionals who are dedicated to ensuring the security of Oracle Cloud Infrastructure. Within the workforce, several teams are responsible for securely developing, monitoring, testing, and assuring compliance with regulations and certification programs.


Conclusion 

Oracle Cloud Infrastructure puts the security of critical workloads at the center of our next-generation public cloud. For customers running security-sensitive workloads, such as financial applications or citizen service applications, Oracle Cloud Infrastructure provides a security-first architecture that reduces the risk and attack surfaces commonly associated with first-generation clouds. Oracle has built security features and controls into the architecture, data-center design, personnel selection, and the processes for provisioning, using, certifying, and maintaining Oracle Cloud Infrastructure. Oracle Cloud Infrastructure is a modern public cloud built for the world’s most critical data with the highest security requirements.
