Tuesday, 03 December 2019 17:09

Oracle adding to Gen 2 cloud security features

Oracle Cloud Infrastructure CSO Eran Feigenbaum

Oracle isn't resting on its laurels when it comes to the security of its cloud infrastructure.

Oracle has been promoting the security benefits of its second generation cloud infrastructure ever since CTO and chairman Larry Ellison announced it in October 2018.

More recently, Oracle EMEA and APAC senior vice president of systems and technology Andrew Sutherland said there is a pronounced hunger for such services among larger organisations in Australia, because they see the potential for competitive advantage.

Oracle's software is used on premises to protect some of the world's most sensitive applications, Oracle Cloud Infrastructure CSO Eran Feigenbaum told iTWire during a visit to Australia this week, but "Gen 1 cloud was built for a very different type of workload."

Earlier cloud architectures – by implication, those still used by Oracle's competitors – did not fully isolate customers from each other, or from the company providing the service.

So Oracle's Gen 2 cloud was built differently, he said.

Each machine includes separate hardware to run the control plane, and separate networks are used for customer data and control purposes. This makes it harder for intruders to jump between machines even if they are able to break out of the hypervisor, said Feigenbaum.

It also means Oracle is unable to see its customers' data – "you don't have to trust us," Ellison said in 2018.

A third independent network is used to replace all the firmware in a machine before it is handed to a different customer. This protects a customer from a malicious previous tenant of the same hardware, and it is intended to defeat attempts to plant malicious firmware, whether through the supply chain or by a prior tenant, because the firmware is rewritten rather than trusted as found.

Although Feigenbaum didn't mention it, Oracle's recent SPARC processors include Silicon Secured Memory, a hardware memory-tagging feature: each allocated block of memory and the pointers that reference it carry a version tag, and a load or store whose pointer tag does not match the memory's tag raises an exception. Its purpose is to catch memory-safety bugs such as buffer overflows and use-after-free inside an application as they happen. It is not the mechanism that keeps one customer's workload from reading another's on a shared machine; that remains the job of the hypervisor and the hardware isolation described above.

Oracle is preparing to introduce two new security features – Cloud Guard and Maximum Security Zones – to its Gen 2 cloud in the coming months.

Feigenbaum described Cloud Guard as a built-in, machine-learning security operations centre that will watch for malicious activity, alert affected customers and take action. For example, a user who logs in from an unlikely location or from a known-bad IP address might be locked out completely or required to use two-factor authentication.

The idea is to take action before it's too late, he said.
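The triage logic Feigenbaum describes, written out as an added illustration rather than anything from Oracle's Cloud Guard: a login from a known-bad network is blocked outright, and an implausibly fast move from the user's previous login location steps the user up to a second factor. The event format, the known-bad network list, the IP-to-location table and the sample log lines are all constructed for this example (the IP ranges are documentation addresses, not real indicators); a real system would read a threat-intelligence feed and a GeoIP database.

```python
"""Illustrative login-risk triage of the kind the article attributes to Cloud Guard.

Added example, not Oracle code. The event format, the 'known-bad' network
list and the IP-to-location table are constructed stand-ins for a real
threat-intelligence feed and GeoIP database.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Constructed threat-intel list (documentation ranges, not real indicators).
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed GeoIP table: source IP -> (latitude, longitude).
GEO: Dict[str, Tuple[float, float]] = {
    "198.51.100.10": (-33.87, 151.21),  # Sydney
    "198.51.100.11": (-33.87, 151.21),  # Sydney, a second egress address
    "192.0.2.50": (51.51, -0.13),       # London
}

# Faster than a commercial flight between two logins counts as impossible travel.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass
class LoginEvent:
    user: str
    ip: str
    time: datetime


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def is_known_bad(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_NETWORKS)


def assess(event: LoginEvent, previous: Optional[LoginEvent]) -> str:
    """Decide 'block', 'require_mfa' or 'allow' for one login.

    A known-bad source is blocked outright; an implausibly fast move from the
    user's previous login location steps the user up to a second factor.
    """
    if is_known_bad(event.ip):
        return "block"
    if previous is not None:
        here, there = GEO.get(event.ip), GEO.get(previous.ip)
        if here and there and here != there:
            hours = (event.time - previous.time).total_seconds() / 3600.0
            if hours <= 0 or haversine_km(there, here) / hours > MAX_PLAUSIBLE_KMH:
                return "require_mfa"
    return "allow"


def triage(events: List[LoginEvent]) -> List[Tuple[str, str, str]]:
    """Process events in time order, tracking each user's last non-blocked login."""
    last: Dict[str, LoginEvent] = {}
    decisions = []
    for ev in sorted(events, key=lambda e: e.time):
        decision = assess(ev, last.get(ev.user))
        decisions.append((ev.user, ev.ip, decision))
        if decision != "block":
            last[ev.user] = ev
    return decisions


# Constructed sample log: one user hopping Sydney -> London in 25 minutes,
# and another logging in from a listed bad range.
T0 = datetime(2019, 12, 3, 9, 0)
SAMPLE_EVENTS = [
    LoginEvent("alice", "198.51.100.10", T0),
    LoginEvent("alice", "198.51.100.11", T0 + timedelta(minutes=5)),
    LoginEvent("alice", "192.0.2.50", T0 + timedelta(minutes=30)),
    LoginEvent("bob", "203.0.113.7", T0 + timedelta(hours=1)),
]

if __name__ == "__main__":
    for user, ip, decision in triage(SAMPLE_EVENTS):
        print(f"{user:6} {ip:15} -> {decision}")
```

Two design points matter in practice: the "previous" login used for the impossible-travel test must be one that was itself accepted (a blocked attempt should not move the user's baseline), and a zero or negative time gap must be handled before dividing, since duplicated or out-of-order log timestamps are common.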

Maximum Security Zones are intended for an organisation's most critical information assets, said Feigenbaum. Among other features, data cannot be exposed to the internet.

Cloud storage inadvertently or deliberately left open has led to several significant security incidents involving organisations including Accenture, FedEx, HCL Technologies, the state of Oklahoma, and US health provider Sunshine Behavioural Health.

Maximum Security Zones also require the encryption of all data.

Once applications and data have been put into a Maximum Security Zone, they stay there. The feature cannot be turned off, "otherwise that defeats the purpose," he said. But Oracle expects to provide a mechanism that will allow customers to migrate workloads, e.g. if they decide they should run on premises rather than in the cloud.
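The two zone rules the article names (no exposure to the internet, all data encrypted) are, in practice, policy checks applied to resource configuration. The following added example, which is not Oracle code and does not use the OCI API, shows the shape of such a control in both audit mode (list what is already wrong) and prevent mode (refuse a change up front, which is what "cannot be turned off" amounts to). The resource schema and the sample inventory are constructed for this example.

```python
"""Illustrative preventive policy check in the spirit of a Maximum Security Zone.

Added example, not Oracle code. The resource records use a constructed,
provider-neutral schema; in OCI the zone policies are enforced by the
service itself, so this only shows the shape of such a control.
"""
from typing import Any, Callable, Dict, List, Tuple

Resource = Dict[str, Any]


def publicly_readable(r: Resource) -> bool:
    return bool(r.get("public"))


def unencrypted(r: Resource) -> bool:
    return not r.get("encrypted", False)


def has_public_ip(r: Resource) -> bool:
    return bool(r.get("public_ip"))


def open_to_internet(r: Resource) -> bool:
    return any(rule.get("source") == "0.0.0.0/0" for rule in r.get("ingress", []))


# (resource kind, policy text, predicate that is True when the policy is broken)
RULES: List[Tuple[str, str, Callable[[Resource], bool]]] = [
    ("bucket", "object storage must not be publicly readable", publicly_readable),
    ("bucket", "object storage must be encrypted", unencrypted),
    ("volume", "block volumes must be encrypted", unencrypted),
    ("instance", "instances must not carry a public IP", has_public_ip),
    ("security_list", "no ingress rule may allow 0.0.0.0/0", open_to_internet),
]


def violations(resources: List[Resource]) -> List[str]:
    """Audit mode: list every policy broken by the current inventory."""
    found = []
    for r in resources:
        for kind, policy, broken in RULES:
            if r["kind"] == kind and broken(r):
                found.append(f'{kind} {r["name"]}: {policy}')
    return found


def admit(resource: Resource) -> bool:
    """Prevent mode: refuse to create or update a resource that would break the zone."""
    return not violations([resource])


# Constructed inventory with one compliant and several non-compliant resources.
SAMPLE_INVENTORY: List[Resource] = [
    {"kind": "bucket", "name": "reports", "public": True, "encrypted": False},
    {"kind": "volume", "name": "db-data", "encrypted": True},
    {"kind": "instance", "name": "web-1", "public_ip": "203.0.113.5"},
    {"kind": "security_list", "name": "default",
     "ingress": [{"source": "0.0.0.0/0", "port": 22}]},
]

if __name__ == "__main__":
    for line in violations(SAMPLE_INVENTORY):
        print("VIOLATION", line)
    print("admit db-data:", admit(SAMPLE_INVENTORY[1]))
```

The audit path is what finds the open-bucket incidents listed above after the fact; the admit path is the one that would have stopped them, because the misconfiguration is rejected at creation time rather than reported later.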

Both features are expected to go live in four to six months, Feigenbaum told iTWire.

"We're still finishing testing," he said, adding that this includes making sure that Cloud Guard detects and then takes the correct action against his red team's efforts to break into systems.

The new features will come at no additional cost. "Security should be a right, not something you have to pay for," said Feigenbaum.

"We're fundamentally changing the shared responsibility model" by taking on more responsibility through autonomous systems and always-on security, he said. "We need to make these things easier for customers."

"I think we've built something very unique... a cloud that is security-first."

So "Oracle Cloud Infrastructure is the place for your most critical [and secure] workloads," said Feigenbaum.




Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.


