New security enhancements should make Oracle Cloud Infrastructure (OCI) even more resistant to attack, without making the platform more complicated for end users than it already is.
If you have ever attended a keynote or other presentation from Oracle about OCI, you will have noticed the emphasis the company places on security. The Autonomous Database on OCI is perhaps the best example. It is designed so that people have to do as little configuration and management as possible: provisioning, as well as fixing any errors, happens completely autonomously. The idea behind this is that people are the primary source of misconfigurations, and therefore of vulnerabilities. If people don't get involved, that problem goes away.
However, Oracle also places considerable emphasis on the inherent security that OCI itself offers. According to the company, the Gen2 variant of OCI is fundamentally more secure than the offerings of other public cloud providers. Whether that is actually the case when compared to the most recent versions of those competitors is something we could write a whole book about. That’s not our goal here. For now, it’s important to note that Oracle has continued and in all likelihood will continue to place a lot of emphasis on security.
Even more security in OCI
Today Oracle announced several security updates for OCI. We received a briefing on them from Mahesh Thiagarajan, SVP Security & Developer Services for Oracle Cloud Infrastructure. According to him, these announcements once again show that Oracle wants to do as much of the heavy lifting for customers as possible when it comes to security. He calls the new services prescriptive: the security controls are configured out of the box rather than left for the customer to assemble.
The idea of prescriptive security is that, as a customer, you can assume it is all set up properly. That means you don't necessarily have to know how cloud security services work, nor do you have to configure and maintain them. This makes OCI very easy to use in terms of security, according to Thiagarajan. By removing the human component as much as possible, as Oracle did with the Autonomous Database, you reduce the number of vulnerabilities. If Gartner's prediction in the 2021 Hype Cycle for Cloud Security is correct, and by 2023 at least 99 percent of cloud security failures will be the customer's fault, then taking the customer out of as much of that configuration as possible is a perfectly reasonable strategy.
OCI Network Firewall
Oracle announced a total of five security updates for OCI today. The main one, as far as we are concerned, is the OCI Network Firewall. This is a cloud-native firewall service built on Palo Alto Networks VM-Series virtual firewalls. With this addition, you get the characteristics of that series inside OCI: URL filtering, IDS/IPS (intrusion detection and prevention), and TLS inspection for inbound, outbound and lateral traffic to workloads running on OCI. This means that the applications in OCI, as well as the cloud environment as a whole, get an extra layer of security. OCI Network Firewall is a so-called turn-key service, so you can start using it right away, without additional configuration and management of the firewall infrastructure itself. One caveat that applies to any firewall, Oracle's included: TLS inspection can only decrypt traffic for which the firewall holds the server's key or a CA that the clients trust, so that part of the setup stays with the workload owner.
Oracle Threat Intelligence Service and Cloud Guard Threat Detector
In addition to prevention, detection also plays an important role in cloud security. That is where Oracle Threat Intelligence Service comes in. This service is an aggregator for threat intelligence from various sources. With the indicators it provides, you can detect threats faster and therefore respond to them faster, in Oracle Cloud Guard but also in other OCI services. In terms of sources, Thiagarajan explicitly mentions CrowdStrike; Oracle also uses its own telemetry and open-source feeds.
We already briefly mentioned Oracle Cloud Guard above. It too gets an update. Oracle Cloud Guard Threat Detector detects misconfigured resources and suspicious activity within a customer's environment. This gives admins more insight and a faster response time. Cloud Guard Threat Detector also ships with hundreds of so-called recipes, which let you automate part of your security response and, in a sense, extend your SOC.
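To make the two preceding paragraphs concrete, here is an added example, written for this page and not Oracle's code, of what a threat-intelligence aggregator and a detector built on top of it do: indicators from several feeds are merged (same value from two sources becomes one indicator with both sources and the higher confidence), and the merged set is matched against log lines. The feed names, indicator values, confidences and log lines are all constructed sample data; the `aggregate`, `match_ip`, `match_domain` and `scan_logs` functions are this example's own, not an Oracle API.

```python
# Added illustration (not Oracle's code): merging threat-intelligence feeds
# from several sources and matching the merged indicators against log lines.
# Every feed entry and log line below is constructed sample data.
import ipaddress
from dataclasses import dataclass, field

# Constructed feeds keyed by a made-up source name.
FEEDS = {
    "vendor_feed": [
        {"type": "ip", "value": "203.0.113.0/24", "confidence": 90},
        {"type": "domain", "value": "bad.example", "confidence": 80},
    ],
    "open_source_feed": [
        {"type": "ip", "value": "203.0.113.7", "confidence": 40},
        {"type": "ip", "value": "198.51.100.23", "confidence": 60},
    ],
    "own_telemetry": [
        {"type": "domain", "value": "c2.bad.example", "confidence": 95},
    ],
}

# Constructed key=value log lines: three flow records and one DNS query.
LOG_LINES = [
    "src=10.0.1.5 dst=203.0.113.7 dport=443 action=ACCEPT",
    "src=10.0.1.9 dst=192.0.2.10 dport=80 action=ACCEPT",
    "src=10.0.1.5 query=c2.bad.example",
    "src=10.0.1.7 dst=198.51.100.23 dport=22 action=REJECT",
]


@dataclass
class Indicator:
    type: str                    # "ip" (address or CIDR) or "domain"
    value: str
    sources: set = field(default_factory=set)
    confidence: int = 0          # highest confidence any source assigned


def aggregate(feeds):
    """Merge all feeds into one indicator list.

    A value seen in several feeds becomes one indicator carrying the union
    of its sources and the maximum confidence, so a consumer sees
    corroboration rather than duplicates.
    """
    merged = {}
    for source, entries in feeds.items():
        for entry in entries:
            key = (entry["type"], entry["value"].lower())
            ind = merged.setdefault(key, Indicator(entry["type"], key[1]))
            ind.sources.add(source)
            ind.confidence = max(ind.confidence, entry["confidence"])
    return list(merged.values())


def match_ip(address, indicators):
    """Return every IP indicator (single address or CIDR) containing address."""
    addr = ipaddress.ip_address(address)
    return [ind for ind in indicators
            if ind.type == "ip"
            and addr in ipaddress.ip_network(ind.value, strict=False)]


def match_domain(name, indicators):
    """Return every domain indicator equal to name or a parent of it.

    The suffix test runs on label boundaries, so "notbad.example" does not
    match the indicator "bad.example".
    """
    name = name.lower().rstrip(".")
    return [ind for ind in indicators
            if ind.type == "domain"
            and (name == ind.value or name.endswith("." + ind.value))]


def scan_logs(lines, indicators, min_confidence=50):
    """Report lines whose destination IP or queried domain hits an indicator
    that reaches min_confidence or that at least two sources agree on."""
    findings = []
    for idx, line in enumerate(lines):
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        hits = []
        if "dst" in fields:
            hits += match_ip(fields["dst"], indicators)
        if "query" in fields:
            hits += match_domain(fields["query"], indicators)
        if not hits:
            continue
        confidence = max(h.confidence for h in hits)
        sources = set().union(*(h.sources for h in hits))
        if confidence >= min_confidence or len(sources) >= 2:
            findings.append({
                "line": idx,
                "matched": sorted(h.value for h in hits),
                "confidence": confidence,
                "sources": sorted(sources),
            })
    return findings
```

Running `scan_logs(LOG_LINES, aggregate(FEEDS))` flags lines 0, 2 and 3 and leaves the 192.0.2.10 flow alone; the 203.0.113.7 hit is reported with two sources because the vendor CIDR and the open-source single address corroborate each other. Raising `min_confidence` to 70 drops the single-source 198.51.100.23 hit, which is the kind of tuning a recipe would expose.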
Oracle Security Zones becomes more flexible
With Oracle Security Zones it has for some time been possible for organizations to apply very strict security to their entire OCI environment. Customers indicated, however, that some flexibility would be welcome, and Oracle adds that today: customers can now add their own policies to Security Zones. In addition, Oracle now integrates Security Zones with Cloud Guard, so that compliance with those policies can be monitored closely. Note that Security Zones are not about restricting what employees can and cannot do; that is what IAM is for. Security Zone policies focus on resources and determine which configurations are and are not allowed. IAM decides who may create a storage bucket, for example, while a Security Zone policy decides whether any bucket in that compartment may be public or unencrypted at all.
Integration of IaaS and SaaS with support for Fusion Apps
The last of the five security updates for OCI again has to do with Oracle Cloud Guard. As you have seen by now, Cloud Guard manages a company's security posture in OCI. With Oracle Cloud Guard Fusion Applications Detector, Oracle now brings its Fusion Applications under that umbrella as well. Customers thus gain insight into both layers, IaaS and SaaS, in one place. The new functionality offers pre-configured recipes for monitoring the applications, which customers can also adapt to their own needs. Initially this will be available for Fusion HCM and Fusion ERP; the other Fusion Applications, such as Fusion Cloud Procurement, will presumably follow.
In summary, OCI (and the Fusion Apps that run on top of it) gets a number of substantial security updates. Several months ago we reported on updates for OCI network, storage and compute, so the OCI update picture for this year is pretty much complete. One thing we haven't heard much about is updates for developers who build applications on OCI. When we asked Thiagarajan about this, he was a bit vague, indicating only that Oracle just might have news in that area later this year. To be continued, that's for sure.