Security in Oracle Cloud Infrastructure and why you should care less about it

I recently attended Accenture’s Oracle leadership council and was asked to speak about Oracle Cloud Infrastructure security. I’ve said that I’m definitely not an expert on security and that’s why the subject was actually a cool one to speak about!

If you’ve used any of the major cloud providers (Azure, AWS, GCP) you know the security is built-in and they all give you tools which makes life easier when you are building your solutions. Oracle has all the tools available as well and at some point they could be considered a major cloud vendor too. If they will be or not is a long topic deserving it’s own post though.

Oracle has put lot of effort to provide security features in their cloud and if you look documentation of their services your see things like data encryption, customer isolation and security controls as basic features in all the services. This is nothing new with previously mentioned cloud providers either but now there is possibility to use these with many Oracle solutions as well.

An eye-opener for me was when I started working more with AWS. When you start using it you notice things like easily integrating your company’s Active Directory services with their Identity & Access Management (IAM) or provisioning load balancer with a certificate without needing to set up external services if you don’t want to.

But it’s not all that about features! It’s also the possibility to automate building your infrastructure. Partly because Oracle Cloud Infrastructure supports Infrastructure as Code with Terraform I’ve been adopting it as the main tool we use. Why does it help with your security? You can standardize and automate building your solution which reduces human errors, makes auditing easier and finally makes it lot easier to follow defined policies.

So why move?

Like it or not but many Oracle solutions are still hosted on-premise and can be considered as your company’s legacy applications. Why would you move those to cloud? On some cases it will probably make no sense. So don’t believe the cloud strategist saying it will change everything for better and don’t do it! But when it does either from cost, upgrade, or by way of integrating your application to use other cloud services, remember you can also build the security around your application easily when you lay in the groundwork.

You can also do a lot more with less people, for a small company building a highly secure solution hasn’t ever been so easy. If you study the options and plan them properly into your solution it takes lot less effort in the long run to maintain a secure system.

I’ll admit that I was long time advocate of doing most things in-house for Oracle solutions. If we speak for example about Oracle Applications it didn’t make sense to consider cloud as an option for a mid-sized company in many cases. Why? One thing for sure was the licensing! Considering the license strategy Oracle has had it hasn’t been so easy to transition using cloud providers and this has put many customers off so far. Another thing was that there wasn’t a good option from Oracle to do it, the OCI Classic wasn’t really the best option out there.

But now that there is an option with Oracle’s 2nd gen OCI and if it makes sense to consider moving your workload to Oracle Cloud Infrastructure, consider security not as an additional burden but as a pre-built feature which you can integrate to your architecture.

As a closing statement..

I’ll say that defining standards and policies has never been so important due to growing list of threats but with the tool set we are being provided by the cloud vendors and by properly adapting them into use we actually have lot more flexibility to operate. That way you can care less on security without being careless!