Oracle Cloud Infrastructure

From LIMSWiki
Jump to navigationJump to search
Oracle Cloud Infrastructure
Industry Cloud computing, Web services
Founder(s) Larry Ellison
Bob Miner
Ed Oates
Headquarters Redwood City, California, United States
Area served Worldwide
Key people Clay Magouyrk (EVP)
Products IaaS, PaaS, DBaaS, DaaS
Revenue $35.3 billion (2023, Q4)[1]

Oracle Cloud Infrastructure is a a collection of public, private, hybrid, and multicloud cloud computing services offered by Oracle Corporation, an American multinational information technology company. Oracle Cloud Infrastructure deploys to unknown number of data centers in 44 cloud regions in 23 countries around the world.[2] More than 100 different products and services are associated with Oracle Cloud Infrastructure, representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, data analysis, and developer support.[2]

Provider research

This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.

1. What experience do you have working with laboratory customers in our specific industry?

Oracle has the Oracle for Research program, which helps researchers, scientists, and academic institutions "to simplify the research process, accelerate discovery, and address humanity’s most urgent needs."[3] Through this program, labs at Flinders University[4], Royal Holloway University of London[5], University of Bristol[6], and University of Southern California[7] have used Oracle Cloud towards their objectives.

Laboratory informatics vendors that have turned to Oracle Cloud include AgiLab SAS[8], OPTIMIZA[9], and Triniti.[10] An Oracle representative is likely to be able to supply more examples of laboratories and laboratory informatics developers that use or have used Oracle Cloud Infrastructure.

2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?

It will ultimately be up to your organization to get an answer from Linode tailored to your systems and business processes. However, this much can be said about Oracle Cloud Infrastructure integrations. The Oracle Integration collection of h database, application, social, and productivity adapters "offers innovative methods for accelerating all types of application connection and process automation projects. They include out-of-the-box templates and adapters to connect virtually any data store, process, application, service, or API across modern and legacy sales, marketing, HCM, finance, and order-management systems."[11]

3. What is the average total historical downtime for the service(s) we're interested in?

Some public information is made available about historic outages and downtime. Oracle Cloud Infrastructure has a systems status page with status history (you have to click on the "Incident History" link at the bottom, then the date range arrows in the top right of the subsequent page). You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. A follow-up on this question with an Oracle Cloud Infrastructure representative may reveal more historical downtime history for the services you are interested in.

4. Do we receive comprehensive downtime support in the case of downtime?

Oracle Cloud Infrastructure does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with Oracle what downtime support they provide based on the services your organization are interested in.

5. Where are your servers located, and how is data securely transferred to and from those servers?

Oracle Cloud Infrastructure is split up into 42 regions, each with various availability domains and fault domains. As for data transfers, Oracle Cloud Infrastructure provides multiple ways to better ensure safer data transmission. In its disaster recovery documentation, Oracle discusses networking services such as virtual cloud networks, reserved public IP addresses, Load Balancing, and FastConnect. For example, FastConnect can be used in hybrid cloud data transfers between on-premises and Oracle cloud infrastructures "that enable you recover your cloud workloads quickly, reliably, and securely."[12] As for the security of data in transit, Oracle Cloud Infrastructure addresses this with encryption mechanisms like TLS v1.2.[13]

6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?

Oracle broadly describes physical security controls at its facilities, but it doesn't discuss who is allowed into the heart of data centers and how access to those areas is controlled. It also doesn't describe any certifications or training that applies to the individuals who could access your data. This is a conversation to have with a Oracle Cloud Infrastructure representative.

7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?

Not all Oracle Cloud Infrastructure machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.

8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)

Similar to IBM, Oracle appears to allow for both physical (bare metal) separation and logical separation for some of its services. They note:[14]:

Customer Isolation: Lets you deploy your application and data assets in an environment that is fully isolated from other tenants and from Oracle staff.

As for tenant isolation, the concept is addressed in Oracle's security documentation, in reference to both bare metal and virtual machine instances, as well as within the scope of networking. For details beyond the documentation, consult a representative.

9. Do you have documented data security policies?

Oracle Cloud Infrastructure documents its security practices in several places:

Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with an Oracle Cloud Infrastructure representative to obtain them.

10. How do you test your platform's security?

Oracle has this to say about internal and customer cloud security testing[15]:

Oracle regularly performs penetration and vulnerability testing and security assessments against the Oracle Cloud infrastructure, platforms, and applications. These tests are intended to validate and improve the overall security of Oracle Cloud services.

However, Oracle does not assess or test any components (including, non-Oracle applications, non-Oracle databases or other non-Oracle software, code or data, as may be applicable) that you manage through or introduce into – including introduction through your development in or creation in - the Oracle Cloud services (the “Customer Components”). This policy does not address or provide any right to conduct testing of any third-party materials included in the Customer Components.

Except as otherwise permitted or restricted in your Oracle Cloud services agreements, your service administrator who has system level access to your Oracle Cloud services may run penetration and vulnerability tests for the Customer Components included in certain of your Oracle Cloud services in accordance with the following rules and restrictions.

It also appears that Oracle may have a Red Team that handles its penetration and vulnerability testing.[16] Discuss this with a representative to learn more.

11. What are your policies for security audits, intrusion detection, and intrusion reporting?

Audits: Customers are able to audit their security by using the built-in Audit service. "Using the Audit service, customers can achieve their own security and compliance goals by monitoring all user activity within their tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included."[14] As for internal security audits, Oracle notes in its 2020 SOC 3 report that "[a]t least annually, Oracle Cloud Infrastructure completes an internal audit of the system. The internal audit is conducted by qualified auditors and as per the requirements set out in Clause 9 of ISO/IEC 27001:2013."[17]

Intrusion detection and reporting: Oracle Cloud Infrastructure has the following to say about its internal intrusion detection processes[18]:

Oracle employs intrusion-detection systems within the Oracle intranet to provide continuous surveillance for intercepting and responding to security events as they are identified. Oracle utilizes a network-based monitoring approach to detect attacks on open firewall ports within Oracle's intranet. Events are analyzed using signature detection, which is a pattern matching of environment settings and user activities against a database of known attacks. Oracle updates the signature database as soon as new releases become available for commercial distribution. Alerts are forwarded to Oracle's IT security for review and response to potential threats.

Customers also have intrusion detection and reporting mechanisms at their disposal, including Cloud Guard and Vulnerability Scanning.

12. What data logging information is kept and acted upon in relation to our data?

In its Oracle Services Privacy Policy, Oracle uses the term "systems operations data" to "include log files, event files, and other trace and diagnostic files, as well as statistical and aggregated information that relates to the use and operation of our Services, and the systems and networks these Services run on."[19] Oracle Cloud Infrastructure may use system logs related to your data to keep their services secure, investigate and prevent potential fraud, to administrate backup and disaster recovery plans, confirm compliance, research and development activities, and to comply with applicable laws.[19] Of course, customers can maintain and act upon their own data logs using tools like Logging Analytics.

13. How thorough are those logs and can we audit them on-demand?

It's not clear how thorough the logs are, but Oracle does state: "To the extent provided under applicable laws, Users may request to access, correct, update or delete personal information contained in Systems Operations Data in certain cases, or otherwise exercise their choices with regard to their personal information by filling out an inquiry form."[19] Consult with a representative to learn more.

14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?

Yes, Oracle Cloud Infrastructure will sign a business associate agreement.[20] Consult their blog post or a representative for more details on their approach to HIPAA compliance.

15. What happens to our data should the contract expire or be terminated?

From the Oracle Cloud Hosting and Delivery Policies[21]:

For a period of 60 days upon termination of the Oracle Cloud Services, Oracle will make available, via secure protocols and in a structured, machine-readable format, Your Content residing in the production Oracle Cloud Services, or keep the service system accessible, for the purpose of data retrieval by You.

16. What happens to our data should you go out of business or suffer a catastrophic event?

It's not publicly clear how Oracle Cloud Infrastructure would handle your data should they go out of business; consult with a representative about this topic. As for catastrophic events, Oracles uses "fault domains" for ensuring data availability and redundancy. Those regions with availability domains typically have three fault domains. "Fault domains enable you to distribute your resources so that they don't depend on the same physical hardware within a single availability domain. As a result, hardware failures or maintenance events that affect one fault domain do not affect the resources in other fault domains."[12] It's highly unlikely that all three fault domains would be affected in a catastrophic event. However, if this is a concern, discuss further data redundancy with an Oracle Cloud Infrastructure representative.

17. Can we use your interface to extract our data when we want, and in what format will it be?

From question 15, we found that data can be extracted "via secure protocols and in a structured, machine-readable format." Verify with a representative the finer details, including when such extractions of files, database dumps, whole disks, backups, etc. may occur.

18. Are your support services native or outsourced/offshored?

It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an Oracle Cloud Infrastructure representative.

Managed security services

Oracle advertises managed security services, described as "a suite of services to help you strengthen the enterprise security posture of your IT environment," part of the Oracle Customer Success Services (CSS) portfolio of services. Oracles mentions the following services[22]:

  • vulnerability and threat prevention
  • data security and protection
  • identity and access management
  • regulatory security governance and compliance services

Additional information

Documentation and other media

External links


  1. "Oracle Announces Fiscal 2023 Fourth Quarter and Fiscal Full Year Financial Results". Oracle Corporation. 12 June 2023. Retrieved 04 August 2023. 
  2. 2.0 2.1 "Public Cloud Regions". Oracle. Retrieved 04 August 2023. 
  3. "Oracle for Research". Oracle. Retrieved 04 August 2023. 
  4. Miller, A.D. (4 August 2020). "From Viruses to Environmental Issues, Cloud Computing is Accelerating Research and Scientific Discovery". Oracle for Research Blog. Retrieved 04 August 2023. 
  5. Payton, R. (30 January 2023). "Royal Holloway & Oracle refine carbon storage to fight climate change". Oracle for Research Blog. Retrieved 04 August 2023. 
  6. "University of Bristol makes COVID breakthrough with Oracle". Oracle Corporation. 8 September 2021. Retrieved 04 August 2023. 
  7. Barker, B. (14 July 2021). "When bare metal GPUs and cloud come together, USC researchers win". Oracle for Research Blog. Retrieved 04 August 2023. 
  8. Munoz-Willery, I. (15 September 2017). "Agilab LIMS Solutions moves to Oracle Cloud". Paperless Lab Academy. Retrieved 04 August 2023. 
  9. "OPTIMIZA’s AccuLab: Powered By Oracle, Now Available in Oracle Cloud Marketplace". OPTIMIZA. 15 July 2019. Retrieved 04 August 2023. 
  10. "Lab Diagnostics Industry Solution for Oracle Cloud". Triniti. Retrieved 04 August 2023. 
  11. "Integrate and Automate Business Processes" (PDF). Oracle. 2020. Retrieved 04 August 2023. 
  12. 12.0 12.1 "Best practices for protecting your cloud topology against disasters". Oracle Help Center. Oracle. Retrieved 04 August 2023. 
  13. "Using In-transit TLS Encryption". Oracle Cloud Infrastructure Documentation. Oracle. Retrieved 04 August 2023. 
  14. 14.0 14.1 "Security Overview". Oracle Cloud Infrastructure Documentation. Oracle. Retrieved 04 August 2023. 
  15. "Oracle Cloud Security Testing Policies". Oracle Cloud Infrastructure Documentation. Oracle. Retrieved 04 August 2023. 
  16. Cross, D.B. (7 January 2020). "Why Red Teams Rule the Cloud!". Oracle Cloud Security Blog. Retrieved 04 August 2023. 
  17. "System and Organization Controls (SOC 3) Report". Oracle. 2023. Retrieved 04 August 2023. 
  18. "Security Principles for Network Communications". Oracle. Retrieved 04 August 2023. 
  19. 19.0 19.1 19.2 "Privacy @ Oracle: Oracle Services Privacy Policy". Oracle. Retrieved 04 August 2023. 
  20. Karabulut, Y. (30 May 2018). "Oracle Announces HIPAA Attestation for Oracle Cloud Infrastructure". Oracle Cloud Infrastructure Blog. Oracle. Retrieved 04 August 2023. 
  21. "Oracle Cloud Hosting and Delivery Policies" (PDF). Oracle. June 2023. Retrieved 04 August 2023. 
  22. "Oracle Managed Security Services". Oracle Corporation. Retrieved 04 August 2023.