In a bid to distinguish itself from other cloud platform providers through a focus on security, Oracle Corp. today is broadening the range of built-in and add-on cybersecurity features in Oracle Cloud Infrastructure.

The company cited the results of a survey it co-sponsored KPMG LLP last year that found that 78% of organizations use more than 50 discrete cybersecurity products. Oracle said the new features are intended not only to simplify management but also to address the problem misconfiguration and user error that Gartner Inc. has asserted will be responsible for more than 99% of cloud breaches over the next four years.

The new features complement the Oracle Cloud Guard and Oracle Security Zones the database giant announced in September 2020 that aggregate events across all of Oracle Cloud’s main infrastructure services and provide pre-configured, hard-coded security policies.

Simplifying back-end complexity

The Oracle Cloud Infrastructure Web Application Firewall for Flexible Load Balancers helps protect web applications from malicious internet traffic. Protections can be applied directly to the Flexible Load Balancer on both public and private instances to protect them from the common web vulnerabilities as identified by the Open Web Application Security Project’s list of the top 10 vulnerabilities.

Oracle also said it’s simplifying pricing for the virtual firewall. The service is available now on a trial basis in the Oracle Free Cloud trial.

Previously, the balancers and firewalls had to be set up and configured separately to handle both north-south and east-west traffic, said Bala Chandran, vice president of software security for Oracle Cloud. “Now you only set them up once,” he said, a seemingly simple process that nevertheless involved “a ton of back-end complexity.”

The new Oracle Cloud Infrastructure Vulnerability Scanning Service helps cloud customers identify and address risks from unpatched vulnerabilities and open ports by assessing and monitoring cloud hosts. The feature is integrated with Cloud Guard for rapid vulnerability identification and is available to all OCI customers at no additional cost.

“We scan your open ports and checks against open-source vulnerabilities and databases to score and issue alerts on a single pane of glass,” Chandran said. “We’re not saying this is a black box for security but a set of standards you can customize to your needs and we report where you’re deviating from them.”

Oracle Cloud Infrastructure Bastion provides restricted and time-limited secure access to resources that don’t have public endpoints and require strict resource access controls. It’s a fully managed service that enables secure and ephemeral Secure Shell access to the private resources in OCI.

Bastions are used by sophisticated customers to safely track who can get access to cloud resources. “The challenge is that someone has to set it up, maintain it and make sure it doesn’t live forever,” Chandran said. ”Maintaining those sessions becomes a big security hole, so these are essentially bastions-as-a-service that you can gate and audit.” The service is available all OCI paid and free tier tenancies.

Finally, Oracle Cloud Infrastructure Certificates is a new cloud certificate service based on the International Telecommunications Union’s X. 509 standard. It enables tenants to create private certificate authority hierarchies and transport layer security certificates easily and to deploy them to integrated services such as the load balancer and application program interface gateway. Oracle said the service simplifies an often long and confusing process of creating and managing authorities and certificates.

Oracle is providing demonstrations of the new features on its YouTube channel.

Taken together with last year’s Cloud Guard and Security Zones, the features are intended to buttress the perception that “our security strategy is differentiated from others,” said Fred Kost, global vice president of cross-platform, security, analytics and Linux. “How do we make it simpler and more prescriptive in helping customers do things right the first time?”

Although most cloud infrastructure providers hew fast to the shared responsibility model that requires customers to manage security for their own operating system instances, applications and data, he said, Oracle is trying to make it easier for them to avoid common errors without relieving them of responsibility.

Image: Willfried Wende/Pixabay