Oracle Sovereign Cloud

Oracle EU Sovereign Cloud

A speciality of the Oracle Sovereign Cloud portfolio is flexibility. Oracle offers different models of sovereign cloud to address varying organizational and regulatory needs for data residency, sovereignty, and compliance.

Oracle Sovereign Cloud models

Below are the key sovereign cloud models Oracle provides:

  1. Self-hosted at Customer: This model delivers a complete Oracle cloud region directly to a customer’s data center, providing all Oracle Cloud Infrastructure (OCI) services locally. It ensures that data, applications, and workflows remain within the customer’s premises, satisfying the strictest data residency and sovereignty requirements. Customers retain full control over physical hardware, operations, and access policies at the cost of higher responsibility on the customer’s side.
  2. EU Sovereign Cloud: The EU Sovereign Cloud adopts a model similar to the AWS European Sovereign Cloud, with its regions being both physically and logically isolated from the broader Oracle Cloud Infrastructure (OCI). These regions are operated exclusively by EU residents, ensuring protection against extraterritorial regulations, such as the U.S. CLOUD Act. Notably, the Oracle EU Sovereign Cloud offers the same pricing as other Oracle Cloud regions.
  3. OCI Public Cloud with sovereignty features: For organizations that can operate in the larger public cloud but still have specific sovereignty and governance requirements, Oracle provides advanced sovereignty tools and encryption features. Customers can leverage regional Oracle data centers while enforcing strict access controls, data encryption, and residency policies to meet compliance needs without the need for fully isolated environments.

All in all, Oracle’s approach is quite similar in it’s flexibility to the sovereignty options with Google. The notable difference is that Oracle does not involve T-Systems as an European guardian over the sovereignty controls.

Deep Dive: Sovereign Controls in EU Sovereign Cloud

Organizational Controls

Regions are operated by EU-based legal entities that own the hardware and data center leases and provide the operations and support.

The isolation of the EU Sovereign Cloud realm allows Oracle to restrict support and operations, including physical and logical access to the realm, to EU residents employed by EU legal entities.

The EU-based legal entities are backed by a governance committee to ensure integrity and alignment with current and future regulations.

Technical Controls

EU Sovereign Cloud regions form a separate realm to ensure physical, logical, and cryptographical segregation from other regions, and access is granted exclusively to EU legal entity teams for deployment, operation, and security. EU data residency is intrinsic to the platform.

Cybersecurity solutions on top of the EU Sovereign Cloud realm offers customizable controls to align with audit and compliance requirements. Enhanced encryption and key management options fortify data protection and confidentiality.

Disaster recovery capabilities within the EU Sovereign Cloud realm ensure localized resilience, with each region featuring three fault domains for hardware distribution. This setup enhances reliability and minimizes potential disruptions, bolstering business continuity for customers.

Contractual Controls

EU Sovereign Cloud is supported by specific agreements, such as the data processing agreement, the service description, and a dedicated addendum to the service pillar document.

The contracts outline responsibilities for handling personal information, third-party subprocessors, confidentiality, and security measures. The contracts are designed to help address the requirement that your content will not leave the selected EU Sovereign Cloud region(s) without your authorization or instruction and aim to reduce the risk of unauthorized access by entities or individuals outside of the EU Sovereign Cloud organizations.

When to chose sovereign OCI?

There are various reasons why the Oracle Cloud Infrastructure (OCI) might be a good choice. to name three:

  1. OCI is especially suitable for modernization of legacy Oracle workloads, e.g. when there is a dependency on an Oracle database. A transition to OCI can be easier than to other clouds.
  2. The business is using Oracle Fusion apps. This is a suite of applications built on Oracle Cloud that include cloud-based applications for enterprise resource planning (ERP), enterprise performance management (EPM), supply chain management and manufacturing (SCM), human capital management (HCM), and customer experience (CX)
  3. The customer wants to take advantage of the flexible sovereignty options Oracle provides.

Conclusion

Oracle provides highly flexible sovereignty options on Oracle Cloud Infrastructure (OCI), allowing organizations to achieve varying levels of data protection and isolation based on the chosen distribution of responsibilities between Oracle and the customer. However, a certain level of technical reliance on Oracle persists, particularly when utilizing the Oracle Database, Oracle Fusion Applications, or other Oracle-specific technologies.

To top