Use OCI Security Services for Data Protection with Oracle Cloud VMware Solution

Oracle Cloud VMware Solution provides a customer-managed, native VMware-based cloud environment that is installed within the customer's tenancy and offers complete control using familiar VMware tools.

Oracle Cloud Infrastructure (OCI) is a next-generation infrastructure-as-a-service (IaaS) offering architected on security-first design principles, such as isolated network virtualization and pristine physical host deployment, which were difficult to achieve with earlier public cloud designs. These principles help OCI reduce the risk posed by advanced persistent threats.

This reference architecture describes the integration options for Oracle Cloud VMware Solution with the OCI Data Protection layer and its security services, to address the requirements for running critical and sensitive workloads.

Architecture

This logical reference architecture primarily focuses on the Data Protection layer and describes how OCI Security Services can be used for Data Protection with Oracle Cloud VMware Solution workloads.

The following OCI native security services are a part of the OCI Security - Data Protection layer.

  • The OCI Vault service centrally manages the master encryption keys and the secrets that the Data Protection layer relies on. Keys held in a vault serve as the master encryption keys for OCI Block Volume, OCI File Storage and OCI Object Storage: each volume, file system or bucket is encrypted with its own data encryption key, and that data key is wrapped by the master key you select (envelope encryption). Secrets (for example, database passwords) are stored and versioned in the same vault, so key management and secrets management are both governed centrally.
  • The Oracle Data Safe service protects sensitive and regulated data stored in an Oracle Database that runs as a virtual machine in the SDDC managed by vCenter. The database is registered with Oracle Data Safe as a target database through a Data Safe connector.
  • The OCI Certificates service provides TLS certificates for servers, web applications and other endpoints. Administrators can create and manage private certificate authority (CA) hierarchies and issue TLS certificates from them, and these certificates integrate directly with the OCI Load Balancer service.

Data Encryption: OCI storage services encrypt data at rest by default using the Advanced Encryption Standard (AES) with 256-bit keys. Control plane traffic in transit is protected with Transport Layer Security (TLS) 1.2 or later. Note that at-rest encryption protects data on the storage service's media; it does not by itself cover the iSCSI or NFS session between the ESXi hosts and OCI Block Volume or File Storage, which runs over the SDDC's VCN networks and must be protected by network controls.

The following diagram illustrates this reference architecture.



Diagram download: ocvs-data-security-arch-oracle.zip

The architecture has the following components:

  • OCI Cloud Security Services

    OCI Security helps organizations reduce the risk of security threats to cloud workloads. This Oracle Cloud VMware Solution security reference architecture describes the capabilities of the OCI Data Protection layer.

    The OCI Vault service centrally manages the encryption keys and secret credentials used by the OCI storage layer and the backup repository. Data Safe is enabled to monitor and assess the Oracle Database target running in the SDDC, reached through a Data Safe connector. The Certificates service issues, stores and manages certificates, which can be deployed on an OCI load balancer.

  • Oracle Cloud VMware Solution

    The Oracle Cloud VMware Solution deploys the VMware software-defined data center (SDDC) on OCI core infrastructure services. OCI bare metal DenseIO servers run the VMware hypervisor, ESXi, which provides compute virtualization. Virtual machines managed by vCenter use either the vSAN datastore or OCI Block Volume as their primary storage; in addition, OCI Block Volume and OCI File Storage can be attached as external datastores.

    The virtual machines running in Oracle Cloud VMware Solution use the following storage and backup options.
    • vSAN storage is the out-of-the-box software-defined storage in an Oracle Cloud VMware Solution environment. vSAN supports data-at-rest encryption using either the vSphere Native Key Provider or an external key management service (KMS) provider; OCI Vault is not one of the supported providers.
    • OCI Block Volume is presented to the VMware ESXi hosts as an iSCSI target and used as a datastore. OCI encryption features, including default at-rest encryption and customer-managed keys in OCI Vault, apply to the VM data stored on the volume.
    • OCI File Storage is mounted as an NFS datastore for virtual machines. The same OCI encryption features, including customer-managed keys in OCI Vault, apply to the VM data stored on the file system.
    • OCI Object Storage stores the backup copies of Oracle Cloud VMware Solution VMs. Object Storage cannot be used as a datastore to run VMs. All OCI Object Storage security features apply to the VM backup files.

The following table describes how OCI Security Services can be used for Data Protection with Oracle Cloud VMware Solution.

OCI Service | Data protection with Oracle Cloud VMware Solution

Data Safe | Data Safe is an OCI native service that safeguards Oracle databases running in OCI or on-premises. An Oracle Database running as a virtual machine in the Oracle Cloud VMware Solution SDDC can be registered with Data Safe using a Data Safe connector.

Block Volume Encryption | OCI Block Volume is mounted as an external datastore for the VMware SDDC; the volume is encrypted at rest with either an Oracle-managed key or a customer-managed key held in OCI Vault.

File Storage Encryption | OCI File Storage is mounted as an external NFS datastore for the VMware SDDC; the file system is encrypted at rest with either an Oracle-managed key or a customer-managed key held in OCI Vault.

Object Storage Encryption |
  • OCI Object Storage cannot be used with the Oracle Cloud VMware Solution SDDC as a direct-attached or external datastore.
  • OCI Object Storage serves as the backup and archival repository for the SDDC's virtual machines.
  • Backup products such as Veeam and Commvault integrate with OCI Object Storage, so archival backup data stays encrypted at rest under the bucket's key.
  • The backup product keeps its performance-tier backup data on OCI Block Volumes, which are likewise encrypted at rest, so backup data is protected in both tiers.

Vault |
  • OCI Vault cannot be used with vSAN storage. The vSAN datastore supports only the vSphere Native Key Provider and external KMS providers. For more information, see the VMware third-party KMS Providers link in the Explore More section.
  • OCI Vault applies to Oracle Cloud VMware Solution only where OCI storage services (Block Volume, File Storage, Object Storage) are used as shared storage for virtual machines or as the backup repository.

Certificates |
  • Oracle Cloud VMware Solution is a native OCI service by design and integrates natively with other OCI services.
  • Virtual machines in Oracle Cloud VMware Solution can be published through the OCI Load Balancer service. TLS termination (SSL offloading) on the load balancer uses certificates managed in the OCI Certificates service.
  • OCI Certificates issues certificates from private CAs, which public clients do not trust. For public-facing applications, obtain a certificate signed by a publicly trusted third-party CA and import it into OCI Certificates; the same certificate can then be associated with the load balancer listener and installed on the backend web servers for end-to-end TLS.
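The Block Volume, File Storage, Object Storage and Vault rows above all reduce to one operational check: does every OCI storage resource backing the SDDC or its backup repository actually reference a key in the vault you govern, or is it silently using an Oracle-managed key? The following Python script is an added example and is not part of the Oracle reference architecture. It audits the JSON that the OCI CLI prints for oci bv volume list, oci fs file-system list and oci os bucket get (kebab-case fields under "data", with kms-key-id null when the resource uses an Oracle-managed key). The listings, OCIDs and the approved-key set embedded in it are constructed samples; in practice you feed it real CLI output and build the approved set from the keys in your own vault. vSAN datastores are outside its scope because, as the Vault row notes, they cannot use OCI Vault.

```python
"""Audit OCI storage resources behind an OCVS SDDC for customer-managed keys.

Added example, not Oracle's code. Input is the JSON the OCI CLI prints for:
  oci bv volume list --compartment-id ... --output json
  oci fs file-system list --compartment-id ... --availability-domain ... --output json
  oci os bucket get --bucket-name ... --output json
A null "kms-key-id" means the resource is encrypted with an Oracle-managed key
rather than a key you control in OCI Vault.
"""
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource_type: str
    name: str
    ocid: str
    reason: str


# Constructed samples. Field names mirror the OCI CLI's JSON output; the OCIDs
# are placeholders, not real resources.
SAMPLE_VOLUMES = json.dumps({"data": [
    {"id": "ocid1.volume.oc1.phx.examplevol1", "display-name": "sddc-datastore-01",
     "kms-key-id": "ocid1.key.oc1.phx.examplevault.examplekey1",
     "lifecycle-state": "AVAILABLE"},
    {"id": "ocid1.volume.oc1.phx.examplevol2", "display-name": "sddc-datastore-02",
     "kms-key-id": None, "lifecycle-state": "AVAILABLE"},          # Oracle-managed key
    {"id": "ocid1.volume.oc1.phx.examplevol3", "display-name": "old-datastore",
     "kms-key-id": None, "lifecycle-state": "TERMINATED"},         # gone, ignore
]})
SAMPLE_FILESYSTEMS = json.dumps({"data": [
    {"id": "ocid1.filesystem.oc1.phx.examplefs1", "display-name": "sddc-nfs-01",
     "kms-key-id": "ocid1.key.oc1.phx.examplevault.examplekey1",
     "lifecycle-state": "ACTIVE"},
]})
# `oci os bucket get` returns one object under "data", not a list.
SAMPLE_BUCKET = json.dumps({"data": {
    "id": "ocid1.bucket.oc1.phx.examplebucket1", "name": "veeam-backup-repo",
    "kms-key-id": "ocid1.key.oc1.phx.othervault.examplekey9",   # key outside our vault
}})

# Constructed: in practice, collect this from `oci kms management key list`
# against the management endpoint of the vault you govern.
APPROVED_KEYS = {"ocid1.key.oc1.phx.examplevault.examplekey1"}


def _records(cli_json: str) -> list[dict]:
    """Normalise list and single-object CLI responses to a list of records."""
    data = json.loads(cli_json)["data"]
    return data if isinstance(data, list) else [data]


def audit(listings: dict[str, str], approved_keys: set[str]) -> list[Finding]:
    """Return one Finding per live resource that is not protected by an approved key."""
    findings: list[Finding] = []
    for rtype, cli_json in listings.items():
        for rec in _records(cli_json):
            if rec.get("lifecycle-state") in ("TERMINATED", "DELETED"):
                continue  # no data left to protect
            key = rec.get("kms-key-id")
            name = rec.get("display-name") or rec.get("name") or rec["id"]
            if not key:
                findings.append(Finding(rtype, name, rec["id"], "oracle-managed-key"))
            elif key not in approved_keys:
                findings.append(Finding(rtype, name, rec["id"], f"unapproved-key:{key}"))
    return findings


def run_sample() -> list[Finding]:
    """Run the audit over the constructed listings above."""
    return audit(
        {"block-volume": SAMPLE_VOLUMES,
         "file-system": SAMPLE_FILESYSTEMS,
         "bucket": SAMPLE_BUCKET},
        APPROVED_KEYS,
    )


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.resource_type:13} {f.name:22} {f.reason}")
```

Two findings come out of the sample: the second datastore volume has no kms-key-id at all, and the backup bucket is encrypted under a key from a vault the team does not control. Both are the conditions the Vault row warns about, and the terminated volume is skipped so the report only covers data that still exists.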

Acknowledgments

  • Authors: Dev Gawale, Sandeep Khedekar