Oracle’s new EU Sovereign Cloud regions to help enterprises meet data regulations

Oracle on Tuesday said it is opening its EU Sovereign Cloud for enterprises and government bodies to help them meet evolving data residency and privacy regulations — such as the General Data Protection Regulation (GDPR) — while moving to the cloud.  

The new EU Sovereign Cloud will comprise two data regions or data centers located in Frankfurt and Madrid, which will be operated by Oracle-owned EU legal entities incorporated in the EU, hiring EU-based personnel only, Oracle said. Enterprises across all 27 member states would be able to access the cloud at the same cost as its other cloud regions, the company added.

“Oracle EU Sovereign Cloud gives customers the services and capabilities of Oracle Cloud Infrastructure’s (OCI) public cloud regions with the same support, and service level agreements (SLAs) to run all workloads,” Oracle said in a statement.  

The two data centers have been put in place to manage disaster recovery, the company said. Oracle first announced its intent to launch the EU Sovereign Cloud in July 2022.

The newly opened EU Sovereign Cloud has implemented practices that support compliances as prescribed under the Schrems II ruling, the European Data Protection Board (EDPB) guidelines, and evolving regulations such as NIS 2, said Leo Leung, vice president of products and strategy at Oracle.   

“The Sovereign Cloud regions are designed on the principles of our Government Cloud that we offer to the US and UK. In the US, we offer two different kinds of Government Cloud, separate for defense and administrative bodies with different security features,” Leung said.

Oracle’s Sovereign Cloud offers physical separation

In contrast to other public cloud services providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud that offer controls to meet data regulations within existing cloud regions or cloud services, Oracle’s EU Sovereign Cloud is physically separate from its existing ten cloud regions in the EU.

The new Sovereign Cloud, according to the company, doesn’t share any infrastructure with Oracle’s other regions in the EU and has no backbone network connection to any Oracle cloud region globally.

Additionally, access to the Sovereign Cloud is managed separately from Oracle’s other commercial regions in order to enhance data security, Oracle said.  

The company claims to have added a new control layer, dubbed realm isolation, for the Sovereign Cloud, which imposes more restrictions based on security clearance and residency of personnel.

“Access to Oracle Cloud Infrastructure is based upon the concept of least privilege, which means restricting role entitlements to the minimum required to perform functions and implementing strict identity authorization policies,” Oracle’s senior manager Sarah Fujita wrote in a blog post.

“Access of operations staff to the infrastructure and services supporting OCI requires multifactor authentication, a VPN connection, and an SSH (Secure Shell) connection with a user account and password or private key,” Fujita added.

Other mechanisms to secure data include audit logs and Vault Key Management.

While audit logs can be used to monitor authentication logs for servers and network devices supporting OCI services, Vault Key Management provides centralized management of the encryption of an enterprise’s customer data with keys inside the realm.

“Enterprises can create, rotate, enable or disable keys, assign keys to resources, and use keys for encryption and decryption to safeguard data,” Fujita wrote, adding that enterprises can implement Vault either as a multitenant software-based key management service or as a dedicated hardware security module (HSM).

Additional measures for data security

Oracle also said it is adding two new additional data security measures to its Vault Key Management feature as part of the Sovereign Cloud in the form of OCI Dedicated Key Management Service and OCI External Key Management Service.

While OCI Dedicated Key Management gives enterprise customers control over their encryption keys by using a dedicated, single-tenant HSM provisioned within OCI, the External Key Management ability allows enterprises to encrypt their data using encryption keys that are created and managed by the customer outside of OCI.

“These encryption keys always stay within the custody of the customer and are never imported into OCI, enabling customers to move regulated workloads to OCI that require control over the physical storage of keys outside the cloud,” Oracle said, adding that Dedicated Key Management was developed in partnership with the Thales Group.

Oracle EU Sovereign Cloud to support OCI FastConnect

The EU Sovereign Cloud supports Oracle’s OCI FastConnect service which can be used to transfer data to OCI’s virtual cloud network via a dedicated private connection.

Currently, the new Sovereign Cloud will support FastConnect partners such as Arelion, DE-CIX, Digital Realty, Equinix, and InterCloud, Oracle said, adding that Digital Realty and Equinix were the host partners for the EU Sovereign Cloud region’s location in Madrid and Frankfurt respectively.

The Sovereign Cloud adds to Oracle’s tally of 37 commercial regions and seven government regions across 23 countries. In May, the company announced its intent to open a new cloud region in Serbia.