by Howard Solomon

Oracle adds Zero Trust Packet Routing capability to its cloud platform

News
12 Sep 2024, 6 mins read
Cloud Security, Identity and Access Management, Zero Trust

An analyst says it could allow CISOs to better enforce security policies by decoupling security policies from the complexities of network configurations.

Oracle logo at their HQ in Silicon Valley; Oracle Corporation is a multinational computer technology company specializing in database management systems
Credit: Shutterstock

Oracle has added a new zero trust capability to its cloud platform which it says prevents corporate data from being inadvertently exposed through network misconfigurations.

Zero Trust Packet Routing for Oracle Cloud Infrastructure (OCI) enables organizations to set security attributes on resources and write natural language policies that limit network traffic based on the resources and data services accessed, the company said.

ZPR separates network security from the underlying architecture. As a result, Oracle said, organizations can safeguard themselves from one of the most common causes of compromise: network misconfigurations.

The announcement was made Tuesday at Oracle CloudWorld. ZPR is available immediately to OCI users at no charge.

Zero Trust Packet Routing (ZPR) is based on an open standard that Applied Invention and Oracle designed in 2023.

While ZPR has the potential to create an identity-aware network security layer, the technology is a work in progress, said Ron Westfall, research director at the Futurum Group, who was briefed on the announcement.

“What Oracle and its ZPR creator partner, Applied Invention, need to do is enlist a critical mass of cloud supply chain partners to support ZPR. Above all, they need the solid backing of an established standards organization — the IETF [Internet Engineering Task Force] comes to mind — to give it the standards-backing imprimatur to spur broader consideration and adoption,” he said.

“Overall it is a logical solution to the major problem of making security policy management and enforcement more simple. Should Oracle succeed in gaining broader ecosystem support and backing, I believe the solution will prove considerably less complex than current approaches.” 

Proposing to decouple security policies from the complexities of network configurations can provide a breakthrough in network security that enables CISO decision makers at enterprises and organizations to enforce security policies comprehensively across users and systems, he said.

“By enforcing policies that are based on the authenticated identity and attributes of both the communicated data and the communicators, ZPR can be implemented as a virtual network on top of IP. Aiding adoption and implementation ease is that enterprises can adopt ZPR using standard IP on both software and hardware, alongside not requiring any modifications to existing applications and networks.” 

Why Oracle says ZPR is needed

The new ZPR standard was needed, Oracle explained, because an organization’s network architecture changes each time an application is launched, a new instance is scaled up, or additional database servers are added. Using a traditional network architecture-based security approach is time-consuming due to the sheer complexity of securing and auditing the configuration points, the company said. In addition, responsibility is transferred to network teams to implement security requirements, which can result in human error.

“Though cloud network security has evolved over the last two decades, organizations are still increasingly vulnerable to unauthorized access and exfiltration of sensitive data due to security controls heavily reliant on user credentials,” Jae Evans, Oracle’s global chief information officer and executive vice president, said during the announcement. “OCI Zero Trust Packet Routing enables organizations to set security attributes on specific resources and then blocks traffic to those resources at the network level, making data security easier to understand, manage, and audit. It changes the paradigm of security in the cloud to protect organizations from malicious actors and the business-altering consequences of data breaches.”

How ZPR works

Oracle offered this example of how ZPR works: Imagine an organization with a sensitive database called Science App. As the central database grows, more staff want to access it. Traditionally this is done through restricting access to certain IP address ranges. The problem is, access control lists and network security group policies can become unwieldy, leading to accidental errors in policies. Under ZPR, a security operator would assign ZPR tags to network endpoints and resources. All compute instances that can run the Science App are assigned the ZPR security attribute – for example, “science.” Science database instances would carry the security attribute “sensitive” and the virtual cloud network that connects them the ZPR attribute “prod.” The company then writes ZPR policies that allow only permitted network packets to flow through the network. These policies are independent of IP addresses or network topology. Only tagged Science App instances can connect to the sensitive database, and all other traffic is blocked, regardless of the network configuration.

OCI ZPR policies are managed separately from network policies, so network administrators can change the network configuration without inadvertently changing security positions, Oracle said.
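To make the Science App scenario concrete, here is a small attribute-based policy evaluator written for this article as an added illustration. It is not Oracle's ZPR implementation and does not use OCI's policy syntax; the endpoint and policy data classes, the attribute names ("science", "sensitive", "prod"), the protocol string "tcp/1521" and the rule that both endpoints must share a VCN are all constructed assumptions. What it shows is the property the article describes: the allow/deny decision is made on security attributes, so re-addressing an instance or placing an untagged VM in the same subnet changes nothing, and the set of permitted paths can be enumerated for an audit.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str           # present only to show it is never consulted by policy
    vcn: str          # virtual cloud network the endpoint is attached to
    attrs: frozenset  # security attributes, e.g. {"science"} or {"sensitive"}


@dataclass(frozen=True)
class Policy:
    """One allow rule: source attr -> destination attr, inside a tagged network."""
    src_attr: str
    dst_attr: str
    network_attr: str
    protocol: str     # e.g. "tcp/1521"; constructed value, not Oracle syntax


# Constructed network attributes: which VCNs carry which tag.
NETWORK_ATTRS = {"prod-vcn": frozenset({"prod"}), "dev-vcn": frozenset({"dev"})}


def is_allowed(src, dst, protocol, policies, network_attrs=NETWORK_ATTRS):
    """Default-deny evaluation: a packet passes only if some policy matches the
    attributes of the source, the destination and the network they share.
    IP addresses and subnets are never consulted. Assumption of this toy
    model: the two endpoints must sit in the same VCN."""
    if src.vcn != dst.vcn:
        return False
    net_attrs = network_attrs.get(src.vcn, frozenset())
    return any(
        p.src_attr in src.attrs
        and p.dst_attr in dst.attrs
        and p.network_attr in net_attrs
        and p.protocol == protocol
        for p in policies
    )


def allowed_paths(endpoints, protocols, policies):
    """Enumerate every permitted (src, dst, protocol) triple: the evidence an
    auditor would want that only one path reaches the sensitive database."""
    return sorted(
        (s.name, d.name, proto)
        for s, d in permutations(endpoints, 2)
        for proto in protocols
        if is_allowed(s, d, proto, policies)
    )


# Constructed sample inventory mirroring the article's Science App scenario.
POLICIES = [Policy("science", "sensitive", "prod", "tcp/1521")]
APP = Endpoint("science-app-1", "10.0.1.10", "prod-vcn", frozenset({"science"}))
DB = Endpoint("science-db-1", "10.0.2.20", "prod-vcn", frozenset({"sensitive"}))
ROGUE = Endpoint("untagged-vm", "10.0.1.11", "prod-vcn", frozenset())  # same subnet as APP
DEV_APP = Endpoint("science-app-dev", "10.1.1.10", "dev-vcn", frozenset({"science"}))
ENDPOINTS = [APP, DB, ROGUE, DEV_APP]
PROTOCOLS = ["tcp/1521", "tcp/22"]


def demo():
    # Re-address the app into a new subnet: a topology change that would break
    # an IP-based ACL but leaves an attribute-based decision unchanged.
    moved_app = Endpoint(APP.name, "10.0.9.10", APP.vcn, APP.attrs)
    return {
        "app_to_db_sql": is_allowed(APP, DB, "tcp/1521", POLICIES),
        "app_to_db_ssh": is_allowed(APP, DB, "tcp/22", POLICIES),
        "rogue_same_subnet": is_allowed(ROGUE, DB, "tcp/1521", POLICIES),
        "dev_app_other_vcn": is_allowed(DEV_APP, DB, "tcp/1521", POLICIES),
        "moved_app_still_ok": is_allowed(moved_app, DB, "tcp/1521", POLICIES),
        "audit_paths": allowed_paths(ENDPOINTS, PROTOCOLS, POLICIES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints one line per check; the untagged VM sharing a subnet with the app is denied, the app keeps its access after a change of IP, and the audit enumeration returns exactly one permitted path. Because the policy store and the network inventory are separate objects here, a network team can edit addresses and VCN membership without touching the rules, which is the separation of duties the article attributes to ZPR.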

The advantages

Oracle says its ZPR implementation has three advantages for infosec teams:

  • It improves security posture: Security teams can restrict access to sensitive data to a specific path, such as request origination host, network segment, or target data service. This helps reduce the attack surface area and safeguard against data exfiltration based on compromised credentials alone.
  • It streamlines compliance: Security teams can quickly and easily prove to auditors that the necessary security controls are in place to meet compliance requirements by limiting access to a single, authorized path with natural language policies.
  • It simplifies security management: Security teams can restrict access to sensitive data based on security attributes. Once a security attribute is set on data, security controls are automatically enforced based on the policies in place. This minimizes the need to deploy network-layer security rules based on characteristics such as IP addresses and ports.

In response to emailed questions, Martin Sleeman, Oracle’s senior principal product manager, said that no technical training is required for operators. “It takes only minutes to assign security attributes and write your first policy,” he said. “To manage a high-scale environment, there may be some learning to ensure that your security model will scale to support your environment. Based on an organization’s individual environment, that will likely add time to account for, but no technical training is required.” 

OCI ZPR will provide policy templates for common scenarios such as connectivity to an Oracle database or database backups, he added. Customers can edit these to input their own security attributes.

Oracle offers this guide explaining how to use ZPR.