Oracle UK Sovereign Cloud

General information

What are the benefits of the Oracle UK Sovereign Cloud?

1. It is purpose-built for workloads that require UK sovereignty.
2. Oracle provides a UK Sovereign Operating Model to support UK OFFICIAL-SENSITIVE workloads.
3. The UK Sovereign Operating Model limits access to the infrastructure contained in the realm to only Oracle's authorised UK personnel.
4. The cloud offers disaster recovery and high availability capabilities for customers to help ensure that their data remains inside the UK sovereign environment.

What is a Sovereign Operating Model and what does it mean for the Oracle UK Sovereign Cloud?

The Sovereign Operating Model helps ensure that your content stored in, or run on or through, Oracle UK Sovereign Cloud services. Your content will not leave the environment. Additionally, only authorised personnel who meet certain stipulations will be granted access to operate and manage the services. These are:

1. Located in the UK at time of access
2. UK resident
   • “Residing in the UK” means living in England, Wales, Scotland, or Northern Ireland
   • Minimum of five years of residency in the UK, with no more than six months outside of the UK at any one time
3. UK citizen
   • Can live and work in the UK free of any immigration controls
   • Ability to hold a UK passport
4. UK Security Check (SC) cleared

Further information shall be made available in the PaaS and IaaS Public Cloud Services Pillar Document.

How does Oracle facilitate the sovereignty and security of data within this dedicated cloud?

1. The UK Sovereign Cloud data centres are physically located in the UK. Only authorised personnel who meet the stipulations listed below have physical access to the Oracle infrastructure in the facility.
   • UK residents
     • “Residing in the UK” means living in England, Wales, Scotland, or Northern Ireland
     • Minimum of five years of residency in the UK, with no more than six months outside of the UK at any one time
   • UK citizens
     • UK Security Check (SC) cleared
2. Your content stored in our UK sovereign data centres does not leave the cloud throughout its lifecycle without your express permission or permission granted on your behalf.
3. The NCSC Sanitisation Assurance (CAS-S) scheme is used for secure sanitisation and disposal to comply with NCSC standards.
4. The Data Processing Agreement for Oracle Services applies to Oracle’s processing of personal information on your behalf in order to provide the services specified in your Services Agreement.
5. UK data protection law applies, meaning the UK General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
6. Oracle applies additional UK compliance schemes to these regions.

The operational teams that support the regions are located in the UK, and only authorised personnel have logical or physical access to the environment. All control, monitoring, and logging systems are also located in the UK. Oracle’s UK Security Controller tightly controls the approval process that determines which Oracle staff are authorised to access the logical or physical environment.

When did this dedicated dual-region cloud for customers become available?

The Oracle UK Sovereign Cloud realm consists of two regions: London, which was made available on December 3, 2019, and Newport, which was made available on July 31, 2020.

What connectivity is available to this cloud?

The Oracle UK Sovereign Cloud is connected to and accessible via the internet. The two regions are interconnected via a secure, non-internet backbone for inter-region traffic. Additionally, the regions offer Oracle Cloud Infrastructure (OCI) FastConnect connectivity options.

Who is eligible to gain access to this cloud?

Please contact your Oracle representative for information.

How is separation between customers enforced?

The answer to this is multilayered. To summarise:

• The Oracle UK Sovereign Cloud is a realm that is physically isolated from any other Oracle realm, for example, the OCI commercial realm US East region.
  • A tenancy (which is a customer environment within the cloud realm) only exists in a single realm.
  • A customer’s tenancy will only exist in the Oracle UK Sovereign Cloud realm and will only have access to the Oracle UK Sovereign Cloud regions.
  • Customers with tenancies in other OCI realms have no access to the Oracle UK Sovereign Cloud regions.
• The Oracle Cloud Infrastructure architecture was designed for security, with isolated network virtualisation, highly secure firmware installation, a controlled physical network, and network segmentation. Within Oracle UK Sovereign Cloud:
  • The compute and storage resources in each customer’s tenancy are enclosed in a distinct virtual cloud network (VCN) created for them. A VCN is a software-defined network that resembles the on-premises physical network used by customers to run their workloads.
  • Oracle is an original device manufacturer (ODM) with an in-house hardware development group that designs custom motherboards for OCI servers and develops firmware that runs on those motherboards, such as BIOS and BMC. A dedicated hardware security group also works with the hardware group to build security hardware. These Oracle teams have built the following security components, which are incorporated into OCI servers:
    • Hardware root of trust (RoT) - If a customer has complete access to the physical server they can reconfigure hardware peripherals or modify any firmware to support their workloads. The OCI Hardware Root of Trust helps negate the security risk of persistent firmware malware on the server (such as UEFI BIOS malware and NVMe drive malware) by installing known-good images of all firmware on an OCI server when provisioning tenancies between customers.
    • Off-box virtualisation hardware - Oracle Cloud Infrastructure uses Oracle’s custom-designed SmartNIC that isolates and virtualizes the network. The SmartNIC is isolated by hardware and software from the host, preventing a compromised cloud instance from affecting the network. OCI maintains greater external control of host network functionality and can prevent network traversal attacks. The privileged OCI control plane code runs on this dedicated hardware, referred to as off-box virtualisation, which is separate and segregated from the server processor running untrusted customer applications. The hypervisor is reduced to basic functionality, such as launching virtual machines and allocating memory, while all the privileged cloud control plane code is off-loaded to the off-box virtualisation hardware. This configuration has two security benefits: It reduces the attack surface of the hypervisor, and it helps limit the blast radius of a hypervisor security issue so it doesn’t impact cloud control plane operations.
      • All network traffic from customer applications is sent or received by the server’s NIC and flows through the off-box virtualisation running OCI control plane code. The cloud control computer is invisible to customers and is not accessible from customer applications due to server hardware configurations. As a result, customers don’t see this extra hop in their network path.
• Access to a customer’s tenancy is managed by that customer. OCI Identity and Access Management (IAM) provides features such as authentication, single sign-on (SSO), and identity lifecycle management for Oracle Cloud.

Please contact your Oracle representative for further details.

Why has Oracle changed the name of the realm?

The Oracle UK Sovereign Cloud reflects the purpose of the regions and aligns with the naming of other similar realms that Oracle operates for customers, such as the Oracle EU Sovereign Cloud.

Has any security or sovereignty aspect changed that could affect UK government workloads in the realm?

No. All fundamentals of the Oracle UK Sovereign Cloud remain the same as when it was called the Oracle Cloud for UK Government and Defence. The realm still provides the same data and operational sovereignty in the UK, and Oracle continually works to strengthen and improve its sovereign security controls and practices. Oracle remains the only hyperscale cloud provider offering a UK sovereign cloud that's purposely designed for customer workloads and information marked OFFICIAL SENSITIVE.

Are third-party services available?

Yes. Oracle allows a curated set of approved third-party service providers to securely offer services that are beneficial to this customer community. It is up to the individual customer to decide whether to contract with these third-party providers and to understand the terms under which their services are being offered.