Security by Design: Lessons from Oracle Cloud Infrastructure
Ariel Septon
fwd:cloudsec Europe 2025 · Day 2 · Main Room
Ariel Septon, a software engineer leading Oracle efforts at Native (formerly Rock Steady) and researcher at Stream Security, presented a comparative analysis of **Oracle Cloud Infrastructure (OCI)** security design choices and the lessons they offer for securing any cloud environment. Rather than advocating for OCI adoption, Septon examined three specific architectural decisions (human-readable policy syntax, encryption-at-rest by default, and opt-in region subscriptions) to argue that OCI's "security by design" philosophy reveals assumptions and weaknesses in how AWS, Azure, and GCP approach the same problems. The talk provides actionable strategies for applying OCI's design principles to any cloud platform through SCPs, Azure Policies, and GCP Organization Policies, while honestly addressing OCI's own trade-offs, including the absence of deny policies and limited conditional logic.
AI review
A competent overview of OCI's security architecture with some useful cross-cloud comparisons, but ultimately this is a product-adjacent talk about IAM syntax and default settings rather than security research. No vulnerabilities discovered, no new attack techniques, no exploitation — just 'look how nicely OCI does policies.'