THALES BLOG

Empowering Security and Control: Thales CipherTrust Cloud Key Management Integrates with Oracle Fusion Cloud Services

December 11, 2025

Scotti Woolery-Price | Partner Marketing Manager, Thales

Advancing Data Sovereignty and Zero Trust Through Seamless Key Management

In a landscape where the safeguarding of sensitive information is paramount, the collaboration between Thales and Oracle Fusion Cloud Services helps create operational independence, data sovereignty, and uncompromising control for organizations worldwide. At Thales, our commitment to delivering robust, flexible, and user-centric data protection solutions stands at the forefront of this technical integration, enabling enterprises to hold the reins of their own encryption keys in the cloud.

Oracle Fusion Cloud Services is a comprehensive suite of cloud-based enterprise applications, designed to streamline core business processes such as finance, human resources, supply chain, and customer experience management. Built on a unified cloud platform, it empowers organizations with integrated analytics, automation, and artificial intelligence, enabling them to adapt rapidly to changing business requirements. Oracle Fusion Cloud Services delivers scalability, resilience, and continuous innovation, allowing organizations to optimize operations, enhance compliance, and drive competitive advantage in an increasingly digital world.

Redefining Cloud Security: The Thales Perspective

For years, organizations migrating to the cloud have faced a paradox: harnessing the agility and scalability of cloud platforms while grappling with concerns about control, compliance, and the trustworthiness of third-party service providers. Recognizing these challenges, Thales has developed CipherTrust Cloud Key Management (CCKM), a component of CipherTrust Manager (CM), designed to empower customers with control over their cryptographic keys and to support a zero-trust architecture that places data ownership firmly in their hands.

Through our integration with Oracle Fusion Cloud Services via Oracle’s Break Glass service, Thales is delivering on the promise of Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) capabilities. This partnership gives organizations the confidence that their encryption keys, and therefore their sensitive data, are governed by their own security policies, regulatory requirements, and operational preferences.

Rotating Key References: Simplicity and Security Combined

One of the most critical aspects of modern key management is ensuring that encryption keys can be rotated efficiently to mitigate risks associated with long-lived credentials. With Thales CCKM, organizations can seamlessly rotate master encryption keys or key references, strengthening the resilience and agility of their security posture.

To initiate a key rotation, administrators first use Thales CipherTrust Manager to generate and store a new version of the master external key. Users can instantly introduce a new external key version into their environment. This process is designed for simplicity, ensuring that organizations can adapt to evolving security requirements without unnecessary complexity.

Once the new version is available, Oracle Fusion Cloud Services can seamlessly recognize and utilize the updated key by referencing the appropriate external key version ID provided by Thales. In cases where no version ID is specified, Oracle’s External Key Management Service (EKMS) automatically selects the latest available version in CipherTrust Manager, streamlining workflows for both security and cloud operations teams. This harmonious integration between Thales and Oracle means organizations can enjoy both robust security and operational efficiency, without compromise.

Deployment Example

Oracle Cloud

  • Customer’s TDE master encryption key (MEK) is stored in a customer-controlled Thales CipherTrust Manager or Luna Network HSM via CCKM.
  • Fusion Databases use EKMS for Transparent Data Encryption (TDE) tasks.
  • Cryptographic requests from Fusion Apps flow through OCI EKMS and travel securely over FastConnect/VCN to the customer’s on-premises KMS.
  • The third-party KMS performs the requested cryptographic operation and returns the result to Fusion Applications via EKMS.
  • For encryption, the TDE Data Encryption Key (DEK) is encrypted with the customer’s MEK; for decryption, the process is reversed.
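
The rotation behaviour and the deployment flow described above, modelled as an added Python example (not Thales or Oracle code, and not their APIs): `ExternalKMS`, its method names and the HMAC-SHA256 wrap are assumptions standing in for the customer-held KMS and its real key-wrap algorithm. It shows why a wrapped DEK has to record the MEK version it was wrapped under, and what happens to a DEK that was not re-wrapped before its MEK version is retired.

```python
import hashlib, hmac, os

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class ExternalKMS:
    """Toy customer-held KMS: versioned MEKs that never leave this object."""
    def __init__(self):
        self._meks, self._latest, self.audit = {}, 0, []
        self.rotate()
    def rotate(self):  # new MEK version; older ones stay usable until revoked
        self._latest += 1
        self._meks[self._latest] = os.urandom(32)
        self.audit.append(("rotate", self._latest))
        return self._latest
    def revoke(self, vid):
        del self._meks[vid]
        self.audit.append(("revoke", vid))
    def _subkeys(self, vid):
        mek = self._meks[vid]  # KeyError if this version was revoked
        return _prf(mek, b"enc"), _prf(mek, b"mac")
    def wrap(self, dek, vid=None):  # no version ID given means "latest"
        assert len(dek) <= 32, "toy wrap handles DEKs up to 32 bytes"
        vid = vid or self._latest
        enc, mac = self._subkeys(vid)
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(dek, _prf(enc, nonce)))
        self.audit.append(("wrap", vid))
        return {"version_id": vid, "blob": nonce + ct + _prf(mac, nonce + ct)}
    def unwrap(self, wrapped):
        vid, blob = wrapped["version_id"], wrapped["blob"]
        enc, mac = self._subkeys(vid)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, _prf(mac, nonce + ct)):
            raise ValueError("wrapped DEK failed integrity check")
        self.audit.append(("unwrap", vid))
        return bytes(a ^ b for a, b in zip(ct, _prf(enc, nonce)))

def demo():
    kms, dek = ExternalKMS(), os.urandom(32)   # constructed sample DEK
    old = kms.wrap(dek)               # no version ID given: latest, i.e. 1
    kms.rotate()                      # version 2 now exists
    new = kms.wrap(kms.unwrap(old))   # re-wrap the same DEK under version 2
    kms.revoke(1)                     # retire the old MEK version
    try:
        kms.unwrap(old)
        old_ok = True
    except KeyError:
        old_ok = False
    return old["version_id"], new["version_id"], kms.unwrap(new) == dek, old_ok
```

In this model rotation only adds a MEK version; existing wrapped DEKs keep pointing at the version they were wrapped under until they are explicitly re-wrapped, and every operation lands in `audit`.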

Driving Operational Independence and Data Sovereignty

At Thales, we believe that true data sovereignty starts with uncompromising control over encryption keys. Our CipherTrust Cloud Key Management platform supports a zero-trust model, where keys are never exposed to or managed by third-party cloud providers. Instead, customers can create, manage, and revoke keys within their own policies and procedures, aligning their cloud usage with the most stringent compliance standards including GDPR, HIPAA, PCI-DSS, and more.

This integration is particularly significant for organizations operating in regulated industries such as finance, healthcare, and government, where the requirements for auditable control and operational transparency are non-negotiable. Thales empowers these organizations to meet regulatory demands and internal governance requirements without sacrificing the benefits of cloud transformation.

Compliance You Can Verify

The ability to demonstrate compliance is as important as maintaining it. Thales CipherTrust Manager provides detailed auditing, logging, and reporting capabilities that allow organizations to verify their key management practices in real time. Through integration with Oracle Fusion Cloud Services, every key operation including generation, rotation, and deletion is logged in the Thales platform, enabling customers to produce verifiable evidence for auditors, regulators, and internal stakeholders.

Our approach to compliance is rooted in transparency, accountability, and automation. CipherTrust Manager automates many of the time-consuming aspects of key lifecycle management, reducing the risk of human error and ensuring that every action is captured for future analysis and review.

Securing the Future: Thales and Oracle Shaping the Cloud Together

As digital transformation accelerates, the expectations for security and control continue to evolve. The integration between Thales CipherTrust Cloud Key Management and Oracle Fusion Cloud Services represents a significant leap forward, giving organizations the tools to shape their cloud future on their own terms. By partnering with Oracle, Thales is reaffirming our commitment to customer empowerment, operational independence, and the highest standards of data protection.

We invite our customers and partners to explore the technical documentation, onboarding guides, and best practices that support this integration. Thales stands ready to help organizations harness the full power of cloud with confidence, knowing that their keys and their data will always be under their control.

Empowering the Future of Secure Cloud Collaboration

The joint solution from Thales and Oracle is more than a technical achievement; it is a statement of principle. In the age of zero trust and digital sovereignty, encryption must be robust, flexible, and most of all, under your control. With Thales CipherTrust Cloud Key Management, organizations can bring and hold their own keys, reinforcing the core tenet: your data, your control.

Thales is proud to be leading the way in cloud security innovation, working alongside Oracle and our global community to shape the future of secure cloud computing together.

Thales and Oracle are already integrated in other areas such as Exadata, Exadata Cloud@Customer, Oracle Key Vault, and Oracle Cloud Infrastructure. Visit our partner page to learn more.

For more information, please review our documentation and reach out to Thales experts to discover how CipherTrust Cloud Key Management can transform your organization’s cloud journey.
