Oracle Takes Radical Approach to Solving Cloud Security Anxiety
- By Winston Thomas
- January 18, 2025

How do you bulletproof your cloud security posture as your applications grow in number and complexity? It’s not a new question, but it confounds many CISOs.
If you control too much, employees and customers may feel you are throwing a wrench in the way of innovation. Meanwhile, shadow IT and AI teams in your company go off building rogue robots in the dark corners of your network. But if you become too lax, you risk rampant data theft, leakages and gigantic lawsuits, not to mention government fines and a breakdown of trust with your customers. One data breach and it's lights out for your reputation (and maybe even your job).
Oracle says it now has the key for CISOs to escape this security purgatory. The company is taking a radically different approach with its new OCI Zero Trust Packet Routing (ZPR), which fundamentally reimagines how CISOs secure their clouds.
Security baked in, not bolted on
“Any customer who builds an application and sets up security does a good job on day one,” explains Mahesh Thiagarajan, executive vice president of Oracle Cloud Infrastructure.
“But then what happens when [the application] evolves over a few years? Because applications can live for a long time... if you don’t plan security at every step of the way and change the architecture, you create holes in your security posture,” he adds.
Thiagarajan believes that our traditional approach to defining security when deploying applications crumbles as applications age and sprawl. Multiply that by the number of applications and instances, and it is easy to see why the poor CISO feels he or she is drowning in hundreds of individual security policies and firewall rules.
OCI ZPR (pronounced "zipper") flips the script. Instead of being bolted onto applications like armor that gradually becomes ill-fitting over time, security is woven into the system's fabric.
“How we separate the control for the security organization and security posture away from the architectural evolution is at the base of what we're trying to solve,” Thiagarajan explains. OCI ZPR separates architecture evolution from network misconfiguration, he adds.
Analysts see the value. OCI ZPR “enables organizations to decouple network configuration from security, helping to eliminate the effects of human network configuration errors,” observes Philip Bues, senior research manager for cloud security at IDC, in a press announcement.
At its core, OCI ZPR uses zero trust and least privilege principles to restrict access based on policies and security attributes. It enforces these policies at the network layer so that requests from unapproved sources will not touch the database. This approach prevents unwanted data exfiltration by limiting requests to approved paths only.
OCI ZPR’s approach allows Oracle to reduce the number of security configurations CISOs must manage by approximately 50%, claims Thiagarajan. And they’re aiming to reduce this even further.
Creating a new policy language standard
Oracle is not done yet. It has a long-term vision for OCI ZPR that extends far beyond its current capabilities. “We're just getting started,” says Thiagarajan.

For example, the company is working to make ZPR an open standard through zpr.org and the likes of Applied Invention to make the intent-based language used to define security policies more accessible. It hints at a future where this security model may be an industry standard.
Why would CISOs want another standard? The company believes that focusing on business intent and security outcomes simplifies security and better aligns with evolving business and application needs. It also represents a fundamental shift from traditional approaches that require deep technical knowledge of networking concepts that are becoming very hard to find.
“This new standard driven by Oracle flips this all too often checkbox item on its head to provide an innovative solution for organizations that simplifies compliance efforts, reduces the burden on security teams, and ultimately strengthens security,” adds IDC’s Bues.
Overall, OCI ZPR is designed to evolve alongside applications, maintaining security even as application architectures change. Time- and location-based dynamic security policies aren't yet implemented; Thiagarajan acknowledges these are "theoretically possible" but sees them as potential future developments.
A different way for secure AI training
OCI ZPR’s launch comes as AI reshapes the security landscape. The focus on AI model training has broadened the attack risks, while data sovereignty has made compliance an additional security headache.
OCI ZPR’s implications for AI and machine learning workloads are particularly compelling. Companies can now create isolated “islands” for AI training infrastructure and strictly control what data these systems can access, even if individual network configurations are modified.
“If you have GPUs that are training the models, and you want to control access to data, you can actually segregate the data, put it in a different zone and tell ZPR that these computers [should only be accessing this data for AI training] and nowhere else,” explains Thiagarajan.
Another area where OCI ZPR proves its mettle is in meeting data sovereignty and residency requirements. These are continuing to expand, particularly in Asia. The solution provides a consistent security model that can be applied across different deployment models — from public cloud to isolated regions.
“Singapore thinks about sovereignty differently from how India thinks about sovereignty... different from how Japan thinks about sovereignty,” notes Thiagarajan. The platform's flexibility allows companies to maintain consistent security controls while meeting diverse regulatory requirements, he adds.
Unraveling future security complexity
For CISOs grappling with cloud security complexity today, OCI ZPR represents a compelling vision of a future where network misconfigurations do not impact security postures and data governance — one where security is inherent in the infrastructure itself rather than bolted on through endless configurations.
As AI workloads become more prevalent and data sovereignty requirements more complex, this approach to security may become not just attractive but essential.
Winston Thomas
Winston Thomas is the editor-in-chief of CDOTrends. He likes to piece together the weird and wondering tech puzzle for readers and identify groundbreaking business models led by tech while waiting for the singularity.