Oracle Cloud Infrastructure (OCI) is a cloud platform that offers a comprehensive set of security and governance solutions to help customers protect their data, applications, and resources in the cloud. OCI is built on a foundation of security-first design principles, such as customer isolation, data encryption, security controls, visibility, secure hybrid cloud, high availability, and verifiably secure infrastructure. OCI also helps customers comply with various standards and regulations, such as FedRAMP, FIPS 140-2, GDPR, HIPAA, PCI DSS, and SOC 1/2/3.
In this article, we will explore some of the key features and benefits of OCI security and governance services, and how they can help customers achieve their security and compliance objectives.
One of the main challenges of cloud computing is to ensure that customers' data and resources are isolated from other tenants and from Oracle. OCI uses several mechanisms to achieve customer isolation, such as:
- Virtual Cloud Network (VCN): A VCN is a software-defined network that gives each customer a private, isolated address space in the cloud. Within a VCN, customers create subnets, route tables, security lists and network security groups, gateways, and other network components. A VCN can be connected to an on-premises network using VPN Connect or FastConnect.
- Bare Metal Instances: Bare metal instances are physical servers dedicated to a single customer, with no hypervisor or Oracle-managed software layer between the hardware and the customer's operating system. This removes the hypervisor from the cross-tenant attack surface and avoids performance degradation from noisy neighbours. Bare metal instances also suit specialized workloads that need direct access to the hardware or custom configurations.
- Dedicated Region Cloud@Customer: Dedicated Region Cloud@Customer is a service that allows customers to deploy a fully managed OCI region in their own data centers. Customers can access all the OCI services and features in their dedicated region, while maintaining complete control over their data sovereignty and compliance requirements. Dedicated Region Cloud@Customer also provides customers with the same performance, scalability, and availability as OCI public regions.
Data encryption is a vital component of data protection and compliance in the cloud. OCI provides customers with various options to encrypt their data at rest and in transit, such as:
- Vault (Key Management): OCI Vault lets customers create, manage, rotate, and use encryption keys that protect their data in OCI. Keys can be HSM-protected (stored in FIPS 140-2 Level 3 certified hardware security modules) or software-protected, and both symmetric (AES) and asymmetric (RSA, ECDSA) keys are supported. Customers can also bring their own keys (BYOK) by importing key material generated outside OCI.
- Transparent Data Encryption (TDE): TDE is a feature of Oracle Database that encrypts data before it is written to disk and decrypts it when it is read back, so data files, redo logs, and backups are unreadable without the keys. TDE protects against theft of the underlying storage, not against a user who already holds database privileges; access within the database is still governed by database authorization. Database services in OCI can use customer-managed keys in Vault to wrap the TDE master keys.
- Object Storage Encryption: Object Storage stores and serves unstructured data in the cloud. All data is encrypted at rest with AES-256 by default using Oracle-managed keys. Customers who need control over the keys can instead assign a customer-managed key from Vault to a bucket, or supply their own key with each request (server-side encryption with customer-provided keys).
Security controls are essential for reducing the risks associated with malicious or accidental user actions in the cloud. OCI provides customers with various tools to manage access to their services and segregate operational responsibilities, such as:
- Identity and Access Management (IAM): IAM is the service in which customers create and manage users, groups, dynamic groups, policies, compartments, and identity federation in OCI. Access is denied by default; policies grant permissions to groups on resource types within a compartment or the tenancy, so customers can scope grants narrowly following the principle of least privilege. IAM also supports multi-factor authentication (MFA), single sign-on (SSO), federation with external identity providers, and instance and resource principals so that workloads can authenticate without long-lived API keys.
- Security Zones: A security zone is attached to a compartment and enforces a recipe of security policies on every resource created or changed there, for example no public Object Storage buckets, no public IP addresses on compute instances, and mandatory encryption with customer-managed keys. An operation that would violate the recipe is denied rather than merely reported, so Security Zones prevent misconfigurations of sensitive or regulated workloads instead of detecting them after the fact.
- Cloud Guard: Cloud Guard continuously monitors customers' OCI tenancies for security problems. It applies built-in detector recipes, both configuration detectors (for example an insecure bucket or security list) and activity detectors (for example anomalous or unauthorized access attempts), and reports problems with a severity. Responder recipes can then remediate a problem automatically, such as by disabling public access on a bucket, or notify an operator.
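The least-privilege point above is easiest to check against the policy statements themselves. The following is an added example, not Oracle's code or tooling: a small linter for OCI IAM policy statements of the common form `Allow <group|dynamic-group|service|any-user> <name> to <verb> <resource-type> in <tenancy|compartment <name>> [where <condition>]`. The group names, compartment names and statements are constructed for illustration, and the severity labels and the list of identity-sensitive resource types are the author's own choices, not an OCI definition.

```python
"""Lint OCI IAM policy statements for over-broad grants (added example, not OCI tooling)."""
import re

# OCI IAM verbs in increasing order of privilege.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Resource types for which 'manage' amounts to identity or key administration
# (author's selection, used to flag privilege-escalation paths).
IDENTITY_RESOURCES = {
    "policies", "users", "groups", "dynamic-groups", "compartments",
    "keys", "vaults", "secret-family", "secrets",
}

# Grammar assumed for a statement; quoted names with spaces and OCID-based
# compartment references are not handled and fall through as 'unparsable'.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+"
    r"(?P<subject>group|dynamic-group|service|any-user)\s+"
    r"(?:(?P<name>\S+)\s+)?"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[a-z0-9-]+)\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Return the statement's parts as a dict, or None if it does not match the grammar."""
    m = STATEMENT_RE.match(stmt)
    if not m:
        return None
    p = m.groupdict()
    for key in ("subject", "verb", "resource", "scope"):
        p[key] = re.sub(r"\s+", " ", p[key]).lower()
    return p


def lint_statement(stmt):
    """Return a list of (severity, message) findings for one statement."""
    p = parse_statement(stmt)
    if p is None:
        return [("error", "unparsable statement, review manually")]
    findings = []
    tenancy_wide = p["scope"] == "tenancy"
    if p["subject"] == "any-user" and not p["condition"]:
        findings.append(("critical", "any-user grant without a where condition"))
    if p["verb"] == "manage" and p["resource"] == "all-resources":
        findings.append(("critical" if tenancy_wide else "high",
                         "manage all-resources: full administrative rights, limit to a break-glass group"))
    elif tenancy_wide and VERB_RANK[p["verb"]] >= VERB_RANK["use"]:
        findings.append(("high", f"tenancy-wide {p['verb']} grant; scope it to a compartment"))
    if p["verb"] == "manage" and p["resource"] in IDENTITY_RESOURCES and not p["condition"]:
        findings.append(("high", f"unconditional manage on {p['resource']}: "
                                 "holder can grant itself further access"))
    return findings


def lint_policy(statements):
    """Map each statement to its findings."""
    return {s: lint_statement(s) for s in statements}


def worst_severity(report):
    """Highest severity across a lint_policy() report ('ok' if nothing was flagged)."""
    order = ["ok", "error", "medium", "high", "critical"]
    worst = "ok"
    for findings in report.values():
        for sev, _ in findings:
            if order.index(sev) > order.index(worst):
                worst = sev
    return worst


# Constructed sample policy, not from any real tenancy.
SAMPLE_POLICY = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Prod",
    "Allow group Auditors to read all-resources in tenancy",
    "Allow group DevOps to manage policies in compartment Dev",
    "Allow any-user to use object-family in compartment Public",
    "Allow dynamic-group BuildAgents to use secret-family in compartment Prod "
    "where request.permission = 'SECRET_BUNDLE_READ'",
    "Allow group Everyone to do whatever",
]

if __name__ == "__main__":
    for stmt, findings in lint_policy(SAMPLE_POLICY).items():
        for sev, msg in findings:
            print(f"[{sev:8}] {stmt}\n           {msg}")
```

Read-only tenancy-wide grants (the Auditors statement) and compartment-scoped grants with a condition (the BuildAgents statement) pass clean; the statement granting `manage policies` in a compartment is flagged because whoever holds it can write new policies for that compartment and so widen their own access.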
Visibility is crucial for minimizing security and operational risk in the cloud. OCI provides customers with various solutions to audit and monitor actions on their resources through comprehensive logs and security monitoring tools, such as:
- Audit: The Audit service automatically records the API calls made against resources in a tenancy, through the Console, SDKs, CLI, or direct REST calls. Each event records who made the call (the principal, the authentication type, the source IP address), what was called, on which resource and compartment, when, and what the response status was, giving a searchable history of changes to the environment. Audit events can be searched in the Console and exported through the Logging service and Service Connector Hub to Object Storage, Streaming, or a third-party SIEM for retention and analysis.
- Logging: Logging collects, stores, and manages logs from OCI services and resources, including service logs such as VCN flow logs and Object Storage access logs, and custom logs shipped from compute instances by an agent. Logging helps customers troubleshoot issues, track changes, and feed security monitoring, and supports custom log sources, parsers, and export to external systems.
- Security Advisor: Security Advisor brings together Security Zones, Cloud Guard, and Vault in a guided workflow for creating resources such as buckets, block volumes, and file systems so that they satisfy the security zone recipe from the start (for example encrypted with a customer-managed key and not publicly accessible). Together with Cloud Guard's problem reports, it gives customers a view of how their configuration measures up against the recommended controls, with actionable guidance to close the gaps.
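The Audit description above says who did what and whether it succeeded; the value comes from running detection logic over those records. The following is an added example, not Oracle's code or a Cloud Guard detector: it reads audit events as JSON lines and applies three simple rules, an IAM change, a bucket switched to public access, and repeated denied calls from one principal. The records are constructed and trimmed; their field names follow the layout of OCI Audit v2 events (`data.eventName`, `data.identity`, `data.response.status`, `data.stateChange`) as the author understands it, and the assumption that `publicAccessType` appears under `data.stateChange.current` for an `UpdateBucket` event should be checked against real events before use. One caveat built in: OCI reports many authorization failures as `404 NotAuthorizedOrNotFound` rather than `403`, so a detector that only counts 401/403 misses them.

```python
"""Detection rules over OCI Audit events (added example, constructed data)."""
import json
from collections import Counter

# Constructed sample events in the shape of OCI Audit v2 records, trimmed to the
# fields the rules use. Principals, IPs and resource names are fictional.
SAMPLE_AUDIT_LOG = r'''
{"eventType":"com.oraclecloud.identitycontrolplane.updatepolicy","source":"Identity","eventTime":"2024-05-01T10:00:00Z","data":{"eventName":"UpdatePolicy","compartmentName":"root","resourceName":"Admins-Policy","identity":{"principalName":"alice@example.com","ipAddress":"203.0.113.10","authType":"natv"},"request":{"action":"PUT"},"response":{"status":"200"}}}
{"eventType":"com.oraclecloud.objectstorage.updatebucket","source":"ObjectStorage","eventTime":"2024-05-01T10:05:00Z","data":{"eventName":"UpdateBucket","compartmentName":"Prod","resourceName":"customer-exports","identity":{"principalName":"bob@example.com","ipAddress":"198.51.100.7","authType":"natv"},"request":{"action":"POST"},"response":{"status":"200"},"stateChange":{"previous":{"publicAccessType":"NoPublicAccess"},"current":{"publicAccessType":"ObjectRead"}}}}
{"eventType":"com.oraclecloud.computeapi.launchinstance","source":"ComputeApi","eventTime":"2024-05-01T10:06:00Z","data":{"eventName":"LaunchInstance","compartmentName":"Prod","resourceName":"web-1","identity":{"principalName":"ci-runner","ipAddress":"192.0.2.44","authType":"instance"},"request":{"action":"POST"},"response":{"status":"200"}}}
{"eventType":"com.oraclecloud.keymanagementservice.getkey","source":"KeyManagement","eventTime":"2024-05-01T10:07:00Z","data":{"eventName":"GetKey","compartmentName":"Prod","resourceName":"db-master-key","identity":{"principalName":"mallory","ipAddress":"192.0.2.99","authType":"natv"},"request":{"action":"GET"},"response":{"status":"404"}}}
{"eventType":"com.oraclecloud.keymanagementservice.getkey","source":"KeyManagement","eventTime":"2024-05-01T10:07:05Z","data":{"eventName":"GetKey","compartmentName":"Prod","resourceName":"backup-key","identity":{"principalName":"mallory","ipAddress":"192.0.2.99","authType":"natv"},"request":{"action":"GET"},"response":{"status":"404"}}}
{"eventType":"com.oraclecloud.objectstorage.getobject","source":"ObjectStorage","eventTime":"2024-05-01T10:07:09Z","data":{"eventName":"GetObject","compartmentName":"Prod","resourceName":"customer-exports","identity":{"principalName":"mallory","ipAddress":"192.0.2.99","authType":"natv"},"request":{"action":"GET"},"response":{"status":"403"}}}
'''

# Successful calls that change who can do what in the tenancy.
PRIVILEGED_EVENTS = {
    "CreatePolicy", "UpdatePolicy", "DeletePolicy", "CreateUser",
    "AddUserToGroup", "CreateAuthToken", "UploadApiKey",
}
# 404 is included on purpose: OCI answers NotAuthorizedOrNotFound for calls
# the caller is not permitted to make, so it is a denial signal too.
DENIED_STATUSES = {"401", "403", "404"}
PUBLIC_BUCKET_TYPES = {"ObjectRead", "ObjectReadWithoutList"}


def parse_audit_log(text):
    """Parse JSON-lines audit export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, denied_threshold=3):
    """Apply the three rules; return a list of finding dicts in event order."""
    findings = []
    denied = Counter()
    for ev in events:
        d = ev.get("data", {})
        name = d.get("eventName", "")
        ident = d.get("identity", {})
        who = f"{ident.get('principalName', '?')}@{ident.get('ipAddress', '?')}"
        status = str(d.get("response", {}).get("status", ""))
        when = ev.get("eventTime", "")

        if name in PRIVILEGED_EVENTS and status.startswith("2"):
            findings.append({"rule": "iam-change", "who": who, "time": when,
                             "detail": f"{name} on {d.get('resourceName')}"})

        if name == "UpdateBucket":
            change = d.get("stateChange", {})
            prev = change.get("previous", {}).get("publicAccessType")
            cur = change.get("current", {}).get("publicAccessType")
            if cur in PUBLIC_BUCKET_TYPES and prev not in PUBLIC_BUCKET_TYPES:
                findings.append({"rule": "bucket-made-public", "who": who, "time": when,
                                 "detail": f"{d.get('resourceName')}: {prev} -> {cur}"})

        if status in DENIED_STATUSES:
            denied[who] += 1
            if denied[who] == denied_threshold:  # fire once when the threshold is reached
                findings.append({"rule": "repeated-denied", "who": who, "time": when,
                                 "detail": f"{denied_threshold} denied calls"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{f['time']} {f['rule']:20} {f['who']:30} {f['detail']}")
```

On the constructed log this yields three findings: the policy update by alice, the customer-exports bucket switched to `ObjectRead` by bob, and mallory's third denied call, which trips the threshold only because the 404 responses were counted. In production the same rules would run on the Service Connector Hub export rather than on a string literal, and the denial counter should be keyed on a time window.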
Secure hybrid cloud is a strategy that enables customers to use their existing security assets and solutions when accessing cloud resources and securing data and application assets. OCI provides customers with various options to achieve secure hybrid cloud, such as:
- VPN Connect: VPN Connect is a site-to-site IPSec VPN service that creates encrypted tunnels between a customer's on-premises network (via a customer-premises equipment device) and a dynamic routing gateway attached to their VCNs. It supports IKEv1 and IKEv2 with a choice of encryption and integrity algorithms, and static or BGP routing. It is not a remote-access (client) VPN; individual users connecting to the VCN need a separate solution.
- FastConnect: FastConnect provides private, dedicated connections between a customer's on-premises network and their VCNs in OCI, with higher bandwidth, lower latency, and more consistent performance than the public internet. A private circuit is not encrypted by itself; customers who need confidentiality on the link run IPSec over FastConnect or use MACsec where it is offered for the cross-connect.
- Oracle Cloud VMware Solution: Oracle Cloud VMware Solution is a service that allows customers to deploy and run VMware-based environments in OCI. Customers can use the same VMware tools and processes that they are familiar with to manage their VMware workloads in the cloud. Customers can also leverage OCI's native services and features to enhance their VMware workloads with cloud capabilities.
High availability is a key requirement for running business-critical workloads in the cloud. OCI provides customers with various features and services to ensure consistent uptime for their workloads, such as:
- Fault Domains: Fault domains are logical groupings of hardware within an availability domain (AD) that do not share power, network switches, or maintenance windows; each AD has three. Spreading instances across fault domains protects a workload from a hardware failure or planned maintenance that takes down one group of servers within the AD.
- Availability Domains: Availability domains are one or more physically isolated data centers within a region, with independent power and cooling and connected by a low-latency network. Replicating across ADs protects a workload from an outage that affects an entire data center.
- Regions: Regions are geographically separate locations, each made up of one or more availability domains. Replicating or failing over across regions protects a workload from a disaster that affects a whole geographic area and brings services closer to users in other parts of the world.
Verifiably secure infrastructure is a concept that ensures that the cloud infrastructure is secure by design and by operation. OCI implements rigorous processes and security controls in all the phases of development and operation of its infrastructure, such as:
- Secure Development Lifecycle (SDL): SDL is a framework that guides the development of secure software products and services. SDL incorporates security best practices and standards throughout the software development lifecycle, from design to deployment to maintenance. SDL also includes security testing, code reviews, threat modeling, vulnerability management, and incident response.
- Hardware Root of Trust: OCI servers carry a hardware root of trust that verifies the integrity of firmware before it is allowed to run. Cryptographic keys embedded in the hardware are used to authenticate each firmware image as it is loaded, so firmware that has been modified or replaced by an unauthorized party fails verification and the boot does not proceed. This anchors the trust in the rest of the software stack to the hardware rather than to software that could itself have been tampered with.
- Immutable Infrastructure: Immutable infrastructure means that running infrastructure components are not patched or reconfigured in place; a change is made by building a new, verified image and replacing the running component with it. Because every component is rebuilt from a known image, the fleet stays consistent across environments, configuration drift cannot accumulate, and an unexpected change on a host is a signal rather than routine noise.
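The verify-before-load behaviour described for the hardware root of trust is simple to illustrate with a measured boot chain. The following is an added example and not Oracle's design: each boot stage is hashed, compared against a known-good manifest before it is loaded, and folded into a running measurement register in the style of a TPM PCR extend. The firmware images are constructed byte strings, and a SHA-256 manifest stands in for the signature check a real root of trust performs with its embedded keys; the manifest is assumed to be held in hardware the way those keys are, which is the assumption that makes the check meaningful.

```python
"""Measured boot chain with verify-before-load (added example, constructed images)."""
import hashlib

REGISTER_SIZE = 32  # SHA-256 digest length

# Constructed firmware images standing in for binaries read from flash.
GENUINE_STAGES = [
    ("bootloader", b"BOOTLOADER v1.2 build 4711"),
    ("bios", b"SYSTEM FIRMWARE v3.0.1"),
    ("bmc", b"BMC FIRMWARE v2.8.0"),
]


def measure(image):
    """Digest of a firmware image."""
    return hashlib.sha256(image).digest()


def extend(register, digest):
    """PCR-style extend: the register only ever moves forward, and its value
    depends on every digest extended so far and on their order."""
    return hashlib.sha256(register + digest).digest()


def build_manifest(stages):
    """Known-good digests recorded at provisioning time. In a real root of trust
    this is the role played by signatures checked with keys embedded in hardware."""
    return {name: measure(image).hex() for name, image in stages}


def boot(stages, manifest):
    """Verify each stage against the manifest before loading it.

    Returns (loaded_stage_names, final_register_hex, status). A mismatch halts
    the boot before the offending stage is loaded, so later stages never run."""
    register = b"\x00" * REGISTER_SIZE
    loaded = []
    for name, image in stages:
        digest = measure(image)
        if manifest.get(name) != digest.hex():
            return loaded, register.hex(), f"halt: {name} failed verification"
        register = extend(register, digest)  # record what was loaded
        loaded.append(name)
    return loaded, register.hex(), "ok"


def measure_only(stages):
    """A chain that measures but never verifies (no root of trust). The register
    still betrays tampering to a remote verifier that knows the golden value."""
    register = b"\x00" * REGISTER_SIZE
    for _, image in stages:
        register = extend(register, measure(image))
    return register.hex()


def tamper(stages, name, new_image):
    """Return a copy of the stage list with one image replaced."""
    return [(n, new_image if n == name else img) for n, img in stages]


if __name__ == "__main__":
    manifest = build_manifest(GENUINE_STAGES)
    print("genuine  :", boot(GENUINE_STAGES, manifest))
    evil = tamper(GENUINE_STAGES, "bios", b"SYSTEM FIRMWARE v3.0.1 + implant")
    print("tampered :", boot(evil, manifest))
    print("attested :", measure_only(evil) == boot(GENUINE_STAGES, manifest)[1])
```

Two properties are worth noticing. With verification in the chain, the implanted firmware is never loaded and the boot halts with only the bootloader in place. Without it (`measure_only`), everything runs, but the final register differs from the golden value, which is what an attestation check against a known-good measurement catches after the fact; the root of trust is what turns that detection into prevention.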
Oracle Cloud Infrastructure provides customers with a comprehensive set of security and governance solutions that can help them achieve their security and compliance objectives in the cloud. By using OCI's security-first design principles, customers can benefit from a secure, reliable, scalable, and cost-effective cloud platform for their data, applications, and resources.
To learn more about OCI security and governance services, visit https://www.oracle.com/security/cloud-security/