Security Services

Learn about the security services in Oracle Cloud Infrastructure that provide customer isolation, identity management, authorization, data encryption, vulnerability detection, monitoring, and more.

The following diagram illustrates the security services in Oracle Cloud Infrastructure.


A region has 2 VCNs, and each VCN has a bastion and private subnet. Each private subnet has an instance and a database. One of the VCNs is in a security zone. The other VCN also has a public subnet. The region also has a Vault and WAF.

Regions and Availability Domains

An Oracle Cloud Infrastructure region is the top-level component of the infrastructure. Each region is a separate geographic area with multiple, fault-isolated locations called availability domains. An availability domain is a subcomponent of a region and is independent and highly reliable. Each availability domain is built with fully independent infrastructure: buildings, power generators, cooling equipment, and network connectivity. With physical separation comes protection against natural and other disasters.

Availability domains within the same region are connected by a secure, high-speed, low-latency network, which allows you to build and run highly reliable applications and workloads with minimum impact to application latency and performance. All links between availability domains are encrypted.

For more information, see Regions and Availability Domains.

Oracle Cloud Infrastructure also offers regions with specific characteristics to meet the security and compliance requirements of government organizations:

Identity and Access Management (IAM)


This image shows the IAM policies, users, and groups, and their relation to resources within a tenancy.

The Oracle Cloud Infrastructure Identity and Access Management service provides authentication and authorization for all Oracle Cloud Infrastructure resources and services. You can use a single tenancy shared by various business units, teams, and individuals while maintaining security, isolation, and governance.

When you join Oracle Cloud Infrastructure, a tenancy is created. A tenancy is a virtual construct that contains all Oracle Cloud Infrastructure resources that belong to the customer. The administrator of the tenancy can create users and groups and assign them least-privileged access to resources that are partitioned into compartments. A compartment is a group of resources that can be managed as a single logical unit, providing a streamlined way to manage large infrastructure.

Key IAM concepts:

Resource
A cloud object that you create and use when interacting with Oracle Cloud Infrastructure services. For example, compute instances, block storage volumes, virtual cloud networks (VCNs), subnets, and databases.
Policy
A set of authorization rules that define access to resources within a tenancy.
Compartment
A heterogeneous collection of resources for the purposes of security isolation and access control.
Tenancy
The root compartment that contains all of an organization's resources. Within a tenancy, administrators can create one or more compartments, create more users and groups, and assign policies that grant groups the ability to use resources within a compartment.
User
A human being or system that needs access to manage their resources. Users must be added to groups to access resources. Users have one or more credentials that must be used to authenticate to Oracle Cloud Infrastructure services. Federated users are also supported.
Group
A collection of users who share a similar set of access privileges. Administrators can grant access policies that authorize a group to consume or manage resources within a tenancy. All users in a group inherit the same set of privileges.
Identity Provider
A trusted relationship with a federated identity provider. Federated users who attempt to authenticate to the Oracle Cloud Infrastructure console are redirected to the configured identity provider. After successfully authenticating, federated users can manage Oracle Cloud Infrastructure resources in the console just like a native IAM user.

For example, you can create a compartment HR-Compartment to host a specific set of cloud networks, compute instances, storage volumes, and databases necessary for its HR applications. Use compartments to clearly separate resources for one project or business unit from another project or business unit. A common approach is to create a compartment for each major part of an organization.

All customer calls to access Oracle Cloud Infrastructure resources are first authenticated by the IAM service (or federated provider) and then authorized based on IAM policies. You can create a policy that gives a set of users permission to access the infrastructure resources (network, compute, storage, and so on) within a compartment in the tenancy. These policies are flexible and are written in a human-readable form that is easy to understand and audit. A policy contains one or more policy statements that follow this syntax:

Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>

The following example policy enables the GroupAdmins group to create, update, or delete any groups:

Allow group GroupAdmins to manage groups in tenancy

The following example policy enables the TestNetworkAdmins group to create, update, or delete any networks in the TestCompartment compartment:

Allow group TestNetworkAdmins to manage virtual-network-family in compartment TestCompartment
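Because policy statements are plain text, they are easy to lint before they are applied. The following is an added example, not Oracle code: it parses the statement shape shown above and flags grants a tenancy security administrator would want to review. The severity thresholds (what counts as critical, high or medium) are the author's choices, not an Oracle rule, and the trusted administrator group is assumed to be the default "Administrators" group; adjust it to match your own break-glass group.

```python
"""Lint Oracle Cloud Infrastructure IAM policy statements for over-broad grants.

Added example, not Oracle code. Parses
  Allow <subject> to <verb> <resource-type> in <scope> [where <condition>]
and applies review thresholds chosen by the author (assumptions, not OCI rules).
"""
import re
from dataclasses import dataclass

STATEMENT = re.compile(
    r"^\s*allow\s+"
    r"(?P<subject>any-user|(?:group|dynamic-group|service)\s+(?:'[^']*'|\S+))\s+"
    r"to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[a-z0-9-]+)\s+"
    r"in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?(?:'[^']*'|\S+))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# Resource types whose `manage` rights let the holder grant further access.
IDENTITY_TYPES = {"users", "groups", "dynamic-groups", "policies",
                  "compartments", "identity-providers"}


@dataclass(frozen=True)
class Finding:
    severity: str   # error | critical | high | medium
    statement: str
    reason: str


def lint_statement(stmt, trusted_admin_groups=("Administrators",)):
    """Return the findings for one statement (empty list when nothing stands out)."""
    m = STATEMENT.match(stmt)
    if not m:
        return [Finding("error", stmt, "not of the form Allow <subject> to "
                        "<verb> <resource-type> in <scope> [where <condition>]")]
    subject = m["subject"].lower()
    verb = m["verb"].lower()
    resource = m["resource"].lower()
    tenancy_wide = m["scope"].lower() == "tenancy"
    conditioned = m["condition"] is not None
    kind, _, name = subject.partition(" ")
    trusted = kind == "group" and name.strip("'") in {g.lower() for g in trusted_admin_groups}

    findings = []
    if subject == "any-user" and not conditioned:
        findings.append(Finding("high", stmt,
                                "any-user without a where clause applies to every principal in the tenancy"))
    # `manage` in the tenancy covers the root compartment and every compartment below it.
    if verb == "manage" and tenancy_wide and not trusted:
        if resource == "all-resources":
            findings.append(Finding("critical", stmt, "full administrator rights over the whole tenancy"))
        elif resource in IDENTITY_TYPES:
            findings.append(Finding("high", stmt,
                                    f"tenancy-wide manage on {resource} can be used to grant further access"))
        elif resource.endswith("-family"):
            findings.append(Finding("medium", stmt,
                                    f"manage {resource} scoped to the tenancy instead of a compartment"))
    return findings


def lint_policy(statements, **kwargs):
    """Lint every statement of a policy and return all findings in order."""
    findings = []
    for stmt in statements:
        findings.extend(lint_statement(stmt, **kwargs))
    return findings


if __name__ == "__main__":
    demo = [
        "Allow group GroupAdmins to manage groups in tenancy",
        "Allow group TestNetworkAdmins to manage virtual-network-family in compartment TestCompartment",
        "Allow group Devs to manage all-resources in tenancy",
        "Allow any-user to use instances in compartment Apps",
    ]
    for f in lint_policy(demo):
        print(f"[{f.severity}] {f.statement}\n    {f.reason}")
```

Run against the two statements from this page, the GroupAdmins grant is reported because tenancy-wide `manage groups` lets the holder add anyone to any group, including groups that carry broader policies; the TestNetworkAdmins grant is compartment-scoped and passes. Statements using `Define`, `Endorse` or `Admit` are outside the parsed shape and are reported as errors, which is the safe default for a linter.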

Each user has one or more credentials to authenticate themselves to Oracle Cloud Infrastructure. Users can generate and rotate their own credentials. In addition, a tenancy security administrator can reset credentials for any user within their tenancy.

  • Console password: Used to authenticate a user to the Oracle Cloud Infrastructure Console.
  • API key: All API calls are signed with a user-specific 2048-bit RSA private key. The user generates the key pair, keeps the private key, and uploads the public key in the Console; the public key's fingerprint identifies the key in signed requests.
  • Auth token: Auth tokens are Oracle-generated token strings that you can use to authenticate with third-party APIs that do not support Oracle Cloud Infrastructure's signature-based authentication. For example, use an auth token to authenticate with a Swift client. To ensure sufficient complexity, the IAM service creates the token and you cannot provide one.
  • Customer secret key: Used by Amazon S3 clients to access the Object Storage service's S3-compatible API. To ensure sufficient complexity, the IAM service creates this key and you cannot provide one.
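The API-key credential is used through the HTTP Signature scheme: the client signs a canonical string built from selected headers with its RSA private key and sends the base64 signature in an Authorization header. The block below is an added example, not code from the OCI SDKs. The signed header set, the `(request-target)` form and the Authorization header layout follow the OCI request-signing scheme as the author knows it; the keyId value `<tenancy_ocid>/<user_ocid>/<fingerprint>` is a placeholder. The RSA step is passed in as a callable so the construction can be exercised offline; `rsa_signer()` builds the real one from a PEM key when the `cryptography` package is installed.

```python
"""Sign an Oracle Cloud Infrastructure API request (HTTP Signature scheme).

Added example, not OCI SDK code. Header set, (request-target) form and the
Authorization layout follow the OCI signing scheme as the author knows it.
"""
import base64
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime
from urllib.parse import urlsplit

# Headers every signed request must cover, in signing order.
GENERIC_HEADERS = ["date", "(request-target)", "host"]
# Requests with a body also bind its length, type and SHA-256 digest, so the
# body cannot be swapped after the signature is made.
BODY_HEADERS = ["content-length", "content-type", "x-content-sha256"]
BODY_METHODS = {"POST", "PUT", "PATCH"}

# Fixed timestamp for the stand-alone demo (real clients use the current time).
FIXED_TIME = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)


def body_digest(body: bytes) -> str:
    """Value of x-content-sha256: base64 of the SHA-256 of the raw body."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method, url, headers, signed_names):
    """Join 'name: value' lines for the signed headers. (request-target) is the
    lower-cased method followed by the path and query string."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    lines = []
    for name in signed_names:
        value = f"{method.lower()} {target}" if name == "(request-target)" else headers[name]
        lines.append(f"{name}: {value}")
    return "\n".join(lines)


def prepare_headers(method, url, body=b"", now=None):
    """Return the headers to sign and the ordered list of their names."""
    now = now or datetime.now(timezone.utc)
    headers = {
        "date": format_datetime(now, usegmt=True),  # e.g. Tue, 02 Jan 2024 03:04:05 GMT
        "host": urlsplit(url).netloc,
    }
    names = list(GENERIC_HEADERS)
    if method.upper() in BODY_METHODS:
        headers["content-type"] = "application/json"
        headers["content-length"] = str(len(body))
        headers["x-content-sha256"] = body_digest(body)
        names += BODY_HEADERS
    return headers, names


def sign_request(method, url, key_id, signer, body=b"", now=None):
    """Return the request headers including the Authorization header.
    `signer` maps the signing string (bytes) to a raw RSA-SHA256 signature."""
    headers, names = prepare_headers(method, url, body, now)
    signature = base64.b64encode(signer(signing_string(method, url, headers, names).encode())).decode()
    header_list = " ".join(names)
    headers["authorization"] = (
        f'Signature version="1",keyId="{key_id}",algorithm="rsa-sha256",'
        f'headers="{header_list}",signature="{signature}"'
    )
    return headers


def rsa_signer(pem_private_key: bytes):
    """Production signer from the PEM private key whose public half was
    uploaded in the Console. Requires the `cryptography` package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(pem_private_key, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def stand_in_signer(data: bytes) -> bytes:
    """Offline stand-in so the example runs without a key; NOT a signature."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    key_id = "<tenancy_ocid>/<user_ocid>/<fingerprint>"  # placeholder keyId
    url = "https://iaas.us-phoenix-1.oraclecloud.com/20160918/instances?compartmentId=ocid1.compartment.oc1..example"
    for name, value in sign_request("GET", url, key_id, stand_in_signer, now=FIXED_TIME).items():
        print(f"{name}: {value}")
```

The `date` header is part of the signed string, which is what makes a captured request unusable for replay beyond the server's clock-skew window; the `x-content-sha256` header does the same for the body. Never log the private key or the full Authorization header from a client that uses a real signer.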

Oracle Cloud Infrastructure supports federation with Oracle Identity Cloud Service, Microsoft Active Directory, and Microsoft Azure Active Directory, and with other identity providers that support the Security Assertion Markup Language (SAML) 2.0 protocol. Federated groups are mapped to native IAM groups, which determine the permissions of a federated user.

For more information, see:

Identity Cloud Service

Oracle Identity Cloud Service (IDCS) provides identity management, single sign-on (SSO), and identity governance features for applications on-premises, in the cloud, or on mobile devices.

  • Use the IAM service to control administrative access to your Oracle Cloud Infrastructure services and resources.
  • Use Oracle Identity Cloud Service to secure custom applications running on those cloud resources.

Tenancies created after December 21, 2018 are automatically federated with Oracle Identity Cloud Service and configured to provision federated users in Oracle Cloud Infrastructure. Older tenancies can be manually federated with Oracle Identity Cloud Service. Federation allows IDCS users to access cloud resources and allows administrators to create IAM policies for IDCS groups.

Oracle Identity Cloud Service uses OpenID Connect and OAuth to deliver a highly scalable, multi-tenant token service for securing programmatic access to custom applications from other custom applications.

  • Use OAuth 2.0 to define authorization for your custom applications. The OAuth 2.0 framework is commonly used for third-party authorization requests with consent. Custom applications can implement both two-legged and three-legged OAuth flows.

  • Use OpenID Connect to externalize authentication for your custom applications. OpenID Connect is an authentication layer on top of the OAuth 2.0 authorization framework and provides federated SSO for identities in the cloud. Custom applications participate in an OpenID Connect flow.

For more information, see:

Cloud Guard


Targets are monitored by Detectors, which trigger Problems, which trigger Responders

Use Cloud Guard to examine your Oracle Cloud Infrastructure resources for security weakness related to configuration, and to examine your operators and users for risky activities. Upon detection, Cloud Guard suggests corrective actions, and can be configured to automatically take certain actions. For example:

  • Detect an instance that is publicly accessible (has a public IP address or is on a public subnet) and stop the instance.
  • Detect an Object Storage bucket that is publicly accessible and disable the bucket.
  • Detect a user login from a suspicious IP address and restrict traffic from this address.

Oracle recommends that you enable Cloud Guard in your tenancy. You can configure a Cloud Guard target to examine your entire tenancy (root compartment and all subcompartments), or you can configure targets to check only specific compartments.

Each target is associated with a detector recipe, which defines specific user actions or resource configurations that cause Cloud Guard to report a problem. Oracle provides several default Cloud Guard detector recipes, which you can use as-is or customize as needed. For example, you might want to change the risk level or settings associated with certain detector rules. As Cloud Guard adds new detector rules, they are automatically enabled in Oracle-managed recipes, and disabled in custom recipes.

A Cloud Guard responder recipe defines the action or set of actions to take in response to a problem that a detector has identified. You can also use the Events and Notifications services to send notifications whenever Cloud Guard detects a type of problem for which you want to be notified. You can send notifications through email or Slack, or run custom code in the Functions service.

For more information, see Cloud Guard.

Vulnerability Scanning

Oracle Vulnerability Scanning Service helps improve your security posture by routinely checking hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities, and assigns each a risk level. For example:

  • Ports that are unintentionally left open, which might be an attack vector into your cloud resources or let an attacker exploit other vulnerabilities
  • OS packages that require updates and patches to address vulnerabilities
  • OS configurations that attackers might exploit
  • Deviations from the industry-standard benchmarks published by the Center for Internet Security (CIS) for the target OS

You can also monitor these vulnerabilities in Cloud Guard. Upon detection of a vulnerability, Cloud Guard suggests corrective actions, and can be configured to automatically take certain actions.

For more information, see Scanning Overview.

Security Zones


A security zone is associated with a compartment and security zone policies. Operations that violate policies are denied.

Security Zones let you be confident that your Compute, Networking, Object Storage, Database, and other resources comply with Oracle security principles and best practices. A security zone is associated with a compartment. When you create and update resources in a compartment that's associated with a security zone, Oracle Cloud Infrastructure validates these operations against security zone policies. If any security zone policy is violated, then the operation is denied.

Here are some examples of security zone policies:

  • Subnets in a security zone can't be public. All subnets must be private.
  • The boot volume for a compute instance in a security zone must also be in a security zone.
  • Object Storage buckets in a security zone must use a customer-managed master encryption key.
  • You can't move certain resources like block volumes and compute instances from a security zone to a standard compartment.

For more information, see Security Zones.

Vault

You can use the Vault service to create and manage the following resources:

  • Vaults
  • Keys
  • Secrets

A vault includes the encryption keys and secret credentials that you use to protect your data and connect to secured resources. As customer-managed resources, you have complete control over who has access to your vaults, keys, and secrets. You also control what authorized users and services can do with Vault resources. Levels of access might range from something as granular as whether an individual key can be used by a particular service to more broadly impactful lifecycle management activities, like whether a user can delete a key from a vault to prevent its use altogether.

Keys are stored on highly available and durable hardware security modules (HSMs) certified to Federal Information Processing Standards (FIPS) 140-2 Security Level 3. Secrets and secret versions are base64-encoded and encrypted with master encryption keys, but do not reside within the HSM.

The Vault service supports keys for the Advanced Encryption Standard (AES), the Rivest-Shamir-Adleman (RSA) algorithm, and the Elliptic Curve Digital Signature Algorithm (ECDSA). You can create and use AES symmetric keys and RSA asymmetric keys for encryption and decryption, and RSA or ECDSA asymmetric keys for signing and verifying digital messages; ECDSA keys are for signing only, not for encryption.

Security zone policies require you to encrypt resources using customer-managed keys where possible. The following services support the use of customer-managed keys for resource encryption:

  • Block Volume
  • Container Engine for Kubernetes
  • Oracle Cloud Infrastructure Database
  • File Storage
  • Object Storage
  • Streaming

For more information, see Overview of Vault.

Security Advisor

Security Advisor helps you create cloud resources that align with Oracle's security principles and best practices. It also ensures that your resources meet the requirements enforced by security zone policies. For example, you can quickly create resources that are encrypted with a customer-managed master encryption key using the Vault service.

For example, you can use Security Advisor to create the following resources:

  • Object Storage bucket
  • File Storage file system
  • Compute instance (and its associated boot volume)
  • Block Volume block storage volume

For more information, see Overview of Security Advisor.

Bastion

Oracle Cloud Infrastructure Bastion provides restricted and time-limited access to target resources that don't have public endpoints.


The Client connects to a Session on a Bastion using an SSH Client or SSH Tunnel. The two Sessions connect to an instance and a database in a Private Subnet. The VCN that contains the Private Subnet has a Service Gateway.

Through the configuration of a bastion, you can let authorized users connect to target resources on private endpoints by way of Secure Shell (SSH) sessions. When connected, users can interact with the target resource by using any software or protocol that can be carried over SSH. For example, you can tunnel Remote Desktop Protocol (RDP) traffic or connect to a database by using Oracle Net Services through an SSH port forward. Targets can include resources like compute instances, DB systems, and Autonomous Transaction Processing databases.

Bastions reside in a public subnet and establish the network infrastructure needed to connect a user to a target resource in a private subnet. Integration with the IAM service provides user authentication and authorization. Bastions provide an extra layer of security by letting you restrict which client IP addresses (CIDR blocks) can connect to a session hosted by the bastion.

For more information, see Bastion.

Web Application Firewall

Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, Payment Card Industry (PCI) compliant, security service that protects applications from malicious and unwanted internet traffic. WAF can protect any internet-facing endpoint, providing consistent rule enforcement across your applications.

Use WAF to create and manage protection rules for internet threats including Cross-Site Scripting (XSS), SQL Injection, and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while desirable bots are allowed to enter. You can also define and apply custom protection rules to your WAF configurations using the ModSecurity Rule Language.

Use WAF to create access rules that define explicit actions for requests that meet various conditions. For example, access rules can limit requests based on the geography or the signature of the request. A rule action can be set to log and allow, detect, block, redirect, bypass, or show a CAPTCHA for all requests that match the conditions.

For more information, see Overview of Web Application Firewall.

Audit

The Oracle Cloud Infrastructure Audit service records all API calls to resources in a customer’s tenancy and login activity from the Console. You can achieve your security and compliance goals by using the Audit service to monitor all user activity within your tenancy. Because all Console, SDK, and command line (CLI) calls go through the Oracle Cloud Infrastructure APIs, all activity from those sources is included. Audit records are available through an authenticated, filterable query API or they can be retrieved as batched files from Oracle Cloud Infrastructure Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as the source IP, user agent, and HTTP headers of the request.
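Because every API call lands in the Audit log with the caller, source IP and request details, the log is the natural place to detect the identity-plane changes and suspicious logins the Cloud Guard section mentions. The following is an added example, not Oracle code: it triages a batch of Audit events for successful changes to the IAM control plane and for callers outside an approved address range. The four events are constructed by the author, and the field paths used (`eventType`, `eventTime`, `data.eventName`, `data.identity.principalName`, `data.identity.ipAddress`, `data.request.action`, `data.request.path`, `data.response.status`) are the author's reading of the Audit event layout; confirm them against an event exported from your own tenancy before wiring this into a pipeline.

```python
"""Triage Oracle Cloud Infrastructure Audit events.

Added example, not Oracle code. Events below are constructed; field paths are
the author's reading of the Audit event layout (assumption, verify locally).
"""
import ipaddress
import json

# Assumed eventType prefix for IAM control-plane events.
IDENTITY_PLANE = "com.oraclecloud.identitycontrolplane."
MUTATING_ACTIONS = {"POST", "PUT", "PATCH", "DELETE"}


def _event(event_type, when, name, who, src, action, path, status):
    """Helper to build a constructed event in the assumed layout."""
    return {"eventType": event_type, "eventTime": when,
            "data": {"eventName": name, "compartmentName": "root",
                     "identity": {"principalName": who, "ipAddress": src, "userAgent": "oci-cli/3.37"},
                     "request": {"action": action, "path": path},
                     "response": {"status": status}}}


# Constructed sample events (not from any real tenancy).
SAMPLE_EVENTS = [
    _event(IDENTITY_PLANE + "createpolicy", "2024-01-02T03:04:05Z", "CreatePolicy",
           "alice", "203.0.113.7", "POST", "/20160918/policies", "200"),
    _event("com.oraclecloud.computeapi.listinstances", "2024-01-02T03:05:00Z", "ListInstances",
           "bob", "10.0.1.20", "GET", "/20160918/instances", "200"),
    _event(IDENTITY_PLANE + "uploadapikey", "2024-01-02T03:06:00Z", "UploadApiKey",
           "carol", "198.51.100.9", "POST", "/20160918/users/ocid1.user.oc1..example/apiKeys", "200"),
    # A failed delete: still worth seeing in the log, but not a completed change.
    _event(IDENTITY_PLANE + "deleteuser", "2024-01-02T03:07:00Z", "DeleteUser",
           "dave", "10.0.1.21", "DELETE", "/20160918/users/ocid1.user.oc1..other", "404"),
]
# Same events as a newline-delimited JSON batch, the shape of a bulk export.
SAMPLE_BATCH_TEXT = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

# Constructed allowlist: the VCN range plus the office egress block.
TRUSTED = ["10.0.0.0/8", "198.51.100.0/24"]


def load_batch(text):
    """Parse a newline-delimited JSON batch into event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def succeeded_mutation(ev):
    """True when the request changed state and the service reported success."""
    data = ev["data"]
    action = data.get("request", {}).get("action", "").upper()
    status = str(data.get("response", {}).get("status", ""))
    return action in MUTATING_ACTIONS and status.startswith("2")


def triage(events, trusted_cidrs):
    """Return (label, reason) pairs for events that deserve a human look."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for ev in events:
        data = ev["data"]
        ident = data.get("identity", {})
        who, src = ident.get("principalName"), ident.get("ipAddress")
        label = f'{ev["eventTime"]} {who}@{src} {data.get("eventName")}'
        if ev["eventType"].startswith(IDENTITY_PLANE) and succeeded_mutation(ev):
            findings.append((label, "identity-plane change via " + data["request"]["path"]))
        if src and not any(ipaddress.ip_address(src) in n for n in nets):
            findings.append((label, f"source {src} is outside the trusted ranges"))
    return findings


if __name__ == "__main__":
    for label, reason in triage(load_batch(SAMPLE_BATCH_TEXT), TRUSTED):
        print(label, "->", reason)
```

On the constructed batch this reports the policy creation twice (an identity-plane change, and one made from an address outside the allowlist), the API-key upload once, and nothing for the read-only listing or the failed delete. Only successful mutations are treated as changes; if you also want failed attempts, the 4xx responses are in the same records and can be keyed on `response.status`.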

For more information, see Overview of Audit.