Securing Your Tenancy

Learn how to get started with securing an Oracle Cloud Infrastructure tenancy.

Before you begin, get familiar with the security concepts and features in Oracle Cloud Infrastructure. See:

In a shared, multi-tenant compute environment, Oracle is responsible for the security of the underlying cloud infrastructure (such as data center facilities, and hardware and software systems). You are responsible for securing your workloads and configuring the security of your services (such as compute, network, storage, and database).

Security of an Oracle Cloud Infrastructure tenancy is based on a combination of factors, all of which must be thought through and securely configured. Take a hierarchical view of security configuration. Start by addressing foundational security issues, and then address the security of specific infrastructure resources. The following steps provide a high-level roadmap for configuring the security of a tenancy.

  1. Define a security model that meets the workload requirements for your tenancy.
    • Number of compartments
    • Number of users with administrative rights
    • Administrative roles and permissions
  2. (Optional) Provision identity domains in the IAM service.

    Consider creating identity domains if you want to separate different user populations (development and production, for example), or if these user populations require different authentication settings.

    See Do You Have Access to Identity Domains? and IAM Identity Domain Types.

  3. Provision users, groups, compartments, and policies in the IAM service.

    Create mechanisms for authenticating users and authorizing users to access tenancy resources in a least-privilege manner.

    See Securing IAM.

  4. (Optional) Provision security zones for hosting cloud resources that must comply with Oracle's security best practices.

    If a user attempts to create or update a resource in a security zone, and this operation violates a security zone policy, then the action is denied.

    See Security Zones.

  5. (Optional) Enable Cloud Guard to detect and respond to common security issues.
  6. Provision master encryption keys and secret credentials.

    See Vault.

  7. Provision and secure cloud networks.

    Use security lists, network security groups, or a combination of both to control packet-level traffic in and out of the resources in your VCN (virtual cloud network). Use private subnets to host resources that do not require internet access.

    See Securing Networking: VCN, Load Balancers, and DNS.

  8. Provision and secure cloud storage.

    Depending on your data storage requirements, your options include Database, Block Volume, Object Storage, and File Storage.

    Compliance and regulatory requirements are an important factor in determining an appropriate data storage security architecture.

    Refer to the specific service in Security Best Practices.

  9. Provision and secure the other services in your tenancy that your organization requires.

    For example, Compute or Container Engine for Kubernetes.

    Refer to the specific service in Security Best Practices.

  10. Periodically review Audit logs to ensure that user actions are in accordance with your initial security configuration.

    See Audit.

    If you enabled Cloud Guard, it also notifies you about security problems that it detected.
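The least-privilege point in step 3, the network exposure point in step 7, and the periodic review in step 10 can be turned into a repeatable check. The script below is an added example, not Oracle's code and not part of this page: it parses plain `Allow` policy statements with a simplified grammar (an assumption; cross-tenancy `Endorse`/`Admit` statements are only flagged for manual review), treats the `Administrators` group as the one legitimate holder of tenancy-wide `manage all-resources` (an assumption you adjust to your own model), and inspects ingress rules shaped like the security-list JSON the OCI CLI returns (also an assumption). The statements and rules it runs on are constructed samples.

```python
"""Review OCI IAM policy statements and VCN security-list ingress rules
for common least-privilege problems.

Added example, not Oracle's code. The policy grammar below is simplified,
the rule JSON shape is an assumption modelled on OCI CLI output, and all
sample data is constructed."""
import re
from dataclasses import dataclass

# Simplified OCI policy grammar (assumption):
#   Allow group <name> | dynamic-group <name> | any-user
#     to inspect|read|use|manage <resource-type>
#     in tenancy | compartment <name> [where <condition>]
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>group\s+\S+|dynamic-group\s+\S+|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)

@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or INFO
    statement: str
    reason: str

def review_policies(statements, admin_groups=("Administrators",)):
    """Return findings for statements that grant more than a compartment-scoped role needs."""
    findings = []
    for stmt in statements:
        m = STATEMENT_RE.match(stmt)
        if not m:
            findings.append(Finding("INFO", stmt, "not a plain Allow statement; review manually"))
            continue
        parts = m.group("subject").split(None, 1)
        kind = parts[0].lower()
        name = parts[1].strip("'\"") if len(parts) > 1 else ""
        verb = m.group("verb").lower()
        resource = m.group("resource").lower()
        tenancy_wide = m.group("scope").lower() == "tenancy"
        if kind == "any-user" and not m.group("cond"):
            findings.append(Finding("HIGH", stmt, "any-user grant without a where condition"))
        elif tenancy_wide and verb == "manage" and resource == "all-resources":
            if name not in admin_groups:  # tenancy-wide admin outside the allowlisted group
                findings.append(Finding("HIGH", stmt, f"group {name} is a tenancy-wide administrator"))
        elif tenancy_wide and verb == "manage":
            findings.append(Finding("MEDIUM", stmt, "manage at tenancy scope; prefer a compartment"))
    return findings

ADMIN_PORTS = (22, 3389)  # SSH and RDP

def world_open_admin_ports(ingress_rules):
    """Return indexes of ingress rules that expose SSH/RDP (or everything) to 0.0.0.0/0."""
    hits = []
    for i, rule in enumerate(ingress_rules):
        if rule.get("source") != "0.0.0.0/0":
            continue
        proto = str(rule.get("protocol", "")).lower()
        if proto == "all":          # every protocol and port
            hits.append(i)
            continue
        if proto != "6":            # 6 is TCP; other protocols are out of scope here
            continue
        rng = rule.get("tcp-options", {}).get("destination-port-range")
        if rng is None or any(rng["min"] <= p <= rng["max"] for p in ADMIN_PORTS):
            hits.append(i)          # no port range means all TCP ports
    return hits

# Constructed sample data (not from any real tenancy).
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group DevOps to manage all-resources in tenancy",
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Prod",
    "Allow group Auditors to read audit-events in tenancy",
    "Allow any-user to use object-family in compartment Public",
    "Allow group DBAdmins to manage database-family in tenancy",
    "Endorse group CrossTenancyReaders to read objects in any-tenancy",
]
SAMPLE_INGRESS_RULES = [
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
    {"source": "0.0.0.0/0", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"source": "10.0.0.0/16", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
    {"source": "0.0.0.0/0", "protocol": "all"},
]

if __name__ == "__main__":
    for f in review_policies(SAMPLE_STATEMENTS):
        print(f"[{f.severity}] {f.statement}\n        {f.reason}")
    for i in world_open_admin_ports(SAMPLE_INGRESS_RULES):
        print(f"[HIGH] ingress rule {i} reachable from the internet: {SAMPLE_INGRESS_RULES[i]}")
```

Run it against the output of your own policy and security-list listings on the review cadence step 10 describes; the `admin_groups` allowlist and the port list are the two knobs to align with the security model defined in step 1.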