Shared Security Model

Security in the cloud is a shared responsibility between you and Oracle. For you to securely run your workloads in Oracle Cloud Infrastructure (OCI), you must be aware of your security and compliance responsibilities.

Whereas Oracle ensures the security of cloud infrastructure and operations, your organization must define its own security guidelines. The following table introduces the shared security model between your organization and Oracle.


Owner	Area of Responsibility
Customer	Security in the cloud. For example: Organization's data User credentials, other account information Account access management, application management Secure user access behavior, strong OCI Identity and Access Management (IAM) policies Patching Network and firewall configuration Security rules, route rules, virtual cloud network (VCN) configuration Client-side encryption Vault
Oracle	Security of the cloud. For example: Other Oracle Cloud Infrastructure services and functionality, such as Load Balancing, WAF, Cloud Guard, distributed denial-of-service (DDoS) protection Compute, network, and storage isolation IAM framework Data center physical security Hardware, software, networking, and facilities that run Oracle services

Oracle is responsible for all aspects of the physical security of the availability domains and fault domains in each region.

Both Oracle and your organization are responsible for the security of software and the associated logical configurations and controls.

Your organization is responsible for the security of the following areas:

Platforms that you create in OCI
Applications security and compliance
VCNs
IAM
Data security in databases and storage
The overall governance, risk, and security of the workloads that you run

For detailed information about security responsibilities in OCI, see the Oracle Cloud Infrastructure Security Guide.

For information about OCI compliance documentation, see Overview of Compliance Documents.

Oracle Cloud Infrastructure Documentation

Shared Security Model