Shared Security Model

Security in the cloud is a shared responsibility between you and Oracle. For you to securely run your workloads in Oracle Cloud Infrastructure (OCI), you must be aware of your security and compliance responsibilities.

Whereas Oracle ensures the security of cloud infrastructure and operations, your organization must define its own security guidelines. The following table introduces the shared security model between your organization and Oracle.

Owner Area of Responsibility

Security in the cloud. For example:

  • Organization's data
  • User credentials, other account information
  • Account access management, application management
  • Secure user access behavior, strong OCI Identity and Access Management (IAM) policies
  • Patching
  • Network and firewall configuration
  • Security rules, route rules, virtual cloud network (VCN) configuration
  • Client-side encryption
  • Vault

Security of the cloud. For example:

  • Other Oracle Cloud Infrastructure services and functionality, such as Load Balancing, WAF, Cloud Guard, distributed denial-of-service (DDoS) protection
  • Compute, network, and storage isolation
  • IAM framework
  • Data center physical security
  • Hardware, software, networking, and facilities that run Oracle services

Oracle is responsible for all aspects of the physical security of the availability domains and fault domains in each region.

Both Oracle and your organization are responsible for the security of software and the associated logical configurations and controls.

Your organization is responsible for the security of the following areas:

  • Platforms that you create in OCI
  • Applications security and compliance
  • VCNs
  • IAM
  • Data security in databases and storage
  • The overall governance, risk, and security of the workloads that you run

For detailed information about security responsibilities in OCI, see the Oracle Cloud Infrastructure Security Guide.

For information about OCI compliance documentation, see Overview of Compliance Documents.