Oracle Cloud Infrastructure (OCI) is responsible for the security of the cloud itself: it maintains the physical data centers, physical network, physical hosts, and virtualization layer, and keeps them performant and up to date. OCI provides the following security services:
- Cloud Guard: This service falls under the category of Cloud Security Posture Management. It examines resources for security weaknesses such as misconfigurations, among other factors. Cloud Guard monitors and identifies potential security issues, provides remediation options, and can automate the remediation as well. Cloud Guard has two key aspects: detection and monitoring. When a problem is detected, Cloud Guard suggests corrective actions and can be configured to take certain actions automatically. For example, if a bucket is detected as public but the user wants it to be private, Cloud Guard monitors the configuration and flags it as a critical problem. This flag serves as a ticket that notifies the user of the critical risk posed by the public bucket. The user can then make the bucket private through Cloud Events triggers, Notifications, or serverless OCI Functions. The responder, which has the necessary permissions, hands the problem to the Cloud Guard operator, who can respond and make the bucket private according to Oracle policies.
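The detect, flag, and respond cycle described above, as an added example that is not part of the original page and not Cloud Guard's own code: a detector rule scans a constructed bucket inventory, raises a CRITICAL finding for every bucket that is public but meant to be private, and a responder remediates only when automatic remediation is enabled for the rule and the responder identity holds the required permission. The `Bucket` fields, the rule name `BUCKET_IS_PUBLIC` and the permission name `BUCKET_UPDATE` are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Bucket is a constructed, simplified view of an Object Storage bucket's
// configuration. The field names are assumptions made for this example.
type Bucket struct {
	Name         string
	PublicAccess bool // true when anonymous reads are allowed
	WantPrivate  bool // the owner's intent: this bucket must not be public
}

// Finding is the "ticket" a detector raises when a rule fires.
type Finding struct {
	Resource string
	Rule     string
	Severity string
	Detail   string
}

// DetectPublicBuckets is a detector rule: it flags every bucket that is
// public although its owner wants it private, at CRITICAL severity.
func DetectPublicBuckets(buckets []*Bucket) []Finding {
	var findings []Finding
	for _, b := range buckets {
		if b.PublicAccess && b.WantPrivate {
			findings = append(findings, Finding{
				Resource: b.Name,
				Rule:     "BUCKET_IS_PUBLIC",
				Severity: "CRITICAL",
				Detail:   "bucket allows anonymous access but is expected to be private",
			})
		}
	}
	return findings
}

// IndexByName lets a responder look up the resource named in a finding.
func IndexByName(buckets []*Bucket) map[string]*Bucket {
	idx := make(map[string]*Bucket, len(buckets))
	for _, b := range buckets {
		idx[b.Name] = b
	}
	return idx
}

// ErrNotPermitted is returned when the responder identity lacks the
// permission needed to change a bucket's visibility.
var ErrNotPermitted = errors.New("responder lacks BUCKET_UPDATE permission")

// Responder models the remediation step. It acts only when automatic
// remediation is enabled for the rule and the responder holds the permission.
type Responder struct {
	AutoRemediate map[string]bool // rule ID -> may act without an operator
	Permissions   map[string]bool // permission name -> granted
}

// Remediate makes the flagged bucket private. It reports whether it acted;
// a finding it may not act on automatically is left for a human operator.
func (r Responder) Remediate(f Finding, idx map[string]*Bucket) (bool, error) {
	if !r.AutoRemediate[f.Rule] {
		return false, nil
	}
	if !r.Permissions["BUCKET_UPDATE"] {
		return false, ErrNotPermitted
	}
	b, ok := idx[f.Resource]
	if !ok {
		return false, fmt.Errorf("bucket %q not found", f.Resource)
	}
	b.PublicAccess = false
	return true, nil
}

func main() {
	// Constructed sample inventory, not real OCI data.
	buckets := []*Bucket{
		{Name: "logs-archive", PublicAccess: true, WantPrivate: true},
		{Name: "static-site", PublicAccess: true, WantPrivate: false},
		{Name: "backups", PublicAccess: false, WantPrivate: true},
	}
	r := Responder{
		AutoRemediate: map[string]bool{"BUCKET_IS_PUBLIC": true},
		Permissions:   map[string]bool{"BUCKET_UPDATE": true},
	}
	idx := IndexByName(buckets)
	for _, f := range DetectPublicBuckets(buckets) {
		acted, err := r.Remediate(f, idx)
		fmt.Printf("%s %s on %s: acted=%v err=%v\n", f.Severity, f.Rule, f.Resource, acted, err)
	}
}
```

The intentionally public `static-site` bucket produces no finding, which is the point of recording intent alongside state: a posture rule compares what a resource is with what it is supposed to be. A second sweep after remediation returns no findings, which is how the ticket gets closed.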
- Security Zone: This feature lets users designate a location in which security cannot be disabled. OCI provides several predefined security zones in each region. Security Advisor is a service that combines Security Zone, Cloud Guard, and other capabilities into a cohesive whole. It can be assigned to a particular compartment and applied to networking, storage, compute, and database services.
- Vulnerability Scanning Service: This service regularly checks hosts for potential vulnerabilities. It retrieves information from a vulnerability database and reports vulnerabilities and exposures. Scanning recipes determine what information to examine and how often to scan (weekly or daily). There are two types of scanning: port scanning, in which the service checks 1000 common ports, and agent-based scanning, in which the service checks hosts against the benchmarks published by the Center for Internet Security (CIS). The service assigns a risk level to each vulnerability it identifies.
- OCI Vault: This is a managed service for managing encryption keys and secret credentials, so that keys and secrets no longer need to be stored in configuration files. Keys are stored on highly available and durable hardware security modules (HSMs). A key specifies the encryption and decryption algorithm used to transform plaintext into ciphertext and back. Advanced Encryption Standard (AES), RSA, and ECDSA keys are supported. AES is a symmetric algorithm: the same key both encrypts and decrypts. RSA is an asymmetric encryption algorithm: the public key encrypts data and the private key decrypts it. ECDSA keys are used for digital signing only and cannot encrypt or decrypt. Vault also supports envelope encryption. Access to master keys is authorized through Identity and Access Management (IAM) policies, which restrict who can use them, and Audit logs record key-related activity, adding a further layer of oversight. When a Vault is deleted, all keys inside it are deleted with it and can no longer be recovered or accessed.
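Envelope encryption, mentioned above, as an added example that is not part of the original page and not the OCI Vault implementation or SDK: a fresh data encryption key (DEK) encrypts the data, the master key only ever wraps and unwraps the DEK, and the application stores the ciphertext next to the wrapped DEK. The `Vault` type, its in-memory master key and the AES-GCM wrapping are assumptions made so that the example runs offline; in OCI Vault the master key stays inside the HSM and the wrap and unwrap calls would go to the service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Vault stands in for the key service. Its master key would, in OCI Vault,
// live inside an HSM and never be exported; here it is an in-memory AES-256
// key so that the example runs offline (an assumption of this example).
type Vault struct{ masterKey []byte }

func NewVault() (*Vault, error) {
	mk, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	return &Vault{masterKey: mk}, nil
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-GCM under key, binding aad into the auth tag;
// the random nonce is prepended to the output.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any tampering with nonce, data or tag fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is what the application stores: the data ciphertext together
// with the DEK wrapped under the master key. Without the master key holder
// the DEK cannot be unwrapped, so the stored data stays unreadable.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a fresh DEK, encrypts the data with it, wraps the DEK
// under the master key, and lets the plaintext DEK go out of scope.
func (v *Vault) Encrypt(plaintext []byte) (Envelope, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := sealGCM(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(v.masterKey, dek, []byte("dek"))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the master key, then decrypts the data.
func (v *Vault) Decrypt(e Envelope) ([]byte, error) {
	dek, err := openGCM(v.masterKey, e.WrappedDEK, []byte("dek"))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, e.Ciphertext, nil)
}

func main() {
	v, _ := NewVault()
	env, _ := v.Encrypt([]byte("constructed secret: db password")) // constructed sample
	pt, err := v.Decrypt(env)
	fmt.Printf("wrapped DEK %d bytes, ciphertext %d bytes, decrypted %q err=%v\n",
		len(env.WrappedDEK), len(env.Ciphertext), pt, err)
}
```

Two properties are worth checking against the page's description: a copy of the envelope is useless to anyone without the master key, because the DEK cannot be unwrapped, and rotating or deleting the master key affects every envelope at once without re-encrypting the bulk data. Using an authenticated mode (GCM) for both layers also means tampering with the stored ciphertext is detected at decrypt time rather than silently producing garbage.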
- Web Application Firewall (WAF): The WAF protects against complex layer 7 (application-layer) attacks such as SQL injection and cross-site scripting. It functions as a device, server-side plugin, or filter that applies a set of rules to HTTP or HTTPS traffic. By intercepting this traffic and passing it through its filters and rules, the WAF detects and blocks attack traffic. The OCI WAF service provides multi-cloud support and can be used to protect any internet-facing application in any environment.
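The rule-and-filter mechanism described above, as an added example that is not part of the original page and not the OCI WAF's rule set or implementation: a small filter decodes the request path, query parameters and form fields, applies a list of regular-expression rules to each, and a middleware returns 403 when a rule fires. The rule IDs, the three coarse patterns and the sample request targets are constructed for this example and are far too crude for production use; they only illustrate where a WAF looks and why it must match after URL decoding.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Rule pairs a detection pattern with an identifier for logging. These
// patterns are coarse, constructed illustrations for this example, not a
// production signature set.
type Rule struct {
	ID      string
	Pattern *regexp.Regexp
}

var Rules = []Rule{
	{ID: "sqli-union-select", Pattern: regexp.MustCompile(`(?i)\bunion\b.*\bselect\b`)},
	{ID: "sqli-tautology", Pattern: regexp.MustCompile(`(?i)'\s*or\s*'?\w*'?\s*=\s*'?\w*`)},
	{ID: "xss-script-tag", Pattern: regexp.MustCompile(`(?i)<\s*script\b`)},
}

// Decision records the outcome of inspecting one request.
type Decision struct {
	Blocked bool
	RuleID  string // rule that fired, empty when the request is allowed
	Field   string // request field the rule matched in
}

// field is one inspected request location and its decoded value.
type field struct{ name, value string }

func sortedKeys(v url.Values) []string {
	keys := make([]string, 0, len(v))
	for k := range v {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic inspection order
	return keys
}

// inspectedFields collects what the filter examines: the decoded path,
// every query parameter and every form field. Matching after decoding
// matters, since a URL-encoded payload would otherwise not be recognised.
func inspectedFields(r *http.Request) []field {
	fields := []field{{"path", r.URL.Path}}
	q := r.URL.Query()
	for _, k := range sortedKeys(q) {
		fields = append(fields, field{"query:" + k, strings.Join(q[k], " ")})
	}
	if err := r.ParseForm(); err == nil {
		for _, k := range sortedKeys(r.PostForm) {
			fields = append(fields, field{"form:" + k, strings.Join(r.PostForm[k], " ")})
		}
	}
	return fields
}

// Filter applies every rule to every inspected field and returns the first
// match; a request that matches nothing is allowed through.
func Filter(r *http.Request) Decision {
	for _, f := range inspectedFields(r) {
		for _, rule := range Rules {
			if rule.Pattern.MatchString(f.value) {
				return Decision{Blocked: true, RuleID: rule.ID, Field: f.name}
			}
		}
	}
	return Decision{}
}

// Protect wraps an application handler: blocked requests get 403 and are
// logged with the rule that fired; everything else reaches the application.
func Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if d := Filter(r); d.Blocked {
			fmt.Printf("waf block: rule=%s field=%s method=%s path=%s\n", d.RuleID, d.Field, r.Method, r.URL.Path)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed request targets: one benign, two that trip a rule.
	for _, target := range []string{
		"/items?id=42&sort=name",
		"/items?id=1%20union%20select%201",
		"/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
	} {
		req, _ := http.NewRequest("GET", target, nil)
		fmt.Printf("%-48s -> %+v\n", target, Filter(req))
	}
}
```

Logging the rule ID and field on every block is what makes a WAF tunable: a rule that fires on legitimate traffic (a product description that happens to contain "union" and "select", say) shows up in the log with the field it matched, and can be scoped or replaced instead of silently dropping customer requests.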
- Bastion: Bastion is a fully managed service provisioned within your virtual network. It provides secure and seamless Remote Desktop Protocol (RDP) or Secure Shell (SSH) connectivity directly to your virtual machines (VMs). Bastions are logical entities that enable secure public access to target resources in the cloud that cannot be reached directly from the internet. An additional layer of security comes from a configurable CIDR block allow list, which specifies the IP addresses permitted to connect to a Bastion session. Bastion restricts access to target resources and eliminates the need for users to build and maintain their own bastion hosts.
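The CIDR block allow list described above, as an added example that is not part of the original page and not the Bastion service's own code: the allow list is validated when configured (malformed entries are rejected, and, as a policy choice made for this example, so is a catch-all /0 prefix that would admit every address) and a session request is permitted only when its source address falls inside one of the listed blocks, denying by default. The `AllowList` type and the sample addresses (RFC 5737 and RFC 3849 documentation ranges) are constructed for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// AllowList holds the CIDR blocks from which a Bastion session may be opened.
type AllowList struct {
	prefixes []netip.Prefix
}

// NewAllowList parses the configured CIDR strings. It rejects malformed
// entries and, as a policy choice for this example, catch-all prefixes
// (/0) that would make the allow list meaningless.
func NewAllowList(cidrs []string) (*AllowList, error) {
	al := &AllowList{}
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		if p.Bits() == 0 {
			return nil, fmt.Errorf("refusing catch-all CIDR %q", c)
		}
		al.prefixes = append(al.prefixes, p.Masked())
	}
	return al, nil
}

// Permits reports whether a client address may create a session.
// An empty allow list permits nothing (deny by default).
func (al *AllowList) Permits(addr string) (bool, error) {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return false, fmt.Errorf("invalid client address %q: %w", addr, err)
	}
	// A v4-mapped v6 address (::ffff:203.0.113.5) must be compared as the
	// IPv4 address it carries, or it would slip past an IPv4-only list.
	ip = ip.Unmap()
	for _, p := range al.prefixes {
		if p.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed allow list and client addresses from documentation ranges.
	al, err := NewAllowList([]string{"203.0.113.0/24", "2001:db8::/32"})
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	for _, c := range []string{"203.0.113.7", "198.51.100.7", "::ffff:203.0.113.7", "2001:db8:1::1"} {
		ok, err := al.Permits(c)
		fmt.Printf("%-20s permitted=%v err=%v\n", c, ok, err)
	}
}
```

Validating at configuration time rather than at connection time is deliberate: a typo in a CIDR block should fail the deployment, not silently produce an allow list that either locks operators out or, in the /0 case, lets the whole internet open sessions.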