Customer Security Responsibilities

The customer is always responsible for securing aspects of the system that are under the customer's direct control. These responsibilities include:

  • Information and Data: The customer always retains control over information and data. The customer controls how and when this data is used. The Cloud provider (Oracle) has zero visibility into customer data, and all data access is under the customer's control by design.

  • Application Logic and Code: Regardless of how Cloud resources are spun up, the customer secures and controls the customer's proprietary applications during the entire application life cycle. This includes securing code repositories from malicious misuse or intrusion, application build testing during the development and integration process, ensuring secure production access, and maintaining the security of any connected systems.

  • Identity and Access: The customer is always responsible for all aspects of identity and access management (IAM). This includes authentication and authorization mechanisms, any single sign-on (SSO) access, multi-factor authentication (MFA), access keys, certificates, user creation processes, and password management.

  • Platform and Resource Configuration: When cloud environments spin up, the customer controls the operating environment. How control is maintained over those environments varies, based on whether instances are server-based or serverless (PaaS). A server-based instance requires more hands-on control over security, including OS and application hardening, maintaining OS and application patches, and so on. Server-based instances in the cloud behave like physical servers, and function as an extension of the customer's data center. For serverless resources, the provider's control plane gives the customer access to the configuration setup. In all cases, the customer is responsible for knowing how to configure customer instances in a secure manner.

    Additionally, the customer maintains responsibility for securing everything in the customer organization that connects with the cloud. This includes:

    • The on-premises infrastructure stack and user devices.

    • Customer-owned networks and applications.

    • The communication layers that connect the customer's users, both internal and external, to the cloud and to each other.

    The customer also needs to set up monitoring and alerting for security threats, incidents, and responses for domains that remain under customer control.