The image shows the security architecture underlying an implementation of an enterprise-scale baseline landing zone. It shows a tenancy (root compartment), labeled Level 0 (zero). Within the tenancy are a Cloud Guard instance and an IAM instance. Level 1 contains a business unit and two Level 2 compartments, one for the common infrastructure, the other for the application landing zone.
The business unit contains a Cloud Guard instance, an Auditing service, and an IAM instance.
- Cloud Guard
- Two Service Connector Hubs
- Vulnerability scanning
- Storage buckets
- Logging Analytics service
- Logging service
- A service connector hub
- A streaming service
- A VM
- An autonomous database
The network compartment contains a virtual cloud network, which is accessed through an internet gateway, a NAT gateway, or a dynamic routing gateway, and a bastion service.
The application landing zone contains two Level 3 compartments, one for front-end applications, the other for back-office applications. Each is protected within a maximum security zone.
The tenancy Cloud Guard instance communicates with all other Cloud Guard instances to provide data security across the architecture. The business unit (Level 1) Auditing service directs traffic through the Service Connector Hub in the security compartment, which passes it to the storage bucket. From there, user key data is passed into the key vault. If an optional subcompartment for third-party security solutions is used, the business unit (Level 1) Auditing service also directs traffic through the subcompartment's Service Connector Hub to the streaming service, which pulls transactional data from the VM.
Data from the network compartment is passed to the Logging service, which then passes the appropriate data either back through the third-party security solutions subcompartment's Service Connector Hub to its streaming service, or through the security compartment's Service Connector Hub on to the Logging Analytics service.
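The two flows through the security compartment's Service Connector Hub, expressed as an added Terraform illustration using the OCI provider's `oci_sch_service_connector` resource; this is not the landing zone's own code, and every variable, OCID and name is an assumed placeholder:

```hcl
# Added illustration, not part of the landing zone. Connector 1 routes audit logs from the
# business unit to the security compartment's Object Storage bucket; connector 2 routes VCN
# flow logs from the network compartment to Logging Analytics. All values are placeholders.

variable "security_compartment_id"      { type = string } # security compartment OCID
variable "business_unit_compartment_id" { type = string } # Level 1 business unit OCID
variable "network_compartment_id"       { type = string } # network compartment OCID
variable "object_storage_namespace"     { type = string } # tenancy Object Storage namespace
variable "audit_bucket_name"            { type = string } # existing bucket in the security compartment
variable "flow_log_group_id"            { type = string } # Logging log group holding VCN flow logs
variable "flow_log_id"                  { type = string } # the VCN flow log itself
variable "la_log_group_id"              { type = string } # Logging Analytics log group

resource "oci_sch_service_connector" "audit_to_bucket" {
  compartment_id = var.security_compartment_id
  display_name   = "audit-to-bucket"
  source {
    kind = "logging"
    log_sources {
      compartment_id = var.business_unit_compartment_id
      log_group_id   = "_Audit_Include_Subcompartment" # built-in audit log group incl. child compartments
    }
  }
  target {
    kind               = "objectStorage"
    namespace          = var.object_storage_namespace
    bucket             = var.audit_bucket_name
    object_name_prefix = "audit/"
  }
}

resource "oci_sch_service_connector" "flowlogs_to_logging_analytics" {
  compartment_id = var.security_compartment_id
  display_name   = "vcn-flow-logs-to-logging-analytics"
  source {
    kind = "logging"
    log_sources {
      compartment_id = var.network_compartment_id
      log_group_id   = var.flow_log_group_id
      log_id         = var.flow_log_id
    }
  }
  target {
    kind         = "loggingAnalytics"
    log_group_id = var.la_log_group_id
  }
}
```

Service Connector Hub still needs an IAM policy granting it write access to the bucket and the Logging Analytics log group; that policy is omitted here, and without it the connectors are created but deliver nothing.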