Protect Data at Rest

Oracle Cloud Infrastructure offers three storage services: Block Volumes, Object Storage, and File Storage. All three encrypt data at rest. Object Storage is reached only over TLS; for Block Volumes and File Storage, encryption in transit is an option that you enable. Use the following mechanisms to apply additional best practices and keep your data in the cloud secure.

Restrict Permissions for Deleting Storage Resources

Enterprise Architect, Security Architect, Data Architect

To minimize the risk of inadvertent or malicious deletion of your data in the cloud, or to satisfy a requirement for immutable storage (for database backups, for example), grant the permissions in the following table only to the users who need them. In IAM policy these permissions arrive through the manage verb on the resource type or its family, so either limit who receives manage on storage resources or carve the delete permissions out of a manage grant with a where request.permission != '...' condition, and review those grants periodically.

Service          Permissions that you should restrict
Block Volumes    VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, VOLUME_BACKUP_DELETE
File Storage     FILE_SYSTEM_DELETE, MOUNT_TARGET_DELETE, EXPORT_SET_DELETE
Object Storage   BUCKET_DELETE, OBJECT_DELETE

Ensure Secure Access to File Storage

Enterprise Architect, Security Architect, Data Architect

Take steps to ensure file storage is protected from unauthorized access.
  • Oracle Cloud Infrastructure File Storage exposes an NFSv3 endpoint as a mount target in a subnet that you choose. The mount target is identified by a DNS name and mapped to an IP address. Use the subnet's security lists or network security groups attached to the mount target to allow NFS traffic (TCP ports 111, 2048, 2049, and 2050, and UDP ports 111 and 2048) only from the CIDR ranges of authorized clients.
  • Apply well-known NFS hardening through the export options of each export: list only the client CIDRs that may mount, require a privileged source port, grant read-only access where writes are not needed, and squash client identities to nfsnobody (identity squash ALL with anonymous UID and GID 65534, the equivalent of the classic all_squash option). Then enforce access within the file system with file permissions, because squashing decides who the server thinks the client is, not what that identity may touch.
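The export-option hardening above, as an added example that is not Oracle's code: a small Python linter that compares a permissive export-options document with a hardened one and reports what a reviewer should reject. The camelCase field names (source, requirePrivilegedSourcePort, access, identitySquash, anonymousUid, anonymousGid) and the defaults it assumes follow my understanding of the File Storage API's client options, the array passed to oci fs export update --export-options; verify them against the current API reference before relying on the checks. Both documents are constructed for illustration.

```python
"""Lint OCI File Storage export options before applying them.

Added example; this is not Oracle's code. The dictionaries use the camelCase
field names I understand the File Storage API accepts for an export's client
options (the JSON array given to 'oci fs export update --export-options');
check them, and the defaults assumed below, against the current API reference.
The two documents are constructed for illustration.
"""
import ipaddress

# A permissive document: a catch-all entry with root kept as root, listed
# ahead of a narrower, well-squashed entry.
PERMISSIVE = [
    {"source": "0.0.0.0/0", "requirePrivilegedSourcePort": False,
     "access": "READ_WRITE", "identitySquash": "NONE"},
    {"source": "10.0.2.0/24", "requirePrivilegedSourcePort": True,
     "access": "READ_ONLY", "identitySquash": "ALL",
     "anonymousUid": 65534, "anonymousGid": 65534},
]

# The hardened equivalent: one trusted client CIDR, privileged source ports,
# every client identity squashed to nfsnobody (uid/gid 65534).
HARDENED = [
    {"source": "10.0.2.0/24", "requirePrivilegedSourcePort": True,
     "access": "READ_WRITE", "identitySquash": "ALL",
     "anonymousUid": 65534, "anonymousGid": 65534},
]


def check_export_options(options):
    """Return (index, code, message) findings for a list of export options.

    The mount target evaluates entries in order and the first entry whose
    source matches the client wins, so a broad CIDR listed before a narrower
    one silently shadows it.
    """
    findings = []
    earlier = []  # (index, network) of entries already processed
    for i, opt in enumerate(options):
        net = ipaddress.ip_network(opt["source"], strict=False)
        if net.prefixlen == 0:
            findings.append((i, "open-source",
                             "source matches every client that can reach the mount target"))
        # Assumed API default: True. Without it any local user on a client can
        # forge NFS requests from an unprivileged port.
        if not opt.get("requirePrivilegedSourcePort", True):
            findings.append((i, "unprivileged-port", "requirePrivilegedSourcePort is false"))
        squash = opt.get("identitySquash", "NONE")  # assumed API default: NONE
        if squash == "NONE":
            findings.append((i, "no-squash",
                             "root on the client is root on the file system; use ROOT or ALL"))
        elif opt.get("anonymousUid", 65534) == 0 or opt.get("anonymousGid", 65534) == 0:
            findings.append((i, "anon-root",
                             "squashed identities map to uid/gid 0, which is worse than no squash"))
        for j, prior in earlier:
            if prior.version == net.version and net.subnet_of(prior):
                findings.append((i, "shadowed",
                                 f"never matched: entry {j} ({prior}) is listed first and contains it"))
                break
        earlier.append((i, net))
    return findings


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        results = check_export_options(doc)
        print(f"{name}: {len(results)} finding(s)")
        for index, code, message in results:
            print(f"  entry {index} [{code}] {message}")
```

The permissive document yields four findings: the catch-all source, the unprivileged-port allowance, the missing squash, and the narrower entry being shadowed because the mount target applies the first matching entry; the hardened document yields none. The ordering check is the one people miss: a specific, well-squashed entry is no protection if a broader entry sits above it.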

Ensure Secure Access to Object Storage

Enterprise Architect, Security Architect, Data Architect

Object Storage provides AES-256 encryption for data at rest. Take steps to ensure object storage is protected from unauthorized access.
  • Buckets can be public or private. A public bucket allows unauthenticated, anonymous reads of every object in it. Create private buckets, and use pre-authenticated requests (PARs) to give users without IAM credentials access to specific objects. A PAR URL is a bearer credential: anyone holding it gets the access it grants until it expires, so scope each PAR to the narrowest object and operation you can, set a short expiration, and handle the URL as a secret.
  • To minimize the possibility of a bucket being made public inadvertently or maliciously, grant the BUCKET_UPDATE permission (the permission that changes a bucket's public-access setting) to a minimal set of IAM users.
  • Enable versioning on object storage buckets so that an overwritten or deleted object survives as a previous version and can be restored.
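The delete permissions tabulated under "Restrict Permissions for Deleting Storage Resources" and the BUCKET_UPDATE point above are both enforced through IAM policy statements, and the common mistake is to grant manage on a family and assume a where clause fixed it. The following is an added example, not Oracle's code or the OCI SDK: an offline auditor that parses policy statements and reports which of those permissions each one effectively grants, honouring request.permission conditions in both the exclusion form (all {... != ...}) and the allow-list form (any {... = ...}) from the policy reference. The verb-to-permission mapping it encodes (delete permissions only with manage, BUCKET_UPDATE with use or manage, all-resources carrying everything) is my reading of the Permissions Reference and should be checked against the current tables; the sample statements are constructed.

```python
"""Flag OCI IAM policy statements that grant the storage permissions this page says to restrict.

Added example, not Oracle's code or the OCI SDK: it parses statement text offline.
Assumed (my reading of the Policy Reference, to be checked): *_DELETE permissions come
only with 'manage', BUCKET_UPDATE with 'use' or 'manage', and 'all-resources' carries
every permission. The sample statements are constructed.
"""
import re

VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# permission -> (resource types that carry it, least verb that grants it)
SENSITIVE = {
    "VOLUME_DELETE":            ({"volumes", "volume-family"}, "manage"),
    "VOLUME_ATTACHMENT_DELETE": ({"volume-attachments", "volume-family"}, "manage"),
    "VOLUME_BACKUP_DELETE":     ({"volume-backups", "volume-family"}, "manage"),
    "FILE_SYSTEM_DELETE":       ({"file-systems", "file-family"}, "manage"),
    "MOUNT_TARGET_DELETE":      ({"mount-targets", "file-family"}, "manage"),
    "EXPORT_SET_DELETE":        ({"export-sets", "file-family"}, "manage"),
    "BUCKET_DELETE":            ({"buckets", "object-family"}, "manage"),
    "BUCKET_UPDATE":            ({"buckets", "object-family"}, "use"),
    "OBJECT_DELETE":            ({"objects", "object-family"}, "manage"),
}

STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject>any-user|(?:group|dynamic-group|service)\s+(?:id\s+)?\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<where>.+?))?\s*$",
    re.IGNORECASE,
)
EQ = re.compile(r"request\.permission\s*(?<![!<>])=\s*'([A-Za-z_]+)'", re.IGNORECASE)
NEQ = re.compile(r"request\.permission\s*!=\s*'([A-Za-z_]+)'", re.IGNORECASE)
ANY_BLOCK = re.compile(r"any\s*\{([^}]*)\}", re.IGNORECASE)

SAMPLE_POLICY = [
    # Over-broad: manage on the family includes all three delete permissions.
    "Allow group StorageOps to manage volume-family in compartment Prod",
    # Hardened: same day-to-day rights, deletion carved out with a conjunction.
    "Allow group StorageOps to manage volume-family in compartment Prod where all "
    "{request.permission != 'VOLUME_DELETE', request.permission != 'VOLUME_BACKUP_DELETE', "
    "request.permission != 'VOLUME_ATTACHMENT_DELETE'}",
    # Looks hardened but is not: 'any' of two inequalities holds for every permission.
    "Allow group BackupOps to manage volume-backups in compartment Prod where any "
    "{request.permission != 'VOLUME_BACKUP_DELETE', request.permission != 'VOLUME_CREATE'}",
    # Allow-list form from the policy reference: create and inspect only.
    "Allow group ObjectWriters to manage objects in compartment Prod where any "
    "{request.permission='OBJECT_CREATE', request.permission='OBJECT_INSPECT'}",
    # Reads like a harmless grant, but 'use buckets' carries BUCKET_UPDATE.
    "Allow group AppReaders to use buckets in compartment Prod",
    "Allow group AppReaders to read buckets in compartment Prod",
]


def permission_conditions(where):
    """Return (allow-list or None, excluded set) for a where clause.

    'any {p != A, p != B}' is true for every permission, since none equals both
    A and B at once, so inequalities inside such a block exclude nothing.
    """
    allowed = {p.upper() for p in EQ.findall(where)} or None
    excluded = {p.upper() for p in NEQ.findall(where)}
    for block in ANY_BLOCK.findall(where):
        terms = NEQ.findall(block)
        if len(terms) > 1:
            excluded -= {t.upper() for t in terms}
    return allowed, excluded


def sensitive_permissions_granted(statement):
    """Return the restricted permissions one statement effectively grants."""
    m = STATEMENT.match(statement)
    if not m:
        raise ValueError(f"unrecognised statement: {statement!r}")
    verb, resource = m["verb"].lower(), m["resource"].lower()
    granted = {
        perm for perm, (types, least_verb) in SENSITIVE.items()
        if (resource in types or resource == "all-resources")
        and VERB_RANK[verb] >= VERB_RANK[least_verb]
    }
    allowed, excluded = permission_conditions(m["where"] or "")
    if allowed is not None:
        granted &= allowed
    return granted - excluded


def audit(statements):
    """Map each offending statement to the sorted restricted permissions it grants."""
    report = {}
    for statement in statements:
        perms = sensitive_permissions_granted(statement)
        if perms:
            report[statement] = sorted(perms)
    return report


if __name__ == "__main__":
    for statement, perms in audit(SAMPLE_POLICY).items():
        print(f"{', '.join(perms)}\n    <- {statement}")
```

Two of the constructed statements are the instructive ones: any {p != A, p != B} looks like a restriction but is satisfied by every permission, so the auditor treats it as excluding nothing, and use buckets, which reads like a read-mostly grant, still carries BUCKET_UPDATE. Run the auditor over an export of your tenancy's policy statements and every line it prints is a grant to justify or tighten.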

Encrypt Data in Block Volumes

Enterprise Architect, Security Architect, Data Architect

The Oracle Cloud Infrastructure Block Volumes service always encrypts block volumes and boot volumes at rest with the Advanced Encryption Standard (AES) algorithm and 256-bit keys. Consider the following additional encryption options.
  • Encrypt your volumes and their backups with keys that you own and manage in the Oracle Cloud Infrastructure Vault service rather than with Oracle-managed keys. Doing so puts rotation under your control and lets you disable a key to revoke access to the data it protects.
  • Data moves between an instance and its attached block volume over Oracle's internal network, and that path is not encrypted unless you request it. Enable in-transit encryption when you attach a volume to a virtual machine instance with a paravirtualized attachment; the setting is chosen at attach time.

Encrypt Data in File Storage

Enterprise Architect, Security Architect, Data Architect

The Oracle Cloud Infrastructure File Storage service encrypts all data at rest. By default, the file systems are encrypted by using Oracle-managed encryption keys.

Encrypt your file systems with keys that you own and manage in the Oracle Cloud Infrastructure Vault service, so that key rotation and revocation are under your control.

Vault keys are regional. In cross-region deployments, for example when a file system is replicated to another region, make sure a key that you control exists in the destination region as well and that the file system there is encrypted with it; otherwise the replica falls back to an Oracle-managed key or cannot be created with your key at all.

Encrypt Data in Object Storage

Enterprise Architect, Security Architect, Data Architect

The Oracle Cloud Infrastructure Object Storage service encrypts every object with the Advanced Encryption Standard (AES) algorithm and 256-bit keys. Each object is encrypted with its own key.
  • The per-object keys are, in turn, encrypted (wrapped) with a master encryption key assigned to the bucket. By default that master key is Oracle-managed.
  • Configure buckets to use your own master encryption key stored in the Oracle Cloud Infrastructure Vault service, and rotate it on a schedule that you define. Rotation creates a new key version that protects newly written objects; earlier versions remain available to unwrap the object keys that were wrapped with them, so do not disable or delete a version while objects still depend on it.
  • Where immutability is required, complement encryption with retention rules, which prevent the objects in a bucket from being modified or deleted for a defined period. Retention rules and versioning cannot be combined on the same bucket, so decide which protection a bucket needs.

Maintain Keys and Secrets in Oracle Cloud Infrastructure Vault

Enterprise Architect, Security Architect, Data Architect

Oracle Cloud Infrastructure Vault stores secrets such as passwords, SSH keys, encryption keys, and certificates that applications use to access resources. Keeping secrets in a vault is more secure than embedding them in code or local files: access is mediated by IAM policy, recorded in the audit log, and revocable without redeploying the application.
  • Simplify key management by centrally storing and managing encryption keys.
  • Define a specific key to encrypt secrets and rotate it periodically.
  • Protect data at rest and in transit with the key types that Vault supports, including symmetric keys and asymmetric keys.
  • Confine the resources that call Vault to private subnets and route them to the service through a service gateway rather than over the public internet.
  • Periodically rotate secret contents to reduce impact if a secret is exposed.
  • Define a Secret Reuse Rule to prevent the reuse of secret contents across different versions of a secret.
  • Define a Secret Expiry Rule to limit the period of time a secret version can be used.
  • Integrate encryption with other OCI services such as storage, database, or applications for protecting data stored in these services.