This is a comprehensive list of security controls within the Oracle ecosystem, primarily focusing on Oracle Cloud Infrastructure (OCI).
Oracle uses a "Security-First" architecture, aiming to automate security and provide built-in protection by default. Like other major cloud providers, Oracle operates under a Shared Responsibility Model. Oracle is responsible for the security of the cloud (hardware, infrastructure, facilities), while the customer is responsible for security in the cloud (OS, applications, data, IAM configuration).
These controls define who (principals, users, groups, service accounts) can access which resources (instances, storage buckets, databases) in OCI.
OCI Identity and Access Management (IAM): The foundation of OCI security. It enables you to control access to OCI resources through:
Compartments: A fundamental logical isolation mechanism. Resources are organized within compartments, and IAM policies are assigned at the compartment level, ensuring strict isolation between different environments (e.g., Prod, Test, Dev) or organizational departments.
Domains: A container for managing users, groups, and applications, providing a level of isolation similar to other directory services.
Policies: Human-readable authorization statements that define permissions. Policies follow a structured syntax (e.g., "Allow group Advisors to manage instances in compartment Finance").
Dynamic Groups: Groups whose membership is defined by matching rules (e.g., all instances in a compartment) rather than by a static member list, allowing those instances to make authorized calls to OCI services without managing stored credentials.
Service Principals: Identities assigned to OCI services (e.g., Functions, DevOps) so they can interact with other services securely without credentials.
Multi-Factor Authentication (MFA): A vital control that requires a second factor of authentication beyond just a username and password. OCI IAM natively supports various MFA methods (mobile apps, SMS, hardware tokens).
Identity Federation: Allows OCI to integrate with external identity providers (like Microsoft Entra ID (Azure AD), Okta, or on-premises Active Directory) using standard protocols like SAML or OIDC.
API Signing Keys & Auth Tokens: Mechanism for users and automated tools to authenticate against the OCI API. Security controls around rotating and managing these keys are critical.
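The policy syntax above lends itself to automated review. The following is an added example (not Oracle's code) of a small linter that parses statements of the form `Allow <subject> to <verb> <resource-type> in <location> [where <condition>]` and reports the privilege-breadth findings a reviewer would raise; the finding texts and the set of checks are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical linter for OCI IAM policy statements (added example, not Oracle's code).
# Grammar handled: Allow <subject> to <verb> <resource-type> in <location> [where <condition>]
STATEMENT = re.compile(
    r"^allow\s+(?P<subject>any-user|(?:group|dynamic-group|service)\s+[\w.'\-/]+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w\-]+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+(?:id\s+)?[\w.:\-]+)"
    r"(?:\s+where\s+(?P<condition>.+))?$",
    re.IGNORECASE,
)

@dataclass
class Statement:
    subject: str
    verb: str
    resource: str
    location: str
    condition: Optional[str]

def parse_statement(text: str) -> Statement:
    """Split one policy statement into its parts; raise on anything off-grammar."""
    m = STATEMENT.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    return Statement(m["subject"].lower(), m["verb"].lower(), m["resource"].lower(),
                     m["location"].lower(), m["condition"])

def lint_statement(text: str) -> List[str]:
    """Return the privilege-breadth findings a reviewer would raise for one statement."""
    s = parse_statement(text)
    findings = []
    if s.subject == "any-user":
        findings.append("subject any-user: every authenticated principal is granted this access")
    if s.verb == "manage" and s.resource == "all-resources":
        findings.append("manage all-resources: full administrative control over the scope")
    if s.location == "tenancy" and s.verb in ("use", "manage"):
        findings.append("write verb scoped to the whole tenancy instead of a compartment")
    if s.subject.startswith("dynamic-group") and s.verb == "manage" and not s.condition:
        findings.append("instance principals granted manage with no where-condition")
    return findings

def lint_policy(statements: List[str]) -> dict:
    """Map each statement to its findings, keeping only statements that have any."""
    return {stmt: f for stmt in statements if (f := lint_statement(stmt))}
```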
These controls manage network isolation, traffic flow, and external perimeter protection.
Virtual Cloud Network (VCN): The core isolated network environment in OCI.
Network Security Groups (NSGs): A modern approach to network firewalls. NSGs consist of a set of ingress and egress security rules that apply only to a specific group of VNICs (Virtual Network Interface Cards) on resources (like instances or databases), rather than to an entire subnet.
Security Lists: A subnet-level firewall mechanism. Security lists define ingress and egress rules that apply statefully or statelessly to all resources within that subnet. (Usually used in conjunction with NSGs).
OCI Web Application Firewall (WAF): Protects web applications from malicious traffic, SQL injection, XSS, bot attacks, and Layer 7 DDoS attacks. It can be integrated with Load Balancers or public-facing endpoints.
FastConnect: Provides a private, dedicated connection between the customer’s on-premises infrastructure and OCI, bypassing the public internet for enhanced security, privacy, and predictable performance.
DRG (Dynamic Routing Gateway): Acts as a central router to connect VCNs to other networks, such as on-premises networks (via FastConnect or Site-to-Site VPN) or other peered VCNs.
DDoS Protection: OCI provides always-on, volumetric DDoS attack protection for all OCI public-facing endpoints (Layers 3 and 4) at no additional charge.
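Security lists and NSGs are only as good as their rules, so a posture check over exported rules is a common first audit. This added example (not Oracle's code) walks a constructed list of ingress/egress rules laid out with the snake_case field names the OCI Python SDK uses and reports rules that expose management ports, or every port, to the whole internet; the management-port table is an assumption of the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed ingress/egress rules in the field layout the OCI SDK uses for security lists
# and NSGs (added example, not real tenancy data). Protocol "6" is TCP, "17" is UDP.
RULES = [
    {"direction": "INGRESS", "source": "0.0.0.0/0", "protocol": "6", "is_stateless": False,
     "tcp_options": {"destination_port_range": {"min": 22, "max": 22}}},
    {"direction": "INGRESS", "source": "0.0.0.0/0", "protocol": "6", "is_stateless": False,
     "tcp_options": {"destination_port_range": {"min": 443, "max": 443}}},
    {"direction": "INGRESS", "source": "10.0.0.0/16", "protocol": "6", "is_stateless": False,
     "tcp_options": {"destination_port_range": {"min": 1521, "max": 1521}}},
    {"direction": "INGRESS", "source": "::/0", "protocol": "all", "is_stateless": True},
    {"direction": "EGRESS", "destination": "0.0.0.0/0", "protocol": "all", "is_stateless": False},
]
# Assumed table of ports that should never be reachable from the internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 1521: "Oracle Net", 3306: "MySQL", 5985: "WinRM"}

def is_world_open(source: str) -> bool:
    """True when the CIDR admits every address (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # non-CIDR sources such as Oracle Services Network labels

def dest_ports(rule: dict) -> Tuple[int, int]:
    """Destination port range a TCP/UDP rule admits; absent options mean all ports."""
    opts = rule.get("tcp_options") if rule["protocol"] == "6" else rule.get("udp_options")
    rng = (opts or {}).get("destination_port_range")
    return (rng["min"], rng["max"]) if rng else (1, 65535)

def exposed_management_ports(rules: List[dict]) -> List[Dict]:
    """Report ingress rules that expose a management port (or everything) to the internet."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.get("direction") != "INGRESS" or not is_world_open(rule.get("source", "")):
            continue
        if rule["protocol"] == "all":
            findings.append({"rule": idx, "exposed": "all protocols and ports"})
            continue
        if rule["protocol"] not in ("6", "17"):
            continue
        lo, hi = dest_ports(rule)
        hit = [f"{p}/{n}" for p, n in MANAGEMENT_PORTS.items() if lo <= p <= hi]
        if hit:
            findings.append({"rule": idx, "exposed": ", ".join(hit)})
    return findings
```

Rule 1 (443 from anywhere) is left alone because public HTTPS is an expected exposure; the intent is to catch management and database ports, not every open port.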
These controls focus on data security at rest (storage) and in transit (network). Oracle is well known for robust database-level security.
Encryption and Key Management
Always-on Encryption: OCI encrypts all customer data by default at rest in Object Storage, Block Volume, File Storage, and Database services using Oracle-managed keys.
OCI Vault (Key Management): A managed service that enables customers to centrally manage encryption keys and secrets (like database credentials, SSH keys, application tokens).
Customer-Managed Keys (CMK): Customers can generate and rotate their own cryptographic keys within Vault to protect data in supported services (e.g., Block Volumes, Object Storage, Database).
FIPS 140-2 Level 3 HSMs: Customers requiring higher regulatory compliance can utilize keys stored in FIPS 140-2 Level 3 certified Hardware Security Modules within Vault.
Database Specific Security
Transparent Data Encryption (TDE): Native to Oracle Databases (including OCI Database Cloud Service and Autonomous Database). TDE automatically encrypts sensitive columns (Column Encryption) or entire tablespaces (Tablespace Encryption) without requiring application changes.
Oracle Data Safe: A unified, cloud-based control center for managing the security posture of Oracle databases (cloud or on-premises). It provides:
Data Discovery: Finds sensitive data (PII, financial).
Data Masking: Replaces sensitive data with realistic but fictional data for non-production environments.
User Assessment: Identifies high-risk database users and assesses their permissions.
Security Assessment: Compares database configurations against security best practices (e.g., CIS benchmarks).
Database Vault: Controls access to application data within the database itself, preventing powerful administrative users (like DBAs) from seeing highly sensitive information unless strictly authorized.
These controls are designed to protect compute instances (VMs, Bare Metal), container environments, and application runtimes.
Cloud Guard: A comprehensive cloud security posture management (CSPM) service. It analyzes logs, resource configurations, and audit data, automatically identifying security misconfigurations and potential threats across OCI compartments. It can trigger automated "responder" actions to remediate problems (e.g., shut down a public bucket).
Scanning Service: Performs automated vulnerability scanning of OCI Compute instances and Container images stored in Oracle Cloud Infrastructure Registry (OCIR). It checks for CVEs (Common Vulnerabilities and Exposures) and insecure port configurations.
Compute Security:
Shielded Instances: Utilizes a Hardware Root of Trust and Secure Boot to ensure that the server firmware and boot environment have not been tampered with by malware (rootkits/bootkits).
Isolation by default: Instances do not share memory or compute resources unless explicitly configured, minimizing the risk of side-channel attacks.
Bastion Service: Provides secure, time-limited SSH access to target private resources (like compute instances without public IPs) from specific public IP addresses, over SSL. This eliminates the need for jump hosts or public-facing management ports.
These controls provide visibility, maintain a history of activity, and ensure compliance across the OCI environment.
Audit Service: Automatically records all API calls made to OCI resources, capturing "who did what, when, and from where." Audit logs are crucial for forensic analysis, operational auditing, and compliance verification.
Logging Service: Collects logs from OCI services (Service Logs), custom application logs (Custom Logs), and diagnostic logs (Audit Logs), providing a single pane of glass for log management and analysis.
Compliance Center: Allows on-demand access to Oracle’s compliance documentation (e.g., SOC, ISO, PCI, FedRAMP reports), illustrating Oracle’s adherence to global security standards.
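The "who did what, when, and from where" that the Audit Service records maps onto a handful of fields in each event. This added example (not Oracle's code) pulls those fields out of constructed records shaped like OCI Audit log events and flags privileged control-plane changes that came from outside an assumed trusted address range or outside assumed business hours; the set of privileged event names and the trusted CIDRs are assumptions of the example.

```python
import ipaddress
from datetime import datetime, timezone
from typing import List

# Constructed Audit records in the shape of OCI Audit log events (added example, not real
# tenancy data): a CloudEvents envelope with the who/what/when/where fields under "data".
AUDIT_EVENTS = [
    {"eventType": "com.oraclecloud.identitycontrolplane.createpolicy", "eventTime": "2024-05-01T09:12:44.000Z",
     "data": {"eventName": "CreatePolicy", "compartmentName": "Finance", "resourceName": "finance-admins",
              "identity": {"principalName": "alice@example.com", "authType": "natv", "ipAddress": "203.0.113.25"}}},
    {"eventType": "com.oraclecloud.computeapi.launchinstance", "eventTime": "2024-05-01T10:02:10.000Z",
     "data": {"eventName": "LaunchInstance", "compartmentName": "Dev", "resourceName": "build-1",
              "identity": {"principalName": "ci-runner", "authType": "instance", "ipAddress": "10.0.1.8"}}},
    {"eventType": "com.oraclecloud.virtualnetwork.updatesecuritylist", "eventTime": "2024-05-01T23:47:03.000Z",
     "data": {"eventName": "UpdateSecurityList", "compartmentName": "Prod", "resourceName": "prod-web-sl",
              "identity": {"principalName": "bob@example.com", "authType": "natv", "ipAddress": "198.51.100.77"}}},
]
# Assumed set of operations that change access or perimeter settings (IAM, NSG/security-list, keys).
PRIVILEGED = {"CreatePolicy", "UpdatePolicy", "DeletePolicy", "UpdateSecurityList",
              "AddNetworkSecurityGroupSecurityRules", "CreateUser", "UploadApiKey"}
# Assumed allow-list of networks administrative sessions are expected to originate from.
TRUSTED = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.0.0.0/8")]

def summarize(event: dict) -> dict:
    """Extract 'who did what, when, and from where' from one Audit record."""
    d, ident = event["data"], event["data"]["identity"]
    when = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"who": ident["principalName"], "what": d["eventName"],
            "on": f'{d["compartmentName"]}/{d["resourceName"]}', "when": when,
            "where": ident["ipAddress"]}

def flag_privileged_changes(events: List[dict]) -> List[dict]:
    """Privileged changes made from an untrusted address or outside 06:00-20:00 UTC."""
    flagged = []
    for ev in events:
        s = summarize(ev)
        if s["what"] not in PRIVILEGED:
            continue
        reasons = []
        if not any(ipaddress.ip_address(s["where"]) in net for net in TRUSTED):
            reasons.append("untrusted source address")
        if not 6 <= s["when"].hour < 20:
            reasons.append("outside business hours")
        if reasons:
            flagged.append({**s, "reasons": reasons})
    return flagged
```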