Oracle’s mission is to build cloud infrastructure and platform services for your business to have effective and manageable security to run your mission-critical workloads
and store your data with confidence.
Oracle Cloud Infrastructure’s security approach is based on seven core
pillars. Each pillar has multiple solutions designed to maximize the security and
compliance of the platform.
- customer isolation
- Allow customers to deploy their application and data assets in an environment that
commits full isolation from other tenants and Oracle’s staff.
- data encryption
- Protect customer data at-rest and in-transit in a way that allows customers to meet
their security and compliance requirements for cryptographic algorithms and key
- security controls
- Offer customers effective and easy-to-use security management solutions that allow
them to constrain access to their services and segregate operational
responsibilities to reduce risk associated with malicious and accidental user
- Offer customers comprehensive log data and security analytics that they can use to
audit and monitor actions on their resources, allowing them to meet their audit
requirements and reduce security and operational risk.
- secure hybrid cloud
- Enable customers to use their existing security assets, such as user accounts and
policies, as well as third-party security solutions when accessing their cloud
resources and securing their data and application assets in the cloud.
- high availability
- Offer fault-independent data centers that enable high availability scale-out
architectures and are resilient against network attacks, ensuring constant uptime in
the face of disaster and security attack.
- verifiably secure infrastructure
- Follow rigorous processes and use effective security controls in all phases of cloud
service development and operation. Demonstrate adherence to Oracle’s strict security
standards through third-party audits, certifications, and attestations. Help
customers demonstrate compliance readiness to internal security and compliance
teams, their customers, auditors, and regulators.
Also, Oracle employs some of the world’s foremost security experts in
information, database, application, infrastructure, and network security. By using
Oracle Cloud Infrastructure, our customers directly benefit from
Oracle’s deep expertise and continuous investments in security.
Basic Security Considerations
The following principles are fundamental to using any application securely:
- Keep software up-to-date. This includes the latest product release and any patches
that apply to it.
- Limit privileges as much as possible. Users should be given only the access
necessary to perform their work. User privileges should be reviewed periodically to
determine relevance to current work requirements.
- Monitor system activity. Establish who should access which system components, and
how often, and monitor those components.
- Learn about and use
the Oracle Cloud Infrastructure security features. For more information, see Security Services and Features.
- Use secure best practices. For more information, see Security Best Practices .
- Keep up-to-date on security information. Oracle regularly issues
security-related patch updates and security alerts. Install all security
patches as soon as possible. See the Critical Patch Updates and Security Alerts
Understanding the Oracle Cloud Infrastructure Environment
When planning your Oracle Cloud Infrastructure deployment, consider the
Which resources must be protected?
- Protect customer data, such as credit card numbers.
- Protect internal data, such as proprietary source code.
- Protect system components from being disabled by external attacks or intentional
Who are you protecting data from?
For example, you must protect your subscribers’ data from other subscribers, but
someone in your organization needs to access that data to manage it. Analyze your workflows to determine who needs access to the data. Consider carefully how much access to give a system administrator; it is
possible that a system administrator can manage your system components without
needing to access the system data.
What will happen if protections on a strategic resource fail?
Sometimes, a fault in your security scheme is nothing more than an inconvenience. In
other cases, a fault might cause great damage to you or your customers.
Understanding the security ramifications of each resource will help you protect it
Shared Security Model
Oracle Cloud Infrastructure offers best-in-class security technology
and operational processes to secure its enterprise cloud services. However, for you to
securely run your workloads in Oracle Cloud Infrastructure, you must
be aware of your security and compliance responsibilities. By design, Oracle provides
security of cloud infrastructure and operations (cloud operator access controls,
infrastructure security patching, and so on), and you are responsible for securely
configuring your cloud resources. Security in the cloud is a shared responsibility
between you and Oracle.
In a shared, multi-tenant compute environment, Oracle is responsible for the security of
the underlying cloud infrastructure (such as data-center facilities, and hardware and
software systems) and you are responsible for securing your workloads and configuring
your services (such as compute, network, storage, and database) securely.
In a fully isolated, single-tenant, bare metal server with no Oracle software on it, your
responsibility increases as you bring the entire software stack (operating systems and
above) on which you deploy your applications. In this environment, you are responsible
for securing your workloads, and configuring your services (compute, network, storage,
database) securely, and ensuring that the software components that you run on the bare
metal servers are configured, deployed, and managed securely.
More specifically, your and Oracle's responsibilities can be divided into the following
- Identity and Access Management (IAM): As with all Oracle cloud
services, you should protect your cloud access credentials and set up individual
user accounts. You are responsible for managing and reviewing access for your own
employee accounts and for all activities that occur under your tenancy. Oracle is
responsible for providing effective IAM services such as identity management,
authentication, authorization, and auditing.
- Workload Security: You are responsible for protecting and securing
the operating system and application layers of your compute instances from attacks
and compromises. This protection includes patching applications and operating
systems, operating system configuration, and protection against malware and network
attacks. Oracle is responsible for providing secure images that are hardened and
have the latest patches. Also, Oracle makes it simple for you to bring the same
third-party security solutions that you use today.
- Data Classification and Compliance: You are responsible for
correctly classifying and labeling your data and meeting any compliance obligations.
Also, you are responsible for auditing your solutions to ensure that they meet your
- Host Infrastructure Security: You are responsible for securely
configuring and managing your compute (virtual hosts, containers), storage (object,
local storage, block volumes), and platform (database configuration) services.
Oracle has a shared responsibility with you to ensure that the service is optimally
configured and secured. This responsibility includes hypervisor security and the
configuration of the permissions and network access controls required to ensure that
hosts can communicate correctly and that devices are able to attach or mount the
correct storage devices.
- Network Security: You are responsible for securely configuring
network elements such as virtual networking, load balancing, DNS, and gateways.
Oracle is responsible for providing a secure network infrastructure.
- Client and Endpoint Protection: Your enterprise uses various
hardware and software systems, such as mobile devices and browsers, to access your
cloud resources. You are responsible for securing all clients and endpoints that you
allow to access Oracle Cloud Infrastructure services.
- Physical Security: Oracle is responsible for protecting the global
infrastructure that runs all of the services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware,
software, networking, and facilities that run Oracle Cloud Infrastructure services.
For information about using security credentials to access Oracle Cloud Infrastructure, see Security Credentials.
Our security model is built around
people, process, tooling, and a common security “platform” of methodologies and
approaches from which we build our products. We apply this model to our core security
components of Security Culture, Security Design and Controls, Secure Software
Development, Personnel Security, Physical Security, and Security Operations that we use
to protect and secure our customers and business.
believe that a dynamic security-first culture is vital to building a successful
security-minded organization. We have cultivated a holistic approach to security culture
in which all our team members internalize the role that security plays in our business
and are actively engaged in managing and improving our products' security posture. We
have also implemented mechanisms that assist us in creating and maintaining a
- Security-minded leadership: Our senior leadership is actively
involved in our security planning, monitoring and management. We define and measure
ourselves against security metrics and include security as a component of our team
- Embedded expertise: To help with driving security practices within
our team, we have an embedded security-engineering model with security team members
sitting and working with our product development teams. This approach enables our
security organization to build deep understanding of the product-development
processes and system architectures. We are also able to better assist teams in
solving security challenges in real time and drive security initiatives more
- Common security standards: We actively work to integrate security
into our products and operations. One way we have done this is to establish a
security standards baseline. Our objective in creating this baseline is to provide a
single security point of reference for business that establishes clear and
actionable guidelines. The security baseline is updated frequently to incorporate
learned lessons and reflect emerging business factors. We have also created a series
of support materials to assist our teams in implementing security controls including
reference architectures, implementation guides, and access to security experts.
- Values of openness, constructive debate, and encouraged escalation:
Security issues can be addressed only when the people who can fix them are aware of
them. We believe that openness and transparency, constructive debate, and encouraged
escalation make us stronger. We encourage escalation, and we work to create an
environment where raising issues early and often is rewarded.
- Security training awareness: We maintain robust security and
awareness training programs that raise awareness and reinforce our security culture.
We require in-depth security training sessions for all new employees as well as
annual refresher trainings, and we provide security training that is tailored to our
employees’ specific job roles. All our software developers undergo a secure
development training that establishes baseline security requirements for product
development and provides best practices. We also work to provide engaging and
innovative forms of security awareness training such as guest speakers and
interactive forums (and we're not above providing food, drinks, or swag to drive
Security Designs and Controls
Security is integrated into our products and
operations through our Oracle Cloud Infrastructure Methodology. This
centralized methodology defines our approach for the core security areas that form the
security foundation from which we build our products. This approach lends itself to
agility and helps us apply best practices and lessons learned from one product across
the business, thus raising the security of all our products.
- User authentication and access control: Least-privilege access is
used to grant access to production systems, and the approved lists of service team
members are periodically reviewed to revoke access when there is no justifiable
need. Access to production environments requires multi-factor authentication (MFA).
The MFA tokens are granted by the security team, and tokens of inactive members are
disabled. All access to production systems is logged, and the logs are stored for
- Change management:Oracle Cloud Infrastructure follows a defined and rigorous change
management and deployment process that uses purpose-built proprietary testing and
deployment tools. All changes deployed into our production environment follow a
testing and approval process prior to release. This process is designed to ensure
that changes operate as intended, and can otherwise be rolled back to a previous
known good state to recover gracefully from unforeseen bugs or operational issues.
We also track the integrity of critical system configurations to ensure that they
align with expected state.
- Vulnerability management: We use both internal penetration testing
teams and external industry experts to help us identify potential vulnerabilities in
our products. These exercises help us improve the security of our products, and we
work to incorporate the lessons that we learn into our future development work.
Oracle Cloud Infrastructure hosts undergo periodic
vulnerability scanning using industry-standard scanners. Scan results are triaged to
validate applicability of findings to the Oracle Cloud Infrastructure environment, and that applicable findings are
patched by our product teams.
- Incident response: We have developed strong processes and
mechanisms to enable us to respond to and address incidents as they arise. We
maintain 24/7 incident response teams ready to detect and respond to events. Our
critical staff members carry paging devices that enable us to call on the expertise
needed to bring issues to resolution. We have also built a process to help us learn
from our incidents. We perform root cause analysis through our Corrective
Action/Preventative Action (CAPA) process. CAPAs are intended to discover process
gaps and changes that should be made by the business after an incident. CAPAs act as
a common language that we can use to reflect on an issue and capture concrete steps
to improve future operational readiness. CAPAs capture the root cause of an issue,
what is required to contain or fix the issue, and what steps we must take to ensure
that the issue does not recur. Our leadership team reviews all CAPAs, looks for
cross-organizational applications for learned lessons, and ensures that actions are
implemented in a timely manner.
- Security logging and monitoring: We have created automated
mechanisms to log various security-relevant events (for example, API calls and
network events) in the infrastructure, and monitor the logs for anomalous behavior.
Alerts generated by monitoring mechanisms are tracked and triaged by the security
- Network security: By default, customer communications with Oracle Cloud Infrastructure
services are done using the latest TLS ciphers and configuration to
secure customer data in transit, and hinder any man-in-the-middle attacks. As a
further defense in depth, customer commands to the services are digitally signed
using public keys, to prevent any tampering. The services also deploy proven,
industry-leading tools and mechanisms to mitigate distributed denial of service
(DDoS) attacks and maintain high availability.
- Control plane security:Oracle Cloud Infrastructure back-end (control plane) hosts are
securely isolated from customer instances by using network ACLs. Provisioning and
management of customer instances are done by software agents that must interact with
the backend hosts. Only authenticated and authorized software agents can
successfully interact with Oracle Cloud Infrastructure back-end
hosts. For back-end hosts, pre-production environments (for example, dev, test, and
integ) are separated from production environments so that any development and test
activities do not have any impact on production systems.
- Server security and media management: Oracle has a long history of
enterprise-class secure hardware development. Our Hardware Security team is
responsible for designing and testing the security of the hardware used to deliver
Oracle Cloud Infrastructure services. This team works with our
supply chain and tests hardware components to validate them against rigorous
Oracle Cloud Infrastructure hardware security standards. This
team also works closely with our product development functions to ensure that
hardware can be returned to a pristine, safe state after being released by
- Secure host wipe and media destruction:Oracle Cloud Infrastructure instances are securely wiped after
hardware is released by customers. This secure wipe restores hardware to a pristine
state. We have re-engineered the platform with proprietary hardware components that
allow us to wipe and reinitialize the hardware in a secure manner. When the
underlying hardware has reached end-of-life, it is securely destroyed. Before
leaving our data centers, drives are rendered unusable by using industry-leading
media destruction devices.
Secure Software Development
Secure product development requires consistently
applied methodologies that conform to clear security objectives and principles. We build
security practices into every element of our product development life cycle. Oracle
employs formal secure product development standards that are a roadmap and guide for
developers. These standards discuss general security knowledge areas such as design
principles and common vulnerabilities, and provide specific guidance on topics such as
data validation, data privacy, and user management.
Oracle secure product
development standards have evolved and expanded over time to address the common issues
affecting code, new threats as they are discovered, and new use cases by Oracle
customers. The standards incorporate insights and learned lessons; they do not live in a
vacuum, nor are they an “after the fact” addendum to software development. They are
integral to language-specific standards such as C/C++, Java, PL/SQL, and others, and are
a cornerstone to Oracle's secure development programs and processes.
assurance analysis and testing verify security qualities of Oracle products against
various types of attacks. There are two broad categories of tests employed for testing
Oracle products: static and dynamic analysis. These tests fit differently in the product
development lifecycle and tend to find different categories of issues, so they are used
together by Oracle product teams.
Our people make our
business. We strive to hire the best, and we invest in and continue to develop our
employees. We value training, and we require not only baseline security training for all
our employees but also specialized training to keep our teams abreast of the latest
security technologies, exploits, and methodologies. In addition to standard annual
corporate training programs that cover our information security and privacy programs
(among many others), we engage with a broad spectrum of industry groups and send our
employees to specialist conferences to collaborate with other industry experts on
emerging challenges. The objectives of our security training programs are to help our
employees better protect our customers and products, to enable employees to grow in
their knowledge areas around security, and to further our mission to attract and retain
the best talent.
We work to recruit the best talent for our team as we grow, and
we hire people with strong ethics and good judgment. All our employees undergo
pre-employment screening as permitted by law, including criminal background checks and
prior-employment validation. We also maintain performance evaluation processes to
recognize good performance and help our teams and employees identify opportunities for
growth. We maintain both team and employee evaluation processes, and we use security as
a component of our team evaluation processes. This approach provides our teams and
leadership visibility into how our teams are performing against our security standards
and enables us to identify best practices and improvement areas for critical security
Oracle Cloud Infrastructure
data centers are designed for security and availability of customer data. This approach
begins with our site selection process. Candidate build sites and provider locations
undergo an extensive risk evaluation process that considers environmental threats, power
availability and stability, vendor reputation and history, neighboring facility
functions (for example, high-risk manufacturing or high-threat targets), and
geopolitical considerations, among other criteria.
Oracle Cloud Infrastructure data centers align with Uptime Institute and
Telecommunications Industry Association (TIA) ANSI/TIA-942-A Tier 3 or Tier 4 standards
and follow a N2 redundancy methodology for critical equipment operation. Data centers
housing Oracle Cloud Infrastructure services use redundant power
sources and maintain generator backups in case of widespread electrical outage. Server
rooms are closely monitored for air temperature and humidity, and fire suppression
systems are in place. Data center staff are trained in incident response and escalation
procedures to address security or availability events that may arise.
We take a
layered approach to physical security that starts with the site build. Oracle Cloud Infrastructure data center facilities are durably built with steel, concrete, or
comparable materials and are designed to withstand impact from a light vehicle strike.
Our sites are staffed with security guards who are ready to respond to incidents 24
hours a day, 7 days a week, 365 days a year. The exterior of the sites is secured with
perimeter barriers and vehicle checks are actively monitored by a guard force and
cameras that cover the building perimeter.
All persons entering our data centers
must first go through a layer of security at the site entrances, which are staffed with
security guards. Persons without site-specific security badges entering the site must
present government-issued identification and have an approved access request granting
them access to the data center building. All employees and visitors must wear visible,
official identification badges at all times. There are additional security layers
between the entrance and server rooms that vary depending on the site build and risk
profile. Data center server rooms are built with additional security layers including
cameras that cover server rooms, two-factor access control, and intrusion-detection
mechanisms. Physical barriers are in place to create isolated security zones around
server and networking racks that span from the floor (including below the raised floor
where applicable) to the ceiling (including above ceiling tiles where
Access to Oracle Cloud Infrastructure data centers
is carefully controlled and follows a least-privilege access approach. All access to
server rooms must be approved by authorized personnel and is granted only for the
necessary period. Access usage is audited, and access provisioned within the system is
periodically reviewed by data-center leadership. Server rooms are isolated into secure
zones that are managed on a zone-by-zone basis, and access is provisioned only for those
zones required by personnel.
The Oracle Cloud Infrastructure Security Operations team is responsible for monitoring
and securing the unique Oracle Cloud Infrastructure hosting and
virtual networking technologies. The team works and trains directly with the Oracle
engineers who develop these technologies to leverage the unique security and
introspection capabilities they provide.
We monitor emerging internet security
threats daily and implement appropriate response and defense plans to address risks to
the business. When we determine that urgent changes are recommended that are within the
scope of the customers' responsibilities, we issue security alert bulletins to those
customers to ensure their protection.
In the case of a detected or reported
security issue that affects Oracle Cloud Infrastructure servers or networks, Security
Operations staff is available 24/7 to respond, escalate, or take required corrective
action. When necessary, we will escalate and coordinate with external parties (including
network and hosting service providers, hardware vendors, or law enforcement) to protect
Oracle Cloud Infrastructure, our customers, and our network's
security and reputation.
All actions performed in response to a security issue by
the Security Operations team are done according to our documented process, and are
logged in accordance with compliance requirements. Care is always taken to protect the
goals of service and data integrity, privacy, and business continuity.
Data Rights and Ownership
Oracle Cloud Infrastructure customers retain all ownership and intellectual
property rights in and to their content. Customer data protection is critically
important, and we strive to be transparent with our data protection processes as well as
law enforcement requests that we might receive.
complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department
of Commerce regarding the collection, use, and retention of personal information
transferred from the European Union to the United States. Oracle is also responsible for
ensuring that third parties who act as an agent on our behalf do the same.
has certified to the Department of Commerce that it adheres to the Privacy Shield
Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more
about the Privacy Shield program, and to view our certification, visit
For personal information received or transferred pursuant to the Privacy Shield
Framework, Oracle is subject to the regulatory enforcement powers of the U.S. Federal
continues to adhere to the underlying European privacy principles of the U.S.-Swiss Safe
Harbor for the processing of Personal Information received from Switzerland. To learn
more about the Safe Harbor program, and to view our certification, visit
Except as otherwise required by law, Oracle will promptly notify
customers of any subpoena, judicial, administrative or arbitral order of an executive or
administrative agency or other governmental authority that it receives and which relates
to the personal data Oracle is processing on the customer’s behalf. Upon customer
request, Oracle will provide customers with reasonable information in its possession
relevant to the law enforcement request and any assistance reasonably required for them
to respond to the request in a timely manner.
Oracle Cloud Infrastructure is built for enterprises. We operate under practices
aligned with the ISO/IEC 27002 Code of Practice for information security controls, from
which we have identified a comprehensive set of security controls that apply to our
business. Oracle Cloud Infrastructure is still a new product line, and
we must operate for a period of time in order for these security controls and our
operations to undergo external audit. As an enterprise cloud, we plan to pursue a broad
suite of industry and government certifications, audits, and regulatory