Security Services and Features
A key objective of Oracle Cloud Infrastructure is to allow you to create a logical extension of your on-premises infrastructure and data centers in Oracle Cloud Infrastructure. You can gain the benefits of a modern public cloud without having to compromise or reinvent your existing security posture. This idea was central to the design of all our infrastructure and services.
Regions and Availability Domains
To provide data availability and durability, Oracle Cloud Infrastructure enables you to select from infrastructure with distinct geographic and threat profiles. A region is the top-level component of the infrastructure. Each region is a separate geographic area with multiple, fault-isolated locations called availability domains. An availability domain is the subcomponent of a region and is independent and highly reliable. Each availability domain is built with fully independent infrastructure: buildings, power generators, cooling equipment, and network connectivity. With physical separation comes protection against natural and other disasters. Availability domains within the same region are connected by a secure, high-speed, low-latency network, which allows customers to build and run highly reliable applications and workloads with minimum impact to application latency and performance. All links between availability domains are encrypted. Most regions have at least three availability domains, which allows customers to deploy highly-available applications.
Identity and Access Management (IAM) Service
The Oracle Cloud Infrastructure Identity and Access Management (IAM) service is built to meet the requirements of enterprises, and it provides authentication and authorization for all their Oracle Cloud Infrastructure resources and services. An enterprise can use a single tenancy shared by various business units, teams, and individuals while maintaining security, isolation, and governance.
customer joins Oracle Cloud Infrastructure, a tenancy is created. A
tenancy is a virtual construct that contains all of the Oracle Cloud Infrastructure resources that belong to the customer. The
administrator of the tenancy can create users and groups and assign them
least-privileged access to resources that are partitioned into compartments. A
compartment is a group of resources that can be managed as a single logical unit,
providing a streamlined way to manage large infrastructure. For example, a customer can
create a compartment (
HR-Compartment) to host a specific set of cloud
network, compute instances, and storage volumes necessary to host its HR applications.
Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating cloud resources. Customers use them to clearly separate
resources for the purposes of isolation (separating the resources for one project or
business unit from another). A common approach is to create a compartment for each major
part of an organization. Unlike most Oracle Cloud Infrastructure
services that are regionally scoped, the IAM service resources are global. Customers can have a single
tenancy across multiple regions.
The following are key IAM primitives:
- Resource: A cloud object that a company's employees create and use when interacting with Oracle Cloud Infrastructure services, for example, compute instances, block storage volumes, virtual cloud networks (VCNs), subnets, and route tables.
- Policy: A set of authorization rules that define access to resources within a tenancy.
- Compartment: A heterogeneous collection of resources for the purposes of security isolation and access control.
- Tenancy: The root compartment that contains all of an organization's resources. Within a tenancy, administrators can create one or more compartments, create more users and groups, and assign policies that grant groups the ability to use resources within a compartment.
- User: A human being or system that needs access to manage their resources. Users must be added to groups in order to access resources. Users have one or more credentials that must be used to authenticate to Oracle Cloud Infrastructure services. Federated users are also supported.
- Group: A collection of users who share a similar set of access privileges. Administrators can grant access policies that authorize a group to consume or manage resources within a tenancy. All users in a group inherit the same set of privileges.
- Identity Provider: A trusted relationship with a federated identity provider. Federated users who attempt to authenticate to the Oracle Cloud Infrastructure console are redirected to the configured identity provider. After successfully authenticating, federated users can manage Oracle Cloud Infrastructure resources in the console just like a native IAM user. Currently, Oracle Cloud Infrastructure supports the Oracle Identity Cloud Service and Microsoft Active Directory Federation Service (ADFS) as identity providers. Federated groups are mapped to native IAM groups to define the policies apply to a federated user.
All customer calls to access Oracle Cloud Infrastructure resources are first authenticated by the IAM service (or federated provider) and then authorized based on IAM policies. A customer can create a policy that gives a set of users permission to access the infrastructure resources (network, compute, storage, and so on) within a compartment in the tenancy. These policies are flexible and are written in a human-readable form that is easy to understand and audit. A policy contains one or more policy statements that follow this easy-to-understand syntax:
Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>
A verb defines the type of access covered. Oracle defines the following verbs that you can use in your policy statements:
- inspect: Provides the ability to list resources, without access to any confidential information or user-specified metadata that might be part of that resource.
- read: Includes inspect plus the ability to get user-specified metadata and the actual resource itself.
- use: Includes read plus the ability to work with existing resources
(the actions vary by resource type). Includes the ability to update the resource,
except for resource types where the update operation has the same effective impact
as the create operation (for example,
UpdateSecurityList). In such cases, the update ability is available only with the manage verb. In general, this verb does not include the ability to create or delete that type of resource.
- manage: Includes all permissions for the resource.
The following example policy enables the
GroupAdmins group to create,
update, or delete any groups:
Allow group GroupAdmins to manage groups in tenancy
Each user has one or more of the following credentials to authenticate themselves to Oracle Cloud Infrastructure. Users can generate and rotate their own credentials. In addition, a tenancy security administrator can reset credentials for any user within their tenancy.
- Console password: Used to authenticate a user to the Oracle Cloud Infrastructure Console.
- API key: All API calls are signed using a user-specific 2048-bit RSA private key. The user creates a public key pair, and uploads the public key in the Console.
- Auth token: Auth tokens are Oracle-generated token strings that you can use to authenticate with third-party APIs that do no support Oracle Cloud Infrastructure's signature-based authentication. For example, use an auth token to authenticate with a Swift client. To ensure sufficient complexity, the token is created by the IAM service and cannot be provided by a customer.
- Customer secret key: Used by Amazon S3 clients to access the Object Storage service’s S3-compatible API. To ensure sufficient complexity, the password is created by the IAM service and cannot be provided by a customer.
The Oracle Cloud Infrastructure Audit service records all API calls to resources in a customer’s tenancy as well as login activity from the graphical management Console. Using the Audit service, customers can achieve their own security and compliance goals by monitoring all user activity within their tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included. Audit records are available through an authenticated, filterable query API or can be retrieved as batched files from Oracle Cloud Infrastructure Object Storage. Audit log contents include what activity occurred, the user that initiated it, the date and time of the request, as well as source IP, user agent, and HTTP headers of the request.
Compute is a core component of Oracle Cloud Infrastructure and provides on-demand and elastic compute capabilities with enterprise-grade security and performance. Customers can provision thousands of compute instances and scale them up or down through an easy-to-use web-based management console. Programmatic support to do the same is available through feature-rich SDKs and command-line interfaces (CLIs). All compute instances are hosted in Oracle enterprise-grade data centers.
Compute instances are based on high-performance server hardware that uses latest-generation, multi-core server CPUs, large amounts of memory, and high-throughput NVMe local storage. Oracle Cloud Infrastructure provides bare metal (BM) and virtual machine (VM) instances. Customers can choose instances that fit their performance, cost, and software flexibility requirements.
- Bare metal instances: In bare metal instances, physical servers are dedicated to a single customer who has complete control over the server. There is no Oracle-managed hypervisor and Oracle personnel have no access to memory or local (NVMe) storage while the instance is running. All network virtualization is performed off-box and only the Oracle Integrated Lights Out Manager (ILOM) is accessible to the infrastructure (required in order to remotely reboot or reprovision instances). These bare metal instances offer consistent high performance and are immune to any noisy-neighbor issues. Customers have OS-level administrative privileges to the bare metal instance. After a customer terminates their bare metal instance, the server undergoes an automated disk and firmware-level wipe process to ensure isolation between customers.
- Virtual machine (VM) instances: Customers with flexibility requirements or those who don't need a dedicated bare metal instance can opt for VMs. Multi-tenant customer VMs in Oracle Cloud Infrastructure are managed by a security hardened hypervisor that provides strong isolation between customers.
Oracle Cloud Infrastructure instances use key-based SSH by default. Customers provide the SSH public keys to Oracle Cloud Infrastructure and securely use the SSH private keys for accessing the instances. Oracle recommends using key-based SSH to access Oracle Cloud Infrastructure instances. Password-based SSH could be susceptible to brute-forcing attacks, and are not recommended.
Oracle Linux images hardened with the latest security updates are available for you to run on Oracle Cloud Infrastructure instances. Oracle Linux images run the Unbreakable Enterprise Kernel (UEK) and support advanced security features such as Ksplice to apply security patches without booting, which allows enterprises to live-update their instances without any disruption. In addition to Oracle Linux, Oracle Cloud Infrastructure makes a growing list of other OS images available, including CentOS, Ubuntu, and Windows Server. You can also bring your own custom images. All Oracle-provided images come with secure defaults including OS-level firewalls turned on by default.
High-throughput and reliable networking is fundamental to public-cloud infrastructure that delivers compute and storage services at scale. As a result, we invested significant innovation in Oracle Cloud Infrastructure networking to support requirements of enterprise customers and their workloads. Oracle Cloud Infrastructure regions have been built with a state-of-the-art, non-blocking Clos network that is not over-subscribed and provides customers with a predictable, high-bandwidth, low latency network. The data centers in a region are networked to be highly available and have low-latency connectivity between them.
The Oracle Cloud Infrastructure Networking service offers a customizable private network (a VCN, or virtual cloud network) to customers, which enforces logical isolation of customer Oracle Cloud Infrastructure resources. As with their on-premises network in their data centers, customers can set up a VCN with hosts with private IP addresses, subnets, route tables and gateways using VCN. The VCN can be configured for internet connectivity, or connected to the customer's private data center through an IPSec VPN gateway or FastConnect. FastConnect offers a private connection between an existing network's edge router and Dynamic Routing Gateways (DRG). Traffic does not traverse the internet.
The Networking service also supports bi-directional, stateful and stateless firewalls that allow customers to initialize network security access controls. Firewalls and ACLs specified for a customer VCN are propagated throughout the network topology and control plane, ensuring a multi-tiered and defense-in-depth implementation. Each tenant (customer) can create multiple VCNs to implement logical grouping of their resources.
The following are key networking concepts associated with a VCN:
- Subnets: The primary subdivision of a VCN. Subnets have historically been specific to an availability domain, but can now be regional (covering all availability domains in the region). Subnets can be marked as private upon creation, which prevents instances launched in that subnet from having public IP addresses.
- Internet gateway: A virtual router that provides public internet connectivity from a VCN. By default, a newly created VCN has no internet connectivity.
- Dynamic routing gateway: A virtual router that provides a path for private traffic between a VCN and a data center’s network. It is used with an IPSec VPN or Oracle Cloud Infrastructure FastConnect connection to establish private connectivity between a VCN and an on-premises or other cloud network.
- NAT gateway: A virtual router that gives cloud resources without public IP addresses access to the internet without exposing those resources to incoming internet connections.
- Service gateway: A virtual router that gives cloud resources private access to Oracle services such as Object Storage without using an internet gateway or NAT gateway.
- Routing tables: Virtual routing tables that give the subnets access to the VCN’s gateways (Internet Gateway and Dynamic Routing Gateway). Routes can also use private IPs as a target to implement network functionality such as NAT, firewalls, IDS, and so on.
- Primary VNICs: Subnets contain virtual network interface cards (VNICs) that attach to instances. The VNIC determines how the instance connects with endpoints inside and outside the VCN. Each instance has a primary VNIC that is created during instance launch and cannot be removed. During instance launch, the Networking service also assigns a public IP address. Customers can override that behavior during instance launch and request to have no public IP address assigned.
- Secondary VNICs: VNICs with public and private IP addresses that can be attached to an instance. In a bring-your-own-hypervisor (BYOH) scenario, where customers can run their hypervisor on a BM instance, a secondary VNIC can be assigned to a VM, to allow VCN networking for the VM. This is very useful for running virtual security appliances in a VCN.
- IPSec VPN connection: A secure VPN connection between a VCN and a data center.
- Security lists: Virtual firewall rules that define allowed ingress and egress to an instance at the packet level. Individual rules can be defined to be stateful or stateless.
Virtual firewalls are implemented by using VCN security lists. Customers can specify a set of firewall rules and associate them with one or more subnets. Associating a security list with a subnet applies those firewall rules to all instances running inside the subnet, at the packet level. There are two types of firewall rules:
- Ingress rules: Ingress rules specify the source (IP CIDR and port range), destination port range, and protocol to match on, and are applied to ingress network connections.
- Egress rules: Egress rules specify the destination (IP CIDR and port range), source port range, and protocol to match on, and are applied to egress network connections.
Every VCN has a default security list customers may optionally use that allows only SSH and certain types of important ICMP ingress traffic, and all egress traffic. Customers can associate multiple security lists with a subnet. The subnet uses the default security list if the customer doesn’t specify another list for the subnet to use.
For further information about security in the Networking service, see:
Oracle Cloud Infrastructure offers multiple storage solutions to meet the performance and durability requirements of customers:
- Local Storage: NVMe-backed storage on compute instances, offering extremely high IOPS.
- Block Volumes: Network-attached storage volumes, attachable to compute instances.
- Object Storage: Regional service for storing large amounts of data as objects, providing strong consistency and durability.
The Oracle Cloud Infrastructure Block Volumes service provides persistent storage that can be attached to compute instances using the iSCSI protocol. The volumes are stored in high-performance network storage and support automated backup and snapshot capabilities. Volumes and their backups are accessible only from within a customer's VCN and are encrypted at rest using unique keys. For additional security, iSCSI CHAP authentication can be required on a per-volume basis.
The Oracle Cloud Infrastructure Object Storage service provides highly scalable, strongly consistent, and durable storage for objects. API calls over HTTPS provide high-throughput access to data. All objects are encrypted at rest using unique keys. Objects are organized by bucket, and, by default, access to buckets and objects within them requires authentication. Users can use IAM security policies to grant users and groups access privileges to buckets.
To allow bucket access by users who do not have IAM credentials, the bucket owner (or a user with necessary privileges) can create pre-authenticated requests that allow authorized actions on buckets or objects for a specified duration. Alternately, buckets can be made public, which allows unauthenticated and anonymous access. Given the security risk of inadvertent information disclosure, Oracle highly recommends carefully considering the business case for making buckets public. Object Storage enables you to verify that an object was not unintentionally corrupted by allowing an MD5 hash to be sent with the object (or with each part, in the case of multipart uploads) and returned upon successful upload. This hash can be used to validate the integrity of the object.
In addition to its native API, the Object Storage service supports Amazon S3 compatible APIs. Using the Amazon S3 Compatibility API, customers can continue to use the existing Amazon S3 tools (for example, SDK clients), and partners can modify their applications to work with Object Storage, with minimal changes to their applications. Their native API can co-exist with the Amazon S3 Compatibility API, which supports CRUD operations. Before customers can use the Amazon S3 Compatibility API, they must create an S3 Compatibility API key. After they've generated the necessary key, they can use the Amazon S3 Compatibility API to access Object Storage in Oracle Cloud Infrastructure.
Oracle Cloud Infrastructure makes it easy to run, scale, and secure your Oracle databases (DBs) in the cloud. The Oracle Cloud Infrastructure Database service offers three types of DB systems:
- Bare metal: Comprising 1-node DB and 2-node Real Application Cluster (RAC) systems, providing exceptional performance at cost-effective pricing.
- Exadata: Proven industry-leading Exadata DB systems in quarter, half, and full rack configurations.
- Virtual machine: Allows customers to create full-featured Oracle databases on VM shapes with various cores.
DB systems are accessible only from a customer’s VCN, and customers can configure VCN security lists to control network access to their databases. The Database service is integrated with Oracle Cloud Infrastructure IAM for controlling which users can launch and manage DB systems. By default, data is encrypted at rest using Oracle TDE with master keys stored in an Oracle Wallet on each DB system. RMAN backups of DB systems are encrypted and stored in customer-owned buckets in the Object Storage service. Customers need to create a bucket for DB backups and configure the Oracle Database Cloud Backup module with an auth token (to use with the Swift API) and IAM permissions to access the bucket. Alternately, DB backups can be made to local NVMe storage on the DB system.
Each user automatically has the ability to create, update, and delete their own auth tokens in the Console or the API. An administrator does not need to create a policy to give a user those abilities. Administrators (or anyone with permission to the tenancy) also have the ability to manage auth tokens for other users. Any user of a Swift client that integrates with Object Storage needs permission to work with the service.
Load Balancing Service
Oracle Cloud Infrastructure Load Balancing provides automated traffic distribution to compute instances in a customer’s VCN. Load balancers (LBs) can be created as public (accepting traffic from the internet and directing it to private instances) or private (directing traffic between private instances). LBs can be configured for SSL termination using customer-provided certificates; end-to-end SSL, whereby the LB terminates the SSL connection and creates a new SSL connection to the backend; or SSL tunneling, in which the SSL connection is passed through to the backend (TCP load balances only). The Load Balancing service supports TLS 1.2 by default, and prioritizes the following forward-secrecy ciphers in the TLS cipher-suite:
Managed Domain Name Servers (DNS) Service
The Oracle Cloud Infrastructure DNS service provides dynamic, static, and recursive DNS solutions for enterprise customers. The service connects visitors to customer websites and applications with fast and secure services. The DNS service operates on a global anycast network with 18 points of presence (PoPs) on five continents and offers fully redundant DNS constellations and multiple Tier 1 transit providers per PoP. The solution provides a DNS-based Distributed Denial of Services (DDoS) protection and in-house security expertise that leverages a vast sensor network that collects and analyzes over 240 billion data points per day. The DNS service also fully supports the secondary DNS features to complement the customer’s existing DNS service, providing resiliency at the DNS layer.