OCI Zero Trust Packet Routing uses security attributes (essentially metadata) to identify and organize resources. With OCI ZPR, you can assign security attributes to OCI resources such as databases and compute instances. Then, you can create OCI ZPR policies that reference those security attributes. These policies are enforced at the network layer, disallowing traffic via any unauthorized paths.
OCI ZPR’s policy language makes it simple to create rules that specify which resources are allowed to communicate. OCI ZPR policies reference metadata about the specific data resources being accessed and the security attributes they contain. Policies only allow access from a specific originator (e.g., a compute instance) to a specific data resource. If an authorized request attempts to access the resource outside of that specific path, the request will fail.
Although unprotected databases with guessable credentials may be breached within minutes, just one line of OCI ZPR policy can help prevent a database from being exposed.
Using a traditional network architecture–based security approach is time-consuming due to the sheer complexity of securing and auditing network configuration points. In addition, the responsibility to implement security policies is transferred to network teams, whose typical goals of low latency and high availability do not always align with security goals. OCI Zero Trust Packet Routing helps address these challenges by separating network security from network architecture, enabling security teams to write policies that are enforced at the network layer. OCI ZPR dramatically reduces complexity, letting network administrators run a flat network while security teams protect resources as intended.
OCI ZPR helps make audit and compliance response easier by establishing clear intent-based policies and security attributes applied to resources. Without OCI ZPR, understanding access requires auditors to review subnets; CIDR blocks; routing tables; security groups; network ACLs; rules based on IP, port, and protocol; and firewall rules that define ingress and egress restrictions. OCI ZPR reduces the effort it takes to analyze and understand which hosts and services can communicate with each other.
Auditors can rest assured that security policies apply to all appropriately labelled resources, despite changes to the network configuration.
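The model of attribute-based, default-deny policy described above (attributes on resources, a single rule tying an originator attribute to a data-resource attribute, and enforcement that ignores where in the network a resource sits) is shown below as an added illustrative example. It is not Oracle's code and does not use OCI ZPR's actual policy syntax; the `Resource`/`Policy` structures, the attribute values such as `app:finance`, and the subnet names are all invented for the illustration. It also includes a small audit helper in the spirit of the last two paragraphs: instead of reading CIDR blocks and security lists, the auditor asks "which labelled resources can reach this database, and on what port?"

```python
"""Illustrative model of attribute-based (zero-trust) network policy.

Added example; not Oracle's code and not the OCI ZPR policy language.
Resource names, security attributes, subnets and ports are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    subnet: str               # where the resource sits; policy never looks at it
    attributes: frozenset     # security attributes, e.g. {"app:finance"}


@dataclass(frozen=True)
class Policy:
    """Allow endpoints carrying src_attr to reach endpoints carrying dst_attr
    on exactly one protocol/port. Traffic matched by no policy is denied."""
    src_attr: str
    dst_attr: str
    protocol: str
    port: int


def is_allowed(src: Resource, dst: Resource, protocol: str, port: int,
               policies: list[Policy]) -> bool:
    """Default deny: only an explicit attribute-based rule can allow traffic.
    Rules are directional: src attribute on the originator, dst on the target."""
    return any(
        p.src_attr in src.attributes
        and p.dst_attr in dst.attributes
        and p.protocol == protocol
        and p.port == port
        for p in policies
    )


def who_can_reach(dst: Resource, resources: list[Resource],
                  policies: list[Policy]) -> dict[str, set]:
    """Audit view: for every resource with a permitted path to dst, the set of
    (protocol, port) pairs it may use. Derived from attributes alone, so the
    answer is the same whatever subnets or route tables are in use."""
    reach: dict[str, set] = {}
    for r in resources:
        if r == dst:
            continue
        ports = {(p.protocol, p.port) for p in policies
                 if p.src_attr in r.attributes and p.dst_attr in dst.attributes}
        if ports:
            reach[r.name] = ports
    return reach


def demo() -> dict[str, bool]:
    """Constructed scenario: one policy line protecting a finance database."""
    app = Resource("finance-app-1", "subnet-a", frozenset({"app:finance"}))
    db = Resource("finance-db", "subnet-b", frozenset({"data:finance-db"}))
    jump = Resource("ops-jumphost", "subnet-a", frozenset({"role:ops"}))
    # Same application instance after the network team moved it to another subnet.
    moved_app = Resource("finance-app-1", "subnet-c", frozenset({"app:finance"}))

    # The single rule: finance app endpoints may open tcp/1521 to the finance DB.
    policies = [Policy("app:finance", "data:finance-db", "tcp", 1521)]

    return {
        # the intended path
        "app->db tcp/1521": is_allowed(app, db, "tcp", 1521, policies),
        # a host in the same subnet as the app, but without the attribute
        "jumphost->db tcp/1521": is_allowed(jump, db, "tcp", 1521, policies),
        # right originator, wrong port
        "app->db tcp/22": is_allowed(app, db, "tcp", 22, policies),
        # network change does not alter the decision
        "moved app->db tcp/1521": is_allowed(moved_app, db, "tcp", 1521, policies),
        # policies are directional; the database may not initiate to the app
        "db->app tcp/1521": is_allowed(db, app, "tcp", 1521, policies),
    }


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{path:28s} {'ALLOW' if allowed else 'DENY'}")
```

The point the table of results makes is that the jump host is denied even though it shares a subnet with the application, and the application is still allowed after being re-homed to a different subnet: the decision depends only on the attributes each endpoint carries and on the one rule that references them.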