Keep Your Data Secure
Throughout the
Cloud Lifecycle

Oracle Cloud Infrastructure Security—
Oracle Cloud Guard and Oracle Security Zones

Shifting the cloud security shared responsibility
model with Oracle Security Zones

According to the 2020 Oracle and KPMG Cloud Threat Report, 96 percent of IT professionals are familiar with what’s called the cloud security shared responsibility model.

But while most are familiar, few are experts. In the same report, it was revealed that only 8 percent fully understand the shared responsibility model for all types of cloud services.3


Oracle Security Zones is helping to change this. With the introduction of Oracle Security Zones, Oracle is shifting the cloud security shared responsibility model so that the cloud service provider takes on more of the work. Layers of the model that IaaS customers were traditionally responsible for on their own (secure configuration of resources, monitoring for drift, and enforcement of policy) are partially covered by Oracle Security Zones, which improves configuration management, monitoring, and enforcement for resources placed in a zone.

In addition, enforcement happens at several points: the control plane (requests that would create a non-compliant resource are rejected), the data plane, and Oracle Cloud Guard for reactive enforcement (detecting and responding to violations in resources that already exist). This lets customers focus more of their effort on the security strategy for the rest of their data and applications.

Oracle Security Zones can assist with the cloud security shared responsibility model in multiple ways, including:

  • Denying public access to Oracle Cloud Infrastructure resources, such as databases and object storage buckets
  • Enforcing the policy that storage resources, such as block volumes, must reside in the same security zone compartment as the compute instance that uses them
  • Encrypting resources with storage functions, such as block volumes, object storage buckets, and databases, with a customer-managed key

[Figure: comparison of a deployment without Oracle Security Zones and with Oracle Security Zones]

Examples of control-plane enforcement policies in Oracle Security Zones include:

  • At the data layer: Without customer-managed keys for encryption (such as keys in Oracle Cloud Infrastructure Vault), the creation of block volumes and object storage buckets is prevented.
  • At the application layer: The creation of an internet gateway in a VCN, which would expose the network to public access, is prevented.
  • At the guest OS layer: The creation of a compute instance without a sanctioned image is prevented.
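To make the policies in the two lists above concrete, here is an added example (not Oracle's code, and not how Security Zones is implemented) that evaluates an inventory of resource records against the same rules: no public buckets, customer-managed keys for storage, storage kept in the zone compartment, no internet gateways, and sanctioned images only. The record field names (compartment_id, public_access_type, kms_key_id, image_id) are modelled on the OCI SDK resource models but are assumptions; the OCIDs, the sanctioned-image allow-list, and the inventory itself are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Compartment that plays the role of the security zone. Constructed OCID-like
# identifiers for illustration; real OCIDs look like ocid1.compartment.oc1..<hash>.
ZONE_COMPARTMENT = "ocid1.compartment.oc1..securezone"

# Allow-list of sanctioned image OCIDs (assumption for illustration).
SANCTIONED_IMAGES = {"ocid1.image.oc1..hardened-oracle-linux"}

Resource = Dict[str, Optional[str]]


@dataclass(frozen=True)
class Violation:
    resource_id: str
    reason: str


def in_zone(r: Resource) -> bool:
    """A resource is in scope if it lives in the zone compartment, or if it is
    storage attached to a compute instance that lives in the zone."""
    return (r.get("compartment_id") == ZONE_COMPARTMENT
            or r.get("attached_instance_compartment_id") == ZONE_COMPARTMENT)


# Each rule returns a reason string when the resource violates it, else None.
def no_public_access(r: Resource) -> Optional[str]:
    # Field modelled on Bucket.public_access_type; anything other than
    # NoPublicAccess (ObjectRead, ObjectReadWithoutList) exposes the bucket.
    if r["kind"] == "bucket" and r.get("public_access_type") != "NoPublicAccess":
        return "object storage bucket allows public access"
    return None


def customer_managed_key(r: Resource) -> Optional[str]:
    # An empty kms_key_id means the resource is encrypted with an Oracle-managed key.
    if r["kind"] in ("bucket", "volume", "database") and not r.get("kms_key_id"):
        return "storage resource is not encrypted with a customer-managed Vault key"
    return None


def storage_stays_in_zone(r: Resource) -> Optional[str]:
    if (r["kind"] == "volume"
            and r.get("attached_instance_compartment_id") == ZONE_COMPARTMENT
            and r.get("compartment_id") != ZONE_COMPARTMENT):
        return "block volume attached to a zone instance lives outside the zone compartment"
    return None


def no_internet_gateway(r: Resource) -> Optional[str]:
    if r["kind"] == "internet_gateway":
        return "internet gateway would expose the VCN to the public internet"
    return None


def sanctioned_image_only(r: Resource) -> Optional[str]:
    if r["kind"] == "instance" and r.get("image_id") not in SANCTIONED_IMAGES:
        return "compute instance is not built from a sanctioned image"
    return None


RULES: List[Callable[[Resource], Optional[str]]] = [
    no_public_access, customer_managed_key, storage_stays_in_zone,
    no_internet_gateway, sanctioned_image_only,
]


def evaluate(resources: List[Resource]) -> List[Violation]:
    """Apply every rule to every in-scope resource. A control-plane enforcer
    would reject the create/update request behind each violation listed here;
    run over existing inventory, the same rules give a Cloud Guard-style audit."""
    found: List[Violation] = []
    for r in resources:
        if not in_zone(r):
            continue
        for rule in RULES:
            reason = rule(r)
            if reason:
                found.append(Violation(r["id"], reason))
    return found


# Constructed inventory: the shape a list_* call might return, reduced to the
# fields the rules need. Not real tenancy data.
SAMPLE_RESOURCES: List[Resource] = [
    {"id": "bucket-logs", "kind": "bucket", "compartment_id": ZONE_COMPARTMENT,
     "public_access_type": "ObjectRead", "kms_key_id": None},
    {"id": "bucket-backups", "kind": "bucket", "compartment_id": ZONE_COMPARTMENT,
     "public_access_type": "NoPublicAccess", "kms_key_id": "ocid1.key.oc1..k1"},
    {"id": "vol-scratch", "kind": "volume", "compartment_id": "ocid1.compartment.oc1..sandbox",
     "attached_instance_compartment_id": ZONE_COMPARTMENT, "kms_key_id": "ocid1.key.oc1..k1"},
    {"id": "igw-1", "kind": "internet_gateway", "compartment_id": ZONE_COMPARTMENT},
    {"id": "inst-web", "kind": "instance", "compartment_id": ZONE_COMPARTMENT,
     "image_id": "ocid1.image.oc1..marketplace-unknown"},
    {"id": "inst-db", "kind": "instance", "compartment_id": ZONE_COMPARTMENT,
     "image_id": "ocid1.image.oc1..hardened-oracle-linux"},
    # Outside the zone: a public bucket here is allowed and is not checked.
    {"id": "bucket-public-site", "kind": "bucket", "compartment_id": "ocid1.compartment.oc1..sandbox",
     "public_access_type": "ObjectRead", "kms_key_id": None},
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_RESOURCES):
        print(f"{v.resource_id}: {v.reason}")
```

The point of the scoping in `in_zone` is the one the second bullet above makes: a volume is judged by where its compute instance lives, not only by its own compartment, so moving storage to a less restricted compartment does not escape the policy. The difference between this script and the real product is timing: Security Zones denies the request at the control plane before the resource exists, whereas an inventory audit like this one, or Cloud Guard, finds violations after the fact.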
3. “Oracle and KPMG Cloud Threat Report 2020,” Oracle,