
00 Security Portfolio

The document outlines Oracle's cloud security strategies, emphasizing the shared responsibility model between Oracle and customers for securing cloud services. It details various security principles, approaches like Least Privilege and Zero Trust, and highlights Oracle's comprehensive security offerings across its cloud infrastructure. Additionally, it discusses compliance obligations and the importance of continuous monitoring and automated security measures to enhance cloud security posture.

Uploaded by dominusceo

Cloud Adoption and Transformation

OCI Security
Ricardo Carrillo
Cloud Specialist

1 Copyright © 2020, Oracle and/or its affiliates. All rights reserved.


Safe harbor statement

• The following is intended to outline our general product direction. It is intended for information purposes only and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

Copyright © 2024, Oracle and/or its affiliates

Agenda

1. Security of the Cloud
2. Cloud Security Shared Responsibility Model
3. Security Services
4. DB Security Services
5. Security Services Architecture


1
State of the security market – Top enterprise security concerns

• 33% of organizations worldwide have experienced a ransomware attack or breach
• 4M global positions that cannot be filled due to the cybersecurity talent shortage
• 82% of data breaches involved the “human element”

Concerns listed on the slide:
• Security Complexity
• Supply Chain Vulnerabilities
• Hybrid Work Environment
• Fraud
• Compliance Requirements
• Geopolitical Risks
• Disparate SaaS

Sources: IDC 2021 Ransomware Study: Where You Are Matters, (ISC)² Cybersecurity Workforce Study 2021, and Verizon Data Breach Investigations Report 2022


1

Complete Cloud Services

Service areas: Developer services, Applications, Analytics, Governance & Administration, Data & AI, Databases, Core Infrastructure

• SERVERLESS: Events, Functions, API Gateway
• LOW CODE: APEX, Digital Assistant
• APPDEV: Visual Builder Studio, GraalVM, Helidon, SQL Developer, Shell, APIs/CLI/SDKs/Docs
• INFRASTRUCTURE as CODE: Resource Manager, Terraform, Ansible
• APP INTEGRATION: Integration Cloud, Workflow, Notifications, Email Delivery
• BUSINESS & INDUSTRY SaaS: ERP, HCM, SCM, Sales, Marketing, Service, Vertical Industry
• BUSINESS ANALYTICS: Analytics Cloud, Fusion Analytics
• CLOUD OPS: IAM, Compartments, Tagging, Console, Cost Advisor
• SECURITY: Cloud Guard, Security Zones, Vault, KMS, Data Safe, DDoS, WAF
• OBSERVABILITY: Monitoring, Logging, Logging Analytics, Notifications, Events, Operations Insights, APM, Management Cloud
• BIG DATA: Big Data, Data Flow, Data Integration, Data Catalog, Golden Gate
• AI SERVICES: Data Science, Text Analytics, Anomaly Detection
• MESSAGING: Streaming, Queueing, Service Connector
• ORACLE DATABASES: ATP, ADW, DBCS VM/BM, JSON, Dedicated, Exadata, Exadata C@C
• DISTRIBUTED & OSS DBs: NoSQL, MySQL, Postgres, Search Indexing, Distributed Cache
• COMPUTE: Bare metal, VM, CPUs, GPUs, HPC
• CONTAINERS: Containers, Kubernetes, Service Mesh, Registry
• OS, VMWARE: Autonomous Linux, OS Mgmt Service, Marketplace
• STORAGE: NVMe, Block, File, Object, Archive, Data Transfer
• NETWORKING: VCN, LB, Service Gateway, FC, VPN, Cluster Networking

PUBLIC AND GOVERNMENT REGIONS / CLOUD AT CUSTOMER / AZURE


1

OCI services by platform

[Figure: grid of OCI services grouped as IaaS, PaaS and SaaS. Services shown: Compute, Blockchain, Database, Event Hub, Visual Builder, Customer Experience, Storage, Developer, Database Backup, Big Data, Java, ERP, Bare Metal, Autonomous Database, Mysql, SOA, Developer, EPM, Analytics, Database Schema, Goldengate, APEX, HCM, IoT, Mobile, Integration, Digital Assistant, Supply Chain, Edge Services, API Platform, Container, Content and Experience, Talent Management]


2

Shared responsibility model

The following image from the International Information System Security Certification Consortium (ISC2) clarifies the areas of responsibility for IaaS, PaaS and SaaS. Aligned with this, OCI offers the best security technology and operational processes to secure your enterprise cloud services. However, cloud security is based on a shared responsibility model:

Customer is responsible for security in the cloud
• Secure your workloads and configure your services
• Configure your applications securely to meet your compliance obligations
• Application and OS patching, OS configuration
• Identity and access management
• Network security
• Endpoint protection
• Data classification and compliance

Oracle is responsible for cloud security
• Physical security of data centers
• Hardware, software, networks
• Software to manage operations and services in the cloud.

[Figure: responsibility matrix with columns On-premises, IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service), and rows User Access/Identity, Data, Application, Guest OS, Virtualization, Network, Infrastructure, Physical. Legend: Cloud Service Provider Responsibility, Customer Responsibility]
2

Oracle’s Security Principles

• Simple: Always on security posture. Easy defaults for developing and running apps
• Prescriptive: Recipes to enforce security posture, automated baseline management
• Integrated: Unified Security and Identity across IaaS, PaaS and SaaS
• Offer “at cost” to eliminate the cost/security tradeoff

[Figure: Oracle Security Principles: Ease of use, Unified, Transparent, Data, Automated, Prescriptive]
2

Industry Security Approaches (Least Privilege)

The goal of least privilege is to regularly audit usage and reduce unnecessary standing permissions wherever possible.

This approach adheres to the following:

• Restricts access and permissions as much as possible, without interfering with users' normal usage.
• A cloud admin can achieve this principle by defining the minimum amount of privilege users in each role need to perform their work.
• When a cloud admin defines IAM policies, they should follow the standard security advice of granting the least privilege or granting only the permissions required to perform a task.
• Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks.

Source: StrongDM, Principle of Least Privilege Explained (How to Implement It), September 13, 2024
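
One way to carry out the audit step described on this slide, as an added example that is not part of the original deck or of Oracle's tooling: it parses OCI IAM policy statements of the form `Allow <subject> to <verb> <resource-type> in <location>` and flags those broader than least privilege suggests. The group and compartment names, the sample policy and the rule set are assumptions made for illustration.

```python
import re

# Statement form assumed: Allow <subject> to <verb> <resource-type> in <location> [where ...]
STATEMENT = re.compile(
    r"^\s*allow\s+(?P<subject>(?:group|dynamic-group)\s+\S+|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?P<where>\s+where\s+.+)?\s*$",
    re.IGNORECASE,
)
WRITE_VERBS = ("use", "manage")  # verbs that can change resources

def review_statement(statement):
    """Return the least-privilege findings for one policy statement."""
    m = STATEMENT.match(statement)
    if not m:
        return ["unparsed: review manually"]
    verb, resource, scope = (m[k].lower() for k in ("verb", "resource", "scope"))
    findings = []
    if m["subject"].lower() == "any-user":
        findings.append("subject is any-user")
    if resource == "all-resources" and verb in WRITE_VERBS:
        findings.append("write access to all-resources instead of a named resource type")
    if verb == "manage" and not m["where"]:
        findings.append("verb 'manage' with no 'where' condition")
    if scope == "tenancy" and verb in WRITE_VERBS:
        findings.append("write-level verb scoped to the whole tenancy")
    return findings

def review_policy(statements):
    """Map each statement that has findings to its list of findings."""
    return {s: f for s in statements if (f := review_statement(s))}

# Constructed sample policy (hypothetical groups and compartments)
SAMPLE_POLICY = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group NetOps to manage virtual-network-family in compartment Network",
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow group AppDev to use instances in compartment Dev",
    "Allow group AppDev to read buckets in compartment Dev",
]

if __name__ == "__main__":
    for stmt, findings in review_policy(SAMPLE_POLICY).items():
        print(stmt)
        for finding in findings:
            print("   -", finding)
```

Statements the pattern does not recognise are reported for manual review rather than silently passed.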



2

Industry Security Approaches (Zero Trust)

• One: Know your architecture, including users, devices, services, and data
• Two: Know the identity of your users, services and devices
• Three: Evaluate the behavior of users, services and the health of devices
• Four: Make use of policies for the authorization of requests to assets according to the least privilege approach and division of duties
• Five: Authenticate (AuthN) and authorize (AuthZ) users, groups, services and devices.
• Six: Focus on proactive monitoring and not reactive monitoring of all activities that happen in the environment (users, services and devices)
• Seven: Don't trust any network, much less your own.
• Eight: Choose or develop services that are designed with the least privileges for their operation

Oracle offers a full stack of cybersecurity capabilities

• Storage and Database Safeguards: Vault Key Management, Secrets Management, Certificates, Data Safe, Autonomous Database
• Compute and OS: Bare Metal Compute, Signed Firmware, Hardware Root of Trust, Harden Disk Images, OS Management Hub, Isolated Network Virtualization, Oracle Autonomous Linux
• Network: Virtual Cloud Network, Security Lists, Network Firewall, Bastion, Dynamic Routing Gateway, FastConnect, VPN, NAT Gateway
• Identity and Operator Access: OCI Identity and Access Management, Access Governance, Policies, Federation
• Monitoring and Prevention: Cloud Guard, Threat Intelligence, Threat Detector, Fusion Apps Detector, Vulnerability Scanning, Security Zones, Logging, Auditing
• Internet and Edge: DDoS Protection, WAF, WAF for Fusion Apps

Legend: Cloud Security; Oracle Cloud Security differentiators


Security Portfolio

Legend: FREE = Core Security; *FREE = Supplementary Security, free for many use cases. Each service on the slide carries a FREE or *FREE marker.

Identity and access management (IAM, Enterprise class)
Use cases:
• Managed user policies and access
• Manage multi-factor authentication
• Single sign-on for identity providers
• Record API calls automatically
Security services: OCI IAM for tenancy administration, OCI IAM Identity Domains, Access Governance

Data Protection
Use cases:
• Encryption of data at rest and in transit
• Centralized key management and storage
• Rotate, manage and retrieve secrets
• Discover, classify and protect data
Security services: Encryption, Vault, Data Safe, Certificates

Detection and remediation (Posture Management)
Use cases:
• Security posture management
• Security Advisor for improving security posture
• Vulnerability and exposure scanning
Security services: Security Zones, Vulnerability Scanning, Security Advisor, Threat Intelligence

OS protection (OS & Workloads Protection)
Use cases:
• Secure boot, measured boot
• Workload isolation
• Bastion
• OS patch and package management
Security services: Dedicated Host, Bastions, OS Management, Shielded Instances, Confidential Computing

Infrastructure protection (Network Protection)
Use cases:
• DDoS Protection
• Network Security Controls
• Virtual Firewalls
• Filter malicious web traffic
Security services: Security Lists & NSG, Network Firewall, DDoS Protection, WAF


3

Oracle provides consistent security

• Oracle Public cloud: Access OCI cloud services from 41+ global regions
• Oracle Dedicated cloud (Dedicated Region): Single tenant Oracle Cloud, running in your data center for data residency & data localisation
• Hybrid cloud: Security across cloud and on-premises
• Other Clouds:
  • Our products work with your other providers
  • 12 Azure interconnect regions
  • 11 GCP Interconnect regions
3

Oracle’s Security First Approach

• Automated security to reduce complexity and prevent human error
• Continuous and Always-On security for seamless protection
• Security-first design principles with security Architected-In to reduce risk


3

Cloud Security Posture Management (CSPM)

• Security and risk assessment
• Continuous monitoring and alerting
• AI and ML-based Security capabilities
• DevSecOps integration
• Automatic Remediation

“CSPM provides the tools necessary to identify, analyze, and remediate cloud assets”


3

Security "of" the cloud and security "on" the cloud

Customer: Security ON the cloud
• Customer Data
• Identity and Access Management
• Firewall Configuration
• Applications
• Operating Systems
• Network Configuration

Oracle: Security OF the cloud
• Compute
• Storage
• Database
• Regions
• Availability Domains
• Fault Domains


3

OCI Compliance

Your compliance obligations: Oracle capabilities help address core compliance needs at all levels
• Topics: System & Organization Controls, PCI Compliance, OCI & GDPR, ZERO-TRUST SECURITY with OCI Security Services
• Resources: SOC reports, PCI Compliance, Advisory, Whitepaper
• ISO, PCI, SOC compliant deployment solutions
• Services: Data Safe, Logging, OCI IAM, Cloud Guard, Vulnerability Scanning, Access Governance …and many more

Oracle’s compliance obligations: OCI manages 70+ compliance programs across regions and industries


4

Oracle database security helps guard against attacks

• Attack: Identity and Access Management (IAM). Seamless identity integration with OCI IAM helps decrease the risk of attacks with multi-factor authentication and role-based access control
• Configuration drift: Data Safe / DB SAT. Continuously assess your configuration and users with Data Safe and database security assessment tool
• Lateral movement and data access: Audit Vault and Database Firewall (AVDF). Detect suspicious activity with Audit Vault and Database Firewall (AVDF)
• Data theft: Advanced Security and Key Vault. Encrypt the data and protect encryption keys with Advanced Security and Key Vault
• Compromised backups from ransomware: Zero Data Loss services. Recover up to the last valid transaction with immutable backups ZDLRA (Zero Data Loss Recovery Appliance) and ZFS
• Attack spread: Isolated network virtualization. Separates virtualization layer from the network layer to protect customer instances


5

Security "of" the cloud and security "on" the cloud

Visit Oracle Security

5

Path to outcome based on proven real-world experiences

[Figure: decision flow with Yes/No branches; the entries are listed below]

Already on OCI?

Self-service Security
• Cloud Guard: to see your cloud security posture & address issues in minutes
• Data Safe: to quickly evaluate data security risks and manage compliance requirements
• Reference Architectures: to adopt the proven best practices
• OCI Secure Landing Zones: for secure on-boarding based on CIS OCI benchmarks

Oracle-guided Security
• Oracle Maximum Availability Architecture (MAA): White Paper MAA
• Oracle Managed Security Services for Oracle Cloud and On-Premises: to strengthen your cloud security posture with actionable recommendations

Need to quantify security benefits of a move to OCI?
• Yes: Top 10 Reasons to Adopt Oracle Cloud, to strengthen your cloud security posture with actionable recommendations
• No: Oracle Cloud Lift Services, to accelerate your migration to OCI
