Shared Responsibility Security on Oracle Cloud

January 18, 2021
Sophisticated threats:
76 percent of organizations experienced a security incident.1
Security alert overload:
Midsize companies average 16,937 alerts per week; only 19 percent are reliable and 4 percent are investigated.2
Scarcity of talent:
66 percent of cybersecurity jobs cannot be filled by skilled candidates.3
Porous perimeter:
91 percent of organizations have security concerns about adopting cloud; only 14 percent believe traditional security is enough.4


Understanding the Oracle Cloud Shared Responsibility Model

Cloud providers like Oracle employ best-in-class, enterprise-grade security technology and operational processes to secure the cloud services. To deploy and operate your workloads securely in Oracle Cloud, you must be aware of your security and compliance responsibilities.

You’re responsible for configuring your cloud resources securely. The following graphic illustrates the Oracle cloud shared security responsibility model:

Shared Security Responsibility Model Illustration

Oracle is solely responsible for all aspects of the physical security of the availability domains and fault domains in each region. Both Oracle and you are responsible for the infrastructure security of hardware, software, and the associated logical configurations and controls.

As a customer, your security responsibilities encompass the following:

  • The platform you create on top of Oracle Cloud.
  • The applications that you deploy.
  • The data that you store and use.
  • The overall governance, risk, and security of your workloads.

The shared responsibility extends across different domains:

Identity and Access Management (IAM) Workload Security Data Classification and Compliance Host Infrastructure Security
Network Security Client and Endpoint Protection Physical Security


Securing the Complete EBS Stack in Cloud

Cloud services have become an essential part of modern business, increasing both opportunities and risks. Oracle provides security features and options at every layer of the cloud.

  • Technology: Robust, layered defenses span IaaS, PaaS, and SaaS, extending security to the network, hardware, chip, operating system, storage, and application layers, bolstered by new security cloud services.
  • Process: Security policies and controls are maintained by people and technology at physical data centers.
  • People: The Oracle Cloud employs talented, industry-leading cybersecurity professionals who are trained on Oracle Software Security Assurance practices.
  • Physical: Data centers are built around multi-layered physical defences designed to allow authorized people in and keep unauthorized people out.

Does EBS to OCI Change Security Responsibilities?

You are responsible regardless of where it is stored. How to ensure your security posture is intact in the cloud may differ from organization to organization and it is definitely your responsibility. The shared responsibility model is spelled out in the terms of services document of every CSP from Microsoft to Amazon or even Oracle. Even today it is arguably the least understood and most misconceived concept. Simply put, the shared responsibility model outlines the CSP’s responsibility to maintain a secure and continuously available service and enterprises’ responsibility to ensure secure use of the service.

Oracle Cloud Infrastructure (OCI) is designed with services and features that constitute the seven core security pillars. They are:

Seven Core Security Pillars of Oracle Cloud Infrastructure

De-risk Cloud Migration

Design Principles for EBS Security

Apply the following design principles to deploy, operate, and use your applications securely in Oracle Cloud Infrastructure:

  • Understand and implement the security services and features of Oracle Cloud Infrastructure.
  • Understand the shared security responsibility model when assessing cloud.
  • Implement the principles of least privilege and separation of duties. -Limit privileges as much as possible. Users should be given only the access that’s essential to perform their work. Review user privileges periodically to determine relevance to the current work requirements.
  • Implement multilayer security mechanisms.
  • Protect data at rest and in transit.
  • Monitor and respond to security events. -Monitor system activity. Establish who should access which system components, and how often; and monitor those components.
  • Stay up to date on security alerts, patches, and software updates.
  • Implement security-related best practices.


The shared security model over the Cloud IaaS brings substantial responsibility on the shoulders of the customer. This can be reasonably addressed with careful planning, implementation and monitoring.

Gartner recommends to rely on the expertise of a third-party Oracle managed service provider (MSP/MSE) to fully understand all of the addressable responsibilities and capabilities of both the client organization and Oracle, guaranteeing continuity and security of their environments running on OCI.

Sources –
1 QuinStreet Enterprise, “2015 Security Outlook: Meeting Today’s Evolving Cyber-Threats,”
2 Ponemon Institute, “The Cost of Malware Containment,” 2015.
3 Leviathan Security Group, “Quantifying the Cost of Cloud Security,”
4 Crowd Research Partners, “Cloud Security: 2016 Spotlight Report,”

Subscribe to our blog

Related Posts