Oracle's Security Responsibilities

Security in the cloud is a shared responsibility between you and Oracle. In general, Oracle provides security of cloud infrastructure and operations, such as cloud operator access controls and infrastructure security patching.

Oracle is responsible for the following security requirements. Except where noted, these points are not covered in further detail in this guide.

Area Details

Physical security

Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.

Security patching

Oracle conducts security patching monthly to ensure that Oracle Cloud Infrastructure services have up-to-date security patches.

Network security

  • DDoS attack detection and mitigation

    Oracle Cloud Infrastructure provides automated Distributed Denial of Service (DDoS) attack detection and mitigation of high-volume Layer 3/4 DDoS attacks. Oracle's tools and processes protect against network-based attacks, also known as volume-based attacks. You can enable additional network protection by subscribing to the Oracle Web Application Firewall (WAF) service.

  • Network access

    All public traffic is terminated using one of the following methods:

    • Customer-built APIs: TLS 1.2 or higher.

    • Built-in APIs: As set by the Oracle Cloud Infrastructure regional OpenID Connect (OIDC) proxy, TLS 1.2 or higher.

    You can restrict which networks have access to Oracle Integration instances by configuring an allowlist (formerly known as whitelist). See Restrict Access to an Instance in Provisioning and Administering Oracle Integration 3.

    Allowlists are also covered in this guide. See Control Network Access.

  • Private endpoint

    You can secure outbound traffic to specific resources by using a private endpoint. See Connect to Private Resources in Provisioning and Administering Oracle Integration 3.

    Private endpoints are also covered in this guide. See Control Network Access.

Data that you provide

Oracle Integration protects and encrypts all data received by using Oracle-managed keys.

Security and vulnerability scanning

Oracle performs security and vulnerability scanning using the Oracle Vulnerability Scanning service. Additionally, a process is available if your organization wants to run a vulnerability scan. See Oracle Cloud Security Testing Policies in the Oracle Cloud Infrastructure Documentation.

Compliance

Oracle Integration has reached compliance for SOC 1, SOC 2, ISO 27001, PCI DSS, and HIPAA. Certification details are available upon request, with some requiring an NDA Master Agreement with Oracle.

For publicly available information, see Oracle Cloud Compliance.

Data encryption

  • Oracle follows all the guidelines from Oracle Cloud Infrastructure Vault and Oracle Cloud Infrastructure Secrets for rotating the service instance encryption keys.

  • Oracle encrypts data at rest and data over the wire.

  • All inbound traffic is protected by either TLS or SFTP, which are used for secure encrypted transport. The following encryption options are available for inbound traffic:

    • HTTP over TLS: This encryption option is available for inbound traffic to Oracle Integration and File Server. If you use REST APIs to access either resource, this encryption option is always used.

    • SFTP: This encryption option connects to an FTP port directly, without using HTTP, and is available for inbound traffic to File Server.

Data durability

Oracle takes regular backups of your data.

Oracle recommends that each organization also perform its own backups. See Data Visibility.

Service tenancy durability

Oracle is responsible for the retention of the data in the activity stream. Oracle retains the data for the time period specified by your Oracle Integration edition. See Oracle Integration Editions in Provisioning and Administering Oracle Integration 3.

Your organization determines the level of data that is included in the activity stream as well as the retention period. For details, see Data Visibility.

Process isolation and data isolation

Oracle isolates data by service instance. Each service instance stores its data individually.