Under the Oracle Cloud Infrastructure (OCI) Shared Security Responsibility Model, security is a shared effort between Oracle and the customer. Oracle is responsible for the security of the cloud, which includes the physical data centers and the core infrastructure. The customer is responsible for security in the cloud. This includes protecting their own data, managing user access, and configuring the security of their cloud resources. Configuring network security features like firewalls, security lists, and network security groups within their Virtual Cloud Network (VCN) is a fundamental customer responsibility to control traffic to and from their applications and workloads.

A. Ensuring the integrity of the underlying cloud infrastructure is Oracle's responsibility. The customer builds on top of this infrastructure, but does not manage its core integrity.

B. Physical security of data centers, including access controls and environmental protections, is exclusively managed by Oracle as the cloud provider.

C. Management of hardware firmware and patching the underlying hypervisors are Oracle's responsibilities to maintain the security and stability of the cloud infrastructure.

1. Oracle Cloud Infrastructure Documentation

"Security Overview": This document explicitly outlines the shared model. Under the "Customer Responsibilities" section for "Network security

" it states the customer is responsible for the "Configuration of virtual network

subnets

routing tables

and gateways. Configuration of security lists

network security groups

and network firewalls." Conversely

under "Oracle Responsibilities

" it lists "Hardware

software

networking

and facilities that run Oracle Cloud services." This directly supports option D and refutes A

B

and C.

Source: Oracle Cloud Infrastructure Documentation

"Security Overview"

Section: "Shared Security Responsibility Model".

2. Oracle Cloud Infrastructure Security Guide: This guide details the customer's role in securing their tenancy. It emphasizes that customers must configure network controls to secure their workloads.

Source: Oracle Cloud Infrastructure Security Guide

Section: "Securing the Network"

Paragraph 1. "You are responsible for securing your cloud network and its perimeters."

3. Oracle Cloud Infrastructure Documentation

"Overview of Networking": This document describes the components of a VCN that customers must configure

including Security Lists and Network Security Groups

reinforcing that this configuration is a customer task.

Source: Oracle Cloud Infrastructure Documentation

"Overview of Networking"

Section: "Comparing Security Lists and Network Security Groups".