Under the Oracle Cloud Infrastructure (OCI) Shared Security Responsibility Model, security is a partnership between Oracle and the customer. Oracle is responsible for the security of the cloud, which includes the physical data centers, host infrastructure, and the underlying network. The customer is responsible for security in the cloud.

This includes configuring network-level security controls like Security Groups and Network Access Control Lists (ACLs) to control traffic flow to their resources. Additionally, the customer is responsible for protecting their data, which involves implementing and managing data encryption for data in transit and at rest, ensuring their applications and connections use secure protocols like TLS.

B. OCI Platform Compliance Audits: Oracle is responsible for the compliance and audits of its own cloud platform and infrastructure, providing customers with attestation reports.

C. Patch Management of the OCI Hypervisor: The hypervisor is part of the core virtualization infrastructure, and its security and patching are solely Oracle's responsibility.

D. Physical Security of Cloud Infrastructure: Securing the physical data centers, including access control and environmental protections, is a fundamental responsibility of Oracle as the cloud provider.

1. Oracle Cloud Infrastructure Documentation

Security

"Overview of Security": This document outlines the shared model. It states

"You are responsible for securely configuring network elements such as virtual networks

subnets

gateways

and firewalls." This directly supports option A. It also states

"You are responsible for data classification

data encryption

and backups

" which supports option E.

Reference: Oracle Cloud Infrastructure Documentation > Security > Overview of Security > Shared Security Responsibility Model section.

2. Oracle Cloud Infrastructure Security Guide: This guide details the security approach. In the "Security Responsibilities" section

it clearly delineates tasks. Customer responsibilities include "Network Controls" (like Security Lists and Network Security Groups) and "Data Classification and Compliance

" which encompasses managing data encryption. Oracle's responsibilities are listed as "Physical Security

" "Host Infrastructure Security" (including the hypervisor)

and "Network Infrastructure Security."

Reference: Oracle Cloud Infrastructure Security Guide PDF

"Security Responsibilities" chapter

pages 6-8.