Welcome to this module on OCI security. Let's start with an introduction. In security, you always hear this term called shared security model. What does this actually mean? Well, in an on-premises environment, you own the whole stack and you are responsible for security end-to-end. As you move to the Cloud, some of the responsibilities transferred to the Cloud provider in this case Oracle, and some are detained by you, so that is what we mean by a shared security model. What does it look like in the Cloud? Well, in the cloud, Oracle Cloud Infrastructure is responsible for security of the Cloud, which means things like the physical data center, the physical network, the physical host, even virtualization layer making sure it's pursed and it's up-to-date. All those are responsibilities of Oracle. That's basically the security of the Cloud. You are responsible for security in the Cloud. What does that mean? Well, that means you are responsible for the data, you are responsible for the endpoints devices, mobile or PCs or your servers over your PCs which are accessing them, and you are responsible for account and Access Management. Identities and Access Management. There are some other things you are responsible for, like if you're using operating systems, you need to make sure they are patched and kept up to date. This is the model in the Cloud, some responsibility shift to the Cloud provider. Some responsibilities are still retained by you. Let us look at the OCI security portfolio available currently in OCI. I have put in this slide the use cases and the services, so you really understand not just the services, but you also understand the context in which they operate. The first layer builds on layered approach, and it's also good because it shows you that the security follows defense in depth, meaning you have security in different layers of the stack. It's security is not just an add-on, it's not just something that you access separately, it's defense in depth. It is available at different layers of the stack. The first thing we start with is Infrastructure Protection and this basically we have several services for DDoS, Web Application Firewall, etc. which helps with Infrastructure Protection. DDoS can be categorized into layer of seven, layer 3 and four, and we have services for each of the layers. WAF helps with some of the layer seven DDoS protection and layer 3 and layer 4 DDoS protection is turned on by default. Then, moving beyond that, you need to protect the operating system and workload protection. We have several capabilities to help there. We have a service called OS management, which helps with automating patches and simplifying package deployment, we have bare-metal servers, or you could have dedicated host which you could isolate in a single tenant model, etc. Then on top of that, we have these set of services which provide you intelligence on security detection and also automatic remediation. Sometimes these are referred to as Cloud Security Posture Management capabilities, CSPM, and under this services, we have a whole lot of capabilities like Cloud Guard and Security Zones, and we'll look into each of these in subsequent lessons. Data Protection is as important as always, and there are many services which you can leverage, including key management provided through a service called Vault. There's a service called Data Safe which is available with our Cloud databases, etc. One thing to keep in mind here is encryption is always turned on by default in OCI. On top of that, you have Identity and Access Management, where you can manage authentication and authorization and also things like multi-factor authentication. This is our security line up. The thing to keep in mind is defense in depth, so security, as you can see here, is implemented at various layers of the stack. How does these all operate? As you can see in this graphic here, you have an environment where you have some virtual networks and you are using various security services. Whether it's vulnerability scanning, whether it's auditing, whether it's Bastion surveys on the vault or the Identity Access Management Service. Again, in the next subsequent lesson, we'll get into many of these services in detail. But just keep in mind, we have a very broad and extensive set of security services. Just to recap in the Cloud, when you move to the Cloud basically you get this shared security model. You are responsible for some of the security aspects and the Cloud provider takes care of the other aspects. Security is not just one service or an add-on, there's a whole extensive set of services available in different layers of the stack. We went over some of those. Next lessons we will look into some of these in greater details. I hope you found this lesson useful. Thanks for watching.
