OCI Zero Trust Packet Routing

Prevent unauthorized access to data by managing network security policy separately from the underlying network architecture with Oracle Cloud Infrastructure (OCI) Zero Trust Packet Routing—generally available soon. Using an easily understood and intent-based policy language, security administrators can define specific access pathways for data. Traffic that is not explicitly allowed by policy cannot travel the network, improving security while simplifying the work of security, network, and audit teams.

What is OCI Zero Trust Packet Routing? (2:21)

OCI Zero Trust Packet Routing enables organizations to set security attributes on resources and write natural language policies that limit network traffic based on the resources and data services accessed. This effort is based on the 2023 initiative to develop a new open standard for Zero Trust Packet Routing (ZPR) with Applied Invention and other organizations. With ZPR, organizations can protect themselves from one of the most common causes of compromise—network misconfigurations. OCI is the first cloud provider to implement Zero Trust Packet Routing into its platform.

Why OCI Zero Trust Packet Routing (OCI ZPR)

  • Enhance security

    OCI ZPR improves traditional data security by restricting the potential paths for data exfiltration, even for authorized users, minimizing the attack surface area.

  • Reduce administrative burden

    Databases with guessable credentials can be breached in minutes; just one line of ZPR policy can prevent a database from being exposed.

  • Simplify compliance

    OCI ZPR helps make audit and compliance response easier by providing visibility via clear policies and security labels applied to data sources.

Product Tour

Introducing OCI

Introducing OCI

OCI Zero Trust Pack Routing (OCI ZPR) provides an easily managed way to secure access to data. Leveraging the principles of zero trust and least privilege, OCI ZPR restricts access based on policies and security attributes. These policies are enforced at the network layer. Any request that doesn’t originate from a source allowed by ZPR policy will not be able to reach the database.

How to access OCI ZPR

How to access OCI ZPR

You can access OCI ZPR from the OCI console menu bar under Identity & Security.

Get started from the OCI ZPR

Get started from the OCI ZPR overview page

The OCI ZPR overview page provides guidance and links to update OCI ZPR security attributes, write OCI ZPR policies, and apply security attributes to protected OCI resources.

Manage OCI ZPR security attribute namespaces

Manage OCI ZPR security attribute namespaces

An OCI ZPR security attribute namespace creates a security model for your OCI ZPR implementation. It defines the set of security attributes that OCI ZPR policies will use to allow or deny access.

To create a new namespace, click Create Security Attribute Namespace.

Create OCI ZPR security attribute

Create OCI ZPR security attributes

Within an OCI ZPR security attribute namespace, create the set of security attributes that you’ll use to write OCI ZPR policies. These may be used, for example, to identify compute instances or databases associated with a particular application.

Manage OCI ZPR policies

Manage OCI ZPR policies

Create and manage OCI ZPR policies with the built-in policy editor. You can use the OCI ZPR policy wizard, select a template based on common scenarios, or write your own policies.

Apply security attributes to OCI resources

Apply security attributes to OCI resources

Apply the policies you develop to OCI resources you wish to protect. OCI ZPR will then disallow traffic that doesn't conform to policy. This helps prevent unwanted data exfiltration by limiting requests to approved paths.

How OCI Zero Trust Packet Routing works

OCI ZPR can be used to help secure access to data within an OCI tenancy.
This diagram explains – in three steps – how OCI ZPR can be used to help secure access to data within an OCI tenancy. In the first step, “Establish security model,” identify the resources you wish to protect, then create related OCI ZPR security namespaces and attributes for each. Next, in the second step, Deploy OCI ZPR policies to express your security intent. For example, a policy might allow compute instances tagged with a specific security attribute to access database resources tagged with another security attribute. Finally, in the third step, apply security attributes to the in-scope data and compute resources. Once policies are in place and security attributes are applied, OCI will prevent access to data that originates outside the specific path you’ve defined in your OCI ZPR policies.

Explore the OCI Zero Trust Packet Routing architecture

Watch Pradeep Vincent, Chief Technical Architect at OCI, explain how OCI Zero Trust Packet Routing architecture helps protect against data breaches.

Industry perspectives on ZPR

  • “Traditional security tools try to protect sensitive data by blocking access, but history shows it is almost impossible to anticipate all the ways a hacker might attempt to infiltrate a network. With Zero Trust Packet Routing, the network does not allow any data to move through the network without explicit permission. Organizations using Oracle Cloud Infrastructure can now take advantage of this to better safeguard their data. Oracle is the first to offer this new level of security, and we’re hopeful other cloud platforms will follow.”

    Danny Hillis
    Co-founder, Applied Invention
  • “As public clouds emerged, enterprises had the opportunity to redefine how they address network security. However, they carried over most of the same concepts that tightly coupled security and network configuration. A single mistake in a highly complex cloud network can result in exposure. OCI Zero Trust Packet Routing enables organizations to decouple network configuration from security, helping to eliminate the effects of human network configuration errors. This new standard driven by Oracle flips this all too often checkbox item on its head to provide an innovative solution for organizations that simplifies compliance efforts, reduces the burden on security teams, and ultimately strengthens security.”

    Philip Bues
    Senior Research Manager, Cloud Security, IDC

Get started with Oracle Cloud Infrastructure

Try Oracle Cloud Free Tier

Build, test, and deploy applications on Oracle Cloud—for free.

Contact sales

Interested in learning more about Oracle Cloud Infrastructure? Let one of our experts help.