OCI Zero Trust Packet Routing

Prevent unauthorized access to data by managing network security policy separately from underlying network architecture with Oracle Cloud Infrastructure (OCI) Zero Trust Packet Routing. Using an intuitive and intent-driven policy language, security administrators can define specific access pathways for data. Traffic that isn’t explicitly allowed by policy can’t travel the network, improving security while streamlining operations for security, network, and audit teams.

OCI Zero Trust Packet Routing lets organizations assign human-readable security attributes to resources and create policies in natural language to manage network traffic based on resource and data service access. The software stems from an initiative with Applied Invention and other organizations to develop a new open standard for zero trust packet routing. Unlike traditional, error-prone internet protocol (IP)–based rules, zero trust packet routing establishes clear trust boundaries, fills gaps in legacy controls, and guards against network misconfigurations—one of the most common causes of compromise.

OCI Zero Trust Packet Routing helps prevent lateral movement and, when integrated with OCI Private Service Access and identity and access management (IAM) deny statements, mitigates risks associated with compromised credentials and data exfiltration. The latest release broadens service coverage and improves visibility, providing a simpler, more resilient, and smarter zero trust security framework. Oracle is the first cloud provider to implement zero trust packet routing into its cloud platform.

Zero Trust, Maximum Resilience

Traditional perimeter security is no longer sufficient. Learn how a zero trust approach can help protect your systems in the cloud and on-premises from advanced threats, insider risks, and other vulnerabilities.

Why use OCI Zero Trust Packet Routing?

  • Enhance security

    OCI Zero Trust Packet Routing improves traditional data security by restricting the potential paths for data exfiltration—even for authorized users—thereby minimizing the attack surface area.

  • Reduce administrative burden

    Databases with guessable credentials can be breached in minutes; just one line of OCI Zero Trust Packet Routing policy can prevent a database from being exposed to threats.

  • Simplify compliance

    OCI Zero Trust Packet Routing helps streamline audit and compliance processes by providing visibility via clear policies and security labels applied to data sources.

  • Address key security threats

    OCI Zero Trust Packet Routing helps prevent lateral movement within networks, restricts data exfiltration through strict access controls, and mitigates the impact of compromised credentials by integrating OCI Private Service Access and IAM deny statements.

Product tour

Introducing OCI ZPR

Easily secure access to data

OCI Zero Trust Packet Routing provides an easily managed way to secure access to data. Leveraging the principles of zero trust and least privilege, OCI Zero Trust Packet Routing restricts access based on policies and security attributes. These policies are enforced at the network layer. Any request that doesn’t originate from a source allowed by OCI Zero Trust Packet Routing policy won’t be able to reach the database.

How to access OCI Zero Trust Packet Routing

You can access OCI Zero Trust Packet Routing from the OCI console menu bar under Identity & Security.

Get started from the overview page

The OCI Zero Trust Packet Routing overview page provides guidance and links to update security attributes, write policies, and apply security attributes to protected OCI resources.

Manage security attribute namespaces

An OCI Zero Trust Packet Routing security attribute namespace creates a security model for your implementation. It defines the set of security attributes that OCI Zero Trust Packet Routing policies will use to allow or deny access.

To create a new namespace, click Create Security Attribute Namespace.

Create security attributes

Within an OCI Zero Trust Packet Routing security attribute namespace, create the set of security attributes that you’ll use to write policies. These may be used, for example, to identify compute instances or databases associated with a particular application.

Manage policies

Create and manage OCI Zero Trust Packet Routing policies with the built-in policy editor. You can use the policy wizard, select a template based on common scenarios, or write your own policies.

Apply security attributes to OCI resources

Apply the policies you develop to OCI resources you wish to protect. OCI Zero Trust Packet Routing will then disallow traffic that doesn’t conform to policy. This helps prevent unwanted data exfiltration by limiting requests to approved paths.

How OCI Zero Trust Packet Routing works

This diagram explains – in three steps – how OCI ZPR can be used to help secure access to data within an OCI tenancy. In the first step, “Establish security model,” identify the resources you wish to protect, then create related OCI ZPR security namespaces and attributes for each. Next, in the second step, deploy OCI ZPR policies to express your security intent. For example, a policy might allow compute instances tagged with a specific security attribute to access database resources tagged with another security attribute. Finally, in the third step, apply security attributes to the in-scope data and compute resources. Once policies are in place and security attributes are applied, OCI will prevent access to data that originates outside the specific path you’ve defined in your OCI ZPR policies.

OCI implementation of the open zero trust policy language

OCI Zero Trust Packet Routing implements the open zero trust policy language using the OCI Zero Trust Packet Routing policy enforcement language, which is designed specifically for OCI virtual cloud networks. It adheres to the open zero trust packet routing specification while providing native enforcement and scalability in OCI.
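
As an added illustration (not Oracle's code, and not the actual ZPR policy grammar), the Python below models the three steps described above and the default-deny evaluation the policy language expresses: a security namespace with attributes, a one-line statement of intent, attributes applied to resources, and a check that allows a flow only when some statement matches the source's attribute, the destination's attribute and the protocol. IP addresses never grant access. The statement syntax, the names such as app:tier:web, and the endpoint inventory are all constructed for this example.

```python
# Added example: a small model of attribute-based, default-deny packet routing
# policy. It is not Oracle's implementation; the statement form below is an
# illustrative approximation of an intent-driven policy language, and every
# endpoint, address and attribute name is constructed for the demonstration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    attributes: frozenset  # security attributes written "namespace:attribute:value"


@dataclass(frozen=True)
class Rule:
    src_attr: str
    dst_attr: str
    protocol: str  # e.g. "tcp/1521"


# Step 1: establish the security model (a namespace and the attributes it defines).
NAMESPACE = "app"  # assumed name
WEB = f"{NAMESPACE}:tier:web"
DB = f"{NAMESPACE}:tier:db"

# Step 2: express intent in policy. Comments and blank lines are ignored.
POLICY_TEXT = """
# Only web-tier endpoints may open SQL*Net connections to db-tier endpoints.
allow app:tier:web endpoints to connect to app:tier:db endpoints with protocol='tcp/1521'
"""

_STMT = re.compile(
    r"^allow (\S+) endpoints to connect to (\S+) endpoints with protocol='([^']+)'$"
)


def parse_policy(text: str) -> list[Rule]:
    """Parse policy statements; anything that is not a comment must match the grammar."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _STMT.match(line)
        if m is None:
            raise ValueError(f"unrecognised policy statement: {line!r}")
        rules.append(Rule(*m.groups()))
    return rules


# Step 3: apply security attributes to the in-scope resources.
def tag(endpoint: Endpoint, attr: str) -> Endpoint:
    """Return a copy of the endpoint carrying one more security attribute."""
    return Endpoint(endpoint.name, endpoint.ip, endpoint.attributes | {attr})


def is_allowed(rules: list[Rule], src: Endpoint, dst: Endpoint, protocol: str) -> bool:
    """Default deny: the flow passes only if a rule matches a source attribute,
    a destination attribute and the protocol. The IP addresses play no part."""
    return any(
        r.src_attr in src.attributes and r.dst_attr in dst.attributes and r.protocol == protocol
        for r in rules
    )


RULES = parse_policy(POLICY_TEXT)
web = tag(Endpoint("web-01", "10.0.1.10", frozenset()), WEB)
db = tag(Endpoint("db-01", "10.0.2.20", frozenset()), DB)
# Constructed host in the same subnet as the web tier but never given an attribute.
stray = Endpoint("host-99", "10.0.1.99", frozenset())


def demo() -> dict[str, bool]:
    """Evaluate a few constructed flows against the policy."""
    return {
        "web->db tcp/1521": is_allowed(RULES, web, db, "tcp/1521"),
        "web->db tcp/22": is_allowed(RULES, web, db, "tcp/22"),
        "stray->db tcp/1521": is_allowed(RULES, stray, db, "tcp/1521"),
        "db->web tcp/1521": is_allowed(RULES, db, web, "tcp/1521"),
    }


if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:22s} {'ALLOW' if ok else 'DENY'}")
```

Only the web-to-database flow on the declared protocol is allowed; the unattributed host is denied even though it sits in the web tier's subnet, and the reverse direction is denied because no statement expresses it. That is the decoupling the page describes: the rule set says nothing about addresses or subnets, so a network misconfiguration that places an unexpected host next to the web tier does not by itself open a path to the database.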

Explore the OCI Zero Trust Packet Routing architecture

Watch Pradeep Vincent, Chief Technical Architect at OCI, explain how OCI Zero Trust Packet Routing architecture helps protect against data breaches.

Industry perspectives

  • “Traditional security tools try to protect sensitive data by blocking access, but history shows it is almost impossible to anticipate all the ways a hacker might attempt to infiltrate a network. With Zero Trust Packet Routing, the network does not allow any data to move through the network without explicit permission. Organizations using Oracle Cloud Infrastructure can now take advantage of this to better safeguard their data. Oracle is the first to offer this new level of security, and we’re hopeful other cloud platforms will follow.”

    Danny Hillis
    Co-founder, Applied Invention
  • “As public clouds emerged, enterprises had the opportunity to redefine how they address network security. However, they carried over most of the same concepts that tightly coupled security and network configuration. A single mistake in a highly complex cloud network can result in exposure. OCI Zero Trust Packet Routing enables organizations to decouple network configuration from security, helping to eliminate the effects of human network configuration errors. This new standard driven by Oracle flips this all too often checkbox item on its head to provide an innovative solution for organizations that simplifies compliance efforts, reduces the burden on security teams, and ultimately strengthens security.”

    Philip Bues
    Senior Research Manager, Cloud Security, IDC
