Oracle Exadata Cloud@Customer Security: Who Controls What? | ExaGuru
Exadata Cloud@Customer · Security Architecture · 2026

Oracle Exadata Cloud@Customer Security Explained: Who Controls What?

ExaCC sits inside your data center but runs on OCI's control plane — and that hybrid topology creates real confusion about who owns each security layer. This guide maps the shared responsibility model from physical racks to TDE keys.

Series: ExaCC Security
Read: ~24 min
Audience: Security, DBAs, Architects

01 · Introduction

Security for Oracle Exadata Cloud@Customer (ExaCC) often triggers conflicting assumptions. Because the physical rack sits directly inside your private data center, infrastructure teams frequently assume they own the entire environment. Conversely, compliance officers look at the cloud control plane connection and assume Oracle handles everything.

Neither view is accurate. ExaCC operates on a strict shared responsibility model — Oracle secures and manages the infrastructure, while customers remain responsible for their databases, users, applications, and business data.

The ExaCC shared responsibility model means Oracle manages OCI control plane operations and bare-metal infrastructure (Dom0, storage cells, network switches), while the customer retains exclusive control of guest VMs (DomU), database instances, IAM policies, TDE master keys, and application data.

  1. Seven layered security dimensions must all be addressed for an audit-ready deployment.
  2. Control Plane (Oracle) and Customer Plane (you) split at the hypervisor boundary.
  3. TDE is mandatory — but encryption alone does not replace Database Vault, IAM, or network segmentation.


02 · Dimensions of ExaCC Security Architecture

ExaCC blends on-premises and cloud paradigms. Because the OCI control plane runs inside your data center, security is a defense-in-depth layered architecture — not a single toggle or firewall rule.

Operational Security — patching, governance, audit trails
Database Security — users, roles, profiles, authentication
Data Security — TDE, masking, encryption in transit
Identity Security — OCI IAM, federation, dynamic groups
Network Security — VCNs, NSGs, client/backup networks
Infrastructure Security — compute nodes, storage cells, Dom0
Physical Security — DC access, power, environmental controls

Figure 1 · Seven layered security dimensions for Oracle Exadata Cloud@Customer

| Layer | Scope | Primary Owner |
|---|---|---|
| Physical Security | Data center access, biometrics, surveillance, PDUs | Customer DC |
| Infrastructure Security | Storage cells, compute nodes, hypervisor (Dom0) | Oracle |
| Network Security | VCNs, subnets, DRGs, rack switches | Shared |
| Identity Security | OCI IAM, federation, API keys, dynamic groups | Customer |
| Database Security | DB users, roles, schema privileges, profiles | Customer |
| Data Security | TDE at rest, SQL*Net/TLS in transit, data masking | Customer |
| Operational Security | Patching schedules, governance, audit logging | Shared |

03 · The ExaCC Shared Responsibility Model

ExaCC splits administration into the Control Plane (Oracle) and the Customer Plane (your DBAs and cloud engineers).

Oracle Responsibilities

  • Hardware, firmware, storage cells, network switches
  • Hypervisor & Dom0 — no customer root access
  • Infrastructure patching and proactive hardware monitoring

Customer Responsibilities

  • DomU guest OS, Grid Infrastructure, Oracle Database
  • OCI IAM policies and database user access controls
  • TDE keys, backups, unified auditing, application security

Oracle (Control Plane): no access to DomU, no SQL, no TDE keys
Customer (Customer Plane): exclusive data custody and encryption key ownership

Figure 2 · Control Plane vs Customer Plane administrative boundaries


04 · How OCI IAM Secures ExaCC

OCI IAM on ExaCC is the primary gateway to your resource lifecycle. Compromised cloud admin credentials can delete database clusters without a single SQL command.

OCI IAM uses Compartments, Groups, and Policies under a default-deny paradigm. Isolate ExaCC clusters in dedicated compartments (e.g., Root → Production → Data_Platform → ExaCC_Prod).

/* Exadata Cloud Database Administrators */
Allow group ExaCC_DBAs to manage cloud-vm-clusters in compartment Data_Platform
Allow group Security_Auditors to inspect cloud-vm-clusters in compartment Data_Platform

Use Dynamic Groups for VM-based OCI API access instead of long-lived API keys:

ANY {instance.compartment.id = 'ocid1.compartment.oc1..exampleprodcompartmentid'}
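
As an added example (not part of the original page or of any Oracle tooling), this sketch audits policy statements of the shape shown above for grants that break compartment-scoped least privilege. It handles only a subset of the policy grammar; the `Cloud_Admins` and `App_Team` statements are constructed samples, and the finding rules are assumptions about what a review should flag.

```python
import re

# Subset of the OCI policy grammar, enough for statements shaped like the page's.
STATEMENT = re.compile(
    r"^allow\s+(?P<subject>any-user|(?:dynamic-group|group)\s+\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)

def audit_statement(stmt):
    """Return least-privilege findings for one policy statement ([] if clean)."""
    m = STATEMENT.match(stmt.strip())
    if not m:
        return ["unparsed statement: review manually"]
    verb, resource = m["verb"].lower(), m["resource"].lower()
    findings = []
    if m["subject"].lower() == "any-user" and not m["cond"]:
        findings.append("any-user with no where clause")
    if m["scope"].lower() == "tenancy":
        findings.append("tenancy-wide scope: bind to the ExaCC compartment")
    if resource == "all-resources":
        findings.append("all-resources: name the resource type")
    elif verb == "manage" and resource.endswith("-family"):
        findings.append("manage on a whole family: narrow the resource type")
    return findings

def audit_policy(text):
    """Map each flagged statement to its findings; clean statements are omitted."""
    report = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("/*"):   # skip blanks and label lines
            findings = audit_statement(line)
            if findings:
                report[line] = findings
    return report

# Constructed input: the page's two statements plus two hypothetical broad grants.
SAMPLE = """\
/* Exadata Cloud Database Administrators */
Allow group ExaCC_DBAs to manage cloud-vm-clusters in compartment Data_Platform
Allow group Security_Auditors to inspect cloud-vm-clusters in compartment Data_Platform
Allow group Cloud_Admins to manage all-resources in tenancy
Allow group App_Team to manage database-family in compartment Data_Platform
"""

if __name__ == "__main__":
    for stmt, findings in audit_policy(SAMPLE).items():
        print(f"{stmt}\n    -> {'; '.join(findings)}")
```
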

05 · How Your Data Is Protected

Data protection within ExaCC is anchored around Transparent Data Encryption (TDE) — encrypting data before commit to block storage and decrypting in the SGA buffer cache.

When you provision a database on ExaCC, TDE is enabled by default and cannot be disabled. The Master Encryption Key wraps tablespace keys and is stored in an Oracle Wallet or OCI Vault HSM.

| Network Plane | Protection | Configuration |
|---|---|---|
| Internal Interconnect | Physically isolated RoCE/InfiniBand inside the rack | Not snoopable from corporate LAN |
| Client Connections | SQL*Net Native Encryption or TLS/TCPS | SQLNET.ENCRYPTION_SERVER = REQUIRED |
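
Why the client-connection row calls for `REQUIRED` rather than a weaker level, as an added example that is not from the original page: the sketch reads `SQLNET.ENCRYPTION_SERVER` from a sqlnet.ora and lists the client settings that would still negotiate an unencrypted session. It covers native network encryption only (not TLS/TCPS), and the sample files are constructed.

```python
import re

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")

def parse_sqlnet(text):
    """Parse KEY = VALUE lines of a sqlnet.ora into a dict (keys/values upper-cased)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([\w.]+)\s*=\s*(\S.*)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().upper()
    return params

def negotiate(server, client):
    """Outcome of native network encryption negotiation for one session."""
    pair = {server, client}
    if "REJECTED" in pair:
        return "FAIL" if "REQUIRED" in pair else "CLEARTEXT"
    if pair == {"ACCEPTED"}:
        return "CLEARTEXT"
    return "ENCRYPTED"

def cleartext_clients(sqlnet_text):
    """Client settings that still get an unencrypted session from this server."""
    # ACCEPTED is the effective value when the parameter is absent.
    server = parse_sqlnet(sqlnet_text).get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED")
    if server not in LEVELS:
        raise ValueError(f"unknown SQLNET.ENCRYPTION_SERVER value: {server}")
    return [c for c in LEVELS if negotiate(server, c) == "CLEARTEXT"]

# Constructed sqlnet.ora samples (not taken from a real system).
CONFIGS = {
    "parameter absent": "# no encryption settings\n",
    "requested": "SQLNET.ENCRYPTION_SERVER = requested  # opportunistic\n",
    "required": "SQLNET.ENCRYPTION_SERVER = REQUIRED\n",
}

if __name__ == "__main__":
    for name, text in CONFIGS.items():
        gaps = cleartext_clients(text)
        print(f"{name:17} cleartext possible with client = {gaps or 'none'}")
```
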

06 · Can Oracle Access Customer Databases?

Can Oracle pull data from your application tables? No. The technical isolation sits at the hypervisor layer.

Exadata compute nodes run Dom0 (Oracle-managed hypervisor) isolated from DomU guest VMs where you hold exclusive root access. Oracle's infrastructure tools cannot cross this OS boundary.

Diagram elements: OCI Commercial Cloud; customer data center firewall; ExaCC infrastructure management layer (Dom0); crypto / OS privilege boundary; customer guest VMs (DomU), root: customer only.

Figure 5 · Secure tunnel, firewall, and Dom0/DomU privilege boundary


07 · ExaCC Security Best Practices

  1. Private Endpoints & NSGs: Restrict port 1521/2484 to application tier IPs only.
  2. MFA & IdP Federation: Federate OCI IAM with Entra ID or Okta; enforce MFA on admin accounts.
  3. Oracle Database Vault: Block privileged DBAs from querying sensitive application schemas.
  4. Unified Auditing + External SIEM: Stream audit trails to immutable external logging.

08 · How Enterprises Secure Production ExaCC

PCI DSS · Retail Bank

Database Vault + TDE with OCI HSM + TLS 1.3 mTLS on all SQL connections.

HIPAA · Healthcare

Dedicated OCI compartment, data masking on clones, Audit Vault + Database Firewall.

Sovereignty · Government

Inspected control-plane traffic, OCI Government Cloud region, federated AD groups.

Hybrid · Global Enterprise

FastConnect + Direct Connect to AWS, Okta federation to OCI IAM for unified SSO.


09 · Common Security Misconceptions

Misconception 1

Oracle owns my customer databases.

Oracle manages Dom0 and storage cells only. You own DomU VMs, database software, schemas, and accounts.

Misconception 2

Oracle can view data via the control plane tunnel.

The tunnel is limited to infrastructure APIs. Oracle has no DomU login access or TDE master passwords.

Misconception 3

TDE solves every access control challenge.

TDE protects data at rest against physical theft, but it decrypts transparently for authenticated users. Pair it with Database Vault or VPD for logical access control.

Misconception 4

OCI IAM fully secures database assets.

IAM controls cloud lifecycle only. Users with DB credentials can still connect via SQL*Net.

Misconception 5

Encryption replaces database auditing.

Encryption protects data; auditing tracks behavior. Configure Unified Auditing for compliance and forensics.

Misconception 6

ExaCC is automatically compliant.

Oracle provides a compliant platform; your configuration determines PCI DSS or HIPAA audit success.


10 · Enterprise Security Best Practices

| Area | Recommendation |
|---|---|
| Identity Governance | Audit OCI IAM groups quarterly; remove stale admin access |
| Least Privilege | Granular IAM policies per compartment — no generic admin accounts |
| TDE & Key Management | Verify encryption on all PDBs; evaluate OCI Vault HSM for key rotation |
| Network Isolation | Dedicated VCN subnets with scoped NSGs |
| Database Auditing | Unified Auditing exported to external SIEM; run DSAT assessments |

11 · The Enterprise Security Checklist

  • OCI IAM: Least-privilege policies configured for ExaCC management?
  • MFA: Mandatory for all cloud administrators?
  • Network Segmentation: Client/backup networks isolated with NSGs?
  • TDE Validation: Active on all tablespaces across all PDBs?
  • Key Governance: MEK backed up with documented rotation process?
  • Unified Auditing: Privileged events forwarded to external destination?
  • Responsibility Matrix: Teams signed off on shared responsibility model?

12 · Frequently Asked Questions

Does Oracle have root access to my ExaCC guest OS?

No. The customer maintains exclusive root authority over DomU guest VMs.

Can I disable TDE on ExaCC?

No. TDE is enforced by default and cannot be turned off.

Who patches DomU?

You do. Oracle provides images and tools; you schedule guest OS, Grid, and Database patching.

Where are TDE master keys stored?

Oracle Wallet in the guest VM by default, or OCI Vault with HSM.

Can I use my corporate IdP?

Yes. Federate via SAML 2.0 or OpenID Connect with OCI IAM.


13 · 8 Security Principles Every ExaCC Team Should Know

  1. Shared Responsibility: Oracle secures infrastructure; you secure databases, apps, and data.
  2. Infrastructure Boundary: Oracle owns hardware, Dom0, storage cells, and network switches.
  3. Database Ownership: You control DomU VMs, credentials, backups, and encryption keys.
  4. OCI IAM: Compartments, groups, and least-privilege policies govern cloud lifecycle.
  5. TDE by Default: All tablespaces encrypted — unreadable without your master key.
  6. Defense-in-Depth: Network isolation, encryption in transit, auditing — all required.
  7. Shared Compliance: Platform is compliant-ready; your config determines audit success.
  8. Complete Separation: Oracle cannot read your production database data.

14 · Conclusion

The strongest security feature in ExaCC isn't encryption or IAM — it's understanding exactly who is responsible for every layer. When Oracle and the customer each secure their part, ExaCC delivers enterprise-grade protection without sacrificing operational flexibility.

At ExaGuru, our Exadata Expert course covers ExaCC shared responsibility, Dom0/DomU isolation, and production security patterns.
