OCI’s native capability to obtain packet capture and monitor flow data between components
Each compute instance in a VCN has one or more Virtual Network Interface Cards (VNICs). The OCI Networking service uses Security Lists to determine what traffic is allowed through a given VNIC. The VNIC is subject to all rules in all security lists associated with the VNIC’s subnet.
To help you troubleshoot your security lists or audit the traffic in and out of your VNICs, you can set up VCN Flow Logs.
Flow logs record details about traffic that has been accepted or rejected based on the security list rules.
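The flow-log troubleshooting described above can be scripted. The following Python is an added example (not Oracle's code and not from the original page): it reads flow log records, groups the rejected flows by destination, and separates rejects whose sources all sit inside the VCN (a likely security list gap to review) from rejects arriving from outside (usually unsolicited traffic the rules blocked as intended). The record shape (a JSON envelope whose "data" object carries action, sourceAddress, destinationAddress, destinationPort and protocolName), the VCN CIDR and the sample records are all assumptions constructed for the example.

```python
"""Triage rejected flows in VCN flow logs to troubleshoot security list rules.

Added example, not from the original page. The record shape is an assumption
modelled on the OCI VCN flow log format; the VCN CIDR and sample records are
constructed.
"""
import ipaddress
import json
from collections import defaultdict

VCN_CIDR = ipaddress.ip_network("10.0.0.0/16")  # assumed VCN address range


def _flow(action, src, sport, dst, dport, packets=1, bytes_out=60):
    """Build one constructed flow log record in the assumed JSON shape."""
    return json.dumps({"time": "2024-01-01T10:00:00Z", "data": {
        "version": 2, "action": action, "status": "OK",
        "sourceAddress": src, "sourcePort": sport,
        "destinationAddress": dst, "destinationPort": dport,
        "protocol": 6, "protocolName": "TCP",
        "packets": packets, "bytesOut": bytes_out}})


# Constructed sample log lines: one intra-VCN reject on 3306, two external
# rejects on 22, and two accepted HTTPS flows.
SAMPLE_FLOW_LOG = [
    _flow("ACCEPT", "10.0.1.15", 51324, "10.0.2.40", 443, 12, 2048),
    _flow("REJECT", "198.51.100.7", 44000, "10.0.2.40", 22),
    _flow("REJECT", "198.51.100.7", 44001, "10.0.2.40", 22),
    _flow("REJECT", "10.0.1.15", 51325, "10.0.2.41", 3306, 5, 700),
    _flow("ACCEPT", "203.0.113.9", 55000, "10.0.2.40", 443, 30, 5000),
]


def load_records(lines):
    """Parse JSON log lines; lines that are not well-formed records are skipped."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and isinstance(rec.get("data"), dict) \
                and "action" in rec["data"]:
            records.append(rec)
    return records


def summarise_rejects(records):
    """Group REJECT flows by (dst address, dst port, protocol)."""
    summary = defaultdict(lambda: {"count": 0, "sources": set()})
    for rec in records:
        d = rec["data"]
        if d["action"] != "REJECT":
            continue
        key = (d["destinationAddress"], d["destinationPort"], d["protocolName"])
        summary[key]["count"] += 1
        summary[key]["sources"].add(d["sourceAddress"])
    return dict(summary)


def classify_rejects(summary):
    """Split rejects into intra-VCN (review the security list) and external
    (blocked as expected) based on whether every source lies in VCN_CIDR."""
    internal, external = {}, {}
    for key, info in summary.items():
        inside = all(ipaddress.ip_address(s) in VCN_CIDR for s in info["sources"])
        (internal if inside else external)[key] = info
    return internal, external


if __name__ == "__main__":
    summary = summarise_rejects(load_records(SAMPLE_FLOW_LOG))
    internal, external = classify_rejects(summary)
    for label, group in (("review security list", internal),
                         ("blocked as expected", external)):
        for (dst, port, proto), info in sorted(group.items()):
            print(f"{label}: {dst}:{port}/{proto} rejected {info['count']}x "
                  f"from {sorted(info['sources'])}")
```

Pointing the script at exported flow log lines instead of SAMPLE_FLOW_LOG gives a quick view of which rejects come from your own subnets, which is the case that usually indicates a missing security list rule rather than hostile traffic.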
Packet capture options are:
- OCI virtual Terminal Access Point (vTAP*)
- Gigamon
OCI’s solution and capability to provide cloud posture to detect changes and misconfigurations within the environment
Oracle Cloud Guard (CG) is used to monitor, identify, achieve, and maintain a strong security posture on Oracle Cloud. You can use CG to examine Oracle Cloud Infrastructure resources for configuration-related security weaknesses, and to examine your operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist with, or take corrective actions, depending on your configuration.
Oracle Data Safe helps you assess (detect) weak database security configurations and elevated database user entitlements, audit user activity, and discover and mask sensitive data, tracking these over time.
Cloud Guard works in conjunction with Data Safe, Security Zones and Security Advisor.
Oracle Cloud Infrastructure Events Service tracks resource changes using events that comply with the Cloud Native Computing Foundation (CNCF) CloudEvents standard.
Developers can respond to changes in real-time by triggering code with Functions, writing to Streaming, or sending alerts using Notifications.
Oracle Cloud Resource Manager (RM) lets you safely and predictably manage the lifecycle of your infrastructure using declarative configuration files. RM has drift-detection capabilities with detailed drift reporting.
Oracle has published a Terraform-based landing zone template that meets the security guidance prescribed in the CIS Oracle Cloud Infrastructure Foundations Benchmark e.g.,
You can also make use of the CIS Hardened Images available via the OCI Marketplace, or bring your own image (BYOI).
Oracle Cloud Infrastructure Identity and Access Management (IAM) controls who has access to your cloud resources. Using IAM Policies, you can control and enforce what type of access a group of users has, and to which specific resources. Oracle has also spelled out a list of common policies for easy and expedited reference. IAM policies have a simple, English-like syntax.
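Because the policy syntax is a small, regular grammar, it can be linted before statements are applied. The Python below is an added example, not Oracle's tooling and not from the original page: it parses the common statement shape "Allow <subject> to <verb> <resource-type> in <tenancy|compartment X> [where <condition>]" and flags grants that work against least privilege (manage all-resources across the tenancy, any-user grants with no where-clause, manage at tenancy scope). Compound subjects and other syntax variants are not handled, and the sample statements are constructed.

```python
"""Lint OCI IAM policy statements for overly broad grants.

Added example, not Oracle's own tooling. Only the common single-subject
statement shape is parsed; sample statements are constructed.
"""
import re

STATEMENT_RE = re.compile(
    r"^\s*allow\s+"
    r"(?P<subject>any-user|(?:group|dynamic-group|service)\s+\S+)"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)"
    r"\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# Constructed sample policy (not a real tenancy's policy).
SAMPLE_POLICY = [
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Prod",
    "Allow group Auditors to inspect all-resources in tenancy",
    "Allow group Everyone to manage all-resources in tenancy",
    "Allow any-user to use instance-family in compartment Dev",
    "Allow any-user to read objects in compartment Dev where request.networkSource.name='CorpNet'",
    "Allow dynamic-group AppInstances to read secret-family in compartment Prod",
    "Allow group Ops to manage instance-family in tenancy",
]


def parse_statement(statement):
    """Return the parts of one statement (lower-cased keywords), or raise ValueError."""
    m = STATEMENT_RE.match(statement)
    if not m:
        raise ValueError(f"unrecognised policy statement: {statement!r}")
    parts = m.groupdict()
    for key in ("subject", "verb", "resource", "scope"):
        parts[key] = parts[key].lower()
    return parts


def is_valid_statement(statement):
    """True if the statement matches the supported grammar."""
    return STATEMENT_RE.match(statement) is not None


def lint_statement(statement):
    """Return a list of (severity, reason) findings for one statement."""
    p = parse_statement(statement)
    findings = []
    tenancy_wide = p["scope"] == "tenancy"
    if p["verb"] == "manage" and p["resource"] == "all-resources" and tenancy_wide:
        findings.append(("high", "grants full administrative rights over the whole tenancy"))
    elif p["verb"] == "manage" and tenancy_wide:
        findings.append(("medium", "manage at tenancy scope; consider scoping to a compartment"))
    if p["subject"] == "any-user" and not p["condition"]:
        findings.append(("high", "any-user grant with no where-clause applies to every principal"))
    return findings


def lint_policy(statements):
    """Lint every statement; each finding records the offending statement."""
    results = []
    for stmt in statements:
        for severity, reason in lint_statement(stmt):
            results.append({"statement": stmt, "severity": severity, "reason": reason})
    return results


if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"[{f['severity']}] {f['statement']}\n    {f['reason']}")
```

Running it over SAMPLE_POLICY reports the tenancy-wide manage all-resources grant and the unconditional any-user grant as high, and the tenancy-scoped manage instance-family grant as medium; the conditional any-user read grant and the compartment-scoped grants produce no findings.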
In Oracle Cloud encryption is enabled by default and cannot be turned off:
- Block volume and volume backups are always encrypted using AES.
- Object Storage data at rest is encrypted with AES-256-GCM.
- File Storage Services are encrypted by default. You can enable in-transit encryption as well.
- Oracle Databases are encrypted at rest with Transparent Data Encryption (TDE).
You can use Oracle Cloud Infrastructure Vault to use customer-managed encryption keys.
Cloud Guard and Data Safe help you enforce and improve your security posture and protect against configuration drift.
OCI’s Zero Trust Architecture Strategy
OCI has published a zero-trust security white paper based on the UK National Cyber Security Centre's (NCSC) eight zero trust principles, which are applicable to organizations across the globe.
Oracle pursues three tenets to assist customers in securing their cloud: (i) automated, (ii) always-on, and (iii) architected-in, following a security-first design principle.
- Support for SAML 2.0, OAuth 2.0 and OpenID Connect; SCIM 2.0; and the JML (joiner, mover, leaver) process.
- OCI IAM uses instance principals and resource principals, against which IAM policies are written following least-privilege principles.
- OCI Vault securely stores and retrieves secrets, encrypted using customer-managed encryption keys stored in FIPS 140-2 Level 3 HSMs.
- OCI has implemented capabilities to establish the health of services with OS Management, Auditing and Logging, and Events with Notifications.
- OCI implements ubiquitous encryption: all data, everywhere, always.
- OCI provides TLS 1.2 encrypted connections for all endpoints published by Oracle, such as API endpoints and the OCI Console.
- OCI supports password-less authentication through the FIDO2 standard.
- Cloud Advisor works in conjunction with Cloud Guard.
- OCI Hardware Root of Trust reduces the risk of firmware-based attacks.
- OCI isolated network virtualization prevents hypervisor breakouts (“hyper jacking”).
- OCI hyper-segmentation separates service and customer enclaves.
- OCI implements L2 MACsec encryption on the private backbone between regions.
- OCI provides detection and mitigation of Layer 3 and Layer 4 volumetric DDoS attacks.
In addition, Oracle Cloud Infrastructure has published guidance on how to meet the US Department of Defense Secure Cloud Computing Architecture.
OCI’s capability to ensure policies are enforced and/or alerted to when provisioning cloud resources
Oracle Cloud Infrastructure Audit service automatically records calls to all supported Oracle Cloud Infrastructure public application programming interface (API) endpoints as log events.
Log events recorded by the Audit service include API calls made by the Oracle Cloud Infrastructure Console, Command Line Interface (CLI), Software Development Kits (SDK), your own custom clients, or other Oracle Cloud Infrastructure services.
The Audit payload is detailed in the OCI Audit documentation. Information in the logs includes the time the API activity occurred, the source of the activity, the target of the activity, the type of action, and the type of response.
The Audit Service can be integrated with a SIEM e.g., Splunk.
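The Audit records described above (and the Events service described earlier, which can trigger a Function on resource changes) are what a detection rule consumes. The Python below is an added example, not Oracle's code and not from the original page: it runs two rules over Audit events, alerting on successful security-relevant control-plane changes (policy and security list edits, user creation) and on principals that accumulate repeated authorization failures. The event shape (type, time, and a "data" object with eventName, identity.principalName, identity.ipAddress, response.status and resourceName) is an assumption modelled on the OCI Audit record, and the sample events are constructed. The same rules could run inside a Function triggered by Events, or in a SIEM over exported logs.

```python
"""Run simple detection rules over OCI Audit log events.

Added example, not Oracle's own code. The event shape is an assumption
modelled on the OCI Audit record; the sample events are constructed.
"""
import json
from collections import Counter

# Control-plane changes a defender usually wants to be told about.
WATCHED_EVENTS = {
    "CreatePolicy": "IAM policy created",
    "UpdatePolicy": "IAM policy changed",
    "DeletePolicy": "IAM policy deleted",
    "UpdateSecurityList": "security list rules changed",
    "DeleteSecurityList": "security list deleted",
    "CreateUser": "IAM user created",
}
# OCI reports many authorization failures as 404 (NotAuthorizedOrNotFound)
# rather than 403, so 404 is treated as a possible authorization failure too.
FAILURE_STATUSES = {"401", "403", "404"}
FAILURE_THRESHOLD = 3


def _event(name, principal, ip, status, resource=None, when="2024-01-01T10:00:00Z"):
    """Build one constructed audit event in the assumed record shape."""
    return json.dumps({
        "type": f"com.oraclecloud.constructed.{name.lower()}",
        "time": when,
        "data": {
            "eventName": name,
            "identity": {"principalName": principal, "ipAddress": ip},
            "response": {"status": str(status)},
            "resourceName": resource,
        },
    })


# Constructed sample events (not real tenancy activity).
SAMPLE_AUDIT = [
    _event("CreatePolicy", "alice", "203.0.113.5", 200, "TenancyAdminPolicy"),
    _event("ListInstances", "carol", "10.0.1.20", 200),
    _event("GetBucket", "mallory", "198.51.100.9", 404, "finance-reports"),
    _event("GetBucket", "mallory", "198.51.100.9", 404, "hr-exports"),
    _event("ListUsers", "mallory", "198.51.100.9", 404),
    _event("UpdateSecurityList", "bob", "203.0.113.7", 200, "prod-web-seclist"),
    _event("UpdatePolicy", "dave", "203.0.113.8", 403, "TenancyAdminPolicy"),
]


def load_events(lines):
    """Parse JSON lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and isinstance(ev.get("data"), dict):
            events.append(ev)
    return events


def failures_by_principal(events):
    """Count authorization-style failures per principal."""
    failures = Counter()
    for ev in events:
        d = ev["data"]
        status = str(d.get("response", {}).get("status", ""))
        if status in FAILURE_STATUSES:
            failures[d.get("identity", {}).get("principalName", "?")] += 1
    return failures


def detect(events):
    """Apply both rules; return alerts in the order they are raised."""
    alerts = []
    for ev in events:
        d = ev["data"]
        name = d.get("eventName")
        status = str(d.get("response", {}).get("status", ""))
        ident = d.get("identity", {})
        # Rule 1: a watched change that actually succeeded (2xx).
        if name in WATCHED_EVENTS and status.startswith("2"):
            alerts.append({"rule": "watched-change", "event": name,
                           "summary": WATCHED_EVENTS[name],
                           "principal": ident.get("principalName", "?"),
                           "ip": ident.get("ipAddress", "?"),
                           "resource": d.get("resourceName"), "time": ev.get("time")})
    # Rule 2: a principal repeatedly denied, which can indicate permission probing.
    for who, n in failures_by_principal(events).items():
        if n >= FAILURE_THRESHOLD:
            alerts.append({"rule": "authz-failures", "principal": who, "count": n})
    return alerts


if __name__ == "__main__":
    for a in detect(load_events(SAMPLE_AUDIT)):
        print(a)
```

On the constructed sample this raises three alerts: alice's policy creation, bob's security list change, and mallory's three denied requests; dave's single 403 on an UpdatePolicy call is neither a successful change nor enough failures to alert.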
Security Zones let you be confident that your resources in Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, and Database resources, comply with Oracle security principles.
A security zone is associated with a compartment and a security zone recipe. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates these operations against the list of policies defined in the security zone recipe. If any security zone policy is violated, then the operation is denied.
OCI’s existing native capability for vulnerability management
Vulnerability Scanning Service (VSS) identifies:
- Ports that are unintentionally left open, which might be a potential attack vector to your cloud resources or enable attackers to exploit other vulnerabilities
- OS packages that require updates and patches to address vulnerabilities
- OS configurations that attackers might exploit
- Deviations from the industry-standard benchmarks published by the Center for Internet Security (CIS), and known vulnerabilities recorded in the National Vulnerability Database (NVD)
- Host compliance with the Access, Authentication, and Authorization benchmarks defined for Distribution Independent Linux
VSS requires an instance image that supports the Oracle Cloud Agent. Port scanning of an instance's public IP address does not require an agent.
You can also use Qualys or Rapid7.
OCI’s Cloud Shell
Oracle Cloud Infrastructure Cloud Shell access is governed by OCI IAM policies, and activities are recorded in the OCI Audit trail. Oracle Cloud Shell does not allow root access or the use of sudo. Access to OCI resources from Cloud Shell is still governed by the IAM policies granted by the tenancy administrator.
There is no default access to Cloud Shell. An IAM Policy is required to enable access to Cloud Shell. Cloud Shell uses Lumberjack for logging.
OCI’s Key Management
Oracle Cloud Infrastructure Vault is a managed service that lets you centrally manage the encryption keys that protect your data and the secret credentials that you use to securely access resources. Vaults securely store master encryption keys and secrets that you might otherwise store in configuration files or in code. Specifically, depending on the protection mode, keys are either stored on the server or they are stored on highly available and durable hardware security modules (HSM) that meet Federal Information Processing Standards (FIPS) 140-2 Security Level 3 security certification. You can use the Vault service to create and manage the following resources: Vaults, Keys, and Secrets.
Customer-managed keys for Exadata Cloud Service can be enabled using the OCI Vault service. Oracle Database Vault should be used to restrict application data access for Database service accounts. Exadata Cloud Service security controls are detailed in Oracle's Exadata Cloud Service documentation.
For the underlying infrastructure components, third-party Privileged Account Management (PAM) solutions, such as BeyondTrust, CyberArk, and Thycotic, can be leveraged in the same manner as they would be on-premises.
OCI’s SSL Offloading Capability
Oracle Cloud Infrastructure Flexible Load Balancer offers application delivery capabilities including SSL offloading, cookie-based session persistence, multi-site hosting, URL path routing, and advanced layer 7 header-based routing. OCI Flexible Load Balancers support Transport Layer Security (TLS) termination to decrypt encrypted traffic. SSL termination also increases site and web application performance by reducing the workload of back-end servers.