Part 4 of 4 - Oracle IaaS and Seven Pillars of Trusted Enterprise Cloud Platform
Note: My original blog series was published on the Oracle Cloud Infrastructure blog site. I have republished it here with permission.
Official Disclaimer: The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of Oracle Corporation.
The concluding post of this series, in which we mapped Oracle's seven pillars of a trusted computing platform to Oracle Cloud Infrastructure security capabilities, covers a few services that were introduced or enhanced since the publication of earlier posts (Part 1, Part 2 and Part 3), along with relevant services from the Oracle Cloud Security portfolio for enterprises.
New and Enhanced Features
First, let's explore the major new services and features that enhance the security of customer environments on Oracle Cloud Infrastructure.
Encrypt your Data using Keys you Control
In October 2018, we announced the release of Oracle Cloud Infrastructure Key Management, a managed service that lets customers encrypt their data with keys that they control. Key Management is worth considering if you:
- Want to centralize encryption key management for your data in the public cloud
- Already use hardware security module (HSM) based key management in your own (on-premises) data centers and want a comparable service for encryption keys in the cloud
- Want full control over the lifecycle of the encryption keys that protect your public cloud assets
- Want a cloud key management service backed by the cloud provider's HSMs, certified to Federal Information Processing Standards (FIPS) 140-2 Security Level 3
For more information, see the Key Management documentation.
Ensuring Secure Network Isolation between Departments with Transit Routing through a Hub VCN
The following is a basic use case for using transit routing:
A customer organization has different departments, each with its own VCN. The customer's on-premises-based security information and event management (SIEM) tool needs access to the applications and servers running in different VCNs, but the customer doesn't want the administration overhead of maintaining a secure connection from each VCN to the on-premises network. Instead, the customer wants to use a single FastConnect or IPSec VPN.
I'll use the below diagram to give you an idea of how transit routing works. One of the VCNs acts as the hub (VCN-H) and connects to the customer's on-premises network by way of FastConnect or an IPSec VPN. The other VCNs are locally peered with the hub VCN. The traffic between the on-premises network and the peered VCNs transits through the hub VCN. The VCNs must be in the same region but can be in different tenancies.
For details, see the transit routing documentation.
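The three kinds of route tables that make transit routing through the hub work are easy to get half right, so here is an added example (not code from the original post or from Oracle) that derives the rules the topology above needs and diffs them against what is deployed. The VCN names, CIDRs and gateway labels are constructed; in a real tenancy the targets would be the OCIDs of the DRG and of each local peering gateway (LPG).

```python
"""Derive and check the route rules that hub-and-spoke transit routing needs.
Added example for this post; the topology below is constructed, not from any
real tenancy."""

# Constructed topology: hub VCN-H owns the DRG (FastConnect or IPSec VPN) and one
# hub-side LPG per spoke; each spoke VCN has its own LPG peered with the hub.
ONPREM_CIDRS = ["192.168.0.0/16"]
HUB = {"name": "VCN-H", "cidr": "10.0.0.0/16", "drg": "drg-onprem"}
SPOKES = [
    {"name": "VCN-A", "cidr": "10.1.0.0/16"},   # department A
    {"name": "VCN-B", "cidr": "10.2.0.0/16"},   # department B, possibly another tenancy
]

def hub_lpg(spoke):    # hub-side LPG facing this spoke (assumed naming)
    return f"lpg-{HUB['name']}-to-{spoke['name']}"

def spoke_lpg(spoke):  # spoke-side LPG facing the hub (assumed naming)
    return f"lpg-{spoke['name']}-to-{HUB['name']}"

def required_transit_rules(onprem_cidrs=ONPREM_CIDRS, hub=HUB, spokes=SPOKES):
    """Return {route_table: [(destination, target)]} for working transit.

    - The table attached to the hub's DRG attachment sends on-premises-sourced
      packets for each spoke CIDR to that spoke's hub-side LPG.
    - The table attached to each hub-side LPG sends spoke-sourced packets for
      the on-premises CIDRs back to the DRG (the return path people forget).
    - Each spoke's subnet route table sends on-premises CIDRs to the spoke LPG.
    Hub subnets themselves need none of these rules for the transit to work.
    """
    tables = {f"rt-{hub['name']}-drg-attachment": [(s["cidr"], hub_lpg(s)) for s in spokes]}
    for s in spokes:
        tables[f"rt-{hub_lpg(s)}"] = [(c, hub["drg"]) for c in onprem_cidrs]
        tables[f"rt-{s['name']}-subnets"] = [(c, spoke_lpg(s)) for c in onprem_cidrs]
    return tables

def missing_rules(actual, required):
    """Diff deployed route tables against the required set. Both map a table
    name to [(destination, target)]; the result holds the required rules that
    are absent or point at the wrong target, keyed by table name."""
    gaps = {}
    for table, rules in required.items():
        have = set(actual.get(table, []))
        gap = [rule for rule in rules if rule not in have]
        if gap:
            gaps[table] = gap
    return gaps

# Constructed deployed state: VCN-B's hub-side LPG table never got its return
# route, so on-premises packets reach VCN-B but replies are dropped in the hub.
DEPLOYED = {
    "rt-VCN-H-drg-attachment": [("10.1.0.0/16", "lpg-VCN-H-to-VCN-A"),
                                ("10.2.0.0/16", "lpg-VCN-H-to-VCN-B")],
    "rt-lpg-VCN-H-to-VCN-A": [("192.168.0.0/16", "drg-onprem")],
    "rt-lpg-VCN-H-to-VCN-B": [],
    "rt-VCN-A-subnets": [("192.168.0.0/16", "lpg-VCN-A-to-VCN-H")],
    "rt-VCN-B-subnets": [("192.168.0.0/16", "lpg-VCN-B-to-VCN-H")],
}

if __name__ == "__main__":
    for table, gap in missing_rules(DEPLOYED, required_transit_rules()).items():
        for destination, target in gap:
            print(f"{table}: missing route {destination} -> {target}")
```

Two things the route tables alone do not cover: the on-premises router must know the spoke CIDRs (advertised over BGP or configured statically on the FastConnect or VPN side), and the security lists in the spokes must still admit the on-premises traffic; a correct route with a closed security list looks exactly like a missing route from the SIEM's point of view.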
Isolate Resources by Teams and Projects with Nested Compartments
Nested compartments let you isolate resources according to your corporate structure or hierarchy. Nesting enables a managed service provider, or a central IT department that provides IT as a service to the business units, to grant granular rights by assigning policies to the nested compartments. Consider the following use case:
The central IT network team is responsible for managing network elements such as VCNs across projects. Central IT wants to let the App/Dev project teams create subnets in the prebuilt VCNs on demand, from their CI/CD pipeline, while deploying applications and the associated compute and storage. Central IT also wants to hide certain projects based on business unit. The following diagram depicts the nested compartment architecture that the central IT team could create to grant access to specific groups:
I'd appreciate your comments below if you're interested in a detailed blog post further explaining this use case.
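As an added illustration of the use case (these are example policy statements written for this post, not from the original article or from Oracle's documentation), assume a `Shared` compartment owned by central IT with a nested `Network` compartment holding the prebuilt VCNs, a `BU-Finance` compartment with a nested `ProjectA` compartment, a separate `BU-Retail` compartment, and two groups, `CentralIT-NetAdmins` and `ProjectA-CICD`. Compartment paths in a policy are relative to where the policy is attached; these are attached at the tenancy root.

```text
# Central IT owns every network element in the shared Network compartment.
Allow group CentralIT-NetAdmins to manage virtual-network-family in compartment Shared:Network

# Project A's pipeline may carve subnets out of the prebuilt VCNs, but only
# "use" the VCNs and the route tables, security lists and DHCP options it
# attaches to those subnets, so it cannot create, alter or delete them.
Allow group ProjectA-CICD to manage subnets in compartment Shared:Network
Allow group ProjectA-CICD to use vcns in compartment Shared:Network
Allow group ProjectA-CICD to use route-tables in compartment Shared:Network
Allow group ProjectA-CICD to use security-lists in compartment Shared:Network
Allow group ProjectA-CICD to use dhcp-options in compartment Shared:Network

# Its compute and storage live in the project's own nested compartment.
Allow group ProjectA-CICD to manage instance-family in compartment BU-Finance:ProjectA
Allow group ProjectA-CICD to manage volume-family in compartment BU-Finance:ProjectA

# No statement grants ProjectA-CICD any verb in BU-Retail or its children.
# Policies are allow-only, so those projects stay hidden from the group.
```

Note that `manage subnets` still lets the pipeline delete subnets that central IT created in the same compartment; if that matters, keep central IT's own subnets in a sibling compartment and grant the pipeline `manage subnets` only where its subnets live.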
Enterprise Cloud Security Offerings
Now let's move on to some of the enterprise-scale cloud security offerings from Oracle that can be consumed as a platform as a service (PaaS). Customers can use these services to fulfill their portion of the shared security responsibility model.
Enhance your Security Controls with Oracle Identity Cloud Service
Oracle Identity Cloud Service (IDCS) enables enterprises to seamlessly connect their users to cloud-based and on-premises applications. IDCS integrates tightly with on-premises systems such as Active Directory as well as Oracle’s IAM to extend identities to the cloud.
IDCS provides administration capabilities in the cloud such as user/group and application administration, including provisioning and deprovisioning of applications. It also provides access management capabilities such as single sign-on, strong authentication, and adaptive risk-based policies. Finally, it is the platform upon which governance capabilities like access requests, certifications, and workflows will be built for cloud applications.
IDCS acts as the identity foundation for the Oracle Cloud. In other words, if you purchase any service in the Oracle Cloud, an instance of IDCS is automatically created for your tenant, and all of its users are managed there.
For details, see the IDCS service page.
Maintain Security Control and Detect Threats with Oracle Cloud Access Security Broker
Oracle Cloud Access Security Broker (CASB) Cloud Service is a multimode cloud-access security broker that provides advanced threat analytics using user-behavior analytics (UBA) and third-party feeds, configuration seeding, monitoring and alerts, and shadow IT discovery. For details, see the CASB service page.
Following are the key features for Oracle CASB on Oracle Cloud Infrastructure:
- Policy alerts: Alerting and notifications on policy changes to resources
- Security controls: Detection of insecure settings of Oracle Cloud Infrastructure resources
- Threat detection: Detection of user risks and threats using machine learning (ML) analytics
- Key security indicator reports
- Exporting data and threat remediation: Enterprise integrations with SIEM or ITSM systems
The following sections provide details.
CASB Policy Alerts
Following are some examples of these alerts and notifications on policy changes to Oracle Cloud Infrastructure resources:
- Compute images: Updates to or removal of images
- Compute instances: Launch or termination
- DB systems: Launch or termination actions
- Identity groups and policies: Creation, updates, and deletion
- Identity users: Lifecycle actions, API key actions, login failures, and resets
- Network load balancers: Creation, updates, and deletion
- Network security lists: Creation, updates, and deletion
- Network VCNs: Creation, updates, and deletion
- Object storage: Creation and deletion, and pre-authenticated requests
- Storage block volumes: Attaching and export/import events
CASB Security Controls
Following are some examples of the controls for detecting insecure settings of Oracle Cloud Infrastructure resources:
- Instances having public IP addresses or public images
- Untagged resources
- Users and IAM: groups with too many or too few members, overly broad IAM policies, and use of API keys
- Unattached storage volume
- Public storage buckets
- VCNs or load balancers with no inbound security lists, or with an attached internet gateway
- Insecure security lists with ports open for telnet, FTP, Finger, or other attack-vector protocols
- Imminent expiration of load balancer certificates
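The security-list control in the list above is the one most worth reproducing yourself, because a single permissive rule ("all protocols from 0.0.0.0/0", or a lazy port range) exposes the same legacy services as an explicit telnet rule. The following added example (written for this post, not CASB's own control or code from Oracle) walks security lists in the field shape the OCI Python SDK returns and reports every attack-vector port reachable from the whole Internet. The two security lists and the port table are constructed.

```python
"""Flag ingress rules in OCI-style security lists that expose legacy cleartext
services (telnet, FTP, Finger, rlogin) to the whole Internet. Added example for
this post; the rule fields mirror the OCI Python SDK's IngressSecurityRule
(snake_case), but the lists and the port table are constructed."""
import ipaddress

# Ports the check treats as attack-vector services (assumed list, extend as needed).
RISKY_TCP_PORTS = {21: "FTP", 23: "telnet", 79: "Finger", 513: "rlogin"}

def is_world_open(source):
    """True when the rule's source is the entire address space (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False  # a Service CIDR label, e.g. an Oracle Services Network block

def tcp_port_span(rule):
    """Destination TCP ports a rule admits as (min, max), or None for non-TCP rules."""
    protocol = str(rule.get("protocol", "")).lower()
    if protocol not in ("6", "all"):          # 6 = TCP; "all" admits every protocol
        return None
    port_range = (rule.get("tcp_options") or {}).get("destination_port_range")
    if not port_range:
        return (1, 65535)                      # no tcp_options means every TCP port
    return (int(port_range["min"]), int(port_range["max"]))

def find_risky_rules(security_list, risky_ports=RISKY_TCP_PORTS):
    """Return one finding per (rule, risky port) pair reachable from 0.0.0.0/0."""
    findings = []
    for rule in security_list.get("ingress_security_rules", []):
        if not is_world_open(rule.get("source", "")):
            continue
        span = tcp_port_span(rule)
        if span is None:
            continue
        low, high = span
        for port, service in sorted(risky_ports.items()):
            if low <= port <= high:
                findings.append({
                    "security_list": security_list.get("display_name", "?"),
                    "service": service, "port": port,
                    "source": rule["source"], "allowed_range": f"{low}-{high}",
                })
    return findings

# Constructed sample: the first list has a sloppy 20-25 range and a catch-all
# rule; the second exposes only HTTPS plus an Oracle services CIDR label.
SAMPLE_SECURITY_LISTS = [
    {
        "display_name": "sl-legacy-apps",
        "ingress_security_rules": [
            {"protocol": "6", "source": "10.0.0.0/8",
             "tcp_options": {"destination_port_range": {"min": 22, "max": 22}}},
            {"protocol": "6", "source": "0.0.0.0/0",
             "tcp_options": {"destination_port_range": {"min": 20, "max": 25}}},
            {"protocol": "17", "source": "0.0.0.0/0",
             "udp_options": {"destination_port_range": {"min": 53, "max": 53}}},
            {"protocol": "all", "source": "0.0.0.0/0"},
        ],
    },
    {
        "display_name": "sl-web",
        "ingress_security_rules": [
            {"protocol": "6", "source": "0.0.0.0/0",
             "tcp_options": {"destination_port_range": {"min": 443, "max": 443}}},
            {"protocol": "6", "source": "all-phx-services-in-oracle-services-network",
             "source_type": "SERVICE_CIDR_BLOCK"},
        ],
    },
]

def audit(security_lists=SAMPLE_SECURITY_LISTS):
    """Map each security list name to its findings (empty list when clean)."""
    return {sl["display_name"]: find_risky_rules(sl) for sl in security_lists}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "clean" if not findings else "")
        for f in findings:
            print(f"  {f['service']} (tcp/{f['port']}) open to {f['source']} "
                  f"via allowed range {f['allowed_range']}")
```

The 20-25 range yields FTP and telnet findings, and the catch-all rule yields all four, which is the point: the rule that looks least like "telnet" is the one that exposes it. The check deliberately ignores egress, stateless flags and UDP, and treats anything narrower than a /0 as acceptable; a stricter version would also flag large public prefixes.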
CASB Threat Detection
CASB uses ML-based analytics to detect the following threats in Oracle Cloud Infrastructure:
- IP hopping
- Brute force attacks
- User behavior risks and anomalies
- Admin behavior risks
The analytics draw on the following signals and context:
- Audit activity
- Number of successful or failed logins per day
- Network IP addresses and mapped geolocations
- Time of access
- Endpoint context (OS, browsers)
- External threat feeds
- Geolocation feeds
- IP address reputation
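The first two threats above are the ones a team can reproduce from audit data with plain windowed rules before any ML is involved. The following added example (written for this post, not CASB's detection logic or code from Oracle) runs such rules over a constructed, time-ordered stream of sign-in events: a brute-force alert fires when one source IP accumulates enough failures inside a short window, and an IP-hopping alert fires when one user's successful logins come from several distinct source IPs inside a longer window. The event format, the thresholds and the sample lines are all assumptions.

```python
"""Windowed rules for brute-force and IP-hopping sign-in activity. Added example
for this post; the event layout ("time user ip outcome"), the thresholds and the
sample events are constructed, not OCI Audit or CASB output."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5                     # failures from one source IP ...
FAILED_WINDOW = timedelta(minutes=10)    # ... within this window
HOP_THRESHOLD = 3                        # distinct source IPs for one user ...
HOP_WINDOW = timedelta(minutes=30)       # ... within this window (assumed values)

def parse(line):
    """Split 'ISO-time user ip outcome' into typed fields."""
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome

def detect(lines, failed_threshold=FAILED_THRESHOLD, failed_window=FAILED_WINDOW,
           hop_threshold=HOP_THRESHOLD, hop_window=HOP_WINDOW):
    """Return alerts for a time-ordered event stream. Windows are sliding deques:
    old entries fall off the left as newer events arrive, and a deque is cleared
    after it fires so the same burst does not alert on every further event."""
    failures = defaultdict(deque)    # source ip -> (time, user) of recent failures
    successes = defaultdict(deque)   # user -> (time, ip) of recent successful logins
    alerts = []
    for line in lines:
        ts, user, ip, outcome = parse(line)
        if outcome == "failure":
            window = failures[ip]
            window.append((ts, user))
            while window and ts - window[0][0] > failed_window:
                window.popleft()
            if len(window) >= failed_threshold:
                targets = {u for _, u in window}   # >1 target looks like spraying
                alerts.append({"type": "brute_force", "subject": ip, "time": ts.isoformat(),
                               "detail": f"{len(window)} failures against {len(targets)} user(s)"})
                window.clear()
        elif outcome == "success":
            window = successes[user]
            window.append((ts, ip))
            while window and ts - window[0][0] > hop_window:
                window.popleft()
            ips = {i for _, i in window}
            if len(ips) >= hop_threshold:
                alerts.append({"type": "ip_hopping", "subject": user, "time": ts.isoformat(),
                               "detail": f"{len(ips)} source IPs: {', '.join(sorted(ips))}"})
                window.clear()
    return alerts

# Constructed sample: a password-guessing burst against alice from one address,
# then alice "logging in" from three unrelated addresses within 15 minutes.
SAMPLE_EVENTS = """\
2019-03-04T09:00:05 alice 203.0.113.7 failure
2019-03-04T09:00:11 alice 203.0.113.7 failure
2019-03-04T09:00:19 alice 203.0.113.7 failure
2019-03-04T09:00:24 bob 10.20.0.15 success
2019-03-04T09:00:31 alice 203.0.113.7 failure
2019-03-04T09:00:40 alice 203.0.113.7 failure
2019-03-04T09:05:02 alice 198.51.100.4 success
2019-03-04T09:12:47 alice 203.0.113.9 success
2019-03-04T09:20:10 alice 192.0.2.10 success
2019-03-04T11:30:00 bob 10.20.0.15 success
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['type']:<12} {alert['subject']:<14} {alert['detail']}")
```

Keying brute force on the source IP rather than the target user is deliberate: a spray of one password across many accounts never trips a per-user counter. The sample's IP hop is also the kind of event the geolocation feeds above turn from "three addresses" into "three countries in fifteen minutes", which is where the ML and reputation context earns its keep.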
CASB Key Security Indicator Compliance Reports
Following are some of the out-of-the-box reports used for Oracle Cloud Infrastructure:
- API Key Roll Over report: Key state and rollover status for API keys
- Privileged IAM Group Membership report: Users added to or removed from groups
- Privileged IAM Users and Groups report: Actions targeting users and groups
- Public Buckets report: Details on publicly accessible buckets
- Swift Passwords report: Information about Swift passwords
CASB Data Exports and Remediation
CASB provides the following enterprise integrations with SIEM or ITSM systems:
- Manual incident management: Creation and management of incidents generated from reported events
- External incident management: Integration with ServiceNow
- Integration with SIEM: Export events to Splunk, QRadar
- Export to CSV
Security Monitoring with Oracle Management Cloud
Oracle Management Cloud is an integrated suite of capabilities that enable customers to perform the following actions:
- Easily monitor applications end to end, with fewer false alerts and notifications where they matter
- Quickly troubleshoot issues with all the data needed to solve that problem at that time—metrics, logs, topology
- Keep applications secure and compliant
- Automatically remediate the most common problems whether they are security or management events
- Analyze data over a longer period of time to spot trends and issues
Regardless of whether the application is running on-premises, in the Oracle Cloud, or in anyone else’s cloud, and on any technology stack, customers can use these capabilities individually or all together. The unified platform brings a rich set of interrelated data into one place, giving a complete view across entities and topology.
For details, see the Oracle Cloud Management service page.
Oracle Management Cloud Security Features
This post highlights the Oracle Management Cloud features related to security, such as monitoring security events and user behavior, and catching data access (SQL-based) anomalies at the user, group, database, and application level.
Conventional security monitoring tools can tell you that a user's access to a database host was normal. The Security Monitoring and Analytics (SMA) module goes deeper and can tell you that the query the user ran was abnormal for that user, based on behavioral analysis, which widens the range of threats that can be detected. SMA detects nuanced anomalies through multi-dimensional baselines (for example, user logins by location, time, and host).
SMA also provides the following security features:
- Addresses scalability problems through our platform (next-generation service with auto scaling) and visualization problems through intelligent security visualization (for example, timeline).
- Investigates faster with session awareness and kill chain visualization (for example, account hijacking). In general, user context is rarely present in logs. SMA determines the underlying user by stitching together DHCP, IDM, VPN, and other activity context. Then it enables visualizing threats at the user level (rather than the account level), thereby providing benefits like a dramatic reduction in manual investigative work, resulting in faster time to detection.
- Helps Security Operations Center (SOC) analysts understand internal and external threat vectors by ensuring security visibility across a heterogeneous, evolving infrastructure. SMA can collect and analyze any log or other data from the IT stack on bare metal, in private clouds, or in SaaS, PaaS, and IaaS infrastructure. SMA can be used to automate SOC runbooks with out-of-the-box vendor independent security and compliance content (rules, reports, and so on).
- Categorizes events so content is future-proofed against changes in vendors and products (that is, a failed login is just that, regardless of the device type and vendor). This results in actionable insights, automated remediation, and faster time to value.
- Uses underlying ML algorithms to leverage continuous threat intelligence context (URL classification, URL/IP reputation) in detection and triage of threat indicators. Customers can bring their own threat intelligence feed or leverage Oracle's out-of-the-box feed for early awareness of threat indicators in detection and investigation, thereby getting benefits like reduced false negatives by leveraging the latest threat context as activity happens.
- Works with Oracle Management Cloud Orchestration to continually harden systems by triggering runbook automation (account lockouts, and port or other configuration changes). SMA can hook its correlation and detection logic to any instrumentation framework so that the appropriate SOC remediation procedures for a given threat type can be automated, shortening mean time to remediation.
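The multi-dimensional baseline mentioned earlier (user logins by location, time and host) is what separates "new country, probably travelling" from "new country, 3 a.m., a host this user has never touched". The following added example (written for this post, not SMA's model or code from Oracle) learns a per-user baseline from a constructed training period and scores each new login by how many dimensions it leaves; the same scheme extends to query shapes for the SQL-level anomalies the section mentions. Events, bin size and threshold are assumptions.

```python
"""Multi-dimensional login baseline: learn, per user, which countries, hours of
day and hosts are normal, then score each new login by how many of those
dimensions it leaves. Added example for this post; events are constructed and
the scoring is a simple illustration, not SMA's model."""
from collections import defaultdict

DIMENSIONS = ("country", "hour_bin", "host")

def hour_bin(hour):
    """Coarsen the hour into 3-hour bins so 09:00 and 10:00 share a baseline entry."""
    return hour // 3

def build_baseline(history):
    """history: iterable of (user, country, hour, host) from a training period."""
    baseline = defaultdict(lambda: {d: set() for d in DIMENSIONS})
    for user, country, hour, host in history:
        baseline[user]["country"].add(country)
        baseline[user]["hour_bin"].add(hour_bin(hour))
        baseline[user]["host"].add(host)
    return baseline

def score_login(baseline, user, country, hour, host):
    """Return (score, deviating dimensions). A user with no baseline deviates on all:
    a never-seen account touching production is itself worth an analyst's look."""
    if user not in baseline:
        return len(DIMENSIONS), list(DIMENSIONS)
    observed = {"country": country, "hour_bin": hour_bin(hour), "host": host}
    deviations = [d for d in DIMENSIONS if observed[d] not in baseline[user][d]]
    return len(deviations), deviations

def triage(baseline, logins, threshold=2):
    """Keep logins whose score reaches the threshold. One off-baseline dimension
    (a new host, a business trip) is noise on its own; two or more are not."""
    flagged = []
    for login in logins:
        score, deviations = score_login(baseline, *login)
        if score >= threshold:
            flagged.append({"login": login, "score": score, "deviations": deviations})
    return flagged

# Constructed training period and a day of new logins: (user, country, hour, host).
TRAINING = [
    ("alice", "US", 9, "db-prod-01"), ("alice", "US", 10, "app-01"),
    ("alice", "US", 14, "db-prod-01"), ("alice", "US", 16, "app-01"),
    ("bob", "DE", 8, "app-02"), ("bob", "DE", 11, "app-02"), ("bob", "DE", 17, "app-02"),
]
NEW_LOGINS = [
    ("alice", "US", 10, "db-prod-01"),    # fully within baseline
    ("alice", "GB", 11, "app-01"),        # new country only: likely travel
    ("alice", "RO", 3, "db-prod-02"),     # new country, 03:00, unfamiliar host
    ("mallory", "US", 10, "db-prod-01"),  # account with no history at all
]

if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for hit in triage(baseline, NEW_LOGINS):
        user, country, hour, host = hit["login"]
        print(f"{user}@{host} from {country} at {hour:02d}:00 -> score {hit['score']} "
              f"({', '.join(hit['deviations'])})")
```

Set membership is the crudest possible baseline; a production version would weight dimensions by how rare the observed value is for that user and age out old history, but the structure (one baseline per user, one score per dimension, alert on the combination) is what lets a single rule separate the travelling employee from the hijacked account.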
The primary goal of the posts in the series is to provide guidance for the customer to securely develop, migrate, and run workloads on Oracle Cloud Infrastructure. The posts throughout the series depicted how to use various Oracle IaaS and PaaS services to protect data, achieve required compliance, and secure the application environments across Oracle Cloud Infrastructure.
Links to other relevant Oracle Cloud Infrastructure security blogs: