DoD impact level 4 reference architecture with Oracle Cloud Infrastructure

The Oracle Cloud Infrastructure (OCI) Government cloud regions are accredited up to DISA impact level 5 (IL5) for infrastructure and platform as a service (IaaS and PaaS). In my previous post, I discussed designing a reference architecture for DoD impact level 2 workloads on Oracle Government Cloud.

In this post, we examine a reference architecture for DoD impact level 4 workloads on Oracle Government Cloud. OCI supports five regions that are built for the US government. All five are accredited for up to impact level 4 (IL4), and three are accredited for up to IL5. The following table describes the regions, accredited impact levels, and the BCAP connections.

The data processed at IL4, accommodates nonpublic, unclassified data where the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations and assets, or individuals. This data is Controlled Unclassified Information (CUI) or mission data, including data used in direct support of military of contingency operations. For IL4, all DoD traffic from the nonclassified internet protocol router network (NIPRNet) to and from off-premises CSP infrastructure service levels 4 and 5 missions, and the mission virtual networks must traverse one or more NIPRNet BCAPs. No direct IL4 or 5 traffic is permitted to or from the internet except through the NIPRNet IAPs and demilitarized zone (DMZ) capabilities provided by the mission owner, a DoD component, or DISA.

How does OCI provide strong virtual separation for IL4?

For IL4, the CSP must provide evidence of strong virtual separation controls and monitoring. Oracle Cloud Infrastructure provides multiple levels of isolation and virtual separation. OCI provides isolated network virtualization through a custom-designed SmartNIC. Hardware and software isolates the SmartNIC from the host, preventing a compromised instance from compromising the network.

Compute isolation is created when your tenancy is provisioned and when you start to deploy systems by creating your virtual cloud network (VCN). If you require further isolation, you can choose to use OCI bare metal or dedicated virtual machine (VM) host options. These options provide a dedicated physical server for stronger isolation. You don’t need dedicated compute to have strong isolation. Your Compute instances are already isolated to your VCN, providing extra isolation with dedicated compute options.

OCI reduces risk by decoupling network virtualization from the hypervisor. Oracle has implemented network virtualization as a highly customized hardware and software layer that moves cloud control away from the hypervisor and host and puts it on its own network. This hardened and monitored layer of control enables isolated network virtualization. Isolated network virtualization is implemented in every data center in every region, which means that all OCI tenants benefit from this reduced risk.

What are my off-premises connectivity options with OCI for impact level 4?

For an IL4 system, network traffic must traverse the NIPRNet through a CAP. Select OCI regions allows for connectivity through a BCAP. For more information on how Oracle connects to the NIPRNet, see the following articles:

• Connecting to the NIPRNet for impact level 4 and 5 workloads in Oracle Cloud Infrastructure

• Oracle Cloud Infrastructure US federal cloud with DISA impact level 5 authorization

Sample DoD IL4 reference architecture workload

As an application owner, you inherit the controls and authorizations that OCI has put in place. Applications owners are still responsible for applying more controls, according to the DoD cloud computing security requirements guide (SRG).

A DoD IL 4 reference architecture is different from an IL2 system, based on external network access and more security controls. IL4 requires NIPRNet connectivity through a CAP, which the reference architecture introduces. Direct access from the internet isn’t allowed. The following graphic shows a sample reference architecture hosting an IL4 system in an OCI government region:

This architecture has the following design considerations:

• By default, OCI uses a zero-trust security model. With zero-trust security, no one is trusted by default from inside or outside the network.

• All public internet traffic must enter the DoDIN before entering the VCN of the OCI tenancy.

• We introduce more requirements, according to the Cloud Computing – Security Requirements Guide (CC-SRG).

  • Virtual data center security stack (VDSS): Traffic into the VCN flows into subnet A, the VDSS. The core services of the VDSS contain a web application firewall for network traffic inspection, a next-generation firewall for intrusion prevention and intrusion detection, and load balancers.

  • Virtual data center management service (VDMS): Subnet B, a VDMS, provides security systems to manage the security posture, such as bastion, Identity and Access Management (IAM), assured compliance assessment solution (ACAS), host-based security system (HBSS), security information and event management (SIEM), patch management, and core services.

• The rest of the subnets contain your mission owner components (IaaS and PaaS workloads), such as your virtual instances, web servers, middle tier servers, and your databases. These subnets are separated from your VDSS and VDMS systems and subnets.

You can find more information in What is Secure Cloud Computing Architecture (SCCA).

What’s next?

I invite you to give it a try yourself. When you have your design laid out, you can get started with Oracle Cloud Free Tier for a 30-day free trial in our commercial regions, which includes US$300 in credits to get you started with a range of services, including compute, storage, and networking. If you want to test drive in our Oracle Cloud Infrastructure regions dedicated for the Government, consult with your Oracle sales representative for a proof of concept in the appropriate region.