Oracle built Oracle Cloud Infrastructure (OCI) with a security-first design principle, implementing core Zero Trust security from the ground up, through controls including Hardware-based Root of Trust, Isolated Network Virtualization, and hyper-segmentation. In addition to this security-first design, security services are provided that can help our customers to follow this philosophy. The world of security doesn’t stand still and neither does OCI when it comes to the security capabilities that are developed and provided to our customers. As a result, we are pleased to announce an updated version of our whitepaper, Approaching Zero Trust Security in Oracle Cloud Infrastructure.

You might have heard of the M-22-09 memorandum that was published earlier this year, which describes the United States Federal strategy to move the U.S. Government towards a Zero Trust Architecture by 2024. This strategy will serve as the foundation for a paradigm shift in Federal cyber security and provide a model for others to follow. The very statement in the memorandum, “The Federal Government can no longer depend on conventional perimeter-based defences. Users should log into applications, rather than networks”, is a classic indication of how the traditional “castle-and-moat” security model has changed over the last couple of decades and how organizations should not wait to respond to the next cyber security breach. Rather, organizations must take more proactive steps in building more resilient Zero Trust Security. As stated in the memorandum’s introduction below, U.S. Government departments are required to move towards a zero trust architecture.

“This memorandum sets forth a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of Fiscal Year (FY) 2024 in order to reinforce the Government’s defences against increasingly sophisticated and persistent threat campaigns.”

We hear very frequently of our customers’ plans to adopt a zero trust model to improve their overall approach to cyber security. Zero trust security isn’t a tool or product you can buy, or a checkbox you can enable within an application. It is a security paradigm, a multi-phased approach that takes time, effort, and investment to adopt. Oracle Cloud Infrastructure (OCI) can help accelerate your Zero Trust Security journey.

We have taken the opportunity in this latest version to update the paper to use the final released set of 8 zero trust security principles from the UK’s National Cyber Security Centre (NCSC), rather than the beta principles that were used in the previous version of the paper. Furthermore, we have also updated the paper with some of the latest OCI security capabilities, including:

  • OCI Threat Intelligence
  • Oracle Cloud Guard Threat Detector
  • Oracle Cloud Guard Fusion Applications Detector
  • OCI Vulnerability Scanning
  • OCI Bastion
  • OCI Certificates
  • Custom Security Zones
  • OCI WAF protection on load balancers
  • OCI Network Firewall (powered by Palo Alto)
  • OCI Identity and Access Management (IAM) Domains (the merger of OCI IAM and Identity Cloud Service (IDCS) into a combined service).

If you haven’t read the whitepaper yet but have an interest in OCI and how it can help you approach zero trust security, then we encourage you to have a look. It provides a very pragmatic approach for your Zero Trust Security journey. If you’ve already seen the paper, now might be a good time to look back through it and see how the new OCI security services listed above can fit into your overall zero trust security architecture.

We often hear different myths around zero trust security, so we wanted to dispel the top myths that we hear.

Myth 1: Zero Trust is just marketing hype; not a practical model.

Whilst many organizations have taken the opportunity to align their products and services to zero trust, it is not just marketing hype. It is a design philosophy and a new way of thinking about security in the modern IT estate, where data is spread across multiple locations, both on-premises and in the cloud. Furthermore, through publications like those from the US National Institute of Standards and Technology (NIST), it is a movement that is gaining popularity and momentum.

Myth 2: Zero Trust Security is only for big organizations with matured security architecture.

As mentioned earlier, Zero Trust Security is not a security product or solution, but a security paradigm, a multi-phased approach that can be introduced gradually in any organization. For example, the starting point could be as simple as an organization mandating Multi-Factor Authentication (MFA) for its users. So, Zero Trust Security is a boon to smaller organizations as well, helping them build the right kind of security architecture right from the beginning.

Myth 3: Zero Trust is only focused on Network Security or Identity

Zero Trust has in fact 3 dimensions – securing the network, securing the identities and their access, and securing and monitoring the services – all of which should be aligned to protect an organization’s crown jewel – data.

  1. In a zero-trust architecture, given that we assume the network is hostile, we need to think about how to micro-segment the network to limit the blast radius. We have to think about how to perform continuous protective monitoring that will help identify patterns of activity on your networks, which in turn can provide indicators of compromise. So, the network is the first dimension to ZTS.
     
  2. Then we need to understand who is accessing the data and services. Because we are not inherently trusting the network, it is critical at every point that we authenticate and authorize anything that is trying to connect to the systems before we grant access. We need to have robust access policies to make sure that the right identities have the right permissions to access the right resources and the right data. So, the second dimension to ZTS is Identity.
     
  3. Given that the network can’t be trusted, security services need to be designed to protect the environment through continuous monitoring and, when needed, automated remediation tools. All services have to dynamically apply security controls in real time for every request-response flow – not just at the perimeter, but at every layer including infrastructure, network, application, and data access points in the enterprise. They need to monitor the environment appropriately – not just from a health perspective, but also from a real-time threat detection perspective.

Therefore, all of these dimensions should work together to provide a layered defense mechanism while implementing Zero Trust Security.

Myth 4: Zero Trust Security provides poor user experience.

Zero Trust Security, if implemented properly, should enhance the user experience and reduce the complexity of the overall security architecture. It should avoid security weak points and prevent back-door access. For example, providing centralised identity management enables users to remember fewer passwords and also have a common, positive experience for additional security like MFA.

So, if you haven’t already started, we encourage you to start your Zero Trust journey! As the first step, choose a cloud provider who aligns to a Zero Trust security strategy and can provide the necessary controls to help accelerate a program based on Zero Trust. Learn more about how Oracle can help customers with their Zero Trust Security approach with the latest version of the whitepaper here.