So, you’ve just signed up to a shiny new cloud provider. It’s exciting when you realise that you not only have an almost unlimited supply of Infrastructure-as-a-Service (IaaS) at your fingertips, but you also have a plethora of various platform services just waiting for you to use. However, before you get carried away spinning up compute and uploading your files into storage, you need to realise that you have a shared responsibility for security, as shown in Figure 1.
Figure 1 – Security is not just the job of the Cloud Service Provider
Sure, the Cloud Service Provider (CSP) has a set of security responsibilities, but so do you. At a minimum, irrespective of whether you are using Software, Platform, or Infrastructure as-a-service, you will always be responsible for your data, your users, and to some extent, your configuration. As you move away from SaaS towards IaaS, your responsibilities grow as you become responsible for software, operating systems, patching, etc.
It seems that, whilst we have talked for a long time as an industry about the cloud security shared responsibility model, there is still plenty of confusion out there. The two statistics in Figure 1 come from the Oracle and KPMG Cloud Threat Report 2019, and reviewing the figures from the recently released report for 2020, the situation isn’t any better. Only 8% of this year’s respondents stated that they fully understand the cloud security shared responsibility model. I’ve discussed this topic before when looking at how “Security must be easier and not just for the experts”.
In this article, I want to look at Cloud Security Posture Management (CSPM) and some of the use cases that come to mind, as well as those that I am hearing from customers. I’ll discuss a number of use cases, why they are important, and how Oracle Cloud Infrastructure (OCI) is helping you to meet and address your shared responsibilities. So, if you are ready, let’s get started.
Before we can look at use cases, we need to understand what we mean by Cloud Security Posture Management. Simply put, it is looking at how you ensure that your cloud environment is configured in a secure manner, that it remains secure over time, and that configuration changes or activities don’t weaken that posture. Gaining that secure position, never mind maintaining it, can be difficult due to a number of factors, including:
Let’s examine some use cases that we need to address with CSPM and then we’ll discuss how Oracle can help you to meet your security responsibilities in this area.
Use Case 1 - Data exposure through public buckets
No doubt you will have seen plenty of data breach stories in the media where sensitive data was found on object storage buckets that had public visibility. There may be valid use cases where a bucket should be public, however this should be on a very tightly controlled exception basis.
In OCI, it’s difficult to create a public object storage bucket by mistake. First you create the bucket, then you change its visibility to make it public.
This may be an intentional change in visibility of the bucket, but this also could have been a temporary change, such as for debugging or testing.
While the bucket is public, if it contains sensitive data, you are at risk of a data breach. The attacker just needs to find the bucket on the internet, and believe me, there are plenty of people looking for them.
Use Case 2 – Ensuring only approved OS types and versions are used for compute
Another common use case is looking at the images that should be used when creating new compute instances. OCI provides a wide variety of images that can be used, including:
You can also bring your own images as well as using existing boot volumes. Now, imagine you have a standard, approved OS type that your compute instances must be built with, or you have a custom image that you want to ensure is used as a gold build for all instances. This image may have your corporate standard IT tools on it such as anti-virus, and corporately approved packages. It may also have a number of services removed or hardening policies applied.
As part of enforcing your security policy, you need to ensure that all compute instances are using the approved OS types and versions, or are using your gold build images.
This means you need to identify any compute instances that don’t use the approved images. Furthermore, you may also want to automatically shut down any instances violating that policy, or even terminate them. In some cases, you may also disable the account of the administrator who is creating these non-approved compute instances.
Use Case 3 – Adding internet-based routes to your Virtual Cloud Network
The next use case is addressing network access to your cloud environment. One common design pattern for cloud deployments is as an expansion to your existing data centre. In these cases, it is common for a VPN or private connection (called FastConnect in OCI) to be deployed between your data centre and your cloud environment. All access to those cloud services is directed down this connection and there is no direct access over the internet.
Now, let’s take the scenario where a network administrator makes a change to your virtual cloud network (VCN). They add an internet gateway and change the routing rules for this new gateway. In our use case here, neither of those actions should be performed on this particular VCN. It might be that the administrator has changed the wrong VCN by mistake, or it could be something more nefarious. Either way, the change needs to be identified quickly and fixed to ensure that the security risk is minimised.
Use Case 4 – Key Rotation
For our final use case, let’s think about key management. Cryptographic keys are used in lots of places, whether as the basis for in-transit encryption, or for encryption at rest. Many organisations have IT security policies governing the lifecycle and use of keys, including how often keys must be changed.
Within OCI, Oracle will manage keys for you where you have no policy stipulating that you must manage your own. Any time you create a storage device (e.g. object storage bucket, boot volume, block volume, file storage), then it will be encrypted with an Oracle-managed key. However, we also provide you the ability to manage your own keys, through OCI Vault, a service backed by highly-available FIPS 140-2 Level 3 Hardware Security Modules (HSMs).
If you do choose to manage your own keys, you will likely need to rotate them periodically to ensure the amount of data encrypted by any one key is not too great.
Therefore, being able to identify keys that you manage that haven’t been rotated in-line with your security policy is important. Even better would be automatically rotating those keys to help ensure you’re meeting all of your regulatory compliance needs and industry best practices.
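To make use cases 2 to 4 concrete, here is an added example (not Oracle’s or Cloud Guard’s code) of the posture checks they describe, written as plain Python over a hand-constructed inventory. The record layout, field names such as `time_of_last_rotation` and `internet_allowed`, and the image OCIDs are assumptions for the example; in a real deployment the records would come from the OCI SDK or CLI.

```python
"""Added example (not Oracle's code): an offline posture check that mirrors
use cases 2 to 4 above. The inventory records are constructed by hand; in a
real deployment they would be pulled from the OCI SDK or CLI (assumption)."""
from datetime import datetime, timedelta, timezone

# --- Constructed sample inventory (not real OCIDs) -------------------------
INSTANCES = [
    {"name": "web-01", "image_id": "ocid1.image.oc1..gold-build-v3"},
    {"name": "web-02", "image_id": "ocid1.image.oc1..gold-build-v3"},
    {"name": "dev-box", "image_id": "ocid1.image.oc1..marketplace-unknown"},
]

VCNS = [
    {
        "name": "corp-extension-vcn",
        "internet_allowed": False,  # policy: reachable over FastConnect/VPN only
        "gateways": [{"id": "igw-1", "type": "INTERNET_GATEWAY"},
                     {"id": "drg-1", "type": "DRG"}],
        "route_rules": [
            {"destination": "10.0.0.0/8", "network_entity_id": "drg-1"},
            {"destination": "0.0.0.0/0", "network_entity_id": "igw-1"},  # the bad change
        ],
    },
    {
        "name": "public-web-vcn",
        "internet_allowed": True,
        "gateways": [{"id": "igw-2", "type": "INTERNET_GATEWAY"}],
        "route_rules": [{"destination": "0.0.0.0/0", "network_entity_id": "igw-2"}],
    },
]

NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility
KEYS = [
    {"name": "db-master-key", "time_of_last_rotation": NOW - timedelta(days=400)},
    {"name": "bucket-key", "time_of_last_rotation": NOW - timedelta(days=30)},
]

POLICY = {
    "approved_images": {"ocid1.image.oc1..gold-build-v3"},  # the gold build
    "max_key_age_days": 365,                                  # rotation window
}


def unapproved_instances(instances, approved_images):
    """Use case 2: instances whose image is not in the approved set."""
    return [i["name"] for i in instances if i["image_id"] not in approved_images]


def internet_routes_on_private_vcns(vcns):
    """Use case 3: route rules that point at an internet gateway on a VCN that
    policy says must only be reachable over the private connection."""
    findings = []
    for vcn in vcns:
        if vcn["internet_allowed"]:
            continue
        igw_ids = {g["id"] for g in vcn["gateways"] if g["type"] == "INTERNET_GATEWAY"}
        for rule in vcn["route_rules"]:
            if rule["network_entity_id"] in igw_ids:
                findings.append((vcn["name"], rule["destination"], rule["network_entity_id"]))
    return findings


def stale_keys(keys, max_age_days, now=None):
    """Use case 4: customer-managed keys not rotated within the policy window."""
    now = now or datetime.now(timezone.utc)
    limit = timedelta(days=max_age_days)
    return [k["name"] for k in keys if now - k["time_of_last_rotation"] > limit]


def evaluate_posture(instances, vcns, keys, policy, now=None):
    """Combine the three checks into severity-tagged findings."""
    findings = []
    for name in unapproved_instances(instances, policy["approved_images"]):
        findings.append(("HIGH", f"instance {name} built from an unapproved image"))
    for vcn, dest, gw in internet_routes_on_private_vcns(vcns):
        findings.append(("CRITICAL", f"VCN {vcn} routes {dest} via internet gateway {gw}"))
    for name in stale_keys(keys, policy["max_key_age_days"], now):
        findings.append(("MEDIUM", f"key {name} exceeds rotation policy"))
    return findings


if __name__ == "__main__":
    for severity, message in evaluate_posture(INSTANCES, VCNS, KEYS, POLICY, NOW):
        print(f"[{severity}] {message}")
```

Run on the constructed inventory, the checks flag the `dev-box` instance, the `0.0.0.0/0` route to `igw-1` on the private-only VCN, and the `db-master-key` that is past its rotation window; the `public-web-vcn` route and the recently rotated key are left alone. The route check is deliberately keyed on the gateway type rather than the `0.0.0.0/0` destination alone, so a more specific internet-bound prefix is caught too.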
Now that we’ve talked about a number of use cases, we understand the problem. So, how is Oracle helping in this area?
Back at Oracle OpenWorld 2019, our vision for OCI security was announced and it was focused on making security easier, more automated, and always-on. To deliver that vision, a number of capabilities were announced including Oracle Cloud Guard. Some of the key design principles of Cloud Guard include:
One of the most interesting design principles is our use of Embedded Expertise. What this means is that Oracle knows OCI best. We know what security controls are available and how best to apply them at scale. We also know what problems to look for and how to apply security features to mitigate those problems. By applying all of our own embedded expertise, we are taking the burden away from you and removing the need for you to build all of these policies yourself.
Let’s take one of our use cases above as an example and look at how Cloud Guard would address a security risk such as a public bucket.
Within Cloud Guard, Oracle uses our own embedded expertise to create out-of-the-box rules to identify common problems, including, in this case, the detection of any buckets that are public. Of course, you can tune the rules to add various conditions. For example, in this particular rule, we can tune it to exclude any buckets that are authorised to be public.
In my scenario, I have created two buckets and made them both public. As my very inventive names suggest, one of my buckets is allowed to be public and therefore shouldn’t trigger any alerts.
Within Cloud Guard I am using the out-of-the-box rules but have tuned the detector rule for public bucket detection to exclude the bucket named authorised-public-bucket.
Now, Cloud Guard will identify any issues it finds within OCI as a Problem, but we can see that in this scenario, it only identifies the unauthorised-public-bucket as a Problem.
Note also how Cloud Guard recognised that we are using the default, Oracle-managed keys for the encryption of these buckets rather than our own customer-managed keys through OCI Vault.
If configured to do so, Cloud Guard can automatically remediate the problem, in this case by changing the bucket back to private, which it has done here.
It can also send notifications. In my case, I am sending all Critical notifications to Slack, and all non-critical notifications to email. However, I could just as easily send them to PagerDuty, a custom HTTPS URL, or even call a serverless function using OCI Functions (by writing a function using the open-source Fn project):
As you can see, Cloud Guard has not only identified a problem with my object storage buckets, but it has informed me about it as well as provided, automated closed-loop remediation to remove the security risk.
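The closed loop just described, and the public-bucket risk from use case 1, as an added example that is not Cloud Guard’s code: a detector with an exclusion list for buckets authorised to be public, a second low-severity detector for buckets on the Oracle-managed default key, a responder that sets the offending bucket back to private, and notification routing by severity. The bucket records are constructed; the `public_access_type` values are the ones OCI Object Storage uses (`NoPublicAccess`, `ObjectRead`, `ObjectReadWithoutList`), while the rule names and the `kms_key_id is None` convention are assumptions for the example.

```python
"""Added example (not Cloud Guard's code): an offline model of the
detect -> remediate -> notify loop described in the article."""
from dataclasses import dataclass

# OCI Object Storage public access types that expose objects to the internet.
PUBLIC_ACCESS_TYPES = {"ObjectRead", "ObjectReadWithoutList"}

# Constructed sample buckets; kms_key_id None means the Oracle-managed default key.
BUCKETS = [
    {"name": "authorised-public-bucket", "public_access_type": "ObjectRead", "kms_key_id": None},
    {"name": "unauthorised-public-bucket", "public_access_type": "ObjectRead", "kms_key_id": None},
    {"name": "private-bucket", "public_access_type": "NoPublicAccess",
     "kms_key_id": "ocid1.key.oc1..example-customer-managed"},
]

# Detector rule tuning: the tightly controlled list of buckets allowed to be public.
PUBLIC_BUCKET_EXCLUSIONS = {"authorised-public-bucket"}


@dataclass
class Problem:
    resource: str
    rule: str
    severity: str
    remediated: bool = False


def detect_public_buckets(buckets, exclusions):
    """Public bucket detector: one Problem per public bucket not on the exclusion list."""
    return [Problem(b["name"], "PUBLIC_BUCKET", "CRITICAL")
            for b in buckets
            if b["public_access_type"] in PUBLIC_ACCESS_TYPES and b["name"] not in exclusions]


def detect_oracle_managed_keys(buckets):
    """Lower-severity detector: buckets encrypted with the default Oracle-managed key."""
    return [Problem(b["name"], "BUCKET_ORACLE_MANAGED_KEY", "LOW")
            for b in buckets if b["kms_key_id"] is None]


def remediate_public_bucket(buckets, problem):
    """Responder: set the bucket back to private. Against OCI this would be an
    update of the bucket's public access type; here the constructed record is mutated."""
    for b in buckets:
        if b["name"] == problem.resource:
            b["public_access_type"] = "NoPublicAccess"
            problem.remediated = True
    return problem


def route_notification(problem):
    """Critical problems go to chat, everything else to email, as in the article."""
    channel = "slack" if problem.severity == "CRITICAL" else "email"
    return (channel, f"{problem.rule} on {problem.resource} (remediated={problem.remediated})")


def run_cloud_guard_like_loop(buckets, exclusions, auto_remediate=True):
    """Run both detectors, remediate public buckets if allowed, and route notifications."""
    problems = detect_public_buckets(buckets, exclusions) + detect_oracle_managed_keys(buckets)
    notifications = []
    for p in problems:
        if auto_remediate and p.rule == "PUBLIC_BUCKET":
            remediate_public_bucket(buckets, p)
        notifications.append(route_notification(p))
    return problems, notifications


if __name__ == "__main__":
    found, notes = run_cloud_guard_like_loop(BUCKETS, PUBLIC_BUCKET_EXCLUSIONS)
    for channel, text in notes:
        print(f"{channel:>5}: {text}")
```

With the exclusion in place only `unauthorised-public-bucket` raises the critical Problem, it is flipped back to `NoPublicAccess` before the Slack notification is emitted, and `authorised-public-bucket` stays public but still appears in the low-severity, email-routed finding about Oracle-managed keys. Setting `auto_remediate=False` reproduces a detect-and-notify-only configuration.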
Cloud Guard is currently in Limited Availability, due to be released later this year. Therefore, don’t forget to refer to Oracle’s Safe Harbor statement below:
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.