According to IDC, the top security threat in cloud environments is ‘security misconfiguration of production environments’ – based on a survey of 300 CISOs. Fortunately, ‘security misconfiguration’ is a challenge Oracle Cloud Infrastructure (OCI) helps organizations address head-on with the recent integration of Oracle Security Zones and Oracle Cloud Guard.

With Custom Security Zones (CSZ), enterprises can quickly and easily apply security policies to automatically enforce desired security posture and prevent changes that could weaken a customer’s security configuration. Security Zone policies can be applied to various cloud infrastructure types (network, compute, storage, database, etc.) to help ensure cloud resources stay secure and prevent security misconfigurations. Users determine which policies are appropriate for their needs by defining Custom Security Zone policy sets.

When a Custom Security Zone is created, Cloud Guard monitoring is automatically set up to match your Security Zone policies, providing ongoing verification of your security posture. This parallel combination of cloud security policy enforcement and security posture monitoring is unique in the industry today – and exceptionally easy to use as well.

Let’s consider a simple example. In deploying a new application, a cloud customer needs to reflect different security postures between front-end and back-end compartments. With Custom Security Zones, it’s simple to enable more permissive policies for the front-end compartment (e.g. enable internet traffic and public buckets), while setting more restrictive policies on the back-end (e.g. block internet traffic, prevent public buckets and require databases to have back-ups). In this case, Custom Security Zones makes it easy to apply different policies to achieve different security outcomes. In case security policy needs to be changed, the policies enforced for either the front-end or back-end of the application can be modified in minutes to reflect new requirements or security concerns.

Security Zone Use Cases

Why would someone want to take advantage of Security Zones and what are the use cases? Security Zones enable users to quickly apply security policy to OCI – where a single policy can be applied to different types of infrastructure resources (network, compute, storage, database, etc.) in a uniform, reliable way.

The top use cases for Security Zones are:

  1. Guardrails – Easily apply prescriptive guardrails that protect customer resources and prevent human error. Policy enforcement can stop misconfigurations before they happen.
  2. Application Protection – Provide security to application resources and API endpoints (dedicated apps and SaaS) that reflect specific needs.
  3. Enhanced High Security – Enforce security on compartments to prevent misconfiguration and protect sensitive data (intellectual property protection, government data, financial data, etc.).

Advantages of Custom Security Zones

Let’s look at some of the highlights of Custom Security Zones:

1. Ease of use

Custom Security Zones apply security policy to cloud infrastructure compartments and it takes just minutes to set up. The simplicity is notable – just decide what security policy is appropriate to meet your needs and follow the steps below.

2. Great flexibility

With Custom Security Zones, users can apply a custom policy set to any compartment, at any time. They can also edit the recipe applied to a compartment at any time.

3. Growing array of policy choices

Custom Security Zones policy types include the following: Restrict Resource Movement, Restrict Resource Association, Deny Public Access, Require Encryption, Ensure Data Durability, Ensure Data Security, and Use only Approved Configurations. New policies that extend Security Zones to additional infrastructure resource types and OCI services will be added over time. View the documentation for more detail on CSZ security policies.

4. Integration with Cloud Guard

Custom Security Zones is now integrated with Cloud Guard. Together, these services share a common view of tenant security and interoperate at a foundational level to enhance security. When you create a Custom Security Zone, you automatically get a set of Cloud Guard monitoring targets created that match your Security Zone recipe.

5. Console, SDK, API and Terraform support

Custom Security Zones has gained programmatic access via SDK, API and Terraform in addition to Console access, enabling automated infrastructure builds and greater convenience when using cloud resources at scale.

6. Existing Maximum Security Zones transition easily

Existing Maximum Security Zones compartments will be converted to editable CSZ compartments, which provide greater flexibility than was available previously. The Maximum Security Zones recipe remains available to all users for future use.

How do I Get Started with Security Zones?

One of the best things about applying security policy using Security Zones is how easy it is to accomplish. You will likely be done defining your Security Zone policy in OCI before you finish your morning beverage. To test this claim, follow the steps below.

Step 1: Create Your Recipe

Start by selecting ‘Identity and Security’ in the OCI Console, and then ‘Security Zones’ from the left-hand sidebar menu as shown below. Then click on ‘Create Recipe’ to define a new policy set.

Figure 1

Step 2: Select Desired Security Policies

Select the security policies desired for the use case.

Figure 2

Step 3: Specify Security Zone Details

After clicking on the ‘Create Security Zone’ button, the new Security Zone is created.

Figure 3

Step 4: Create Security Zone

After clicking on the ‘Create Security Zone’ button, the new Security Zone is created.

Figure 4
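
The front-end/back-end scenario and Steps 1 to 4, expressed through the Terraform support mentioned above. This is an added example, not Oracle's own code: it assumes the OCI Terraform provider is already configured, and the variable names, display names and policy OCID lists are placeholders you supply for your tenancy.

```hcl
# Added example. Variable and display names are illustrative assumptions.
variable "frontend_compartment_ocid" { type = string }
variable "backend_compartment_ocid" { type = string }

# Security Zone policy OCIDs are looked up per tenancy/region and passed in;
# none are hard-coded here.
variable "frontend_policy_ocids" {
  type        = list(string)
  description = "Permissive set for the front end (internet traffic, public buckets allowed)"
}

variable "backend_policy_ocids" {
  type        = list(string)
  description = "Restrictive set for the back end (no public access, backups required)"
  validation {
    # Fail the plan early if the restrictive set is empty or malformed.
    condition = length(var.backend_policy_ocids) > 0 && alltrue(
      [for p in var.backend_policy_ocids : can(regex("^ocid1\\.", p))]
    )
    error_message = "backend_policy_ocids must be a non-empty list of OCIDs."
  }
}

# Steps 1-2: one recipe (policy set) per security posture.
resource "oci_cloud_guard_security_recipe" "frontend" {
  compartment_id    = var.frontend_compartment_ocid
  display_name      = "frontend-recipe"
  security_policies = var.frontend_policy_ocids
}

resource "oci_cloud_guard_security_recipe" "backend" {
  compartment_id    = var.backend_compartment_ocid
  display_name      = "backend-recipe"
  security_policies = var.backend_policy_ocids
}

# Steps 3-4: bind each recipe to its compartment as a Security Zone.
resource "oci_cloud_guard_security_zone" "frontend" {
  compartment_id          = var.frontend_compartment_ocid
  display_name            = "frontend-zone"
  security_zone_recipe_id = oci_cloud_guard_security_recipe.frontend.id
}

resource "oci_cloud_guard_security_zone" "backend" {
  compartment_id          = var.backend_compartment_ocid
  display_name            = "backend-zone"
  security_zone_recipe_id = oci_cloud_guard_security_recipe.backend.id
}
```

Changing either posture later is an edit to the matching policy list followed by `terraform apply`, which keeps the enforced policy set reviewable in version control.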

Summary

Setting security policy for enterprise cloud resources is simpler than ever with Custom Security Zones – a built-in, integrated, no-extra-cost security tool from OCI. Security Zones extends the scope of security posture management beyond monitoring and visibility to active enforcement of resource-based security policy. The previous generation of Security Zones, called Maximum Security Zones, defined the concept. Custom Security Zones is now delivering on the promise of greater convenience and flexibility. Turn it on today in your OCI tenancy.
