This concluding post of the series, which mapped Oracle's seven pillars of a trusted computing platform to Oracle Cloud Infrastructure security capabilities, covers services that were introduced or enhanced after the earlier posts (Part 1, Part 2, and Part 3) were published, along with relevant enterprise services from the Oracle Cloud Security portfolio.
First, let's explore the major new services and features that enhance the security of customer environments on Oracle Cloud Infrastructure.
In October 2018, we announced the release of Oracle Cloud Infrastructure Key Management, a managed service that enables customers to encrypt their data by using keys that they control. Customers who have the following requirements should consider using Key Management:
For more information, see the Key Management documentation.
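As an added example (not from the original post), the following Terraform configuration creates a vault and a customer-managed key and uses that key to encrypt a block volume, which is the "keys that they control" point in practice. The variable names, resource names, and the compartment name used in the policy statement are my own assumptions; the resource types and attributes are those of the OCI Terraform provider.

```hcl
# Added example, not from the original post. Assumed inputs: the compartment
# OCID and name, and an availability domain for the volume.
variable "compartment_ocid" {}
variable "compartment_name" {}
variable "availability_domain" {}

# The vault holds the customer's master keys.
resource "oci_kms_vault" "app" {
  compartment_id = var.compartment_ocid
  display_name   = "app-vault"
  vault_type     = "DEFAULT"
}

# AES-256 master key created inside the vault; the key material is generated
# and kept by the service, and the customer controls its lifecycle.
resource "oci_kms_key" "volumes" {
  compartment_id      = var.compartment_ocid
  display_name        = "volume-master-key"
  management_endpoint = oci_kms_vault.app.management_endpoint
  key_shape {
    algorithm = "AES"
    length    = 32
  }
}

# The Block Volume service encrypts and decrypts on the customer's behalf,
# so it needs permission to use keys in this compartment.
resource "oci_identity_policy" "blockstorage_keys" {
  compartment_id = var.compartment_ocid
  name           = "blockstorage-use-keys"
  description    = "Let the Block Volume service use customer-managed keys"
  statements = [
    "Allow service blockstorage to use keys in compartment ${var.compartment_name}",
  ]
}

# A volume encrypted under the customer-managed key instead of an
# Oracle-managed key.
resource "oci_core_volume" "data" {
  compartment_id      = var.compartment_ocid
  availability_domain = var.availability_domain
  display_name        = "app-data"
  size_in_gbs         = 100
  kms_key_id          = oci_kms_key.volumes.id
}
```

The practical consequence of controlling the key is that you also control its destruction: scheduling the key for deletion makes every volume encrypted under it unreadable, so keep `manage keys` restricted to a small group and review key lifecycle operations in your audit logs.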
Transit routing lets a customer's on-premises network, connected to one virtual cloud network (VCN) with either Oracle Cloud Infrastructure FastConnect or an IPSec VPN, reach other VCNs that are peered with that VCN.
The following is a basic use case for using transit routing:
A customer organization has several departments, each with its own VCN. The customer's on-premises security information and event management (SIEM) tool needs access to the applications and servers running in the different VCNs, but the customer doesn't want the administrative overhead of maintaining a separate secure connection from each VCN to the on-premises network. Instead, the customer wants to use a single FastConnect or IPSec VPN connection.
The following diagram shows how transit routing works. One VCN acts as the hub (VCN-H) and connects to the customer's on-premises network through FastConnect or an IPSec VPN. The other VCNs are locally peered with the hub VCN, and traffic between the on-premises network and the peered VCNs transits through the hub. The VCNs must be in the same region but can be in different tenancies.
For details, see the transit routing documentation.
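The following Terraform configuration, added here as an example and not taken from the original post, builds the hub-and-spoke layout described above for one department VCN: the hub holds the DRG attachment used by FastConnect or IPSec VPN, and dedicated route tables on the DRG attachment and on the hub's local peering gateway carry traffic between on-premises and the spoke. The CIDR blocks, resource names, and the assumption that the FastConnect or IPSec connection is already attached to the DRG are mine.

```hcl
# Added example, not from the original post. Assumed inputs: a compartment
# OCID and the on-premises CIDR; the FastConnect/IPSec connection is assumed
# to be attached to the DRG already.
variable "compartment_ocid" {}
variable "onprem_cidr" {
  default = "192.168.0.0/16"
}

# Hub VCN (VCN-H): the only VCN with a DRG attachment.
resource "oci_core_vcn" "hub" {
  compartment_id = var.compartment_ocid
  cidr_block     = "10.0.0.0/16"
  display_name   = "VCN-H"
}

# One department's spoke VCN; locally peered with the hub.
resource "oci_core_vcn" "spoke_a" {
  compartment_id = var.compartment_ocid
  cidr_block     = "10.1.0.0/16"
  display_name   = "VCN-A"
}

resource "oci_core_drg" "onprem" {
  compartment_id = var.compartment_ocid
  display_name   = "drg-onprem"
}

# Route table attached to the hub's DRG attachment: packets arriving from
# on-premises that are destined for the spoke go to the peering gateway.
resource "oci_core_route_table" "hub_drg_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.hub.id
  display_name   = "rt-hub-drg-attachment"
  route_rules {
    destination       = oci_core_vcn.spoke_a.cidr_block
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_local_peering_gateway.hub_to_a.id
  }
}

# Route table attached to the hub's LPG: packets arriving from the spoke
# that are destined for on-premises go to the DRG.
resource "oci_core_route_table" "hub_lpg_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.hub.id
  display_name   = "rt-hub-lpg"
  route_rules {
    destination       = var.onprem_cidr
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_drg.onprem.id
  }
}

resource "oci_core_drg_attachment" "hub" {
  drg_id         = oci_core_drg.onprem.id
  vcn_id         = oci_core_vcn.hub.id
  display_name   = "hub-drg-attachment"
  route_table_id = oci_core_route_table.hub_drg_rt.id
}

# Local peering gateways on both ends; peer_id on the spoke side establishes
# the peering. The hub-side LPG carries the transit route table.
resource "oci_core_local_peering_gateway" "hub_to_a" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.hub.id
  display_name   = "lpg-hub-to-a"
  route_table_id = oci_core_route_table.hub_lpg_rt.id
}

resource "oci_core_local_peering_gateway" "a_to_hub" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.spoke_a.id
  display_name   = "lpg-a-to-hub"
  peer_id        = oci_core_local_peering_gateway.hub_to_a.id
}

# Spoke subnets use this table to send on-premises-bound traffic to their LPG.
resource "oci_core_route_table" "spoke_a_rt" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.spoke_a.id
  display_name   = "rt-spoke-a"
  route_rules {
    destination       = var.onprem_cidr
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_local_peering_gateway.a_to_hub.id
  }
}
```

The two hub-side route tables are what make the hub a transit point; without a route table on the DRG attachment and on the LPG, the hub only routes for its own subnets. Routing is not access control: the spoke's security lists or network security groups must still explicitly allow the SIEM's on-premises source addresses and ports, and if a spoke VCN lives in another tenancy, both tenancies need the cross-tenancy peering policies described in the local peering documentation.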
Nested compartments let you isolate resources according to your corporate structure or hierarchy. Nesting enables a managed service provider, or a customer's central IT department that provides IT as a service to the business units, to grant granular rights by assigning policies that correspond to nested compartments. Consider the following use case:
The Central IT network team is responsible for managing network elements such as VCNs across projects. Central IT would like to let the App/Dev project teams create subnets in the prebuilt VCNs on demand, through their CI/CD pipeline, while deploying applications and the associated compute and storage. Central IT would also like to hide certain projects from other business units. The following diagram depicts the nested compartment architecture that the Central IT team could create to grant access to specific groups:
I'd appreciate your comments below if you're interested in a detailed blog post further explaining this use case.
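Added as an example (not part of the original post), the following Terraform configuration builds one slice of that hierarchy and the policies that go with it. Compartment, group, and policy names are assumed, and the policy statements use the OCI policy syntax, in which `compartment Parent:Child` addresses a nested compartment; check the exact verbs and resource types against the policy reference for the services you use.

```hcl
# Added example, not from the original post. Assumed input: the tenancy OCID.
# Group names (CentralIT-Network, ProjectA-Dev) are assumed to exist already.
variable "tenancy_ocid" {}

# Top-level compartments: one per business unit, plus the shared Network
# compartment owned by Central IT.
resource "oci_identity_compartment" "bu1" {
  compartment_id = var.tenancy_ocid
  name           = "BU1"
  description    = "Business unit 1"
}

resource "oci_identity_compartment" "network" {
  compartment_id = var.tenancy_ocid
  name           = "Network"
  description    = "Central IT prebuilt VCNs"
}

# Nested: BU1:ProjectA holds the project's compute and storage.
resource "oci_identity_compartment" "bu1_project_a" {
  compartment_id = oci_identity_compartment.bu1.id
  name           = "ProjectA"
  description    = "Project A workloads"
}

# Nested: Network:ProjectA holds the subnets Project A may create inside the
# Central IT VCN (a subnet may live in a different compartment than its VCN).
resource "oci_identity_compartment" "network_project_a" {
  compartment_id = oci_identity_compartment.network.id
  name           = "ProjectA"
  description    = "Subnets for Project A"
}

# Central IT owns every network element under Network, including the
# nested project compartments.
resource "oci_identity_policy" "central_it_network" {
  compartment_id = var.tenancy_ocid
  name           = "central-it-network"
  description    = "Central IT manages all networking under Network"
  statements = [
    "Allow group CentralIT-Network to manage virtual-network-family in compartment Network",
  ]
}

# Project A's pipeline group: full rights on its own workload compartment,
# subnet management only in its nested network compartment, and 'use'
# (attach, not modify) rights on the VCN elements Central IT prebuilt.
# No statement names BU2, so the group cannot act on or enumerate
# resources there.
resource "oci_identity_policy" "project_a_dev" {
  compartment_id = var.tenancy_ocid
  name           = "project-a-dev"
  description    = "Project A CI/CD pipeline rights"
  statements = [
    "Allow group ProjectA-Dev to manage instance-family in compartment BU1:ProjectA",
    "Allow group ProjectA-Dev to manage volume-family in compartment BU1:ProjectA",
    "Allow group ProjectA-Dev to manage subnets in compartment Network:ProjectA",
    "Allow group ProjectA-Dev to use virtual-network-family in compartment Network:ProjectA",
    "Allow group ProjectA-Dev to use vcns in compartment Network",
    "Allow group ProjectA-Dev to use route-tables in compartment Network",
    "Allow group ProjectA-Dev to use security-lists in compartment Network",
    "Allow group ProjectA-Dev to use dhcp-options in compartment Network",
  ]
}
```

The separation that matters for least privilege is between `manage` on the project's own nested compartments and `use` on the shared Network compartment: the pipeline can create and attach subnets, but it cannot alter the VCN, route tables, or security lists that Central IT controls. Because policies are inherited down the tree, a statement at `Network` also covers `Network:ProjectA`, so keep statements as deep in the hierarchy as the use case allows.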
Now let's move on to some of the enterprise-scale cloud security offerings from Oracle that can be consumed as a platform as a service (PaaS). Customers can use these services to fulfill their portion of the shared security responsibility model.
Oracle Identity Cloud Service (IDCS) enables enterprises to connect their users to cloud-based and on-premises applications. IDCS integrates tightly with on-premises systems such as Active Directory and with Oracle's on-premises identity and access management products to extend identities to the cloud.
IDCS provides administration capabilities in the cloud such as user/group and application administration, including provisioning and deprovisioning of applications. It also provides access management capabilities such as single sign-on, strong authentication, and adaptive risk-based policies. Finally, it is the platform upon which governance capabilities like access requests, certifications, and workflows will be built for cloud applications.
IDCS acts as the identity foundation for Oracle Cloud. In other words, when you purchase any Oracle Cloud service, an IDCS instance is automatically created for your tenancy, and all of the tenancy's users are managed there.
For details, see the IDCS service page.
Oracle Cloud Access Security Broker (CASB) Cloud Service is a multimode cloud-access security broker that provides advanced threat analytics using user-behavior analytics (UBA) and third-party feeds, configuration seeding, monitoring and alerts, and shadow IT discovery. For details, see the CASB service page.
Following are the key features for Oracle CASB on Oracle Cloud Infrastructure:
The following sections provide details.
Following are some examples of these alerts and notifications on policy changes to Oracle Cloud Infrastructure resources:
Following are some examples of the controls for detecting insecure settings of Oracle Cloud Infrastructure resources:
CASB uses ML-based analytics to detect the following threats in Oracle Cloud Infrastructure:
Following are some of the out-of-the-box reports used for Oracle Cloud Infrastructure:
CASB provides the following enterprise integrations with SIEM or ITSM systems:
Oracle Management Cloud is an integrated suite of capabilities that enable customers to perform the following actions:
Regardless of whether an application runs on-premises, in Oracle Cloud, or in another vendor's cloud, and on any technology stack, customers can use these capabilities individually or together. The unified platform brings a rich set of interrelated data into one place, giving a complete view of each entity and of the topology that connects them.
For details, see the Oracle Management Cloud service page.
This post highlights the Oracle Management Cloud features related to security, such as monitoring security events and user behavior, and catching data access (SQL-based) anomalies at the user, group, database, and application level.
Conventional security monitoring tools can tell you whether a user's access to a database host was normal. The Security Monitoring and Analytics (SMA) module goes deeper and can tell you that the query the user ran was abnormal for that user, based on behavioral analysis, which widens the range of threats that can be detected. SMA detects such nuanced anomalies by using multi-dimensional baselines (for example, a user's logins by location, time, and host).
SMA also provides the following security features:
The primary goal of this series is to guide customers in securely developing, migrating, and running workloads on Oracle Cloud Infrastructure. The posts showed how to use various Oracle IaaS and PaaS services to protect data, meet compliance requirements, and secure application environments on Oracle Cloud Infrastructure.
Links to other relevant Oracle Cloud Infrastructure security blogs: