We operate in a world where we need to be hypervigilant about our data and infrastructure. For example, even the most careful cloud administrators can fall victim to account takeover techniques, such as phishing attacks and privilege escalation. Nobody wants to misconfigure the security of their data and accidentally expose it to the public internet.
Public cloud providers, such as Oracle Cloud Infrastructure (OCI), include Identity and Access Management (IAM) services that enable you to apply more security layers that can help reduce your attack surface and improve the security posture of your infrastructure, data, and applications. For more information, see Govern Public Access to OCI Resources using OCI IAM Network Perimeters and Network Sources.
OCI IAM provides two key capabilities to help mitigate account takeover attacks by restricting the networks from which users can access your tenancy. Network perimeters restrict the set of IP addresses that are allowed to access the Oracle Cloud Console. Network sources enable you to write policies that restrict access to specific OCI resources based on the requestor’s IP address.
When a user attempts to sign in to an application protected by an OCI IAM identity domain, including the Console, the sign-in attempt is evaluated against the sign-on policy that applies to that application. The policy consists of an ordered series of rules, each with conditions and a resulting action. The rules are evaluated in order until a rule's conditions are met by the current sign-on context; the action associated with that rule is then enacted. By applying a sign-on policy rule that restricts access by IP address, network perimeters help you limit the potential attack surface by disallowing requests that originate from any network other than the ones you specify.
Similarly, network sources help you restrict access to OCI resources, such as compute or storage instances, based on the user's IP address. If you want to ensure that administrative requests originate within your corporate network, this restriction is valuable and further reduces your potential attack surface.
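The two controls described above follow the same pattern: a named set of IP ranges, consulted either by an ordered sign-on policy (network perimeter) or by a condition on a resource-policy statement (network source). The following Python model, added here as an illustration and not OCI's own code or policy syntax, shows first-match evaluation of sign-on rules and a network-source condition on a resource policy. The range names, CIDRs (RFC 5737 documentation addresses), group names, rule ordering and the trailing implicit deny are all constructed assumptions.

```python
"""Constructed model of a network perimeter enforced by an ordered sign-on
policy and a network source referenced from a resource policy.
Added illustration, not OCI's own code; names, ranges and rule layout are
assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Named IP ranges, defined once and referenced by name from the rules below.
# Constructed RFC 5737 documentation ranges.
NETWORKS: Dict[str, List[str]] = {
    "corp-office": ["203.0.113.0/24"],
    "vpn-egress": ["198.51.100.10/32"],
}


def in_network(ip: str, name: str) -> bool:
    """True if ip falls inside any CIDR of the named range (unknown name -> False)."""
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in NETWORKS.get(name, []))


@dataclass
class SignOnRule:
    name: str
    condition: Callable[[dict], bool]   # evaluated against the sign-on context
    action: str                          # "allow", "allow_with_mfa" or "deny"


def evaluate_sign_on(rules: List[SignOnRule], ctx: dict) -> Tuple[str, str]:
    """First-match evaluation: walk the rules in order and return the action of
    the first rule whose conditions the context satisfies. The fallback deny is
    this model's assumption, so an unmatched context is never silently allowed."""
    for rule in rules:
        if rule.condition(ctx):
            return rule.action, rule.name
    return "deny", "no-rule-matched"


# Rule order matters: the perimeter deny sits first so the broader rules that
# follow can never admit a request from outside the allowed networks.
CONSOLE_POLICY: List[SignOnRule] = [
    SignOnRule(
        "outside-perimeter",
        lambda c: not (in_network(c["ip"], "corp-office") or in_network(c["ip"], "vpn-egress")),
        "deny",
    ),
    SignOnRule("admins-need-mfa", lambda c: "Administrators" in c["groups"], "allow_with_mfa"),
    SignOnRule("everyone-else", lambda c: True, "allow"),
]


@dataclass
class PolicyStatement:
    """One resource-policy statement; network_source narrows it to requests
    whose source IP is inside the named range."""
    group: str
    verb: str
    resource: str
    network_source: Optional[str] = None


def resource_authorized(statements: List[PolicyStatement], req: dict) -> bool:
    """Allow only if some statement grants the verb on the resource to one of
    the requester's groups and, when the statement names a network source,
    the request IP is inside that range."""
    for s in statements:
        if s.group not in req["groups"] or s.verb != req["verb"] or s.resource != req["resource"]:
            continue
        if s.network_source is None or in_network(req["ip"], s.network_source):
            return True
    return False


# Administrative access to compute is tied to the office range; read access is not.
RESOURCE_POLICY: List[PolicyStatement] = [
    PolicyStatement("Administrators", "manage", "instance-family", network_source="corp-office"),
    PolicyStatement("Developers", "read", "instance-family"),
]


if __name__ == "__main__":
    ctx = {"ip": "203.0.113.42", "groups": ["Administrators"]}
    print(evaluate_sign_on(CONSOLE_POLICY, ctx))
    print(resource_authorized(RESOURCE_POLICY, {**ctx, "verb": "manage", "resource": "instance-family"}))
```

The same administrator who is admitted to the Console from the VPN range is still refused `manage` on compute there, because that statement's network source names only the office range; the two controls compose rather than duplicate each other.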
To learn more about how to implement OCI IAM network perimeters and network sources to provide more layers of protection in your Oracle Cloud Infrastructure tenancy, view our tutorial, Govern Public Access to OCI Resources using OCI IAM Network Perimeters and Network Sources.