Best practices for migrating IL4 and IL5 workloads with the Oracle Cloud Native SCCA Solution

October 30, 2023 | 4 minute read
George Boateng
Solution Architect
John Horton
Principal Solution Architect
Rakesh Kumar
Director of Product Management for Oracle DoD Cloud
Nelson Chen
Senior Principal Product Manager

This blog is part 2 of our multipart series on the Oracle Cloud Native SCCA solution. 

Our first blog discussed the challenges that Department of Defense (DoD) customers face in meeting Secure Cloud Computing Architecture (SCCA) requirements and how the Oracle Cloud Native SCCA Landing Zone solution can help overcome some of those challenges. In this post, we discuss how to use the Oracle SCCA solution to migrate your DoD workloads to the cloud.

Planning your SCCA approach

To plan how you will build an Oracle Cloud Infrastructure (OCI) architecture that is compliant with SCCA, you will need to review both DoD and Oracle resources. The DoD Cloud Computing Security Requirements Guide (CC SRG) provides guidance to DoD Mission Owners on the security policies and requirements for their cloud computing environment. The SCCA Functional Requirements Document (FRD) provides a summary of SCCA requirements. To learn more about the Oracle SCCA solution, review the Oracle Cloud Native SCCA Landing Zone (LZ) Architecture Guide, the Customer Responsibility Guide, and the reference architecture documentation. These documents can help you understand the SCCA requirements, which of them the Oracle Cloud Native SCCA Landing Zone can help you meet, and which remain your responsibility.

Features of the Oracle SCCA Solution

The Oracle Cloud Native SCCA Landing Zone is available for download as Terraform code, or through Oracle Resource Manager, the OCI Terraform-as-a-service tool. You can use this landing zone in any OCI region, including government, classified, and public cloud regions.

The core components of the SCCA controls are the Virtual Data Center Security Stack (VDSS), the Virtual Data Center Managed Services (VDMS), and the workload itself. The VDSS provides the core network security functions, such as firewalls and network traffic mirroring, while the VDMS hosts the user and application security tooling, such as audit logging, encryption key management, and secured administrative access through Bastion.

A graphic depicting the architecture for a deployment of Oracle Cloud Native SCCA Landing Zone.

Figure 1: Oracle Cloud Native SCCA Landing Zone architecture

As outlined in Figure 1, the Oracle Cloud Native SCCA Landing Zone uses OCI Identity and Access Management (IAM) compartments to isolate components, enabling separation of duties and reducing the blast radius of a potential compromise. The design is built around the flow of data from an external DoD-owned network connection, through the security stack, into the workload compartments. We have created a dedicated compartment for OCI Logging that is the destination for all audit logs gathered in the tenancy. Because the log data lives in its own compartment, you can grant an external third party access to it with a policy scoped to that compartment alone, without the risk of inadvertently giving them access to other parts of the environment.

Finally, we have implemented a suite of services that are scoped at the tenancy level rather than at the individual compartment or instance. Tenancy-level services include identity domains, which enable federation to external identity providers (IdPs) such as Active Directory, and Cloud Guard, which is a tenancy-wide security monitoring and alerting tool. This architecture also supports X.509 certificate authentication.
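The compartment isolation and the scoped third-party logging access described above can be expressed directly in OCI IAM policy. The following Terraform is an added illustration written for this post; it is not code from the Oracle Cloud Native SCCA Landing Zone itself, and the compartment, group, and variable names are assumptions chosen for the example. It creates a dedicated logging compartment beside a workload compartment, and attaches a read-only policy for an external auditor group to the logging compartment only. Because the policy is attached to the logging compartment rather than the tenancy root, OCI will reject any statement in it that tries to reach outside that compartment, which is the property that keeps the auditors away from the workload.

```hcl
terraform {
  required_providers {
    oci = {
      source = "oracle/oci"
    }
  }
}

# Assumed inputs: supplied via terraform.tfvars or Resource Manager variables.
variable "tenancy_ocid" {
  description = "OCID of the tenancy (root compartment)"
  type        = string
}

variable "region" {
  description = "Region to deploy into; should be the tenancy home region for IAM resources"
  type        = string
}

provider "oci" {
  tenancy_ocid = var.tenancy_ocid
  region       = var.region
}

# Dedicated compartment that receives all audit and service logs.
# Name is an assumption for this example.
resource "oci_identity_compartment" "logging" {
  compartment_id = var.tenancy_ocid
  name           = "scca-logging"
  description    = "Destination for tenancy audit and service logs"
  enable_delete  = false
}

# Workload compartment, kept separate so no auditor policy ever references it.
# Name is an assumption for this example.
resource "oci_identity_compartment" "workload" {
  compartment_id = var.tenancy_ocid
  name           = "scca-workload"
  description    = "Mission owner application workloads"
  enable_delete  = false
}

# Group for the external third party; IAM groups live in the tenancy root.
# Group name is an assumption for this example.
resource "oci_identity_group" "external_auditors" {
  compartment_id = var.tenancy_ocid
  name           = "scca-external-auditors"
  description    = "Third-party reviewers with read-only access to log data"
}

# The policy is attached to the logging compartment, not the tenancy root.
# A compartment-level policy can only grant access to resources in that
# compartment (or its children), so a statement naming scca-workload here
# would fail validation. "read" is the least-privilege verb that lets the
# group list log groups and retrieve log content; it cannot modify or delete.
resource "oci_identity_policy" "auditor_log_read" {
  compartment_id = oci_identity_compartment.logging.id
  name           = "scca-external-auditor-log-read"
  description    = "Read-only access to log groups and log content for external auditors"
  statements = [
    "Allow group ${oci_identity_group.external_auditors.name} to read log-groups in compartment ${oci_identity_compartment.logging.name}",
    "Allow group ${oci_identity_group.external_auditors.name} to read log-content in compartment ${oci_identity_compartment.logging.name}",
  ]
}

output "logging_compartment_id" {
  value = oci_identity_compartment.logging.id
}

output "workload_compartment_id" {
  value = oci_identity_compartment.workload.id
}
```

After `terraform apply`, a quick check is to sign in as a member of the auditor group and confirm that the Logging service lists log groups in the scca-logging compartment while the scca-workload compartment shows no resources at all; if the workload compartment is visible, a broader policy attached at the tenancy root is granting access that this compartment-scoped policy was not meant to.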

Deploying the Oracle Cloud Native SCCA Landing Zone is simple

Getting started with your SCCA Landing Zone deployment is easy. For the prerequisites, refer to the configuration guide. As a best practice, deploy the SCCA Landing Zone in your OCI home region, since IAM resources such as compartments, groups, and policies are created there.

You can deploy the landing zone from the Terraform CLI or from OCI Resource Manager in the OCI Console. If you are familiar with Terraform and comfortable running the stack from the CLI, that option works well. If you prefer a guided deployment, Resource Manager is the best option.

In the OCI Console, under Launch Resources, open Resource Manager and select Create a stack.

A screenshot of the Create a stack option in the Oracle Cloud Console.

Under Stack configuration, select Change Template.

A screenshot of a sample e-commerce application stack configuration template.

From the Browse templates menu, select the Architecture tab.

Under Template Name, select the OCI SCCA Landing Zone option, then click Select template.

A screenshot of the Browse templates section with the OCI SCCA Landing Zone selected and highlighted.

In the Create stack menu, click Next. Follow the instructions to select the correct option or enter the required data in each field, then review and run the stack.

The landing zone scripts will begin configuring your OCI architecture.

Our Cloud Native SCCA Landing Zone documentation makes it simple

The Oracle Cloud Native SCCA solution is easy to use and makes security compliance and cloud adoption for DoD workloads simple, fast, and cost effective by using a framework of cloud native services. The Oracle Cloud Native SCCA Landing Zone script and its associated technical documentation are provided at no separate or additional charge under a customer's contract. The underlying cloud services consumed to stand up the SCCA-compliant architecture in a customer's tenancy may be billable in accordance with the customer's contract.

Commercial customers can also take advantage of the automated security posture outlined above. All OCI customers can use the SCCA Landing Zone and the other Oracle Enterprise Landing Zones (OELZs), which allow organizations to quickly implement best practices for security and compliance.

For more information on the Oracle Cloud Native SCCA solution, contact our DoD Product Management team.

For more information, see the following resources:

Oracle SCCA Website

Understanding the Oracle Cloud Native SCCA solution for DoD IL4 and IL5 workloads

SCCA Architecture Guide

SCCA Customer Responsibility Guide

Oracle Cloud Native SCCA Landing Zone on GitHub

Oracle Cloud Native SCCA Landing Zone Documentation

Oracle Cloud Native SCCA Landing Zone press release


George Boateng

Solution Architect

George Boateng is a Solution Architect supporting ONSRs. He has a background in OCI, AWS, DevOps, Linux, and Windows, and has experience automating infrastructure using CloudFormation and Terraform. George assists customers in solving technical challenges and helps drive their work forward. He is a key member of the team working on the Oracle Cloud Native SCCA Landing Zone for DoD customers.

John Horton

Principal Solution Architect

John is a 15-year Oracle veteran and 20-year USAF veteran. He has worked across a broad set of Oracle teams including consulting, cloud architecture, Oracle Applications architecture for Cloud, and US Government Cloud.

Rakesh Kumar

Director of Product Management for Oracle DoD Cloud

Rakesh Kumar is the Director of Product Management for Oracle DoD Cloud. He is responsible for managing product and services in Oracle’s DoD Cloud and leads the Cloud Native SCCA business and go-to-market team.

Mr. Kumar is a graduate of the M.I.T. Sloan School of Management and holds several degrees from Harvard schools, including Harvard Business School.

Nelson Chen

Senior Principal Product Manager

Nelson Chen is a Senior Principal Product Manager for Oracle Cloud Infrastructure and is responsible for OCI Landing Zone products and services. He has more than 20 years of experience in IT Infrastructure/Security, and he is a certified Oracle Cloud Architect Professional, CISSP, CISA, and CISM.
