This blog is part 2 of our multipart series on the Oracle Cloud Native SCCA solution.
Our first blog discussed the challenges that Department of Defense (DoD) customers face to meet Secure Cloud Computing Architecture (SCCA) requirements and how the Oracle Cloud Native SCCA Landing Zone solution can help overcome some of those challenges. Next, we discuss how to use the Oracle SCCA solution to migrate your DoD workloads to the cloud.
To plan how you will build an Oracle Cloud Infrastructure (OCI) architecture that is compliant with SCCA, you will need to review DoD and Oracle resources. The Cloud Computing Requirements Guide (CC SRG) provides guidance to DoD Mission Owners on the security policies and requirements in their cloud computing environment. The SCCA Functional Requirements Document (FRD) provides a summary of SCCA requirements. To learn more about the Oracle SCCA solution, review the Oracle Cloud Native SCCA Landing Zone (LZ) Architecture Guide, the Customer Responsibility Guide, and the reference architecture documentation. These documents can help you understand SCCA requirements and how the Oracle SCCA Cloud Native Landing Zone can help you meet many of those requirements.
The Oracle Cloud Native SCCA Landing Zone is available to download as Terraform, or through the Terraform-as-a-service tool, Oracle Resource Manager. You can use this landing zone in any OCI region, including government, classified, and public cloud.
The core components of SCCA controls are the Virtual Data Center Security Stack (VDSS), Virtual Data Center Managed Services (VDMS), and the workload. The VDSS consists of core network security such as firewalls and network mirroring, while the VDMS is for user and application security tools such as audit logs, encryption key management, and secured access through Bastion.
Figure 1: Oracle Cloud Native SCCA Landing Zone architecture
As outlined in Figure 1, the Oracle Cloud Native SCCA Landing Zone uses OCI Identity and Access Management (IAM) compartments to isolate components, enabling separation of duties and reducing the blast radius of a potential compromise. The design is based around the flow of data from an external DoD-owned network connection through the security stack into the workload compartments. We have created a specialized compartment specifically for OCI Logging, which is the destination for all audit logs gathered by the tenancy. This lets you grant an external third party access to logging data without the risk of inadvertently giving them access to other parts of the environment.
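One way to express the third-party logging access described above as an IAM policy, as an added example that is not part of the landing zone's own Terraform. It assumes the landing zone created a dedicated logging compartment and that the auditor group exists in an identity domain; the compartment name, group name, and tenancy OCID are placeholders.

```hcl
# Added example, not the Oracle SCCA Landing Zone's own code. Compartment
# name, identity-domain group name and tenancy OCID are placeholders.

variable "tenancy_ocid" {
  description = "Root compartment OCID of the tenancy (placeholder)"
  type        = string
}

variable "logging_compartment_name" {
  description = "Name of the landing zone's logging compartment (assumed)"
  type        = string
  default     = "scca-logging-placeholder"
}

variable "auditor_group" {
  description = "Federated auditor group in 'domain'/'group' form (assumed)"
  type        = string
  default     = "'Default'/'external-auditors-placeholder'"
}

# Read-only access scoped to the logging compartment only. No statement
# names the VDSS, VDMS or workload compartments, so the external group
# cannot list or read resources there even if it is granted further
# console access later.
resource "oci_identity_policy" "external_auditor_logs" {
  compartment_id = var.tenancy_ocid
  name           = "external-auditor-log-read"
  description    = "Read-only log access for external auditors, logging compartment only"

  statements = [
    "Allow group ${var.auditor_group} to read log-groups in compartment ${var.logging_compartment_name}",
    "Allow group ${var.auditor_group} to read log-content in compartment ${var.logging_compartment_name}",
  ]
}
```

Review the policy with `terraform plan` before applying, and confirm in the console that the group has no statements attached to other compartments.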
Finally, we have implemented a suite of services that are scoped at the tenancy level rather than at the individual compartment or instance. Tenancy-level services include identity domains, which enable federation to external identity providers (IdPs) such as Active Directory, and Cloud Guard, which is a tenancy-wide security monitoring and alerting tool. This architecture also provides support for x509 authentication.
Getting started with your SCCA Landing Zone deployment is easy. To learn more about prerequisites, refer to the configuration guide. As a best practice, you should deploy the SCCA Landing Zone in your OCI home region.
You may deploy the landing zone directly from your OCI console, the Terraform CLI, or the OCI Resource Manager. If you are familiar with Terraform and comfortable with running the stack from CLI, this option is great for you. If you prefer a guided deployment, Resource Manager is the best option.
In the Oracle Console, go to Launch Resources, open Resource Manager, and select Create a stack.
Under Stack configuration, select Change Template.
From the Browse templates menu, select the Architecture tab.
Under Template Name, select the OCI SCCA Landing Zone option, then click Select template.
In the Create stack menu, click Next. Follow the instructions to select the correct option or enter the required data in each field.
The landing zone scripts will begin configuring your OCI architecture.
The Oracle Cloud Native SCCA solution is easy to use and makes security compliance and cloud adoption for DoD workloads simple, fast, and cost effective by using a framework of cloud native services. The Oracle Cloud Native SCCA Landing Zone script and associated technical documentation are provided at no separate or additional charge under a customer's contract. Underlying consumable cloud services used to stand up the SCCA-compliant architecture in a customer's tenancy may be billable in accordance with the customer's contract.
Commercial customers can also take advantage of the automated security posture outlined above. All OCI customers can leverage SCCA and other Oracle Enterprise Landing Zones (OELZs) that allow organizations to quickly implement best practices for security and compliance.
For more information on the Oracle Cloud Native SCCA solution, contact our DoD Product Management team.
For more information, see the following resources:
Understanding the Oracle Cloud Native SCCA solution for DoD IL4 and IL5 workloads
SCCA Customer Responsibility Guide
Oracle Cloud Native SCCA Landing Zone on GitHub
Oracle Cloud Native SCCA Landing Zone Documentation
Oracle Cloud Native SCCA Landing Zone press release
George Boateng is a Solution Architect supporting ONSRs. He has a background in OCI, AWS, DevOps, Linux, and Windows. He has experience automating infrastructure using CloudFormation and Terraform. George assists customers in solving technical challenges as well as helping to drive work. He is a key member of the team working on the Oracle Cloud Native SCCA Landing Zone for DoD customers.
John is a 15-year Oracle veteran and 20-year USAF veteran. He has worked across a broad set of Oracle teams including consulting, cloud architecture, Oracle Applications architecture for Cloud, and US Government Cloud.
Rakesh Kumar is the Director of Product Management for Oracle DoD Cloud. He is responsible for managing product and services in Oracle’s DoD Cloud and leads the Cloud Native SCCA business and go-to-market team.
Mr. Kumar is a graduate of the M.I.T. Sloan School of Management and has several degrees from Harvard schools, including Harvard Business School.
Nelson Chen is a Senior Principal Product Manager for Oracle Cloud Infrastructure and is responsible for OCI Landing Zone products and services. He has more than 20 years of experience in IT Infrastructure/Security, and he is a certified Oracle Cloud Architect Professional, CISSP, CISA, and CISM.