This blog is part 2 of our multipart series on the Oracle Cloud Native SCCA solution.
Our first blog discussed the challenges that Department of Defense (DoD) customers face to meet Secure Cloud Computing Architecture (SCCA) requirements and how the Oracle Cloud Native SCCA Landing Zone solution can help overcome some of those challenges. Next, we discuss how to use the Oracle SCCA solution to migrate your DoD workloads to the cloud.
Planning your SCCA approach
To plan how you will build an Oracle Cloud Infrastructure (OCI) architecture that is compliant with SCCA, you will need to review DoD and Oracle resources. The Cloud Computing Requirements Guide (CC SRG) provides guidance to DoD Mission Owners on the security policies and requirements in their cloud computing environment. The SCCA Functional Requirements Document (FRD) provides a summary of SCCA requirements. To learn more about the Oracle SCCA solution, review the Oracle Cloud Native SCCA Landing Zone (LZ) Architecture Guide, the Customer Responsibility Guide, and the reference architecture documentation. These documents can help you understand SCCA requirements and how the Oracle SCCA Cloud Native Landing Zone can help you meet many of those requirements.
Features of the Oracle SCCA Solution
The Oracle Cloud Native SCCA Landing Zone is available to download as Terraform or through the Terraform-as-a-service tool, Oracle Resource Manager. You can use this landing zone in any OCI region, including government, classified, and public cloud.
The core components of SCCA controls are the Virtual Data Center Security Stack (VDSS), Virtual Data Center Managed Services (VDMS), and the workload. The VDSS consists of core network security such as firewalls and network mirroring, while the VDMS is for user and application security tools such as audit logs, encryption key management, and secured access through Bastion.

Figure 1: Oracle Cloud Native SCCA Landing Zone architecture
As outlined in Figure 1, the Oracle Cloud Native SCCA Landing Zone uses OCI Identity and Access Management (IAM) compartments to isolate components, enabling separation of duties and reducing the blast radius of a potential compromise. The design is based around the flow of data from an external DoD-owned network connection through the security stack into the workload compartments. We have created a specialized compartment specifically for OCI Logging, which is the destination for all audit logs gathered by the tenancy. This lets you grant an external third party access to logging data without the risk of inadvertently giving them access to other parts of the environment.
Finally, we have implemented a suite of services that are scoped at the tenancy level rather than at the individual compartment or instance. Tenancy-level services include identity domains that enable federation to external identity providers (IdPs) such as Active Directory, and Cloud Guard, which is a tenancy-wide security monitoring and alerting tool. This architecture also provides support for X.509 authentication.
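The dedicated logging compartment only limits a third party's reach if the IAM policy statements written for that party stay inside it. The following check is an added example, not part of the Oracle landing zone code: it reviews OCI policy statements for one group and flags any grant that goes beyond read-only access to logging data in the logging compartment. The group name, compartment names and sample statements are constructed for illustration.

```python
import re

# OCI IAM policy statement shape handled here:
#   Allow group <name> to <verb> <resource-type> in compartment <name> | in tenancy
STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+(?P<compartment>\S+))"
    r"(?:\s+where\s+.+)?$",
    re.IGNORECASE,
)
READ_ONLY_VERBS = {"inspect", "read"}
LOGGING_RESOURCES = {"logging-family", "log-groups", "log-content"}

# Constructed sample statements; every name below is hypothetical.
SAMPLE_POLICY = [
    "Allow group External-Auditors to read logging-family in compartment SCCA-Logging",
    "Allow group External-Auditors to manage log-groups in compartment SCCA-Logging",
    "Allow group External-Auditors to read all-resources in tenancy",
    "Allow group External-Auditors to read log-content in compartment SCCA-Workload",
    "Allow group NetAdmins to manage virtual-network-family in compartment SCCA-VDSS",
]


def audit_group_grants(statements, group, logging_compartment):
    """Return (statement, reason) for each grant to `group` that reaches beyond
    read-only logging data in `logging_compartment` (names compared case-insensitively)."""
    findings = []
    for raw in statements:
        m = STATEMENT.match(raw.strip())
        if m is None:
            # Statements this parser cannot read still need a manual look.
            if group.lower() in raw.lower():
                findings.append((raw, "unparsed statement mentions group"))
            continue
        if m["group"].lower() != group.lower():
            continue
        if m["compartment"] is None:
            findings.append((raw, "scoped to tenancy"))
        elif m["compartment"].lower() != logging_compartment.lower():
            findings.append((raw, "outside logging compartment"))
        elif m["verb"].lower() not in READ_ONLY_VERBS:
            findings.append((raw, "verb is not read-only"))
        elif m["resource"].lower() not in LOGGING_RESOURCES:
            findings.append((raw, "resource is not logging data"))
    return findings
```

Run it against the policy statements exported from your tenancy; an empty result means every grant to the group is confined to reading logs in the logging compartment.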
Deploying the Oracle Cloud Native SCCA Landing Zone is simple
Getting started with your SCCA Landing Zone deployment is easy. To learn more about prerequisites, refer to the configuration guide. As a best practice, you should deploy the SCCA Landing Zone in your OCI home region.
You may deploy the landing zone directly from your OCI console, the Terraform CLI, or the OCI Resource Manager. If you are familiar with Terraform and comfortable with running the stack from the CLI, this option is great for you. If you prefer a guided deployment, Resource Manager is the best option.
In the Oracle Console, Launch Resources, view the Resource Manager, and select Create a stack.

Under Stack configuration, select Change Template.

From the Browse templates menu, select the Architecture tab.
Under Template Name, select the OCI SCCA Landing Zone option, then click Select template.

In the Create stack menu, click Next. Follow the instructions to select the correct option or enter the required data in each field.
The landing zone scripts will begin configuring your OCI architecture.
Our Cloud Native SCCA Landing Zone documentation makes it simple
The Oracle Cloud Native SCCA solution is easy to use and makes security compliance and cloud adoption for DoD workloads simple, fast, and cost effective by using a framework of cloud native services. The Oracle Cloud Native SCCA Landing Zone script and associated technical documentation are provided at no separate or additional charge under a customer’s contract. Underlying consumable cloud services used to stand up the SCCA-compliant architecture in a customer’s tenancy may be billable in accordance with the customer’s contract.
Commercial customers can also take advantage of the automated security posture outlined above. All OCI customers can leverage SCCA and other Oracle Enterprise Landing Zones (OELZs) that allow organizations to quickly implement best practices for security and compliance.
For more information on the Oracle Cloud Native SCCA solution, contact our DoD Product Management team.
For more information, see the following resources:
Understanding the Oracle Cloud Native SCCA solution for DoD IL4 and IL5 workloads
SCCA Customer Responsibility Guide
Oracle Cloud Native SCCA Landing Zone on GitHub
Oracle Cloud Native SCCA Landing Zone Documentation
Oracle Cloud Native SCCA Landing Zone press release



