Elevating OCI Cache security with network security groups

Oracle Cloud Infrastructure (OCI) consistently innovates to strengthen the security of our cloud offerings. We’re proud to introduce the addition of network security groups (NSGs) to OCI Cache that help provide a refined control over your data traffic.

Precisely managing access to sensitive data

In sectors like healthcare, where OCI Cache is instrumental in managing sensitive patient records, the granularity of access control is crucial. Various departments interact with a multitude of data points, and seeking to ensure that each department accesses only the information necessary for their function is paramount for compliance and security.

NSGs: Your data traffic controllers

NSGs serve as sophisticated traffic controllers in your network, helping you to enforce precise security rules at the network level. These rules determine which types of traffic are allowed to enter and exit network interfaces attached to your OCI Cache clusters. By setting these parameters, NSGs help ensure that only traffic from approved sources reaches your data stores.

Using NSGs instead of security Lists offers the following benefits:

• Granularity: NSGs allow for detailed traffic rules specific to groups of resources, rather than applying blanket rules across all resources in a subnet.
• Flexibility: You can specify security rules that affect only chosen resources, which can be particularly beneficial in multitier application setups where different layers have different security needs.
• Isolation: With NSGs, you can effectively segregate the traffic rules of different application components, which can help to enhance security by minimizing potential points of exposure.

For environments requiring specific, customized security configurations without the constraints of subnet-wide rules, NSGs tends to offer a more tailored solution compared to security lists. You can use both in tandem to achieve a comprehensive security posture.

NSGs real-world use case

Let’s illustrate NSGs’ role using the following healthcare application scenario:

• Creation of NSGs: Administrators create NSGs within the virtual cloud network (VCN) that houses the OCI Cache cluster. NSGs begin without preset rules, which allows admins to craft security policies that cater to specific network traffic requirements.
• Configuring NSG rules: For an OCI Cache cluster handling patient records, security rules in the NSG control the following access types:
  • Stateless: Disabled to maintain context for connection sessions.
  • Source type: Specified as Classless Interdomain Routing (CIDR) blocks or other NSGs to identify authorized network sources, such as particular departmental servers.
  • IP protocol: Set to transmission control protocol (TCP), aligning with OCI Cache’s communication protocol.
  • Source port range: Set broadly to “All” to accommodate various client connections.
  • Destination port range: Targeted to 6379, the OCI Cache service's default port.
• Associating NSGs with OCI Cache clusters: The NSG is associated with the OCI Cache cluster through the Oracle Cloud Console, aligning traffic rules with the operational needs of different hospital departments.

By using NSGs between departmental networks and OCI Cache, we control network traffic to help adhere to operational protocols, enabling tailored access for each department to the patient data cache. This setup simplifies access management at the network level, without the need to manage individual user roles, and tends to offer a more targeted approach than security lists, which apply uniformly across all resources in a subnet. This method not only increases operational efficiency, but also helps to provide enhanced security and compliance, a crucial advantage for healthcare customers managing sensitive patient information.

Conclusion

NSG support for OCI Cache provides an additional mechanism for controlling network-level access to your data caches. By managing traffic flow, NSGs aim to contribute significantly to the overall security posture of your applications, complementing other access control measures within the system. This support helps ensure that sensitive data, such as patient records, is shielded from unauthorized network access, while maintaining the high availability and performance of Oracle Cloud Infrastructure Cache.

To learn more, see the following resources:

• OCI Cache technical documentation
• Network Security Groups technical documentation
• OCI Cache product page
• Oracle Supports Valkey
• In the Oracle Cloud Console, you can find OCI Cache under “Databases.”
• Sign up to OCI for free