Cybersecurity attacks are disrupting thousands of businesses around the world, causing billions in damages. According to the 2021 IBM Security Threat Intelligence Index, the #1 attack vector was scan and exploit, which targets any and all open ports on the internet. 2021 also saw arguably the worst security exploit of the decade in Log4Shell. It is clear malicious network attacks and vulnerabilities like this aren't going away - what is your plan to protect against them?
Oracle's Gen 2 Cloud is built with a security-first approach, enabling private access so that traffic does not go over the internet. However, some resources and applications must be internet facing. This post, written in conjunction with NetFoundry, addresses mitigating Log4j risks and other vulnerabilities with NetFoundry and OCI's help.
We won't explain Log4Shell in detail here, but there are some things to note about vulnerabilities and the risks they pose:
Zero-trust principles are a major defense in the cybersecurity war, but many zero-trust solutions would not have stopped the largest attacks of 2021, such as Log4Shell, Colonial Pipeline, SolarWinds, and Kaseya, because these solutions focus on remote access and operate as 'bolt-on' solutions, which can inconvenience users and workflows. We would need to close all inbound network connections for all applications and systems to truly disrupt these attacks and restrict lateral movement. Closing these connections suffocates ransomware, mitigating the biggest risks of Log4Shell, but it suffocates business too! So how can you protect yourself when you are unable to restrict inbound traffic?
What is needed is private, zero-trust connectivity that can be embedded into applications and systems so that it is transparent to users. We need these principles applied across any use case, enabling businesses to hide all apps, APIs, servers, and databases behind a zero-trust overlay network. But how can we possibly close all network connections without closing the business? Meet Ziggy!
Ziggy is the mascot for OpenZiti, the next generation of secure, open-source networking created and maintained by NetFoundry. OpenZiti provides everything needed for a truly private, zero-trust overlay network, and is tailor-made for OCI as Oracle Cloud embraces open-source software technologies. Embedding Ziti directly into your applications using OpenZiti's SDKs gives you the following benefits:
External network level attacks become all but impossible and lateral movement is largely restricted as OpenZiti reduces the potential attack vectors from billions of malicious actors to only those you trust. This means zero-day exploits become virtually impossible, all without stopping your business.
By adopting OpenZiti, developers can incorporate secure-by-design as a feature. This allows you to extend the principles of OCI's Gen 2 security and private access to your applications on OCI and any external resources or applications across the internet - invaluable for multi-cloud architectures.
One example of a company using OpenZiti for its private APIs is Ozone. The integration ensures secure communication between the application delivery vendor's control plane and its customer's Kubernetes environments. Another is Redfaire, a leading JD Edwards on Oracle Cloud partner, who leverages NetFoundry to deliver the highest security JD Edwards to their customers. Other resources include published blogs on how to get started with NetFoundry on OCI, how to apply Ziti to Oracle Kubernetes Engine, Built & Deployed videos, and hands-on training with LiveLabs.
OpenZiti is open source, so downloading it is simple and free! Run it locally, use Docker, or host it yourself. If you want to avoid the hassle of hosting and supporting it yourself, let NetFoundry do it for you. This includes an 'Always Free' tier so you can start with no cost.
Cody is a Cloud Architect for Oracle Cloud's Commercial accounts.