Welcome to the third article in my series on “Enhancing EBS Security on OCI”. In the first article, I looked at the threats and risks associated with moving an application like EBS to the Cloud, and also discussed the first attack vector, Infrastructure Attack. The second article then looked at enhancing user security.
In this article, I am going to talk about the threats to EBS itself, as an application exposed to the internet. I’ll then look at how you can apply Cloud-based security controls to minimise this risk.
As I discussed in the first article in this series, there is a threat to your EBS application when you expose it to the internet. Attacks such as Distributed Denial of Service (DDoS), cross-site scripting (XSS), and sensitive data disclosure all target the application directly. Standard security controls such as firewalls, port filtering, and reverse proxies do not prevent all of these attacks. The impact of a successful attack at this level could mean that sensitive data is leaked, or that your application is taken offline, even for your authorised users. Given that EBS manages many of your typical enterprise processes such as source-to-settle, procure-to-pay, and hire-to-fire, losing the availability of EBS (or any enterprise application) can cause severe disruption to any business.
As mentioned in part 1 of this series, EBS has a lot of guidance and security capabilities built in that should always be your first port of call when deploying a secure EBS solution. For example, whenever exposing EBS to the internet, you should always follow the DMZ deployment guidelines (MOS Notes 1375670.1 (EBS 12.2) and 380490.1 (EBS 12.2)) to expose only the EBS products certified for internet access. Furthermore, MOS Notes 1367293.1 (EBS 12.2) and 376700.1 (EBS 12.1) cover how to enable TLS 1.2 within your EBS deployment.
In addition, some of the protections mentioned above will be provided by your Cloud Provider as an out-of-the-box service. For example, within OCI, all customers get volumetric-based DDoS protection by nature of using OCI. However, volumetric DDoS isn’t the only type of availability-based attack that needs mitigating.
Fortunately, there are controls that can mitigate these types of application attacks. Web Application Firewalls (WAF) are designed to offer these types of protections. I’ve demonstrated some of the key capabilities of Oracle’s WAF in one of my other articles here. As you can see, through its protection rules, access control, threat intelligence, and bot management, you can protect your EBS application from the types of threats we are discussing in this article.
Of course, Oracle WAF isn’t the only approach you can take. It is possible to use a different cloud-based WAF (if it is able to protect any internet-facing endpoint). Alternatively, you could deploy a WAF directly onto OCI compute, either by installing the software yourself or by deploying an appliance from the OCI marketplace.
However, Oracle WAF is a compelling solution, offering a true Cloud-based WAF, that can protect your applications deployed on OCI, or indeed on any internet-facing endpoint.
Whether you use OCI’s WAF or an alternative approach, protecting your EBS application from attack is critical to maintain the availability of your application as well as the integrity and confidentiality of the data within it.
A few months ago, I was working with a customer who had just completed the migration of their EBS environment to the Cloud. Within three days of their application going live, it was taken offline through a DDoS attack that would have been prevented had they deployed a WAF as part of the migration. Needless to say, they are now deploying OCI WAF to mitigate the risk of that happening again.
I hope you are enjoying reading this series of articles. If you are, stay tuned. In the next article, I will look at how you monitor EBS as well as the platform it is running on to ensure that any problems are identified and rectified quickly.