How does Oracle OCI proactively protect customer workloads in the cloud from day one?

Current Challenge

Customer engineers responsible for provisioning cloud resources may not be aware of, or trained in, the best security configuration to apply as part of their cloud implementation. If security is not followed from the starting phase, it becomes very difficult to address later, around cloud go-live, and the result is often a reactive approach. A proactive approach that addresses security from the start has been missing in many cloud service providers (CSPs).

Oracle is helping to shift more of the security responsibility from the customer to the cloud provider.

Oracle OCI Gen2 Cloud: built from the ground up with built-in, always-on security and a zero-trust security model

Oracle Security Zones

A service that helps ensure customers implement Oracle’s best practices for security by enforcing them from the start and removing the chance of configuration drift or someone violating them later. This brings clarity regarding what is needed to meet their security needs and removes guesswork from the equation when it comes to implementation.

Security Zones let you be confident that your resources in Oracle Cloud Infrastructure, including Compute, Networking, Object Storage, and Database resources, comply with Oracle security principles.

Access the Security Zone in OCI

Security zone: An association between a compartment and a security zone recipe. Resource operations in a security zone are validated against all policies in the recipe.

Security zone recipe: A collection of security zone policies.

Security zone policy: A security requirement for resources in a security zone.

When you create and update resources in a security zone, OCI validates these operations against the list of policies defined in the security zone recipe.

High Level Proposed Architecture

Creating Security Zone

Your tenancy has a predefined recipe named “Maximum Security Recipe”, which includes all available security zone policies. Oracle manages this recipe and you can’t modify it.

In general, security zone policies align with these security principles:

  1. Resources can’t be moved from a security zone to a standard compartment because it might be less secure.
  2. Data in a security zone can’t be copied to a standard compartment because it might be less secure.
  3. All the required components for a resource in a security zone must also be located in a security zone. Resources that are not in a security zone might be vulnerable. For example, a compute instance in a security zone can’t use a boot volume that is not in a security zone.
  4. Resources in a security zone must not be accessible from the public internet.
  5. Resources in a security zone must be encrypted using customer-managed keys.
  6. Resources in a security zone must be regularly and automatically backed up.
  7. Resources in a security zone must use only configurations and templates approved by Oracle.

A security zone policy differs from an IAM policy in the following ways:

  • Administrators create IAM policies to grant users the ability to manage certain resources in a compartment.
  • A security zone policy ensures that these management operations comply with the Oracle maximum security architecture and best practices.
  • A security zone policy is validated regardless of which user is performing the operation.
  • A security zone policy denies certain actions; it doesn’t grant capabilities.
  • Administrators can’t create, modify, or disable security zone policies.

Verify the Security Zone

  1. You can’t create a bucket without customer-managed keys.

     It suggests that you follow the workflow to create a secure bucket.

  2. You can’t create a public bucket in a security zone.

  3. You can’t move a bucket from a security zone to a standard compartment.

  4. You can’t add an Internet Gateway in a security zone.
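The four checks above, and the policy principles listed earlier, all follow one pattern: every create, update or move in a zoned compartment is validated against each policy in the recipe, the policies can only deny, and the caller's identity plays no part. The following is an added example written for this post, not Oracle's code or the OCI API: a constructed simulation of that evaluation. The Compartment and Resource fields, the five policy functions and the recipe list are assumptions that mirror the principles described on this page, and the key OCID is a placeholder.

```python
# Constructed simulation of security zone policy enforcement (illustrative
# model only; not Oracle's implementation or the OCI API). Compartment and
# resource fields, the policy functions and the recipe below are assumptions.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Compartment:
    name: str
    in_security_zone: bool = False   # True when a security zone recipe is attached


@dataclass
class Resource:
    kind: str                           # e.g. "bucket", "instance", "internet_gateway"
    compartment: Compartment
    public: bool = False                # reachable from the public internet
    kms_key_id: Optional[str] = None    # customer-managed key; None = Oracle-managed
    depends_on: List["Resource"] = field(default_factory=list)  # e.g. a boot volume


# A policy returns a denial reason, or None when it does not object.
# Policies only deny: none of them can grant a capability.
Policy = Callable[[str, Resource, Optional[Compartment]], Optional[str]]


def require_customer_managed_key(op, res, target):
    if op in ("create", "update") and res.kind in ("bucket", "volume") and not res.kms_key_id:
        return "must be encrypted with a customer-managed key"


def deny_public_access(op, res, target):
    if op in ("create", "update") and res.public:
        return "must not be accessible from the public internet"


def deny_internet_gateway(op, res, target):
    if op == "create" and res.kind == "internet_gateway":
        return "internet gateways are not permitted in a security zone"


def deny_move_to_standard_compartment(op, res, target):
    if op == "move" and target is not None and not target.in_security_zone:
        return "cannot be moved from a security zone to a standard compartment"


def require_dependencies_in_zone(op, res, target):
    for dep in res.depends_on:
        if not dep.compartment.in_security_zone:
            return f"required component '{dep.kind}' is not in a security zone"


# Stand-in for the predefined, Oracle-managed "Maximum Security Recipe".
MAXIMUM_SECURITY_RECIPE: List[Policy] = [
    require_customer_managed_key,
    deny_public_access,
    deny_internet_gateway,
    deny_move_to_standard_compartment,
    require_dependencies_in_zone,
]


def validate(op: str, res: Resource, target: Optional[Compartment] = None,
             recipe: List[Policy] = MAXIMUM_SECURITY_RECIPE) -> Tuple[bool, List[str]]:
    """Validate an operation against every policy in the recipe.

    Only resources whose compartment is in a security zone are checked, and
    the caller's identity is deliberately not an input: the same denial
    applies regardless of which user performs the operation.
    """
    if not res.compartment.in_security_zone:
        return True, []
    reasons = [r for r in (policy(op, res, target) for policy in recipe) if r]
    return not reasons, reasons


if __name__ == "__main__":
    zone = Compartment("prod-security-zone", in_security_zone=True)
    standard = Compartment("sandbox")
    key = "ocid1.key.PLACEHOLDER"  # constructed placeholder, not a real OCID
    checks = [
        ("create bucket with Oracle-managed key", "create", Resource("bucket", zone), None),
        ("create public bucket", "create", Resource("bucket", zone, public=True, kms_key_id=key), None),
        ("move bucket to standard compartment", "move", Resource("bucket", zone, kms_key_id=key), standard),
        ("create internet gateway", "create", Resource("internet_gateway", zone), None),
        ("create encrypted private bucket", "create", Resource("bucket", zone, kms_key_id=key), None),
    ]
    for label, op, res, target in checks:
        allowed, reasons = validate(op, res, target)
        print(f"{label}: {'allowed' if allowed else 'denied'} {reasons}")
```

Running the script reproduces the four denials from the verification list and allows only the encrypted, private bucket. The same resource created in the standard compartment passes untouched, which is exactly why moving resources out of a zone is itself denied.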

Reference Architecture

OCI Documentation

Thank you for visiting this blog.

Disclaimer: The views expressed on this blog are my own and do not reflect the views of the companies I work for. The opinions given by visitors on this site are their own opinions.

OCI DRG functionality expanded in Oracle Cloud

DRG functionality has been expanded to include the following capabilities:

  • You can attach a DRG to more than one VCN to provide inter-VCN network connectivity. VCNs can be in the same or different tenancies.
  • You can now assign a different route table and policy to each network resource attached to your DRG, enabling granular routing control. For instance, by connecting all your VCNs and on-premises networks to a single DRG used as a “Hub,” you have a single central gateway to configure traffic routing and Layer 3 isolation. One possible use case of a routing policy is directing all traffic passing through the DRG to a network virtual appliance or firewall.
  • Your on-premises network connected to a DRG in one region can access networks connected to a DRG in a different region using a remote peering connection (RPC).
  • You can now enable equal cost multi-path (ECMP) routing towards your IPSec VPN and FastConnect connections to support active-active scenarios. ECMP is controlled on a per route table basis.
  • Remote peering connections can now connect DRGs in the same region or different tenancies.
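To make the per-attachment route table and ECMP behaviour concrete, here is an added example written for this post, not Oracle's code or OCI's routing engine: a small model of a hub DRG where each attachment is bound to its own route table, lookups use longest-prefix match, and a table with ECMP enabled returns every next hop that shares the winning prefix. The attachment names, CIDR prefixes and the tie-break rule used when ECMP is off are assumptions.

```python
# Constructed model of a hub-and-spoke DRG with a separate route table per
# attachment. Illustrative only, not OCI's routing engine; attachment names,
# prefixes and the tie-break rule without ECMP are assumptions.
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class HubDrg:
    def __init__(self) -> None:
        # route table name -> list of (destination network, next-hop attachment)
        self.route_tables: Dict[str, List[Tuple[ipaddress.IPv4Network, str]]] = defaultdict(list)
        self.attachment_table: Dict[str, str] = {}  # attachment -> its route table
        self.ecmp_tables: Set[str] = set()          # tables with ECMP enabled

    def attach(self, attachment: str, table: str) -> None:
        self.attachment_table[attachment] = table

    def add_route(self, table: str, cidr: str, next_hop: str) -> None:
        self.route_tables[table].append((ipaddress.ip_network(cidr), next_hop))

    def enable_ecmp(self, table: str) -> None:
        self.ecmp_tables.add(table)

    def next_hops(self, ingress: str, dst_ip: str) -> Set[str]:
        """Longest-prefix match in the table bound to the ingress attachment.

        Returns every next hop sharing the longest prefix when ECMP is on for
        that table; otherwise only the first such route (model assumption).
        """
        table = self.attachment_table[ingress]
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, hop) for net, hop in self.route_tables[table] if ip in net]
        if not matches:
            return set()
        longest = max(net.prefixlen for net, _ in matches)
        hops = [hop for net, hop in matches if net.prefixlen == longest]
        return set(hops) if table in self.ecmp_tables else {hops[0]}


def build_hub() -> HubDrg:
    """Two spoke VCNs, a firewall VCN and two IPSec tunnels, all on one DRG."""
    drg = HubDrg()
    # Spoke VCNs share a table that steers all traffic to the firewall VCN,
    # so spokes never reach each other or on-premises directly.
    for spoke in ("vcn-app", "vcn-db"):
        drg.attach(spoke, "spoke-rt")
    drg.add_route("spoke-rt", "0.0.0.0/0", "vcn-firewall")
    # The firewall VCN's table knows each spoke and reaches on-premises over
    # two IPSec tunnels with ECMP enabled (active-active).
    drg.attach("vcn-firewall", "firewall-rt")
    drg.add_route("firewall-rt", "10.1.0.0/16", "vcn-app")
    drg.add_route("firewall-rt", "10.2.0.0/16", "vcn-db")
    drg.add_route("firewall-rt", "192.168.0.0/16", "ipsec-tunnel-1")
    drg.add_route("firewall-rt", "192.168.0.0/16", "ipsec-tunnel-2")
    drg.enable_ecmp("firewall-rt")
    # Traffic arriving from on-premises is also forced through the firewall.
    for tunnel in ("ipsec-tunnel-1", "ipsec-tunnel-2"):
        drg.attach(tunnel, "onprem-rt")
    drg.add_route("onprem-rt", "10.0.0.0/8", "vcn-firewall")
    return drg


if __name__ == "__main__":
    drg = build_hub()
    for ingress, dst in [("vcn-app", "10.2.0.5"), ("vcn-firewall", "10.2.0.5"),
                         ("vcn-firewall", "192.168.10.1"), ("ipsec-tunnel-2", "10.1.0.9")]:
        print(f"{ingress} -> {dst}: {sorted(drg.next_hops(ingress, dst))}")
```

The spoke table is the Layer 3 isolation point: a packet from vcn-app to vcn-db never gets a direct next hop, only the firewall attachment, and the firewall's own table is the only one that returns the two-tunnel ECMP set for on-premises prefixes.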

Use case demonstration in Oracle Blog

Introducing global connectivity and enhanced cloud networking with the dynamic routing gateway

Latest OCI Release Notes update

OCI Networking Release Notes

Preparation for Exam : Oracle Cloud Infrastructure Architect Professional

I would like to share my learning experience with Oracle Cloud Infrastructure. It took 6 months to prepare for the OCI-P Exam.

Thank you, Oracle University, for providing a great free learning opportunity.

This article covers useful tips and important URLs related to OCI-P Exam.

[1] Candidates must have one of the following certifications:
Oracle Cloud Infrastructure 2018|2019|2020 Certified Architect Associate

[2] Register for the OCI free tier

Spend enough time on OCI hands-on practice with the Oracle Cloud Free Tier and Always Free tier.

[3] OCI-P Exam Preparation Session.

[4] OCI-P Study Guide

[5] Oracle University Free Training to Become OCI Architect Professional
Oracle Cloud Infrastructure 2019|2020 Architect Professional

[6] OCI Sessions recordings

[7] Oracle Cloud Infrastructure Documentation

[8] My Personal Study Materials (Tips / FAQs / Screen Captures from OU training and documentation)

[9] Register the OCI-P Exam.

[10] OCI-P Badges

Oracle Cloud Infrastructure 2019 Certified Architect Professional

[11] OCI-P Certification

Thank you for visiting this blog 🙂