The goal of this guide is to provide a process and easy-to-follow steps to ensure your Oracle Cloud Infrastructure (OCI) tenancy is configured for a high security posture and is aligned with the cloud security best practices published by the Center for Internet Security (CIS) in the CIS OCI Foundations Benchmark and by Oracle. Regardless of whether you are starting with a fresh OCI tenancy or managing one with existing workloads, the objective remains the same: to secure your tenancy and to maintain that security over time.
In this blog we will focus on highly recommended security controls and will address additional recommended security controls in a subsequent blog post.
Throughout the blog we will reference our Security Guide Github repo that hosts a wealth of links to blogs, integration guides and Oracle documentation.
If you are looking for prescriptive guidance on setting up foundational security in a new tenancy or on assessing the security posture of your existing tenancy, skip ahead using the links below.
Before diving into recommendations, we need to introduce a few concepts and industry standards.
Oracle and cyber security experts across the industry have collaborated with the Center for Internet Security (CIS) to publish prescriptive guidelines outlining the recommended deployment practices within Oracle Cloud Infrastructure. These practices include the configuration of various controls to maintain a robust security posture.
As cloud security and network solution architects, we have been helping customers implement security controls since OCI was first launched. Over the years we have identified multiple customer pain points and design challenges. Our organization’s recommendations and best practices are collectively referred to as the “Oracle Best Practices”.
Most of our best practices and recommendations on tenancy design are anchored in the Center for Internet Security (CIS) OCI Foundations Benchmark and the recommendations it provides.
If you are using a different security framework, you can follow this documentation to see how the CIS security controls map to other frameworks such as NIST, ISO, HIPAA, PCI and SOC 2.
The CIS OCI Landing Zone architecture facilitates the automated deployment of a secure OCI tenancy that aligns with the CIS Foundations Benchmark recommendations. In addition, the Terraform-based Landing Zone provisions the resources needed to support the highly recommended controls that we detail further below in this document. The Terraform template is publicly available in GitHub under the oracle-quickstart project. The quickstart can be used as-is or customized if desired. If you have any questions or issues, please file an issue in the Landing Zone’s GitHub repository.
Oracle has created an assessment script that can be run against any OCI tenancy to evaluate its compliance with the CIS OCI Foundations Benchmark and the Oracle Best Practices. The script reports the areas that are not compliant with the benchmark, along with recommendations on how to remediate them.
To strengthen the security posture of your OCI tenancy, we recommend focusing on six foundational security control areas.
The ability to have logs of security-related events proactively presented to the right people for triage is key to detecting and preventing cyber security incidents. Many organizations use Security Information and Event Management (SIEM) platforms to correlate and analyze logs and alerts from the relevant assets.
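As an added illustration of the triage step described above (this is example code, not from the original post or from Oracle's tooling), the script below reads audit-style log lines, picks out the event types a SIEM rule would treat as high priority, and summarizes which principals made those changes. The record layout follows the shape of OCI Audit events (`eventType`, `eventTime`, `data.identity`, `data.compartmentName`), but the event type list and the log lines themselves are constructed sample data, and the priority mapping is an assumption for this example rather than a published rule set.

```python
"""Triage audit-style log lines for security-relevant configuration changes.

Added example. The log lines and the priority list are constructed for this
illustration; field names mirror the OCI Audit event layout.
"""
import json
from collections import Counter

# Event types this example treats as high priority for SIEM triage.
# Constructed mapping: a real deployment derives this from its own use cases.
HIGH_PRIORITY_EVENT_TYPES = {
    "com.oraclecloud.identitycontrolplane.createpolicy": "IAM policy created",
    "com.oraclecloud.identitycontrolplane.updatepolicy": "IAM policy changed",
    "com.oraclecloud.identitycontrolplane.deletepolicy": "IAM policy deleted",
    "com.oraclecloud.identitycontrolplane.createuser": "IAM user created",
    "com.oraclecloud.virtualnetwork.updatesecuritylist": "Security list changed",
}

# Constructed sample log (newline-delimited JSON). IPs are from the
# documentation range 203.0.113.0/24 and the names are placeholders.
SAMPLE_AUDIT_LINES = """
{"eventType": "com.oraclecloud.identitycontrolplane.createpolicy", "eventTime": "2024-01-15T10:02:11Z", "data": {"compartmentName": "root", "resourceName": "dev-policy", "identity": {"principalName": "alice@example.com", "ipAddress": "203.0.113.10"}}}
{"eventType": "com.oraclecloud.computeapi.launchinstance", "eventTime": "2024-01-15T10:05:00Z", "data": {"compartmentName": "App", "resourceName": "web-01", "identity": {"principalName": "bob@example.com", "ipAddress": "203.0.113.11"}}}
{"eventType": "com.oraclecloud.identitycontrolplane.createuser", "eventTime": "2024-01-15T10:07:42Z", "data": {"compartmentName": "root", "resourceName": "svc-user", "identity": {"principalName": "alice@example.com", "ipAddress": "203.0.113.10"}}}
this line is not JSON and should be counted as malformed
{"eventType": "com.oraclecloud.virtualnetwork.updatesecuritylist", "eventTime": "2024-01-15T10:09:03Z", "data": {"compartmentName": "Network", "resourceName": "public-subnet-sl", "identity": {"principalName": "carol@example.com", "ipAddress": "203.0.113.12"}}}
"""


def load_events(text):
    """Parse NDJSON lines; return (events, malformed_count).

    Malformed lines are counted rather than dropped silently, because a
    log pipeline that quietly loses records is itself a detection gap.
    """
    events, malformed = [], 0
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def triage(events):
    """Return one finding per high-priority event, with who/where/what."""
    findings = []
    for event in events:
        reason = HIGH_PRIORITY_EVENT_TYPES.get(event.get("eventType", ""))
        if reason is None:
            continue
        data = event.get("data", {})
        identity = data.get("identity", {})
        findings.append({
            "time": event.get("eventTime"),
            "reason": reason,
            "actor": identity.get("principalName", "unknown"),
            "source_ip": identity.get("ipAddress", "unknown"),
            "compartment": data.get("compartmentName"),
            "resource": data.get("resourceName"),
        })
    return findings


def actors_by_finding_count(findings):
    """Count findings per principal: a burst from one actor is worth a look."""
    return Counter(f["actor"] for f in findings)


if __name__ == "__main__":
    evts, bad = load_events(SAMPLE_AUDIT_LINES)
    print(f"parsed {len(evts)} events, {bad} malformed line(s)")
    for f in triage(evts):
        print(f"{f['time']}  {f['reason']:<22} {f['actor']} from {f['source_ip']} "
              f"({f['compartment']}/{f['resource']})")
    print(actors_by_finding_count(triage(evts)))
```

The same structure applies when the lines come from a SIEM export instead of an inline string: keep the priority mapping separate from the parsing so that the rule set can be reviewed and versioned on its own.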
Highly recommended Controls:
Visibility into your tenancy’s security posture, through continuous scanning and alerting on deviations from defined security baselines, is critical. This prevents the misconfiguration and drift that could expose attack vectors.
Highly recommended Controls:
Enforcing a single way of authenticating to the OCI Console via an Enterprise Identity Provider, and enforcing security controls such as Multi-Factor Authentication (MFA) for all users, are key components, along with a centrally managed user lifecycle. Access to resources should be governed by a separation-of-duties approach, giving users access only to the resources needed to perform their job role.
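To make the separation-of-duties point concrete, here is an added example (not code from the original post, the Landing Zone, or Oracle's assessment script) that parses OCI IAM policy statements and flags grants that are broader than a job role needs. The parser assumes single-subject statements of the form `Allow group <name> to <verb> <resource-type> in tenancy|compartment <name> [where <condition>]`; comma-separated subject lists and quoted group names are not handled. The statements, the group names and the set of "admin" groups are constructed for this example.

```python
"""Flag overly broad OCI IAM policy statements.

Added example. Statements and group names below are constructed; the
parser covers single-subject statements only (an assumption noted in the
lead-in).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Grammar subset: Allow <subject-type> [<subject>] to <verb> <resource> in <scope> [where <cond>]
POLICY_RE = re.compile(
    r"allow\s+(?P<subject_type>group|dynamic-group|any-user|service)"
    r"(?:\s+(?P<subject>[\w.@-]+))?"
    r"\s+to\s+(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)"
    r"\s+in\s+(?P<scope>tenancy|compartment\s+[\w.:-]+)"
    r"(?:\s+where\s+(?P<condition>.+))?",
    re.IGNORECASE,
)

# Groups allowed to hold tenancy-wide manage all-resources (constructed).
ADMIN_GROUPS = {"Administrators"}

# Constructed sample policy statements.
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group NetworkAdmins to manage virtual-network-family in compartment Network",
    "Allow group DevTeam to manage all-resources in tenancy",
    "Allow group Auditors to read all-resources in tenancy",
    "Allow any-user to read objects in compartment Public",
    "Allow any-user to use fn-invocation in compartment App where request.principal.type = 'serviceconnector'",
    "Allow group DevTeam to manage all-resources in compartment Sandbox",
]


@dataclass
class Statement:
    subject_type: str
    subject: Optional[str]
    verb: str
    resource: str
    scope: str
    condition: Optional[str]


def parse_statement(text):
    """Return a Statement, or None when the text is outside the grammar subset."""
    m = POLICY_RE.fullmatch(text.strip())
    if m is None:
        return None
    return Statement(
        subject_type=m["subject_type"].lower(),
        subject=m["subject"],
        verb=m["verb"].lower(),
        resource=m["resource"].lower(),
        scope=re.sub(r"\s+", " ", m["scope"]),
        condition=m["condition"],
    )


def find_broad_grants(statements, admin_groups=ADMIN_GROUPS):
    """Return (statement, reason) pairs for grants that merit review."""
    findings = []
    for text in statements:
        st = parse_statement(text)
        if st is None:
            findings.append((text, "outside the parser's grammar subset; review manually"))
            continue
        if st.subject_type == "group" and st.subject in admin_groups:
            continue  # the designated admin group is expected to hold broad rights
        if st.resource == "all-resources" and st.verb == "manage" and st.scope == "tenancy":
            findings.append((text, "tenancy-wide manage all-resources held by a non-admin group"))
        elif st.resource == "all-resources" and st.verb == "manage":
            findings.append((text, "manage all-resources at compartment scope; confirm the compartment is an intended admin boundary"))
        elif st.subject_type == "any-user" and st.condition is None:
            findings.append((text, "any-user grant with no where condition"))
    return findings


def grants_by_subject(statements):
    """Summarize (verb, resource, scope) per subject for a separation-of-duties review."""
    summary = {}
    for text in statements:
        st = parse_statement(text)
        if st is None:
            continue
        key = f"{st.subject_type}:{st.subject or '*'}"
        summary.setdefault(key, set()).add((st.verb, st.resource, st.scope))
    return summary


if __name__ == "__main__":
    for stmt, why in find_broad_grants(SAMPLE_STATEMENTS):
        print(f"REVIEW: {why}\n    {stmt}")
    for subject, grants in sorted(grants_by_subject(SAMPLE_STATEMENTS).items()):
        print(subject, sorted(grants))
```

Reading the per-subject summary side by side with the team's role definitions is the review this control calls for: each group should hold only the resource families its role touches, and tenancy-wide `manage all-resources` should appear for the designated administrators group alone.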
Highly recommended Controls:
Implementing a secure and scalable network architecture is as critical in cloud-based environments as in traditional on-premises deployments. The topology should provide traffic inspection and resilient connectivity as needed, without requiring major architectural updates later.
Highly recommended Controls:
The focus in this domain is visibility into cloud spending and the assets provisioned in a tenancy, and in particular having the tooling and processes in place to quickly detect unexpected spending, whether it results from a compromise or from unsanctioned resource creation.
Highly recommended Controls:
Database security controls are essential because they protect the data where it resides, mitigating or preventing damage to its availability, integrity and confidentiality. Processes and tooling should be in place to continuously scan the databases in the tenancy and report deviations from the baseline security configuration.
Highly recommended Controls:
Understanding your current OCI Tenancy security posture and configured settings is crucial, as it will influence the approach you should adopt.
We typically see two types of scenarios:
The approach for a new tenancy is mostly straightforward, since we know the current state and do not need to factor in running production workloads.
Even though every existing tenancy has its own configuration, assessing its alignment with our highly recommended security controls remains straightforward. Once that assessment is done, defining the approach and the potential remediation tasks, together with their risk assessment, planning and execution, becomes manageable.
So far, we’ve provided an overview of concepts, security domains and controls within those domains that we highly recommend you review.
The next step in securing your tenancy is to select one of our specific blogs covering either the new tenancy or the existing tenancy scenario in much more detail.
Abhi Mukherjee is a Principal Cloud Architect who drives cloud security programs as part of the North America Cloud Technology and Engineering Team.