OCI Foundations - Security: Difference between revisions
NickPGSmith (talk | contribs) (Created page with "== Introduction == Shared Security Model: * Some responsibilites move to Oracle * Some are retained by the customer Infrastructure Protection: * DDos Protection * Web Application Firewall * Security Lists/NSG * Network Firewall Identity and Access Management: * IAM * MFA * Federation * Audit OS and Workload Protection: * Shielded Instances: eg VMs with SecureBoot * Dedicated Hos * Bastion * OS Management Data Protection * Vault Key Management * Vault Secrets Managem...") |
NickPGSmith (talk | contribs) m (2 revisions imported) |
||
(One intermediate revision by the same user not shown) | |||
Line 92: | Line 92: | ||
== Vault == | == Vault == | ||
Managed service to manage keys and credentials: | |||
* Don't store in files or code | |||
* Supports AES, RSA and ECDSA | |||
* Can rotate master keys | |||
* Regional service with public API | |||
Envelope Encryption: | |||
* Data keys are actually used by Block Storage, Object Storage, etc | |||
* The data keys are encrypted by a master key from the Vault | |||
* Master key deleted -> no way to recover | |||
* Vault is soft deleted: 7 day gap before actual deletion | |||
Encrypt: | |||
* Object Storage: request to vault | |||
* Vault returns a data key and encrypted (with master key) key | |||
* Vault encrypts with data key, then destroys it. Keeps encrypted key. | |||
Decrypt: | |||
* Object Storage: request to vault, passing encrypted key | |||
* Vault returns data key, having decrypted with its master key | |||
* Storage uses key to decrypt data | |||
Virtual Private Vault: | |||
* Dedicated partition in a HSM | |||
* Option is chargable according to use, otherwise not | |||
Example: Bucket using cault keys: | |||
Create policy to allow a service access to the keys in the vault | |||
allow service objectstorage-us-ashburn-1 to use keys in compartment sandbox | |||
When the bucket is created, select: | |||
* Encrypt using customer-managed keys |
Latest revision as of 04:53, 8 May 2024
Introduction
Shared Security Model:
- Some responsibilites move to Oracle
- Some are retained by the customer
Infrastructure Protection:
- DDos Protection
- Web Application Firewall
- Security Lists/NSG
- Network Firewall
Identity and Access Management:
- IAM
- MFA
- Federation
- Audit
OS and Workload Protection:
- Shielded Instances: eg VMs with SecureBoot
- Dedicated Hos
- Bastion
- OS Management
Data Protection
- Vault Key Management
- Vault Secrets Management
- Data Safe
- Certificates (CA management)
Detection and Remediation (Cloud Security Posture Management)
- Cloud Guard
- Security Zones (devices have to comply with certain security policies)
- Threat Intelligence
- Vulnerability Scanning
Monitor and remediate issues.
Cloud Guard
Falls under "Cloud Security Posture Management". Detect Problems -> Apply Response
Target:
- Sets the scope of resources (eg a compartment)
Detectors:
- Identify issues with resources or actions
- Public Instance
- Public bucket
- Suspicious IP
Problems:
- Potential Secuity issues
Responders:
- Stop instance
- Disable bucket
- Suspend user
- OCI Notifications or Functions
Security Zones and Security Advistor
Requires Cloud Guard to be enabled.
A compartment can be assigned as a Security Zone, meaning policies are applied, eg:
- Subnets must be private
- Customer-managed encryption key
Security Advisor supports:
- Secure Object Storage Buckets
- Secure File Systems
- Secure Virtual Machine Instances
- Secure Block Volumes
Encryption Basics
- Plaintext <-> Cyphertext
- Key, processed though an algorithm, encrypts/decrypts
- Encryption at Rest / Encryption in Transit
- Symmetric encryption (eg AES) / Asymmetric encryption (eg RSA)
- ECDSA: can be used only for digital signing
Hardware Security Module:
- Physical security device
- Tamper evident
- Used to managed digital keys
- Performs crypto functions
OCI Vault service uses HSM that meet FIPS 140-2 Security Level 3:
- Requires dentity based authentication
- Deletes keys from the device when it detects tampering
Vault
Managed service to manage keys and credentials:
- Don't store in files or code
- Supports AES, RSA and ECDSA
- Can rotate master keys
- Regional service with public API
Envelope Encryption:
- Data keys are actually used by Block Storage, Object Storage, etc
- The data keys are encrypted by a master key from the Vault
- Master key deleted -> no way to recover
- Vault is soft deleted: 7 day gap before actual deletion
Encrypt:
- Object Storage: request to vault
- Vault returns a data key and encrypted (with master key) key
- Vault encrypts with data key, then destroys it. Keeps encrypted key.
Decrypt:
- Object Storage: request to vault, passing encrypted key
- Vault returns data key, having decrypted with its master key
- Storage uses key to decrypt data
Virtual Private Vault:
- Dedicated partition in a HSM
- Option is chargable according to use, otherwise not
Example: Bucket using cault keys:
Create policy to allow a service access to the keys in the vault
allow service objectstorage-us-ashburn-1 to use keys in compartment sandbox
When the bucket is created, select:
- Encrypt using customer-managed keys