OCI Foundations - Security
Introduction
Shared Security Model:
- Some responsibilities move to Oracle
- Some are retained by the customer
Infrastructure Protection:
- DDoS Protection
- Web Application Firewall
- Security Lists/NSG
- Network Firewall
Identity and Access Management:
- IAM
- MFA
- Federation
- Audit
OS and Workload Protection:
- Shielded Instances: e.g. VMs with Secure Boot
- Dedicated Hosts
- Bastion
- OS Management
Data Protection:
- Vault Key Management
- Vault Secrets Management
- Data Safe
- Certificates (CA management)
Detection and Remediation (Cloud Security Posture Management):
- Cloud Guard
- Security Zones (devices have to comply with certain security policies)
- Threat Intelligence
- Vulnerability Scanning
Monitor and remediate issues.
Cloud Guard
Falls under "Cloud Security Posture Management". Detect problems -> apply a response.
Target:
- Sets the scope of resources (eg a compartment)
Detectors:
- Identify issues with resources or actions
- Public Instance
- Public bucket
- Suspicious IP
Problems:
- Potential security issues
Responders:
- Stop instance
- Disable bucket
- Suspend user
- OCI Notifications or Functions
Security Zones and Security Advisor
Requires Cloud Guard to be enabled.
A compartment can be assigned as a Security Zone, meaning policies are enforced on it, e.g.:
- Subnets must be private
- A customer-managed encryption key must be used
Security Advisor supports:
- Secure Object Storage Buckets
- Secure File Systems
- Secure Virtual Machine Instances
- Secure Block Volumes
Encryption Basics
- Plaintext <-> Ciphertext
- A key, processed through an algorithm, encrypts/decrypts
- Encryption at Rest / Encryption in Transit
- Symmetric encryption (eg AES) / Asymmetric encryption (eg RSA)
- ECDSA: can be used only for digital signing
Hardware Security Module:
- Physical security device
- Tamper evident
- Used to manage digital keys
- Performs crypto functions
OCI Vault service uses HSMs that meet FIPS 140-2 Security Level 3:
- Requires identity-based authentication
- Deletes keys from the device when it detects tampering
Vault
Managed service for keys and credentials:
- Don't store them in files or code
- Supports AES, RSA and ECDSA
- Can rotate master keys
- Regional service with public API
Envelope Encryption:
- Data keys are what Block Storage, Object Storage, etc. actually encrypt with
- The data keys are encrypted by a master key from the Vault
- Master key deleted -> no way to recover
- Vault is soft-deleted: 7-day gap before actual deletion
Encrypt:
- Object Storage: request to vault
- Vault returns a data key and the same key encrypted with the master key
- Data is encrypted with the data key, which is then destroyed; only the encrypted key is kept
Decrypt:
- Object Storage: request to vault, passing encrypted key
- Vault returns the data key, having decrypted it with its master key
- Storage uses key to decrypt data
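The Encrypt/Decrypt flow above as an added, runnable example in Go; it is not OCI's code. Vault, StoredObject and the function names are hypothetical stand-ins, AES-256-GCM from the standard library plays the part of both the master key and the data key, and the master key is only ever used inside the Vault type.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Hypothetical, simplified stand-ins for OCI Vault and a storage service (not OCI's code).
type Vault struct{ master []byte }                        // the master key never leaves the vault
type StoredObject struct{ Ciphertext, WrappedKey []byte } // storage keeps the wrapped key, never the plaintext key
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func randBytes(n int) []byte       { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD   { return must(cipher.NewGCM(must(aes.NewCipher(key)))) } // AES-256-GCM
// seal prepends a random nonce to the ciphertext; open strips it and verifies the GCM tag.
func seal(key, pt []byte) []byte {
	nonce := randBytes(gcm(key).NonceSize())
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
func NewVault() *Vault            { return &Vault{master: randBytes(32)} }
func (v *Vault) DeleteMasterKey() { v.master = nil } // every key wrapped by it becomes unrecoverable
func (v *Vault) GenerateDataKey() (plain, wrapped []byte) {
	plain = randBytes(32) // fresh data key, returned together with its master-key-wrapped copy
	return plain, seal(v.master, plain)
}
// DecryptDataKey unwraps a data key inside the vault; the master key itself is never handed out.
func (v *Vault) DecryptDataKey(wrapped []byte) ([]byte, error) {
	if v.master == nil { return nil, errors.New("master key deleted: data unrecoverable") }
	return open(v.master, wrapped)
}
// StoreObject is the encrypt flow: get a data key, encrypt with it, destroy it, keep only the wrapped copy.
func StoreObject(v *Vault, data []byte) StoredObject {
	plain, wrapped := v.GenerateDataKey()
	ct := seal(plain, data)
	for i := range plain { plain[i] = 0 } // plaintext data key destroyed
	return StoredObject{Ciphertext: ct, WrappedKey: wrapped}
}
// ReadObject is the decrypt flow: send the wrapped key to the vault, decrypt locally with the key it returns.
func ReadObject(v *Vault, obj StoredObject) ([]byte, error) {
	plain, err := v.DecryptDataKey(obj.WrappedKey)
	if err != nil { return nil, err }
	return open(plain, obj.Ciphertext)
}
```

Once DeleteMasterKey has run, every wrapped key the storage side kept is just opaque bytes, which is the "master key deleted -> no way to recover" point above.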
Virtual Private Vault:
- Dedicated partition in an HSM
- This option is chargeable according to use; the standard Vault is not
Example: Bucket using vault keys:
Create policy to allow a service access to the keys in the vault
allow service objectstorage-us-ashburn-1 to use keys in compartment sandbox
When the bucket is created, select:
- Encrypt using customer-managed keys