OCI Foundations - Security

From Smithnet Wiki
Revision as of 13:51, 22 July 2023 by NickPGSmith

Introduction

Shared Security Model:

  • Some responsibilities move to Oracle
  • Some are retained by the customer

Infrastructure Protection:

  • DDoS Protection
  • Web Application Firewall
  • Security Lists/NSG
  • Network Firewall

Identity and Access Management:

  • IAM
  • MFA
  • Federation
  • Audit

OS and Workload Protection:

  • Shielded Instances: eg VMs with SecureBoot
  • Dedicated Hosts
  • Bastion
  • OS Management

Data Protection:

  • Vault Key Management
  • Vault Secrets Management
  • Data Safe
  • Certificates (CA management)

Detection and Remediation (Cloud Security Posture Management)

  • Cloud Guard
  • Security Zones (resources in the zone have to comply with certain security policies)
  • Threat Intelligence
  • Vulnerability Scanning

Monitor and remediate issues.

Cloud Guard

Falls under "Cloud Security Posture Management". Detect Problems -> Apply Response

Target:

  • Sets the scope of resources (eg a compartment)

Detectors:

  • Identify issues with resources or actions
  • Public Instance
  • Public bucket
  • Suspicious IP

Problems:

  • Potential security issues

Responders:

  • Stop instance
  • Disable bucket
  • Suspend user
  • OCI Notifications or Functions

Security Zones and Security Advisor

Requires Cloud Guard to be enabled.

A compartment can be assigned as a Security Zone, meaning policies are applied, eg:

  • Subnets must be private
  • Customer-managed encryption key

Security Advisor supports:

  • Secure Object Storage Buckets
  • Secure File Systems
  • Secure Virtual Machine Instances
  • Secure Block Volumes
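The Cloud Guard flow above (target -> detectors -> problems -> responders) and the Security Zone policies in this section, modelled as an added Go example that is not from the page or from Oracle. Detector names, responder names, resource fields and the inventory are all constructed for illustration; they are not OCI detector rule IDs or API output. Only configuration detectors are modelled (public instance, public bucket, private-subnet and customer-managed-key policies); activity detectors such as "suspicious IP" are out of scope here.

```go
package main

import "fmt"

// Resource is a constructed, simplified view of what a detector sees.
// Field names are illustrative; they are not OCI API attribute names.
type Resource struct {
	ID, Kind, Compartment string // Kind: "instance", "bucket", "subnet", "volume"
	PublicIP              bool   // instance has a public IP
	PublicAccess          bool   // bucket allows anonymous reads
	Private               bool   // subnet prohibits public IPs
	CustomerManagedKey    bool   // encrypted with a Vault key the customer controls
}

// Target scopes detection to one compartment; marking it a Security Zone
// switches on the additional zone policies.
type Target struct {
	Compartment  string
	SecurityZone bool
}

// Problem is a detector firing on a resource, paired with the responder that
// would be applied (hypothetical names, not OCI rule IDs).
type Problem struct {
	ResourceID, Detector, Responder string
}

type detector struct {
	name, responder string
	zonePolicy      bool // true: enforced only inside a Security Zone
	match           func(Resource) bool
}

// Hypothetical detector catalogue: two configuration detectors and the two
// Security Zone policies named on the page (private subnets, customer-managed keys).
var detectors = []detector{
	{"PUBLIC_INSTANCE", "STOP_INSTANCE", false,
		func(r Resource) bool { return r.Kind == "instance" && r.PublicIP }},
	{"PUBLIC_BUCKET", "DISABLE_PUBLIC_ACCESS", false,
		func(r Resource) bool { return r.Kind == "bucket" && r.PublicAccess }},
	{"SUBNET_MUST_BE_PRIVATE", "NOTIFY", true,
		func(r Resource) bool { return r.Kind == "subnet" && !r.Private }},
	{"CUSTOMER_MANAGED_KEY_REQUIRED", "NOTIFY", true,
		func(r Resource) bool { return (r.Kind == "bucket" || r.Kind == "volume") && !r.CustomerManagedKey }},
}

// Evaluate runs every applicable detector over the resources inside the target.
// Resources in other compartments are out of scope and never produce problems.
func Evaluate(t Target, inventory []Resource) []Problem {
	var problems []Problem
	for _, r := range inventory {
		if r.Compartment != t.Compartment {
			continue
		}
		for _, d := range detectors {
			if d.zonePolicy && !t.SecurityZone {
				continue
			}
			if d.match(r) {
				problems = append(problems, Problem{ResourceID: r.ID, Detector: d.name, Responder: d.responder})
			}
		}
	}
	return problems
}

// SampleInventory is constructed test data, not output from any OCI API.
func SampleInventory() []Resource {
	return []Resource{
		{ID: "web-1", Kind: "instance", Compartment: "prod", PublicIP: true},
		{ID: "db-1", Kind: "instance", Compartment: "prod"},
		{ID: "logs", Kind: "bucket", Compartment: "prod", PublicAccess: true},
		{ID: "app-subnet", Kind: "subnet", Compartment: "prod", Private: false},
		{ID: "data-subnet", Kind: "subnet", Compartment: "prod", Private: true},
		{ID: "backups", Kind: "bucket", Compartment: "dev", PublicAccess: true}, // outside the target
	}
}

func main() {
	for _, zone := range []bool{false, true} {
		t := Target{Compartment: "prod", SecurityZone: zone}
		fmt.Printf("target=%s securityZone=%v\n", t.Compartment, zone)
		for _, p := range Evaluate(t, SampleInventory()) {
			fmt.Printf("  %-12s %-30s -> %s\n", p.ResourceID, p.Detector, p.Responder)
		}
	}
}
```

Run with the compartment as a plain Cloud Guard target and the same compartment as a Security Zone: the public instance and public bucket are reported either way, while the non-private subnet and the bucket without a customer-managed key only become problems once the zone policies apply. The "backups" bucket is public but sits outside the target, so it is never reported, which is the point of scoping targets carefully.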

Encryption Basics

  • Plaintext <-> Ciphertext
  • Key, processed through an algorithm, encrypts/decrypts
  • Encryption at Rest / Encryption in Transit
  • Symmetric encryption (eg AES) / Asymmetric encryption (eg RSA)
  • ECDSA: can be used only for digital signing
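The three mechanisms listed above, symmetric (AES), asymmetric (RSA) and signature-only (ECDSA), side by side in an added Go example using only the standard library; it is not code from the page or from Oracle. Keys here are generated in process memory purely to show the operations; in OCI Vault the equivalent keys live in the HSM and never leave it. AES-GCM is used for the symmetric case because it also authenticates the ciphertext, so the example can show a tampered copy being rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAESGCM is symmetric: one key both encrypts and decrypts.
// Output layout is nonce || ciphertext || authentication tag.
func EncryptAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize()) // never reuse a nonce under the same key
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAESGCM returns an error if the key is wrong or any byte was altered.
func DecryptAESGCM(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// SymmetricRoundTrip encrypts with a fresh 256-bit AES key and decrypts again.
// The bool reports whether a tampered copy of the ciphertext was rejected.
func SymmetricRoundTrip(plaintext string) (string, bool, error) {
	key := randomBytes(32)
	ct, err := EncryptAESGCM(key, []byte(plaintext))
	if err != nil {
		return "", false, err
	}
	pt, err := DecryptAESGCM(key, ct)
	if err != nil {
		return "", false, err
	}
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, tamperErr := DecryptAESGCM(key, tampered)
	return string(pt), tamperErr != nil, nil
}

// AsymmetricRoundTrip is RSA-OAEP: anyone holding the public key can encrypt,
// only the private key holder can decrypt.
func AsymmetricRoundTrip(plaintext string) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, []byte(plaintext), nil)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// SignAndVerify uses ECDSA P-256, which offers Sign/Verify only; there is no
// ECDSA encrypt operation. Returns (signature valid on the original message,
// signature still valid after the message is altered).
func SignAndVerify(msg string) (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256([]byte(msg))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return false, false, err
	}
	valid := ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig)
	altered := sha256.Sum256([]byte(msg + "!"))
	return valid, ecdsa.VerifyASN1(&priv.PublicKey, altered[:], sig), nil
}

func main() {
	pt, rejected, _ := SymmetricRoundTrip("symmetric: same key both ways")
	fmt.Println("AES-GCM:", pt, "| tampered copy rejected:", rejected)
	pt, _ = AsymmetricRoundTrip("asymmetric: public encrypts, private decrypts")
	fmt.Println("RSA-OAEP:", pt)
	ok, forged, _ := SignAndVerify("ECDSA signs, it does not encrypt")
	fmt.Println("ECDSA valid:", ok, "| valid on altered message:", forged)
}
```

The practical distinction for OCI: data at rest is protected with symmetric keys (fast, one key), asymmetric keys are used to exchange or wrap those keys, and ECDSA keys in Vault can sign and verify but cannot be used to encrypt.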

Hardware Security Module:

  • Physical security device
  • Tamper evident
  • Used to manage digital keys
  • Performs crypto functions

OCI Vault service uses HSMs that meet FIPS 140-2 Security Level 3:

  • Requires identity-based authentication
  • Deletes keys from the device when it detects tampering

Vault