OCI Foundations - Security

From Smithnet Wiki
Revision as of 04:53, 8 May 2024 by NickPGSmith (2 revisions imported)

Introduction

Shared Security Model:

  • Some responsibilities move to Oracle
  • Some are retained by the customer

Infrastructure Protection:

  • DDoS Protection
  • Web Application Firewall
  • Security Lists/NSG
  • Network Firewall

Identity and Access Management:

  • IAM
  • MFA
  • Federation
  • Audit

OS and Workload Protection:

  • Shielded Instances: eg VMs with Secure Boot
  • Dedicated Hosts
  • Bastion
  • OS Management

Data Protection

  • Vault Key Management
  • Vault Secrets Management
  • Data Safe
  • Certificates (CA management)

Detection and Remediation (Cloud Security Posture Management)

  • Cloud Guard
  • Security Zones (resources in the zone must comply with a set of security policies; operations that would violate them are denied)
  • Threat Intelligence
  • Vulnerability Scanning

Monitor and remediate issues.

Cloud Guard

Falls under "Cloud Security Posture Management". Flow: Target -> Detector -> Problem -> Responder, ie detect problems, then apply a response.

Target:

  • Sets the scope of resources that Cloud Guard examines (eg a compartment and its sub-compartments)

Detectors:

  • Identify issues with resource configuration or with activity (actions), eg:
  • Public instance
  • Public bucket
  • Activity from a suspicious IP

Problems:

  • Potential security issues reported by a detector, ready for triage or automated response

Responders:

  • Stop instance
  • Disable public access on a bucket
  • Suspend user
  • Send to OCI Notifications or invoke OCI Functions for a custom response

Security Zones and Security Advisor

Requires Cloud Guard to be enabled.

A compartment can be assigned to a Security Zone, meaning the zone's policies are enforced on it (an operation that would violate a policy is denied rather than flagged afterwards), eg:

  • Subnets must be private
  • Storage resources must use customer-managed encryption keys

Security Advisor supports:

  • Secure Object Storage Buckets
  • Secure File Systems
  • Secure Virtual Machine Instances
  • Secure Block Volumes

Encryption Basics

  • Plaintext <-> Ciphertext
  • A key, processed through an algorithm, encrypts/decrypts
  • Encryption at Rest / Encryption in Transit
  • Symmetric encryption (eg AES, one shared key) / Asymmetric encryption (eg RSA, public/private key pair)
  • ECDSA: can be used only for digital signing and verification, not for encryption

Hardware Security Module:

  • Physical security device
  • Tamper evident and tamper resistant
  • Used to generate, store and manage digital keys
  • Performs crypto operations inside the device, so key material never leaves it

OCI Vault service uses HSMs that meet FIPS 140-2 Security Level 3:

  • Requires identity-based authentication
  • Zeroises (deletes) keys from the device when it detects tampering

Vault

Managed service for keys and credentials (secrets):

  • Don't store keys or credentials in files or code; fetch them from the Vault at runtime
  • Supports AES (symmetric), RSA and ECDSA (asymmetric) keys
  • Can rotate master keys (a new key version is created; older versions remain for decrypting existing data)
  • Regional service with a public API

Envelope Encryption:

  • Data keys are the keys actually used to encrypt data in Block Storage, Object Storage, etc
  • The data keys are themselves encrypted (wrapped) by a master key that never leaves the Vault
  • Master key deleted -> all data keys wrapped under it, and so all data encrypted with them, are unrecoverable
  • Vaults and keys are soft deleted: deletion is scheduled with a waiting period (7 days minimum, 30 days maximum) before actual deletion

Encrypt:

  • Object Storage requests a data key from the Vault
  • Vault generates a data key and returns it in two forms: plaintext, and encrypted (wrapped) under the master key
  • Object Storage encrypts the data with the plaintext data key, then discards it; it keeps only the encrypted data key alongside the object

Decrypt:

  • Object Storage sends the encrypted data key to the Vault
  • Vault decrypts it with its master key and returns the plaintext data key
  • Object Storage uses the plaintext data key to decrypt the data, then discards it again
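The encrypt and decrypt flows above, as an added example that is not OCI's code or code from this page: a Go program that models the Vault as the only holder of an AES-256 master key and the storage service as something that only ever keeps ciphertext plus a wrapped data key. The wrapping scheme (AES-GCM with the fixed associated data "data-key"), the use of the object name as associated data for the object itself, and all type and function names are assumptions for illustration; OCI's real equivalents are the Vault crypto endpoint's GenerateDataEncryptionKey and Decrypt operations, whose wire format this does not reproduce. The sample object data is constructed. It also shows the "master key deleted -> no way to recover" case from the list above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes returns n cryptographically random bytes; a failing CSPRNG is fatal here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// mustGCM builds an AES-256-GCM AEAD; keys in this example are always 32 bytes, so a failure is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}
// sealGCM encrypts plaintext under key with a fresh random nonce; output is nonce||ciphertext||tag.
func sealGCM(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// openGCM reverses sealGCM; it fails on a wrong key, tampered ciphertext or mismatched AAD.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Vault stands in for the key-management service (assumed model): the master key never leaves it.
type Vault struct {
	masterKey []byte // nil once the master key has been deleted
}
func NewVault() *Vault { return &Vault{masterKey: randBytes(32)} }
// DeleteMasterKey models master-key deletion: every data key wrapped under it becomes unrecoverable.
func (v *Vault) DeleteMasterKey() { v.masterKey = nil }
// GenerateDataKey returns a fresh plaintext data key plus the same key wrapped under the master key.
func (v *Vault) GenerateDataKey() ([]byte, []byte, error) {
	if v.masterKey == nil {
		return nil, nil, errors.New("master key deleted")
	}
	plain := randBytes(32)
	return plain, sealGCM(v.masterKey, plain, []byte("data-key")), nil
}
// UnwrapDataKey decrypts a wrapped data key with the master key.
func (v *Vault) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	if v.masterKey == nil {
		return nil, errors.New("master key deleted")
	}
	return openGCM(v.masterKey, wrapped, []byte("data-key"))
}

// StoredObject is what the storage service keeps: ciphertext plus the wrapped data key, never the plaintext key.
type StoredObject struct {
	Ciphertext []byte
	WrappedKey []byte
}
// PutObject encrypts data with a one-off data key, then discards the plaintext key.
func PutObject(v *Vault, name string, data []byte) (StoredObject, error) {
	dk, wrapped, err := v.GenerateDataKey()
	if err != nil {
		return StoredObject{}, err
	}
	ct := sealGCM(dk, data, []byte(name)) // object name as AAD binds the ciphertext to this object
	for i := range dk {                   // plaintext data key is not retained by storage
		dk[i] = 0
	}
	return StoredObject{Ciphertext: ct, WrappedKey: wrapped}, nil
}
// GetObject has the vault unwrap the data key, then decrypts the object locally with it.
func GetObject(v *Vault, name string, obj StoredObject) ([]byte, error) {
	dk, err := v.UnwrapDataKey(obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	return openGCM(dk, obj.Ciphertext, []byte(name))
}

func main() {
	v := NewVault()
	obj, _ := PutObject(v, "sandbox-bucket/report.txt", []byte("constructed sample data"))
	pt, err := GetObject(v, "sandbox-bucket/report.txt", obj)
	v.DeleteMasterKey()
	_, gone := GetObject(v, "sandbox-bucket/report.txt", obj)
	fmt.Printf("decrypted=%q err=%v; after master key deletion: %v\n", pt, err, gone)
}
```

The point to notice is what each side holds: the storage side never sees the master key and never persists a plaintext data key, and the Vault never sees the object data, so compromising a stored object yields only ciphertext and a blob that is useless without the Vault. Using the object name as associated data is a design choice of this example, not something the page describes; it means a wrapped key and ciphertext copied to another object name will not decrypt.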

Virtual Private Vault:

  • Dedicated partition in an HSM, isolated from other tenants
  • Chargeable option; the default (shared) vault is not charged for

Example: Bucket using vault keys:

Create a policy that allows the Object Storage service principal (one per region, named objectstorage-<region>) to use the keys in the compartment holding the vault:

  allow service objectstorage-us-ashburn-1 to use keys in compartment sandbox

When the bucket is created, select:

  • Encrypt using customer-managed keys