Previously, I showed how to use Terraform and PSM CLI to spin up a “Build Server” and use it to provision Oracle Integration Cloud (OIC) environments. You can find this blog here.
In this blog I am going to show you how to do the same, but to provision Oracle API Platform environments.
The approach that I will be following is the same:
Continue reading “Teaching How to use Terraform to automate Provisioning of Oracle API Platform”
Targeted cyber intrusions remain the biggest threat to government ICT systems. Since opening in early 2010, the Australian Cyber Security Centre (ACSC) has detected and responded to thousands of these intrusions. These attacks are dealing with the Zero-Day exploits, DoS, DDoS, SQL Injections, Phishing, Ransomware, Large XML payloads and many other innovative attacks on IT systems.
You should never assume that your information is of little or no value. Adversaries are not just looking for classified information. A lot of activity observed by the ACSC has an economic focus, looking for information about Australia’s business dealings, its intellectual property, its scientific data and the government’s intentions.
The advent of cloud has challenged the traditional Security Operations Centres because users are outside the traditional network boundaries and they are using channels such as Mobile and Social. Modern IT Security attacks therefore become unpredictable. They are not carried out by humans but mobile devices or IoT Botnets. These attacks are adaptive in nature that remain dormant for some time waiting for an event to happen. These Advanced Persistent Threats (APT) in the Kill Chain process are inevitable and unpredictable.
Modern security attacks are not hard to plan against because many enterprises today have a traditional Security Operations Centre (SOC). There are many challenges that traditional Cyber Security Operations Centres (CSOCs) are facing in today’s world. There are too many monitoring tools and data but no real insight. A traditional SOC is built upon traditional security infrastructure deployed within the corporate network, and was originally designed to protect applications and users on the network. Following are the issues that are faced by traditional Security Operations Centre:
A traditional SOC purviews the corporate network, not your applications and data residing in the cloud. Analysts say that on an average, most enterprises today have applications on about 6 different cloud service providers. In the Identity Management space, I’m sure all of you are adapting to meet the needs of both on premises applications as well as modern cloud apps. What use is a SOC that looks inward to your own network, and provides no protection for your data residing on that many cloud service providers?
Previous generations of management tools expect that human intelligence will draw conclusions out of the data, but human operators are already overwhelmed with the velocity and volume of alerts and data coming their way, and so they get tired and miss things. Your SOC analysts struggle with too many alerts, generated from a disparate bunch of security products deployed alongside each other. The classic Target breach that happened a couple of years ago could have been detected promptly, if only the alerts could have been acted upon in a timely manner, instead of being lost in a sea of other less-important alerts.
Other tools have attempted to apply more advanced analytical techniques, but have only done so to subsets of the data because it’s too compute-intensive to do it across the board, so human operators are still required to stitch together information out the data silos.
Your SOC operations complains of a constant shortage of resources. Skilled cybersecurity professionals are a sought-after resource, and with good reason. That is because most of the processes in a traditional SOC are manual, requiring human intervention to triage and act upon issues. Very little is automated.
I’m sure many of you can relate to the problem of shortage of resources as well, since staffing modern Identity Management operations, especially across on-premises legacy applications and modern cloud applications, is a challenge too in today’s market.
Traditional SOCs are based on a static “prevent-and-defend” philosophy, designed to keep the bad guys out of the network. They do not adapt contextually to the prospect of an attacker getting onto your network.
In the Identity Management space, I’m sure most of you can relate to the need for contextual application access control policies. Many Identity Management vendors provide such capabilities today – of detecting and alerting when user activity appears suspicious. For example, when a user who typically logs in during US business hours from a fixed location in the US, is suddenly detected to login from a new browser, a new location, and in the late hours of the night US time.
The threat is real, but there are things every organisation can do to significantly reduce the risk of a cyber intrusion. In 2009, based on our analysis of these intrusions, the Australian Signals Directorate (ASD) produced Strategies to Mitigate Targeted Cyber Intrusions – a document that lists a variety of ways to protect an organisation’s ICT systems. At least 85% of the intrusions that ASD respond involve adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package. According to ASD Information Security Manual and Information Security Advice, the Top 4 mitigation strategies are:
This when implemented correctly ‘Application Whitelisting’ makes it harder for an adversary to compromise an organisation’s ICT system. This allows only specifically authorised applications to run on a system. This is better than Blacklisting an application. This is because only known vulnerabilities can be blocked. Since hackers are getting innovative they will find a new way to overcome this hurdle. This is the reason Application Whitelisting is preferred.
A software patch is a small piece of software designed to fix problems or update a computer program. Patching an organisation’s system encompasses both the second and third mitigation strategies. It is important to patch both your operating system and applications within a two-day timeframe for serious vulnerabilities. Once a vulnerability in an operating system or application is made public you can expect malware to be developed by adversaries within 48 hours. In some cases, malware has been developed to take advantage of a publicly-disclosed vulnerability within eight hours.
There is often a perception that by patching a system without rigorous testing, something is likely to break on the system. In most of cases, patching will not affect the function of an organisation’s ICT system. Balancing the risk between taking weeks to test patches and patching serious vulnerabilities within a two-day timeframe can be the difference between a compromised and a protected system.
When an adversary targets a system, they will primarily look for user accounts with administrative privileges. Administrators are targeted because they have a high level of access to the organisation’s ICT system. If an adversary gains access to a user account with administrative privileges they can access any data the administrator can access – which generally means everything. Minimising administrative privileges makes it more difficult for the adversary to spread or hide their existence on a system.
Administrative privileges should be tightly controlled. It is important that only staff and contractors that need administrative privileges have them. In these cases, separate accounts with administrative privileges should be created which do not have access to the internet. This reduces the likelihood of malware infecting the administrator as they should not be web browsing or checking emails while using their privileged account. It is also important that once the staff is finished with their administrator privileges they are removed from those privileges.
As a package, these mitigation strategies are highly effective in helping achieve a defence-in-depth ICT system. The combination of all four strategies, correctly implemented, will help protect an organisation from low to moderately sophisticated intrusion attempts. Put simply, they will make it significantly more difficult for an adversary to get malicious code to run on your ICT system, or continue to run undetected. This is because the Top 4 strategies enable multiple lines of defence against cyber intrusions.
Of course, implementing the other strategies will provide additional protection for ICT system. Several strategies have an overall security rating of ‘excellent’ which means that they are the most effective measures to protect ICT systems. However, an organisation should also conduct a risk assessment and implement other mitigation strategies as required to protect its ICT system.
IT threats are multi-vector. The ability to correlate anomalous events from the network, applications and user behaviours is key in early detection and containment. Identity is now the bridge between user, application and network controls. It is the identity context brought together with technologies such as machine learning, big data and advanced analytics that allows a security professional to centralise and normalise user activities. Therefore, Identity SOC must protect users, applications, APIs, content and data as well as workloads.
The Identity SOC utilises optimised dashboards and risk console for security professionals that is bringing in feeds from throughout the environment such as following:
Identity SOC includes automated orchestration and incident response management. Bi-directional integrations allow it to be self-healing enabling different departments to work together through organised playbooks and processes.
Oracle is making a big investment in the world’s first Identity SOC. With new security cloud services that integrate several new technologies into a homogeneous set of services. The integrated technologies include Security Incident and Event Management (SIEM), User & Entity Behaviour Analytics (UEBA), Identity Management (IDM), API Platform Cloud Service (APICS) and Cloud Access Security Broker (CASB). Each of these new services will integrate with the rest of security fabric, but when joined together they offer the full benefit of an identity SOC with bi-directional controls and actionable intelligence.
Oracle offers a comprehensive information security portfolio. It provides Information Security for browser based web applications, mobile application and business-to-business applications and systems. Oracle Information Security provides defence in depth by having rich Database Security functions and services. The following diagram depicts the functional aspect of Oracle Information Security:
Oracle Information Security is a complete end-to-end IT Security portfolio from Cloud to On-Premises to Hybrid Cloud Information Security. The following diagram depicts the operational aspect of Oracle Information Security:
The following sections briefly describe the Oracle Information Security portfolio from the functional viewpoint. Oracle information security portfolio can be divided into Oracle Cloud Security, Oracle Hybrid Security and Oracle On-Premises Security.
Oracle Cloud Security offers the most complete identity and security solution for providing secure access and monitoring of hybrid cloud environment and addressing all IT governance and compliance requirements. Oracle Cloud Security delivers an identity Security Operations Centre (SOC) providing actionable intelligence and bi-directional control through a combined offering of Security Information and Event Management (SIEM), User Entity Behaviour Analytics (UEBA), Cloud Access Security Broker (CASB) and Oracle Identity Cloud Service (IDCS).
Oracle Cloud Security follows a shared responsibility model. The figure below depicts the same:
The following presents the brief overview of each of the Oracle Cloud Security Service:
Modern cloud applications require modern identity and access management (IAM) architectures. There is a need for IAM solutions offered as identity cloud services (IDaaS). As enterprises use more software applications as services (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS), they must provision users and oversee the rights that are assigned to them, quickly and easily.
Oracle Identity Cloud Service (IDCS) is Oracle’s next-generation IDaaS platform built on modern cloud principles using open identity standards to address these challenges. This platform delivers innovative and fully integrated IAM capabilities through a multi-tenant cloud that can be leveraged by other cloud-based services.
Oracle Cloud Access Security Broker (CASB) is the service that gives visibility and insight into both enterprise’ entire cloud stack and deep information about the cloud services that are getting utilised by the enterprise within security controls.
Oracle CASB is the service that is used for the following:
Oracle Management Cloud (OMC) is a suite of next-generation integrated monitoring, management, and analytics cloud services that leverage machine learning and big data techniques against the full breadth of the operational data set. OMC’s Unified Platform helps customers improve IT stability, prevent application outages, increase DevOps agility and harden security across their entire application and infrastructure portfolio.
Following sections discuss the aspects of OMC that are related to IT Security:
Oracle Log Analytics Cloud Service monitors, aggregates, indexes, and analyses all log data from your applications and infrastructure – enabling users to search, explore, and correlate this data to troubleshoot problems faster, derive operational insight, and make better decisions.
Oracle Security Monitoring and Analytics (SMA) Cloud Service enables rapid detection, investigation and remediation of the broadest range of security threats across on-premises and cloud IT assets. Security Monitoring and Analytics provides integrated SIEM and UEBA capabilities built on machine learning, user session awareness, and up-to-date threat intelligence context.
Oracle Configuration and Compliance Service enables the IT and Business Compliance function to assess, score and remediate violations using industry standard benchmarks in addition to your own custom rules. The Oracle Configuration and Compliance Service can assess both on premise and cloud infrastructure.
Oracle API Management solution supports agile and secure API development and makes it easy to keep an eye on KPIs covering every aspect of the API lifecycle. True hybrid API deployment – in the Cloud or on-premises – means that API solution is modern and adaptable, all while employing the most up-to-date security protocols. It provides the virtualisation layer and protects APIs against DDoS, SQL injection and XML attacks etc.
Oracle Information Security provides state-of-the-art Hybrid Cloud security. It is a well-known fact that Organisations are not going to migrate to the cloud overnight. Therefore, organisations need an information security solution for a hybrid cloud. Oracle Information Security offers the following for the hybrid cloud:
Oracle Identity Cloud Service provides tools for a seamless integration with Microsoft Active Directory (AD) platform:
With AD platform fully integrated to Oracle Identity Cloud Service, AD users in the cloud are kept in sync without any management effort.
Oracle Hybrid Security provides OIM Cloud Connector through which the users get provisioned into Oracle Identity Cloud service in an automated fashion
Oracle Identity Cloud Service can federate with other Identity Providers IdP. This is done through open standards such as SAML, OpenID Connect and OAuth open standard protocols. Oracle IDCS can be federated with Social Identities such as Google, Facebook, Twitter and LinkedIn.
Oracle Identity Cloud Service and Oracle Access Manager on-premises component can be integrated as Service Provider and Identity Provider and vice versa. They both talk SAML 2 protocols through which a trust can be established between the two.
Oracle Identity Management provides a unified, integrated security platform designed to manage user lifecycle and provide secure access across the enterprise resources, both within and beyond the firewall and into the cloud. The Oracle Identity Management platform provides scalability with an industry-leading suite of solutions for identity governance, access management and directory services.
Oracle Identity Governance is a solution that provides self-service, compliance, reconciliation, provisioning and password management services for applications residing on-premise or on the Cloud. Oracle Identity Governance and Administration is placed in the leaders quadrant in Gartner Magic Quadrant that can be reached on the following URI:
https://www.gartner.com/doc/reprints?id=1-4POUQXH&ct=180126&st=sb
Oracle Access Management provides an enterprise-level security platform, delivers risk-aware end-to-end user authentication, single sign-on, and authorization protection. The Oracle Access Management enables enterprises to secure access and seamlessly integrate social identities with application. Oracle Access Management is placed in the leaders quadrant in Gartner Magic Quadrant that can be reached on the following URI:
https://www.gartner.com/doc/reprints?id=1-42A5TO6&ct=170607&st=sb
Oracle Directory Services provides a comprehensive directory solution with storage, proxy, synchronization and virtualization capabilities. With this unifying approach, it provides the services required for both enterprise and carrier-grade environments, including scalability to billions of entries, easy installation, elastic deployments, enterprise manageability, and effective monitoring.
Oracle Database provides a rich set of security features to manage user accounts, authentication, privileges, application security, encryption, network traffic, and auditing.
Oracle Advanced Security comprises of two features: Transparent Data Encryption and Oracle Data Redaction. The following defines these features:
Oracle Key Vault enables customers to easily deploy encryption and other security solutions by offering robust, central management of encryption keys, Oracle Wallets, Java KeyStores, and credential files.
Oracle Key Vault enables customers to quickly deploy encryption and other security solutions by centrally managing encryption keys, Oracle Wallets, Java KeyStores, and credential files. It is optimized for managing Oracle Advanced Security Transparent Data Encryption (TDE) master keys. The full-stack, security-hardened software appliance uses Oracle Linux and Oracle Database technology for security, availability, and scalability.
Oracle Database Vault implements powerful security controls within Oracle Database. These unique security controls restrict access to application data by privileged database users, reducing the risk of insider and outside threats and addressing common compliance requirements.
Oracle Database Vault security controls help organizations address compliance with data privacy laws and standards such as the EU General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard, and numerous other regulations that require strong internal controls on access, disclosure, or modifications to sensitive information.
Oracle Audit Vault and Database Firewall (AVDF) provides a sophisticated next-generation SQL grammar analysis engine that inspects SQL statements going to the database and determines with high accuracy whether to allow, log, alert, substitute, or block the SQL. Oracle AVDF supports white list, black list, and exception list based polices. A white list is simply the set of approved SQL statements that the database firewall expects to see. These can be learned over time or developed in a test environment. A black list includes SQL statements from specific users, IP addresses, or specific types that are not permitted for the database. Exception list-based policies provide additional deployment flexibility to override the white list or black list policies. Policies can be enforced based upon attributes, including SQL category, time of day, application, user, and IP address. This flexibility, combined with highly accurate SQL grammar analysis, enables organizations to minimize false alerts, and only collect data that is important. Database Firewall events are logged to the Audit Vault Server enabling reports to span information observed on the network alongside audit data.
Oracle Data Masking and Subsetting helps improve security, accelerate compliance, and reduce IT costs by sanitizing copies of production data for testing, development, and other activities and by easily discarding unnecessary data.
Oracle Label Security uses row level data classifications to enforce access controls restricting users to only the data they can access. It enables organizations to control their operational and storage costs by enabling data with various levels of sensitivity to co-mingle within the same database. Oracle Label Security also provides a cost-efficient way to address regulatory requirements for managing access to data on a need to know basis.
In a previous blog, I explained how to treat your Infrastructure as Code by using technologies such as Vagrant and Terraform in order to help automate provisioning and decommissioning of environments in the cloud. Then, I evolved those concepts with this other blog, where I explained how to use Oracle PaaS Service Manager (PSM) CLI in order to provision Oracle PaaS Services into the Cloud.
In this blog, I am going to put together both concepts and show how simply you can automate the provisioning of Oracle Integration Cloud with Terraform and PSM CLI together.
To provision a new PaaS environment, I first create a “Build Server” in the cloud or as my boss calls it a “cockpit” that brings all the required bells and whistles (e.g. Terraform, PSM CLI, GIT, etc) to provision PaaS environments. I will add all the tooling it requires as part of its bootstrap process. To create the “Build Server” in the first place, I am using Vagrant + Terraform as well, just because I need a common place to start and these tools highly simplify my life. Also, this way, I can also treat my “Build Server” as “infrastructure as code” and I can easily get rid of it after I built my target PaaS environments and save with that some bucks in the cloud consumption model.
Once I build my “Build Server”, I will then simply git clone a repository that contains my scripts to provision other PaaS environments, setup my environment variables and type “terraform apply”. Yes, as simple as that!
This is a graphical view of what I will be doing:
I was asked recently to speak at a Developer forum about ways to make life easier for developers to secure their applications in the cloud. The session was great and lots of questions were asked but perhaps the most surprising question asked was from a developer who wants to integrate a custom application with Oracle Identity Cloud. This developer needs access to the public keys used by Identity Cloud Service before a user has authenticated to the service. More importantly, the developer needs the keys represented in the JWK format. According to the specification, a JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.
There are very valid reasons why the developer needs access to the public keys without an authenticated session. Public keys let someone verify the signature on something signed with the associated private key or encrypt a message to send to you.
The developer asked Can I get a JWK from Oracle Identity Cloud Service without an OAuth Access Token?
The answer is simple… YES!!! There are two important API’s available in Oracle Identity Cloud Service
User: "Wats PaaS?" Bot: "Oracle Cloud Platform has the most comprehensive suite of PaaS solutions to help you increase business agility and drive innovation in the cloud. The most popular are Integration Cloud, Mobile & Chatbots and Blockchain" User: "Oops! I meant SaaS" Bot: "Oracle Cloud Platform has the most comprehensive suite of [....] User: "Sure... See you later"
I believe machines are very good at doing repeatable and predictable tasks. Humans by nature are everything but predictable. This is why it takes a lot of work to build a Bot that can survive human contact….
This post is a deep technical dive into sub-intents, System components and how we combine them to build a dialog flow that attempts to maintain a conversation even when the user “goes off script”.
Continue reading “What if in the middle of the conversation the user changes mind?”
Hi, just thought to post the solution for this error, when I hit this error, searched all over internet couldn’t find any specific blog describing possible cause of getting this error while invoking an API.
Let me give some background. I have created an API using Oracle API Platform Management Portal and when I tried invoking that API using google postman tool I was getting below error –
This was a silly mistake but worth highlighting. When we create API definition in API Management portal there is tab page “API Implementation” which has configuration field “API Request” where we need to define the API endpoint URL where consumer of this API will send input request. While I was declaring that portion I have given this URL “api/medrec”.
Continue reading “‘API life Cycle is invalid!’ Error for Oracle API CS API’s”
In this blog I am going to document the Oracle API Platform Gateway Node (Version : 18.1.3) Installation steps which is one of the critical components of API Platform Cloud Service.
Oracle provides API Platform Cloud Service as a foundation product for API Management that comprises the Full API Lifecycle, encompassing the complete API Design & Documentation, API Security, Discovery & Consumption, Monetization, and Analysis etc.
Oracle API Platform comprises 3 major components as stated below to serve specific purpose-
Management Portal – This is used to create and manage APIs, deploy APIs to gateways, and manage gateways, and create and manage applications. You can also manage and Deploy APIs and manage gateways with the REST API.
Developer Portal – Application developers subscribe to APIs and get the necessary information to invoke them from this portal.
Gateway Node – This is the security and access control run-time layer for APIs. Each API is deployed to a gateway node from the Management Portal or via the REST API.
In addition to above, Oracle also offer Oracle Apiary to quickly design, prototype, document and test APIs.
Below is the high level architecture diagram of API Platform.
Continue reading “Oracle API Platform Cloud Service – Installation Steps of Gateway Node”
In this blog, I am going to show you how to configure Oracle Load Balancer as a Service (LBaaS) to proxy/redirect traffic into multiple APIs. For the sake of this example, I am going to point to running APIs hosted on my Oracle API Gateway, as well as running on a 3rd party Cloud provider. However, you can use Oracle LBaaS to proxy traffic to any HTTP or HTTPS endpoint(s).
In this example, I am going to consume an existing API that I built some time ago that when invoked returns a random joke. In order to test it in high availability mode, I am also going to configure yet another “jokes” API that will serve as a redundant backend endpoint/API.
This is the high-level view of how Oracle LBaaS can easily enable multiple proxy/redirections to backend APIs hosted across various places:
In my previous article, Securing Applications with Multi Factor Authentication I discussed how to roll out basic MFA. While this is great if your requirements are very straightforward, there are times when you’ll need a more sophisticated approach. One of the most common examples that I get asked about is how to challenge users for Multi Factor Authentication only when they are connecting remotely from home or when traveling.
In this article I use an example where the business requirement is to enforce MFA for people in the Customer Relations department who are accessing protected applications when they are not on the corporate network. I’ll explain how to configure policies and rules that allow users connected to the corporate network to login with just their User ID and Password, while users connected remotely will need to use Multi Factor Authentication to access protected applications.
In this blog, I am going to get you started with Oracle PaaS Service Manager (PSM) CLI – A great tool to manage anything API-enabled on any Oracle PaaS Service or Stack. For example, provisioning, scaling, patching, backup, restore, start, stop, etc.
It has the concept of Stack (multiple PaaS services), what means that you can very easily provision and manage full Stacks, such as Oracle Integration Cloud (OIC), that combines multiple PaaS solutions underneath, e.g. ICS, PCS, VBCS, DBCS, etc.
For this, we are going to use a pre-cooked Vagrant Box/VM that I prepared for you, so that you don’t have to worry about installing software, but moving as quickly as possible to the meat and potatoes.
This is a graphical view of what we are going to do:
RedThunder.Blog 