Previously, I discussed Oracle’s overall information security portfolio in the blog entry – Oracle Information Security – Where it begins, Where it ends. That post covered information security in Oracle Cloud Infrastructure – Classic and the on-premises suite of products, including Identity and Access Management and Database Security.
In a series of five blog posts, I am going to cover the security concepts in Oracle Cloud Infrastructure (aka OCI or Oracle Gen-2 Cloud). Oracle Cloud Infrastructure (OCI) is a trusted enterprise cloud platform that offers customers deep control with unmatched security. It provides Oracle customers with effective and manageable security so they can confidently run their mission-critical workloads and store their data.
This is the first of five articles in the series. It explains the generic concepts in OCI that lay the foundation for understanding the other articles. The other articles will cover Identity and Access Management, Networking, Key Management and Edge Services Security.
OCI Security is based on seven core pillars as discussed in the next section. Each one of the pillars has multiple solutions designed to maximise the security and compliance of the platform.
Seven pillars of a trusted enterprise cloud platform
- Customer Isolation: Allow customers to deploy their application and data assets in an environment that commits to full isolation from other tenants and from Oracle’s staff. OCI offers Bare Metal instances, VM instances, Virtual Cloud Networks and IAM Compartments to achieve this isolation.
- Data Encryption: Protect customer data at rest and in transit in a way that allows customers to meet their security and compliance requirements with respect to cryptographic algorithms and key management. OCI provides Default Storage Encryption, Key Management Service (KMS) and Database Encryption.
- Security Controls: Offer customers effective and easy-to-use application, platform, and network security solutions that allow them to protect their workloads, deliver applications securely using a global edge network, constrain access to their services, and segregate operational responsibilities to reduce the risk associated with malicious and accidental user actions. OCI provides User Authentication, Instance Principals, Authorisation, Network Security Controls, and Application and Edge Security Controls.
- Visibility: Offer customers comprehensive log data and security analytics that they can use to audit and monitor actions on their resources, allowing them to meet their audit requirements and reduce security and operational risk. OCI provides various Audit Logs along with CASB-based monitoring.
- Secure Hybrid Cloud: Enable customers to use their existing security assets, such as user accounts and policies, as well as third-party security solutions, when accessing their cloud resources and securing their data and application assets in the cloud. OCI provides Identity Federation, Third-Party Security solutions, and Secure Connectivity using VPN and FastConnect.
- High Availability: Offer fault-independent data centers that enable high-availability scale-out architectures and are resilient against network attacks, ensuring constant uptime in the face of disaster and security attack. OCI provides three options for HA – Multi-Region, Multi-Availability Domain, and Multi-Fault Domain within an Availability Domain – with SLAs.
- Verifiable Secure Infrastructure: Follow rigorous processes and use effective security controls in all phases of cloud service development and operation. Demonstrate adherence to Oracle’s strict security standards through third-party audits, certifications, and attestations. Help customers demonstrate compliance readiness to internal security and compliance teams, their customers, auditors, and regulators. OCI provides Security Operations, Compliance Certifications and Attestations, Customer Penetration and Vulnerability Testing, and Secure Software Development.
Shared Security Model
To run their workloads securely, customers need to be aware of their security and compliance responsibilities. By design, Oracle provides security of the cloud infrastructure and operations (cloud operator access controls, infrastructure security patching, and so on), and customers are responsible for securely configuring their cloud resources. Security in the cloud is a shared responsibility between the customer and Oracle.
In a shared, multi-tenant compute environment, Oracle is responsible for the security of the underlying cloud infrastructure (such as data-center facilities, and hardware and software systems) and customers are responsible for securing their workloads and configuring their services (such as compute, network, storage, and database) securely.
In a fully isolated, single-tenant, bare-metal server with no Oracle software on it, the customers’ responsibility increases as they bring the entire software stack (operating systems and above) on which they deploy their applications. In this environment, customers are responsible for securing their workloads, and configuring their services (compute, network, storage, database) securely, and ensuring that the software components that they run on the bare metal servers are configured, deployed, and managed securely. More specifically, customer and Oracle responsibilities can be divided into the following areas:
- Identity and access management (IAM): As with all Oracle Cloud services, customers should protect their cloud access credentials and set up individual user accounts. Customers are responsible for managing and reviewing access for their own employee accounts and for all activities that occur under their tenancy. Oracle is responsible for providing effective IAM services such as identity management, authentication, authorization, and auditing.
- Workload security: Customers are responsible for protecting and securing the operating system and application layers of their compute instances from attacks and compromises. This protection includes patching applications and operating systems, operating system configuration, and protection against malware and network attacks. Oracle is responsible for providing secure images that are hardened and have the latest patches. Also, Oracle makes it simple for customers to bring the same third-party security solutions that they use today.
- Data classification and compliance: Customers are responsible for correctly classifying and labeling their data and meeting any compliance obligations. Also, customers are responsible for auditing their solutions to ensure that they meet their compliance obligations.
- Host infrastructure security: Customers are responsible for securely configuring and managing their compute (virtual hosts, containers), storage (object, local storage, block volumes), and platform (database configuration) services. Oracle has a shared responsibility with customers to ensure that the service is optimally configured and secured. This responsibility includes hypervisor security and the configuration of the permissions and network access controls required to ensure that hosts can communicate correctly and that devices are able to attach or mount the correct storage devices.
- Network security: Customers are responsible for securely configuring network elements such as virtual networking, load balancing, DNS, and gateways. Oracle is responsible for providing a secure network infrastructure.
- Client and end-point protection: Customers use various hardware and software systems, such as mobile devices and browsers, to access their cloud resources. Customers are responsible for securing all clients and endpoints that they use to access Oracle Cloud Infrastructure services.
- Physical security: Oracle is responsible for protecting the global infrastructure that runs all of the services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
Layered Security on OCI
OCI operates in regions. A region is a metropolitan area; inside a region there are multiple data centers called Availability Domains (ADs). Each region consists of three availability domains. These are isolated from each other, and all your resources, such as compute and database instances, are placed inside an AD. Within an Availability Domain there is a further grouping of hardware and infrastructure called a Fault Domain.
ADs are wired together over private dark fibre, and there is very little latency between ADs, making them a perfect fit for high-availability primitives and data replication. A dedicated backbone connects these ADs. The backbone plugs into edge or peering points of presence where customers can get direct connections into our network.
This is depicted in the figure 1 below:
An Availability Domain is characterised by:
- no noisy neighbours
- very high scalability (1 million network ports)
- low latency, and
- high-speed inter-connectivity of the physical network between the hosts
The physical network in an AD is complemented by off-box network virtualisation, which moves storage and network I/O off the hypervisor and the bare-metal instances, giving lower overhead. This is depicted in figure 2 below:
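As an added example (not from the original post), the following Python models the region, availability domain and fault domain hierarchy described above and checks whether a set of replicas survives the loss of a single AD or a single fault domain. The three ADs per region match the post; the three fault domains per AD, the AD and fault-domain names, and the round-robin placement rule are assumptions made for illustration.

```python
"""Added example, not from the original post: model OCI's region -> availability
domain (AD) -> fault domain (FD) hierarchy and check replica placement against
single-AD and single-FD failures.

Assumptions (constructed for illustration): three ADs per region as the post
states, three fault domains per AD, and simple round-robin placement.
"""
from collections import Counter

# Constructed names: real OCI AD names are tenancy-specific.
ADS = ["AD-1", "AD-2", "AD-3"]
FAULT_DOMAINS = ["FAULT-DOMAIN-1", "FAULT-DOMAIN-2", "FAULT-DOMAIN-3"]


def place_replicas(n, ads=ADS, fds=FAULT_DOMAINS):
    """Spread n replicas round-robin across ADs, and within each AD round-robin
    across fault domains, so both isolation layers are used."""
    placements = []
    next_fd = {ad: 0 for ad in ads}  # per-AD cursor into the FD list
    for i in range(n):
        ad = ads[i % len(ads)]
        fd = fds[next_fd[ad] % len(fds)]
        next_fd[ad] += 1
        placements.append({"replica": i, "ad": ad, "fd": fd})
    return placements


def _failure_keys(placements, level):
    """Key each replica by the unit whose failure would take it down."""
    if level == "ad":
        return [p["ad"] for p in placements]
    if level == "fd":
        # A fault domain only exists within its AD, so key by the pair.
        return [(p["ad"], p["fd"]) for p in placements]
    raise ValueError(f"unknown failure level: {level!r}")


def max_loss_fraction(placements, level):
    """Largest share of replicas lost to any single AD ('ad') or fault-domain
    ('fd') failure. 1.0 means one failure can take every replica down."""
    if not placements:
        return 1.0
    counts = Counter(_failure_keys(placements, level))
    return max(counts.values()) / len(placements)


def survives_single_failure(placements, level):
    """True if at least one replica remains after any single failure at the
    given level. An AD failure also takes every FD inside it, so the 'ad'
    check is the stricter of the two."""
    return max_loss_fraction(placements, level) < 1.0


if __name__ == "__main__":
    for n in (1, 2, 4, 6):
        layout = place_replicas(n)
        verdict = "AD-loss ok" if survives_single_failure(layout, "ad") else "AD-loss FAILS"
        print(f"{n} replica(s): {verdict} "
              f"(worst AD loss {max_loss_fraction(layout, 'ad'):.0%}, "
              f"worst FD loss {max_loss_fraction(layout, 'fd'):.0%})")
```

In a real tenancy the AD list would come from `oci iam availability-domain list` rather than the constants above; the point of the check is the same either way: a single-replica deployment fails the AD test, and only once replicas are spread over at least two ADs can no single data center outage remove all of them.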
Finally, at the application layer we have OCI services such as Identity and Access Management, Storage Services (Local, Block, File, Object and Archival), Security (Audit and Key Management), Networking (VCN, VPN, FastConnect, Load Balancer), Database (Bare Metal, VMs, RAC, Exadata), Data Movement (Storage, Data Xfer), Compute (Bare Metal, GPUs, VMs and Containers), Autonomous Database (ADW, ATP) and Edge Services (DNS, Email). These services are pictorially depicted in figure 3 below:
Conclusion: This blog post has discussed the seven pillars of security upon which Oracle Cloud Infrastructure (OCI, Oracle Gen-2 Cloud) is built. It has also discussed the basic concepts and nomenclature in OCI in terms of regions, data centers, high availability and network connectivity between the data centers. This part has laid the foundation for uncovering the various security layers in the subsequent parts of the series. In the next part I am going to discuss OCI Identity and Access Management.