Security – RedThunder.Blog

Virus & Malware Scanning Object Storage in OCI

If you’re like me, then working in IT means you also assume Tech Support duties for friends, family, and those distant relatives that only seem to call when they’ve got a problem.

I just clicked on this link, and my computer is doing something weird. I think my PC has a virus, what do I do?

When it’s just a single computer, the answer is simple, contain and validate the rouge software is removed, install an AV solution, change their passwords, enable MFA, and provide some education on what to look out for next time.

But now imagine you’re an organisation building a new application, or are moving applications to the cloud. Are you simply performing a lift-and-shift or are you planning to make use of cloud native services? Where are you going to store your data, specifically user uploaded files? Object Storage was built specifically to solve the challenges of how to store unstructured data in the cloud.

However, there is a catch. If you were previously storing files on a server file system, then it’s likely you were also running an anti-virus / anti-malware solution to identify malicious files. With Object Storage the underlying file system is transparent, so you can’t install AV, yet many compliance requirements still state “Uploaded files must be scanned for viruses and malware”.

OCI User Access Review Made Easy

I’m sure we can all agree, adopting a cloud strategy is awesome. The opportunities and benefits it affords are many. However cloud governance is an ongoing problem that plagues security, compliance, and management teams, which cloud vendors like Oracle are continually trying to solve.

If you’re reading this, you’ve probably been asked, or heard at least once:

Who has access to what in our environment?
Any Security / Compliance Manager

The answer should be easy and simple. However the reality is likely lots of manual time & work, spreadsheets, and endless clicking in a cloud console. If you’re doing this manually then I agree, it’s time that you could be dedicating to more important tasks.

The challenge in trying to answer these questions:

What users exist and what groups do they belong to?
What does my OCI tenancy compartment structure look like?
What policies have users explicitly created?
What permissions do users have in my tenancy?
Are there any excessive / non-compliant policies & permissions in my tenancy?

is that these complex relationships can’t be easily represented and interpreted in a table-like format. In the OCI ecosystem:

users can be federated with an Identity Provider and can belong to one or many federated, or local IAM groups,
policies can be defined for “any-user” or for a group,
policies are inherited meaning they apply to all sub-compartments from which the policies are applied.

To make things easier I’ve created a solution using Oracle tools and services to simplify the auditing of OCI tenancies and user permissions called “Peek”.

Field Level Encryption with Oracle Integration and OCI Vault

Integration platforms are often required to handle confidential information such as personal details, payment information or other data protected by compliance and regulatory standards such as HIPAA, GDPR, PII and PCI.

Various methods exist to protect data from unauthorized access while data is in transit and at rest. These approaches typically encrypt the entire payload. As a complementary approach Field Level Encryption has an important role to play by ensuring that only appropriately configured clients can read sensitive data fields. This approach also allows clients without the encryption keys to work with the non-sensitive data which would be impossible to do with a fully encrypted payload.

Although Field Level Encryption (FLE) is not natively supported in Oracle Integration (OIC) today, this blog will explore several options that will allow you to implement FLE with OIC. In this blog, I will present these options, discuss some guiding principles and showcase some sample implementations.

#DaysOfArm (15 of X)

This is my 15th #DaysOfArm article that tracks some of the experiences that I’ve had so far. It’s been a little while since I’ve worked on this series however saying that … much of what I’ve been doing didn’t seem different from any other type of environment.

And just to recap from the first post (here) on June 12 2021.

It’s been just over 2 weeks since the launch of Ampere Arm deployed in Oracle Cloud Infrastructure (OCI). Check this article out to learn more (here). And it’s been about one week since I started looking into the new architecture and deployment, since I started provisioning the VM.Standard.A1.Flex Compute Shape on OCI and since I started migrating a specific application that has many different variations to it to test it all out.

This is my next learning where I looked into Let’s Encrypt to create a set of free certificates for Oracle Cloud Infrastructure A1.Flex VM Instances.

Bastion Access For Minecraft

In the previous post, I did some work in managing Security Lists to protect the Minecraft Server. To read about that, head (here). Another method of connecting to the Minecraft Server is through a Bastion Host. As part of Oracle Cloud Infrastructure, it is free to create a session through the Bastion Service (service limits do apply). Here’s a brief encounter of getting this up and going.

Security Lists for Minecraft

The Minecraft Server has been up and running for a little while now on my Oracle Cloud Infrastructure Always Free Tier. And it’s something that has become more valuable. The hours of crafting, building and mining is something that needs attention. I’ve experienced the situation when months of work has been wiped or worse hacked. It’s not a good feeling.

I’ve been using the Security Lists in Oracle Cloud Infrastructure to define specific ingress rules. What I’ve done now is make that easier.

Adding OAuth to ORDS

Adding security over the APIs across multiple layers was something that we considered when putting this project together. This perspective was reinforced at the #DigitalDefence hackathon in Nov 2020. Check out what happened (here).

We focus on the score and event APIs exposed by Autonomous Data Warehouse.

Here we will focus on the different REST APIs exposing the data hosted by Autonomous Data Warehouse. We started off with HTTP Basic Authentication but quickly turned to using OAuth. Here we’ll explore more about the OAuth side and how to get that started.

#DigitalDefence – A Tribute To The Teams

It was fantastic to see / hear / participate in the closing ceremony of the #DigitalDefence Hackathon 2020. If you want to check the whole ceremony including some of locknotes, check it out here.

#DigitalDefence Hackathon 2020 Closing Ceremony recorded by Hackmakers (https://hackmakers.com)

It was great to see who won but also from the judging perspective, who else was in the Top 11 (yes 11, not 10) where we worked with our executive team including Cherie Ryan, Vice President at Oracle and our Regional Managing Director of Australia and New Zealand to pick the winners.

#DigitalDefence Hackathon … The Why?

Head to https://hackmakers.com to register as a competitor or to showcase your project / product.

It’s almost 9 days before the event launches on the Friday night. Even before that, there are a series of workshops / webinars that we are hosting as part of the event in the days leading up to the event. Even then we are:

a/ Making sure that we have people, mentors, marketing, product managers, executives lined up to help where they can.
b/ Making sure that we have ideas, platforms, trials, programs, education material lined up to help where it’s feasible.
c/ Making sure that we help promote, advocate, market the event so those who would benefit would know about the event and attend.

All this effort for what outcome?

This says it all. And even though this is about #anomalydetection #deepfake #cybersecurity, much of this comes down to data – where the data can be sourced, how the data can be analysed, is the data reliable and can it be trusted.

Over the coming days leading up to the event – there will be plenty of chatter around it. Follow the event on LinkedIn. Some easy ways to follow are:

1/ Follow #DigitalDefence at https://www.linkedin.com/feed/hashtag/?keywords=digitaldefence
2/ Follow Hackmakers at https://www.linkedin.com/company/hackmakers
3/ Follow me at https://www.linkedin.com/in/lowe-jason/

I’ll be writing more about it here as we go and as new content is available. If you are interested to know or more if you want to join a team or showcase a project or product – head to the Hackmakers website https://hackmakers.com/ to learn more and register.

Secure Inter-Service Communication in OCI

Oracle Cloud Infrastructure provides a ton of useful services for automating and orchestrating behaviours in your cloud environment, and while they are often pretty handy on their own, leveraging them together gives almost complete flexibility on what you can achieve. Want to trigger a backup using a command in slack, then have a message get sent back when it completes? Sure! Want to periodically poll a log API and archive the results? Easy. Oracle Cloud Infrastructure provides a number of inbuilt capabilities, as well as the ability to jump into arbitrary code to build elaborate automation flows, and this blog post will focus upon the security constructs around this, looking at how services can be authorised to invoke one another, as well as how they authenticate themselves, while avoiding storing sensitive data in insecure ways. This post is intended as an overview of the concepts, and will be referenced in more concrete ways in future.