Security – RedThunder.Blog

Field Level Encryption with Oracle Integration and OCI Vault

Integration platforms are often required to handle confidential information such as personal details, payment information or other data protected by compliance and regulatory standards such as HIPAA, GDPR, PII and PCI.

Various methods exist to protect data from unauthorized access while data is in transit and at rest. These approaches typically encrypt the entire payload. As a complementary approach Field Level Encryption has an important role to play by ensuring that only appropriately configured clients can read sensitive data fields. This approach also allows clients without the encryption keys to work with the non-sensitive data which would be impossible to do with a fully encrypted payload.

Although Field Level Encryption (FLE) is not natively supported in Oracle Integration (OIC) today, this blog will explore several options that will allow you to implement FLE with OIC. In this blog, I will present these options, discuss some guiding principles and showcase some sample implementations.

#DaysOfArm (15 of X)

This is my 15th #DaysOfArm article that tracks some of the experiences that I’ve had so far. It’s been a little while since I’ve worked on this series however saying that … much of what I’ve been doing didn’t seem different from any other type of environment.

And just to recap from the first post (here) on June 12 2021.

It’s been just over 2 weeks since the launch of Ampere Arm deployed in Oracle Cloud Infrastructure (OCI). Check this article out to learn more (here). And it’s been about one week since I started looking into the new architecture and deployment, since I started provisioning the VM.Standard.A1.Flex Compute Shape on OCI and since I started migrating a specific application that has many different variations to it to test it all out.

This is my next learning where I looked into Let’s Encrypt to create a set of free certificates for Oracle Cloud Infrastructure A1.Flex VM Instances.

Bastion Access For Minecraft

In the previous post, I did some work in managing Security Lists to protect the Minecraft Server. To read about that, head (here). Another method of connecting to the Minecraft Server is through a Bastion Host. As part of Oracle Cloud Infrastructure, it is free to create a session through the Bastion Service (service limits do apply). Here’s a brief encounter of getting this up and going.

Security Lists for Minecraft

The Minecraft Server has been up and running for a little while now on my Oracle Cloud Infrastructure Always Free Tier. And it’s something that has become more valuable. The hours of crafting, building and mining is something that needs attention. I’ve experienced the situation when months of work has been wiped or worse hacked. It’s not a good feeling.

I’ve been using the Security Lists in Oracle Cloud Infrastructure to define specific ingress rules. What I’ve done now is make that easier.

Adding OAuth to ORDS

Adding security over the APIs across multiple layers was something that we considered when putting this project together. This perspective was reinforced at the #DigitalDefence hackathon in Nov 2020. Check out what happened (here).

We focus on the score and event APIs exposed by Autonomous Data Warehouse.

Here we will focus on the different REST APIs exposing the data hosted by Autonomous Data Warehouse. We started off with HTTP Basic Authentication but quickly turned to using OAuth. Here we’ll explore more about the OAuth side and how to get that started.

#DigitalDefence – A Tribute To The Teams

It was fantastic to see / hear / participate in the closing ceremony of the #DigitalDefence Hackathon 2020. If you want to check the whole ceremony including some of locknotes, check it out here.

#DigitalDefence Hackathon 2020 Closing Ceremony recorded by Hackmakers (https://hackmakers.com)

It was great to see who won but also from the judging perspective, who else was in the Top 11 (yes 11, not 10) where we worked with our executive team including Cherie Ryan, Vice President at Oracle and our Regional Managing Director of Australia and New Zealand to pick the winners.

#DigitalDefence Hackathon … The Why?

Head to https://hackmakers.com to register as a competitor or to showcase your project / product.

It’s almost 9 days before the event launches on the Friday night. Even before that, there are a series of workshops / webinars that we are hosting as part of the event in the days leading up to the event. Even then we are:

a/ Making sure that we have people, mentors, marketing, product managers, executives lined up to help where they can.
b/ Making sure that we have ideas, platforms, trials, programs, education material lined up to help where it’s feasible.
c/ Making sure that we help promote, advocate, market the event so those who would benefit would know about the event and attend.

All this effort for what outcome?

This says it all. And even though this is about #anomalydetection #deepfake #cybersecurity, much of this comes down to data – where the data can be sourced, how the data can be analysed, is the data reliable and can it be trusted.

Over the coming days leading up to the event – there will be plenty of chatter around it. Follow the event on LinkedIn. Some easy ways to follow are:

1/ Follow #DigitalDefence at https://www.linkedin.com/feed/hashtag/?keywords=digitaldefence
2/ Follow Hackmakers at https://www.linkedin.com/company/hackmakers
3/ Follow me at https://www.linkedin.com/in/lowe-jason/

I’ll be writing more about it here as we go and as new content is available. If you are interested to know or more if you want to join a team or showcase a project or product – head to the Hackmakers website https://hackmakers.com/ to learn more and register.

Secure Inter-Service Communication in OCI

Oracle Cloud Infrastructure provides a ton of useful services for automating and orchestrating behaviours in your cloud environment, and while they are often pretty handy on their own, leveraging them together gives almost complete flexibility on what you can achieve. Want to trigger a backup using a command in slack, then have a message get sent back when it completes? Sure! Want to periodically poll a log API and archive the results? Easy. Oracle Cloud Infrastructure provides a number of inbuilt capabilities, as well as the ability to jump into arbitrary code to build elaborate automation flows, and this blog post will focus upon the security constructs around this, looking at how services can be authorised to invoke one another, as well as how they authenticate themselves, while avoiding storing sensitive data in insecure ways. This post is intended as an overview of the concepts, and will be referenced in more concrete ways in future.

Consumer Data Right (CDR) – User-specific Identifiers for ID Permanence

Version 1.0.0 of the Consumer Data Right standard was released in September, and it introduces a common set of Banking APIs in line with Australian government legislation. The principles behind the standards design are very solid, though the some of the specific requirements are pretty wild and they result in a bit of rethinking of some of the classical API conventions. The most prominent example of this is the approach the CDR standards take towards ‘object identifiers’, in the ID Permanence section, and I considered the requirements for this interesting enough to spend some time thinking about and documenting.

In this context, an ‘object identifier’ refers to the way in which you refer to an individual instance of an object from your API, such as the ‘accountId’ in the following URI:

GET /banking/accounts/{accountId}

In this blog post we will look at what the CDR requires for these types of identifiers, and provide some sample code which implements the obfuscation requirements specified in the standard.

Enhance the security of your website with Oracle Cloud Infrastructure’s Web Application Firewall

Oracle recently introduced a Web Application Firewall (WAF) to further enhance and secure Oracle Cloud Infrastructure offerings. The Oracle Cloud Infrastructure WAF is based on Oracle Zenedge and Oracle Dyn technologies. It inspects all traffic destined to your web application origin and identifies and blocks all malicious traffic. The WAF offers the following tools, which can be used on any website, regardless of where it is being hosted:

Origin management
Bot management
Access control
Over 250 robust protection rules that include the OWASP rulesets to protect against SQL injection, cross-site scripting, HTML injection, and more

In this post, I configure a set of access control WAF policies to a website. Access control defines explicit actions for requests that meet conditions based on URI, request headers, client IP address, or countries and regions.

Continue reading “Enhance the security of your website with Oracle Cloud Infrastructure’s Web Application Firewall”