Enable Security Operations

An essential part of onboarding to OCI is collaborating with your security teams at the beginning of your cloud adoption initiative. Work with your platform and operation teams to include cloud security practices within all operations.

For most organizations, cloud adoption involves a high learning curve and a large culture shift that spans multiple teams. Engage your cybersecurity teams early during the planning and architecture phase, instead of later, so that you can help teams shape and align processes with a common understanding of the features and limitations of cloud services. With early feedback from the platform and application teams, security management processes are more likely to be an enabler and protector to your cloud initiative, instead of a late blocker.

Cloud Guard is a cloud-native service that helps you monitor, identify, achieve, and maintain a strong security posture ind Oracle Cloud. Use the service to examine your OCI resources for security weakness related to configuration, and your OCI operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take corrective actions, based on your configuration.

• Cloud Guard uses Oracle-managed or user-managed detector and responder "recipes." Recipes are combinations of rules that either identify or respond to different conditions.
• You can target OCI compartments with detector recipes so that Cloud Guard can detect misconfigured resources and insecure activity across tenants.
• Cloud Guard provides security administrators with the visibility to triage and resolve cloud security issues.
• Security inconsistencies can be automatically remediated with out-of-the-box security recipes so that you can quickly and efficiently scale security operations.
• You can integrate Cloud Guard event details, such as the problem threshold reached, or the problem detected, with existing processes using the OCI Notifications service. For example, Notifications can send Slack or email messages, or trigger automation using custom OCI functions.
• Oracle-managed recipes provide an excellent baseline because OCI keeps them up to date with the latest rules. Your security policy team (green team) can further adjust these rules to better fit your organization's needs by cloning Oracle-managed recipes to create user-managed recipes, including disabling a rule, revising a risk level, and so on.

Cloud Guard detects misconfiguration and security zones help prevent these problems from occurring.

A security zone is created by associating a compartment with a security zone recipe. When you create and update resources in a security zone, OCI validates these operations against the list of policies defined in the security zone recipe. If any security zone policy is violated, then the operation is denied. However, existing resources that were created before the security zone might also violate policies. OCI Security Zones integrates with Cloud Guard to identify policy violations in existing resources.

Oracle manages a single, predefined recipe named Maximum Security Recipe, which includes all available security zone policies. Because the policies of Maximum Security Recipe are relatively strict and not customizable, your organization must consider it for suitable workloads only after jointly evaluating the security zone with the application architect. Create your own security recipes when needed.

OCI Vulnerability Scanning Service helps improve your security posture in OCI by routinely checking hosts for potential vulnerabilities. The service generates reports with metrics and details about the findings.

The Vulnerability Scanning service can identify several types of security issues in compute instances and container images:

• Ports that are unintentionally left open might be a potential attack vector to your cloud resources, or enable hackers to exploit other vulnerabilities.
• OS packages that require updates and patches to address vulnerabilities.
• OS configurations that hackers might exploit.
• Industry-standard benchmarks that are published by the Center for Internet Security (CIS).

Vulnerability Scanning checks hosts for compliance with the section 5 (Access, Authentication, and Authorization) benchmarks defined for Distribution Independent Linux.

When you create a repository in Oracle Cloud Infrastructure Registry (also known as Container Registry), image scanning is enabled by default on the repository. Every time an image is pushed to the repository, the image is scanned for security vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database. Container Registry automatically rescans any images in the repository that have changed since the previous scan.

The security team can also use the default configuration detector recipe in Cloud Guard to detect and respond to security vulnerabilities identified by the Vulnerability Scanning service.

Logging is essential for security analysts to discover potential security breaches or internal misuses of information.

With Oracle Cloud Infrastructure Logging, analysts can access logs from OCI resources, including critical diagnostic information that describes how resources are performing and being accessed. Logging is a highly scalable and fully managed single pane of glass for all the logs in your tenancy.

By default, audit logs are retained for 365 days. With OCI Service Connector Hub, you can archive logs to immutable storage longer to fulfill the compliance requirements for some regulated industries. Using a similar pattern, logs can integrate with third-party security information and event management (SIEM) tools such as Splunk and QRadar using the OCI Streaming service.

• Cloud Adoption Framework Landing Zone
• Protect your workloads in the cloud using security zones
• Self-Service Landing Zone