Oracle Cloud Learning Center


6 Securing Oracle Cloud


This section describes security considerations and best practices for Oracle Cloud customers. These topics are relevant to several or all of Oracle's Cloud offerings.

Topics:

About Security in a Cloud-based Environment

Security is the foundation of Oracle Cloud services, including physical security, operating system and virtualization layer security, and tenant isolation. Security is particularly important in Oracle Cloud because its customers can be attractive phishing targets.

In a cloud-based application environment, security is a shared responsibility model. You need to take responsibility for implementing best practices as applicable to your business or organization. End-to-end security requires network and application level security in your own environment.

All the standard IT security practices prior to the cloud era are still applicable and must be implemented in a cloud environment.

As you prepare to move your enterprise environment to a multi-tenant enabled cloud environment, consider the following guidelines and implement the necessary security measures. These security best practices include people, processes, and products.

General Oracle Cloud Security Awareness

  • Update your browser and antivirus to the latest versions.

  • Install email filtering.

  • Install firewall security and configure whitelists accordingly.

  • Educate and familiarize your users with Oracle Cloud identity management services, such as using credentials and an identity domain to sign in, and setting up challenge questions for the password reset procedure.

  • Establish in-house helpdesk security practices specific for cloud applications.

  • Involve your security or compliance specialists in cloud planning.

  • Adopt good coding practices.

  • Isolate sensitive data.

Identity Management and Access Control Best Practices

  • Implement proper user identity life cycle management.

    • Develop policies for new users.

    • Grant access to an Oracle Cloud service only to employees who require the service.

    • Examine user credentials routinely. Ensure employee systems and identities in Oracle Cloud are updated and synchronized.

    • Remove access to Oracle Cloud services from any employee who is suspended or terminated.

  • Implement proper role segregation.

  • Assign roles only to those whose job requires the privileges associated with the role. For example, assign administrative roles such as Service Administrator or Identity Domain Administrator carefully.

  • Enforce a strong password policy.

  • Implement a portal that provides single access to Oracle Cloud services.
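One way to turn the identity life cycle items above into a routine check, as an added example that is not Oracle's code and not part of the original page: reconcile a constructed HR roster against a constructed list of Oracle Cloud identities and report accounts that should have been removed (suspended or terminated employees), accounts with no HR record, and administrative roles such as Service Administrator or Identity Domain Administrator held by someone outside an approved list. The data, the role names used as admin roles, and the function name review_identities are assumptions for illustration.

```python
# Constructed sample data for this example only (not real accounts or roles).
# HR status per employee login, as the system of record.
HR_ROSTER = {
    "alice": "active",
    "bob": "suspended",
    "carol": "terminated",
    "dave": "active",
}

# Identities currently present in the cloud identity domain, with their roles.
CLOUD_IDENTITIES = {
    "alice": {"Service Administrator"},
    "bob": {"User"},
    "carol": {"User"},
    "dave": {"User"},
    "erin": {"Identity Domain Administrator"},  # no HR record at all
}

# Roles the page names as ones to assign carefully, and who may hold them.
ADMIN_ROLES = {"Service Administrator", "Identity Domain Administrator"}
APPROVED_ADMINS = {"alice"}


def review_identities(hr, cloud, approved_admins, admin_roles=ADMIN_ROLES):
    """Compare cloud identities with the HR roster and return three finding lists:
    revoke           - accounts whose HR status is suspended or terminated
    orphaned         - accounts with no HR record (stale or unmanaged)
    unapproved_admin - accounts holding an admin role without approval
    Lists are sorted by login so the report is stable between runs."""
    findings = {"revoke": [], "orphaned": [], "unapproved_admin": []}
    for user, roles in sorted(cloud.items()):
        status = hr.get(user)
        if status is None:
            findings["orphaned"].append(user)
        elif status in ("suspended", "terminated"):
            findings["revoke"].append(user)
        # Role segregation: admin roles only where the job requires them.
        if roles & admin_roles and user not in approved_admins:
            findings["unapproved_admin"].append(user)
    return findings


def format_report(findings):
    """Render findings as one line per category for a helpdesk ticket or log."""
    return "\n".join(f"{category}: {', '.join(users) or 'none'}"
                     for category, users in findings.items())


if __name__ == "__main__":
    print(format_report(review_identities(HR_ROSTER, CLOUD_IDENTITIES, APPROVED_ADMINS)))
```

Run on a schedule against exports from the HR system and the identity domain, each non-empty list is an action item: revoke the listed accounts, investigate the orphaned ones, and either approve or remove the admin role assignments.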

HTTP Cookie Security in Custom Applications

Security must be built into custom applications from development through deployment. Common secure coding practices, such as data encryption, prevention of typical malicious attacks, and securing the interaction between a server and a client's web browser, must be included and tested throughout the whole life cycle, on top of the security foundation that Oracle Cloud provides at the infrastructure and platform levels.

HTTP cookies are a common mechanism for sharing state between HTTP clients and servers. Because cookies are easy to use and are not restricted to a specific format, their usage varies widely, from short values used solely as a session key for retrieving state on the server during request processing, to containers of data that are shared and jointly edited by client and server code. Almost every web application uses some form of HTTP cookie, often for critical functionality such as tracking the user's identity or the state of the user's session.

The security of HTTP cookies is based on the notion of the Same Origin Policy (SOP). The basis of SOP for cookies is twofold:

  • Cookies should only be able to be set by the website the client is communicating with.

  • Cookies should only be returned to the websites that created them.

The scope of a cookie can be limited either to a specific website such as foo.bar.com or to an entire domain such as bar.com in which case the cookie will be sent to all websites that belong to the specified domain, for example, www.bar.com and payments.bar.com. A website sets cookies by returning a specific HTTP response header that defines the name, value, scope, and other attributes of the cookie.

Attacks using a domain cookie to attempt to poison other websites are not new and are not restricted to only cloud providers.

In summary, a combination of factors makes HTTP cookies an attractive target for attackers. These factors include the limits of SOP, inconsistency among browsers in their support for preventative schemes, and, more importantly, the frequency and importance of cookie usage. Therefore, to prevent cookie hijacking and related forgeries, application developers should adopt security design best practices that do not depend on the browser. The following table lists the recommended best practices for using cookies.

The table has four columns: Application Requirement for HTTP Cookies, Security Best Practices, Required Setting, and Exposure / Recommendation. Each row below is one table entry.

Requirement: No need for sharing among hosts within a domain, and no need for access by JavaScript or applets.

  • Security best practices: signed and encrypted; host scoped; HttpOnly=True

  • Required setting: N/A

  • Exposure / Recommendation: This is the recommended posture for custom applications. Oracle Cloud components must conform.

Requirement: Need to allow JavaScript or applets to access or set cookies.

  • Security best practices: signed and encrypted; host scoped

  • Required setting: HttpOnly=False

  • Exposure / Recommendation: A cross-site scripting (XSS) vulnerability can be exploited by malicious scripts. Therefore, cookie integrity validation by the website is critical.

Requirement: Need to share among many hosts in the domain.

  • Security best practices: signed and encrypted; domain scoped; HttpOnly=True

  • Required setting: HttpOnly=False

  • Exposure / Recommendation: Exposed to malicious websites in the same domain. Do not rely on the Oracle Cloud domain; use vanity domains.

Requirement: Need to allow JavaScript or applets and need to share among many hosts in the domain.

  • Security best practices: signed and encrypted; domain scoped

  • Required setting: HttpOnly=False

  • Exposure / Recommendation: Adopt both of the measures from the two previous rows.
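The following Python is an added example, not Oracle's code and not part of the original page. It shows the integrity half of the "signed and encrypted" posture using a standard-library HMAC-SHA256 tag, the server-side validation that the table calls critical when scripts can reach cookies, and a Set-Cookie builder that produces the host-scoped and domain-scoped variants with and without HttpOnly, one per table row. The function names, the example key, and the bar.com hosts are assumptions; the Secure attribute is added here beyond what the page lists; encryption of the cookie body (for example AES-GCM from a cryptography library) is assumed to be applied to the payload before it is signed and is not implemented here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key for this example only; a deployment loads it from a secret store and
# rotates it. Every host that validates the cookie must share the same key.
SECRET_KEY = b"example-signing-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie_value(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize payload as <base64 body>.<base64 HMAC-SHA256 tag>.
    Encryption of the body (assumed, e.g. AES-GCM) would be applied before signing."""
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def verify_cookie_value(value: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the payload if the tag matches, else None (tampered, forged, or malformed).
    This is the integrity validation the website performs on every request."""
    try:
        body, tag = value.rsplit(".", 1)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):  # constant-time comparison
            return None
        return json.loads(_b64d(body))
    except ValueError:  # covers base64, JSON, unpacking and encoding errors
        return None


def set_cookie_header(name: str, value: str, *, domain: Optional[str] = None,
                      http_only: bool = True, secure: bool = True) -> str:
    """Build a Set-Cookie header for the postures in the table.
    domain=None      -> host scoped: returned only to the host that set it.
    domain="bar.com" -> domain scoped: shared with www.bar.com, payments.bar.com, ...
    http_only=False  -> only when page scripts or applets must read or set the cookie."""
    attrs = [f"{name}={value}", "Path=/"]
    if domain is not None:
        attrs.append(f"Domain={domain}")
    if secure:
        attrs.append("Secure")    # added here: sent only over TLS
    if http_only:
        attrs.append("HttpOnly")  # scripts cannot read the cookie via document.cookie
    return "Set-Cookie: " + "; ".join(attrs)


def table_postures(payload: dict) -> dict:
    """One header per table row, all carrying the same signed value."""
    v = sign_cookie_value(payload)
    return {
        "row1_host_httponly": set_cookie_header("SID", v),
        "row2_host_script_access": set_cookie_header("SID", v, http_only=False),
        "row3_domain_httponly": set_cookie_header("SID", v, domain="bar.com"),
        "row4_domain_script_access": set_cookie_header("SID", v, domain="bar.com", http_only=False),
    }


def integrity_demo():
    """A body edited on the client (here the role claim) with the old tag fails validation."""
    good = sign_cookie_value({"user": "alice", "role": "user"})
    _, tag = good.rsplit(".", 1)
    edited = _b64e(b'{"role":"admin","user":"alice"}') + "." + tag
    return verify_cookie_value(good), verify_cookie_value(edited)


if __name__ == "__main__":
    for row, header in table_postures({"user": "alice", "role": "user"}).items():
        print(row, "->", header)
    print("integrity check (valid, edited):", integrity_demo())
```

The signature is what makes the HttpOnly=False and domain-scoped rows survivable: a script or a sibling host in the domain can read or replace the cookie, but cannot produce a valid tag without the server key, so the server rejects the altered value instead of trusting it. Rejected cookies are worth logging, since a burst of them from one client is a useful detection signal.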
