Oracle® Cloud Getting Started with Oracle Cloud
Release 12.2

Part Number E27036-02

5 Securing Oracle Cloud

Security is the foundation of Oracle Cloud services, including physical security, operating system and virtualization layer security, and tenant isolation. In a cloud-based application environment, security is a shared responsibility: Oracle secures the infrastructure and platform layers, and you are responsible for implementing best practices as applicable to your business or organization. End-to-end security requires network and application level security in your own environment as well. The following are guidelines that you should consider and implement as you prepare to move your enterprise environment to a multi-tenant cloud environment.

Topics:

Common Security Considerations

Security is particularly important in Oracle Cloud because its customers can be attractive phishing targets.

All the standard IT security practices that applied before the cloud era are still applicable and must be implemented in a cloud environment. The following security best practices cover people, processes, and products.

General Oracle Cloud Security Awareness

  • Update your browser and antivirus to the latest versions.

  • Install email filtering.

  • Install firewall security and configure whitelists accordingly.

  • Educate and familiarize your users with Oracle Cloud identity management services, such as using credentials and an identity domain to log in, and setting up challenge questions for the password reset procedure.

  • Establish in-house helpdesk security practices specific for cloud applications.

  • Involve your security or compliance specialists in cloud planning.

  • Adopt good coding practices.

  • Isolate sensitive data.

Identity Management and Access Control Best Practices

  • Implement proper user identity life cycle management.

    • Develop policies for new users.

    • Only grant access to Oracle Cloud services to those who require them.

    • Routinely examine and ensure employee systems and identities in Oracle Cloud are updated and synchronized.

    • Remove Oracle Cloud service access to employees who are suspended or terminated.

  • Implement proper role segregation.

  • Properly assign roles only to those who are entitled to use them. For example: assign administrative roles such as Service Admin or Identity Domain Administrator carefully.

  • Enforce a strong password policy.

  • Implement a portal that provides single access to Oracle Cloud services.

Custom Applications Security Practices

To implement security from development through deployment of custom applications, common secure coding practices must be included and tested throughout the whole life cycle, on top of the security foundation that Oracle Cloud provides at the infrastructure and platform levels. These practices include data encryption, prevention of typical malicious attacks (for example, cross-site scripting), and, for web applications, securing the interaction between the server and the client's web browser.

The following are security guidelines for both web and non-web-enabled applications.

Common Web Application Security Considerations

About HTTP cookie security

HTTP cookies are a common mechanism for sharing state between HTTP clients and servers. Because they are easy to use and are not restricted to a specific format, their usage varies widely from short values that are used solely as a session key for retrieving state on the server during request processing to containers of data that are shared and jointly edited by client and server code. Almost every web application uses some form of HTTP cookie often for critical functionality such as tracking user identity or the state of a user's session.

The security of HTTP cookies is based on a notion similar to the Same Origin Policy (SOP): a cookie should only be set by, and only be returned to, the web site(s) that created it. Note that cookie scoping is looser than the SOP that governs scripts: it is keyed on host name and path, not on scheme or port, so a cookie set over HTTPS is also sent over plain HTTP unless it carries the Secure attribute. The scope of a cookie can be limited to a specific host such as foo.bar.com (host scoped, which is what you get when the Domain attribute is omitted), or it can be scoped to an entire domain such as bar.com (Domain=bar.com), in which case the cookie is sent to all hosts that belong to that domain, for instance www.bar.com and payments.bar.com. A web site sets cookies by returning a Set-Cookie HTTP response header that defines the name, value, scope (Domain and Path), and other attributes (such as Secure and HttpOnly) of the cookie.

Attacks in which one host in a domain sets a domain-scoped cookie in order to poison sibling web sites in the same domain (for example, to plant or override another site's session cookie) are not new, nor are they restricted to cloud providers; they simply matter more when many applications share one parent domain.

In summary, a combination of factors makes HTTP cookies an attractive target for attackers: the loose scoping rules just described, inconsistency among browsers in their support for preventative schemes, and, more importantly, the frequency and importance of their usage. Therefore, to prevent cookie hijacking and related forgeries, application developers should adopt security design best practices that do not depend on the browser, such as signing and encrypting cookie values on the server and validating them on every request. For a list of recommended best practices for using cookies, see Table 5-1.

Table 5-1 Cookie Security Best Practices

The table has four columns: Application requirement for HTTP cookies; Security best practices; Required setting (the setting that the requirement forces you to relax from the recommended posture); Exposure / recommendation.

Row 1
  Application requirement for HTTP cookies: No need for sharing among hosts within a domain; no need for access by JavaScript or applets.
  Security best practices: Signed and encrypted; host scoped; HttpOnly=True.
  Required setting: N/A
  Exposure / recommendation: This is the recommended posture for custom applications. Oracle's own Oracle Cloud components must conform to it.

Row 2
  Application requirement for HTTP cookies: Need to allow JavaScript or applets to access or set cookies.
  Security best practices: Signed and encrypted; host scoped.
  Required setting: HttpOnly=False
  Exposure / recommendation: A cross-site scripting (XSS) vulnerability can be exploited by malicious scripts to read or rewrite the cookie. Therefore, cookie integrity validation by the web site (verifying the signature on every request) is critical.

Row 3
  Application requirement for HTTP cookies: Need to share among many hosts in the domain.
  Security best practices: Signed and encrypted; domain scoped; HttpOnly=True.
  Required setting: Domain scoped (HttpOnly=True is retained)
  Exposure / recommendation: Exposed to a malicious web site in the same domain. Do not rely on the shared Oracle Cloud domain; use vanity domains.

Row 4
  Application requirement for HTTP cookies: Need to allow JavaScript or applets, and need to share among many hosts in the domain.
  Security best practices: Signed and encrypted; domain scoped.
  Required setting: HttpOnly=False
  Exposure / recommendation: Both exposures above apply; adopt both of the measures from the two rows above.