1 New Features and Enhancements

The following topics describe new features and enhancements for Oracle® Communications Security Shield Cloud Service releases.

24.0.4.0.0 May 2024

The following information describes the new content and behavior delivered in the latest Oracle® Communications Security Shield Cloud Service (Security Shield) release.

The following table describes the enhancements in the Security Shield 24.0.4.0.0 release.

Table 1-1 New Features and Enhancements

Features and Enhancements Description
Cloud Communication Service Supports TLS 1.3
The Cloud Communication Service (CCS) supports TLS 1.3 in addition to the versions currently supported.
  • Customers installing CCS for the first time do not need to do anything specific.
  • Existing customers who are updating their CCS version need to modify their cfg/cfg.json file with the following changes, marked with "<<<------" annotations (the annotations are not part of the file), before activating the new CCS.

Instructions for Modifying the cfg/cfg.json File

    "LAN": {
        "Server-Addr": "0.0.0.0",
        "Server-Port": 8000,
        "TLS-Cipher-Suite": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384",   <<<------ Weak ciphers are removed
        "TLSv13-Cipher-Suite": "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",   <<<------ New line added
        "TLS-Server-Cert": "./ssl/lan-cert.pem",
        "TLS-Server-Key": "./ssl/lan-key.pem",
        "TLS-Server-DH": "./ssl/dh2048.pem",
        "TLS-Client-CA-Path": "./ssl/ca",
        "TLS-Client-Verify": true,
        "API-Key-Verify": true
    },
    "WAN": {
        "Server-FQDN": "ccs.tesla.com",
        "Server-Addr": "0.0.0.0",
        "Server-Port": 443,
        "TLS-Cipher-Suite": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
        "TLSv13-Cipher-Suite": "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384",   <<<------ New line added
        "TLS-Server-Cert": "./ssl/wan-cert.pem",
        "TLS-Server-Key": "./ssl/wan-key.pem",
        "TLS-Server-DH": "./ssl/dh2048.pem",
        "TLS-Client-CA-Path": "./ssl/ca",
        "TLS-Client-Verify": true,
        "IDCS-FQDN": "idcs.oraclecloud.com",
        "IDCS-Port": 443,
        "IDCS-Tenant-ID": "idcs-tenant-id",
        "IDCS-Verify": true
    }
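
The following check is an added example, not Oracle's code: it compares the LAN and WAN sections of a parsed cfg.json against the cipher lists shown above and reports what still needs editing before the new CCS is activated. It assumes LAN and WAN are top-level keys of the file; check_cfg, OLD_CFG and EXAMPLE-LEGACY-SUITE are hypothetical names.

```python
import json

# Suite lists copied from the updated LAN and WAN sections in this release note.
TLS12_DOCUMENTED = {
    "LAN": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
            "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"],
    "WAN": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
}
TLS13_DOCUMENTED = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]


def suites(value):
    """Split a colon-separated cipher string, ignoring empty items."""
    return [s.strip() for s in str(value).split(":") if s.strip()]


def check_cfg(cfg):
    """Return findings for a parsed cfg.json; an empty list means it matches the note."""
    findings = []
    for section, documented in TLS12_DOCUMENTED.items():
        block = cfg.get(section)
        if not isinstance(block, dict):
            findings.append(f"{section}: section missing")
            continue
        listed = suites(block.get("TLS-Cipher-Suite", ""))
        if not listed:
            findings.append(f"{section}: TLS-Cipher-Suite missing or empty")
        for name in listed:
            if name not in documented:
                findings.append(f"{section}: TLS-Cipher-Suite has undocumented suite {name}")
        if "TLSv13-Cipher-Suite" not in block:
            findings.append(f"{section}: TLSv13-Cipher-Suite line not added")
            continue
        for name in suites(block["TLSv13-Cipher-Suite"]):
            if name not in TLS13_DOCUMENTED:
                findings.append(f"{section}: TLSv13-Cipher-Suite has undocumented suite {name}")
    return findings


# Constructed pre-update file. EXAMPLE-LEGACY-SUITE is a placeholder, not a real
# cipher name: the note does not list which suites were removed.
OLD_CFG = json.loads("""
{
  "LAN": {"Server-Port": 8000,
          "TLS-Cipher-Suite": "ECDHE-RSA-AES128-GCM-SHA256:EXAMPLE-LEGACY-SUITE"},
  "WAN": {"Server-Port": 443,
          "TLS-Cipher-Suite": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
          "TLSv13-Cipher-Suite": "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384"}
}
""")

if __name__ == "__main__":
    for line in check_cfg(OLD_CFG):
        print(line)
```

To check a real deployment, pass the result of json.load() on your own cfg/cfg.json to check_cfg in place of OLD_CFG.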

24.0.0.0.0 February 2024

The following information describes the new content and behavior delivered in the latest Oracle® Communications Security Shield Cloud Service (Security Shield) release.

The following table describes the new features and enhancements in the Security Shield 24.0.0.0.0 release.

Table 1-2 New Features and Enhancements

Features and Enhancements Description
Updated User Interface (continued)

Oracle continued updating the Security Shield User Interface (UI) to align with Oracle styles and standards. You may notice slight variations in behavior, which are documented in the User's Guide along with new screen captures of the affected UI.

New Scoreboard for Trusted Enterprise Calls

Oracle added the new Answered Outbound Calls scoreboard metric card to the Dashboard to support the Trusted Enterprise Calls subscription.

The Answered Outbound Calls scoreboard metric card displays the number of outbound calls that were answered, and when selected, a dashboard with the following content displays:
  • Call answer rate—Shows the percentage of the number of outbound calls that were answered in the last 24 hours.
  • Top outbound numbers by call volume—Shows the top fifteen attested outbound phone numbers and the top fifteen unattested outbound phone numbers that were answered in the last 24 hours.
  • Average call duration by type—Shows the average duration of attested and unattested calls in minutes and notes the percentage of difference between the two in the last 24 hours.

See "The Dashboard" chapter in the User's Guide.

Short Number Processing Enhancement

To provide better results from phone number lookups, Oracle enhanced the lookup behavior for inbound calls as follows:

  • When a phone number contains fewer than seven digits, Security Shield will not perform the number lookup. In this way Security Shield avoids generating a lookup response with a high risk because the number does not comply with number plans, which can reduce false positive results.

Always Send the P-OCSS-Call-Info Header

Security Shield includes the P-OCSS-Call-Info header regardless of the lookup response so you can rely on the P-OCSS-Call-Info header for call treatment.

See "P-OCSS-Call-Info Header Codes" in the User's Guide.

New SPL Options for Inbound and Outbound Calls

The 24.0.0.0.0 release adds new SPL options to send only inbound or outbound calls to the Security Shield cloud.

The SPL option "ocssEnabled" can allow the Session Border Controller to send both inbound and outbound calls to Security Shield for policy lookup. The SPL package provides the flexibility to choose whether you want to send only inbound calls or only outbound calls to Security Shield for policy lookup by way of the new "inboundOnly" and "outboundOnly" spl-option configurations.

Configuration options:
  • spl-options ocssEnabled, inboundOnly—Allows only inbound calls
  • spl-options ocssEnabled, outboundOnly—Allows only outbound calls
  • spl-options ocssEnabled—Allows both inbound and outbound calls

Configuration Examples:

realm-config
spl-options ocssEnabled,inboundOnly
realm-config
spl-options ocssEnabled,outboundOnly

About the New SPL Package

SPL version: 1.15.0.0 (Package Build : 1.14_20240124223927)

Customers currently using Security Shield must upgrade their Session Border Controllers to the latest released SPL, but only after upgrading their tenant to the latest Security Shield release. Get the latest version available for download from Oracle Software Delivery Cloud or My Oracle Support. Install the SPL on the external-facing realm.

23.3.1.0.0 January 2024

The following information describes the new content and behavior delivered in the latest Oracle® Communications Security Shield Cloud Service (Security Shield) release.

The following table describes the new features and enhancements in the Security Shield 23.3.1.0.0 release.

Features and Enhancements Description
Trusted Enterprise Calls

To help you achieve higher answer percentages and longer connection times for your outbound enterprise calls, Security Shield can optionally provide call signing and phone number attestation for trusted outbound enterprise calls. You can use the call attestation service completely through Security Shield or you can use your own call signing and attestation vendor in conjunction with Security Shield.

You can use Trusted Enterprise Calls as a standalone subscription or you can use it with the Standard or Premium subscriptions.

For North American customers only.

See "Trusted Enterprise Calls" in the User's Guide.

23.3.0.0.0 - December 2023

The following information describes the new content and behavior delivered in the latest Oracle® Communications Security Shield Cloud Service (Security Shield) release.

The following table describes the new features and enhancements in the Security Shield 23.3.0.0.0 release.

Features and Enhancements Description
Support for Podman with Oracle Linux 8

Security Shield adds support for the Podman container engine for Oracle Linux 8. When you install the Cloud Communications Service during your Security Shield configuration, you can now choose either Podman or Docker as the container engine.

In the Installation and Maintenance Guide see:
  • Install, Configure, and Activate the Cloud Communication Service
  • Deactivate the Cloud Communication Service
  • Update the Cloud Communication Service

23.3.0.0.0 - November 2023

The following information describes the new content and behavior delivered in the latest Oracle® Communications Security Shield Cloud Service (Security Shield) release.

The following table describes the new features and enhancements in the Security Shield 23.3.0.0.0 release.

Features and Enhancements Description
Updated User Interface
Oracle updated the Security Shield User Interface (UI) to align with current styles and standards. You may notice slight variations in behavior, which are documented in the User's Guide along with new screen captures of the UI. For example:
  • Configuration dialogs are now called drawers because they slide out from the side of the page rather than pop up, as before.
  • Search fields support using supplied filter chips to help you narrow your search.
  • Navigation to the main pages occurs through a menu rather than by way of tabs, as before.
  • Information about your subscription displays when you click your initials on the banner rather than by way of a tile on the Dashboard, as before.

Changes to Reputation Score Classification Mappings

There are now only three classifications on the Reputation Score Classification page: Low Risk, Medium Risk, and High Risk.

Standard Subscription
  • Former High Risk still maps to High Risk
  • Former Suspicious Risk now maps to Medium Risk
  • Former Acceptable Risk and Good Risk now map to Low Risk

Premium Subscription
  • Former Critical Risk and Severe Risk now map to High Risk
  • Former Significant Risk and Suspicious Risk now map to Medium Risk
  • Former Acceptable Risk and Good Risk now map to Low Risk

Changes to Enforcement Action Mappings for Existing Tenants

The following changes apply to existing tenants following an upgrade. Existing tenants show six classifications, but will show only three after the upgrade.

Security Shield merges existing classifications into the new ones as follows and gives precedence to the enforcement action noted with the asterisk.
  • Good and Acceptable combine to form Low Risk.
  • Significant Risk and Suspicious combine to form Medium Risk.
  • Severe Risk and Critical Risk combine to form High Risk.

For example: Suppose you had set Block for Significant Risk and Allow for Suspicious in your existing configuration. After you upgrade, Security Shield combines those classifications into the new Medium Risk classification and prefers the enforcement action set for Suspicious. In this example, Security Shield displays Allow for the enforcement action for the Medium Risk classification.

Note: After the upgrade, you can reset the enforcement action for the new classifications on the Reputation Score Classification page. Choices include Allow, Block and Redirect.

Enforcement Action Defaults for New Tenants

The following behavior applies to new tenants:

  • The High Risk enforcement action defaults to Block.
  • The Low Risk and Medium Risk enforcement actions default to Allow.

23.2.0.0.0 - August 2023

The following information describes the new content and behavior delivered in the latest Oracle® Communications Security Shield Cloud Service release.

The following table describes the new features and enhancements in the Oracle® Communications Security Shield Cloud Service 23.2.0.0.0 release.

Features and Enhancements Description
Tenant-Based Exclusion List

You may have other departments, company locations, trusted affiliates, trusted partners, and other trusted entities that call you frequently. You can exclude phone numbers for those parties from risk assessment using a new enforcement action called "Exclude". Such high-frequency numbers may otherwise generate high-risk responses resulting in blocked calls, even though the numbers are trusted.

To enable customers to exclude certain trusted high-frequency numbers from risk scoring, Oracle modified the behavior of the Allow enforcement action and added the new Exclude enforcement action.

Allow—Oracle® Communications Security Shield Cloud Service ignores the risk assessment and allows the call with no further threat detection evaluation. Oracle® Communications Security Shield Cloud Service classifies the call as "Good."

Exclude—Oracle® Communications Security Shield Cloud Service ignores the risk assessment and still evaluates the call against TDoS, Traffic Pumping, Spoofing, and Toll Fraud threat detection. Fraud Risk, Spam Risk and Call Center detection is bypassed.

See "Access Control List Enforcement Actions" in the Oracle® Communications Security Shield Cloud Service User's Guide.

Analytics Reports Enhancement

Oracle created a new version of the Project Workbook and Data Set for the Oracle® Communications Security Shield Cloud Service Analytics reports for enhanced performance when loading the data set. The enhanced Project workbook and Data Set, called OCSS 2.0, contains all the same default reports and data points as before with no additions.

Unlike the previous Project workbook, OCSS 2.0 uses materialization to pre-compute the data set. The advantage of materialization is faster loading times compared to querying the base table view of the data, which is especially beneficial for large data sets.

Oracle recommends that you use filters to limit the data that is loaded for even greater efficiency. If you set the filters to the full 30 days, with all other filters disabled, loading times may be longer because the loading time is a function of the data size.

Note: The materialization process updates the data set every five minutes, so you may notice that some new calls do not appear in the results right away.

You can still use the original analytics Project Workbook and Data Set, called OCSS on the UI, with no modification required, for at least the duration of the 23.2.0.0.0 release. If you have existing reports based on the OCSS Project Workbook and Data Set, Oracle recommends moving them to the OCSS 2.0 Project because the OCSS Project Workbook and Data Set will reach end-of-life in the not-too-distant future.

Important: From the 23.2.0.0.0 release and forward, when you create a custom analytics Project, you must use OCSS 2.0.

See "Call Traffic Analytics" in the Oracle® Communications Security Shield Cloud Service User's Guide.

Support for Multi-Factor Authentication to Cloud Account (OCI Console)

As part of continuous efforts to improve the security of Oracle Cloud Infrastructure (OCI), Oracle started the next phase of the Multi-Factor Authentication plan for the OCI Console. The new policy is designed specifically to help prevent the compromise of customer cloud accounts (OCI Console). It is not for access to the Oracle® Communications Security Shield Cloud Service Dashboard and analytics. To learn more about the policy, see About the "Security Policy for OCI Console" Sign-On Policy.

New Customers

All new Identity Access Management (IAM) domains and Identity Cloud Service (IDCS) stripes now include a sign-on policy named "Security Policy for OCI Console" seeded in the active state.

Existing Customers

After a two-week period of seeding the policy in a disabled state, Oracle will activate the policy for existing customers who do not activate it themselves. The Appendix at the end of this document explains the enforcement rules Oracle will apply. The new policy is in effect. Oracle is activating the "Security Policy for OCI Console" by default.

If you want to opt out of Oracle automatically activating the policy, delete the "Security Policy for OCI Console" sign-on policy using REST APIs. See Delete a Policy.

For information about the enforcement rules Oracle applies to activating the new Multi-Factor Authentication policy for the OCI Console, see Appendix-A for What's New 23.2.0.0.0.

Cloud Communication Service (CCS) Patch Released

Oracle pushed Cloud Communication Service release 1.3.0.1 to My Oracle Support (MOS) as 1.12.10 (Program Increment 12, Patch 12). Ensure that your deployment uses the version of CCS in the 1.12.10 package.

There are no CCS changes for Program Increment 13 (23.2.0.0.0).

Appendix-A for What's New 23.2.0.0.0

Oracle will not activate the Multi-Factor Authentication policy for Oracle Cloud Infrastructure (OCI) when an active external IDP (SAML/Social or X.509) is configured in the IAM domain or IDCS Stripe. When no external IDP is configured, the enforcement rule in the following table applies.

Table 1-3 Activation Rules

| Tenancy Type | Sign-on Policy "Security Policy for OCI Console" status | The customer has defined its own sign-on policy for the OCI Console or has explicitly assigned the OCI Console to the default sign-on policy | Sign-on policy "Security Policy for OCI Console" status after forced activation |
|---|---|---|---|
| With IAM Domain (All domain types) | Present and enabled | N/A. When the customer has a sign-on policy in place, there is no change. | No Change. |
| With IAM Domain (All domain types) | Present and disabled | No | Change the policy to Present and enabled. |
| With IAM Domain (All domain types) | Present and disabled | Yes | No Change. Oracle will not overwrite a customer-defined policy. |
| With IAM Domain (All domain types) | Deleted | N/A | No Change. |
| With IDCS Stripes Enabled (All IDCS Types) | Present and enabled | N/A. When the customer has a sign-on policy in place, there is no change. | No Change. |
| With IDCS Stripes Enabled (All IDCS Types) | Present and disabled | No | Change the policy to Present and enabled. |
| With IDCS Stripes Enabled (All IDCS Types) | Present and disabled | Yes | No Change. Oracle will not overwrite a customer-defined policy. |
| With IDCS Stripes Enabled (All IDCS Types) | Deleted | N/A | No Change. |

23.1.0.0.0 - May 2023

The following information describes the new content and behavior delivered in the latest Oracle® Communications Security Shield Cloud Service (Security Shield) release.

The following table describes the new features and enhancements in the Security Shield 23.1.0.0.0 release.

Features Description
Policy Updates

Oracle streamlined how the Session Border Controller learns of policy updates after an initial response from OCSS, so that you no longer need to provision a network device to allow traffic into your network.