About Effective Strategies for Security and Compliance

A security and compliance approach encompasses three key strategies: design, monitor, and optimize. These strategies are applied iteratively and each can feed back into the others.

Create a Design Strategy

A comprehensive security design strategy provides security assurance through identity management: the process of authenticating and authorizing security principals. Use identity management services to authenticate and grant permission to users, partners, customers, applications, services, and other entities.

It also encourages protection of assets by placing controls on network traffic originating in Oracle Cloud Infrastructure, between on-premises and Oracle Cloud Infrastructure-hosted resources, and traffic to and from Oracle Cloud Infrastructure. If security measures aren't in place, attackers can gain access; for example, by scanning across public IP ranges. Proper network security controls can provide defense-in-depth elements that help detect, contain, and stop attackers who attempt to gain entry to your cloud deployments.

A successful design strategy will also endeavor to classify, protect, and monitor sensitive data assets using access control, encryption, and logging in Oracle Cloud Infrastructure. It will also place controls on data at rest and in transit.

Applications and the data associated with them act as the primary store of business value on a cloud platform. Applications can play a role in risks to the business because they encapsulate and run business processes which need to be available and provided with high integrity. Applications also store and process business data which requires high assurances of confidentiality, integrity, and availability. Therefore, a successful strategy should focus on and enable application and data security.

Create a Monitoring and Auditing Strategy

A successful monitoring strategy will focus on health modeling.

Health modeling refers to the activities that maintain the security posture of a workload through monitoring. These activities can indicate whether the current security practices are effective, or whether there are new requirements. Health modeling can include these categories:

  • Monitor the workload and the infrastructure in which it runs.
  • Conduct audits.
  • Enable, acquire, and store audit logs.
  • Apply security updates and patches.
  • Respond to incidents.
  • Simulate attacks based on real incidents.

Create an Optimization Strategy

Once a secure baseline has been established for security operations in the cloud, security teams will need to continuously investigate cloud-specific security processes and controls that can result in advances and optimizations over existing security practices.

Thousands of businesses are successfully and safely using cloud services to meet business goals for increasing the agility and decreasing the cost of IT services. This best practices framework provides recommendations for patterns across the security operations organizations that will deliver the needed security architectures, processes and controls to enable safe business use of cloud services. In addition to starting with a secure deployment, you should implement a strategy of continuous improvement.

Follow Security Design Principles

The articles in this pillar describe how to implement the three strategies of design, monitor, and optimize, and offer recommendations for how they can be implemented in Oracle Cloud Infrastructure. Each of these recommendations implements one or more of the following security design principles.

These principles support these three key strategies and describe a securely architected system hosted on cloud or on-premises data centers (or a hybrid combination of both). Application of these principles will dramatically increase the likelihood that your security architecture will maintain assurances of confidentiality, integrity, and availability.

Best security and compliance practices implement these design principles:

  • Design for Attackers: Your security design and prioritization should be focused on the way attackers see your environment, which is often not the way IT and application teams see it. Inform your security design and test it with penetration testing to simulate one-time attacks. Use red teams to simulate long-term persistent attack groups. Design your enterprise segmentation strategy and other security controls to contain attacker lateral movement within your environment. Actively measure and reduce the potential attack surface that attackers target for exploitation of resources within the environment.
    • Limit Permissions Based on Requirements: Write policies that are as granular as possible in terms of the target resources and the required access privileges.
    • Enforce Network Segmentation. Restrict traffic to isolate application deployments from each other at a network level, and use an allowlist for all required network flows. Minimize overly permissive traffic.
  • Leverage Native Controls: Favor native security controls built into cloud services over external controls from third parties. Native security controls are maintained and supported by the service provider, eliminating or reducing effort required to integrate external security tooling and update those integrations over time.
  • Use Identity as Primary Access Control: Access to resources in cloud architectures is primarily governed by identity-based authentication and authorization for access controls. Your account control strategy should rely on identity systems for controlling access rather than relying on network controls or direct use of cryptographic keys.
  • Accountability: Designate clear ownership of assets and security responsibilities and ensure actions are traceable for non-repudiation. You should also ensure entities have been granted the least privilege required (to a manageable level of granularity).
  • Embrace Automation: Automation of tasks decreases the chance of human error that can create risk, so both IT operations and security best practices should be automated as much as possible to reduce human errors (while ensuring skilled humans govern and audit the automation).
  • Focus on Information Protection: Intellectual property is frequently one of the biggest repositories of organizational value and this data should be protected anywhere it goes, including cloud services, mobile devices, workstations, and collaboration platforms (without impeding collaboration that allows for business value creation). Your security strategy should be built around classifying information and assets to enable security prioritization, leveraging strong access control and encryption technology, and meeting business needs such as productivity, usability, and flexibility.
  • Design for Resilience: Your security strategy should assume that controls will fail and design accordingly. Making your security posture more resilient requires several approaches working together:
    • Ongoing Vigilance: Ensure that anomalies and potential threats that could pose risks to the organization are addressed in a timely manner.
    • Defense in Depth: Consider additional controls in the design to mitigate risk to the organization in the event a primary security control fails. This design should consider how likely the primary control is to fail, the potential organizational risk if it does, and the effectiveness of the additional control (especially in the likely cases that would cause the primary control to fail).
    • Defense at Edge: Consider effective integrated edge security to control threats before they impact your applications. This is critical for information security policy compliance.
    • Least Privilege: This is a form of defense in depth to limit the damage that can be done by any one account. Accounts should be granted the least amount of privilege required to accomplish their assigned tasks. Restrict the access by permission level and by time. This helps to mitigate the damage of an external attacker who gains access to the account, or an internal employee who inadvertently (or deliberately, as with an insider attack) compromises security assurances.
  • Assume Zero Trust: When evaluating access requests, all requesting users, devices, and applications should be considered untrusted until their integrity can be sufficiently validated. Access requests should be granted conditionally based on the requestor's trust level and the target resource’s sensitivity. Reasonable attempts should be made to offer means to increase trust validation (for example, requesting multi-factor authentication) and to remediate known risks (changing a known-leaked password, remediating a malware infection) to support productivity goals.
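The "Limit Permissions Based on Requirements" and "Least Privilege" principles above can be checked mechanically against the policy statements a tenancy actually carries. The following is an added example, not Oracle's code or tooling: it parses a simplified form of the Oracle Cloud Infrastructure IAM policy grammar (`Allow group <g> to <verb> <resource-type> in <scope> [where <condition>]`; `any-user` and dynamic-group statements are deliberately not covered) and flags grants that are broader than the principle allows. The group, compartment and bucket names are constructed sample values.

```python
import re

# Simplified OCI IAM policy grammar (assumption for this example):
#   Allow group <name> to <inspect|read|use|manage> <resource-type>
#       in (tenancy | compartment <name>) [where <condition>]
_STMT = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$",
    re.IGNORECASE,
)


def parse_statement(stmt):
    """Split one policy statement into its parts; raise on anything outside the grammar."""
    m = _STMT.match(stmt.strip())
    if not m:
        raise ValueError(f"unparseable policy statement: {stmt!r}")
    parts = m.groupdict()
    parts["verb"] = parts["verb"].lower()
    return parts


def least_privilege_findings(stmt):
    """Return the least-privilege concerns for one statement (empty list means no concern)."""
    p = parse_statement(stmt)
    findings = []
    if p["resource"].lower() == "all-resources":
        findings.append("grants every resource type instead of the ones the task needs")
    if p["scope"].lower() == "tenancy":
        findings.append("scoped to the whole tenancy instead of a compartment")
    if p["verb"] == "manage":
        findings.append("'manage' verb where a narrower verb (read/use) may suffice")
    if p["verb"] in ("use", "manage") and not p["cond"]:
        findings.append("write-capable grant has no 'where' condition narrowing the target")
    return findings


def audit_policies(statements):
    """Map each statement to its findings so a reviewer can see which grants need tightening."""
    return {s: least_privilege_findings(s) for s in statements}


# Constructed sample statements: one over-broad grant, one granular grant, one in between.
SAMPLE_POLICIES = [
    "Allow group DevOps to manage all-resources in tenancy",
    "Allow group AppReaders to read objects in compartment App-Prod where target.bucket.name='app-logs'",
    "Allow group Ops to use instances in compartment App-Prod",
]

if __name__ == "__main__":
    for stmt, findings in audit_policies(SAMPLE_POLICIES).items():
        print(f"[{'WARN' if findings else 'OK  '}] {stmt}")
        for f in findings:
            print(f"         - {f}")
```

Run against an exported list of statements, the first sample yields four findings and the second none, which is the distinction between a tenancy-wide `manage all-resources` grant and a read grant scoped to one compartment and one bucket.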