Optimize the Security Posture of Your Environment

Designing security controls is an iterative process, and a successful security implementation relies on continuous monitoring and optimization. In Oracle Cloud Infrastructure, optimization of security postures is carried out using Oracle Cloud Guard.

Enable Oracle Cloud Guard for Optimization

Enterprise Architect, Security Architect, Network Architect

One of the most interesting design principles of Oracle Cloud Guard is Oracle's use of Embedded Expertise. Oracle knows which problems to look for and how to apply security features to mitigate them.
Oracle embeds its expertise in Oracle Cloud Guard with out-of-the-box rules to identify common problems and any deviations from the baseline that was fixed during the design stage, and then optimises accordingly. By embedding its expertise, Oracle lifts the burden from you, removing the need to build these policies yourself.

Oracle Cloud Guard has two main configuration options: detector recipes and responder recipes. Detector recipes deal with how certain violations are detected, and responder recipes deal with how the violations are responded to.

Detector recipes are a predefined and pre-configured set of rules. These recipes detect security violations and risks (if any) that are present in your cloud account, based on security best practices for Oracle Cloud Infrastructure.

Detector recipes can be one way to effect optimization to your infrastructure. They have the following variations:

  • Configuration detector recipe
  • Activity detector recipe
  • Threat detector recipe
  • Instance security recipe

Upon detecting a rule violation through a detector recipe, Oracle Cloud Guard can take one of the pre-configured actions from the responder recipe. These actions are resource-dependent. For example, it stops or deletes a Compute instance if it has a public IP, or makes a publicly visible Object Storage bucket private. These responder recipes can use more rules to recommend an action, and the selection of rules depends on the resource type. Detector recipe rules can be tuned to align to your security standards to enable you to create recipes with the right detentions at the right severity.

Create a security zone in the root compartment that denies public network access. This will automatically create an Oracle Cloud Guard target for the root compartment.

You can send Oracle Cloud Guard events to third-party security information and event management (SIEM) platforms. The SIEM system is a critical operations tool that manages the security of cloud resources. OCI includes native threat detection, prevention, and response capabilities, which can be used to implement an efficient SIEM platform.

Implement Third-Party Cloud Security Posture Management for Multicloud

Enterprise Architect, Security Architect, Network Architect

Third-Party Cloud Security Posture Management (CSPM) provides visibility into your multicloud security posture, strengthening compliance by automating risk identification and remediation across infrastructure as a service (IaaS), software as a service (SaaS), and platform as a service (PaaS) environments.

CSPM uniformly applies best practices for cloud security to hybrid, multicloud, and container environments, ensuring a robust and compliant cloud security posture.