Designing security controls is an iterative process, and a successful security implementation relies on continuous monitoring and optimisation. In Oracle Cloud Infrastructure, optimization of security postures is carried out using Oracle Cloud Guard.
Enable Oracle Cloud Guard for Optimization
Enterprise Architect, Security Architect, Network ArchitectOne of the most interesting design principles of Oracle Cloud Guard is Oracle's use of Embedded Expertise. Oracle knows Oracle Cloud Infrastructure best: what security controls are available, and how best to apply them at scale. Oracle also knows which problems to look for and how to apply security features to mitigate them.
Oracle Cloud Guard has two main configuration options: detector recipes and responder recipes. Detector recipes deal with how certain violations are detected, and responder recipes deal with how the violations are responded to.
Detector recipes are a predefined and pre-configured set of rules. These recipes detect security violations and risks (if any) that are present in your cloud account, based on security best practices for Oracle Cloud Infrastructure.
Detector recipes can be one way to effect optimization to your Infrastructure. They have the following variations:
- Configuration detector recipe: This recipe checks and detects any configuration that violates a security rule within your tenancy, as determined by Oracle Cloud Guard’s pre-provisioned rules. Examples include Compute instances with a public IP, or database instances with patches not applied.
- Activity detector recipe: This recipe checks and detects any individual user action or activity that violates a security rule within your tenancy, as determined by Oracle Cloud Guard’s pre-provisioned rules. Examples include a user terminating the database system, or deleting a subnet.
Upon detecting a rule violation through the detector recipe, Oracle Cloud Guard can take one of the pre-configured actions from the responder recipe. These actions are resource-dependent. For example, it stops or deletes a Compute instance if it has a public IP, or makes a publicly visible Object Storage bucket private. These responder recipes can use more rules to recommend an action, and the selection of rules depends on the resource type.