Protect Data at Rest
Oracle Cloud Infrastructure offers multiple storage options: block, object, and file. Data is encrypted at rest and in transit for these services. Use the following mechanisms to apply additional best practices to ensure that your data in the cloud is secure.
Restrict Permissions for Deleting Storage Resources
Enterprise Architect, Security Architect, Data Architect
Service | Permissions That You Should Restrict |
---|---|
Block Volumes | |
File Storage | |
Object Storage | |
Ensure Secure Access to File Storage
Enterprise Architect, Security Architect, Data Architect
- Oracle Cloud Infrastructure File Storage exposes each file system through an NFSv3 mount target that you create in a subnet of your choice. The mount target is identified by a DNS name that resolves to a private IP address in that subnet. Use the security lists (or network security groups) of the mount target's subnet to allow NFS traffic to the mount target only from the IP ranges of authorized clients.
- Use well-known NFS security best practices, such as the all_squash option (in File Storage, the export option that squashes all client identities to an anonymous UID/GID) to map all users to nfsnobody, and use NFS ACLs to enforce access control on the mounted file system.
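The following is an added example, not code from the Oracle page, that applies the two bullets above to the export options of a File Storage export. The dictionary keys follow the OCI export-option fields (source, requirePrivilegedSourcePort, access, identitySquash, anonymousUid, anonymousGid); the sample CIDRs, the audit helper names and the uid/gid 65534 for nfsnobody are my assumptions.

```python
"""Audit OCI File Storage export options against the NFS advice above (added example)."""
import ipaddress
import json

# Constructed sample, not taken from a real tenancy. The keys follow the shape
# of OCI File Storage export options (the JSON passed to
# `oci fs export create --export-options` or returned by `oci fs export get`).
SAMPLE_EXPORT_OPTIONS = [
    {   # weak: any source, clients keep their own uid/gid, unprivileged ports
        "source": "0.0.0.0/0",
        "requirePrivilegedSourcePort": False,
        "access": "READ_WRITE",
        "identitySquash": "NONE",
        "anonymousUid": 65534,
        "anonymousGid": 65534,
    },
    {   # hardened: one client subnet, privileged source port, all users squashed
        "source": "10.0.1.0/24",
        "requirePrivilegedSourcePort": True,
        "access": "READ_WRITE",
        "identitySquash": "ALL",
        "anonymousUid": 65534,
        "anonymousGid": 65534,
    },
]

# uid/gid of nobody/nfsnobody on most Linux distributions (assumption: check
# the passwd database of your NFS clients).
NOBODY_UID = 65534
NOBODY_GID = 65534


def audit_export_option(opt):
    """Return the list of findings for one export option; [] means acceptable."""
    findings = []
    net = ipaddress.ip_network(opt["source"], strict=False)
    if net.prefixlen == 0:
        findings.append("source matches every client; restrict it to the NFS client subnet")
    squash = opt.get("identitySquash", "NONE")
    if squash != "ALL":
        findings.append(f"identitySquash is {squash}; use ALL (the all_squash equivalent)")
    elif (opt.get("anonymousUid"), opt.get("anonymousGid")) != (NOBODY_UID, NOBODY_GID):
        findings.append("squashed users map to a uid/gid other than nobody")
    if not opt.get("requirePrivilegedSourcePort", False):
        findings.append("unprivileged source ports allowed; any local process on a client can send NFS requests")
    return findings


def audit_export_options(options):
    """Map each export option's source CIDR to its findings."""
    return {opt["source"]: audit_export_option(opt) for opt in options}


def hardened_export_options(client_cidr, read_only=False):
    """Build an export options list that follows the recommendations above."""
    ipaddress.ip_network(client_cidr, strict=True)  # reject sloppy CIDRs before they reach the API
    return [{
        "source": client_cidr,
        "requirePrivilegedSourcePort": True,
        "access": "READ_ONLY" if read_only else "READ_WRITE",
        "identitySquash": "ALL",
        "anonymousUid": NOBODY_UID,
        "anonymousGid": NOBODY_GID,
    }]


if __name__ == "__main__":
    for source, findings in audit_export_options(SAMPLE_EXPORT_OPTIONS).items():
        print(source, findings or "OK")
    # JSON suitable for: oci fs export create ... --export-options '<this output>'
    print(json.dumps(hardened_export_options("10.0.1.0/24")))
```

The squash check deliberately treats ROOT (root squash only) as a finding, because the page asks for all users to be mapped to nfsnobody; relax it to accept ROOT if your application needs stable client UIDs and you enforce access with NFS ACLs instead.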
Ensure Secure Access to Object Storage
Enterprise Architect, Security Architect, Data Architect
- Object Storage buckets can be public or private. A public bucket allows unauthenticated, anonymous reads of every object in the bucket. Create private buckets and use pre-authenticated requests (PARs) to give users who have no IAM credentials access to specific objects; scope each PAR to the object or prefix it is meant for and give it an expiry time, because anyone who obtains the PAR URL can use it until it expires.
- To minimize the possibility of buckets being made public inadvertently or maliciously, grant the BUCKET_UPDATE permission (the permission that changes a bucket's public-access setting) to a minimal set of IAM users and groups.
Encrypt Data in Block Volumes
Enterprise Architect, Security Architect, Data Architect
- Encrypt all of your volumes and their backups by using keys that you own and manage in the Oracle Cloud Infrastructure Vault service, rather than the default Oracle-managed keys.
- Data is transferred between an instance and its attached block volume over Oracle's internal network. For paravirtualized volume attachments on virtual machine instances, you can additionally enable in-transit encryption on the attachment itself.
Encrypt Data in File Storage
Enterprise Architect, Security Architect, Data Architect
Encrypt all of your file systems by using keys that you own. You can manage the keys by using the Oracle Cloud Infrastructure Vault service.
Encrypt Data in Object Storage
Enterprise Architect, Security Architect, Data Architect
- Object Storage encrypts each object with its own data encryption key. Those per-object keys are, in turn, encrypted with a master encryption key assigned to the bucket, which by default is Oracle-managed.
- Configure buckets to use your own master encryption key that you store in the Oracle Cloud Infrastructure Vault service and rotate on a schedule that you define.
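The following is an added example, not code from the Oracle page, that serves both the Object Storage access bullets (private buckets, PARs, restricted BUCKET_UPDATE) and the encryption bullets above. The bucket fields mirror the `data` object of `oci os bucket get` (public_access_type, kms_key_id); the sample bucket names, the placeholder OCID, the seven-day PAR lifetime limit and the IAM group names are my assumptions.

```python
"""Object Storage posture check, a scoped time-limited PAR, and the IAM split (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the "data" object returned by
# `oci os bucket get`. The OCID is a placeholder, not a real identifier.
SAMPLE_BUCKETS = [
    {"name": "app-uploads", "public_access_type": "NoPublicAccess",
     "kms_key_id": "ocid1.key.oc1..placeholder"},
    {"name": "marketing-assets", "public_access_type": "ObjectRead",
     "kms_key_id": None},
    {"name": "share-drop", "public_access_type": "ObjectReadWithoutList",
     "kms_key_id": None},
]

# Values of public_access_type that permit anonymous reads.
PUBLIC_ACCESS_TYPES = {"ObjectRead", "ObjectReadWithoutList"}

MAX_PAR_HOURS = 7 * 24   # local policy (assumption): no PAR lives longer than a week


def audit_bucket(bucket):
    """Return findings for one bucket; an empty list means it follows the advice above."""
    findings = []
    if bucket.get("public_access_type") in PUBLIC_ACCESS_TYPES:
        findings.append("public bucket: anonymous reads allowed; make it private and hand out PARs instead")
    if not bucket.get("kms_key_id"):
        findings.append("Oracle-managed master key: assign a Vault master key you own and rotate")
    return findings


def audit_buckets(buckets):
    return {b["name"]: audit_bucket(b) for b in buckets}


def par_expiry(ttl_hours, now_ts=None):
    """RFC 3339 expiry for a PAR that lives ttl_hours from now (now_ts: epoch seconds, for tests)."""
    if not 0 < ttl_hours <= MAX_PAR_HOURS:
        raise ValueError(f"PAR lifetime must be between 1 and {MAX_PAR_HOURS} hours")
    now = (datetime.fromtimestamp(now_ts, tz=timezone.utc) if now_ts is not None
           else datetime.now(timezone.utc))
    return (now + timedelta(hours=ttl_hours)).strftime("%Y-%m-%dT%H:%M:%SZ")


def par_create_args(namespace, bucket, object_name, ttl_hours, now_ts=None):
    """Argument vector for `oci os preauth-request create` granting read access to
    ONE object for a bounded time; a leaked URL then exposes only that object
    until the expiry passes."""
    expires = par_expiry(ttl_hours, now_ts)
    return [
        "oci", "os", "preauth-request", "create",
        "--namespace-name", namespace,
        "--bucket-name", bucket,
        "--object-name", object_name,
        "--name", f"read-{object_name}-{expires}",
        "--access-type", "ObjectRead",
        "--time-expires", expires,
    ]


def bucket_policies(admin_group, operator_group, compartment):
    """Two IAM statements: admins get full bucket management; operators get
    everything except BUCKET_UPDATE (flipping a bucket public or changing its
    key) and BUCKET_DELETE (see the delete-permission section above)."""
    admins = f"Allow group {admin_group} to manage buckets in compartment {compartment}"
    operators = (f"Allow group {operator_group} to manage buckets in compartment {compartment} "
                 "where all {request.permission != 'BUCKET_UPDATE', "
                 "request.permission != 'BUCKET_DELETE'}")
    return admins, operators


if __name__ == "__main__":
    for name, findings in audit_buckets(SAMPLE_BUCKETS).items():
        print(name, findings or "OK")
    print(" ".join(par_create_args("mytenancy", "app-uploads", "report.pdf", 24)))
    print("\n".join(bucket_policies("BucketAdmins", "BucketOperators", "Projects")))
```

Run the audit over the real output of `oci os bucket list` plus `oci os bucket get` per bucket; the two IAM statements are the usual way to honour the BUCKET_UPDATE advice without taking the `use`/`manage` verbs away from the people who create and fill buckets.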
Maintain Application Secrets in Oracle Cloud Infrastructure Vault
Enterprise Architect, Security Architect, Data Architect
- Define a specific key to encrypt secrets and rotate it periodically.
- Limit resources that access Oracle Cloud Infrastructure Vault to private subnets.
- Periodically rotate secret contents to reduce impact if a secret is exposed.
- Define a Secret Reuse Rule to prevent the reuse of secret contents across different versions of a secret.
- Define a Secret Expiry Rule to limit the period of time a secret version can be used.
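The following is an added example, not code from the Oracle page, that writes the two rules above in the shape of a Vault secret's `rules` list and then models locally what they enforce (the Vault service enforces them itself; the model is only to make the behaviour concrete). The rule field names (ruleType, secretVersionExpiryInterval, isSecretContentRetrievalBlockedOnExpiry, isEnforcedOnDeletedSecretVersions) are my reading of the Vault API's SecretExpiryRule and SecretReuseRule models, to be verified against your SDK or CLI version; the 90-day interval and the class name are my assumptions.

```python
"""OCI Vault secret rules and a local model of what they enforce (added example)."""
import hashlib
import json
import re

# Rules in the shape of a Vault secret's `rules` list (assumption: field names
# as in the SecretExpiryRule / SecretReuseRule API models).
SECRET_RULES = [
    {
        "ruleType": "SECRET_EXPIRY_RULE",
        "secretVersionExpiryInterval": "P90D",      # ISO 8601 duration: a version lives 90 days
        "isSecretContentRetrievalBlockedOnExpiry": True,
    },
    {
        "ruleType": "SECRET_REUSE_RULE",
        "isEnforcedOnDeletedSecretVersions": True,  # deleted versions still count as used
    },
]

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?)?$")


def parse_interval(iso):
    """Seconds in the day/hour subset of ISO 8601 durations used here."""
    m = _DURATION.match(iso)
    if not m or iso == "P":
        raise ValueError(f"unsupported duration: {iso}")
    days, hours = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600


def fingerprint(content):
    """Keep only a hash of past contents so the history never holds plaintext."""
    return hashlib.sha256(content.encode()).hexdigest()


class SecretHistory:
    """Local model of one secret's versions, applying the two rules above.
    Timestamps are epoch seconds; version numbers start at 1 like Vault's."""

    def __init__(self, rules):
        self.rules = {r["ruleType"]: r for r in rules}
        self.versions = []   # [version_number, fingerprint, created_at, deleted]

    def add_version(self, content, created_at):
        reuse = self.rules.get("SECRET_REUSE_RULE")
        fp = fingerprint(content)
        if reuse:
            for _, old_fp, _, deleted in self.versions:
                if old_fp == fp and (not deleted or reuse["isEnforcedOnDeletedSecretVersions"]):
                    raise ValueError("secret content was already used in a previous version")
        self.versions.append([len(self.versions) + 1, fp, created_at, False])
        return self.versions[-1][0]

    def delete_version(self, number):
        self.versions[number - 1][3] = True

    def is_expired(self, number, now):
        expiry = self.rules.get("SECRET_EXPIRY_RULE")
        if not expiry:
            return False
        created = self.versions[number - 1][2]
        return now >= created + parse_interval(expiry["secretVersionExpiryInterval"])


def rules_json():
    """JSON for the --rules argument of `oci vault secret create-base64` / `update`."""
    return json.dumps(SECRET_RULES)


if __name__ == "__main__":
    print(rules_json())
    h = SecretHistory(SECRET_RULES)
    h.add_version("hunter2", 0)
    try:
        h.add_version("hunter2", 10)
    except ValueError as e:
        print("rejected:", e)
```

The reuse model compares SHA-256 fingerprints rather than plaintext, which is also the sane way to keep your own "was this value used before" records outside Vault; with isEnforcedOnDeletedSecretVersions set, deleting an old version does not make its value acceptable again.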