Protect Data at Rest

Oracle Cloud Infrastructure offers multiple storage options: block, object, and file. Data is encrypted at rest and in transit for these services. Use the following mechanisms to apply additional best practices to ensure that your data in the cloud is secure.

Restrict Permissions for Deleting Storage Resources

Enterprise Architect, Security Architect, Data Architect

To minimize the risk of inadvertent or malicious deletion of your data in the cloud, grant the permissions listed in the following table to only the users who need these privileges:
Service           Permissions That You Should Restrict
Block Volumes     VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, VOLUME_BACKUP_DELETE
File Storage      FILE_SYSTEM_DELETE, MOUNT_TARGET_DELETE, EXPORT_SET_DELETE
Object Storage    BUCKET_DELETE, OBJECT_DELETE
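A way to find out who currently holds the delete permissions in the table is to scan the policy statements in the tenancy. The script below is an added example, not Oracle code: it reads the JSON that `oci iam policy list --all` prints (a constructed sample is embedded), recognizes `manage` grants on the storage resource types, and applies any `request.permission` conditions in the `where` clause. The mapping from verb and resource type to the delete permissions is an assumption of this example (only `manage` is treated as conferring delete rights, and the `*-family` aggregates are expanded to their members); verify it against the OCI policy reference before relying on the output.

```python
"""Report which IAM subjects can delete Block Volumes, File Storage and Object Storage resources.

Added example, not Oracle code. Input: JSON from `oci iam policy list --all` (constructed
sample below). ASSUMPTION: only the `manage` verb confers the delete permissions, and the
*-family types expand to their members; all `request.permission` conditions in one
statement are combined as if wrapped in `all {...}`.
"""
import json
import re

# Delete permissions from the table above, keyed by resource type (assumed mapping).
DELETE_PERMS = {
    "volumes": {"VOLUME_DELETE"},
    "volume-attachments": {"VOLUME_ATTACHMENT_DELETE"},
    "volume-backups": {"VOLUME_BACKUP_DELETE"},
    "file-systems": {"FILE_SYSTEM_DELETE"},
    "mount-targets": {"MOUNT_TARGET_DELETE"},
    "export-sets": {"EXPORT_SET_DELETE"},
    "buckets": {"BUCKET_DELETE"},
    "objects": {"OBJECT_DELETE"},
}
DELETE_PERMS["volume-family"] = set().union(*(DELETE_PERMS[t] for t in ("volumes", "volume-attachments", "volume-backups")))
DELETE_PERMS["file-family"] = set().union(*(DELETE_PERMS[t] for t in ("file-systems", "mount-targets", "export-sets")))
DELETE_PERMS["object-family"] = set().union(*(DELETE_PERMS[t] for t in ("buckets", "objects")))

NAME = r"(?:'[^']+'|\S+)"          # quoted or bare group/compartment name
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>(?:group|dynamic-group)\s+" + NAME + r"|any-user)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>\S+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+(?:id\s+)?" + NAME + r")"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)
# e.g. `where all {request.permission != 'VOLUME_DELETE', request.permission != 'VOLUME_BACKUP_DELETE'}`
PERM_COND_RE = re.compile(r"request\.permission\s*(!=|=)\s*'([A-Za-z_]+)'")


def delete_grants(statement):
    """(subject, delete permissions effectively granted) for one statement, or None when
    the statement is not a `manage` grant on one of the storage resource types."""
    m = STATEMENT_RE.match(statement)
    if not m or m["verb"].lower() != "manage":
        return None
    perms = set(DELETE_PERMS.get(m["resource"].lower(), ()))
    if not perms:
        return None
    conds = PERM_COND_RE.findall(m["cond"] or "")
    allowed = {p.upper() for op, p in conds if op == "="}    # `= X` restricts to X
    denied = {p.upper() for op, p in conds if op == "!="}    # `!= X` carves X out
    if allowed:
        perms &= allowed
    return m["subject"], perms - denied


def audit_policies(policy_list_json):
    """Subject -> {'permissions': set, 'policies': set} for every subject able to delete storage."""
    findings = {}
    for policy in json.loads(policy_list_json)["data"]:
        for statement in policy["statements"]:
            grant = delete_grants(statement)
            if not grant or not grant[1]:
                continue
            subject, perms = grant
            entry = findings.setdefault(subject, {"permissions": set(), "policies": set()})
            entry["permissions"] |= perms
            entry["policies"].add(policy["name"])
    return findings


# Constructed sample in the shape of `oci iam policy list --all` output.
SAMPLE_POLICY_LIST = json.dumps({"data": [
    {"name": "storage-operators", "statements": [
        "Allow group StorageOperators to manage volume-family in compartment prod "
        "where all {request.permission != 'VOLUME_DELETE', request.permission != 'VOLUME_BACKUP_DELETE'}",
        "Allow group StorageOperators to use object-family in compartment prod",
    ]},
    {"name": "app-team", "statements": [
        "Allow group AppTeam to manage objects in compartment prod",
        "Allow group AppTeam to read buckets in compartment prod",
    ]},
    {"name": "fs-admins", "statements": [
        "Allow group FsAdmins to manage file-family in tenancy where request.permission = 'FILE_SYSTEM_DELETE'",
    ]},
]})

if __name__ == "__main__":
    for subject, entry in sorted(audit_policies(SAMPLE_POLICY_LIST).items()):
        print(f"{subject}: {sorted(entry['permissions'])} via {sorted(entry['policies'])}")
```

Run it against a real export by replacing `SAMPLE_POLICY_LIST` with the file written by `oci iam policy list --all`; any subject in the report that is not on your short list of storage administrators is a candidate for a `request.permission != '...'` condition or a narrower verb.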

Ensure Secure Access to File Storage

Enterprise Architect, Security Architect, Data Architect

Take steps to ensure file storage is protected from unauthorized access.
  • Oracle Cloud Infrastructure File Storage exposes an NFSv3 endpoint as a mount target in each of your subnets. The mount target is identified by a DNS name and is mapped to an IP address. Use the security lists of the mount target's subnet to configure network access to the mount target from only authorized IP addresses.
  • Use well-known NFS security best practices, such as the all_squash export option, which maps all users to nfsnobody, and use NFS ACLs to enforce access control on the mounted file system.
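The first point above amounts to a concrete check: every ingress rule on the mount target's security list that reaches an NFS port should come from an authorized client CIDR. The script below is an added example, not Oracle code. It reads JSON in the shape of `oci network security-list get` output (a constructed sample is embedded), uses the port set OCI documents for mount targets (TCP 111 and 2048-2050, UDP 111 and 2048), and reports rules whose source lies outside the CIDRs you pass in. Sources that are not CIDR blocks (service CIDR labels) are skipped.

```python
"""Find NFS ingress to a File Storage mount target from outside the authorized client CIDRs.

Added example, not Oracle code. Input has the shape of `oci network security-list get`
JSON; the sample below is constructed.
"""
import ipaddress
import json

# Protocol numbers as the CLI prints them: "6" = TCP, "17" = UDP, "all" = any protocol.
NFS_PORTS = {"6": {111, 2048, 2049, 2050}, "17": {111, 2048}}


def ports_covered(rule, proto):
    """NFS ports of protocol `proto` that one ingress rule reaches (empty set if none)."""
    if rule.get("protocol") not in (proto, "all"):
        return set()
    options = rule.get("tcp-options" if proto == "6" else "udp-options") or {}
    port_range = options.get("destination-port-range")
    if not port_range:                       # no range given: every destination port
        return set(NFS_PORTS[proto])
    return {p for p in NFS_PORTS[proto] if port_range["min"] <= p <= port_range["max"]}


def nfs_exposure(security_list_json, authorized_cidrs):
    """Ingress rules that open NFS ports to sources outside `authorized_cidrs`."""
    authorized = [ipaddress.ip_network(c) for c in authorized_cidrs]
    findings = []
    for rule in json.loads(security_list_json)["data"]["ingress-security-rules"]:
        if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
            continue                         # service CIDR label, not a client network
        source = ipaddress.ip_network(rule["source"], strict=False)
        if any(source.subnet_of(a) for a in authorized if a.version == source.version):
            continue
        for proto, label in (("6", "tcp"), ("17", "udp")):
            ports = ports_covered(rule, proto)
            if ports:
                findings.append({"source": rule["source"], "protocol": label, "nfs_ports": sorted(ports)})
    return findings


def _rule(proto, source, low, high):
    """Constructed ingress rule in the CLI's JSON shape."""
    key = "tcp-options" if proto == "6" else "udp-options"
    return {"protocol": proto, "source": source, "source-type": "CIDR_BLOCK", "is-stateless": False,
            key: {"destination-port-range": {"min": low, "max": high}, "source-port-range": None}}


# Constructed security list: the required NFS rules for one client subnet, plus two
# wide-open rules, only one of which touches an NFS port.
SAMPLE_SECURITY_LIST = json.dumps({"data": {
    "display-name": "fss-mount-target-sl",
    "ingress-security-rules": [
        _rule("6", "10.0.1.0/24", 111, 111), _rule("6", "10.0.1.0/24", 2048, 2050),
        _rule("17", "10.0.1.0/24", 111, 111), _rule("17", "10.0.1.0/24", 2048, 2048),
        _rule("6", "0.0.0.0/0", 22, 22),       # SSH from anywhere: not an NFS finding
        _rule("6", "0.0.0.0/0", 2049, 2049),   # NFS from anywhere: reported
    ],
}})

if __name__ == "__main__":
    for finding in nfs_exposure(SAMPLE_SECURITY_LIST, ["10.0.1.0/24"]):
        print(finding)
```

Pass the CIDRs of the subnets that are allowed to mount the file system as `authorized_cidrs`; an empty result means every NFS-reaching rule is confined to those networks.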

Ensure Secure Access to Object Storage

Enterprise Architect, Security Architect, Data Architect

Take steps to ensure object storage is protected from unauthorized access.
  • Object storage buckets can be public or private. A public bucket allows unauthenticated, anonymous reads of every object in the bucket. Create private buckets, and use pre-authenticated requests (PARs) to give users who do not have IAM credentials access to the objects they need.
  • To minimize the possibility of buckets being made public inadvertently or maliciously, grant the BUCKET_UPDATE permission to a minimal set of IAM users.

Encrypt Data in Block Volumes

Enterprise Architect, Security Architect, Data Architect

The Oracle Cloud Infrastructure Block Volumes service always encrypts all block volumes and boot volumes at rest by using the Advanced Encryption Standard (AES) algorithm with 256-bit keys. Consider the following additional encryption options.
  • Encrypt all of your volumes and their backups by using keys that you own and manage in the Oracle Cloud Infrastructure Vault service.
  • Data is transferred between an instance and the attached block volume through an internal and highly secure network. You can enable in-transit encryption for paravirtualized volume attachments on virtual machine instances.

Encrypt Data in File Storage

Enterprise Architect, Security Architect, Data Architect

The Oracle Cloud Infrastructure File Storage service encrypts all data at rest. By default, the file systems are encrypted by using Oracle-managed encryption keys.

Encrypt all of your file systems by using keys that you own. You can manage the keys by using the Oracle Cloud Infrastructure Vault service.

Encrypt Data in Object Storage

Enterprise Architect, Security Architect, Data Architect

The Oracle Cloud Infrastructure Object Storage service encrypts all of your objects by using the Advanced Encryption Standard (AES) algorithm with 256-bit keys. Each object is encrypted using a separate key.

  • The object-encryption keys are, in turn, encrypted by using an Oracle-managed master encryption key that's assigned to each bucket.
  • Configure buckets to use your own master encryption key that you store in the Oracle Cloud Infrastructure Vault service and rotate at a schedule that you define.
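The Object Storage access points (private buckets, minimal BUCKET_UPDATE), the Block Volumes points (customer-managed keys, in-transit encryption for paravirtualized attachments) and the bucket master-key point above can all be verified from the metadata the CLI returns. The script below is an added example, not Oracle code: it takes records in the shape of `oci os bucket get`, `oci bv volume list` and `oci compute volume-attachment list` output (all samples constructed) and reports public buckets, buckets and volumes whose `kms-key-id` is null (that is, still on an Oracle-managed key), and paravirtualized attachments without in-transit encryption. The attachment-type value `paravirtualized` is an assumption to confirm against your CLI output.

```python
"""Posture report for Object Storage buckets and Block Volumes.

Added example, not Oracle code. Each input is a {"data": [...]} document built from the
CLI's JSON output; every record below is constructed.
"""
import json


def bucket_findings(buckets):
    """(bucket name, issue) pairs for public buckets and buckets without a Vault key."""
    found = []
    for b in buckets:
        access = b.get("public-access-type") or "NoPublicAccess"
        if access != "NoPublicAccess":           # ObjectRead or ObjectReadWithoutList
            found.append((b["name"], f"public bucket ({access})"))
        if not b.get("kms-key-id"):               # null: Oracle-managed master key
            found.append((b["name"], "Oracle-managed master key; assign a Vault key"))
    return found


def volume_findings(volumes, attachments):
    """(display name, issue) pairs for volumes on Oracle-managed keys and
    paravirtualized attachments that do not encrypt data in transit."""
    found = []
    for v in volumes:
        if not v.get("kms-key-id"):
            found.append((v["display-name"], "Oracle-managed key; assign a Vault key"))
    for a in attachments:
        # ASSUMPTION: the CLI reports PV attachments with attachment-type "paravirtualized".
        if a.get("attachment-type") == "paravirtualized" and not a.get("is-pv-encryption-in-transit-enabled"):
            found.append((a["display-name"], "paravirtualized attachment without in-transit encryption"))
    return found


def storage_posture(buckets_json, volumes_json, attachments_json):
    """Combine the three CLI outputs into one list of findings."""
    def data(doc):
        return json.loads(doc)["data"]
    return bucket_findings(data(buckets_json)) + volume_findings(data(volumes_json), data(attachments_json))


KEY = "ocid1.key.oc1..EXAMPLE-PLACEHOLDER"   # constructed placeholder for a Vault key OCID
SAMPLE_BUCKETS = json.dumps({"data": [
    {"name": "app-logs", "public-access-type": "NoPublicAccess", "kms-key-id": KEY},
    {"name": "public-assets", "public-access-type": "ObjectRead", "kms-key-id": None},
]})
SAMPLE_VOLUMES = json.dumps({"data": [
    {"display-name": "db-data", "kms-key-id": KEY},
    {"display-name": "scratch", "kms-key-id": None},
]})
SAMPLE_ATTACHMENTS = json.dumps({"data": [
    {"display-name": "db-data-att", "attachment-type": "paravirtualized", "is-pv-encryption-in-transit-enabled": True},
    {"display-name": "scratch-att", "attachment-type": "paravirtualized", "is-pv-encryption-in-transit-enabled": False},
    {"display-name": "iscsi-att", "attachment-type": "iscsi", "is-pv-encryption-in-transit-enabled": None},
]})

if __name__ == "__main__":
    for name, issue in storage_posture(SAMPLE_BUCKETS, SAMPLE_VOLUMES, SAMPLE_ATTACHMENTS):
        print(f"{name}: {issue}")
```

Each finding maps to one remediation already described on this page: change the bucket to private and hand out PARs instead, assign a Vault master key to the bucket or volume, or re-attach the volume with in-transit encryption enabled.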

Maintain Application Secrets in Oracle Cloud Infrastructure Vault

Enterprise Architect, Security Architect, Data Architect

Oracle Cloud Infrastructure Vault can be used to store secrets such as passwords, SSH keys, and certificates that applications use to access resources. Storing secrets in a vault provides greater security than embedding them in code or local files.
  • Define a specific key to encrypt secrets and rotate it periodically.
  • Limit resources that access Oracle Cloud Infrastructure Vault to private subnets.
  • Periodically rotate secret contents to reduce impact if a secret is exposed.
  • Define a Secret Reuse Rule to prevent the reuse of secret contents across different versions of a secret.
  • Define a Secret Expiry Rule to limit the period of time a secret version can be used.
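The reuse and expiry rules in the last two points are visible in each secret's metadata, so their presence and settings can be audited. The script below is an added example, not Oracle code. It takes records in the shape of `oci vault secret get` output (constructed samples embedded), where `secret-rules` holds entries of rule-type `SECRET_EXPIRY_RULE` (with `secret-version-expiry-interval` as an ISO 8601 day count such as `P30D`) and `SECRET_REUSE_RULE`, and lists, per secret, which of the rules are missing or weaker than the threshold you choose. The 30-day default threshold is this example's choice, not an Oracle recommendation.

```python
"""Audit Vault secrets for missing or weak reuse and expiry rules.

Added example, not Oracle code. Input: {"data": [...]} of records shaped like
`oci vault secret get` output; the samples below are constructed.
"""
import json
import re

DAYS_RE = re.compile(r"^P(\d+)D$")   # the interval is expressed in whole days


def rule_gaps(secret, max_expiry_days=30):
    """Human-readable gaps for one secret record; an empty list means it passes."""
    gaps = []
    rules = {r["rule-type"]: r for r in secret.get("secret-rules") or []}

    reuse = rules.get("SECRET_REUSE_RULE")
    if reuse is None:
        gaps.append("no SECRET_REUSE_RULE")
    elif not reuse.get("is-enforced-on-deleted-secret-versions"):
        gaps.append("reuse rule not enforced on deleted versions")

    expiry = rules.get("SECRET_EXPIRY_RULE")
    if expiry is None:
        gaps.append("no SECRET_EXPIRY_RULE")
        return gaps
    interval = expiry.get("secret-version-expiry-interval")
    m = DAYS_RE.match(interval or "")
    if not m:
        gaps.append("no per-version expiry interval (absolute expiry only)")
    elif int(m.group(1)) > max_expiry_days:
        gaps.append(f"version expiry {interval} exceeds P{max_expiry_days}D")
    if not expiry.get("is-secret-content-retrieval-blocked-on-expiry"):
        gaps.append("expired versions still retrievable")
    return gaps


def audit_secrets(secrets_json, max_expiry_days=30):
    """secret-name -> list of gaps for every secret in the document."""
    return {s["secret-name"]: rule_gaps(s, max_expiry_days) for s in json.loads(secrets_json)["data"]}


# Constructed records: one compliant secret, one with weak rules, one with none.
SAMPLE_SECRETS = json.dumps({"data": [
    {"secret-name": "db-password", "secret-rules": [
        {"rule-type": "SECRET_EXPIRY_RULE", "secret-version-expiry-interval": "P30D",
         "time-of-absolute-expiry": None, "is-secret-content-retrieval-blocked-on-expiry": True},
        {"rule-type": "SECRET_REUSE_RULE", "is-enforced-on-deleted-secret-versions": True},
    ]},
    {"secret-name": "api-token", "secret-rules": [
        {"rule-type": "SECRET_EXPIRY_RULE", "secret-version-expiry-interval": "P90D",
         "time-of-absolute-expiry": None, "is-secret-content-retrieval-blocked-on-expiry": False},
    ]},
    {"secret-name": "legacy-cert", "secret-rules": []},
]})

if __name__ == "__main__":
    for name, gaps in audit_secrets(SAMPLE_SECRETS).items():
        print(f"{name}: {gaps or 'ok'}")
```

A secret with an empty gap list has both rules, enforces reuse checks even against deleted versions, forces a rotation within the threshold, and refuses to serve expired content; the rotation itself is still something your application or automation has to perform.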