Protect Your Workloads in the Cloud Using Security Zones

Maximize the security of your compute, networking, and storage resources in the cloud by placing them in an Oracle Cloud Infrastructure Security Zone.

Oracle Cloud Infrastructure (OCI) offers best-in-class security technology and operational processes to secure its enterprise cloud services. Customers are responsible for securing their workloads and configuring their services and applications securely to meet their compliance obligations. Oracle Security Zones can assist with the cloud security shared responsibility model in the following ways:

  • Deny public access to Oracle Cloud Infrastructure resources, such as databases and object storage buckets
  • Enforce the policy that requires detached storage resources to reside in the same secure compartment as the compute instance
  • Encrypt storage resources, such as block volumes, object storage buckets, and databases, with a customer-managed key

Architecture

This reference architecture shows a typical three-tier architecture that you can use to securely run applications such as e-commerce applications. Data persistence is achieved using an Oracle Autonomous Transaction Processing database. Media and image files for the application are stored in Oracle Cloud Infrastructure Object Storage.

The following diagram shows a basic compartment architecture.



The architecture has the following security limitations:

  • Object storage: Unencrypted object storage is exposed directly to the internet.
  • Database: The database is not encrypted with customer-managed key and can be exposed to the internet with a single configuration change (public IP address).
  • Compartment: The compartment does not restrict movement of data, assets, volumes in or out of the environment.
  • Virtual machines: VMs do not use encrypted boot volumes or storage.
  • Internet: Web application firewall (WAF) protections are not provided.
  • Network: All resources are on a single plane and provide insufficient isolation.

The following diagram shows an architecture that addresses these concerns by providing a highly secure environment that isolates multiple spoke networks, each representing an application tier, such as web, application, and database. This architecture works in specific environments, such as production, test, and development environments, and on different infrastructures, such as cloud region, on-premises data center, and multicloud infrastructures.



The architecture has the following components:

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Availability domain

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Fault domain

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Compartment

    A compartment is a collection of related resources. Compartments are a fundamental component of Oracle Cloud Infrastructure for organizing and isolating cloud resources. Compartments are tenancy-wide and cross all regions.

  • Security zone

    Security zones ensure Oracle's security best practices from the start by enforcing policies such as encrypting data and preventing public access to networks for an entire compartment. A security zone is associated with a compartment of the same name and includes security zone policies or a "recipe" that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.

    In this use-case, the security zone enforces the following policies:

    • Encrypt boot volumes of the compute instances and object storage buckets
    • Prevent compute resources from being accessed from the public internet
    • Encrypt resources using customer-managed keys
    • Regularly and automatically back up all resources
  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, private network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. You can segment VCNs into subnets, which can be scoped to a region or to an availability domain. Both regional subnets and availability domain-specific subnets can coexist in the same VCN. A subnet can be public or private.

  • Security lists

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Load balancers

    The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.

    This architecture uses separate load balancers for the administrator's applications and the self-service applications, for tighter security and traffic separation. You can upgrade the load balancer shape if needed.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Local peering gateway (LPG)

    An LPG enables you to peer one VCN with another VCN in the same region. Peering means the VCNs communicate using private IP addresses, without the traffic traversing the internet or routing through your on-premises network.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • Compute

    Oracle Cloud Infrastructure Compute lets you provision and manage compute hosts. You can launch compute instances with shapes that meet your resource requirements (CPU, memory, network bandwidth, and storage). After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you don't need it.

  • Web Application Firewall

    Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, payment card industry (PCI) compliant, global security service that protects applications from malicious and unwanted internet traffic. WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications.

Recommendations

Your requirements might differ from the architecture described here. Use the following recommendations as a starting point.

  • VCN

    When you create the VCN, determine how many IP addresses your cloud resources in each subnet require. Using the Classless Inter-Domain Routing (CIDR) notation, specify a subnet mask and a network address range that's large enough for the required IP addresses. Use an address range that's within the standard private IP address space.

    Select an address range that doesn’t overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or in another cloud provider) that you intend to set up private connections to.

    After you create a VCN, you can't change its address range.

    When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

    Use regional subnets.

  • Security zones

    A security zone compartment complies with strict security policies that are preconfigured and can’t be modified. These security policies impose strict requirements on resources in the compartment, such as ensuring that compute instances use customer-managed encryption keys through the Oracle Key Management Cloud Service (KMS). Oracle recommends that you create resources in a security zone-enabled compartment whenever using a private subnet. You can’t create a VNC with a public subnet or an internet gateway in a security zone-enabled compartment.

  • Object Storage

    Use Oracle Cloud Infrastructure Object Storage to store backups of the database and other data.

    Create object storage in a compartment with Security Zones enabled and set its visibility to private only. This configuration ensures that the Object Storage bucket adheres to the strict security policies of Security Zones.

Considerations

  • Availability

    Some regions offer multiple availability domains, which allow higher availability with higher redundancy. Consider deploying your e-commerce solution on multiple availability domains to take advantage of this redundancy. Also, consider having a disaster recovery plan in a different region with the appropriate redundancy.

  • Cost

    Use flexible shapes so you can select the number of CPUs and the amount of memory that you need for the workloads that run on the instance. This flexibility enables you to build VMs that match your workload, allowing you to optimize performance and minimize cost.

  • Monitoring and Logging

    Set up Logging service, monitoring, and alerts on CPU and memory usage for your nodes, so that you can scale the shape up or down as needed.

Deploy

The Terraform code for deploying the MuShop basic sample application on Oracle Cloud Infrastructure using security zones is available in GitHub.

  1. Go to GitHub.
  2. Clone or download the repository to your local computer.
  3. Follow the instructions in the README_MSZ.md document.

Explore More

Learn more about the features of this architecture.