Learn About Cyber-Resilience Capabilities in OCI

Over the past several decades, cyber defense has evolved to match the nature of the threats it faces. Initially, when attackers were fewer and less sophisticated, the focus was on keeping them out of the network. This prevention-first approach succeeded until attacks grew in number and diversified in technique and tactic. Detection was then layered on top of prevention to identify attackers that made it past the firewall.

Over time, antivirus and anti-malware signatures could no longer keep up, and attackers increasingly made their way into the internal network, where they sat dormant, moved laterally, and began orchestrating sophisticated operations such as ransomware attacks. This did not obviate the need for protection and detection, but it did introduce the need to augment them with defense-in-depth, zero trust, and data resilience inside internal networks.

This approach follows the NIST cybersecurity model, which calls out defensive best practices centered on the security continuum and the CIA triad (Confidentiality, Integrity, and Availability), and is best described using the following functions:

  1. Protect: Prevention of a threat to either data confidentiality, integrity, or availability.
  2. Detect: Detection of anomalous activity that may be construed as evidence of attempted and/or successful subversive activity.
  3. Respond: Addressing, deterring and counteracting a successful compromise.
  4. Recover: Assumes that the compromise has occurred and involves mechanisms that restore an environment to a known good state.

In this solution, you will learn about the Cyber-Security pillar which includes "Protect and Detect" and the Cyber-Resilience pillar which includes "Respond and Recover".

You can leverage the various Oracle Cloud Infrastructure (OCI) services and capabilities to protect, detect, and recover from data integrity threats such as ransomware attacks.

Note:

High availability and disaster tolerance are not in scope of this solution but form the third essential pillar. High availability and disaster tolerance provide the standard mechanisms to account for hardware and network outages that are either local or regional in nature.

Ask the Architect

Replay the Ask the Architect episode:

The following lists the various points (mins:secs) in the video where these topics begin:

  1. Evolution of the cyber-threat landscape: 0:00–5:31
  2. Lessons learned around cyber-resilience: 5:31–9:52
  3. Cyber-security pillar and reference architecture walkthrough (CIS Landing Zone): 9:52–16:30
  4. Cyber-resilience pillar and the OCI cyber-resilience reference architecture walkthrough: 16:31–33:00
  5. Block volume/boot volume replication and Object Storage immutability: 33:01–34:40
  6. Oracle Zero Data Loss Recovery Appliance and Autonomous Recovery Service: 33:41–36:58
  7. Solution recap, next steps, and supporting assets: 36:59–43:40

Architecture

Use the OCI Cyber-Resilience reference architecture as a template for specific Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements to ensure business continuity during data integrity threats and breaches, and to complement and enhance existing or standard Disaster Recovery architectures.

The following diagram shows the reference architecture for implementing cyber resilience in OCI (the diagram is provided for download as oci-tenancy-cyber-resilience-capabilities-oracle.zip).

This architecture supports the following components:

  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Compartment

    Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  • Virtual cloud network (VCN) and subnet

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Security zone

    Security zones ensure Oracle's security best practices from the start by enforcing policies such as encrypting data and preventing public access to networks for an entire compartment. A security zone is associated with a compartment of the same name and includes security zone policies or a "recipe" that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • FastConnect

    Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections.

  • Autonomous Database

    Oracle Autonomous Database is a fully managed, preconfigured database environment that you can use for transaction processing and data warehousing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating the database, as well as backing up, patching, upgrading, and tuning the database.

  • Autonomous Data Warehouse

    Oracle Autonomous Data Warehouse is a self-driving, self-securing, self-repairing database service that is optimized for data warehousing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating the database, as well as backing up, patching, upgrading, and tuning the database.

  • Autonomous Transaction Processing

    Oracle Autonomous Transaction Processing is a self-driving, self-securing, self-repairing database service that is optimized for transaction processing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating the database, as well as backing up, patching, upgrading, and tuning the database.

  • Exadata Database Service

    Oracle Exadata Database Service enables you to leverage the power of Exadata in the cloud. You can provision flexible X8M and X9M systems that allow you to add database compute servers and storage servers to your system as your needs grow. X8M and X9M systems offer RDMA over Converged Ethernet (RoCE) networking for high bandwidth and low latency, persistent memory (PMEM) modules, and intelligent Exadata software. You can provision X8M and X9M systems by using a shape that's equivalent to a quarter-rack X8 and X9M system, and then add database and storage servers at any time after provisioning.

    Oracle Exadata Database Service on Dedicated Infrastructure provides Oracle Exadata Database Machine as a service in an Oracle Cloud Infrastructure (OCI) data center. The Oracle Exadata Database Service on Dedicated Infrastructure instance is a virtual machine (VM) cluster that resides on Exadata racks in an OCI region.

    Oracle Exadata Database Service on Cloud@Customer provides Oracle Exadata Database Service that is hosted in your data center.

  • Web Application Firewall (WAF)

    Oracle Cloud Infrastructure Web Application Firewall (WAF) is a payment card industry (PCI) compliant, regional-based and edge enforcement service that is attached to an enforcement point, such as a load balancer or a web application domain name. WAF protects applications from malicious and unwanted internet traffic. WAF can protect any internet facing endpoint, providing consistent rule enforcement across a customer's applications.

  • Cloud Guard

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Identity and Access Management (IAM)

    Oracle Cloud Infrastructure Identity and Access Management (IAM) is the access control plane for Oracle Cloud Infrastructure (OCI) and Oracle Cloud Applications. The IAM API and the user interface enable you to manage identity domains and the resources within the identity domain. Each OCI IAM identity domain represents a standalone identity and access management solution or a different user population.

  • Policy

    An Oracle Cloud Infrastructure Identity and Access Management policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy.

  • Audit

    The Oracle Cloud Infrastructure Audit service automatically records calls to all supported Oracle Cloud Infrastructure public application programming interface (API) endpoints as log events. Currently, all services support logging by Oracle Cloud Infrastructure Audit.
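As an added example (not code from Oracle's solution or documentation), the following Python scans Audit events for successful API calls that delete backups, buckets, or Object Storage retention rules, and flags any principal that performs a burst of them: the destruction of recovery points that typically precedes ransomware encryption, and therefore the "Detect" signal a defender wants from the Audit service. The event names and field layout (data.eventName, data.response.status, data.identity.principalName, data.identity.ipAddress) are assumptions modelled on the Audit event shape and must be checked against a real tenancy's events; the sample log is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed data.eventName values for calls that remove recovery assets; confirm against real Audit events.
DESTRUCTIVE = {"DeleteVolumeBackup", "DeleteBootVolumeBackup", "DeleteBucket",
               "DeleteObject", "DeleteBackup", "DeleteRetentionRule"}

def parse_events(lines):
    """Parse one JSON Audit event per line, skipping blank or malformed lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupted line must not abort the whole scan
    return events

def destructive_calls(events):
    """Successful (2xx) destructive calls as (time, principal, ip, event, resource)."""
    out = []
    for e in events:
        d = e.get("data", {})
        status = str(d.get("response", {}).get("status", ""))
        if d.get("eventName") in DESTRUCTIVE and status.startswith("2"):
            who = d.get("identity", {})
            when = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
            out.append((when, who.get("principalName", "?"), who.get("ipAddress", "?"),
                        d["eventName"], d.get("resourceName", "?")))
    return out

def mass_deletions(calls, threshold=3, window=timedelta(minutes=10)):
    """Principals whose successful deletes reach `threshold` inside any `window`."""
    times_by_principal = defaultdict(list)
    for when, principal, *_ in calls:
        times_by_principal[principal].append(when)
    flagged = {}
    for principal, times in times_by_principal.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[principal] = max(n, flagged.get(principal, 0))
    return flagged

def _evt(time, name, principal, ip, resource, status=200):  # constructed sample event
    return json.dumps({"eventTime": time, "data": {
        "eventName": name, "resourceName": resource, "response": {"status": str(status)},
        "identity": {"principalName": principal, "ipAddress": ip}}})

SAMPLE_LOG = [  # constructed: one routine rotation, then a burst of deletes by one user
    _evt("2024-01-15T02:00:05Z", "DeleteVolumeBackup", "svc-backup", "10.0.1.5", "nightly-1"),
    _evt("2024-01-15T03:10:00Z", "DeleteRetentionRule", "bob", "203.0.113.9", "lock-90d"),
    _evt("2024-01-15T03:10:20Z", "DeleteBucket", "bob", "203.0.113.9", "db-backups"),
    _evt("2024-01-15T03:11:02Z", "DeleteBootVolumeBackup", "bob", "203.0.113.9", "app-boot"),
    _evt("2024-01-15T03:11:30Z", "DeleteVolumeBackup", "bob", "203.0.113.9", "app-data", 404),
    _evt("2024-01-15T03:12:00Z", "GetBucket", "alice", "10.0.2.7", "db-backups"),
]
```

Running `mass_deletions(destructive_calls(parse_events(SAMPLE_LOG)))` on the constructed log returns only the bursty principal; the routine single rotation by the backup service account and the failed 404 attempt are not counted, which is what keeps this check quiet on normal backup lifecycle activity.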

  • Bastion service

    Oracle Cloud Infrastructure Bastion provides restricted and time-limited secure access to resources that don't have public endpoints and that require strict resource access controls, such as bare metal and virtual machines, Oracle MySQL Database Service, Autonomous Transaction Processing (ATP), Oracle Container Engine for Kubernetes (OKE), and any other resource that allows Secure Shell Protocol (SSH) access. With Oracle Cloud Infrastructure Bastion service, you can enable access to private hosts without deploying and maintaining a jump host. In addition, you gain improved security posture with identity-based permissions and a centralized, audited, and time-bound SSH session. Oracle Cloud Infrastructure Bastion removes the need for a public IP for bastion access, eliminating the hassle and potential attack surface when providing remote access.

  • Network security group (NSG)

    A network security group (NSG) acts as a virtual firewall for your cloud resources. With the zero-trust security model of Oracle Cloud Infrastructure, all traffic is denied by default, and you control the network traffic inside a VCN. An NSG consists of a set of ingress and egress security rules that apply only to a specified set of VNICs in a single VCN.

  • Block volume

    With block storage volumes, you can create, attach, connect, and move storage volumes, and change volume performance to meet your storage, performance, and application requirements. After you attach and connect a volume to an instance, you can use the volume like a regular hard drive. You can also disconnect a volume and attach it to another instance without losing data.

  • File storage

    The Oracle Cloud Infrastructure File Storage service provides a durable, scalable, secure, enterprise-grade network file system. You can connect to a File Storage service file system from any bare metal, virtual machine, or container instance in a VCN. You can also access a file system from outside the VCN by using Oracle Cloud Infrastructure FastConnect and IPSec VPN.

  • Dynamic routing gateway (DRG)

    The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.

  • Application server

    Application servers use a secondary peer that, like the database, takes over processing in the event of a disaster. Application servers use configuration and metadata that is stored both in the database and the file system. Application server clustering provides protection within the scope of a single region, but ongoing modifications and new deployments need to be replicated to the secondary location on an ongoing basis for consistent disaster recovery.

  • Compute

    The Oracle Cloud Infrastructure Compute service enables you to provision and manage compute hosts in the cloud. You can launch compute instances with shapes that meet your resource requirements for CPU, memory, network bandwidth, and storage. After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you no longer need it.

  • Functions

    Oracle Cloud Infrastructure Functions is a fully managed, multitenant, highly scalable, on-demand, Functions-as-a-Service (FaaS) platform. It is powered by the Fn Project open source engine. Functions enable you to deploy your code, and either call it directly or trigger it in response to events. Oracle Functions uses Docker containers hosted in Oracle Cloud Infrastructure Registry.

  • Oracle Services Network

    The Oracle Services Network (OSN) is a conceptual network in Oracle Cloud Infrastructure that is reserved for Oracle services. These services have public IP addresses that you can reach over the internet. Hosts outside Oracle Cloud can access the OSN privately by using Oracle Cloud Infrastructure FastConnect or VPN Connect. Hosts in your VCNs can access the OSN privately through a service gateway.

  • Logging

    Logging is a highly scalable and fully managed service that provides access to the following types of logs from your resources in the cloud:

      ◦ Audit logs: Logs related to events emitted by the Audit service.
      ◦ Service logs: Logs emitted by individual services such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs.
      ◦ Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.

  • On-premises network

    This network is the local network used by your organization. It is one of the spokes of the topology.

  • Vulnerability Scanning Service

    Oracle Cloud Infrastructure Vulnerability Scanning Service helps improve the security posture in Oracle Cloud by routinely checking ports and hosts for potential vulnerabilities. The service generates reports with metrics and details about these vulnerabilities.

  • Oracle Database Zero Data Loss Autonomous Recovery Service

    Oracle Database Zero Data Loss Autonomous Recovery Service is a fully managed, standalone, and centralized cloud backup and recovery solution for Oracle Cloud Infrastructure (OCI) databases. It brings real-time data protection to OCI with enforced backup encryption to provide high security. Backup retention safeguards protect against accidental or malicious deletion.

  • Oracle Database Autonomous Recovery Service

    Oracle Database Autonomous Recovery Service lets you make a point-in-time snapshot of the data on block volumes, boot volumes, and in Oracle Databases. With backup automation and enhanced data protection capabilities for OCI databases, you can offload all backup processing and storage requirements to Oracle Database Autonomous Recovery Service, thereby eliminating backup infrastructure costs and manual administration overhead.

  • Oracle Base Database Service

    Oracle Base Database Service is an Oracle Cloud Infrastructure (OCI) database service that enables you to build, scale, and manage full-featured Oracle databases on virtual machines. Oracle Base Database Service uses OCI Block Volumes storage instead of local storage and can run Oracle Real Application Clusters (Oracle RAC) to improve availability.

  • Network Firewall

    Network Firewall is a next-generation managed network firewall and intrusion detection and prevention service for your Oracle Cloud Infrastructure virtual cloud network (VCN), powered by Palo Alto Networks.

  • Data Safe

    Oracle Data Safe is a fully integrated, regional cloud service that provides a complete set of features for protecting sensitive and regulated data in Oracle databases. Data Safe also supports on-premises databases, Oracle Exadata Database Service on Cloud@Customer, and multicloud deployments. All Oracle Database customers can reduce the risk of a data breach and simplify compliance by using Oracle Data Safe to assess configuration and user risk, monitor and audit user activity, and discover, classify, and mask sensitive data.

  • Oracle Database Vault

    Oracle Database Vault provides controls to prevent unauthorized privileged users from accessing sensitive data, prevent unauthorized database changes, and helps customers meet industry, regulatory, or corporate security standards.

  • Oracle Audit Vault and Database Firewall

    Oracle Audit Vault and Database Firewall provides a comprehensive way to deal with large amounts of audit data, risk from SQL injection, application bypass attacks over the network, and problems of unauthorized access. It audits databases and monitors network-based activities to help manage the security posture of Oracle and non-Oracle databases, hosted in the cloud or on-premises.

  • Transparent Data Encryption (TDE)

    Transparent Data Encryption (TDE) transparently encrypts data at rest in an Oracle Database. It stops unauthorized attempts from the operating system to access database data stored in files, without impacting how applications access the data using SQL. TDE is fully integrated with Oracle Database and can encrypt entire database backups (RMAN), Data Pump exports, entire application tablespaces, or specific sensitive columns. Encrypted data remains encrypted in the database, whether it is in tablespace storage files, temporary tablespaces, undo tablespaces, or other files such as redo logs.