Plan
Cyber resilience in the cloud is a journey, and it can be daunting to know where to start and which waypoints lie ahead as you progress. These waypoints guide you in building your solution using Bronze, Silver, and Gold classifications. You can build a foundation with Bronze and become familiar with the elements of the Cyber-Resilience Framework.
Bronze Waypoint
When implementing, consider if the Bronze waypoint is the right starting point for you.
Protect
- OCI IAM: Enable MFA for local break-glass accounts and minimize the number of break-glass accounts to one or two.
- Network: At a minimum, have segmentation between various security zones using NSGs or Security Lists. NSGs are preferred.
- Unstructured Data Controls: Leverage Security Zone policies to restrict unstructured data configurations.
- Oracle Database Controls: Deploy Databases on a private subnet with security list traffic restrictions at a minimum.
- Vulnerability Scanning and Patch Management: Enable OCI Vulnerability Scanning Service and conduct network scans of resources in production compartments at a minimum.
Detect
- Network: Enable VCN Flow logs for production VCNs at a minimum.
- Unstructured Data Controls: Enable Object Storage logs for buckets used in production for write events.
- Oracle Database Controls: Monitor standard local database audit logs.
- OCI Cloud Security Posture Management: At a minimum, enable Cloud Guard, clone the standard configuration and activity detectors, and link them to the root of the OCI tenancy.
- SIEM: At a minimum, use Logging Analytics to surface log group data in OCI if no SIEM is available.
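As an added example (not part of Oracle's framework or documentation), the Go program below shows the kind of check that the Bronze Protect and Detect controls enable together: given VCN flow log records, it flags any accepted TCP flow to the database listener port whose source lies outside the application subnet that the database NSG or security list should be admitting. The flow log field names, the 10.0.1.0/24 application subnet and listener port 1521 are assumptions, and the sample records are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// flowRecord holds the OCI VCN flow log "data" fields this check uses (field names assumed; verify against your logs).
type flowRecord struct {
	Data struct {
		Action             string `json:"action"`
		SourceAddress      string `json:"sourceAddress"`
		DestinationAddress string `json:"destinationAddress"`
		DestinationPort    int    `json:"destinationPort"`
		Protocol           int    `json:"protocol"`
	} `json:"data"`
}

// UnexpectedDBFlows parses newline-delimited flow log JSON and returns a
// "src -> dst:port" entry for every ACCEPTed TCP flow to dbPort whose source
// is outside allowedCIDR, the application subnet the database NSG should admit.
func UnexpectedDBFlows(logs, allowedCIDR string, dbPort int) ([]string, error) {
	_, allowed, err := net.ParseCIDR(allowedCIDR)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, line := range strings.Split(strings.TrimSpace(logs), "\n") {
		var rec flowRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("bad flow log line: %w", err)
		}
		d := rec.Data
		if d.Action != "ACCEPT" || d.Protocol != 6 || d.DestinationPort != dbPort {
			continue // rejected flows and non-listener traffic are not findings
		}
		if src := net.ParseIP(d.SourceAddress); src == nil || !allowed.Contains(src) {
			findings = append(findings, fmt.Sprintf("%s -> %s:%d", d.SourceAddress, d.DestinationAddress, d.DestinationPort))
		}
	}
	return findings, nil
}

// SampleLogs is constructed sample data: one flow from the app subnet, one
// accepted flow from outside it, and one rejected probe the NSG blocked.
const SampleLogs = `{"data":{"action":"ACCEPT","sourceAddress":"10.0.1.15","destinationAddress":"10.0.2.10","destinationPort":1521,"protocol":6}}
{"data":{"action":"ACCEPT","sourceAddress":"10.0.9.77","destinationAddress":"10.0.2.10","destinationPort":1521,"protocol":6}}
{"data":{"action":"REJECT","sourceAddress":"10.0.9.80","destinationAddress":"10.0.2.10","destinationPort":1521,"protocol":6}}`
```

Only the accepted flow from 10.0.9.77 is reported; the rejected probe shows the segmentation rule working and the in-subnet flow is expected traffic.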
Backup
- Object Storage: Start by enabling retention rules for Object Storage buckets.
- Block Storage: Back up Block Storage using Oracle Backup and Recovery Bronze policies at a minimum.
- Oracle Database: Leverage Oracle Database Backup services Bronze policy at a minimum.
- OCI Network File Storage: Take file storage snapshots every two weeks.
Recovery Automation and Orchestration
- Object Storage: Any data that was protected using retention rules will be available and accessible as long as the access operation falls within the defined retention time limits or in perpetuity for object versioning.
- Block Storage: Block storage can be restored using the OCI API or the OCI Control plane within the region where it was backed up.
- Oracle Database: Oracle Databases backed up using the Database Backup and Recovery Service can be restored using the OCI Console or API from any backups that are available at the time through the service.
- OCI Network File Storage: Restore the latest known good file storage using the OCI API or the OCI Control Plane. Choose from the available two-week snapshots.
Silver Waypoint
When implementing, consider if the Silver waypoint is the right starting point for you.
Protect
- OCI IAM: Enable MFA for local break-glass accounts and minimize the number of break-glass accounts to one or two. Leverage an IdP such as Azure AD or another and enable MFA there.
- Network: Deploy a hub-and-spoke network per region and control cross-enclave traffic using NSGs.
- Unstructured Data Controls: Leverage Security Zone policies to restrict unstructured data configurations. Use the OCI Backup and Recovery Service to back up Block Volumes. The OCI Backup and Recovery Service sits in its own air-gapped OCI Services Network enclave that can't be accessed directly, even by OCI Tenancy administrators. Use Silver policies at a minimum.
- Oracle Database Controls: Oracle Databases should be deployed in a private subnet using NSGs with maximum traffic flow restrictions.
- Vulnerability Scanning and Patch Management: Enable OCI Vulnerability Scanning Service and conduct network scans of resources in all compartments or use a third-party Vulnerability Scanner. Leverage the OCI OS Management Service or third-party patch management tooling.
Detect
- Network: Enable VCN Flow logs for all VCNs.
- Unstructured Data Controls: Enable Object Storage logs for all buckets in the tenancy for write events.
- Oracle Database Controls: Enable Oracle Data Safe and register production databases with Data Safe.
- OCI Cloud Security Posture Management: At a minimum, enable Cloud Guard, clone the standard configuration and activity detectors, and link them to the root of the OCI tenancy. Enable the Cloud Guard Threat Detector, clone it, and link it to the root of the tenancy.
- SIEM: Use a third-party SIEM.
Backup
- Object Storage: Start by enabling retention rule locks for Object Storage buckets.
- Block Storage: Back up Block Storage using Oracle Backup and Recovery Silver policies at a minimum.
- Oracle Database: Leverage Oracle Database Backup and Recovery Silver or Gold policies.
- OCI Network File Storage: Take file storage snapshots as needed.
Recovery Automation and Orchestration
- Object Storage: Any data that was protected using retention rules or object versioning will be available and accessible as long as the access operation falls within the defined retention time limits and the associated retention rule locks or in perpetuity for object versioning. Scan object data stores in the Safe Room enclave before restoring to a Production enclave.
- Block Storage: Block storage can be restored using the OCI API or the OCI Control Plane within the region where it was backed up. Scan backups for malware in a "Clean Room" enclave before restoring to the existing Production enclave.
- Oracle Database: Oracle Databases backed up using the Database Backup and Recovery Service can be restored using the OCI Console or API from any backups that are available at the time through the service.
- OCI Network File Storage: Restore the latest known good file storage from snapshot using the OCI API or console.
Gold Waypoint
When implementing, consider if the Gold waypoint is the right starting point for you.
Protect
- OCI IAM: Enable MFA for local break-glass accounts and minimize the number of break-glass accounts to one or two. Leverage an IdP such as Azure AD or another and establish SCIM integration between the IdP and OCI. Minimally permissive policies should be in place that enforce the principle of least privilege on a per-enclave basis. (Sample policies forthcoming).
- Network: Deploy a hub-and-spoke network per region and control cross-enclave traffic using a next-generation firewall appliance or the OCI Network Firewall service.
- Unstructured Data Controls: Leverage Security Zone policies to restrict unstructured data configurations. Use the OCI Backup and Recovery Service to back up Block Volumes. The OCI Backup and Recovery Service sits in its own air-gapped OCI Services Network enclave that can't be accessed directly, even by OCI Tenancy administrators. Use Gold Backup policies or custom policies defined to meet specific backup and recovery requirements.
- Oracle Database Controls: Deploy Databases in a private subnet using NSGs with maximum traffic flow restrictions. Deploy Oracle PaaS/DBaaS Databases using private endpoints only. Back up Databases using the Oracle Zero Data Loss Recovery Appliance. For privileged access management of the database and database hardening, use Oracle Data Safe to conduct user access analysis, hardening analysis, and sensitive data discovery.
- Vulnerability Scanning and Patch Management: Enable OCI Vulnerability Scanning Service and conduct network and host-based scans of resources in all compartments at a minimum, or use a third-party Vulnerability Scanner. Leverage the OCI OS Management Service or third-party patch management tooling.
Detect
- Network: Enable VCN Flow logs for all VCNs and stream them to an external SIEM using the OCI Service Connector Hub and OCI Streaming Services.
- Unstructured Data Controls: Enable Object Storage logs for all buckets in the tenancy for read/write events and stream to an external SIEM using OCI Service Connector Hub and OCI Streaming Services.
- Oracle Database Controls: Enable Oracle Data Safe and register all databases with Data Safe. Periodically analyze database hardening configurations using Data Safe and conduct periodic Database User Privilege Analysis. Monitor optimized centralized Oracle Database Logs.
- OCI Cloud Security Posture Management: At a minimum, enable Cloud Guard, clone the standard configuration and activity detectors, and link them to the root of the OCI tenancy. Enable the Cloud Guard Threat Detector, clone it, and link it to the root of the tenancy. Consider using the OCI Events Service to stream Cloud Guard Events using Service Connector Hub to an OCI Kafka Stream to be consumed by an external SIEM.
- SIEM: Use a third-party SIEM and create dashboard reporting metrics of correlated events that represent Indicators of Compromise (IOCs) within OCI.
Backup
- Object Storage: Continue using retention rules with retention rule locks for Object Storage buckets and increase retention time limits and lock duration based on business requirements.
- Block Storage: Configure cross-region replication of Block storage from Primary Region 1 to Secondary Region 2. Back up the block storage in Regions 1 and 2 using Oracle Backup and Recovery Gold policies. Oracle recommends that you use Volume Groups to ensure point-in-time consistency across multiple block volumes, such as block volumes supporting one or more related applications.
- Oracle Database: Use the Oracle Database Zero Data Loss Autonomous Recovery Service for zero data loss.
- OCI Network File Storage: Take file storage snapshots as needed and replicate file storage from Primary Region 1 to Secondary Region 2. Also take snapshots of file storage in Region 2 as needed.
Recovery Automation and Orchestration
- Object Storage: Any data that was protected using retention rules or object versioning is available and can be accessed as long as the access operation falls within the defined retention time limits within the primary or secondary replicated region. Scan Object Storage buckets using malware detection in the Clean Room enclave before restoring to the Safe Production enclave.
- Block Storage: Restore Block storage using the OCI API or the OCI Control Plane within the region where it was backed up. You can restore volumes in unison by leveraging volume groups as defined within the context of the original backup set, and in either the Primary or the Secondary replicated region. Mount the block storage to a compute instance in the private subnet of the Clean Room VCN in the Clean Room Compartment and conduct anti-virus checks and other data integrity checks to validate that the data is in a known good state before restoration. Ideally this is done on a continual and automated basis. Once a backup is marked as "clean", tag it with a digital signature identifying it as clean. Then snapshot it and position it for immediate use in restoration to the "Safe Production Compartment" enclave.
- Oracle Database: Use a single transaction point-in-time recovery using the Oracle Database Zero Data Loss Autonomous Recovery Service within the region where it was backed up. Restore to Safe production VCN in region or out of region depending on your requirements.
- OCI Network File Storage: Restore the latest known good file storage from snapshot using the OCI API or console in either the source or target region as needed in the "Safe Room Compartment" enclave. Leverage a compute instance in the same VCN in the "Safe Room Compartment" enclave to scan the file system using an anti-virus. Once determined as known good, snapshot and tag it as such with a representing digital signature.
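The Gold recovery steps for Block Storage and File Storage above tag a scanned backup as "clean" with a digital signature. As an added example, not code from Oracle or the framework, the Go program below builds a SHA-256 manifest of every file on the mounted backup, signs it with an Ed25519 key assumed to be held only by the Clean Room scanning host, and re-verifies the manifest against the volume before restoration, so any file changed after scanning invalidates the tag. The sample volume is constructed with fstest.MapFS; in production you would pass os.DirFS on the mount point (path assumed) and store the tag value with the backup or snapshot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"io/fs"
	"strings"
	"testing/fstest"
)

// Manifest lists every regular file on the mounted backup as a "path  sha256" line, so the
// signature covers exactly the bytes that were scanned (fs.WalkDir is lexical, so output is deterministic).
func Manifest(volume fs.FS) (string, error) {
	var lines []string
	err := fs.WalkDir(volume, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := fs.ReadFile(volume, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		lines = append(lines, path+"  "+hex.EncodeToString(sum[:]))
		return nil
	})
	return strings.Join(lines, "\n") + "\n", err
}

// CleanTag is the value to record as the backup's "clean" tag: the hex Ed25519 signature over a statement binding the CLEAN verdict to the manifest.
func CleanTag(priv ed25519.PrivateKey, manifest string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte("CLEAN\n"+manifest)))
}

// VerifyClean recomputes the manifest of the volume about to be restored and checks the tag, so any changed, added or removed file fails.
func VerifyClean(pub ed25519.PublicKey, volume fs.FS, tag string) bool {
	manifest, err := Manifest(volume)
	sig, derr := hex.DecodeString(tag)
	if err != nil || derr != nil {
		return false
	}
	return ed25519.Verify(pub, []byte("CLEAN\n"+manifest), sig)
}

// SampleVolume is a constructed stand-in for the mounted backup; in production pass os.DirFS("/mnt/backup") (path assumed).
var SampleVolume = fstest.MapFS{
	"app/config.yml":  &fstest.MapFile{Data: []byte("listener: 10.0.2.10:1521\n")},
	"app/bin/service": &fstest.MapFile{Data: []byte{0x7f, 'E', 'L', 'F'}},
}
```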