Deploy an SCCA-Compliant Workload Using Cloud Native SCCA LZ in Oracle Cloud

This reference architecture provides guidance to US Department of Defense (DoD) mission owners and implementation partners for using Oracle cloud native platform automation in connection with secure cloud computing architecture requirements.

Use an Oracle Cloud Native Secure Cloud Computing Architecture Landing Zone (SCCA LZ) solution to rapidly deploy SCCA into your tenancy with minimal intervention. Doing so deploys a highly secure architecture into your tenancy in a timely fashion.

The purpose of the Department of Defense (DoD) SCCA is to provide a barrier of protection between the DoD Information System Network (DISN) and the commercial cloud services used by the DoD, while optimizing the cost-performance trade-off in cyber security. SCCA proactively and reactively provides a layer of overall protection against attacks on the DISN infrastructure and on mission applications operating within the commercial cloud.

It specifically addresses attacks originating from mission critical applications that reside within the Cloud Service Environment (CSE) against both the DISN infrastructure and neighboring tenants in a multi-tenant environment. It provides a consistent, Cloud Service Provider (CSP) independent level of security that enables the use of commercially available Cloud Service Offerings (CSO) for hosting DoD mission applications operating at all DoD Information System Impact Levels (2, 4, 5, and 6). Core SCCA components include Cloud Access Point (CAP), Virtual Data Center Security Services (VDSS), Virtual Data Center Managed Services (VDMS), and Trusted Cloud Credential Manager (TCCM).

This reference architecture has been published by Oracle DoD Cloud to be compliant with the SCCA standards.

Architecture

This landing zone supports DISA SCCA and provides the framework for securing US DoD Impact Level (IL) 4 and 5 workloads in the Oracle Cloud Infrastructure Government Cloud realms (realm keys OC2 and OC3) and their government regions. It is designed for the DoD, but is available to any customer who wants enhanced security in their landing zone.

Oracle Cloud Native SCCA Landing Zone Reference Architecture

This reference architecture diagram shows the abstract building blocks for constructing the SCCA components and configurations you need to become SCCA compliant. You can deploy this architecture using Oracle Cloud Infrastructure (OCI) cloud native services. The architecture is based on the DISA FRD and has components for CAP/BCAP, VDSS, VDMS, and TCCM.



Monitoring Architecture for Oracle Cloud Workload Deployment to be DoD SCCA Compliant

As part of this cloud native SCCA solution, there is a monitoring structure in the VDSS, VDMS, and workload compartments that fulfills your initial SCCA requirement. You can adjust it according to your administrator's operational model. Services inside OCI emit metrics and events that you can monitor through your metrics dashboard. You can create alerts based on queries of these metrics and events, and organize those alerts into groups using topics you create. For example, you can create a separate topic per compartment (VDSS, VDMS, and workload) and assign different monitoring rules to each.



Oracle Cloud Native SCCA Landing Zone Technical Architecture



Abbreviations

Abbreviation Definition
ARCYBER US Army Cyber Command
BCAP Boundary CAP
BCND Boundary CND
CAC Common Access Card
CAP Cloud Access Point
CND Computer Network Defense
CSE Cloud Service Environment
CSO Cloud Service Offerings
CSP Cloud Service Provider
CSSP Cyber Security Service Providers
DISA Defense Information Systems Agency
DISN Defense Information System Network
DoD CIO Department of Defense Chief Information Officer
DoD Department of Defense
DoDIN Department of Defense Information Networking
FRD Functional Requirements Document
IaaS Infrastructure as a Service
IL Impact Level
LZ Landing Zone
MCD Mission Cyber Defense
NSG Network Security Groups
PaaS Platform as a Service
PIV Personal Identity Verification
RoT Root of Trust
SaaS Software as a Service
SCCA Secure Cloud Computing Architecture
SCCA LZ Secure Cloud Computing Architecture Landing Zone
SRG Security Requirements Guide
STIG Security Technical Implementation Guides
TCCM Trusted Cloud Credential Manager
USCYBERCOM United States Cyber Command
VDMS Virtual Data-center Managed Services
VDSS Virtual Data-center Security Services
VTAP Virtual Testing Access Point

The architecture has the following components:

  • Availability domains

    Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.

  • Autonomous Database

    Oracle Autonomous Database is a fully managed, preconfigured database environment that you can use for transaction processing and data warehousing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating the database, as well as backing up, patching, upgrading, and tuning the database.

  • Cloud Guard

    You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.

  • Compartment

    Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. Use compartments to organize your resources in Oracle Cloud, control access to the resources, and set usage quotas. To control access to the resources in a given compartment, you define policies that specify who can access the resources and what actions they can perform.

  • DRG

    A dynamic routing gateway (DRG) is a virtual router to which you can attach VCNs and IPSec tunnels.

  • Exadata Database Service

    Oracle Exadata Database Service enables you to leverage the power of Exadata in the cloud. You can provision flexible X8M and X9M systems that allow you to add database compute servers and storage servers to your system as your needs grow. X8M and X9M systems offer RDMA over Converged Ethernet (RoCE) networking for high bandwidth and low latency, persistent memory (PMEM) modules, and intelligent Exadata software. You can provision X8M and X9M systems by using a shape that's equivalent to a quarter-rack X8 and X9M system, and then add database and storage servers at any time after provisioning.

    Oracle Exadata Database Service on Dedicated Infrastructure provides Oracle Exadata Database Machine as a service in an Oracle Cloud Infrastructure (OCI) data center. The Oracle Exadata Database Service on Dedicated Infrastructure instance is a virtual machine (VM) cluster that resides on Exadata racks in an OCI region.

    Oracle Exadata Database Service on Cloud@Customer provides Oracle Exadata Database Service that is hosted in your data center.

  • FastConnect

    Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth options and a more reliable networking experience when compared with internet-based connections.

  • Fault domains

    A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.

  • Firewall

    Provides intrusion detection and prevention service and filters out incoming traffic based on rules.

  • Identity

    The SCCA LZ assumes that the identity domain feature is available in the realm where it will be deployed. The X.509 feature flag is enabled in this deployment of the landing zone. DoD customers need to provide their own X.509 identity provider (IdP), which should also support the SAML Holder-of-Key (HOK) profile. Once this is configured, federated users can sign in to the OCI console with their Common Access Card (CAC) or Personal Identity Verification (PIV) card. To support SCCA access requirements with the above compartment configuration, the following IAM groups are deployed: VDSS Admin Group, VDMS Admin Group, and Workload Admin Group.

  • Independent services

    These are tenancy-wide services, such as Cloud Guard and VSS, that are activated for use with the LZ.

  • Load balancer

    The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.

  • Local peering gateway (LPG)

    An LPG enables you to peer one VCN with another VCN in the same region. Peering means the VCNs communicate using private IP addresses, without the traffic traversing the internet or routing through your on-premises network.

  • Logging

    This service is available within your tenancy for auditing and includes a compartment where all audit logs are written to a shared location governed by retention rules, so the logs cannot be modified. The DoD requirement is for the bucket to be accessible to external users, auditors, and the like without modifying the permissions of the rest of the environment.

  • Logging Analytics

    Oracle Logging Analytics is a cloud solution in OCI that lets you index, enrich, aggregate, explore, search, analyze, correlate, visualize, and monitor all log data from your applications and system infrastructure on-premises or in the cloud.

  • Monitoring

    OCI and the landing zone provide several services that work together to provide monitoring capabilities across your tenancy. They create a monitoring structure in the VDSS, VDMS, and workload compartments that sets you up for the initial monitoring requirement.

    They provide a starting point that administrators can tweak according to their own operational model. To avoid excessive cost and alert noise, the landing zone deployment has all of these alerts disabled by default. Based on your operational model, you can enable the relevant alerts from the OCI console.

  • Network address translation (NAT) gateway

    A NAT gateway enables private resources in a VCN to access hosts on the internet, without exposing those resources to incoming internet connections.

  • Networking

    To protect all traffic flows (North-South and East-West), OCI recommends segmenting the network using a hub-and-spoke topology, where traffic is routed through a central hub, the Virtual Data-center Security Services (VDSS) VCN, which is connected to multiple distinct networks (spokes): the Virtual Data-center Managed Services (VDMS) VCN and the Workload VCNs.

    All traffic between VDMS and Workload, to and from the internet, to and from on-premises, and to the Oracle Services Network is routed through the VDSS and inspected by the Network Firewall's multi-layered threat prevention technologies. The role of the Network Firewall is critical and, because it is a PaaS service, its performance is managed by OCI. The VDSS VCN contains a Network Firewall based on Palo Alto Networks technology, an Oracle internet gateway, a DRG, and an Oracle service gateway. The VDSS VCN connects to the spoke (VDMS and Workload) VCNs through the DRG. Each VCN has an attachment to the DRG, which allows the VCNs to communicate with each other. See Explore More for details about DRG and VCN attachments. All spoke (VDMS and Workload) traffic uses route table rules to send traffic through the DRG to the VDSS for inspection by the Network Firewall.

    The architecture also presents the option to use the new packet capture service in OCI called Virtual Testing Access Point (VTAP). Another key component of the architecture is the integration between the load balancer (deployed in VDMS and Workload) and the web application firewall (WAF).

  • Object storage

    Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

  • Region

    An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

  • Security

    The following OCI cloud native services will be implemented by the SCCA Landing Zone to help your organization meet the SCCA VDMS security requirements.

    • Vault (Key Management)
    • Log Archiving Storage Bucket
    • Streams & Events
    • Default Log Group
    • Service Connector
    • Vulnerability Scanning Service (VSS)
    • Cloud Guard
    • Bastion
  • Security list

    For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.

  • Security zone

    Security zones ensure Oracle's security best practices from the start by enforcing policies such as encrypting data and preventing public access to networks for an entire compartment. A security zone is associated with a compartment of the same name and includes security zone policies or a "recipe" that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.

  • Service Connector Hub

    A service that transfers data between OCI services, for example moving log data from Logging to Object Storage or Streaming.

  • Service gateway

    The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

  • Streaming

    This capability ingests and consumes high-volume data streams in real time.

  • Tenancy

    A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

  • Tenancy-side services

    These services include Identity Domains, IAM, Policies, Auditing, and Cloud Guard.

  • Virtual cloud network (VCN) and subnets

    A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

  • Virtual Data-center Managed Services (VDMS)

    Corresponds to all the core services required for managing the operations of the environment such as vault, VSS, and Object Storage.

  • Virtual Data-center Security Services (VDSS)

    The VDSS VCN is the single entry and exit point for traffic in your environment; traffic is isolated there and its routing is controlled at the network level.

  • Virtual Private Vault (VPV)

    Encryption management service that stores and manages encryption keys and secrets to securely access resources. The VPV will be replicated to a DR region for redundancy and key management in case of a disaster.

  • Vulnerability Scanning Service (VSS)

    You must use this to continuously monitor all enclaves within your cloud provider environment.

  • Workload compartment

    Every workload has a dedicated compartment and VCN routing through the VDSS and the Network Firewall to communicate with on-premises systems.
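The hub-and-spoke routing described under Networking above can be checked mechanically: every route in a spoke (VDMS or Workload) VCN whose destination lies outside the VCN should target the DRG, not an internet, NAT, service or local peering gateway that would bypass the VDSS Network Firewall. The following Python script is an added example and is not part of the Oracle landing zone code; its route-table representation, target-type names and VCN CIDRs are constructed assumptions that mirror the shape of an OCI route rule rather than the OCI API itself.

```python
"""Verify that spoke VCN route tables send all traffic leaving the VCN through the DRG.

Added example (not part of the Oracle SCCA Landing Zone code). Route rules are a
constructed, simplified representation: a destination CIDR and a target type.
"""
import ipaddress

# Constructed spoke CIDRs for the samples below (assumed, not from the landing zone).
WORKLOAD_CIDR = "10.2.0.0/16"
VDMS_CIDR = "10.1.0.0/16"

# Only the DRG leads to the VDSS hub, where the Network Firewall inspects traffic.
HUB_TARGET = "DRG"
# Targets that would let a spoke reach the internet, Oracle services or another
# VCN directly, bypassing inspection. Names are illustrative target types.
BYPASS_TARGETS = {"INTERNET_GATEWAY", "NAT_GATEWAY", "SERVICE_GATEWAY", "LOCAL_PEERING_GATEWAY"}


def spoke_route_violations(vcn_cidr, route_rules):
    """Return (destination, target, reason) for each rule that bypasses the hub.

    vcn_cidr: the spoke's own CIDR; destinations inside it are VCN-local and skipped.
    route_rules: list of {"destination": "<cidr>", "target": "<target type>"}.
    """
    own = ipaddress.ip_network(vcn_cidr)
    violations = []
    for rule in route_rules:
        dest = ipaddress.ip_network(rule["destination"])
        target = rule["target"]
        if dest.subnet_of(own):
            continue  # intra-VCN traffic never needs the hub
        if target in BYPASS_TARGETS:
            violations.append((rule["destination"], target, "leaves the VCN without passing the DRG"))
        elif target != HUB_TARGET:
            violations.append((rule["destination"], target, "unrecognised target type"))
    return violations


def has_default_route_via_hub(route_rules):
    """True when 0.0.0.0/0 is sent to the DRG, so internet-bound traffic is inspected."""
    return any(r["destination"] == "0.0.0.0/0" and r["target"] == HUB_TARGET for r in route_rules)


# Constructed sample route tables for a Workload VCN.
COMPLIANT_ROUTES = [
    {"destination": "0.0.0.0/0", "target": "DRG"},
]
DRIFTED_ROUTES = [
    {"destination": "0.0.0.0/0", "target": "DRG"},
    # A later change added a direct peering to VDMS, skipping the firewall.
    {"destination": VDMS_CIDR, "target": "LOCAL_PEERING_GATEWAY"},
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT_ROUTES), ("drifted", DRIFTED_ROUTES)):
        print(name, "default route via hub:", has_default_route_via_hub(rules))
        for dest, target, reason in spoke_route_violations(WORKLOAD_CIDR, rules):
            print("  ", dest, "->", target, ":", reason)
```

Run against route tables exported from each spoke VCN; any violation means East-West or North-South traffic can leave the spoke without crossing the VDSS, which is exactly the drift a Cloud Guard custom detector or a periodic compliance job should surface.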

Disclaimer

This document is for informational purposes only and is intended solely to assist you in planning for the implementation and upgrade of the product features described. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document may reference products/services or security controls that currently are in the process of obtaining DISA Impact Level 5 provisional authorization.

Recommendations

Use the following recommendations as a starting point. Your requirements might differ from the architecture described here.
  • VCN

    When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

    Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

    After you create a VCN, you can change, add, and remove its CIDR blocks.

    When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

  • Cloud Guard

    Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect Object Storage buckets that have visibility set to public.

    Apply Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.

    You can also use the Managed List feature to apply certain configurations to detectors.

  • Security Zones

    For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, Oracle Cloud Infrastructure validates the operations against the policies in the security-zone recipe, and denies operations that violate any of the policies.

  • Network security groups (NSGs)

    You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.

  • Load balancer bandwidth

    While creating the load balancer, you can either select a predefined shape that provides a fixed bandwidth, or specify a custom (flexible) shape where you set a bandwidth range and let the service scale the bandwidth automatically based on traffic patterns. With either approach, you can change the shape at any time after creating the load balancer.
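The VCN recommendation above (private address space, no overlap with any network you connect to privately, non-overlapping subnets) is easy to get wrong on paper and expensive to fix after a DRG attachment or FastConnect is in place. The following Python script is an added example, not part of the landing zone code; it validates a planned addressing scheme offline using only the standard library, and every VCN, subnet and on-premises CIDR in it is a constructed placeholder.

```python
"""Validate a planned OCI VCN and subnet addressing scheme before deployment.

Added example, not part of the Oracle SCCA Landing Zone. Checks the three rules
from the VCN recommendation: private address space, no overlap with privately
connected networks, and non-overlapping subnets inside each VCN.
"""
import ipaddress

# RFC 1918 private address space.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(cidr):
    """True if the whole CIDR falls inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in PRIVATE_RANGES)


def overlapping_pairs(named_cidrs):
    """Return [(name_a, name_b)] for every pair of networks that overlap."""
    items = [(name, ipaddress.ip_network(cidr)) for name, cidr in named_cidrs.items()]
    pairs = []
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            if items[i][1].overlaps(items[j][1]):
                pairs.append((items[i][0], items[j][0]))
    return pairs


def validate_plan(vcns, external_networks):
    """Check an addressing plan and return a list of findings (empty means it passes).

    vcns: {vcn_name: {"cidr": "<cidr>", "subnets": {subnet_name: "<cidr>"}}}
    external_networks: {name: "<cidr>"} for on-premises or other-cloud networks
                       that will be reached over private connectivity.
    """
    findings = []
    # 1. Every VCN CIDR must be in private address space.
    for name, vcn in vcns.items():
        if not is_private(vcn["cidr"]):
            findings.append(f"{name}: {vcn['cidr']} is outside RFC 1918 private space")
    # 2. No VCN may overlap another VCN or any privately connected network.
    all_nets = {name: vcn["cidr"] for name, vcn in vcns.items()}
    all_nets.update(external_networks)
    for a, b in overlapping_pairs(all_nets):
        findings.append(f"{a} overlaps {b}")
    # 3. Subnets must sit inside their VCN and must not overlap each other.
    for name, vcn in vcns.items():
        parent = ipaddress.ip_network(vcn["cidr"])
        for sname, scidr in vcn["subnets"].items():
            if not ipaddress.ip_network(scidr).subnet_of(parent):
                findings.append(f"{name}/{sname}: {scidr} is not inside {vcn['cidr']}")
        for a, b in overlapping_pairs(vcn["subnets"]):
            findings.append(f"{name}: subnet {a} overlaps subnet {b}")
    return findings


# Constructed sample plan with two deliberate mistakes: the Workload VCN collides
# with the on-premises range, and two of its subnets overlap.
SAMPLE_PLAN = {
    "vdss": {"cidr": "10.0.0.0/16", "subnets": {"firewall": "10.0.0.0/24", "lb": "10.0.1.0/24"}},
    "vdms": {"cidr": "10.1.0.0/16", "subnets": {"bastion": "10.1.0.0/24", "vault": "10.1.1.0/24"}},
    "workload": {"cidr": "10.2.0.0/16", "subnets": {"app": "10.2.0.0/24", "db": "10.2.0.128/25"}},
}
ON_PREM = {"onprem-dc": "10.2.0.0/16"}

if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_PLAN, ON_PREM) or ["plan passes"]:
        print(finding)
```

Keep the external network list complete: a range that is reachable today only through the internet but will later be attached over FastConnect or VPN counts as a privately connected network for this check.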

Considerations

Consider the following points when deploying this SCCA LZ architecture.

  • Performance

    Within a region, performance isn't affected by the number of VCNs. When you peer VCNs in different regions, consider latency. When deciding which components and applications to deploy in the VDMS and MO Workload compartments (spoke VCNs), carefully consider the throughput you will need at the connectivity level with the on-premises environment over your VPN or OCI FastConnect.

  • Security

    Use appropriate security mechanisms to protect the topology. The topology that you deploy by using the provided Terraform code incorporates the following security characteristics:

    • The default security list of the VDSS VCN allows SSH traffic from 0.0.0.0/0. Adjust the security list to allow only the hosts and networks that should have SSH access (or whatever other services ports are required) to your infrastructure.
    • Spoke VCNs (VDMS and MO Workload) are not accessible from the internet.
  • Management

    Route management is simplified as most routes will be at the DRG. Using the DRG as the VDSS, it is possible to have up to 300 attachments.

  • Operational Costs

    Monitor cloud consumption closely to ensure that operational costs stay within the designed budget. Basic compartment-level tagging has been configured for the VDSS and VDMS compartments. Certain cloud resources, such as Virtual Private Vault (dedicated HSM) and Network Firewall, are SCCA requirements. These services have a higher operating cost, and alternative services can be considered in non-production environments (for example, a shared software vault could be used instead in a non-production environment).
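The security consideration above (the default VDSS security list allowing SSH from 0.0.0.0/0) and the NSG recommendation under Recommendations both come down to the same review: find ingress rules whose source is too broad for a management port and narrow the source to known administrative networks. The following Python script is an added example and is not part of the landing zone or of the OCI SDK; its rule dictionaries are a simplified, constructed representation modelled on the fields an OCI security-list or NSG ingress rule carries (IANA protocol number, source CIDR, TCP port range), and the administrative CIDRs are placeholders.

```python
"""Find and narrow over-broad ingress rules for management ports.

Added example, not part of the Oracle SCCA Landing Zone. A rule is a dict with
"protocol" ("6" for TCP, "1" for ICMP, "all"), "source" (a CIDR) and an optional
"tcp_options" {"min": port, "max": port}; absent tcp_options means all ports.
"""
import ipaddress

# Ports that should never be reachable from the whole internet.
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}


def rule_covers_port(rule, port):
    """True if this ingress rule admits TCP traffic to the given port."""
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] != "6":
        return False
    opts = rule.get("tcp_options")
    if opts is None:
        return True  # TCP with no port range means every TCP port
    return opts["min"] <= port <= opts["max"]


def find_exposed_management_rules(ingress_rules, min_prefixlen=8):
    """Report rules with a source broader than /min_prefixlen that reach a management port.

    The default of /8 flags 0.0.0.0/0 and anything wider than a single /8, while
    leaving an organisation-wide 10.0.0.0/8 untouched.
    """
    findings = []
    for idx, rule in enumerate(ingress_rules):
        if ipaddress.ip_network(rule["source"]).prefixlen >= min_prefixlen:
            continue
        for port, service in MANAGEMENT_PORTS.items():
            if rule_covers_port(rule, port):
                findings.append({"rule_index": idx, "port": port, "service": service, "source": rule["source"]})
    return findings


def restrict_sources(ingress_rules, allowed_admin_cidrs, min_prefixlen=8):
    """Return a hardened copy of the rule list.

    Each over-broad rule that reaches a management port is replaced by one rule per
    allowed administrative CIDR with the same protocol and port range; every other
    rule (for example HTTPS from the internet to a load balancer) is kept as is.
    """
    hardened = []
    for rule in ingress_rules:
        too_broad = ipaddress.ip_network(rule["source"]).prefixlen < min_prefixlen
        exposed = too_broad and any(rule_covers_port(rule, p) for p in MANAGEMENT_PORTS)
        if not exposed:
            hardened.append(dict(rule))
            continue
        for cidr in allowed_admin_cidrs:
            replacement = dict(rule)
            replacement["source"] = cidr
            hardened.append(replacement)
    return hardened


# Constructed sample modelled on a default-style security list: SSH and HTTPS open
# to the world, ICMP from the VDSS CIDR (assumed 10.0.0.0/16).
DEFAULT_LIKE_INGRESS = [
    {"protocol": "6", "source": "0.0.0.0/0", "tcp_options": {"min": 22, "max": 22}},
    {"protocol": "6", "source": "0.0.0.0/0", "tcp_options": {"min": 443, "max": 443}},
    {"protocol": "1", "source": "10.0.0.0/16"},
]
# Placeholder administrative networks: a VDMS bastion subnet and an on-premises
# admin range (192.0.2.0/24 is a documentation-only prefix).
ADMIN_CIDRS = ["10.1.0.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    for finding in find_exposed_management_rules(DEFAULT_LIKE_INGRESS):
        print("exposed:", finding)
    for rule in restrict_sources(DEFAULT_LIKE_INGRESS, ADMIN_CIDRS):
        print("hardened:", rule)
```

Because OCI NSG security rules carry the same protocol, source and port fields, the same check applies to NSGs; the practical difference is that an NSG rule set is attached to the VNICs of one application tier, so narrowing it does not disturb other subnets that happen to share a security list.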

Deploy

The Terraform code for this reference architecture is available as a sample stack in Oracle Cloud Infrastructure Resource Manager. You can also download the code from GitHub, and customize it to suit your specific business requirements.
  • Deploy using the sample stack in Oracle Cloud Infrastructure Resource Manager:
    1. Go to Oracle Cloud Infrastructure Resource Manager.
    2. Sign in (if you haven't already), entering the tenancy and user credentials.
    3. Select the region where you want to deploy the stack.
    4. Follow the on-screen prompts and instructions to create the stack: click Create Stack, click Template, click Select Template, click Architecture, click the OCI SCCA Landing Zone template, and then click Select Template.
    5. After creating the stack, click Terraform Actions, and select Plan.
    6. Wait for the job to be completed, and review the plan.
    7. If changes are required, return to the Stack Details page, click Edit Stack, and make the required changes; then run the Plan action again.
    8. If no further changes are necessary, return to the Stack Details page, click Terraform Actions, and select Apply.
  • Deploy using the Terraform code in GitHub:
    1. Go to GitHub.
    2. Clone or download the repository to your local computer.
    3. Follow the instructions in the README document.

Explore More

Learn more about Oracle Cloud for Government and DoD realm, and SCCA.

Acknowledgments

Authors: Rakesh Kumar, John Horton, George Boateng, Aditya Uppu

Contributors: John Sulyok