OCI Security Zones


This article is about OCI network and environment security, OCI Security Zones, and how back doors get opened by accident.

Have you ever left the back door of your home open and not realised it?

Hopefully, if you've ever done this by accident then you were lucky and no one noticed. It's easy to do: in the rush to leave the house it's easy to forget to close the back door.

What about your corporate network? It's possible to make a network change and inadvertently cause a back door to swing open unnoticed. A back door might be a network route or internet gateway which allows inbound traffic to a sensitive part of your network, a user account that hasn't enabled MFA, or a misconfiguration on the firewall which fails to whitelist the required endpoints.

There are some solutions to help with this door problem:

1) You could fit a sensor to the door. If the door is not closed when you leave the house, the sensor picks this up and sends you an alert. The same sensor can alert you if the door opens when you're not in the house (a burglar alarm).

2) You could remove the door and doorway altogether. If you brick up the doorway then there's no risk of someone coming in! Sounds extreme? Yes... but it's effective. If you brick it up, you had better not leave a sledgehammer lying around, as someone could just re-open the doorway (and with less effort than bricking it up in the first place). You could, of course, hide the sledgehammer or leave it with a trusted neighbour.

Ok... all analogies are inadequate representations of reality, so let's stop there and focus on how this applies to our OCI environments.

All corporate networks need to be secure, and they need to be accessible by those who need to access them. If you build a secure network, can you answer the following questions:
  • Assurance: Is it still secure? In other words, you built it secure yesterday... is it still secure today?
  • Detection: Do you know when someone tried to create a back door? Someone on the inside just took a sledgehammer to the bricked-up wall and punched a hole through. They may have done it accidentally or deliberately.
  • Prevention: Is the sledgehammer locked away with a trusted neighbour? In other words, have you prevented anyone from opening up a back door in the first place?

Prevention is always best, and Assurance that something is still secure tells you that your Prevention methods are still working. But no system is 100% secure, so Detection is a vital fail-safe. If it's secure and you've prevented someone from making it insecure, then detecting when that state changes is vital to ongoing security.

OCI Cloud Guard

If you use OCI for any of your applications then you will automatically have Cloud Guard. This is a built-in, complimentary security service that constantly watches for security issues appearing in your environment. Cloud Guard watches user activity, changes to networks and vulnerabilities in server operating systems, and is the Assurance and Detection element of the overall solution to safeguarding your systems. It rates risks and threats according to a standard set of rules defined in what's called a Cloud Guard Threat Detector Recipe. More on Cloud Guard's comprehensive Detection and Assurance benefits another time. This article is about Prevention (aka open back doors).

Introducing OCI Security Zones

OCI Security Zones ensure that the Resources within a specified Compartment continue to comply with your security policies.

For example:

A Security Zone policy forbids the creation of a public OCI Storage Bucket. If a user, with the required permissions to create OCI Buckets, attempts to create a public one then the Security Zone policies will detect this breach of policy, deny the action and throw an alert to Cloud Guard. This is Prevention.

Deny Creation of Public Storage Bucket

Change operations to Resources within the protected Compartment which violate security policies are denied. This gives you the assurance that no one can accidentally or maliciously make changes to your production environment which might open a back door.

Example Security Zone around Compartment B

How does it work?

I'm going to walk through the setup of a Security Zone around my Compartment called GrahamTest and activate the Oracle delivered Maximum Security Recipe.

Step 1 - Understanding Security Recipes

A Security Zone Recipe defines the security policies to be applied to the Resources within the Compartment, and Oracle delivers a pre-defined one called Maximum Security Recipe. Whilst you can't edit the Oracle-delivered Maximum Security Recipe, you can create Custom Recipes either by cloning an existing one or from scratch.

Security Recipes allow you to define policies such as denying the creation or modification of resources which would grant public access, denying the movement of resources to a different compartment, preventing weak SSL encryption, and many more policies which are classified under a number of major security principles including:
  • Restrict Resource Movement
  • Deny Public Access (i.e. opening a back door)
  • Require Encryption

Creating a New Custom Recipe to Deny Public Access

Step 2 - Define the Security Zone

A Security Zone is a set of controls which govern what you can do to the resources in a Compartment. This is likely to be your production Compartment, in which you have the production VCN, Gateways, Instances, Storage etc. In my example the Compartment name is GrahamTest and it contains a VCN and a number of Compute Instances.

  • Navigate: Identity & Security > Security Zones
  • Select the Compartment you want to secure.
  • Click Create Security Zone.
  • Select the desired Zone Recipe: Oracle Managed or Customer Managed.
  • Enter a sensible Name and Description.
  • And that's it.

Creating a new Security Zone on Compartment GrahamTest


New Security Zone showing the Protected Compartments
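Steps 1 and 2 above are console clicks; the same custom recipe and Security Zone can be declared as code so the protection is reproducible and reviewable. The Terraform below is an added example, not part of the original article or of Oracle's documentation. It assumes the OCI Terraform provider's `oci_cloud_guard_security_recipe` and `oci_cloud_guard_security_zone` resources and the `oci_cloud_guard_security_policies` data source, that the policy catalogue exposes a `display_name` containing the word "public" for the Deny Public Access policies, and that the two OCIDs are supplied as variables.

```hcl
# Added example (not the article's own code). Assumed: oracle/oci provider
# resources oci_cloud_guard_security_recipe, oci_cloud_guard_security_zone and
# data source oci_cloud_guard_security_policies; OCIDs are supplied by the caller.

variable "tenancy_ocid" {}               # where recipes and the policy catalogue live
variable "protected_compartment_ocid" {} # e.g. the GrahamTest compartment

# Oracle-delivered policy catalogue; policy OCIDs are tenancy-specific, so look them up.
data "oci_cloud_guard_security_policies" "catalogue" {
  compartment_id = var.tenancy_ocid
}

locals {
  # Assumption: pick the "Deny Public Access" policies by display name, e.g. the
  # ones that forbid public buckets and internet gateways.
  deny_public_policy_ids = [
    for p in data.oci_cloud_guard_security_policies.catalogue.security_policy_collection[0].items :
    p.id if can(regex("(?i)public", p.display_name))
  ]
}

# Step 1: a custom recipe (the Oracle Maximum Security Recipe cannot be edited).
resource "oci_cloud_guard_security_recipe" "deny_public_access" {
  compartment_id    = var.tenancy_ocid
  display_name      = "Deny Public Access"
  description       = "Custom recipe: deny public buckets and internet gateways"
  security_policies = local.deny_public_policy_ids
}

# Step 2: the Security Zone that applies the recipe to the production compartment.
resource "oci_cloud_guard_security_zone" "graham_test" {
  compartment_id          = var.protected_compartment_ocid
  display_name            = "GrahamTest-SecurityZone"
  description             = "Deny changes that would open a back door into GrahamTest"
  security_zone_recipe_id = oci_cloud_guard_security_recipe.deny_public_access.id
}

output "security_zone_id" {
  value = oci_cloud_guard_security_zone.graham_test.id
}
```

Once applied, a `terraform plan` that tries to add an Internet Gateway or a public bucket inside the protected compartment will fail at apply time with a policy violation, which is the Prevention behaviour demonstrated in Step 3.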


Step 3 - Verify the Security Zone is active

You can see from the screenshot below of my GrahamTest Compartment details, that it is now protected by a Security Zone. There's a handy drill through link which then takes you to the Security Zone definition.

Compartment Details view showing Security Zone

See the effect of the Security Zone protection

We've been talking about opening backdoors so let's go ahead and try and create one now that our Compartment is protected with a Security Zone.

An example back door into an OCI network would be the creation of an Internet Gateway. See the video below for just one example of how the Security Zone Recipe protects your environment.

I hope this write-up has been useful. If you're thinking of running PeopleSoft on OCI, or you already do, then this is a feature that's well worth implementing to gain some additional protection against accidental or malicious changes to your environment.
