Oracle Cloud Infrastructure – Security first: Cloud Guard and Security Zones – a first View
Two new Oracle Cloud Infrastructure Cloud Security Services
Good news: Oracle has provided two new services for cloud security. Cloud Guard to get an overview of existing possible security breaches and Security Zones, which allows to create a full restricted compartment. In this blog, I will give you a short overview about this brand new services.
Cloud Guard
The Cloud Guard service helps you to identify security issues in your tenancy. Before the first use, it has to be enabled and a base region and for a minimum one compartment has to be selected. It needs a new policy which Cloud Guard allows to gather information in your tenancy. Oracle Cloud Guard discovers available object in compartments like Compute Instances, Object Storage and many more and checks Oracle Cloud Infrastructure security best practices.
Link to documentation: https://docs.cloud.oracle.com/en-us/iaas/cloud-guard/using/index.htm
Enable Cloud Guard first
Based on recipes, it show you security recommendations for the findings and can execute corrective actions. There are two different receipes types available:
- Oracle Managed Detector Recipe – provided by Cloud Guard, doesn’t allow to disable rules
- User Managed Detector Recipe – a clone of an Oracle managed recipe, allows to disable individual rules
Examples for recipes – docs.cloud.oracle.com
| Oracle Managed Recipe | User Managed Recipe | |||
| Rule | Status | Risk Level | Status | Risk Level |
| Bucket is public | ENABLED | HIGH | DISABLED | HIGH |
| Instance has public IP address | ENABLED | CRITICAL | ENABLED | HIGH |
| VCN has no inbound Security List | ENABLED | MEDIUM | DISABLED | MEDIUM |
Based on detected findings, Cloud Guard is able to to corrective actions. This feature called Responder Rules requires a policy. Problems can be fixed on three ways:
- Remediated – Fix using Cloud Guard responder
- Resolved – Fixed by other process
- Dismissed – Ignore and close
Example for a Cloud Guard Responder Action
Example – Cloud Guard has detected a Public IP
Cloud Guard Dashboard
The dashboard gives you an overview of the findings and actions. There are direct links to the findings and recommendations. Ok, It looks I have to review my test compartment 😉
Security Zones
A security zone is associated on a compartment and a security zone recipe. For example when in the recipe is defined, users cannot create an Internet Gateway in a defined compartement, an error message occurs when he tries to create one.
Link to documentation: https://docs.cloud.oracle.com/en-us/iaas/security-zone/using/security-zones.htm
Create a new Security Zone
Recipes
There are some basic rules in the Oracle defined recipe (at the moment you can not create a customer based recipe) – for example:
- Resources can’t be moved out from a security zone to a regular compartment
- Resources are not accessible by Internet
- Resources must be regularly backed up
Test – Create an Internet Gateway in the new created Security Zone
A violation message occurs, the security zone recipe doesn’t allow creating Internet Gateways.
Summary
I really like these two new services. Cloud Guard which helps me to identify possible security issues and Security Zones to create secure compartments without writing manual policies. This is only a short overview, in next days I will definitely take a deeper look, especially in Cloud Guard and the corrective actions. I have a great interest to find out how it works in the background for example when a public IP is detected and so on. The Oracle Cloud Infrastructure security is definitely on track!