OCI Security Monitoring Using Oracle CASB Cloud Service – Security Controls and Policy Alerts

Customers can use Oracle CASB Cloud Service (hereafter referred to as CASB) to monitor and gain deeper visibility into their OCI environments to protect against security threats.

CASB supports security monitoring of a rich set of cloud applications. This link describes the set of applications that CASB can monitor and how to prepare them for monitoring. This post is focused on OCI as a target application for CASB.

CASB provides some capabilities out of the box for all monitored applications, without any configuration by customers. For example, CASB monitors user activity and builds a behavior profile for each user, which is used to detect anomalous behavior. Similarly, CASB receives threat intelligence data that is used to detect threats. More information about anomalous behavior is here.

However, customers need to configure some other aspects of security monitoring to enable CASB to monitor cloud applications. Security Controls and Policy Alerts are two such aspects, and they need to be configured for each individual cloud application. We expect this blog post to serve as a quick reference to these two specific aspects of OCI monitoring with CASB.

Readers who need a refresher on CASB should refer to the documentation here.

Please note that future versions of CASB might provide features beyond those covered here, so readers should refer to the documentation for the latest information.

The documentation also includes some video tutorials that users may find useful. They are located here.

The current set of OCI resources that can be monitored with CASB is documented here. More OCI resources may be added to this set in future. New features are documented here.

Security Controls and Policy Alerts are two of the several important aspects that CASB can monitor for supported targets. We will focus on these two categories of CASB monitoring for OCI in this blog post. The complete list of categories can be found here.

Before we get into the core topic of this blog post, here is a blog post that can help you quickly set up CASB monitoring for OCI, and here is the CASB product documentation for the same. A video tutorial for visually inclined folks is here.

Now, let's get to the main focus of this blog post.

Security Controls:

Security Controls are best-practice configuration settings that CASB monitors, alerting on any deviation. For the most part, users don't need to perform any configuration. It is now possible to create and activate Security Control Templates that CASB uses as its baseline. Details about how to view or modify the Security Control Baseline and adopt the Template feature for OCI are documented here.

Some security controls allow exceptions to be configured in order to control the volume of Risk Events that are created. In addition, some security controls need additional configuration items, because these may differ between customers according to their respective security policies. For example, the following is a screen capture of a security control parameter for OCI that accepts values for exceptions as well as values for configuration parameters:
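To make the two mechanisms just described concrete, here is an added illustration (not Oracle CASB code, and not CASB's configuration format): each hypothetical control compares constructed OCI-like resource records against a best-practice baseline, takes a tenant-specific parameter where the baseline depends on the customer's own policy, and honours an exception list so that an accepted deviation does not generate a Risk Event. The control names, resource records and the `max_api_keys` parameter are all invented for the example.

```python
"""Baseline-deviation check in the spirit of CASB Security Controls.

Hypothetical example, not Oracle CASB code or its configuration format.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Resource = Dict[str, object]


@dataclass
class SecurityControl:
    name: str
    # predicate returns True when the resource complies with the baseline
    check: Callable[[Resource, dict], bool]
    # customer-specific parameters (different tenants have different policies)
    params: dict = field(default_factory=dict)
    # resource names explicitly excluded from this control
    exceptions: List[str] = field(default_factory=list)

    def evaluate(self, resources: List[Resource]) -> List[dict]:
        """Return one Risk Event per non-exempt resource that deviates."""
        events = []
        for r in resources:
            if r["name"] in self.exceptions:
                continue  # accepted deviation, suppress the event
            if not self.check(r, self.params):
                events.append({"control": self.name, "resource": r["name"]})
        return events


# Constructed OCI-like resource inventory (not real tenancy data)
BUCKETS = [
    {"name": "app-logs", "public": False},
    {"name": "static-site", "public": True},   # public by design
    {"name": "backups", "public": True},       # accidental exposure
]
USERS = [
    {"name": "alice", "mfa": True, "api_keys": 1},
    {"name": "svc-deploy", "mfa": False, "api_keys": 3},
    {"name": "bob", "mfa": False, "api_keys": 0},
]

no_public_buckets = SecurityControl(
    name="Object Storage bucket must not be public",
    check=lambda r, p: not r["public"],
    exceptions=["static-site"],   # exception keeps the event volume down
)
mfa_required = SecurityControl(
    name="IAM users must have MFA enabled",
    check=lambda r, p: r["mfa"],
)
api_key_limit = SecurityControl(
    name="IAM users must not exceed the tenant's API-key limit",
    check=lambda r, p: r["api_keys"] <= p["max_api_keys"],
    params={"max_api_keys": 2},  # hypothetical tenant-specific parameter
)


def run_controls() -> List[dict]:
    """Evaluate every control against its resource set and collect Risk Events."""
    return (no_public_buckets.evaluate(BUCKETS)
            + mfa_required.evaluate(USERS)
            + api_key_limit.evaluate(USERS))


if __name__ == "__main__":
    for ev in run_controls():
        print(f"RISK EVENT: {ev['control']} -> {ev['resource']}")
```

Running it yields four Risk Events: the accidentally public `backups` bucket, the two users without MFA, and the one user above the API-key limit; the `static-site` bucket is silent because it is on the exception list, which is exactly the volume-control role exceptions play in the control shown above.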

Tip – For contextual documentation about a certain parameter, click the more-information icon beside the name of the Security Control Parameter. This applies in general to other UI pages of CASB: wherever you see this icon, you can get contextual help by clicking on it.

The comprehensive list of all the Security Controls that CASB supports for OCI is documented here.

Policy Alerts:

CASB Policies are rules or guidelines against which customers want ongoing events to be evaluated, capturing the events that match a policy so that they can be reviewed and rectified if necessary. CASB Cloud Service generates an alert whenever an event matching the policy occurs. CASB supports two different kinds of policies:

Managed Policies – CASB provides a predefined set of policies for each application type. These are based on general good practices for the respective application types. You should examine the existing policies for your application type, and consider implementing managed policies, before creating your own custom policies. Managed policies can also be duplicated in the Custom Policies section and then customized if the use case you are trying to meet is slightly different from that covered by the managed policy. Managed Policies are of two types:

  • Tier-1 Policies – These relate to information security events and changes. These policies are enabled by default.
  • Tier-2 Policies – These relate to IT and information security events and changes and generally need to be customized to provide enterprise-specific context (for example, a domain name) before they can be enabled. Policy descriptions explain what context is needed for an individual policy. These policies should be copied to the Custom Policies section to be modified and enabled.

Custom Policies – Customers can also define their own custom policies. Customers may need to define custom policies when:

  • A Managed Policy as defined out of the box for a cloud application doesn't exactly cover their use case and needs some tweaking (for example, to add exceptions that exclude resources for which alerts are raised). In order to modify a Managed Policy, it must be copied to the Custom Policies section. Once the copied Policy has been modified, it should be enabled in the Custom Policies section and, if the original policy is no longer needed, disabled in the Managed Policies section.
  • A Custom Policy is needed for a use case that is not covered by a Managed Policy.
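The copy, customize, enable and disable workflow described in the list above is easy to get wrong (leaving both copies enabled doubles every alert), so here is an added illustration of it (not Oracle CASB code, and not CASB's policy format): a hypothetical policy matches constructed OCI-audit-style events by event name, a Managed Policy is duplicated into the Custom section with a compartment exception, and the original is disabled so the same event is not alerted on twice. Policy names, event names and compartment names are all invented for the example.

```python
"""Policy-alert evaluation in the spirit of CASB Managed and Custom Policies.

Hypothetical example, not Oracle CASB code or its policy format.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List

Event = Dict[str, str]


@dataclass
class Policy:
    name: str
    section: str                 # "Managed" or "Custom"
    event_names: List[str]       # audit event names this policy matches
    enabled: bool = True
    # compartments excluded from alerting (customization added in Custom section)
    exempt_compartments: List[str] = field(default_factory=list)

    def matches(self, ev: Event) -> bool:
        return (self.enabled
                and ev["eventName"] in self.event_names
                and ev["compartment"] not in self.exempt_compartments)


def copy_to_custom(managed: Policy, **changes) -> Policy:
    """Duplicate a Managed Policy into the Custom section and apply the tweak."""
    return replace(managed, section="Custom", enabled=True, **changes)


def evaluate(policies: List[Policy], events: List[Event]) -> List[dict]:
    """Return one alert per (policy, event) match across all enabled policies."""
    return [{"policy": p.name, "section": p.section, "event": ev["eventName"],
             "compartment": ev["compartment"]}
            for ev in events for p in policies if p.matches(ev)]


# Constructed audit-style events (not real OCI Audit records)
EVENTS = [
    {"eventName": "CreateUser", "compartment": "prod", "principal": "alice"},
    {"eventName": "UpdateSecurityList", "compartment": "prod", "principal": "bob"},
    {"eventName": "UpdateSecurityList", "compartment": "sandbox", "principal": "ci-bot"},
    {"eventName": "LaunchInstance", "compartment": "sandbox", "principal": "ci-bot"},
]

# Hypothetical managed policies, enabled by default like Tier-1 policies
MANAGED_SECLIST = Policy("Security list modified", "Managed", ["UpdateSecurityList"])
MANAGED_USER = Policy("IAM user created", "Managed", ["CreateUser"])


def managed_only() -> List[dict]:
    """Out-of-the-box behaviour: every matching event raises an alert."""
    return evaluate([MANAGED_SECLIST, MANAGED_USER], EVENTS)


def with_custom_exception() -> List[dict]:
    """Copy the managed policy, add an exception, disable the original."""
    custom_seclist = copy_to_custom(MANAGED_SECLIST, exempt_compartments=["sandbox"])
    disabled_managed = replace(MANAGED_SECLIST, enabled=False)
    return evaluate([disabled_managed, custom_seclist, MANAGED_USER], EVENTS)


if __name__ == "__main__":
    print("managed only:", managed_only())
    print("with custom exception:", with_custom_exception())
```

With only the managed policies, three alerts fire, including one for the security-list change in the `sandbox` compartment. After the copy is customized and the original disabled, two alerts remain, the sandbox change is suppressed by the exception, and the `prod` security-list change is reported once from the Custom section rather than twice.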

More information about CASB Policies can be found here.

This link describes how to create Custom Policies for OCI.

CASB Managed Policies for OCI:

In order to list and view the Managed Policies for OCI:

  • Log in to the CASB console, click the Navigation menu (hamburger icon) towards the top left of the console, and then navigate to Configuration and then to Policy Management.
  • Click on the Managed tab.

  • Filter on Application Type “OCI” by clicking the filter icon between “APPLICATION” and “SUBSCRIBED”, as shown in the following screen capture. Select OCI from the drop-down and click the Filter button:

  • All the Managed Policies for OCI are listed. These policies monitor various resources in an OCI tenancy, such as Compute Instances, DB Systems, Identity Users/Groups/Policies, Load Balancers, VCNs, Object Storage, and Block Volumes.

As I mentioned above, the OCI resources that CASB monitors are listed here. Additionally, to modify or customize any Managed Policy, follow this section of the CASB documentation. Individual policy descriptions explain what a policy is meant to do and what additional information, if necessary, should be provided (for example, with Tier-2 policies).

Please note that CASB Engineering may add new Managed Policies for the supported applications from time to time as new features are released. Hence it is a good idea to keep an eye on the new features announced here.

I would like to thank my colleague Uday Sambhara for contributing to this blog post.

