This blog is a continuation of our overview blog. Its purpose is to provide a detailed process, with easy steps to follow, to ensure your new Oracle Cloud Infrastructure (OCI) tenancy is configured for a high security posture and aligned with the cloud security best practices set out in the Center for Internet Security (CIS) OCI Foundations Benchmark and by Oracle.
Along the way you will find resources for expanding your knowledge of OCI security capabilities.
We will take you through the planning and deployment of a CIS OCI Landing Zone, setting up the foundational integrations that improve your security posture, and periodically assessing the tenancy to detect potential configuration drift.
Throughout the blog we will reference our Security Guide GitHub repo, which hosts a wealth of links to blogs, integration guides and Oracle documentation.
For a new tenancy, the high-level process we recommend is:
There are many options and considerations when setting up a new OCI tenancy, and we recommend that you use the available resources to learn more about OCI and how best to take advantage of the native services your tenancy provides.
Our recommendation is to evaluate the prescriptive CIS OCI Landing Zone Quickstart as a starting point, as it provisions foundational resources according to the CIS OCI Benchmark and sets up your tenancy to meet controls such as Separation of Duties and scalable networks.
Many aspects of the Landing Zone and what it deploys can be customized without code changes by simply providing different configuration input via the Resource Manager UI or in the tfvars file directly.
It is important to understand whether your organization requires customizations that would introduce Terraform code changes. Customizing the Terraform code of the Landing Zone is generally not recommended, because it makes updating to new versions harder.
If you have specific requirements for your compartment structure, IAM policies, or network topology that the Quickstart Landing Zone cannot easily meet, we recommend evaluating the CIS OCI Module Collections, which give you the freedom to define these constructs in JSON format while still enforcing CIS controls.
There are different deployment options to consider, and the choice comes down to preference, comfort level and existing tooling. OCI provides the Resource Manager service as a simple way to deploy the Landing Zone and maintain any stateful metadata related to the deployment, including the Terraform state file. You can also use any third-party tooling to deploy the Landing Zone if you already have processes and tooling in place.
It is important to note that the Landing Zone is deployed regionally, so you need to deploy it into each region you anticipate using for your workloads.
Once the Landing Zone has been deployed, you will already have many resources created and configured in a way that follows the CIS OCI Benchmark. However, several integrations cannot be fully provisioned by the Landing Zone, either because they depend on external systems or because they need review by different teams. As next steps, we recommend going through the highly recommended tasks listed below.
An important part of the process is to verify that your tenancy has been configured according to the CIS recommendations, that test/demo resources were cleaned up, and that the right people will be alerted when a misconfiguration is detected.
The following verification should be done:
Now that you have tested and verified that your tenancy has foundational security controls in place, it is time to plan your workload deployment. We recommend that you review the section below to continue your security journey with OCI.
Abhi Mukherjee is a Principal Cloud Architect who drives cloud security programs as part of the North America Cloud Technology and Engineering Team.