Security Best Practices Guide for new OCI Tenancy

March 29, 2024 | 5 minute read
Johannes Murmann
Master Principal Security Cloud Architect.
Abhi Mukherjee
Principal Cloud Architect
Chaitanya Chintala
Cloud Security Advisor

Purpose

This blog continues our overview blog. Its purpose is to give you a detailed process, with easy steps to follow, to ensure your new Oracle Cloud Infrastructure (OCI) tenancy is configured for a high security posture and aligned with the cloud security best practices provided by the Center for Internet Security (CIS) OCI Foundations Benchmark and by Oracle.

Along the way you will find resources for expanding your knowledge of OCI security capabilities. We will take you through the planning and deployment of a CIS OCI Landing Zone, setting up the foundational integrations that improve your security posture, and periodically assessing the tenancy to detect configuration drift.

Throughout the blog we reference our Security Guide GitHub repo, which hosts a wealth of links to blogs, integration guides and Oracle documentation.


Steps to secure your OCI tenancy

For a new tenancy the high-level process we recommend is:

High level process

Learn:

There are many options and considerations when setting up a new OCI tenancy, and we recommend that you use the available resources to learn more about OCI and how best to use the native services your tenancy provides.

Learn about OCI

Plan:

Our recommendation is to evaluate the prescriptive CIS OCI Landing Zone Quickstart as a starting point: it provisions foundational resources according to the CIS OCI Benchmark and sets up your tenancy to meet controls such as separation of duties and scalable networks.

Many aspects of the Landing Zone and what it deploys can be customized without code changes, simply by providing different configuration input through the Resource Manager UI or directly in the tfvars file. It is important to understand whether your organization requires customizations that would introduce Terraform code changes. Customizing the Terraform code of the Landing Zone is generally not recommended, because it makes updating to new versions harder.

In cases where you have specific requirements for your compartment structure, IAM policies, or network topology that the Quickstart Landing Zone can’t easily meet, we recommend evaluating the CIS OCI Module Collections, which give you the freedom to define these constructs in JSON format while still enforcing CIS controls.

Plan your tenancy security

Execute:

There are different deployment options to consider, and the choice comes down to preference, comfort level and existing tooling. OCI provides the Resource Manager service as a simple way to deploy the Landing Zone and maintain any stateful metadata related to the deployment, including the Terraform state file. You can also use third-party tooling to deploy the Landing Zone if you already have processes and tooling in place.

It is important to note that the Landing Zone is deployed per region, so you need to deploy it into each region you anticipate using for your workloads.

Once the Landing Zone has been deployed, you will already have many resources created and configured in a way that follows the CIS OCI Benchmark. However, several integrations can’t be fully provisioned by the Landing Zone, either because they depend on external systems or because they need review by different teams. As next steps, we recommend going through the highly recommended tasks listed below.

  1. OCI Audit Log SIEM integration: find instructions for your SIEM.
  2. CSPM integrated with your tenancy: review recommendations for using and tuning OCI Cloud Guard.
  3. OCI Console integrated with your enterprise IdP or OCI Identity Domains: find instructions here.
  4. Centralized user/group lifecycle management: find instructions for your IdP and how to use SCIM.
  5. Ensure MFA is enforced for OCI Console access: review your enterprise IdP or OCI Identity Domains documentation to ensure MFA is enforced.
  6. Compartment structure supports access controls and grouping: review the “IAM Policies, Groups and Compartments” section on how to design compartment hierarchies.
  7. Secure and scalable networks: review our blogs on network design.
  8. Resilient connectivity: review our blogs on resilient network connectivity.
  9. Visibility into unexpected OCI cloud spending: review our blogs on cloud governance.
  10. Database security: review our blogs on Data Safe and how to get started using it.

Operationalize your tenancy security

Test and Verify Compliance:

An important part of the process is to verify that your tenancy has been configured according to the CIS recommendations, that test/demo resources have been cleaned up, and that the right people will be alerted when a misconfiguration is detected.

The following verification should be done:

  1. Run the CIS Checker script following these instructions and review any findings. This shows whether there are any deviations from the CIS recommendations.
  2. Review the emails and distribution lists used for sending alerts related to security and network events. Run simple tests that change security/network resources and verify that alerts are sent and received and that people know how to react.
  3. For the SIEM integration, we recommend verifying that audit data is flowing from all regions and that the SIEM team understands the structure of the data and what to alert on or look for.
  4. For the CSPM, we recommend a review and tuning period in which the severity of detected issues is adjusted; based on this, adjust the security baseline if needed. The goal is high fidelity in the detected issues. It is important that the security team has been trained on using the CSPM tooling. In the case of OCI Cloud Guard, we recommend reviewing the following blogs.
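As an added example that is not part of the original post, here is a small Python check for item 3: it confirms that audit data arrived from every subscribed region within a time window and picks out the write events (IAM and VCN security changes) the SIEM team should alert on. It assumes audit events shaped like `oci audit event list` output, collected per region by a separate step, and uses constructed sample data; the watched event-type prefixes are an assumed starting list.

```python
# Added example, not from the blog: confirm audit data arrived from every
# subscribed region inside a time window and pick out the write events the
# SIEM team should alert on. Assumes events shaped like `oci audit event list`
# output, collected per region by a separate step; all sample data is constructed.
from datetime import datetime, timedelta, timezone

# Assumed starting list of event-type prefixes to alert on: IAM changes and
# VCN security lists / NSGs / gateways. Read-only calls carry no change signal.
ALERT_PREFIXES = ("com.oraclecloud.identitycontrolplane.",
                  "com.oraclecloud.virtualnetwork.")
READ_ONLY = ("get", "list")
SUBSCRIBED = ["us-ashburn-1", "us-phoenix-1"]
SAMPLE = {  # region -> events returned by that region's query (constructed)
    "us-ashburn-1": [
        {"eventType": "com.oraclecloud.virtualnetwork.updatesecuritylist",
         "eventTime": "2024-03-29T10:15:00.000Z",
         "data": {"eventName": "UpdateSecurityList",
                  "identity": {"principalName": "alice@example.com"}}},
        {"eventType": "com.oraclecloud.computeapi.listinstances",
         "eventTime": "2024-03-29T10:16:00.000Z",
         "data": {"eventName": "ListInstances",
                  "identity": {"principalName": "bob@example.com"}}},
    ],
    "us-phoenix-1": [],  # subscribed, but nothing arrived: a coverage gap
}

def is_alertable(event):
    """True for a write operation under one of the watched prefixes."""
    etype = event["eventType"]
    op = etype.rsplit(".", 1)[-1]  # e.g. "updatesecuritylist"
    return etype.startswith(ALERT_PREFIXES) and not op.startswith(READ_ONLY)

def verify(events_by_region, subscribed, now, window_hours=24):
    """Return (regions with no events in the window, alertable events)."""
    cutoff = now - timedelta(hours=window_hours)
    silent, alerts = [], []
    for region in subscribed:
        recent = [e for e in events_by_region.get(region, []) if
                  datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")) >= cutoff]
        if not recent:
            silent.append(region)
        alerts += [(region, e["data"]["eventName"], e["data"]["identity"]["principalName"])
                   for e in recent if is_alertable(e)]
    return silent, alerts

def run_sample():
    """Run the check against the constructed sample at a fixed clock time."""
    now = datetime(2024, 3, 29, 12, 0, tzinfo=timezone.utc)
    return verify(SAMPLE, SUBSCRIBED, now)
```

A silent region usually means the Service Connector or collector for that region was never set up, which is exactly the per-region gap the regional Landing Zone deployment can leave behind.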

Test and Verify phase

Now that you have tested and verified your tenancy has foundational security controls in place, it is time for planning your workload deployment. We recommend that you review the section below to continue your security journey with OCI.


Next Steps on your OCI Cloud security journey

  • We suggest reviewing the Best Practices Framework for Oracle Cloud Infrastructure solution playbook, as it provides a broader overview of the key items that should be on any customer's project plan to deploy their first workload on OCI, or to check their existing tenancy to ensure they are leaning on the experience gained by other Oracle customers.
  • Establish a six-month or yearly process for running the CIS Compliance Checker and assessing compliance with the CIS OCI Benchmark.
  • Review our solution playbook about incorporating cyber-resilience capabilities into your OCI tenancy.

Abhi Mukherjee is a Principal Cloud Architect who drives cloud security programs as part of the North America Cloud Technology and Engineering Team.