Genesis:
Oracle Cloud Infrastructure (OCI) is the most innovative, agile, and cost-effective cloud services provider (CSP). It has consistently provided the best overall value proposition to our customers for their public and government cloud computing needs when compared to our competitors. It is also certified against a range of standards, regulations, and frameworks: regional (GDPR, BSI C5 etc.), government (DoD DISA SRG IL5, NIST etc.), industry (PCI-DSS, HIPAA etc.) and global (SOC 1, 2, 3; ISO 27001; CSA Level 2 etc.).
But many times, before a customer can move their sensitive application and database IaaS or PaaS workloads to OCI from their on-premises datacenters or from other CSPs, they are required to engage in a certification exercise. In it they must independently verify that the security controls implemented within OCI meet the controls required by the local, state or federal security regulations (like 23 NYCRR Part 500 [NYDFS], PCI-DSS, FedRAMP etc.) and privacy regulations (like GDPR, CCPA, SAMA etc.) that apply to their business. They are also often required to verify compliance with the security policy and standards set by their internal security, risk, and compliance teams before their security team can grant an approval to operate on OCI.
Introduction:
To reduce delays in onboarding customers to OCI without compromising the integrity of their compliance and privacy requirements, this blog post highlights the best practices that can streamline and speed up the certification of OCI before it is approved as an authorized CSP for all customer IaaS (applications, databases etc.) and PaaS workloads. The certification is done by testing each service in scope and verifying that the implemented security controls are operating in compliance with a reference framework (like NIST 800-53).
Best Practices:
- Identify Customer SMEs – Identify the customer Security, IT, Compliance and Risk Management subject matter experts (SMEs) who will conduct the service reviews.
- Identify Oracle SMEs – Identify the Oracle Security Specialists and Enterprise Architects (EAs) who will engage in dialog with the customer SMEs to aid the certification.
- Service Discovery – Based on customer compute and application requirements, identify all the OCI services in scope for the certification (e.g., Compute, Identity and Security, Networking, Storage, Observability and Management, Developer Services, Container and Databases etc.).
- Service Prioritization – Prioritize the services by need (e.g., 1, 2, 3) or by phase (e.g., Phase 1, Phase 2). Generally, the best practice is to group all the Priority 1 (critical) services into Phase 1.
- Level of Effort – Customer SMEs are generally very busy, so the best practice is to identify the level of effort required from them to certify each service (e.g., High/Med/Low) and ensure that their limited time is prioritized for the Phase 1 or Priority 1 service certifications.
- Compliance Reports Proactive Review – OCI performs annual compliance assessments, independent penetration tests, and third-party audits to generate reports (e.g., SOC, HIPAA, HITRUST, ISO, PCI-DSS, CSA STAR etc.) that assert its compliance with various security and privacy regulations and standards. The best practice is to review these audit reports and the security controls documentation (e.g., the NIST 800-53 control mapping) proactively with the customer SMEs.
- Update Certification Scope – After the review of the compliance reports and security controls documentation, the best practice is to update the scope of certification since the customer may waive the need to certify certain services based on the assessment reports and documentation already shared with them.
- Finalize Services – Finalize the services list for each of the infrastructure platforms to create a basis for certification. For example, for (a) Security and Identity the services that may need to be certified may include Cloud Guard, Identity and Access Management (IAM), Vault, Security Zones, and Certificates; for (b) Compute they may include autoscaling, monitoring, dedicated virtual hosts, capacity reservations, and bare metal and VM instances.
- Certification Schedule – The best practice is to create and publish a resource-loaded certification schedule for each OCI service to be certified.
- Training Workshop – If the customer is new to OCI, before any certification testing begins, the Oracle SMEs can conduct technical workshops on Identity, Network, Infrastructure, and Security to provide hands-on training for each service to be certified within the tenancy.
- POC Tenancy – It is best to create a proof of concept (POC) tenancy where the certification and testing are conducted and verified by the customer SMEs. Oracle SMEs can also provide over-the-shoulder configuration and testing support within this tenancy. The POC tenancy should be created such that it can promptly be migrated to a production tenancy once the testing and service certifications have been completed.
- Testing – The customer SMEs conduct testing and assessments on the identified OCI services that need to be certified and verify that the implemented security controls and features are operating in compliance with the reference framework they use (like NIST 800-53 or ISO 27001).
Conclusion:
The best practices above can help organize, prioritize, and speed up the testing and assessments required to certify OCI as a preferred and authorized cloud services provider for a given customer.
