Overview

The world is evolving faster than we can keep up. The advancement in technology, like it or not, has given new tools to bad actors. Cyber is turning out to be the new frontier of war and the most dangerous one by far. On the other hand, the usage of cloud is growing faster than we had imagined. It is ironic that cyber war and usage of cloud are both growing at the same time. It is the responsibility of cloud service providers to step up and up level their game to beat bad actors. We take that responsibility very seriously. Security of every service on OCI is the utmost priority and we do not compromise on security for an additional feature. Along with many other things, we follow OWASP security design principles. I will talk about some of those principles in the context of OCI services and how we adhere to those principles.

Minimize attack surface area

Every service, every interface, or every feature of a service increases surface area and risk of vulnerability. The principle of minimizing attack surface area restricts the functions that users are allowed to access, to reduce potential vulnerabilities. While it is necessary to support every interface API, UI, SDK; we can mitigate the risk by centralizing the business logic and implementing strong audit and monitoring on the centralized component. For example, in OCI, irrespective of what interface you use to create a compute instance (Terraform, cli, UI) same authorizations are enforced and every request is audited.

One other approach to reduce the risk is to require registered user or actor to perform any operation from any interface. In other words, require authentication and authorization to invoke a function. That is what zero trust is all about. We don’t allow a user to perform an operation just because the user tried from enterprise network or from OCI network. Continuous authentication is enforced irrespective of the interface used.

Establish secure defaults