The on-demand availability of cloud services has provided a way to develop and deliver new applications and services that are more flexible, more responsive to changing demand, and more cost effective than traditional approaches. This is made possible by the just-in-time nature of virtual cloud infrastructure combined with the ‘shift left’ DevOps trend, and increasingly based on containers and micro services. However, this trend towards dynamic virtual infrastructure creates security challenges. The legacy approach to IT security assumes a comparatively static environment and this is not optimal for the needs of today’s dynamic infrastructure and development methodologies. Dynamic just-in-time infrastructure and development requires a dynamic just-in-time approach to IT security.
When IT services were delivered directly from owned physical equipment, the procurement costs, processes, and delays meant that change was slow, and innovation was hard. IT security tools and approaches evolved to manage the security risks associated with this static environment. Controls could be applied after equipment was installed, and the IT estate could be accurately catalogued in a Configuration Management Database (CMDB). Because change was highly managed, risks were relatively static, and manual or partially automated security management processes were enough. For example, weekly scanning could find and fix any newly discovered vulnerabilities and identities, and manual processes were adequate to manage access permissions.
This is no longer the case when using cloud services where infrastructure is virtual, and resources are created and destroyed dynamically as they are needed. The inventory of these virtual resources is not fixed but is constantly changing as demand fluctuates and applications are deployed. In this dynamic environment all the well-known risks, such as unpatched vulnerabilities, still exist but, in addition, there are new risks. These new risks may arise from the new kinds of services that the cloud offers, such as serverless computing, or result from the misconfiguration of cloud services by users that haven’t fully mastered the components or platform that they are using.
One area of concern is around DevOps and rapid deployment. The traditional approach to the deployment of IT service elements involved prior risk assessment and the implementation of appropriate security controls. However, the flexibility provided by DevOps and the elastic nature of cloud services makes it easy to rapidly deploy new service elements without strictly enforced checks. In the race to deploy functionality, it is often the case that security takes second place.
This can lead to the cloud service elements being misconfigured in ways that can then be exploited by cyber adversaries. Furthermore, in this dynamic environment the virtual infrastructure components have privileges and, where these are excessive, there are additional vulnerabilities that can be exploited. It is important that cloud environments provide cyber security capabilities to ensure that security and compliance policies are enforced dynamically during application development and deployment, without slowing DevOps down.
Dynamic just-in-time IT needs dynamic just-in-time security controls. These controls must be policy based and implemented automatically as IT service elements are created, modified, moved, and deleted. This is best implemented by the cloud service itself since this has intimate knowledge of the customers’ resources as well as the control plane to enforce controls.
This report describes how these objectives are achieved by Oracle Cloud Security Zones which are a set of security capabilities provided by the OCI (Oracle Cloud Infrastructure).