Computing environments configured to provide nearly full-time availability are known as high availability (HA) systems.
Well-designed HA systems avoid single points of failure by building redundancy into their resources.
When a failure occurs, the failover process moves the work performed by the failed component to its backup component.
OCI Services and High Availability
Availability Domains (AD): isolated from each other, fault tolerant, and very unlikely to fail simultaneously; they do not share physical infrastructure such as power or cooling.
Fault Domains (FD): let you distribute instances so that they are not on the same physical hardware within a single AD. Each AD has 3 FDs.
Load Balancer: a regional service; its backend set can span ADs, so traffic is distributed across ADs.
Storage: Block Volume is an AD-scoped service, replicated within the AD; Volume Replication can additionally keep a copy in another AD or region. Object Storage is regional and highly available. A File Storage file system lives in one AD but can be mounted from instances in any AD of the region, and is highly available.
Compute: instances are AD-scoped; an instance pool with an autoscaling configuration (the OCI analogue of an auto scaling group) spread across ADs and FDs can be used to make the service highly available.
Best Practices
Networking
To provide high availability across availability domains, you can configure multiple private load balancers on Oracle Cloud Infrastructure and use on-premises or private DNS servers to set up a round-robin DNS configuration with the IP addresses of the private load balancers. The following is an overview of this process:
Deploy two private load balancers, one in each availability domain.
Configure two custom DNS VMs in the VCN.
Modify the VCN Default DHCP options to use a Custom DNS Resolver and set the DNS servers to the IP addresses of the DNS VMs.
Add a new round-robin DNS zone entry for the private load balancer FQDN with a low TTL.
Add two A records with the IP addresses of the two private load balancers.
Clients reach the private load balancers through that FQDN rather than through an individual load balancer's IP address.
For on-premises connectivity, the most robust option is to use multiple FastConnect connections with circuits from different network service providers.
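The round-robin DNS procedure above, as an added example (not Oracle's code): the FQDN lb.private.example and the two addresses are constructed, and a small caching resolver stands in for the client's stub resolver. It shows the two things a practitioner should check: a client that tries every A record falls over to the surviving load balancer, and the TTL decides how long a stale answer keeps being served after the zone changes, which is why the TTL is kept low.

```python
"""Round-robin DNS failover across two private load balancers (added illustration)."""
import time

FQDN = "lb.private.example"                       # hypothetical LB FQDN
# Constructed zone: two A records (one LB per AD) with a 30-second TTL.
ZONE = {FQDN: (["10.0.1.10", "10.0.2.10"], 30)}


class CachingResolver:
    """Models a stub resolver: caches the A record set until its TTL expires.
    `now` is injectable so TTL behaviour can be exercised without sleeping."""

    def __init__(self, zone, now=time.monotonic):
        self.zone, self.now, self.cache, self.lookups = zone, now, {}, 0

    def resolve(self, name):
        entry = self.cache.get(name)
        if entry and entry[1] > self.now():       # cached answer still valid
            return list(entry[0])
        ips, ttl = self.zone[name]                # authoritative lookup
        self.lookups += 1
        self.cache[name] = (list(ips), self.now() + ttl)
        return list(ips)


def connect_with_failover(resolver, name, probe, start_index=0):
    """Try the A records in rotation starting at start_index (round robin) and
    return the first address that answers. Raises if every LB is down."""
    ips = resolver.resolve(name)
    for i in range(len(ips)):
        ip = ips[(start_index + i) % len(ips)]
        if probe(ip):
            return ip
    raise ConnectionError(f"no healthy load balancer behind {name}")


def simulate(down=frozenset(), requests=4):
    """Issue `requests` connections, rotating the starting record each time, and
    return the addresses actually used. `down` holds LB IPs that refuse
    connections (a constructed failure standing in for an AD outage)."""
    resolver = CachingResolver(ZONE)
    probe = lambda ip: ip not in down
    return [connect_with_failover(resolver, FQDN, probe, start_index=n)
            for n in range(requests)]


def lookups_over(interval_s, requests, ttl=30):
    """Count how often a client connecting every interval_s seconds re-queries
    DNS. Until the cached answer expires, a zone change (e.g. removing a dead
    LB's A record) is invisible to the client, so a low TTL bounds that window."""
    clock = [0.0]
    resolver = CachingResolver({FQDN: (ZONE[FQDN][0], ttl)}, now=lambda: clock[0])
    for _ in range(requests):
        resolver.resolve(FQDN)
        clock[0] += interval_s
    return resolver.lookups


if __name__ == "__main__":
    print("healthy:", simulate())
    print("AD1 LB down:", simulate(down={"10.0.1.10"}))
    print("DNS queries in 100 s, TTL 30:", lookups_over(10, 10, ttl=30))
    print("DNS queries in 100 s, TTL 300:", lookups_over(10, 10, ttl=300))
```

Note that round-robin DNS only helps clients that retry the next record on a connection failure; the health checks on each load balancer's backend set handle failures behind the load balancer, not failure of the load balancer itself.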
Web Application Firewall (WAF)
Protects against cross-site scripting (XSS), SQL injection and malicious bots (bot management).
For each matched rule the request is either allowed to pass, answered with an error page because it was blocked, or only recorded in the audit log.
Actions: Log and allow, Detect only, Block, Redirect, Bypass, Show CAPTCHA. Use Detect only to stage a new rule and review its hits before switching it to Block.
Conditions include country/region, URL path, IP address (or address list), HTTP header.
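An added example (not OCI's WAF implementation) of how an ordered list of access rules with the actions and condition types listed above is evaluated: first match wins, Bypass skips the remaining rules, and Detect only records the hit but still forwards the request, which is what makes it safe for staging. The rules, addresses (documentation ranges) and requests are constructed.

```python
"""First-match evaluation of WAF-style access rules (added illustration)."""
import ipaddress
import re

# Constructed rule list, evaluated top to bottom.
RULES = [
    {"name": "office-bypass", "action": "Bypass",
     "when": {"ip": "203.0.113.0/24"}},
    {"name": "admin-geo", "action": "Block",
     "when": {"path": r"^/admin(/|$)", "not_country": {"US", "DE"}}},
    {"name": "scanner-ua", "action": "Show CAPTCHA",
     "when": {"header": ("user-agent", r"(?i)sqlmap|nikto")}},
    {"name": "api-v2-staging", "action": "Detect only",   # log hits, keep serving
     "when": {"path": r"^/api/v2/"}},
]

# Whether the request is still forwarded to the origin after the action.
FORWARDS = {"Block": False, "Redirect": False, "Show CAPTCHA": False,
            "Bypass": True, "Log and allow": True, "Detect only": True}


def matches(cond, req):
    """All listed conditions of a rule must hold (AND)."""
    if "ip" in cond and ipaddress.ip_address(req["ip"]) not in ipaddress.ip_network(cond["ip"]):
        return False
    if "path" in cond and not re.search(cond["path"], req["path"]):
        return False
    if "not_country" in cond and req["country"] in cond["not_country"]:
        return False
    if "header" in cond:
        name, pattern = cond["header"]
        if not re.search(pattern, req["headers"].get(name, "")):
            return False
    return True


def evaluate(req, rules=RULES):
    """Return (rule name, action, forwarded, log line) for the first matching
    rule, or an implicit Allow when nothing matches."""
    for rule in rules:
        if matches(rule["when"], req):
            action = rule["action"]
            return (rule["name"], action, FORWARDS[action],
                    f'{rule["name"]} {action} {req["ip"]} {req["path"]}')
    return None, "Allow", True, f'no-rule Allow {req["ip"]} {req["path"]}'


def request(ip, path, country="US", **headers):
    """Build a constructed request record; header names are lower-cased."""
    return {"ip": ip, "path": path, "country": country,
            "headers": {k.replace("_", "-").lower(): v for k, v in headers.items()}}


if __name__ == "__main__":
    for r in (request("198.51.100.7", "/admin/users", country="FR"),
              request("203.0.113.5", "/admin/users", country="FR"),
              request("198.51.100.9", "/api/v2/orders"),
              request("198.51.100.9", "/", user_agent="sqlmap/1.7")):
        print(evaluate(r))
```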
Vault
Vault type: Virtual Private Vault (dedicated HSM hardware)
Vault type: default vault (shared HSM hardware)
Protection mode of a key
HSM: key material is generated in and never leaves the hardware security module
Software: key material is stored and used in software on the server side rather than inside the HSM; unlike HSM-protected keys, software-protected keys can be exported from the vault
Algorithms
AES (symmetric)
RSA
ECDSA
The master encryption key (MEK) is used to generate a data encryption key (DEK); the DEK encrypts the data and the MEK wraps the DEK (envelope encryption).
A master encryption key can be rotated without affecting already-encrypted data.
Vaults cannot be deleted immediately: deletion is scheduled with a waiting period (default 30 days; it can be set between 7 and 30 days), during which the deletion can be cancelled.
Each vault has two endpoints: a cryptographic endpoint (encrypt, decrypt, generate DEK) and a management endpoint (create, rotate and manage keys).
After rotation a new version of the master key becomes current; the old versions remain so that data encrypted under them can still be decrypted, while new encryptions use the latest version.
Security Zone
A security zone is associated with a compartment and a security zone recipe. OCI validates create and update operations on resources against the list of policies defined in the security zone recipe. If any security zone policy is violated, the operation is denied.
Resources can’t be moved from a security zone to a standard compartment because it might be less secure.
Data in a security zone can’t be copied to a standard compartment because it might be less secure.
All the required components for a resource in a security zone must also be located in a security zone. Resources that are not in a security zone might be vulnerable. For example, a compute instance (Compute) in a security zone can’t use a boot volume that is not in a security zone.
Resources in a security zone must not be accessible from the public internet.
Resources in a security zone must be encrypted using customer-managed keys.
Resources in a security zone must be regularly and automatically backed up.
Resources in a security zone must use only configurations and templates approved by Oracle.
Security Advisor
Available for
Secure Bucket
Secure File System
Secure Instance
Secure Block Volume
Cloud Guard
Cloud Guard examines your Oracle Cloud Infrastructure resources for security weakness related to configuration, and your operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take corrective actions, based on your configuration.
Main components:
Target (the compartment tree to examine)
Detector / Detector Recipe
Responder / Responder Recipe
Oracle recommends that you enable Cloud Guard in your tenancy. You can configure a Cloud Guard target to examine your entire tenancy (root compartment and all subcompartments), or you can configure targets to check only specific compartments
Security Best Practices
Secure Your Database
Data Safe is a unified control center for Oracle cloud and on-premises databases. Use Data Safe to assess database and data security configuration, detect risks associated with user accounts, identify existing sensitive data, implement controls to protect data, and audit user activity.
Extend Data Safe audit retention policy to one year.
Mask data identified as sensitive by Data Discovery.
Use Security Assessment to identify recommended security controls by Center for Internet Security (CIS), General Data Protection Regulation (GDPR), and Department of Defense library of Security Technical Implementation Guides (STIG).
Set up alerts for key events in Data Safe Activity Auditing.
Securing Compute
Place instances in private subnets and reach them through a bastion host (or the OCI Bastion service) rather than exposing them directly.
Enable the Shielded Instance options (Secure Boot, Measured Boot, Trusted Platform Module) when provisioning the instance for boot-time integrity.
To prevent inadvertent or malicious termination of critical instances (for example, production instances), Oracle recommends that you give INSTANCE_DELETE permission to a minimal set of groups. Give DELETE permissions only to tenancy and compartment admins.
Securing Object Storage
Pre-authenticated requests (PARs): a bucket PAR permits writes (uploads) to the bucket
Object PAR for reading an object
Object PAR for writing an object
Object PAR for reading or writing an object; give every PAR the narrowest access type that works and an expiry date
All data in Object Storage is encrypted at rest using AES-256. Encryption is on by default and cannot be turned off. Each object is encrypted with its own data encryption key, and the object encryption keys are encrypted with a master encryption key (Oracle-managed by default, or a customer-managed key from Vault).
By default a bucket is private (no anonymous access); public access must be enabled explicitly per bucket.
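Both the Vault notes (MEK generates and wraps DEKs; rotation adds a key version and keeps the old ones) and the Object Storage note above (one key per object, wrapped by a master key) describe the same envelope-encryption pattern. The added example below (not OCI's implementation) models it: a versioned master key that only exposes "generate data key" and "unwrap", a per-object DEK, and a rotation after which the old object still decrypts via version 1 while the new one is wrapped with version 2. The cipher is a deliberately simple HMAC-SHA256 keystream XOR plus HMAC tag, standing in for AES-256-GCM so the example runs with the standard library only; it is assumed for illustration and must not be reused as a real cipher.

```python
"""Envelope encryption with a versioned master key (added illustration)."""
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with HMAC(key, nonce||counter) blocks. Symmetric."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def _seal(key, plaintext):
    """nonce || ciphertext || tag (encrypt-then-MAC). Stand-in for AES-GCM."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)


class MasterKey:
    """Versioned MEK as a KMS holds it: callers never see the key material,
    only the cryptographic-endpoint operations (generate DEK, unwrap)."""

    def __init__(self):
        self._versions = []
        self.rotate()

    def rotate(self):
        self._versions.append(os.urandom(32))     # new version becomes current
        return self.current_version

    @property
    def current_version(self):
        return len(self._versions)                # versions are 1-based

    def generate_data_key(self):
        """Return (plaintext DEK, wrapped DEK prefixed with the MEK version)."""
        dek = os.urandom(32)
        v = self.current_version
        return dek, v.to_bytes(2, "big") + _seal(self._versions[v - 1], dek)

    def unwrap(self, wrapped):
        """Unwrap with whichever version wrapped the DEK; old versions stay usable."""
        v = int.from_bytes(wrapped[:2], "big")
        if not 1 <= v <= len(self._versions):
            raise ValueError(f"unknown key version {v}")
        return _open(self._versions[v - 1], wrapped[2:])


def put_object(mek, data):
    """Fresh DEK per object; only the wrapped DEK is stored beside the ciphertext."""
    dek, wrapped = mek.generate_data_key()
    return {"wrapped_dek": wrapped, "ciphertext": _seal(dek, data)}


def get_object(mek, obj):
    return _open(mek.unwrap(obj["wrapped_dek"]), obj["ciphertext"])


def wrap_version(obj):
    return int.from_bytes(obj["wrapped_dek"][:2], "big")


def demo():
    """Write, rotate, write again; return the MEK versions the two objects use."""
    mek = MasterKey()
    old = put_object(mek, b"written before rotation")
    mek.rotate()
    new = put_object(mek, b"written after rotation")
    assert get_object(mek, old) == b"written before rotation"
    assert get_object(mek, new) == b"written after rotation"
    return wrap_version(old), wrap_version(new)


def tampering_rejected():
    """Flip one bit of a stored object; the tag check must refuse to decrypt."""
    mek = MasterKey()
    obj = put_object(mek, b"integrity matters")
    ct = bytearray(obj["ciphertext"])
    ct[0] ^= 1
    try:
        get_object(mek, dict(obj, ciphertext=bytes(ct)))
    except ValueError:
        return True
    return False
```

Rotation here changes only which version wraps new DEKs; re-encrypting existing objects under the new version is a separate, deliberate step, which is why old versions cannot simply be discarded.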
Securing Block Storage
The resource types in the volume-family are volumes, volume-attachments and volume-backups; the corresponding delete permissions (VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE and VOLUME_BACKUP_DELETE) should be granted as narrowly as INSTANCE_DELETE above.
By default, volumes and their backups are encrypted at rest using AES-256
General
Separate the internet-facing components from the back end, not just with subnets and security lists but by placing them in separate compartments with their own Virtual Cloud Networks, linked by a Local Peering Gateway.
Add a Web Application Firewall in front of the load balancer, and so in front of the web application.
Make the Autonomous Database and Object Storage reachable only over private IP addresses (private endpoints), not from the public internet.
Change from Oracle-managed keys to customer-managed encryption keys for all block, boot and object storage.
You can enforce MFA for a resource in the access policy that allows access to the resource. For example, the following policy enforces MFA when users in GroupA manage resources that belong to the instance family in any compartment.
allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'
The following policy only allows users in the PolicyAdmins group to create policies, not to edit or delete them, because POLICY_UPDATE and POLICY_DELETE fail the where clause:
Allow group PolicyAdmins to manage policies in tenancy where request.permission='POLICY_CREATE'
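To show concretely what the two conditional statements above grant and refuse, here is an added example (not OCI's authorization engine) that parses statements of that shape and evaluates requests against them. It is a simplified model: group, verb, resource type, `tenancy`/`compartment <name>` scope and a `where` clause with `=`, `!=`, `all {...}` and `any {...}`; `manage` covers every permission, the other verbs are approximated by ranking the permission suffix (the real verb-to-permission mapping is per resource type), compartment hierarchy is ignored, and a missing request variable makes `=` false and `!=` true. The third statement (Developers denied INSTANCE_DELETE in compartment Prod) is an assumed example that follows the INSTANCE_DELETE recommendation above and goes beyond the page's two statements.

```python
"""Parsing and evaluating OCI-style policy statements (added illustration)."""
import re

# The page's two statements plus one assumed statement for INSTANCE_DELETE.
STATEMENTS = [
    "allow group GroupA to manage instance-family in tenancy where request.user.mfaTotpVerified='true'",
    "Allow group PolicyAdmins to manage policies in tenancy where request.permission='POLICY_CREATE'",
    "Allow group Developers to manage instance-family in compartment Prod where request.permission != 'INSTANCE_DELETE'",
]

STATEMENT = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<rtype>\S+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?$", re.IGNORECASE)
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}
# Constructed approximation: rank a permission by its suffix; unknown suffixes need manage.
PERMISSION_RANK = {"INSPECT": 0, "READ": 1, "UPDATE": 2, "CREATE": 3, "DELETE": 3}


def parse(statement):
    m = STATEMENT.match(statement.strip())
    if not m:
        raise ValueError(f"cannot parse: {statement}")
    scope = m.group("scope").split()
    return {"group": m.group("group"), "verb": m.group("verb").lower(),
            "rtype": m.group("rtype").lower(),
            "compartment": scope[1] if len(scope) == 2 else None,   # None = whole tenancy
            "cond": m.group("cond")}


def condition_holds(cond, request):
    """Evaluate a where clause against the request's variables."""
    cond = cond.strip()
    m = re.match(r"^(all|any)\s*\{(.*)\}$", cond, re.IGNORECASE | re.DOTALL)
    if m:
        combine = all if m.group(1).lower() == "all" else any
        return combine(condition_holds(p, request) for p in m.group(2).split(",") if p.strip())
    m = re.match(r"^(\S+)\s*(!=|=)\s*'([^']*)'$", cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    var, op, value = m.groups()
    actual = request.get(var)
    equal = actual is not None and actual.lower() == value.lower()
    return equal if op == "=" else not equal


def verb_covers(verb, permission):
    suffix = permission.rsplit("_", 1)[-1]
    return VERB_RANK[verb] >= PERMISSION_RANK.get(suffix, 3)


def authorized(policies, request):
    """Allow if any statement matches group, resource type, scope, verb and condition."""
    for p in policies:
        if p["group"] not in request["groups"] or p["rtype"] != request["rtype"]:
            continue
        if p["compartment"] and p["compartment"].lower() != (request.get("compartment") or "").lower():
            continue
        if not verb_covers(p["verb"], request["request.permission"]):
            continue
        if p["cond"] and not condition_holds(p["cond"], request):
            continue
        return True
    return False


POLICIES = [parse(s) for s in STATEMENTS]


def check(groups, rtype, permission, compartment=None, mfa=None):
    """Convenience wrapper: build a request and evaluate it against POLICIES."""
    request = {"groups": set(groups), "rtype": rtype, "compartment": compartment,
               "request.permission": permission}
    if mfa is not None:
        request["request.user.mfaTotpVerified"] = mfa
    return authorized(POLICIES, request)


if __name__ == "__main__":
    print("GroupA create instance with MFA:", check({"GroupA"}, "instance-family", "INSTANCE_CREATE", mfa="true"))
    print("GroupA create instance, no MFA:", check({"GroupA"}, "instance-family", "INSTANCE_CREATE"))
    print("PolicyAdmins POLICY_CREATE:", check({"PolicyAdmins"}, "policies", "POLICY_CREATE"))
    print("PolicyAdmins POLICY_DELETE:", check({"PolicyAdmins"}, "policies", "POLICY_DELETE"))
    print("Developers INSTANCE_DELETE in Prod:", check({"Developers"}, "instance-family", "INSTANCE_DELETE", compartment="Prod"))
```

The last statement is the shape to use for the INSTANCE_DELETE recommendation under Securing Compute: everyone who needs day-to-day access gets `manage instance-family ... where request.permission != 'INSTANCE_DELETE'`, and only the admin group gets an unconditional statement.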