Secure End To End Data Oriented Microservices Architecture Leveraging Oracle Kubernetes Engine and Converged Oracle Database

Vishal Mehra, December 15, 2021

Abstract

What is data to today's organizations? On one hand it is their greatest asset: it lets them manage customers and employees and stay ahead of the competition. In the wrong hands the same data becomes a liability, risking the privacy and security of both customers and employees, with the possibility of fines and litigation in the event of a breach. This document captures security workflows and best practices for implementing an online financial application, CloudBank, as an N-tier data oriented microservices architecture on Oracle Cloud. This includes hosting a Center for Internet Security (CIS) compliant OCI landing zone, CIS compliant OCI Container Engine for Kubernetes (OKE), CIS compliant Docker Engine, Web Application Firewall (WAF), Oracle Advanced Security (ASO), Oracle Key Vault (OKV), Database Vault (DBV), Data Masking and Subsetting (DMS), Audit Vault and Database Firewall (AVDF), Oracle Label Security (OLS), and Oracle Database Tools.

1 CloudBank Application

Take the system supporting a typical online application, CloudBank: end users connect to an application, which in turn connects to a backend database. The database runs on a host server with associated storage and is supported by database and server administrators. There are usually copies of the system for test and development (the average is five non-production copies per production system), and there may be partner systems interconnected. As part of the workshop, for the end-[email protected] user persona, we will perform the following transactions: (a) user onboarding, (b) credits, and (c) debits. Let us discuss how to protect this system.

Figure 1: CloudBank Provisioning Architecture

2 Secure Landing Zone Architecture

The architecture [1] starts with the compartment design for the tenancy along with groups and policies for segregation of duties. We will leverage Landing Zone V2 to provision the Landing Zone compartments within a designated parent compartment. Each Landing Zone compartment is assigned a group with the permissions appropriate for managing resources in that compartment and for accessing required resources in other compartments. Figure 2 illustrates this reference architecture. The architecture has the following components.

Figure 2: Secure Landing Zone

Tenancy. The CloudBank application will be provisioned into (a) a customer-provided OCI tenancy or (b) a free tier OCI tenancy.

Policies. An Oracle Cloud Infrastructure Identity and Access Management (IAM) policy specifies who can access which resources, and how. Policies will be written to grant a specific type of access within a specific compartment, or to the tenancy.

Compartments. Compartments are cross-region logical partitions within an Oracle Cloud Infrastructure tenancy. The OCI resources will be provisioned in the following compartments:
o A Network compartment for all networking resources, including the required network gateways.
o A Security compartment for the logging, key management, and notification resources.
o An AppDev compartment for application-related services, including compute, storage, functions, streams, Kubernetes nodes, API gateway, and so on.
o A Database compartment for all database resources.
This compartment design reflects a basic functional structure observed across organizations, where IT responsibilities are typically separated among networking, security, application development, and database administrators.

Virtual cloud network (VCN) and subnets. The CloudBank application will be provisioned on a standard three-tier VCN with one public subnet and two private subnets. The public subnet will be used for the load balancers and bastion servers; the application and database tiers will be attached to separate private subnets.

Internet gateway. The internet gateway carries traffic between the public subnet in the VCN and the public internet.

NAT gateway. A NAT gateway lets private resources in the VCN reach hosts on the internet without exposing those resources to incoming internet connections.

Service gateway. For traffic from the VCN to other Oracle services, such as Oracle Cloud Infrastructure Object Storage, the architecture uses a service gateway. Traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.

Network security groups (NSGs). NSGs act as virtual firewalls for OCI resources. Following the zero-trust model of Oracle Cloud Infrastructure, an NSG denies all traffic by default; only the ingress and egress rules explicitly added to it are allowed. Multiple NSGs will be implemented, each supporting a set of ingress and egress security rules. These rules will be

Vault. Oracle Cloud Infrastructure Vault will be used to centrally manage the encryption keys that protect the CloudBank application's data and the secret credentials.

Logs. Logging, a highly scalable and fully managed service, will be used to access the following types of logs from resources in the Oracle cloud:
o Audit logs: logs of events emitted by the Audit service.
o Service logs: logs emitted by individual services such as API Gateway, Load Balancing, Object Storage, and VCN flow logs.
o Custom logs: logs containing diagnostic information from the CloudBank application.

Cloud Guard. Oracle Cloud Guard will be used to achieve and maintain a strong security posture in Oracle Cloud by monitoring the tenancy for configuration settings and actions on resources that could pose a security problem.

Vulnerability Scanning Service. Oracle Cloud Infrastructure Vulnerability Scanning Service helps improve the security posture in Oracle Cloud by routinely checking hosts and open ports for potential vulnerabilities. The service will be used to generate reports with metrics and details about these vulnerabilities.

Bastion service. Oracle Cloud Infrastructure Bastion service provides restricted access, from specific source IP addresses, to target OCI resources that have no public endpoints, using identity-based, audited, and time-bound Secure Shell (SSH) sessions. All incoming SSH traffic to the VMs will be routed through the Bastion service.

3 Database Maximum Security Architecture

Figure 3: Database Maximum Security Architecture

We start by checking that the system is configured in accordance with our own standard, or with an accepted third-party standard such as the CIS Benchmarks or the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). To do this in Oracle Cloud, we'd use the Database Security Assessment Tool (DBSAT) for a one-time look at the system, and upgrade to the Configuration and Compliance Cloud Service for continuous monitoring. We'll monitor system activity, collecting audit data from the application, the database, and the host server operating systems using Oracle Audit Vault. We'll apply machine learning to the activity monitoring data and tie it into the broader corporate security operations center using Oracle Security Monitoring and Analytics, where we also bring in activity data from network routers, application servers, and other infrastructure components. For the non-production copies of the system, we'll remove the risk by replacing sensitive data with realistic-looking artificial data using Oracle Data Masking.
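Audit Vault can only collect what the database emits, so activity monitoring starts with unified audit policies on the database itself. The policies below are an added example written for this page, not code from the paper or the CloudBank workshop; the schema CLOUDBANK, its tables CUSTOMERS and ACCOUNTS, the service account CLOUDBANK_APP, and the client module name cloudbank-svc are assumed names.

```sql
-- Added example, not from the paper. Assumed names: schema CLOUDBANK with
-- tables CUSTOMERS and ACCOUNTS, application service account CLOUDBANK_APP,
-- client module name 'cloudbank-svc'. Run as a user holding AUDIT_ADMIN.
-- Unified auditing is always enabled on Autonomous Database and on databases
-- created with it, so no initialization parameter has to change.

-- 1. Sensitive data: every read and write of the customer and account tables,
--    success and failure alike, by everyone except the application account.
CREATE AUDIT POLICY cb_sensitive_data_pol
  ACTIONS SELECT ON cloudbank.customers, INSERT ON cloudbank.customers,
          UPDATE ON cloudbank.customers, DELETE ON cloudbank.customers,
          SELECT ON cloudbank.accounts,  INSERT ON cloudbank.accounts,
          UPDATE ON cloudbank.accounts,  DELETE ON cloudbank.accounts;
AUDIT POLICY cb_sensitive_data_pol EXCEPT cloudbank_app;

-- 2. The service account issues these statements thousands of times a day and
--    its normal traffic is watched by Database Firewall, so for it we keep
--    records only when a session arrives outside the expected program.
--    MODULE is asserted by the client, so this is a tripwire, not a control.
CREATE AUDIT POLICY cb_app_offpath_pol
  ACTIONS SELECT ON cloudbank.customers, SELECT ON cloudbank.accounts
  WHEN 'SYS_CONTEXT(''USERENV'', ''MODULE'') != ''cloudbank-svc'''
  EVALUATE PER SESSION;
AUDIT POLICY cb_app_offpath_pol BY cloudbank_app;

-- 3. Privileged use and account/grant administration, by anyone, plus every
--    failed logon (credential guessing shows up here first).
CREATE AUDIT POLICY cb_privileged_pol
  PRIVILEGES SELECT ANY TABLE, READ ANY TABLE, EXEMPT ACCESS POLICY,
             EXEMPT REDACTION POLICY, ALTER SYSTEM
  ACTIONS CREATE USER, ALTER USER, DROP USER, GRANT, REVOKE,
          CREATE ROLE, ALTER ROLE, DROP ROLE, AUDIT, NOAUDIT;
AUDIT POLICY cb_privileged_pol;

CREATE AUDIT POLICY cb_failed_logon_pol ACTIONS LOGON;
AUDIT POLICY cb_failed_logon_pol WHENEVER NOT SUCCESSFUL;

-- 4. Verify what is enabled and for whom.
SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name LIKE 'CB_%';

-- 5. The records the Audit Vault agent will collect; useful for checking the
--    policies locally before the target is registered in Audit Vault.
SELECT event_timestamp, dbusername, os_username, client_program_name,
       action_name, object_schema, object_name, return_code, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%CB_%'
ORDER  BY event_timestamp DESC
FETCH FIRST 50 ROWS ONLY;
```

Policy 1 deliberately excludes the application account and policy 2 covers it conditionally; auditing every application read would flood the trail and bury the records that matter, which is exactly the traffic Database Firewall is better placed to baseline.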
For the production system, and for any non-production environments that absolutely MUST have production data, we'll encrypt the data to prevent out-of-band access (reading data files, backups, or exports directly rather than through the database). Encryption implies an encryption key, and those keys must be managed and secured properly. Here we'll use Oracle Advanced Security's Transparent Data Encryption (TDE) for the encryption, and Oracle Key Vault to store, manage, and protect the keys. Encryption is only part of the puzzle: TDE protects data at rest, not data read through the database by a privileged user. We'll also use context-sensitive access controls that enforce separation of system administration from data administration, and that lock application data access down to well-defined trusted paths. Here our tool is Oracle Database Vault. We will use another feature of Database Vault, Privilege Analysis, to check end users and administrators, comparing the privileges they actually use with the privileges they've been granted. Removing unnecessary privileges reduces the potential attack surface AND simplifies our periodic privilege recertification. We'll take a look at especially sensitive data attributes (think customers' social security numbers, account numbers, and the like) and place rules around how those values can be viewed; a common goal is to completely or partially block access to the most sensitive columns from outside the application. Here we'll use Data Redaction, another feature of Oracle Advanced Security. To detect database configuration drift, we will use Data Safe to identify, categorize, and prioritize risks, and to deliver comprehensive assessment reports on security parameters, security controls in use, and user roles and privileges. Our final control is to plan for the worst case: assume the application may be compromised, or that our internal network firewalls may be circumvented. We'll use Database Firewall to examine the SQL statements sent to the database for anomalies. Has the application suddenly started issuing queries it has never used before? Are power users trying to connect to the database with programs we haven't certified? Database Firewall will let us know and, if desired, will block the anomalous activity.

4 Oracle Cloud Infrastructure (OCI) Database Tools Service

The CloudBank application will implement Database Tools [2], a managed service in Oracle Cloud Infrastructure (OCI), to create connections to the Oracle Database in OCI that can be reused by multiple users, resources, and services. The database connections will be used within the Oracle Kubernetes cluster (via the OCI SDK) to provide direct SQL access to the CloudBank ATP pluggable databases. With the Database Tools connection service, sensitive information such as passwords and Autonomous Database client credentials (wallet files) is stored encrypted as secrets in OCI Vault rather than in application configuration.

5 Oracle Web Application Firewall (WAF)

The CloudBank application will adopt a layered defense (edge and in-region) security strategy with a web application firewall that aggregates threat intelligence from multiple sources, including Webroot BrightCloud®, together with more than 250 predefined OWASP, application, and compliance-specific rules. By combining threat intelligence with consistent rule enforcement on Oracle Flexible Load Balancer, Oracle Cloud Infrastructure Web Application Firewall will strengthen defenses and protect both the internet-facing CloudBank application servers (public subnet) and internal applications (private subnets).

6 Security Workshop - Planned Labs

To incrementally implement the end to end secure architecture and to showcase the OCI capabilities mentioned above, the following labs have been identified for the LiveLabs Secure End To End Data Oriented Microservices Architecture workshop.
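The Database Vault, Privilege Analysis, and Data Redaction controls described in Section 3 are shown below applied to an assumed CloudBank schema. This is an added example, not code from the paper or the workshop: the schema CLOUDBANK, the columns SSN, EMAIL, and ACCOUNT_NO, the service account CLOUDBANK_APP, the worker subnet 10.0.2.0/24, and the module name cloudbank-svc are assumptions.

```sql
-- Added example, not from the paper. Assumed names: schema CLOUDBANK
-- (CUSTOMERS with SSN stored as 'nnn-nn-nnnn' and EMAIL; ACCOUNTS with
-- ACCOUNT_NO), service account CLOUDBANK_APP connecting from the OKE worker
-- subnet 10.0.2.0/24 with client MODULE 'cloudbank-svc'. Database Vault must
-- already be configured and enabled (on Autonomous Database:
-- DBMS_CLOUD_MACADM.CONFIGURE_DATABASE_VAULT, then ENABLE_DATABASE_VAULT).
-- Steps 1 and 2 run as the Database Vault owner.

-- 1. Trusted path: true only for sessions from the app subnet that identify
--    themselves as the app. MODULE is client-asserted, so the subnet rule,
--    backed by the NSGs upstream, carries the real weight.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From OKE App Subnet',
    rule_expr => 'SYS_CONTEXT(''USERENV'', ''IP_ADDRESS'') LIKE ''10.0.2.%''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is CloudBank Module',
    rule_expr => 'SYS_CONTEXT(''USERENV'', ''MODULE'') = ''cloudbank-svc''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'CloudBank Trusted Path',
    description     => 'App service account from the OKE subnet only',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,  -- every rule must hold
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'CloudBank data is reachable only through the application',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('CloudBank Trusted Path', 'From OKE App Subnet');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('CloudBank Trusted Path', 'Is CloudBank Module');
END;
/

-- 2. Mandatory realm around the schema: SELECT ANY TABLE, DBA and even the
--    schema owner no longer reach the data; only CLOUDBANK_APP does, and only
--    while the rule set holds. A DBA's SELECT now fails with ORA-01031.
--    Schema migrations need their own, separately authorized deployer.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'CloudBank Data Realm',
    description   => 'Customer and account data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);                                -- 1 = mandatory realm
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name  => 'CloudBank Data Realm', object_owner => 'CLOUDBANK',
    object_name => '%',                    object_type  => '%');
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'CloudBank Data Realm',
    grantee       => 'CLOUDBANK_APP',
    rule_set_name => 'CloudBank Trusted Path',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 3. Privilege analysis: capture what CLOUDBANK_APP really uses during the
--    onboarding, credit and debit flows, then list grants it never exercised.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name      => 'cb_app_capture',
    type      => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''CLOUDBANK_APP''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('cb_app_capture');
END;
/
-- ... run the application workload for a representative period, then:
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('cb_app_capture');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('cb_app_capture');
END;
/
SELECT username, obj_priv AS privilege, object_owner, object_name
FROM   dba_unused_objprivs WHERE capture = 'cb_app_capture'
UNION ALL
SELECT username, sys_priv, NULL, NULL
FROM   dba_unused_sysprivs WHERE capture = 'cb_app_capture';

-- 4. Redaction for every session that is not the application: SSN keeps its
--    last four digits, e-mail keeps only the domain, account numbers are
--    fully masked. Holders of EXEMPT REDACTION POLICY still see clear text
--    and redaction does not stop WHERE-clause inference; steps 1 and 2 are
--    the access control, redaction is defence in depth for tool and ad hoc
--    access. Run as a user with EXECUTE on DBMS_REDACT.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'CLOUDBANK', object_name => 'CUSTOMERS',
    policy_name         => 'cb_customers_redact', column_name => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_US_SSN_F5,    -- ***-**-6789
    expression => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') != ''CLOUDBANK_APP''');
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'CLOUDBANK', object_name => 'CUSTOMERS',
    policy_name   => 'cb_customers_redact', action => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'EMAIL', function_type => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_FIRST);
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'CLOUDBANK', object_name => 'ACCOUNTS',
    policy_name   => 'cb_accounts_redact', column_name => 'ACCOUNT_NO',
    function_type => DBMS_REDACT.FULL,
    expression => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') != ''CLOUDBANK_APP''');
END;
/
```

The ordering matters in practice: put the realm in place before relying on redaction, because a realm violation fails closed with an error, while a redaction policy that is missing, disabled, or bypassed by an exempt user returns the clear value without any signal to the caller.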
o Lab 1: Infrastructure setup using Secure Landing Zone
o Lab 2: Database access security (authentication, privileges)
    MFA (OCI – RADIUS)
o Lab 3: Microservices access security (OAuth)
o Lab 4: Application access security (with LB, API Gateway)
    North/South, East/West
    WAF – Top 10 attack vectors
    CVC – K8s cluster vulnerabilities check
o Lab 5: Data security (user activity, sensitive data)
o Lab 6: Messaging security (queues, streams)
o Lab 7: HA security (FD/AD, across regions)
o Lab 8: Data DevOps security (migration, upgrades)
    Data transfer
    Data migration tool (across cloud providers)

References

[1] "Deploy a secure landing zone that meets the CIS Foundations Benchmark for Oracle Cloud," Oct 2021. [Online]. Available: https://docs.oracle.com/en/solutions/cis-oci-benchmark/index.html#GUID-4572A461-E54D-41E8-89E8-9576B8EBA7D8
[2] "Database tools," Nov 2021. [Online]. Available: https://docs.oracle.com/en-us/iaas/Content/Database-Tools/dbtools topic-overview.htm