What is the customer's responsibility on the Oracle Cloud Infrastructure database system?
This guide describes security for an Oracle Exadata Cloud@Customer System. It includes information about the best practices for securing the Oracle Exadata Cloud@Customer System.
Security Configurations and Default Enabled Features
Responsibilities
Exadata Cloud@Customer is jointly managed by the customer and Oracle. The Exadata Cloud@Customer deployment is divided into two major areas of responsibility:

Customers control and monitor access to customer services, including network access to their VMs (through layer 2 VLANs and firewalls implemented in the customer VM), authentication to access the VM, and authentication to access databases running in the VMs.

Oracle controls and monitors access to Oracle-managed infrastructure components. Oracle staff are not authorized to access customer services, including customer VMs and databases.

Customers access Oracle Databases running on Exadata Cloud@Customer through a layer 2 (tagged VLAN) connection from customer equipment to the databases running in the customer VM, using standard Oracle Database connection methods such as Oracle Net on port 1521. Customers access the VM running the Oracle Databases through standard Oracle Linux methods, such as token-based SSH on port 22.

Guiding Principles Followed for Security Configuration Defaults
Security Features
Guest VM Default Fixed Users
Several user accounts regularly manage the components of Oracle Exadata Cloud@Customer. On all Exadata Cloud@Customer machines, Oracle uses and recommends SSH-based login only. No Oracle user or process uses password-based authentication. The different kinds of users created by default are described below.

Guest VM Default Security Settings
In addition to all of the Exadata features explained in Security Features of Oracle Exadata Database Machine, the following security settings also apply.
Guest VM Default Processes
Guest VM Network Security
Table 35-1 Default Port Matrix for Guest VM Services

Default iptables rules for the Guest VM: the default iptables rules are set up to ACCEPT connections on the INPUT, FORWARD, and OUTPUT chains.
Additional Procedures for Updating Security Posture
Customer Responsibilities
Table 35-2 Responsibilities

Enabling Additional Security Capabilities

Migrating TDE Keys to HSM
For more information, see Managing the Keystore and the Master Encryption Key.

Migrating from a Password-Protected Software Keystore to a Hardware Keystore
You can migrate from a password-protected software keystore to a hardware keystore.

Modifying Password Complexity Requirements Using host_access_control
Table 35-3 host_access_control password-aging
Table 35-4 host_access_control pam-auth

Implementing or Updating the iptables Firewall Configuration in the Guest VM
The iptables configuration and firewall rules are stored in
Refer to the earlier section "Guest VM Network Security" for details on which ports may be required on the Guest VM. To configure the firewall manually, create commands like the following example. Note that it is possible to lock yourself out of the system by blocking the ports over which you connect, so it is recommended to try the rules on a test system first and to engage an experienced iptables administrator if possible.
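As an added illustration (not an example from the Oracle guide), the shell function below emits an iptables-restore ruleset for a Guest VM that replaces the default ACCEPT policy with DROP on INPUT and admits only the two services the page names, SSH on port 22 and Oracle Net on port 1521, from a customer subnet passed as an argument (the subnet value is an assumption; use the VLAN range that actually reaches the VM). A second function checks that the SSH rule is present before the ruleset is loaded, which is the lock-out check the caveat above calls for.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation. Generates an
# iptables-restore file that keeps only SSH (22) and Oracle Net (1521)
# reachable, and only from the given customer subnet (assumed CIDR).

gen_guest_vm_rules() {
  subnet="$1"
  # Refuse an empty subnet: a rule without -s would expose the port to any source.
  [ -n "$subnet" ] || { echo "usage: gen_guest_vm_rules <cidr>" >&2; return 1; }
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established sessions stay up, so the SSH session
# used to apply this policy survives the switch from ACCEPT to DROP.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Token-based SSH and the Oracle Net listener, customer subnet only.
-A INPUT -p tcp -s $subnet --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $subnet --dport 1521 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Pre-load check: the ruleset must still admit SSH on port 22, otherwise
# applying it over the connection you are using locks you out.
check_ssh_allowed() {
  printf '%s\n' "$1" | grep -q -- '--dport 22 .*-j ACCEPT'
}

# Usage (as root on the Guest VM; --test only parses, it does not commit):
#   rules=$(gen_guest_vm_rules 10.0.0.0/24)
#   check_ssh_allowed "$rules" && printf '%s\n' "$rules" | iptables-restore --test
```

Only after the generated file passes both the SSH check and `iptables-restore --test` should it be loaded for real, and then from a test system first as the guide recommends.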
Changing Passwords and Updating Authorized Keys
To change a user password, see Default Oracle Exadata Users and Passwords in My Oracle Support note https://support.oracle.com/epmos/faces/DocContentDisplay?id=1291766.1. Other accounts not included in that note are listed below.
Table 35-5 User Accounts

Pay Attention to What Actions May Impact Service-Related Logins for Cloud Automation
For example, procedures will include ensuring that the authorized keys used for cloud automation actions remain intact. For more information about physical network access controls, including guidelines for Oracle Cloud Automation, see Oracle Gen2 Exadata Cloud@Customer Security Controls. Oracle Cloud Automation access to the customer VM is controlled through token-based SSH. Public keys for Oracle Cloud Automation access are stored in the authorized keys files of the

Configure Encrypted Channels for Database Listener (Oracle Net) Connectivity
For more information, see Configuring Oracle Database Native Network Encryption and Data Integrity.
Which of the following OCI security tasks are the customer's responsibilities?
You are responsible for securely configuring and managing your compute (virtual hosts, containers), storage (object, file, local storage, block volumes), and platform (database configuration) services.

Which three are the customer's responsibilities in the shared responsibility model for security?
Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.

Which three are Oracle's responsibilities in the shared security model in Oracle Cloud Infrastructure?
Oracle is responsible for providing effective IAM services such as identity management, authentication, authorization, and auditing.

What is Oracle Cloud@Customer?
Oracle Cloud@Customer enables you to consolidate applications and databases on high-performance cloud infrastructure without moving to the public cloud. Reliably run your Oracle and third-party applications, create cloud native applications, and upgrade existing ones with machine learning and modern cloud services.