Oracle Corporation

10/15/2024 | Press release | Distributed by Public on 10/15/2024 05:23

OCI helps you to optimize your data protection

In today's data-driven world, securing your information is paramount. This blog post explores how Oracle Cloud Infrastructure (OCI) helps enterprises protect their data along the three axes of the CIA triad: confidentiality, integrity, and availability.
Understanding the CIA triad
Most enterprises are subject to regulation that requires them to secure their most important asset: data. The National Institute of Standards and Technology (NIST) describes the pillars of information security with the following attributes:
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity: Guarding against improper information modification or destruction and helping ensure information non-repudiation and authenticity
Availability: Timely and reliable access to and use of information
Figure 1: A presentation of important attributes for organizational, personal, and physical information security for hardware, software, and communication: The CIA triad.
Destructive malware, ransomware, malicious insider activity, and even honest mistakes all set the stage for why organizations must detect and respond to an event that impacts data integrity. Businesses must be confident that these events are detected in a timely fashion and responded to appropriately.
While OCI Vault addresses confidentiality and integrity, features such as storage replication in OCI Block Volume can address availability. Let's bring both together.
Encryption in OCI
OCI automatically encrypts your data, typically using Oracle-managed keys. However, many customers prefer the flexibility of customer-managed keys, which they can replicate across regions for enhanced resilience. For more details on the encryption that OCI services offer, see the following resources:
Oracle Cloud Infrastructure Vault: Block Volume Encryption
Managing Vault Encryption Keys for Block Volume
How Oracle Cloud Infrastructure (OCI) helps you protect data with default encryption
Two levels of keys are involved: a data encryption key (DEK) encrypts the data itself, and a master encryption key (MEK) encrypts the DEK.
Figure 2: Hierarchy of encryption keys in OCI.
Now that we understand the levels of encryption in OCI, let's explore best practices for key management.
Key management best practices
The solution playbooks, Best practices framework for Oracle Cloud Infrastructure and Encrypt Data in Block Volumes, recommend using customer-managed keys. Based on the best practices framework for OCI, we encourage you to periodically rotate secret contents to reduce impact if a secret is exposed.
When you rotate such a secret, you update the master encryption key, which means the data encryption key attached to that master key must be reencrypted. Updating your master key doesn't change the underlying data encryption key inherited from a volume, which is what is actually required to access the data. This change only applies to customer-managed keys in a vault, not to the master key for an availability domain; availability domain master key rotation occurs as part of existing key rotation activities.
Key rotation means updating the version of the key. Currently, automatic version updates for Block Storage customer-managed keys in Key Management Service (KMS) aren't supported. So, when you rotate your KMS key to a new version in the OCI Vault service, volumes continue to use the old version of the key. After rotating the KMS key in Vault, run an update volume operation on your block volume to apply the new version. You can update the volume's KMS key to a new key, or to the same key (which then uses the latest version in Vault), without any downtime.
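The following Python is an added illustration, not code from the Oracle post or from OCI itself. It models the key hierarchy and rotation semantics described above: a vault holds versioned master encryption keys, each volume's data is encrypted with its own DEK, the DEK is stored wrapped by the MEK, and rotating the MEK creates a new version that the volume does not pick up until an explicit update re-wraps the DEK. Everything here is assumed for the sake of the walkthrough: the HMAC-SHA256 keystream is a stdlib-only stand-in for AES, the key OCID is a constructed placeholder, and the class and function names are the example's own, not OCI SDK APIs.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SAMPLE_DATA = b"constructed sample volume contents"  # constructed, not real volume data


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy CTR-style stream cipher built from HMAC-SHA256: a stdlib-only stand-in
    # for AES so the key hierarchy can be exercised end to end. Same call
    # encrypts and decrypts. Not a production cipher.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class Vault:
    # Models a vault: each MEK is a list of versions. The newest version is used
    # for new wrap operations; older versions stay available so that DEKs wrapped
    # earlier can still be unwrapped (this is why rotation alone causes no outage).
    keys: dict = field(default_factory=dict)  # key OCID -> list of 32-byte key versions

    def create_key(self, key_ocid: str) -> int:
        self.keys[key_ocid] = [os.urandom(32)]
        return self.current_version(key_ocid)

    def rotate(self, key_ocid: str) -> int:
        # Rotation = add a new version. Nothing that references the key is touched.
        self.keys[key_ocid].append(os.urandom(32))
        return self.current_version(key_ocid)

    def current_version(self, key_ocid: str) -> int:
        return len(self.keys[key_ocid]) - 1

    def wrap(self, key_ocid: str, dek: bytes) -> tuple:
        # Encrypt a DEK under the current MEK version and record which version was used.
        version = self.current_version(key_ocid)
        nonce = os.urandom(16)
        return (version, nonce, keystream_xor(self.keys[key_ocid][version], nonce, dek))

    def unwrap(self, key_ocid: str, wrapped: tuple) -> bytes:
        version, nonce, wrapped_dek = wrapped
        return keystream_xor(self.keys[key_ocid][version], nonce, wrapped_dek)


@dataclass
class Volume:
    # Data is encrypted with the volume's own DEK; the volume stores that DEK
    # wrapped by a customer-managed MEK identified by its OCID.
    kms_key_ocid: str
    wrapped_dek: tuple
    nonce: bytes
    ciphertext: bytes


def create_volume(vault: Vault, key_ocid: str, plaintext: bytes) -> Volume:
    dek = os.urandom(32)
    nonce = os.urandom(16)
    return Volume(key_ocid, vault.wrap(key_ocid, dek), nonce, keystream_xor(dek, nonce, plaintext))


def read_volume(vault: Vault, volume: Volume) -> bytes:
    dek = vault.unwrap(volume.kms_key_ocid, volume.wrapped_dek)
    return keystream_xor(dek, volume.nonce, volume.ciphertext)


def update_volume_key(vault: Vault, volume: Volume, new_key_ocid: str = "") -> Volume:
    # The "update volume" step: re-wrap the existing DEK under the current version
    # of the given MEK (same key by default, or a different key). The DEK and the
    # encrypted data bytes are left untouched, which is why no downtime is needed.
    dek = vault.unwrap(volume.kms_key_ocid, volume.wrapped_dek)
    volume.kms_key_ocid = new_key_ocid or volume.kms_key_ocid
    volume.wrapped_dek = vault.wrap(volume.kms_key_ocid, dek)
    return volume


def volume_key_version(volume: Volume) -> int:
    return volume.wrapped_dek[0]


def rotation_walkthrough() -> dict:
    # Rotate a MEK, then apply it to a volume, and report what changed at each step.
    key_ocid = "ocid1.key.oc1.eu-frankfurt-1.EXAMPLE"  # constructed placeholder, not a real OCID
    vault = Vault()
    vault.create_key(key_ocid)
    volume = create_volume(vault, key_ocid, SAMPLE_DATA)
    data_before, version_at_create = volume.ciphertext, volume_key_version(volume)
    vault.rotate(key_ocid)
    version_after_rotate = volume_key_version(volume)  # still the old version
    readable_after_rotate = read_volume(vault, volume) == SAMPLE_DATA
    update_volume_key(vault, volume)
    return {
        "version_at_create": version_at_create,
        "vault_current_version": vault.current_version(key_ocid),
        "volume_version_after_rotate": version_after_rotate,
        "volume_version_after_update": volume_key_version(volume),
        "readable_after_rotate": readable_after_rotate,
        "data_bytes_unchanged": volume.ciphertext == data_before,
        "readable_after_update": read_volume(vault, volume) == SAMPLE_DATA,
    }
```

Running rotation_walkthrough() shows the two facts the paragraph makes: after vault.rotate the vault's current version moves to 1 while the volume still reports version 0 (and remains readable, because the old version is still unwrappable), and only update_volume_key moves the volume to version 1, leaving the ciphertext bytes identical because the DEK itself never changed.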
Now that we understand key management best practices, let's discuss a crossregion replication setup.
Crossregion replication
Let's explore an example of crossregion replication. We have the following assets:
Source region: Frankfurt
Source block volume (located in Frankfurt)
Source vault (located in Frankfurt)
Source master encryption key
Source data encryption key
Target region: London
Backup policy with crossregion copy target: London
As a prerequisite, we must replicate the data encryption key to the target region. For details on how to replicate your vault, including your master and data encryption keys, see the tutorial on GitHub. This replication gives you the OCID of the target data encryption key in the target region, London.
The GitHub tutorial, Cloud Resilience by default, introduces an automated crossregion replication of block volumes. Now, we only have to add the OCID of the target data encryption key to set up a server with resilience by default, using the Oracle Cloud Console. To automate this process using the OCI CLI, see Set up your Server with Resilience by default using CLI.
This process enables you to automate your production environment and improve confidentiality, integrity, and availability for all your servers. For all the technical details of how OCI helps you to optimize your data protection, see the tutorial.
Conclusion
With OCI services, you can meet your goal of optimal confidentiality, integrity, and availability for the security of your information. Senior Principal Product Manager Max Verun provides more details in the blog post, Customer-managed keys support for crossregion volume replication and scheduled policy-based backup copy. You can rely on us. We're here to help you be successful in your security needs.
Explore OCI's capabilities today by signing up for the Free Tier and let us know how we can support your journey in cloud security! Share your feedback in the comments, and let us know how we can continue to improve your experience on Oracle Cloud Infrastructure.