Transcript
00:00 Hello and welcome. In this demo, let us look at security zones. When you create a security zone,
00:11 you select one or more compartments and a recipe. A security zone recipe specifies which policies
00:18 you want to enforce. Oracle provides a default set of policies, but you can create your own
00:24 policies. Any attempt to create or modify resources in the security zone that violates one of the zone's
00:32 policies is denied. Security Zones uses Cloud Guard, as you can see in the diagram here,
00:38 to routinely scan your zones and report any zone policy violation. And this is important:
00:44 you must enable Cloud Guard before you can use security zones. So let us look at security zones
00:51 in action. Here I'm logged on to the Oracle Cloud console. If I click on the navigation menu,
00:59 I can bring up Identity and Security services, and I can see Security Zones listed here, since Security
01:06 Zones is part of the OCI security portfolio. When I click on it, it gives me a nice landing page
01:14 which describes the workflow required for Security Zones to work. It shows all the steps
01:20 I need to complete in order for security zones to work. First I need to write policies, then I need
01:26 to enable Cloud Guard, and then I can create the zones. Now in this account, I'm not sure if I have
01:32 Cloud Guard enabled, so it gives me a prompt here. If I click on Enable Cloud Guard,
01:38 it again gives me a workflow on how to enable Cloud Guard, because Security Zones uses Cloud Guard in the
01:45 background. It looks like I don't have Cloud Guard enabled, so I'll click on Enable Cloud Guard,
01:51 and it tells me that Cloud Guard requires these policies, which do not exist in my current
01:57 tenancy. You can see a long list of policies which are needed. So I will go ahead and
02:03 create these policies. All these policy statements have been added. Click Next. Then it asks
02:09 what my reporting region is; I'll use Ashburn as my reporting region. And it asks whether I want to
02:15 monitor all compartments or selected compartments. I'll click All, which is fine. Then I'll
02:21 click on detector recipes and pick the activity detector recipe. These are
02:29 optional parameters, but I'll select them. Then I'll click Enable. As I do that,
02:34 you will see that Cloud Guard is enabled in my account. You saw that workflow, which says Cloud
02:40 Guard is getting enabled. Now if I go back to the Identity and Security menu again and click
02:48 on Security Zones and then on Overview, I can see that I can create a security zone. So I'll click
02:55 on Create Security Zone. Here you can see that I can pick a recipe: I can pick Oracle managed, or I can
03:03 pick customer managed. As we discussed, Oracle managed is fine; that's the default recipe
03:08 Security Zones comes with. So I will give it a name,
03:20 and I'll create this security zone in the sandbox compartment and click on Create Security
03:26 Zone. That's as simple as it is to create a security zone. Within a couple of seconds, you will
03:31 see that the security zone is now created. In essence, what has been done is that I have a sandbox
03:37 compartment which is now associated with this security zone, and the policies are listed right here.
03:44 If I click on these policies, I just want to quickly show you that these are security policies around
03:49 compute, storage, networking and database. One of the policies here says that you cannot create object
03:56 storage buckets without a vault key. What it's saying is that, by default, we encrypt your buckets
04:04 using Oracle managed keys, but in this case it's saying that you need to create buckets with customer
04:11 managed keys. So you need to have a valid key and you need to have access to a vault where the key
04:18 is stored. If you don't have that, then you cannot create an object storage bucket in the sandbox
04:24 compartment. To test it, let me click on Storage here and then on Object Storage
04:30 buckets, and we'll test this security zone policy violation. You can see
04:36 on the left-hand side that I'm logged on to the sandbox compartment. If I click on Create
04:41 Bucket now, there's a default name which comes up, and right here you can see that by default
04:47 we use Oracle managed keys to encrypt the bucket, but the security zone policy says that I
04:54 need to use customer managed keys. Of course, I don't have vault access here and I don't
04:59 have a key. So if I create this bucket, it will not let me do that, because it's a security zone policy
05:05 violation. If I click here, you will see that it says there's a security zone violation,
05:11 and it also gives me a reason, the exact policy which is violated: it says encrypt
05:17 the bucket with a customer managed encryption key. It also gives me a workflow on how to go ahead
05:22 and create a new key and use that key to encrypt this bucket. So this was a quick
05:29 demo on how you can use security zones. Remember, Security Zones and Cloud Guard working together
05:36 help you increase the security posture in your organization. So I hope you
05:41 found this demo useful. Thanks for your time.