Enhance Oracle Cloud Security with Landing Zones

Build your OCI security onion with Landing Zones

Oracle Enterprise Landing Zones are frameworks within Oracle Cloud Infrastructure (OCI) designed to create secure and scalable cloud environments for enterprises. They include various versions such as OELZ v1, OELZ v1 Lite, OELZ v2, and CIS OCI Landing Zone, each offering different levels of security, compliance, and complexity to accommodate organizational needs. OELZ v2 is the most comprehensive for advanced enterprise setups, while CIS focuses on stringent security. Selecting a landing zone depends on your enterprise's priorities such as scalability, security compliance, or industry-specific requirements. Deployment is facilitated through Terraform scripts, and a GitHub repository is available for quick deployment.

The CIS OCI Landing Zone is a publicly available reference architecture for creating the foundations of a secure tenancy on OCI, following best practices from the CIS Benchmark for OCI along with best practices developed in OCI for Oracle's own PaaS, SaaS, and IT services. In addition to the reference architecture, the Landing Zone includes easy-to-deploy Terraform code (Quick Start) that automates the creation of a secure tenancy, and a compliance checking script that can be run against new or existing tenancies to validate their configuration against the CIS benchmark recommendations.

If you have read anything about them before, the confusion starts quickly. Landing Zone v1 or v2? CIS or non-CIS?

Oracle OCI Landing Zones provide structured environments to set up Oracle Cloud Infrastructure (OCI) following best practices and compliance standards.

Which one?

https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/cloud-adoption-framework/technology-implementation.htm#how-do-i-choose

Oracle Enterprise Landing Zone (OELZ) v1

Purpose and Scope:

  • The initial version is designed to provide a foundational setup for enterprises on OCI.

  • Focused on establishing a secure and scalable environment.

Key Features:

  • Standardized Architecture: Provides a predefined architecture based on Oracle’s best practices.

  • Security and Compliance: Basic security controls and compliance measures.

  • Automated Deployment: Uses Terraform scripts for automated setup.

  • Networking: Basic network configuration including VCNs, subnets, and security lists.

  • IAM: Implements foundational IAM policies and compartments.

  • Monitoring and Logging: Basic integration with OCI monitoring and logging services.

  • Cost Management: Initial cost management practices included.

Oracle Enterprise Landing Zone (OELZ) v1 Lite

Purpose and Scope:

  • A simplified version of OELZ v1, designed for smaller organizations or initial cloud adoption phases.

  • Focused on providing a quick and straightforward setup.

Key Features:

  • Simplified Architecture: Provides a minimal viable architecture to get started on OCI.

  • Basic Security Controls: Essential security measures to protect the environment.

  • Automated Deployment: Uses Terraform scripts for easy deployment.

  • Networking: Basic network setup with essential components.

  • IAM: Implements necessary IAM policies and compartments.

  • Monitoring and Logging: Basic monitoring and logging configurations.

  • Cost Management: Basic cost management practices.

Oracle Enterprise Landing Zone (OELZ) v2

Purpose and Scope:

  • Designed for enterprises looking for a comprehensive cloud environment setup.

  • Provides a scalable and secure architecture that adheres to Oracle’s best practices.

Key Features:

  • Modular Design: Allows for customization and scalability based on organizational needs.

  • Security and Compliance: Built-in security controls and compliance with various regulations (e.g., GDPR, HIPAA).

  • Automated Deployment: Uses Terraform scripts for automated provisioning and configuration.

  • Networking: Configures a robust network architecture with VCN, subnets, security lists, and DRG.

  • Identity and Access Management (IAM): Implements IAM policies and compartments to segregate and control access.

  • Monitoring and Logging: Integrated with OCI monitoring and logging services for visibility and troubleshooting.

  • Cost Management: Incorporates tagging and cost management best practices.

CIS OCI Landing Zone

Purpose and Scope:

  • Developed by the Center for Internet Security (CIS) to provide a secure foundation for OCI based on CIS Benchmarks.

  • Focused primarily on security hardening and compliance.

Key Features:

  • Security Hardening: Aligns with CIS OCI Foundations Benchmark to implement stringent security measures.

  • Compliance: Ensures compliance with CIS standards, often a requirement for regulated industries.

  • Automated Deployment: Utilizes Terraform scripts for quick deployment of a compliant OCI environment.

  • Networking and IAM: Configures secure network architecture and IAM policies as per CIS recommendations.

  • Auditing and Monitoring: Enables auditing and logging to track compliance and detect security incidents.
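Every landing zone above lists "compartments and IAM policies" as a security feature; the security-relevant point is that a compartment is the boundary a policy is scoped to, so an administrator group can be given full control of one function without gaining rights anywhere else. The following Terraform fragment is an added illustration of that pattern and is not code from any of the landing zone repositories. The compartment, group and policy names, the `var.tenancy_ocid` and `var.service_label` inputs, and an already configured OCI provider are all assumptions made for the example.

```hcl
# Added illustration of compartment-scoped least privilege in OCI IAM.
# Not the landing zone's own code. Assumes the OCI Terraform provider is
# configured and that var.tenancy_ocid and var.service_label are supplied.

# One compartment per function: network resources live here ...
resource "oci_identity_compartment" "network" {
  compartment_id = var.tenancy_ocid
  name           = "${var.service_label}-network-cmp" # name is an assumption
  description    = "Network resources (VCNs, subnets, DRG)"
  enable_delete  = false # refuse to delete the compartment on destroy
}

# ... and security resources (vaults, keys, logging) live here.
resource "oci_identity_compartment" "security" {
  compartment_id = var.tenancy_ocid
  name           = "${var.service_label}-security-cmp" # name is an assumption
  description    = "Security resources (vaults, keys, logging)"
  enable_delete  = false
}

# A group for the people who operate the network.
resource "oci_identity_group" "network_admins" {
  compartment_id = var.tenancy_ocid
  name           = "${var.service_label}-network-admin-group" # assumption
  description    = "Manages networking only inside the network compartment"
}

# Least privilege: 'manage' on the network resource family, but only inside
# the network compartment, plus read-only visibility into the security
# compartment so the team can troubleshoot without being able to change keys
# or logging. No statement grants anything at tenancy scope.
resource "oci_identity_policy" "network_admins" {
  compartment_id = var.tenancy_ocid # policies for a compartment sit in its parent
  name           = "${var.service_label}-network-admin-policy"
  description    = "Network admins scoped to the network compartment"
  statements = [
    "Allow group ${oci_identity_group.network_admins.name} to manage virtual-network-family in compartment ${oci_identity_compartment.network.name}",
    "Allow group ${oci_identity_group.network_admins.name} to read all-resources in compartment ${oci_identity_compartment.security.name}",
  ]
}
```

Interpolating the compartment names from the `oci_identity_compartment` resources makes Terraform create the compartments before the policy, and it also means a rename cannot silently leave the policy pointing at a compartment that no longer exists. The same shape, one compartment plus one narrowly scoped policy per function, is what the landing zones generate for networking, security, application and database workloads.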

Other OCI Landing Zones

  1. OCI Well-Architected Framework (WAF) Landing Zone:

    • Purpose: Implements OCI best practices based on the Well-Architected Framework.

    • Features: Focuses on reliability, security, cost optimization, performance efficiency, and operational excellence.

    • Use Case: Suitable for organizations seeking a balanced approach across all cloud operation aspects.

  2. Industry-Specific Landing Zones:

    • Purpose: Tailored for specific industries (e.g., healthcare, finance) with unique compliance and operational requirements.

    • Features: Customized configurations to meet industry standards and regulatory requirements.

  3. Custom Landing Zones:

    • Purpose: Tailored to the specific needs of an organization.

    • Features: Can be built from scratch or by modifying existing landing zone templates to meet unique requirements.

Comparison Summary

| Feature / Aspect | OELZ v2 | CIS OCI Landing Zone | OELZ v1 | OELZ v1 Lite | Other Landing Zones |
|---|---|---|---|---|---|
| Primary Focus | Enterprise setup, scalability | Security hardening, compliance | Foundational enterprise setup | Simplified initial setup | Varies (e.g., balanced architecture, industry-specific) |
| Security Compliance | Built-in security controls | CIS Benchmark alignment | Basic security controls | Essential security measures | Varies (e.g., Well-Architected, industry standards) |
| Customization and Flexibility | High, modular design | Moderate, focused on CIS compliance | Moderate, standardized architecture | Low, simplified architecture | High, varies by specific landing zone |
| Automated Deployment | Yes, using Terraform | Yes, using Terraform | Yes, using Terraform | Yes, using Terraform | Yes, using Terraform or other tools |
| Network Architecture | Robust, enterprise-grade | Secure, CIS compliant | Basic network configuration | Basic network setup | Varies, can be tailored to needs |
| IAM and Access Control | Detailed policies and compartments | Secure policies as per CIS | Foundational IAM policies | Essential IAM policies | Varies, based on specific requirements |
| Monitoring and Logging | Integrated with OCI services | Extensive logging for compliance | Basic monitoring and logging | Basic monitoring and logging | Varies, can be tailored to needs |
| Cost Management | Best practices included | Not primary focus | Initial cost management practices | Basic cost management practices | Varies, often included |

Summary of Key Differences:

  • OELZ v2 offers the most comprehensive and customizable setup, suitable for large enterprises with advanced needs.

  • CIS OCI Landing Zone focuses on security hardening and compliance, ideal for organizations with strict security requirements.

  • OELZ v1 provides a foundational setup for enterprises, less advanced than v2 but still robust.

  • OELZ v1 Lite is a simplified version for smaller organizations or those starting their cloud journey.

  • Other Landing Zones vary widely and can be tailored to specific industries or organizational needs.

Choosing the right landing zone depends on your organization's priorities, whether it's comprehensive enterprise architecture, stringent security compliance, or specific industry requirements.

Deploy from Github

Here is the official GitHub repo. The simplest way to get started is the Deploy to Oracle Cloud button.

https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart

Click Deploy to Oracle Cloud, log in, and you will get a Terraform wizard (an OCI Resource Manager stack) to fill out. The two important options are:

Service Label: a unique label that gets prepended to all resources created by the Landing Zone. I used lz.

Use an enclosing compartment? Uncheck to prevent the creation of a "top" compartment.

I recommend most of the other security options like vulnerability scanning, key vault, etc. However, the service connector can generate enough logs to become billable.
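The same choices the wizard asks for can be recorded in a `terraform.tfvars` and applied from the CLI, which is how most teams end up running the quickstart once they want the deployment reviewed and repeatable. The fragment below is an added example, not a file from the oci-cis-landingzone-quickstart repository: the variable names are assumptions based on the quickstart's public inputs and must be checked against `variables.tf` in the repository before use, and every OCID and credential value is a placeholder.

```hcl
# Added example terraform.tfvars for the CIS Landing Zone quickstart.
# Not a file from the repository. Variable names are assumptions; verify them
# against variables.tf. All OCIDs, paths and fingerprints are placeholders.

# Tenancy and API-key authentication for the account running Terraform.
tenancy_ocid     = "ocid1.tenancy.oc1..PLACEHOLDER"
user_ocid        = "ocid1.user.oc1..PLACEHOLDER"
fingerprint      = "PLACEHOLDER-KEY-FINGERPRINT"
private_key_path = "~/.oci/oci_api_key.pem"
region           = "eu-frankfurt-1" # home region; placeholder

# The two options the wizard walkthrough calls out.
service_label             = "lz"  # prepended to every resource name
use_enclosing_compartment = false # no "top" compartment; compartments sit at the root

# Security services worth turning on (assumed variable names).
vss_create = true # vulnerability scanning of compute instances

# Service connector caveat: create the connector so the logging pipeline is in
# place, but leave it inactive until a log target and budget are agreed, because
# an active connector forwards enough log volume to become billable.
create_service_connector = true
enable_service_connector = false
```

With this file in the cloned repository directory, `terraform init`, `terraform plan -out=lz.tfplan` and `terraform apply lz.tfplan` reproduce what the button does, with the added benefit that the plan output can be reviewed and archived before anything is created. Flipping `enable_service_connector` to `true` later is a one-line change applied the same way.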