Enhance Oracle Cloud Security with Landing Zones
Build your OCI security onion with Landing Zones
Oracle Enterprise Landing Zones are frameworks within Oracle Cloud Infrastructure (OCI) designed to create secure and scalable cloud environments for enterprises. They include various versions such as OELZ v1, OELZ v1 Lite, OELZ v2, and CIS OCI Landing Zone, each offering different levels of security, compliance, and complexity to accommodate organizational needs. OELZ v2 is the most comprehensive for advanced enterprise setups, while CIS focuses on stringent security. Selecting a landing zone depends on your enterprise's priorities such as scalability, security compliance, or industry-specific requirements. Deployment is facilitated through Terraform scripts, and a GitHub repository is available for quick deployment.
The CIS OCI Landing Zone is a publicly available reference architecture for creating the foundations of a secure tenancy on OCI, following best practices from the CIS Benchmark for OCI along with best practices developed in OCI for our own Oracle PaaS, SaaS, and IT services. In addition to the reference architecture, the Landing Zone includes easy-to-deploy Terraform code (Quick Start) that automates the creation of a secure tenancy, and a compliance-checking script, usable on new or existing tenancies, that validates the tenancy's configuration against the CIS benchmark recommendations.
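To make the idea of the compliance-checking script concrete, here is an added example (not the quick start's own script) of one such check written offline: it flags security-list ingress rules that expose SSH (22) or RDP (3389) to 0.0.0.0/0, which the CIS OCI Foundations Benchmark recommends against. The rule dictionaries follow the shape of the OCI Core API IngressSecurityRule (protocol, source, tcpOptions.destinationPortRange); the sample security lists are constructed, not read from a real tenancy.

```python
"""Added example, not the CIS Landing Zone's cis_reports script: a minimal
CIS-style check that finds ingress rules opening SSH/RDP to the internet.
Rule dicts mimic the OCI Core API IngressSecurityRule JSON shape;
all sample data below is constructed."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
TCP = "6"  # OCI encodes TCP as IANA protocol number "6"; "all" means every protocol


def rule_exposes_port(rule, port):
    """True if an ingress rule lets 0.0.0.0/0 reach `port` over TCP."""
    if rule.get("source") != "0.0.0.0/0":
        return False
    proto = rule.get("protocol")
    if proto not in (TCP, "all"):
        return False
    if proto == "all":
        return True  # all protocols, so all ports
    port_range = (rule.get("tcpOptions") or {}).get("destinationPortRange")
    if port_range is None:
        return True  # TCP with no port range means all TCP ports
    return port_range["min"] <= port <= port_range["max"]


def find_open_admin_ports(security_lists):
    """Return (security list name, port, service) for every violating rule."""
    findings = []
    for sl in security_lists:
        for rule in sl.get("ingressSecurityRules", []):
            for port, name in ADMIN_PORTS.items():
                if rule_exposes_port(rule, port):
                    findings.append((sl["displayName"], port, name))
    return findings


# Constructed sample: one compliant list and two non-compliant ones.
SAMPLE_SECURITY_LISTS = [
    {"displayName": "lz-app-sl",
     "ingressSecurityRules": [
         {"protocol": TCP, "source": "10.0.0.0/16",
          "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}}]},
    {"displayName": "lz-bastion-sl",
     "ingressSecurityRules": [
         {"protocol": TCP, "source": "0.0.0.0/0",
          "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}}]},
    {"displayName": "lz-legacy-sl",
     "ingressSecurityRules": [{"protocol": "all", "source": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for name, port, svc in find_open_admin_ports(SAMPLE_SECURITY_LISTS):
        print(f"{name}: {svc} (tcp/{port}) open to 0.0.0.0/0")
```

Against a real tenancy the same functions would be fed the security lists returned by the OCI SDK's list_security_lists call for each compartment.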
If you have read anything about them before, the confusion starts quickly. Landing Zone v1 or v2? CIS or non-CIS?
Oracle OCI Landing Zones provide structured environments to set up Oracle Cloud Infrastructure (OCI) following best practices and compliance standards.
Which one?
Oracle Enterprise Landing Zone (OELZ) v1
Purpose and Scope:
The initial version is designed to provide a foundational setup for enterprises on OCI.
Focused on establishing a secure and scalable environment.
Key Features:
Standardized Architecture: Provides a predefined architecture based on Oracle’s best practices.
Security and Compliance: Basic security controls and compliance measures.
Automated Deployment: Uses Terraform scripts for automated setup.
Networking: Basic network configuration including VCNs, subnets, and security lists.
IAM: Implements foundational IAM policies and compartments.
Monitoring and Logging: Basic integration with OCI monitoring and logging services.
Cost Management: Initial cost management practices included.
Oracle Enterprise Landing Zone (OELZ) v1 Lite
Purpose and Scope:
A simplified version of OELZ v1, designed for smaller organizations or initial cloud adoption phases.
Focused on providing a quick and straightforward setup.
Key Features:
Simplified Architecture: Provides a minimal viable architecture to get started on OCI.
Basic Security Controls: Essential security measures to protect the environment.
Automated Deployment: Uses Terraform scripts for easy deployment.
Networking: Basic network setup with essential components.
IAM: Implements necessary IAM policies and compartments.
Monitoring and Logging: Basic monitoring and logging configurations.
Cost Management: Basic cost management practices.
Oracle Enterprise Landing Zone (OELZ) v2
Purpose and Scope:
Designed for enterprises looking for a comprehensive cloud environment setup.
Provides a scalable and secure architecture that adheres to Oracle’s best practices.
Key Features:
Modular Design: Allows for customization and scalability based on organizational needs.
Security and Compliance: Built-in security controls and compliance with various regulations (e.g., GDPR, HIPAA).
Automated Deployment: Uses Terraform scripts for automated provisioning and configuration.
Networking: Configures a robust network architecture with VCN, subnets, security lists, and DRG.
Identity and Access Management (IAM): Implements IAM policies and compartments to segregate and control access.
Monitoring and Logging: Integrated with OCI monitoring and logging services for visibility and troubleshooting.
Cost Management: Incorporates tagging and cost management best practices.
CIS OCI Landing Zone
Purpose and Scope:
Developed by the Center for Internet Security (CIS) to provide a secure foundation for OCI based on CIS Benchmarks.
Focused primarily on security hardening and compliance.
Key Features:
Security Hardening: Aligns with CIS OCI Foundations Benchmark to implement stringent security measures.
Compliance: Ensures compliance with CIS standards, often a requirement for regulated industries.
Automated Deployment: Utilizes Terraform scripts for quick deployment of a compliant OCI environment.
Networking and IAM: Configures secure network architecture and IAM policies as per CIS recommendations.
Auditing and Monitoring: Enables auditing and logging to track compliance and detect security incidents.
Other OCI Landing Zones
OCI Well-Architected Framework (WAF) Landing Zone:
Purpose: Implements OCI best practices based on the Well-Architected Framework.
Features: Focuses on reliability, security, cost optimization, performance efficiency, and operational excellence.
Use Case: Suitable for organizations seeking a balanced approach across all cloud operation aspects.
Industry-Specific Landing Zones:
Purpose: Tailored for specific industries (e.g., healthcare, finance) with unique compliance and operational requirements.
Features: Customized configurations to meet industry standards and regulatory requirements.
Custom Landing Zones:
Purpose: Tailored to the specific needs of an organization.
Features: Can be built from scratch or by modifying existing landing zone templates to meet unique requirements.
Comparison Summary
| Feature / Aspect | OELZ v2 | CIS OCI Landing Zone | OELZ v1 | OELZ v1 Lite | Other Landing Zones |
|---|---|---|---|---|---|
| Primary Focus | Enterprise setup, scalability | Security hardening, compliance | Foundational enterprise setup | Simplified initial setup | Varies (e.g., balanced architecture, industry-specific) |
| Security Compliance | Built-in security controls | CIS Benchmark alignment | Basic security controls | Essential security measures | Varies (e.g., Well-Architected, industry standards) |
| Customization and Flexibility | High, modular design | Moderate, focused on CIS compliance | Moderate, standardized architecture | Low, simplified architecture | High, varies by specific landing zone |
| Automated Deployment | Yes, using Terraform | Yes, using Terraform | Yes, using Terraform | Yes, using Terraform | Yes, using Terraform or other tools |
| Network Architecture | Robust, enterprise-grade | Secure, CIS compliant | Basic network configuration | Basic network setup | Varies, can be tailored to needs |
| IAM and Access Control | Detailed policies and compartments | Secure policies as per CIS | Foundational IAM policies | Essential IAM policies | Varies, based on specific requirements |
| Monitoring and Logging | Integrated with OCI services | Extensive logging for compliance | Basic monitoring and logging | Basic monitoring and logging | Varies, can be tailored to needs |
| Cost Management | Best practices included | Not primary focus | Initial cost management practices | Basic cost management practices | Varies, often included |
Summary of Key Differences:
OELZ v2 offers the most comprehensive and customizable setup, suitable for large enterprises with advanced needs.
CIS OCI Landing Zone focuses on security hardening and compliance, ideal for organizations with strict security requirements.
OELZ v1 provides a foundational setup for enterprises, less advanced than v2 but still robust.
OELZ v1 Lite is a simplified version for smaller organizations or those starting their cloud journey.
Other Landing Zones vary widely and can be tailored to specific industries or organizational needs.
Choosing the right landing zone depends on your organization's priorities, whether it's comprehensive enterprise architecture, stringent security compliance, or specific industry requirements.
Deploy from GitHub
Here is the official GitHub repo; the simplest way to get started is the Deploy to Oracle Cloud button.
https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart
Click Deploy to Oracle Cloud, log in, and you will get a Terraform wizard prompt to fill out. The two important options are:
Service Label: A unique label that gets prepended to all resources created by the Landing Zone.
I used lz
Use an enclosing compartment?
- Uncheck to prevent the creation of a “top” compartment.
I recommend most of the other security options like vulnerability scanning, key vault, etc. However, the service connector can generate enough logs to become billable.