Need the highest level of boot security for your OCI instances? Unable to migrate to cloud due to stringent security compliance requirements around server boot security? OCI Shielded instances may be for you.
Oracle has recently launched Shielded Instances. Shielded Instances are the same VM and bare-metal instances as before, just with an additional layer of security. They’re not for everyone nor are they appropriate for every cloud server. However, for those applications where you absolutely must have the highest level of security - for whatever reason whether regulatory, internal security policy, data sensitivity etc. - then Shielded Instances are worth consideration.
Before delving into the details, Oracle’s documentation gives a good concise description of what Shielded Instances are:
Shielded instances harden the firmware security on bare metal hosts and virtual machines (VMs) to defend against malicious boot level software.
In simple terms, Shielded Instances are designed to protect the integrity of the instance boot process. Security of platforms - whether cloud-based or on-prem - must always be approached as multi-layered. No one thing will lead to bullet-proof security. It is the summation of various layers of security and security configuration working together that determines the overall security posture of a platform. Shielded instances are merely another security feature that, when deployed appropriately, can prevent (or at least identify) certain specific attack vectors - in this context to defend against malicious software that has been designed to interfere or in some cases replace, a server’s boot sequence. Returning to the notion of security layers, it is the responsibility of other security tools and best practices to defend against malicious software being injected into the boot process in the first place. However, if these tools and best practices fail in that defence, the next layer of protection is provided by Shielded Instances. Shielded Instances are designed to identify anomalies with the boot process before the instance fully boots, to then act accordingly. Malicious boot sequence software - typically called rootkits or bootkits, depending on where in the boot sequence they embed - is extremely difficult to detect once installed as it’s not uncommon for them, as part of the modified boot sequence, to disable, degrade or uninstall software whose role is to detect them.
Oracle Cloud Infrastructure Shielded Instances are available on either bare metal or VMs. On a security side note, irrespective of the new Shielded Instances offering, it’s worth remembering that OCI has offered bare-metal instances from inception, giving you sole access and control of that instance. If concerns exist with respect to running VMs on co-tenanted physical hosts and the phenomenon of virtual machine escape - essentially a bad actor exploiting a weakness to gain access to the underlying hypervisor of the host - the use of dedicated bare-metal instances eliminates those concerns.
Shielded Instances harden the hardware firmware of the instance using a combination of the following three security features:
Many of the limitations above will mean, as already stated, Shielded Instances are not appropriate for all instances. However, they are appropriate for those instances where the integrity of the boot process is deemed essential or maximum security is a must. Shielded Instances are yet another welcome security tool in the OCI security toolkit.
Creating a Shielded Instance is as simple as selecting the required functionality - Secure Boot, Measured Boot, TPM - from the instance creation page as shown in the screenshot below. Or, of course, through other means of Instance Creation – such as APIs, CLIs, Terraform – that you might use to create any OCI resource.
There’s a lot more detail related to Shielded Instances than is presented in this short blog. Further research, therefore, is recommended if Shielded Instances may be of interest to you. Please feel free to get in touch to organise a call with one of our technical consultants to discuss Shielded Instances further.
For more information, check out our Oracle Cloud Services and get in touch with an Oracle Cloud expert today.