Securing Oracle SaaS and PaaS solutions using IP whitelisting and MFA
Published on: Author: Richard Velden Category: OracleWith more and more business applications in the cloud, the need for tighter security increases. Setting up Multi-Factor Authentication (MFA) is one way to achieve this. In this article, we will show how to set up MFA and IP whitelisting for the Oracle Cloud.
User laptops can be hacked, and malware can accidentally be installed, thus passwords will be compromised. However, in the pre-cloud era, business applications were less exposed to the outside world. Now, anyone in the world could in theory access your business application. The only security measure in between: a username/password combination.
IP whitelisting
Using IP whitelisting, we can make sure only IP addresses coming from a specific country (or continent) can access your cloud applications. More elaborate schemes one can implement are those in which you restrict specific roles (admin and such) to only login from a short list of IP addresses.
For the Oracle cloud, you can configure this using the Oracle Identity Cloud Service (IDCS).
Defining sign-on policies
In Oracle IDCS, we can define multiple sign-on policies. Each policy defines a set of rules, and a list of applications for which these rules apply. The default sign-on policy allows any authenticated user access to the IDCS application (see fig 1).
Each rule within a sign-on policy helps in determining whether a user may or may not sign on. Each rule can either grant or restrict access. By means of setting a rule priority, we can control the order in which rules are evaluated.
Adding a second sign-on policy for a specific application allows us to configure access specifically for a single application (see figures 2 and 3). In our example, we are going to define specific sign-on policies for Oracle Integration Cloud (PaaS). If one defines a specific sign-on policy for a particular application, IDCS will use that instead of the ‘Default’ one.
Now, we need to allow access to this application, based on a particular (corporate) IP range.
In figures 4, 5 and 6 you can see how to:
- Define a network perimeter.
- Add a rule to the policy to allow access for all users within a particular IP address range.
We add a second rule to restrict all other access to Oracle Integration Cloud (fig 7 and 8).
Say, we would like people outside the corporate address range to be able to login, but with additional authentication.
Setting up MFA in Oracle Cloud
Enabling Multi-Factor Authentication (MFA) in the Oracle Cloud is rather simple. In your IDCS console, navigate to Security -> MFA and simply check some boxes (see figures 9 and 10).
Next, we add a new rule to our Integration sign-on policy. This rule will allow all other IP addresses to access the system, but it will require the user to present an additional factor (see figure 11 and 12).
Log in using MFA
With the new sign-on policy in place, we’re going to try to log in our Oracle Integration Cloud instance.
Oracle now requests a second authentication token (figure 14). To get access, we download a mobile app (Oracle Verificator). After downloading, the app needs to be matched with this particular cloud account. Luckily, this is very easy. On the first login attempt, IDCS detects that no mobile app was coupled to this account. A quick and easy QR code pops up to match this account to your mobile authenticator app.
