A study of Oracle Cloud Infrastructure : Demonstration of the vulnerability or reliability of certain services through penetration attacks / En studie av Oracle Cloud Infrastructure : demonstration av sårbarheten eller tillförlitligheten hos vissa tjänster genom penetrationsattacker

Feller, Shanly

January 2023

This thesis aims to assess the security of Oracle Cloud Infrastructure (OCI) through penetration testing of some of its services. Targeted at cloud, cybersecurity, governance, and compliance professionals as well as administrators or cyber enthusiasts in general, this research uncovers specific best practices to OCI. We employ a methodology in three steps published by Astra aimed at cloud services auditing, combining penetration testing techniques and thorough documentation review to evaluate the security posture of OCI services. The scope encompasses IAM and MySQL Managed Databases. We found that unproperly supervised ABAC policies could lead to privilege escalation through the tagging of computing resources and that the MySQL service does not present the major issues that occurred in the managed services of OCI’s main competitors. This research contributes to the growing body of knowledge on cloud security and offers practical recommendations to strengthen OCI deployments, ultimately fostering greater confidence in adopting OCI services. / Syftet med denna uppsats är att undersöka säkerheten hos Oracle Cloud Infrastructure (OCI) genom penetrationstestning av några av dess tjänster. Riktad till moln-, cybersäkerhets-, styrnings- och efterlevnadsproffs, bidrar denna forskning till best-practice metoder för OCI. Vi tillämpar en metodik i tre steg som publicerats av Astra och som är inriktad på granskning av molntjänster. Metodiken kombinerar tekniker för penetrationstester och noggrann dokumentationsgenomgång för att utvärdera säkerhetsläget för OCI. Omfattningen inkluderar IAM och hanterade MySQL-databaser. Vi fann att bristfälligt övervakade ABAC-policyer kunde leda till privilegieeskaleringsproblem genom taggning av beräkningsresurser och att Oracles MySQL-tjänst inte har de större problem som hittades i hanterade tjänster hos OCIs främsta konkurrenter. Denna forskning bidrar till den växande kunskapsmängden om molnsäkerhet och erbjuder praktiska rekommendationer för att stärka implementeringar av OCI, vilket i slutändan främjar större förtroende för och antagandet av OCItjänster.

Oracle Cloud Infrastructure

penetration testing

security practices

cloud security

vulnerability assessment.

Computer Sciences

Datavetenskap (datalogi)

A Qualitative Comparative Analysis of Data Breaches at Companies with Air-Gap Cloud Security and Multi-Cloud Environments

T Richard Stroupe Jr. (17420145)

20 November 2023

<p dir="ltr">The purpose of this qualitative case study was to describe how multi-cloud and cloud-based air gapped system security breaches occurred, how organizations responded, the kinds of data that were breached, and what security measures were implemented after the breach to prevent and repel future attacks. Qualitative research methods and secondary survey data were combined to answer the research questions. Due to the limited information available on successful unauthorized breaches to multi-cloud and cloud-based air gapped systems and corresponding data, the study was focused on the discovery of variables from several trustworthily sources of secondary data, including breach reports, press releases, public interviews, and news articles from the last five years and qualitative survey data. The sample included highly trained cloud professionals with air-gapped cloud experience from Amazon Web Services, Microsoft, Google and Oracle. The study utilized unstructured interviews with open-ended questions and observations to record and document data and analyze results.</p><p dir="ltr">By describing instances of multi-cloud and cloud-based air gapped system breaches in the last five years this study could add to the body of literature related to best practices for securing cloud-based data, preventing data breach on such systems, and for recovering from breach once it has occurred. This study would have significance to companies aiming to protect secure data from cyber attackers. It would also be significant to individuals who have provided their confidential data to companies who utilize such systems. In the primary data, 12 themes emerged. The themes were Air Gap Weaknesses Same as Other Systems, Misconfiguration of Cloud Settings, Insider Threat as Attack Vector, Phishing as Attack Vector, Software as Attack Vector, and Physical Media as Attack Vector, Lack of Reaction to Breaches, Better Authentication to Prevent Breaches, Communications, and Training in Response to Breach, Specific Responses to Specific Problems, Greater Separation of Risk from User End, and Greater Separation of Risk from Service End. For secondary data, AWS had four themes, Microsoft Azure had two, and both Google Cloud and Oracle had three.</p>

Cloud computing

air-gapped systems

cloud-based air-gapped systems

cybersecurity

cybersecurity breach

multi-cloud environments

security measures

cybersecurity attack

Amazon Web Services (AWS)

Google Cloud Platform

Microsoft Azure Cloud

oracle cloud infrastructure