Review Changes to the Security Policy for OCI Console Sign-On Policy
Oracle Cloud Infrastructure (OCI) has recently announced updates to the Security Policy for Console Sign-On, which are now being rolled out with a pop-up notification in the OCI Console. This blog post walks you through the changes, their implications, and the steps you can take to decide whether to keep these changes or restore the default settings.
Understanding the Update
The new security policy update focuses on enhancing the security of user authentication in OCI. This policy includes changes to password complexity, session timeouts, and multi-factor authentication (MFA) enforcement, among other aspects. When you log into the OCI Console, a pop-up notification will inform you about the changes and provide you with two options:
- Keep Changes: Selecting this option keeps the updated security policy in effect for your tenancy.
- Restore to Defaults: This option reverts the security settings to their previous default state.
The notification ensures that administrators are aware of the changes and can make an informed decision based on their organizational requirements.
Key Changes in the Security Policy
Some of the notable updates include:
- Stronger Password Policies: Passwords must meet stricter complexity requirements, including length and the use of special characters.
- Session Management Enhancements: Sessions will automatically expire after a specified period of inactivity to minimize risks associated with unattended sessions.
- Mandatory Multi-Factor Authentication (MFA): Enabling MFA is now emphasized as a best practice for secure access.
- MFA for Administrators: MFA is enforced for all administrators to ensure that only authorized users can perform administrative tasks.
- MFA for All Users: MFA is also being enforced for all users accessing the OCI Console. This ensures that all users must provide a second form of authentication, such as an OTP or device-based authentication, to enhance overall security.
- Improved Audit and Monitoring Capabilities: Enhanced visibility into sign-on events and security logs.
Additionally, OCI has issued reminders and announcements in the OCI Console to ensure users are informed and can take timely action. Administrators are encouraged to actively review these changes to maintain secure and compliant cloud operations.
Deciding Between "Keep Changes" and "Restore to Defaults"
When to Select Keep Changes - You should select "Keep Changes" if:
- Your organization manages sensitive customer data and may benefit from stricter password policies and mandatory MFA to prevent unauthorized access.
- Your organization adheres to industry standards like GDPR, HIPAA, or PCI DSS. Adopting the new policies ensures alignment with security best practices.
- Your organization uses another identity provider (IdP) such as Azure AD, and users are authenticated to the OCI Console through Azure. Such an organization already has its own security measures in place, so keeping the changes makes sense.
When to Select Restore to Defaults - You should select "Restore to Defaults" if:
- Your Existing Policies Differ: For example, your organization uses custom password policies that meet specific business needs, and stricter requirements may hinder operations. Organizations with a large user base might prefer less stringent policies to maintain ease of access for users.
- Your organization has not modified the sign-on policy. In that case, you can select "Restore to Defaults".
Steps to Review and Decide
To manage the security policy changes, follow these steps:
- Log In: Access the OCI Console using your credentials.
- Review the Pop-Up: Read the notification carefully to understand the proposed changes.
- Assess the Impact: Consider how these changes align with your organization’s security policies and compliance requirements.
- Access Sign-On Policies:
  - Navigate to Identity & Security > Domains.
  - Select the Default Domain (or your specific domain).
  - Go to the Security tab and review the Sign-On Policies.