forked from diegoecab/oci-deal-accelerator
Diagram generation: ref-arch-driven procedure + spec validator + KB enrichment
The diagram path now follows a documented standard procedure (lookup the closest Oracle Architecture Center reference → confirm components → author absolute_layout → spec validator → render → visually verify) and ships persistent guardrails so layout regressions can't recur. Persistent procedure changes (apply to all users, all sessions): - tools/diagram_spec_validator.py — geometry checks (CONTAINER_TOO_THIN, CONTAINER_PADDING_VIOLATION, LABEL_OVERFLOW_PARENT) run BEFORE either renderer (drawio + PPTX). Catches the subnet-collapse / label-overflow bugs that the post-render drawio validator missed. - tools/oci_diagram_gen.py + tools/oci_pptx_diagram_gen.py — call the spec validator before emitting any output. Adds mysql / mysql_heatwave type aliases. - tools/archcenter_pattern_lookup.py — scores against cached page descriptions (not just the 1-line summary), supports --queries for multi-fragment composition, and applies synonym expansion via kb/architecture-center/synonyms.yaml so "LB HA cross AD" matches "load balancer high availability availability domain". - kb/architecture-center/synonyms.yaml — canonical synonym table (load balancer, autonomous database, data guard, …) used by the lookup scorer. KB enrichment: - tools/archcenter_description_fetcher.py + 121 cached _description.md under kb/diagram/assets/archcenter-refs/<slug>/. Removes the runtime dependency on docs.oracle.com when authoring specs and feeds the pattern-lookup scorer. - 110+ cached .drawio / .svg / .png references for offline reuse, plus the OCI Toolkit v24.2 import (kb/diagram/assets/oci-toolkit-drawio). Documentation: - docs/skill/output-formats.md — new "Standard diagram-generation procedure (MANDATORY)" + geometry rules + the new validator entry. - SKILL.md option 2 — references the mandatory procedure. - README.md — describes the spec validator, archcenter_pattern_lookup and description fetcher, and updates the KB-health table. Tooling that backs the procedure (cumulative across recent sessions): tools/archcenter_case_runner.py, archcenter_batch_driver.py, archcenter_zip_downloader.py, drawio_visual_validator.py, drawio_fidelity_eval.py, harvest_drawio_icon.py, import_oci_library.py, oci_pptx_diagram_gen.py, oci_pptx_render.py, refresh_pptx_icon_index.py. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,362 @@
|
||||
# Incorporate Cyber-Resilience Capabilities Into Your OCI Tenancy
|
||||
|
||||
- Source: https://docs.oracle.com/en/solutions/oci-tenancy-cyber-resilience-architecture/index.html
|
||||
- Date: 2025-08
|
||||
- Type: reference-architecture
|
||||
- Services: cloud-guard, vault, data-safe
|
||||
- Tags: security
|
||||
|
||||
## Summary (catalog)
|
||||
|
||||
Cyber-resilience architecture for OCI tenancies. Immutable backups, isolated recovery environments, threat detection with Cloud Guard, and database activity monitoring with Data Safe.
|
||||
|
||||
## Architecture (fetched from source)
|
||||
|
||||
Learn About Cyber Resilient Architectures that Protect Data from Ransomware
|
||||
|
||||
|
||||
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
-
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Previous
|
||||
Next
|
||||
JavaScript must be enabled to correctly display this content
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Learn About Cyber Resilient
|
||||
Architectures that Protect Data from Ransomware
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Ransomware attacks are among the most egregious cybercrimes facing
|
||||
businesses today. They can disrupt operations, damage your reputation, and lead to
|
||||
escalating recovery and remediation costs.
|
||||
|
||||
|
||||
|
||||
|
||||
Ransomware is an advanced form of malware that uses complex algorithms to
|
||||
encrypt your data and lock you out of your systems. Threat actors demand a
|
||||
ransom—usually in cryptocurrency to protect their identity—in exchange for a decryption
|
||||
key to restore access.
|
||||
|
||||
|
||||
Modern ransomware attacks often use a double extortion method: not
|
||||
only is your data encrypted, but it is also exfiltrated, with attackers threatening to
|
||||
publicly release it if you do not pay.
|
||||
|
||||
|
||||
|
||||
In this solution playbook, you learn about Cybersecurity measures to "Protect and Detect" your environment, and Cyber Resilience strategies to "Respond and Recover" your data
|
||||
from ransomware.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
About the NIST Cybersecurity
|
||||
Framework
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
The NIST cybersecurity framework which calls out defensive
|
||||
best practices centered around the security continuum and the CIA (Confidentiality,
|
||||
Integrity, and Availability) Triad, and is best described using the
|
||||
following:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
- Protect : Prevent a threat to either data confidentiality,
|
||||
integrity, or availability.
|
||||
|
||||
|
||||
- Detect : Detect anomalous activity that may be construed as
|
||||
evidence of attempted and/or successful malicious activity.
|
||||
|
||||
|
||||
- Respond : Address, deter, and counteract a successful
|
||||
compromise.
|
||||
|
||||
|
||||
- Recover : Assume that the compromise has occurred and use
|
||||
mechanisms to restore an environment to a known good state.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
About the Cyber Triad
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
In the early days of cybersecurity, the focus was primarily on preventing
|
||||
attackers from entering networks. However, as threats became more sophisticated with the
|
||||
rise of advanced viruses and malware, it became clear that prevention alone was not
|
||||
enough. In addition to prevention strategies, detection techniques were introduced to
|
||||
identify and flag attackers that breached the firewall.
|
||||
|
||||
|
||||
|
||||
Today's antivirus and malware solutions can't keep up. Attackers
|
||||
increasingly make their way into the internal networks where they sit dormant, move
|
||||
laterally, and orchestrate sophisticated ransomware attacks.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Description of the illustration oci-cyber-triad-venn-diagram.png
|
||||
|
||||
To avoid being a victim of extortion, supply chain disruptions, and
|
||||
operational shutdowns that often accompany ransomware breaches, Oracle recommends that
|
||||
your cloud architecture addresses the cyber triad:
|
||||
|
||||
|
||||
|
||||
- Cybersecurity
|
||||
|
||||
- Cyber resilience
|
||||
|
||||
- Disaster recovery
|
||||
|
||||
|
||||
By considering all three aspects of the cyber triad, your organization will
|
||||
be well positioned to recover from ransomware while meeting your organization's RTO
|
||||
(Recovery Time Objective) and RPO (Recovery Point Objective) requirements.
|
||||
|
||||
|
||||
While enhancing your OCI environment security, retain focus on the core
|
||||
security fundamentals and disaster recovery methods to ensure availability of your
|
||||
workloads. For example, if you replicate data that has been compromised, your recovery
|
||||
site will be affected in the same way as your primary site and does not address the
|
||||
problem of preventing deletion, encryption or modification by threat actors.
|
||||
|
||||
|
||||
Designing a cyber resilient architecture protects your backups and ensures
|
||||
that you determine if a threat actor modified, deleted, or tampered with the data before
|
||||
restoring it.
|
||||
|
||||
|
||||
Bringing together the cyber triad, traditional security measures, and
|
||||
disaster recovery helps you ensure cyber resilience and better prepare your organization
|
||||
to recover from ransomware.
|
||||
|
||||
|
||||
|
||||
|
||||
Note:
|
||||
High availability and disaster recovery
|
||||
are important parts of your architecture, but they are outside the scope of this
|
||||
solution playbook.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Ask the Architect
|
||||
|
||||
|
||||
|
||||
|
||||
Replay the Ask the Architect episode:
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
The following lists the various points (mins:secs) in the video where
|
||||
these topics begin:
|
||||
|
||||
|
||||
|
||||
|
||||
- 00:00 - Opening
|
||||
|
||||
- 02:54 - Introducing the Cyber Triad
|
||||
|
||||
- 10:00 - Enclaves and Cyber Resilient Architecture (CRA)
|
||||
|
||||
- 17:31 - Understanding Cybersecurity Pillar
|
||||
|
||||
- 25:00 - Understanding Cyber Resilience - Concepts and Controls
|
||||
|
||||
- 38:15 - Oracle Database Zero Data Loss Autonomous Recovery Service - details and demo
|
||||
|
||||
|
||||
- 44:26 - Demo of the CRA Terraform stack for Unstructured Data
|
||||
|
||||
- 49:34 - Summary
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Before You Begin
|
||||
|
||||
|
||||
|
||||
|
||||
Before you can begin setting up cybersecurity, deploy
|
||||
the foundational Core Landing Zone using the Deploy a secure landing
|
||||
zone that meets the CIS OCI Foundations Benchmark reference architecture.
|
||||
|
||||
|
||||
|
||||
Review these related resources:
|
||||
|
||||
|
||||
|
||||
- OCI
|
||||
IAM
|
||||
|
||||
|
||||
|
||||
-
|
||||
|
||||
|
||||
Overview of security best practices in OCI tenancy blog
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-
|
||||
|
||||
|
||||
Oracle
|
||||
Database Cloud Best Practices
|
||||
|
||||
|
||||
|
||||
|
||||
-
|
||||
|
||||
|
||||
OCI
|
||||
Zero-Trust Security Model site
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
-
|
||||
|
||||
OCI Core Landing Zone documentation
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Title and Copyright Information
|
||||
|
||||
|
||||
|
||||
|
||||
Incorporate cyber resilience capabilities into your OCI tenancy
|
||||
|
||||
|
||||
F85043-05
|
||||
|
||||
|
||||
August 2025
|
||||
|
||||
|
||||
Copyright © 2023,2025,
|
||||
|
||||
Oracle and/or its affiliates.
|
||||
Reference in New Issue
Block a user