As more businesses adopt digital solutions, having effective security measures in place is critical for certain industries, such as the banking sector. Now more than ever, customers must work closely with their IT teams and vendors to establish security protocols to protect the confidentiality, integrity, and availability of data and the systems that process and store it.

This is the first blog in a series that will address how Oracle Exadata Cloud@Customer can support industries like financial services and give them the tools to move to Oracle Cloud with the confidence that their systems are protected from exposure to cyberthreat activity. Jeffrey Wright, Product Manager at Oracle specializing in security, discusses how Oracle Operator Access Control (OpCtl) can help customers control access to Exadata Cloud@Customer and Autonomous Database Dedicated infrastructure, and the unique advantages a customer gets when they choose Exadata Cloud@Customer with OpCtl.

Jeff explains, “The great thing about Exadata Cloud@Customer is that you as the customer retain physical control of the cloud infrastructure behind your firewall.” The next thing customers need is control of remote access into the infrastructure. OpCtl is a Privileged Access Management (PAM) service integrated into Oracle Cloud Infrastructure (OCI) and Exadata Cloud@Customer so that customers can govern how Oracle staff can access the infrastructure. Jeff adds, “This permits a bank, for example, to have the Preventive, Detective, and Responsive controls necessary to govern and regulate how Oracle people take care of the system, just like they are already doing in the current environment.”

OpCtl for Exadata Cloud@Customer is based on common goals shared by financial services, healthcare, and other industries, such as controlling human access such that:

  • Access is temporary and for a specific and stated purpose
  • Access is made with the minimum level of privileges to perform the stated purposes
  • Access is made using a named account specific to an identifiable person

Jeff continues, “The key is that when Oracle delivers a cloud, the reason we can deliver a secure cloud at low cost, high quality, and immense scale is that Oracle is the identity provider for our staff and Oracle can leverage this staff for all Oracle customers. This means we get the right staff, at the right place, and at the right time to solve any problem, and access is only permitted when a problem needs solving.” An interesting aspect of the cloud is that Oracle separates duties: Oracle picks the work to do and the person to do it, and then the customer reviews the work request and authorizes the access needed to do the work. This separation of duties is a sensible middle ground that minimizes risk and maximizes value when adopting a cloud service.

Oracle learned from Swiss banking law, UK banking law, and many other EMEA banking laws, and studied the regulations in the United States for financial services, aerospace, and defense, to craft a service with Preventive controls that truly govern minimum-privilege access. OpCtl prevents Oracle from gaining access to the equipment until the customer authorizes it, and prevents lateral movement and privilege escalation within the equipment. Oracle does this by engineering an Oracle Linux chroot jail inside the Exadata Database Machine. This novel approach using established technology strikes the necessary balance: safe enough to use, easy enough to maintain, and straightforward enough that customer security IT administrators can understand and evaluate the technology.

Oracle implements a Detective control through command and keystroke logging via the Oracle Linux audit service. This proven and familiar industry-standard logging format makes for easy integration into existing customer security information and event management (SIEM) systems and fast reviews with auditors.

And last, for Responsive controls, Oracle offers customer interfaces that terminate an OpCtl Access Request. Jeff adds, “When customers terminate an OpCtl access request, the OpCtl software terminates the operator’s ssh connections, all of the running processes, subprocesses, and credentials used by any people involved with an OpCtl Access Request. After a customer terminates an OpCtl Access Request, OpCtl prevents Oracle staff from logging into the system until the customer approves a new request.”
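As an added example (not Oracle's or OpCtl's own code) of how the Detective control above feeds a customer review, the script below checks auditd-style records from an operator session against the access request the customer approved: activity outside the approved window, logins to an account other than the named operator, and records with no attributable login uid are flagged. The auditd field layout, the operator name, and the sample records are assumptions constructed for illustration.

```python
"""Added example (not Oracle's or OpCtl's own code): review auditd-style
records from an operator session against the access request the customer
approved. Assumed: key=value auditd record layout; the sample lines and
the operator name are constructed for illustration."""
import re
from dataclasses import dataclass

AUDIT_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:\d+\):\s*(?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295  # auditd's value for a login uid that was never set

@dataclass
class AccessRequest:
    operator: str  # named account the customer approved (constructed value)
    start: int     # epoch seconds at which access was approved
    end: int       # epoch seconds at which the request expired or was terminated

# Constructed sample records, not real Exadata output. The last record happens
# after the request was terminated and carries no attributable login uid.
SAMPLE_AUDIT = """\
type=USER_LOGIN msg=audit(1700000000.101:501): pid=1200 uid=0 auid=1001 ses=7 msg='op=login acct="oper.jdoe" exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1700000120.300:502): syscall=59 success=yes uid=1001 auid=1001 ses=7 comm="ls" exe="/usr/bin/ls"
type=USER_LOGIN msg=audit(1700000500.220:503): pid=1300 uid=0 auid=0 ses=8 msg='op=login acct="root" exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1700004000.000:504): syscall=59 success=yes uid=0 auid=4294967295 ses=9 comm="cat" exe="/usr/bin/cat"
"""

def parse_record(line):
    """Split one audit line into its type, epoch timestamp and key=value fields."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m['body'])}
    return {'type': m['type'], 'ts': int(m['ts']), **fields}

def review_session(audit_text, req):
    """Return (timestamp, reason) findings for activity the approved request does not cover."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec['type'] not in ('USER_LOGIN', 'SYSCALL'):
            continue
        if int(rec.get('auid', UNSET_AUID)) == UNSET_AUID:
            findings.append((rec['ts'], 'activity not attributable to a named login uid'))
        if rec['type'] == 'USER_LOGIN' and rec.get('acct') != req.operator:
            findings.append((rec['ts'], f"login to {rec.get('acct')!r} is not the approved operator"))
        if not req.start <= rec['ts'] <= req.end:
            findings.append((rec['ts'], 'activity outside the approved access window'))
    return findings

if __name__ == '__main__':
    for ts, why in review_session(SAMPLE_AUDIT, AccessRequest('oper.jdoe', 1699999900, 1700003600)):
        print(ts, why)
```

In practice the approved window and operator name would come from the access request record the customer approved, and the audit lines from the SIEM that ingests the Oracle Linux audit stream.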

Having worked with leading organizations in banking, healthcare, energy, and defense, Oracle understands that the Exadata platform is well known. What Oracle has learned from these customers is respect for how people must be controlled when accessing the equipment, and for the importance of controlling who has access. Operator Access Control is an important feature because it lets Oracle Cloud permit Oracle staff to solve problems safely while mitigating the risk of people getting into systems when not permitted. The important differentiator with Oracle Cloud is that it is architected from the ground up for security and mission-critical infrastructure. OpCtl is a logical outcome of engineering security into a system (not bolting it on): the security control is usable by customers, and Oracle understands their operations well enough to be permitted to do the work that supports their services, in a way that mitigates risk. Jeff concludes, “Oracle is a cloud services company, and this service integrates the people and the process and the technology. This is the technology that customers can use to control Oracle people, so those customer systems are safely maintained. People + Process + Technology = Integrated together”

To learn more: Visit Exadata Cloud@Customer

Jeffrey Wright, Product Manager at Oracle Corporation, specializes in the confluence of security controls, IT administration, and software engineering knowledge, and how it applies to our industry’s current and future data centers. His background includes security, networking, automation, data analysis, software development, electronics, lasers, optics, machine control, and manufacturing. Jeff’s current focus is cybersecurity for Exadata Cloud@Customer and Exadata Cloud Service, helping Database Administrators and DevOps staff in regulated markets make the transition to pure and hybrid cloud environments.