Customers in highly regulated industries often have strict security requirements and need to maintain physical control of the infrastructure. Exadata Cloud@Customer (ExaC@C) with Operator Access Control (OpCtl) helps customers meet these strict requirements for dedicated Exadata Database Service and Autonomous Database Service deployments by providing enhanced preventive, detective, and responsive security controls. This third blog of the series takes a deep dive into detective controls, which show what Oracle Cloud Operations staff are doing on the ExaC@C system, including the commands they are executing and the keystrokes they are entering. Jeffrey Wright, Product Manager at Oracle, explains how Oracle Operator Access Control can help customers control access to Exadata Cloud@Customer and dedicated infrastructure for Autonomous Database. Jeff explains, “OpCtl provides operator command and keystroke logging via the Oracle Linux (OL) audit service running on the infrastructure components.”
The information from the Oracle Linux audit service is available to the customer via two interfaces:
• OCI Logging Service
• Direct send of audit logs in syslog format to a customer-supplied IP address or hostname of a customer-controlled syslog server, which is useful for transmitting audit logs to a customer Security Information and Event Management (SIEM) system
Oracle Linux audit service content is typically available in the OCI Logging Service within 30 seconds of command execution.
Jeff adds, “Deutsche Bank is a great example of a large Oracle customer that subscribed to Exadata Cloud@Customer because the architecture is behind their firewall, and they get the value of the cloud. OpCtl provides privileged access management (PAM) so that customers can control Oracle Cloud Operations staff just like they control their staff, and OpCtl is included free of charge with Exadata Cloud@Customer.” The detective controls (command and keystroke logging) that Oracle records for Oracle operators are externalized to customers so that customers can monitor the activity of Oracle operators. Jeff explains, “The key is, not only do you have command and keystroke monitoring, but you also have two independent companies that get independent copies of those records. This separation of duties and technology helps to reduce the risk of tampering compared to a single company maintaining the records.” OpCtl is easy to turn on through the Oracle Cloud interface with a simple point and click, and it is also supported by all Oracle APIs. It takes less than 8 minutes to set up Oracle Operator Access Control and assign it to selected Exadata Infrastructure; you can see how to do it on YouTube.
Jeff further explains how detective controls work, “You usually have a requirement to prove to your regulators that the system has been governed to standard. What is interesting is it is very hard to make a statement that something can’t happen on a computer, but it’s not that hard to show what happened on a computer.” The first thing Oracle does with detective controls is to inform the customer, before access is initiated, what limits (via chroot jails) are placed on Oracle operators when accessing the Exadata Cloud@Customer system. Within these limits, OpCtl subsequently provides a record of what has happened on the system on a command-by-command and keystroke-by-keystroke basis via the Oracle Linux audit service. Output from this industry-standard utility is easy to import into common security information and event management (SIEM) systems and easy to parse with tools a customer is likely to already be using. With this information, customers see what is happening in near real time and have a log of what has happened on the system. This kind of detective control can help customers prove to their regulators and auditors that the system was governed as it was supposed to be governed with Oracle cloud, just like they can with the systems they own and operate themselves.
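As an added example of the "easy to parse" point above (this is not Oracle's code and not an OpCtl output sample), the following Python parses Oracle Linux audit-service records of the kind OpCtl forwards to OCI Logging or a customer syslog/SIEM endpoint. It assumes the standard auditd text layout (`type=... msg=audit(epoch:serial): key=value ...`), groups records that share a serial into one event, decodes the hex-encoded keystrokes that pam_tty_audit writes in TTY records, and flags commands on a watchlist. The log lines, uids, session ids and paths are constructed for the example.

```python
"""Turn Linux audit-service records into a per-operator command timeline.

Added example (not Oracle's code). It assumes the standard auditd record
layout that the Oracle Linux audit service emits:
    type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): key=value key="quoted" ...
Records sharing one serial belong to one event (e.g. SYSCALL + EXECVE for a
command; a TTY record from pam_tty_audit carries hex-encoded keystrokes).
The log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: two commands run by login uid (auid) 1500 after
# escalating to root (uid=0), plus the keystrokes that produced the first one.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4123 auid=1500 uid=0 gid=0 euid=0 tty=pts1 ses=37 comm="dbcli" exe="/usr/bin/dbcli" key="opctl_cmd"
type=EXECVE msg=audit(1700000000.101:2001): argc=3 a0="dbcli" a1="list-databases" a2="--verbose"
type=TTY msg=audit(1700000000.350:2002): tty pid=4100 uid=0 auid=1500 ses=37 major=136 minor=1 comm="bash" data=6462636C69206C6973742D646174616261736573202D2D766572626F73650D
type=SYSCALL msg=audit(1700000000.900:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4150 auid=1500 uid=0 gid=0 euid=0 tty=pts1 ses=37 comm="rm" exe="/usr/bin/rm" key="opctl_cmd"
type=EXECVE msg=audit(1700000000.900:2003): argc=3 a0="rm" a1="-rf" a2="/tmp/opctl-staging"
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_KEYS = re.compile(r"^(a\d+|data)$")  # fields auditd hex-encodes when unquoted


def _decode(key, value):
    """Strip quotes; hex-decode the fields auditd encodes that way (argv with
    spaces or control characters, and TTY keystroke data)."""
    if value.startswith('"'):
        return value[1:-1]
    if HEX_KEYS.match(key) and len(value) % 2 == 0:
        try:
            return bytes.fromhex(value).decode("utf-8", "replace")
        except ValueError:
            pass
    return value


def parse_record(line):
    """One audit line -> dict, or None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, raw in KV_RE.findall(m.group("body")):
        rec[key] = _decode(key, raw)
    return rec


def build_events(lines):
    """Group records by serial into events: who (auid/uid/ses), what (argv), keystrokes."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            groups[rec["serial"]].append(rec)
    events = []
    for serial in sorted(groups):
        by_type = {r["type"]: r for r in groups[serial]}
        ev = {"serial": serial, "ts": groups[serial][0]["ts"]}
        sc = by_type.get("SYSCALL")
        if sc:
            ev.update(auid=sc.get("auid"), uid=sc.get("uid"), ses=sc.get("ses"), tty=sc.get("tty"), exe=sc.get("exe"))
        ex = by_type.get("EXECVE")
        if ex:
            ev["argv"] = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
        tty = by_type.get("TTY")
        if tty:
            ev.update(auid=tty.get("auid"), uid=tty.get("uid"), ses=tty.get("ses"), keystrokes=tty.get("data"))
        events.append(ev)
    return events


def flag_events(events, watchlist):
    """Return serials whose command name is on a watchlist of sensitive binaries."""
    return [ev["serial"] for ev in events if ev.get("argv") and ev["argv"][0] in watchlist]


def timeline(events):
    """Human-readable lines for an audit review or a SIEM dashboard."""
    out = []
    for ev in events:
        when = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        who = f"auid={ev.get('auid')} uid={ev.get('uid')} ses={ev.get('ses')}"
        what = " ".join(ev["argv"]) if "argv" in ev else f"keystrokes={ev.get('keystrokes')!r}"
        out.append(f"{when} #{ev['serial']} {who} {what}")
    return out


if __name__ == "__main__":
    evs = build_events(SAMPLE_AUDIT_LOG.splitlines())
    print("\n".join(timeline(evs)))
    print("flagged:", flag_events(evs, {"rm", "dd", "shutdown", "reboot", "userdel"}))
```

Two details matter when reviewing these records: `auid` is the login uid, which the kernel keeps fixed across `su`/`sudo`, so it still identifies the operator when `uid=0`; and the `ses` value ties EXECVE and TTY records from the same login session together, which is how the keystrokes in the TTY record are matched to the command the operator ran.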
To access the first two blogs in this series:
Blog 1: Exadata Cloud@Customer Takes Cloud Security to the Next Level
Blog 2: In-Depth Look at Operator Access Control and Preventive Controls
Also, to learn more, please attend the Oracle CloudWorld session, Meet Regulatory Mandates with Operator Access Control on Exadata Cloud@Customer (LRN1492).
Speakers:
- Jeffrey Wright, Senior Principal Product Manager, Oracle
- Rohit Muttepawar, Director of Infrastructure, Honeywell
- Mathew Coutard, Lead Infrastructure Architect, Banque Internationale à Luxembourg (BIL)
Abstract:
Learn how to use operator access control with Exadata Cloud@Customer to support mission-critical and regulated applications. We discuss how it works, how to process Oracle access requests to manage when Oracle staff can access your infrastructure, how to integrate the Oracle Cloud Infrastructure (OCI) events and notifications services with ServiceNow to integrate OpCtl into your change management system, and how to integrate the OCI logging service into your Splunk system to process Oracle operator commands and keystrokes.
