How We Aim to Keep You Out of the News

May 11, 2023 | 7 minute read
Robert Azzopardi
Distinguished SaaS Cloud Technologist
Text Size 100%:

Making headlines for experiencing a cyber breach is a top concern for executives. Cybersecurity firm Proofpoint and MIT’s Sloan School of Management recently conducted a study of board member views about cybersecurity. The study found that 65% of board members believe their company is at risk of experiencing a material cyber incident within the next 12 months, but almost half feel that their organization isn’t prepared to deal with a targeted cyber-attack.  

Oracle’s approach to securing our cloud applications and their deployment follows a Defense in Depth Strategy and that is how we aim to keep our customers (and ourselves) out of the news. This strategy builds upon our unique capabilities such as full stack ownership as well as the adoption and development of industry and internal best practices, standards, and certifications. The diagram below lists the layers that make up Oracle Defense in Depth approach.

Defense in Depth spans three key areas the physical, the procedural, and the actual software.

Layered Security

Physical Security

Data centers where the applications are deployed must meet stringent security and infrastructure requirements.

The facilities that house the Oracle Cloud Applications are built and managed by leading co-location vendors; all of which meet Oracle’s strict criteria for service and infrastructure. All facilities meet the following criteria:

Construction, Power, and Cooling:

  • Concrete, stone, and/or steel construction
  • Redundant utility feeds
  • Redundant UPS
  • Redundant standby power
  • Excess power capacity
  • Cooling capacity that matches or exceeds power capacity
  • Redundant ISPs

Physical Security:

  • 24x7 human guards
  • Secure ingress/egress always includes multiple levels of physical technology, including:
  • Man traps
  • Biometric scanners
  • Proximity card readers and identification badges
  • Audible alarms when security is breached
  • Access limited by defined access lists
  • Physical access logging
  • Cage space secured by physical key or hand scanner
  • Compulsory visitor escort
  • Closed circuit TVs and recorders

Network Security

There are multiple elements to Oracle’s network security. In addition to firewalls, intrusion detection, traffic encryption and a host of other technologies, as part of our Oracle Cloud Infrastructure (OCI), Oracle maintains and provides a world class DNS service which is even used by other major providers. Oracle’s DNS has its origins in the Dyn acquisition and has the benefits of providing OCI and the applications that run on it with DDOS protection operating at layer 3 and 4 of the protocol stack.

Monitoring

Our state-of-the-art Cloud Service Centers (CSCs) follow the sun 24 hours a day every day. We have multiple CSCs that are staffed 24x7x365 and are connected to all production pods worldwide, providing up-to-the-minute visibility into components of the environment. Our CSCs are responsible for monitoring and addressing stability of the pods and customer sites, managing customer events, and handling proactive communications with customers.

Detection and prevention capabilities are staffed by a dedicated 24x7x365 team of database and systems administrators at each CSC, and hand-offs between CSCs are both written and verbal at the end of every shift.

Oracle uses an extensive monitoring framework to provide a 360-degree view across our cloud services. It not only provides visibility of the Oracle Cloud infrastructure itself, but also provides monitoring of the end user experience. For the Oracle Fusion Cloud Applications, this is provided by Real User Experience Insight (RUEI)

All the logs collected are stored in our Security and Incident Event Monitoring System (SIEM) environment.  Network data, and system logs generated by the application are correlated by the SIEM and analyzed to help ensure that the security of the platform is not compromised. Dedicated security monitoring software is used to analyze and correlate security events and raise the relevant alerts when suspicious activity occurs. As a result, Oracle Cloud Operations has a precise indication of where issues arise.

And finally, for Oracle Fusion Cloud Applications, additional layers of protection are provided by Oracle Cloud Guard (CASB) and Web Application Firewall (WAF). For more details on these, a great reference is the Oracle Cloud Applications Blog and posts by David Cross (SVP, CISO SaaS Cloud Security)

The diagram below shows the monitoring framework supporting Oracle’s Fusion Cloud Applications.

OCI

Organization Security

Oracle has a very deep and broad security organization covering both operational aspects and product security. This also includes a dedicated SaaS Security organization. For more details, please refer to https://www.oracle.com/corporate/security-practices/corporate/governance.html

Oracle Cloud Services operate under Policies which are aligned with the ISO/IEC 27002 Code of Practice for information security controls, from which a set of controls are selected.

The internal controls of Oracle Cloud Services are subject to periodic testing by independent third-party audit organizations. Such audits may be based on the Statement on Standards for Attestation Engagements (SSAE) No. 18, Reporting on Controls at a Service Organization (“SSAE 18”), the International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization (“ISAE 3402”), or such other third-party auditing standard or procedure applicable to the specific Oracle Cloud Service. Audit reports of Oracle Cloud Services are periodically published by Oracle’s third-party auditors.

Business Continuity

Oracle Cloud Applications provide an uptime SLA of 99.9%. Services are deployed on resilient computing infrastructure designed to maintain service availability and continuity in the case of an incident affecting the services and data centers are required to provide component and power redundancy. Services such as Fusion Cloud Applications also provide Disaster Recovery with a Recovery Time Objective (RTO) of 12 hours and a Recovery Point Objective (RPO) of 1 hour.

Data Security

For Oracle Fusion Cloud Applications:

  • Data in transit is protected using Transport Layer Security (TLS 1.2).
  • Data at rest is encrypted using Oracle Database Transparent Database Encryption.

In Oracle’s Cloud Infrastructure (Gen 2), files systems are encrypted using 256 AES encryption.

Secure Development

Software security begins well before any coding is done.

Oracle Software Security Assurance (OSSA) is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products, whether they are used on-premises by customers, or delivered through Oracle Cloud. Oracle’s goal is to architect Oracle’s products to help customers meet their security requirements while providing for the most cost-effective ownership experience.

Over many decades, Oracle has developed Secure Coding Standards and practices to address the safety and security of our products.

Please refer to  https://www.oracle.com/corporate/security-practices/assurance/

Application Security

Arguably the final components of the security lifecycle are the applications themselves. The Oracle Fusion Cloud Applications include a comprehensive range of security features including, but not limited to:

Ransomware Protection

A final comment about ransomware. Oracle Fusion Cloud Applications take a number of steps to protect customers against ransomware:

  • All uploaded file attachments are scanned with up-to-date anti-malware software
  • Attachments are stored in the database as part of Universal Content Management – so they never touch the file system.
  • Customers do not have direct access to the file system and have no need to access the file system.
  • Oracle Administrators access customer systems through a dedicated VPN that does a posture check to confirm that the computer used to connect meets specific Oracle security requirements. Once granted, system access is done through a bastion host in order to provide additional security, logging and prevent exfiltration of data.
  • Systems are deployed on Oracle Linux

All these measures and more combine to greatly reduce the attack surface presented to malware and ransomware.

In Summary

Oracle’s Defense in Depth security strategy has one goal – to protect our customers data so that both you and Oracle stay out of the headlines.

Please let us know how Oracle can help you at any step in your Oracle Applications journey. Come back soon for future posts in this series on Why Technology Matters for Oracle Cloud Applications. For more information on Oracle Cloud Security, please refer to the following: How Oracle Cloud Applications Protect Your Data and Oracle Corporate Security Practices

Read the first two blogs in the series here: Introduction and Why Technology Matters – A Strong Foundation

Visit the Oracle Cloud Applications and OCI  page and read The IT & Business Leader’s Guide to Oracle Cloud Applications ebook for more information.

 

Additional Notes:

The author is a member of Oracle’s North American Applications Advanced Technology team, dedicated to helping customers modernize their businesses through technical innovation. He provides subject matter expertise and vision on SaaS, platform technology, operations, and data management.

This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document.

 

 

 

 

Robert Azzopardi

Distinguished SaaS Cloud Technologist


Previous Post

A 7-step recipe for data governance: Perfecting your digital foundation

Guest Author | 5 min read

Next Post


Looking to the future: Innovative approaches to connected planning

Guest Author | 6 min read