Organizations have many choices to make about the technology they’ll use to support their critical business processes. They can opt for various cloud services (IaaS or SaaS, private or public cloud), choose to operate their critical applications on-premises, or use a mixture of both. Business leaders need to be aware that there are fundamental differences in how compliance is achieved under these various scenarios.
Approach to Compliance Objectives
Oracle customers can have stringent security, compliance and privacy objectives from internal and external sources. To effectively manage operations while meeting these objectives, Oracle customers must seek to analyze the management model associated with their use of Oracle products and services, as well as understand any independent certifications or audits already performed by Oracle which can be leveraged as part of their security, compliance and supplier management programs.
Oracle offers a variety of products and services, from the building blocks customers use to create computing environments they fully manage to business-ready cloud hosted applications. This blog entry is intended to provide guidance to help customers:
- Define the categories of Oracle offerings and associated management roles for Oracle and customers.
- Identify the security testing, assurance and third-party product and cloud service validations performed by Oracle.
- Highlight operational security and security assurance activities which are customer responsibility.
- Suggest how to leverage Oracle-performed security validations when customers are validating compliance to their objectives.
Roles and Responsibilities per Category of Oracle Products and Services
It’s helpful to start this analysis by defining the categories of Oracle offerings and summarizing “who does what” per category. This will help clarify the notion of “shared management model” that is predominant in the cloud as well as the relative scope of available security assurance validations. Oracle products and services in different categories may have similar names, so links to examples are provided.
On-Premises Products
This category applies to the hardware and software that Oracle develops and supports, but doesn’t host on behalf of its customers. Deployment of these products into a computing environment is entirely controlled by the customer. The customer is wholly responsible for the management of the entire technology environment in which these products are deployed and operated, as well as the data they process. This encompasses building, configuring, and using these offerings in the customer-controlled technology environment. Example products include Exadata engineered systems, the Linux operating system and E-Business Suite.
Oracle Cloud Infrastructure (OCI) Services
OCI services can be used to build and operate computing environments which include data analysis, storage, system integrations, enterprise workloads and “cloud native” or containerized applications. Oracle manages the hosted “tools”, but the customer is responsible for how they build, configure, and use these tools, and for the data processed in their tenancies. Example services include Compute, Analytics and Autonomous Database.
Oracle Cloud Application Services
These applications are hosted using a Software as a Service (SaaS) model in which Oracle manages the cloud applications and underlying infrastructure. Customers are responsible for how they configure and use the applications, and for the data processed in their tenancies. Example services include Sales, Enterprise Resource Planning (ERP), and Human Capital Management (HCM). Customers are also responsible for securing any third-party integration associated with these SaaS offerings, as well as any custom code or scripts they build to extend the applications.
Dedicated Region Cloud@Customer (DRCC)
In this offering, Oracle deploys a cloud service region into the customer’s data center, hosting OCI and/or cloud applications. In addition to the customer responsibilities for the respective cloud service above, the customer is also responsible for physical security and network management of the facility, including the connections to Oracle for the delivery of cloud services.
“Configure and Use”
Customer operational tasks encompassed within “configure” and “use” for all Oracle products and services include:
- Implement settings for authentication and authorization such as requirements for accounts and passwords
- Manage logical access for user accounts, including auditing which user accounts have access to what data
- Monitor via available logs and reports
- Determine what data to process and manage that data per your organization’s security and privacy objectives
- Securely develop custom code, application extensions and integrations you build
- Respond to incidents
Third-Party Certifications, Audits and External Evaluations
Given the range of respective responsibilities between Oracle and its customers outlined above, it is logical that the third-party security assurance attestations available from Oracle differ by product category. This simply reflects the variance in the respective role of the customers and Oracle across cloud and on-premises offerings.
On-premises product certifications encompass validation and testing of the code and components delivered with the product. Oracle validates certain products to the international Common Criteria (CC) standard and to the Federal Information Processing Standard (FIPS) 140 cryptographic standard developed by the National Institute of Standards and Technology (NIST) in the US. Since the customer controls the computing environment, Oracle cannot certify products to any compliance framework or security standard which focuses on how the computing environments are built, configured or used. Customers wishing to assess their computing environments against any operational requirements should pursue those assurance activities independent of Oracle.
Oracle’s cloud services (OCI and cloud applications) are assessed by independent third-party auditors against a variety of compliance frameworks. These frameworks and standards include requirements for a variety of operational controls that are performed by Oracle. Customers can explore the outcome of these audits in the form of attestations (audit reports), bearing in mind that attestations are specific to a set of cloud services and data centers.
Frequently Asked Questions about Compliance
1. If I build my application on OCI services, and OCI has the required certifications, is my application/computing environment also compliant with those framework requirements?
No, but you can leverage OCI’s certifications for the underlying infrastructure supporting your application or other system you’ve built. Customers are responsible for the security of what they create within their cloud tenancy.
2. My organization hired consultants to build, configure and/or operate our computing environments (including cloud tenancies). Are we still responsible for the security of these?
Yes. Even when outsourcing the implementation or operation of information technology (IT) management of products or cloud service tenancies to a third-party consulting or services provider, the customer retains full responsibility for managing and operating these systems. The service provider acts on customer direction, as an extension of the customer’s staff.
3. Who is responsible for vulnerability management (including patching) of software my organization deployed in our OCI tenancy?
Customers deploying Oracle products, whether in their own data center or in OCI, are responsible for keeping up with supported releases and applying security updates delivered through the Critical Patch Update (CPU) and Security Alert programs. Oracle recommends that customers subscribe to notifications about these security updates and apply patches without delay.
Recommendations
When evaluating alignment with your organization’s security, privacy and compliance objectives in relation to use of Oracle products and services, you need to:
- Clarify your organization’s security, privacy and compliance obligations.
- Watch the tour of Oracle’s Trust Center to learn more about Oracle’s Corporate Security Practices and cloud service compliance.
- Contact Sales to obtain the third-party attestations for Oracle cloud services that are relevant to you.
- Understand the overlap across information security compliance frameworks, to leverage existing attestations which encompass the required controls.
- Identify your compliance requirements which depend on customer-controlled operational practices and processes and implement the necessary procedures (in addition to leveraging relevant technology).
- Identify assurance activities for your organization to pursue, based on your use of Oracle on-premises products and cloud services.