Customers sometimes ask Oracle about available security attestations for on-premises products. To answer that question, we’ll need to clarify some terms and lay a foundation for a common understanding of key concepts.
What are on-premises products?
As mentioned in the “Compliance implications of operating in the cloud vs. on-premises” post, “on-premises products” are hardware and software that Oracle develops and supports, but does not host or manage on behalf of its customers. Deployment of these products into a computing environment is entirely controlled by the customer, who’s wholly responsible for the management of the technology environment in which these products are operated, as well as the data they process. Customers are responsible for how they deploy, configure, and use these products in their environments. People may also refer to these as “traditionally licensed products” or “off the shelf” products. Example on-premises products include the Oracle database software, Linux operating system and E-Business Suite software.
In contrast, cloud products are hosted by the service provider. Examples of cloud products include Oracle Cloud Infrastructure and Cloud Applications. Keep in mind that cloud security management responsibilities are shared by customers and cloud providers.
What is a compliance attestation?
In the context of technology, compliance attestations are the reports generated after an assessment to a particular set of requirements defined in a standard. These assessments are evidence-driven validations against the standard’s security, privacy, quality or other requirements. Compliance assessments may reflect an entire company’s operations, but are most often applied to a specific scope, such as certain products, operational functions, systems, or locations. The compliance attestation documents the assessor’s findings regarding the level of compliance within the audited scope to the requirements in the standard. Standards may also be referred to as compliance frameworks.
Which security standards apply to on-premises products?
This post categorizes standards based on applicability to either the product and its components or to the computing environment in which the products are operated.
Validations to Product-Focused Standards
These evaluations involve testing by independently accredited organizations (“labs”) with further oversight and certification completed by government bodies. Independent verification helps provide additional assurance to users about the security posture of the validated products.
Validations for on-premises products generally focus on the state of the product when delivered to the customer as well as associated configurations when deploying these products. Examples of product-focused standards include:
- Federal Information Processing Standard (FIPS) 140: a set of security requirements related to the design, implementation and operation of cryptographic modules. FIPS 140 is intended for United States federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems.
- Common Criteria (ISO/IEC 15408): an international framework that defines collaborative Protection Profiles (cPPs) for certain types of hardware and software. Each cPP defines security requirements relevant to that category of product. For example, the database management systems cPP includes security objectives for access control, security features, auditability, documentation and user authentication capabilities.
Environment-Focused Standards
In contrast to product-focused standards, environment-focused standards define holistic requirements for a computing environment in which technology is operated. Requirements extend beyond the technology itself, into administrative/procedural, technical and physical security controls.
Standards in the environment-focused category may include diverse requirements such as employee training, contractual agreements, network design, access controls, change management, data encryption, configuration, security testing, monitoring, resilience, risk management, etc. Example “environment-focused” standards include:
- ISO 27001: an international standard for information security management systems (ISMS).
- SOC 2: a standard focused on the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
- PCI DSS: a standard that applies to systems handling payment card (credit and debit card) transactions.
An analogy may make this distinction clearer. A product-focused standard is similar to health and safety regulations applicable to the food sold in a grocery store. The fresh and packaged foods must meet certain quality and safety mandates. An environment-focused standard is similar to the health and safety requirements for restaurants that prepare meals. Requirements for restaurants encompass operational practices such as employee training, food handling, sanitation, service processes and other functions.
What does this mean in practice?
Let’s explore the important implications of the standard types and their applicability:
- Suppliers of on-premises products can only submit their products for validation against product-focused standards.
- Suppliers cannot evaluate on-premises products using environment-focused standards because there is no environment to assess. The deployments of these products and the operational practices around these deployments are solely the responsibility of the customers.
- Since on-premises products are operated by the customer, Oracle cannot provide attestations for ISO 27001, SOC 2 or other environment-focused standards for on-premises products.
- Customers deploying on-premises products into environments under their sole operational control can choose to assess security using environment-focused standards.
- Suppliers of on-premises products have no role in these assessments of customer-managed environments.
For cloud, security management responsibilities are shared by the customers and cloud providers. As a result, Oracle does offer attestations for environment-focused standards for Oracle-managed environments such as Oracle Cloud.
Recommendations
Oracle offers resources and guidance for customers of on-premises products and of Oracle-managed environments such as Oracle Cloud:
- Explore Oracle’s Trust Center to read about Oracle’s security practices, or watch the tour video.
- Learn about Oracle’s product-focused evaluations for on-premises products.
- Explore Oracle’s cloud compliance dashboard of attestations for environment-focused standards.
- Gain confidence in interpreting and evaluating cloud service attestations, and learn about the sources of compliance frameworks.
- Contact Sales to request compliance attestations.