The Oracle Cloud Infrastructure provides comprehensive security infrastructure to protect all Oracle Cloud Services. Oracle Utilities SaaS Cloud Services take advantage of that security infrastructure, with native capabilities, to allow customers to secure their services.
The additional key capabilities used by the Oracle Utilities SaaS Cloud Services include:
- Flexible Identity Solution. Identity and access control can be established using a flexible Identity Solution. This solution includes options for using the embedded Oracle Identity Cloud Service, an existing Oracle Identity Cloud Service or a federated identity solution.
- Accelerator Provided Security. The accelerators provided with the Oracle Utilities SaaS Cloud implementations include a predefined, pre-loaded authorization model that can be adapted to suit individual needs. Customers migrating from on-premise solutions can migrate to the accelerator to reduce migration costs or retain their existing authorization definitions.
- Pre-built Identity Provisioning. The Oracle Identity Cloud Service (embedded or existing) includes a prebuilt adapter to optimize the provisioning and de-provisioning processes to save time and costs. The adapter supports coarse-grained or fine-grained provisioning.
- Encryption At Rest. The Oracle Utilities SaaS Cloud Services utilize Oracle's Transparent Data Encryption capability to protect the storage of all data. This includes protection of any extracts and backups to prevent data loss.
- Encryption On the Wire. The Oracle Utilities SaaS Cloud Services take advantage of the network encryption capabilities of Oracle Cloud Infrastructure to protect transmission of data between all network layers in the architecture.
- Key Rotation. With the implementation of encryption, the keys used to provide this encryption are rotated automatically in accordance with Oracle Cloud Infrastructure guidelines.
- Protecting Privileged Accounts. By default, privileged accounts, such as database administrators, have SQL data manipulation language (DML) access to the data within the database schemas they manage. In accordance with Oracle Cloud Infrastructure policy, Oracle Database Vault has been implemented to limit privileged accounts to the access needed to manage the database, without access to the data within the database.
- Whitelist enabled and locked. Capabilities to extend the Oracle Utilities SaaS Cloud are subject to several security based whitelists to protect the integrity of the service, reduce risk and reduce costs. The whitelists are consistent with other Oracle Cloud Services on Oracle Cloud Infrastructure. The whitelists cover the following areas:
  - Groovy Whitelist. This whitelist defines the subset of the Groovy language permitted for use in extensions on the Oracle Utilities SaaS Cloud Services.
  - URL Whitelist. Interfaces, including protocols, into and out of the service via URL are controlled via a whitelist to prevent data leakage.
  - SQL Functions Whitelist. Use of functions within SQL statements used in queries and code is subject to a whitelist to prevent bypass of access controls in code.
  - HTML Whitelist. The tags used in any HTML based extension, including generated content, are subject to a whitelist to maintain security compliance.
- Security Checked Code. In line with Oracle policy, all product code is inspected, using Oracle's Software Security Assurance practices, as part of the build process for security compliance against a raft of security standards and security attacks. These checks are performed using internal tools used for all Oracle Cloud Services as well as third party compliance tools.
- Utilizes Oracle Security Practices. Oracle implements corporate security practices that encompass all the functions related to security, safety, and business continuity for Oracle’s internal operations and its provision of services to customers, across all its products. They include a suite of internal information security policies as well as different customer-facing security practices that apply to different service lines including the cloud.
- Data Masking Support. Data in the service can be masked, using configuration, to ensure properly authorized users have appropriate access to data.
- Inbuilt Information Lifecycle Management/Object Erasure Support. Life-cycle and state of storage of key master and transaction data is predefined with the option of additional configuration to support specific privacy and data retention legislation.
- Key Chain Support. Security key integration with other Oracle Cloud services is managed internally to ensure compliance and availability.
- Security Policy Support. Integration using the SOAP or REST protocols supports a wide range of compliant security policies including specific policies supported by the integration services provided on the Oracle Cloud Infrastructure.
- Backup and Recovery. The Oracle Utilities SaaS Cloud service takes advantage of the Oracle Cloud Infrastructure backup and recovery mechanisms to allow flexible management of data and protect data state using the techniques and principles outlined in Oracle's Maximum Availability Architecture.
- Cloud Service Foundation Extended Support. Compliance and management of security configuration at a service level is provided by the Oracle Utilities Cloud Service Foundation provided with each service.
The Oracle Utilities SaaS Cloud Services extend the security provided by the Oracle Cloud Infrastructure to provide flexible security capabilities. The capabilities enhance and protect cloud services. Refer to the Oracle Utilities SaaS Cloud Service documentation and Cloud Service Descriptions for further details.
This information is available in Oracle Utilities SaaS Cloud Security (Doc Id: 2595978.1) from My Oracle Support.
Additionally, the following links provide further information related to this topic: