Oracle Cloud Infrastructure has reimagined cloud for the most important enterprise applications. It runs with a Generation 2 offering and provides consistent high performance and unmatched governance and security controls.
|Location of Data Center Infrastructure||Frankfurt (Germany)|
|IT Security||Comprehensive Defence in Depth (English)|
|List of Security Certificates & Compliance||Oracle-Compliance (List of certificates) (English)|
|Privacy||General Data Protection Regulation (GDPR) (English)|
|Physical and Environmental Security||Oracle Cloud Infrastructure data centers are designed for security and availability of customer data. Oracle protects the global infrastructure that runs all of the services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services. Oracle's security model is built around people, process, tooling, and a common security “platform” of methodologies and approaches from which Oracle builds its products. Oracle applies this model to the core security components that it uses to protect and secure customers and business, such as Security Culture, Security Design and Controls, Secure Software Development, Personnel Security, Physical Security, and Security Operations. Oracle Cloud Infrastructure data centers align with Tier 3 or Tier 4 standards and follow a N2 redundancy methodology for critical equipment operation. Data centers that house Oracle Cloud Infrastructure services use redundant power sources and maintain generator backups in case of widespread electrical outage. Server rooms are closely monitored for air temperature and humidity, and fire suppression systems are in place. Data-center staff are trained in incident response and escalation procedures to address security or availability events that may arise.|
|Network Security||Oracle provides a secure network infrastructure. Oracle Cloud Access Security Broker (CASB) monitors the security of Oracle Cloud Infrastructure deployments through a combination of predefined, Oracle Cloud Infrastructure–specific security controls and policies, customer-configurable security controls and policies, and advanced security analytics using machine learning for detecting anomalies. Oracle follows rigorous processes and uses effective security controls in all phases of cloud service development and operation. Oracle demonstrates adherence to its strict security standards through third-party audits, certifications, and attestations. Oracle Cloud Infrastructure Identity and Access Management (IAM) provides authentication and authorization for all Oracle Cloud Infrastructure resources and services. By default, customer communications with Oracle Cloud Infrastructure services are done using the latest TLS ciphers and configuration to secure customer data in transit and hinder any man-in-the-middle attacks. The services also deploy proven, industry-leading tools and mechanisms to mitigate DDoS attacks and maintain high availability.|
|Encryption||Oracle provides always-on encryption that protects customer data at rest, and HTTPS-only public APIs. Oracle protects customer data at rest and in transit in a way that allows customers to meet their security and compliance requirements with respect to cryptographic algorithms and key management. All of the data that customers store with any of the Oracle Cloud Infrastructure data services (Block Volumes including Boot Volumes, Object Storage, and File Storage) is protected by encryption keys that are securely stored and controlled by Oracle. Currently, all keys are Advanced Encryption Standard (AES) keys used in Galois Counter Mode (GCM), and customers can choose from three key lengths: AES-128, AES-192, and AES-256.|
|Secure Design||Security is integrated into Oracle products and operations through the Oracle Cloud Infrastructure Security Methodology. This centralized methodology defines Oracle's approach for the core security areas that form the security foundation from which Oracle builds products. This approach lends itself to agility and helps Oracle apply best practices and lessons learned from one product across the business, thus raising the security of all Oracle products. These core security areas include user authentication and access control, change management, vulnerability management, and incident response.|
|Change Management||Oracle Cloud Infrastructure follows a defined and rigorous change management and deployment process that uses purpose-built proprietary testing and deployment tools. All changes deployed into Oracle's production environment follow a testing and approval process prior to release. This process is designed to ensure that changes operate as intended, and can otherwise be rolled back to a previous known good state to recover gracefully from unforeseen bugs or operational issues. Oracle also tracks the integrity of critical system configurations to ensure that they align with the expected state.|
|Business Continuity Management||Oracle offers fault-independent data centers that enable high availability scale-out architectures and are resilient against network attacks, ensuring constant uptime in the face of disaster and security attack. In the case of a detected or reported security issue that affects Oracle Cloud Infrastructure servers or networks, Security Operations staff is available 24/7 to respond, escalate, or take required corrective action. When necessary, Oracle will escalate and coordinate with external parties (including network and hosting service providers, hardware vendors, or law enforcement) to protect Oracle Cloud Infrastructure, Oracle customers, and the network’s security and reputation. All actions performed in response to a security issue by the Security Operations team are done according to Oracle's documented process, and are logged in accordance with compliance requirements. Care is always taken to protect the goals of service and data integrity, privacy, and business continuity.|
|Incident Management Process||Oracle created automated mechanisms to log various security-relevant events (for example, API calls and network events) in the infrastructure, and monitor the logs for anomalous behavior. Alerts generated by monitoring mechanisms are tracked and triaged by the security team. Oracle employs some of the world’s foremost security experts in information, database, application, infrastructure, and network security. Oracle has developed strong processes and mechanisms to enable it to respond to and address incidents as they arise. Oracle maintains 24/7 incident response teams ready to detect and respond to events. Oracle's critical staff members carry paging devices that enable Oracle to call on the expertise needed to bring issues to resolution. Oracle has also built a process to help learn from incidents. Oracle performs root cause analysis through a Corrective Action/Preventative Action (CAPA) process. CAPAs are intended to discover process gaps and changes that should be made by the business after an incident. CAPAs act as a common language that Oracle can use to reflect on an issue and capture concrete steps to improve future operational readiness. CAPAs capture the root cause of an issue, what is required to contain or fix the issue, and what steps Oracle needs to take to ensure that the issue does not recur. Oracle's leadership team reviews all CAPAs, looks for cross-organizational applications for learned lessons, and ensures that actions are implemented in a timely manner.|
|Employee Awareness||Oracle believes that a dynamic security-first culture is vital to building a successful security-minded organization. Oracle has cultivated a holistic approach to security culture in which all team members internalize the role that security plays in Oracle's business and are actively engaged in managing and improving the security posture of Oracle's products. Oracle has also implemented mechanisms that assist in creating and maintaining a security-aware culture, such as security-minded leadership; embedded expertise; common security standards; values of openness, constructive debate, and encouraged escalation; and security training awareness.|
|Employee Management||Oracle provides effective IAM services such as identity management, authentication, authorization, and auditing. Oracle allows customers to deploy their application and data assets in an environment that commits to full isolation from other tenants and Oracle’s staff.|
|Safeguards for potential data transfer (Art. 44 GDPR)||Oracle maintains Binding Corporate Rules|
This information is provided by third parties. Questback does not take responsibility for any errors or misrepresentations.
Last updated August 2020.