
Oracle Integration Cloud Service (ICS) Security & Compliance

An Oracle White Paper, May 2016

Contents

Introduction
Governance, Risk & Compliance
Auditing and Reporting of Operational & Business Processes
People, Roles & Identities
Protection of Data & Information
Operational
Security Architecture
Privacy Policies
Security Provisions for Cloud Applications
Cloud Networks & Connection Security
Security Controls on the Physical Infrastructure & Facilities

Introduction

Oracle Integration Cloud Service (ICS) runs within the Oracle Cloud, where the architecture is designed to provide customers with a unified suite of Cloud services with best-in-class performance, scalability, availability, and security.


The Cloud services are designed to run on a unified data center, hardware, software, and network architecture. This document is based on the Cloud Security Assessment section of the Security for Cloud Computing: 10 Steps to Ensure Success document, which is produced by the Cloud Standards Customer Council, where Oracle is a member.

From a development perspective, all of Oracle's Cloud services adhere to Oracle Software Security Assurance (OSSA). OSSA is Oracle's methodology for building security into the design, build, testing, and maintenance of its products. Oracle's goal is to ensure that Oracle's products, as well as the customer systems that leverage those products, remain as secure as possible.

OSSA is a set of industry-leading standards, technologies, and practices aimed at:

- Fostering security innovations. Oracle has a long tradition of security innovations. Today this legacy continues with Oracle's market-leading database security and identity management solutions.
- Reducing the incidence of security weaknesses in Oracle products. OSSA key programs include Oracle's Secure Coding Standards, mandatory security training for development, the cultivation of security leaders within development groups, and the use of automated analysis and testing tools.
- Reducing the impact of security weaknesses in released products on customers. Oracle has adopted transparent security vulnerability disclosure and remediation policies.

The company is committed to treating all customers equally, and delivering the best possible security patching experience through the Critical Patch Update and Security Alert programs.

Governance, Risk & Compliance

ICS is part of the Oracle Cloud services and is deployed in world-class Tier IV Data Centers that are designed to provide customers with the highest levels of performance, availability, network access bandwidth, and security. The Data Centers are currently located in 4 locations in North America (Chicago, Ashburn, Austin, and Toronto) and 4 locations in Europe (Linlithgow, Slough, Amsterdam, and Frankfurt). As ICS adoption continues to grow, a continual effort is in place to evaluate additional Data Center locations.

Auditing and Reporting of Operational & Business Processes

Compliance audits are conducted to ensure that Oracle is meeting requirements and commitments when managing and running the Oracle Cloud. Oracle often engages independent third-party auditors to verify compliance with requirements and adherence to its attestations. Third-party auditors are engaged for both new compliance efforts and renewals, as well as for performing network and application vulnerability assessments and penetration tests.

The Oracle Cloud is built on a well-defined security and identity management architecture that also leverages a broad range of tools for added protection. These tools include intrusion detection prevention where the Oracle Cloud services are monitored 24x7 using McAfee IntruShield.

Taking it further, a variety of Security Information, Event Management, and cyber-security tools are also used to monitor the infrastructure continually. Finally, all servers, switches, firewalls, network and storage devices use IDPS software and antivirus software at all ingress and egress points and are scanned by SIEM, cyber-security, and malware prevention software.

As for auditing and governance, Oracle uses a strict set of independent software auditing and governance software to audit its own Cloud services. These include:

- daily Qualys blackbox scans that are run against all Cloud services;
- monthly security patch, configuration and version comparison and reviews using Oracle's own security best practices; and
- daily code application scans using a variety of tools including Security Innovation, McAfee Foundstone, BlackDuck, WebInspect, and Fortify.

Also, there is an independent security audit team from Oracle Cloud Operations that carries out monthly reviews of access patterns to Cloud services using a combination of audit reports from Oracle Identity Manager and keystroke logs from Powerbroker.

Oracle evaluates and responds to incidents that create suspicions of unauthorized access to, or handling of, Customer data, whether the data resides on Oracle hardware assets or on the personal hardware assets of Oracle employees and contingent workers. When Oracle's Global Information Security (GIS) organization is informed of such incidents, GIS defines escalation paths and response teams to address those incidents, depending on the nature of the activity.

GIS will work with the Customer, the appropriate technical teams, and law enforcement where necessary to respond to the incident. The goal of the incident response team will be to restore the confidentiality, integrity, and availability of the Customer's environment, and to establish root causes and remediation steps. Operations staff has documented procedures for addressing incidents where handling of data may have been unauthorized, including prompt and reasonable reporting, escalation procedures, and chain of custody practices. If Oracle determines that Customer data has been misappropriated, Oracle will report such misappropriation to the Customer within 72 hours of making such determination, unless prohibited by law.

People, Roles & Identities

Oracle Cloud services utilize a multi-factor authentication process. Oracle Cloud uses a central Identity and Access infrastructure to authenticate users. Users are challenged for Web or Mobile Sign-On with single-factor and multi-factor authentication, including username-token, SSL, and biometrics as possible forms of authentication; access to Web services requires (for SOAP) and OAuth (for REST) authentication and identity propagation.

Identities for users accessing Oracle's Cloud services are stored and managed centrally in a Cloud Identity Service. User accounts are created once and stored securely in an Identity Management Directory, where they are mapped to Enterprise Groups.

Each Cloud Service stores its own service-specific roles, to which authorization policies are granted. Customers map these service-specific roles to the Enterprise Groups in the Identity Service, thereby enabling role-based access control for users.

From an identity integration perspective, customers can also use their on-premise Identity Management infrastructure (Directory services, Access Management/Single Sign-On solutions) as the source of truth for user identity and access control with Oracle Cloud services, using SAML or WS-Trust based Federation protocols.

ICS Users will be created by Tenant Administrators in the Shared IDM. Once provisioned, the ICS administration can assign different ICS Roles, seeded in the Shared IDM, to its respective users.

