Post on 31-May-2020
Security Features of Remote Service Delivery
via the Oracle Advanced Support Platform
O R A C L E W H I T E P A P E R | D E C E M B E R 2 0 1 6
ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Disclaimer
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.
ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Table of Contents
Introduction 1
Oracle Support and Remotely Delivered Services 2
Architecture of the Oracle Advanced Support Platform 3
User Interfaces 7
Access Management 8
Secure Features for Management of Services Data 11
Qualifications and Security Practices 13
Summary 16
Further Information 17
.
1 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Introduction
Oracle Support is delivering an increasing number of services such as ISO27001:2013 certified
Advanced Monitoring and Resolution, and Oracle Platinum Services through a remote service delivery
system, the Oracle Advanced Support Platform.
Current delivery processes are based on the IT Infrastructure Library (ITIL) framework. The security
architecture of the Oracle Advanced Support Platform includes multiple layers of encryption,
authorization, and access control, to facilitate the confidentiality, integrity, and availability of customer
data. A strong Oracle policy and process framework guides the service delivery. Security controls are
managed by a dedicated information security team, and verified by internal and external audits.
This white paper describes the safeguards incorporated into the delivery of Oracle support services
using the Oracle Advanced Support Platform, including delivery architecture and policies.
2 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Oracle Support and Remotely Delivered Services
Oracle Support is a global organization intended to enable the success of customers’ Oracle infrastructure -
throughout the IT lifecycle, and across the Oracle stack. Oracle Support includes Oracle Premier Support and
Oracle Advanced Customer Support (ACS). Both organizations deliver portions of their service portfolio remotely via
the Oracle Advanced Support Platform.
TABLE 1: OVERVIEW OF ORACLE SUPPORT SERVICES, AND EXAMPLES OF REMOTELY DELIVERED SERVICES
Support Organization Description and Remote Services
Oracle Premier Support provides essential support services including 24/7 technical
assistance, proactive support resources, and product updates. With global
coverage and 50,000+ development engineers and customer support specialists,
Oracle Premier Support delivers complete, dependable, fully-integrated services.
Remotely delivered services include Oracle Platinum Services: Enhanced support
provided at no additional cost to Oracle customers running eligible configurations of
Oracle Engineered Systems. The service includes 24/7 fault monitoring, accelerated
response, and system patching services.
Oracle Advanced Customer Support provides important support services for
complex IT environments. These services are intended to help maximize
performance, achieve high availability and reduce risk across all Oracle solutions—
from applications, middleware, and database to server and storage systems, and
across Oracle Cloud solutions.
ACS offers remotely delivered services based upon industry standards and
automation such as:
Oracle Advanced Monitoring and Resolution (AM&R) with 24/7 predictive
systems event monitoring and incident resolution across the entire IT
stack (from servers to applications) intended to help maximize uptime and
reduce risks for mission critical environments.
Oracle Advanced Database Support can enhance security, performance
and availability of Oracle databases through fault management, security
compliance reporting, proactive health checks, and patch management.
Cloud Operations for Oracle Cloud at Customer machines. Cloud at
Customer machines deliver Oracle Cloud services in customers’ data
centers, fully managed by Oracle. Customers can take advantage of the
agility, innovation and subscription-based pricing of Oracle Cloud while
meeting data-residency requirements.
Oracle Lifecycle Support Services can help customers with migration,
consolidation, and load testing of a planned technology change, as well as
with performance tuning of their Oracle database environment.
3 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Oracle Support follows internationally recognized standards and uses a global security framework based on the
ISO27000 family of standards for their service offerings. At the time of publication Oracle Advanced Monitoring and
Resolution, Oracle Advanced Database Support, and Oracle Platinum Services have obtained the following
certifications and attestations:
ISO 27001:2013 by the International Organization for Standardization. It specifies the requirements for
establishing, implementing, maintaining and continually improving an information security management
system within the context of the organization.
SSAE16/SOC 1 Type II, the Statement of Standards for Attestation Engagement No. 16, which is an
auditing standard for service organizations by the Auditing Standards Board of the American Institute of
Certified Public Accountants (AICPA).
Oracle Support can follow the requirements of HIPAA, the Health Insurance Portability and Accountability Act of the
United States of America, which defines policies, procedures and guidelines for maintaining the privacy and security
of individually identifiable health information. Oracle Support also follows relevant regulatory requirements imposed
directly onto Oracle by the applicable regulatory bodies relevant to the countries and services provided.
Architecture of the Oracle Advanced Support Platform
Oracle Support delivers many remote services via the unique Oracle Advanced Support Platform. This platform is a
combination of a gateway, back end systems, and access portals. It is operated using processes based on the IT
Infrastructure Library (ITIL) framework intended to facilitate confidentiality, integrity, and availability of customer data.
In this context, Oracle installs the appropriate critical security patches onto relevant Oracle managed components of
the platform, including the gateway. A strong policy and process framework defines the service delivery with multiple
layers of encryption, authorization, and access control.
All those procedures are approved and controlled by a high-level Oracle security committee under the Oracle
Corporate Security Solution Assurance Process (CSSAP), which will be discussed in more detail later in this
document.
Information Security Team for Oracle Services Delivered through the Platform
A dedicated team in Oracle Support – The Information Security (InfoSec) team – is focused on assisting the service
delivery through the platform. The team’s activities span across internal security consulting, risk assessments and
mitigations, compliance and assurance programs, continuity, as well as certifications and attestations. The InfoSec
team is also responsible for key internal security operations management processes, such as end-to-end security
incident management, and threat and vulnerability management.
4 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Key Components of the Oracle Advanced Support Platform
The graphic and table below show the basic architecture of the platform and highlight the interactions and data flows
between its components.
Figure 1. Components and architecture
TABLE 2: MAIN COMPONENTS USED IN THE PLATFORM ARCHITECTURE, SHOWN IN FIGURE 1
Name Function Security Features
Configuration
Items
Devices and software components
monitored, analyzed or patched by Oracle
Support.
Access via Oracle Advanced Support
Gateway using secure protocols.
Procedures limit data access to telemetry
data that is required for service delivery.
Firewall Secures data flow between
Oracle Advanced Support Gateway and
customers’ monitored devices.
Oracle Advanced Support Gateway and
the Oracle back-end.
Detailed firewall rules and templates are
provided to customers during the
implementation process.
5 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Name Function Security Features
Oracle Advanced
Support Gateway
and Portal
Software appliance for provisioning and
delivery of remote Oracle services and
tools. Collects telemetry and relays it to the
Oracle back-end system. The gateway is
located within the customer’s data center
on a dedicated general-purpose server (or
on Oracle Virtual Machine), and is
managed and maintained by Oracle. It
includes an additional portal for customer
access. The Oracle Advanced Support
Gateway hosts a number of applications
such as Oracle Enterprise Manager, as well
as Java based applications including Auto
Service Request and Oracle Configuration
Manager.
Authentication and encryption. Accepts
incoming remote management connections
only from an authorized access
management host within the platform.
If a telemetry message passes through the
rules engine and the rules determine that
the message should be sent to the Oracle
back-end system for processing, the
message is then encoded in an XML data
structure and sent to the Oracle back-end
system via HTTPS, using the latest TLS
protocol for encryption.
Recommended to be placed into a
demilitarized zone (DMZ) or trusted
network. The gateway portal is accessed
via the secure HTTPS protocol. Customers
can specify from where the portal is
viewable.
Oracle Continuous
Connection
Network OCCN
Secures connectivity between Oracle and
customer. Hosts the access management
system. Used for remote access to
customer environments. Access to
customer authentication data and customer
site is only possible from this network.
Closed VPN and segregated from Oracle’s
internal network. Limited access by
authorized and trained Oracle Support
engineers with special approval. Two-factor
authentication with hardware token and
password. Connectivity via a TLS-
encrypted VPN connection. VPN session
keys are replaced regularly through a key
exchange protocol. Sessions are logged for
auditing purposes.
VPN Tunnel /
HTTPS
Software VPN client within Oracle
Advanced Support Gateway to encrypt
inbound connections from Oracle.
HTTPS for outbound connections from
Oracle Advanced Support Gateway to
Oracle. Not all services require a
continuous inbound connection .For those
services that do not require a continuous
connection, customers can request
activation of the remote access control,
which allows the inbound connection to be
switched on/off.
TLS-based VPN client. Encryption.
Failover, backup, and disaster recovery
functions.
HTTPS with 128-bit SSL transport
encryption.
ITIL Procedures,
Analysis,
Reporting
ITIL based incident, problem, change, and
knowledge management. Monitoring,
analysis, and report generation based on
defined thresholds and recommended
practices.
Only authenticated and trained Oracle
Support engineers have system access to
deliver the contracted services.
6 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Name Function Security Features
Oracle Advanced
Support Portal
Web portal for configuring and maintaining
the Configuration Management Database
(CMDB), managing monitoring events,
handling changes, and documenting
customer requests. Accessible internally by
authorized Oracle Support engineers and
online by authorized customers.
Sessions are encrypted. Near real-time
authentication. Input data validation prior to
processing intended to block malicious
scripting, SQL injection, and remote
command injection attacks. Data presented
on the portal to users is encoded.
Configuration
Management
Database (CMDB)
Database within the platform to store
telemetry required to deliver the services.
CMDB contains the data related to an
individual asset - such as device name, IP
address, port - required to access the
device remotely.
No direct, outside data access. Only
accessible via APIs. Data is segregated at
a customer level through a multitenancy
security model. Multiple layers of API-based
access and authorization controls.
More details on security aspects of Oracle Advanced Support Platform are discussed in the “Oracle Advanced
Support Gateway Security Guide” and Oracle Global Customer Support Security Practices, Section 6, “Advanced
Support Gateway Services.”
Oracle Support has included security features into layers of the remote delivery architecture and processes.
Customers must also ensure data security from their end, too by applying appropriate precautions. A remote access
environment should be protected in the same way as an on-premise environment.
Oracle Support experts can assist customers with Oracle recommendations and services to identify potential risk
areas proactively, and to increase the security level of their data environments.
Examples of Oracle Advanced Customer Support’s service portfolio addressing this need:
Oracle Security Review and Recommendation can help customers understand their current level of
security against Oracle’s recommended practices.
Oracle Preproduction Readiness Review can help customers assess the supportability and readiness of
their setup and implementation plans.
Oracle Advanced Support Knowledge Workshop provides tailored information on the production
optimization and supportability of Oracle products or technology.
7 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
User Interfaces
Access to the Oracle Advanced Support Platform includes
Interfaces for customer users to submit requests, track service status, administer users, and
access information
Interfaces for Oracle Support engineers to deliver remote services
Interfaces for Customer Users
Customers have multiple options to access the platform. These can vary per service or service components, as
specified in the relevant documentation.
Figure 2. Customer access
Oracle Advanced Support Portal accessible via the internet and located at Oracle.
This portal provides customers with event reports, service request status, change management status,
orientation session materials, and more.
o My Oracle Support Portal. Customers of the services discussed in this paper are current on an
Oracle technical support service contract covering the referring systems. They have access to
My Oracle Support, the one-stop support portal with Oracle single sign-on (SSO) registration.
Customers can also use these credentials for access to the Oracle Advanced Support Portal.
Oracle Advanced Support Gateway Portal located at the customer’s data center as part of the Oracle
Advanced Support Gateway. Customers can use this portal in a similar way as the Oracle Advanced
Support Portal. Applicable portals can vary per service as shown in table 3 below. The customer user
administrator of the Oracle Advanced Support Gateway, who was defined during the configuration
process, can create, delete, and modify portal users. The gateway portal is accessed via the HTTPS
protocol. The customer can decide from where the portal is viewable by opening the right ports. In most
cases, the portal does not need access from the public internet and can be limited to the customer’s
network.
Restricted command line interface on the Oracle Advanced Support Gateway located at the customer’s
data center. Customers can use this interface for strictly limited access to encrypted audit reports which
will be discussed in section ‘Auditing’ later in this document. Please note that this option is not available for
8 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
deployments of Oracle Advanced Support Gateways for Cloud at Customer machines due to the nature of
the service.
TABLE 3: EXAMPLES OF CUSTOMER USER INTERFACES PER SUPPORT SERVICE OFFERING
Interface
Oracle
Platinum
Services
Oracle
Advanced
Monitoring
and
Resolution
Service
Oracle
Advanced
Database
Support
Cloud
Operations for
Oracle Cloud
at Customer
Oracle
Lifecycle
Support
Services
Oracle
Advanced
Support Portal
Yes Yes No No Yes
My Oracle
Support Portal
Yes Yes Yes Yes No
Oracle
Advanced
Support
Gateway Portal
Yes No Yes No No
Command line
interface
Yes
for auditing
Yes
for auditing
Yes
for auditing
No Yes
for auditing
Interfaces for Oracle Support Engineers
The primary human interface with the platform for Oracle Support engineers is the Oracle Advanced Support Portal.
The portal is the user interface for access management administration and remote service delivery such as near
real-time event monitoring, and ITIL based management services. Oracle Support delivers remote services via the
platform using a global infrastructure. Oracle Support engineers are individually authorized to access the target
device and perform interactive remote management services.
Access Management
Access to the platform and to customers’ systems is limited to individuals with applicable roles and privileges. The
platform’s access management system, multi-level authentication and authorization, and password management
help protect against unauthorized system access. Monitoring and auditing features track and control activities.
Access Management System
Oracle Advanced Support Platform contains a role-based central access management system which controls user
accounts and privileges. It is hosted within the Oracle Continuous Connection Network (“OCCN”). The access
management system server enforces per-user connection rules to each connection request, based on defined user
permissions. The system maintains two different personal account types: customer accounts and Oracle Support
engineer accounts. Shared group accounts are not allowed. The platform does not allow direct, outside access to its
data stores.
9 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Authentication and Authorization
Oracle follows the principle of least access privilege, as outlined in the internal Oracle Information Security Policy.
Accounts are reviewed regularly to verify that the authorization is applicable to the user’s role. Highly privileged
access is limited and controlled. Password quality and expiration controls are implemented. Authentication and
authorization requests—whether system-generated or human-generated—pass through multiple layers of business
logic and role-based authentication checks. Security controls have been implemented to further filter and analyze
requests against standard API signatures after they passed through the network perimeter. These controls are
designed to discard requests that violate prescribed parameters.
The internal Oracle Logical Access Controls Policy describes logical access control requirements for Oracle
systems, including authentication, authorization, access approval, provisioning, and revocation of employees.
Connection requests must successfully complete the following steps to get access to requested information:
Figure 3. Authentication system
Authentication: If the incoming request is in an approved format, the authentication credentials provided
with the request are verified against the platform’s access management system for validation.
Authorization: The request is then compared to the role based authorization model built into the system
to determine whether the user or system has the appropriate level of authorization.
Evaluation: The request is evaluated using business logic rules.
Following this process, Oracle Support engineers are authenticated via the Oracle single sign-on (SSO) system.
Access rights are removed automatically together with the termination of an Oracle Support engineer’s employee
contract or if their role no longer requires access.
The access management system uses the Configuration Management Database to route the Oracle Support
engineer’s access request to the right customer device. In this manner, the access management system initiates
remote management sessions to the proper devices within the customer’s network, as relevant connection data (IP
addresses, etc.) changes.
Access rights are limited to what is required for the task as per the principle of least access privilege.
For example monitoring activities require fewer privileges than patch implementation, and the access rights are
granted accordingly.
10 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Figure 4. Example of role based access by Oracle Support engineers
Password Management and Communication
Oracle Support maintains a specially protected password vault with access restricted to the accredited Oracle
personnel who deliver these services. Customers can set expiry dates for their passwords, and get automatic expiry
warnings. After expiry date, Oracle Support does not use those passwords any more. Customers are responsible for
updating any relevant password changes back to Oracle Support for uninterrupted service.
Customers share the credentials for accessing individual assets with Oracle Support engineers through the Oracle
Advanced Support Gateway portal. Customers can share passwords, but they cannot view them there afterwards.
This allows a database administrator to share a password without the system administrator being able to see what
was shared and vice versa. Oracle Support engineers can only see and use the credentials if they have appropriate
access rights to the targets of the specific customer.
Customers are responsible for managing their own passwords on their systems.
Auditing
Oracle Advanced Support Platform includes audit features to track and control actions across the platform such as
login events, data modifications to incident, problem, change, configuration, and knowledge management, access
and modification of customer passwords, and remote access sessions. Customers may also choose to use their
internal, customer audit log tool to monitor user interactions against customer devices.
Oracle Advanced Support Gateway can retain audit logs such as logging of telemetry data, administrative upstream
and downstream messages from the platform’s central infrastructure at Oracle, changes to the configuration of
Oracle Advanced Support Gateway, and logging of incoming remote access requests from the authorized access
management system.
Audit reports are encrypted using AES-256 with a unique encryption key per user account. They are stored in the
platform for 90 days. Encrypted audit reports can only be accessed by limited authorized users via the Oracle
Advanced Support Gateway’s command line interface.
Audit data can be streamed to customers’ syslog systems via the restricted command line interface.
Please note that this option is not available for deployments of Oracle Advanced Support Gateways for Cloud at
Customer machines due to the nature of the service.
11 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Secure Features for Management of Services Data
Services data in this context is data that resides on Oracle, customer, or third-party
systems to which Oracle is provided access in order to perform services. Oracle treats
services data as confidential, and manages it in accordance with Oracle Services
Privacy Policy. Oracle does not use services data except as stated in the contract or
Services Policy.
Data Gathering
Mapping configuration and performance data of customers’ Oracle products against Oracle recommended practices
and compliance standards, is an essential part of many Oracle Support services such as ACS Review and
Recommendation Services for Systems Optimization. Oracle processes and policies help ensure that gathering of
services data is limited to what is required to deliver the service. Oracle will not disclose any services data located
on Oracle systems except as stated contractually or as required to perform the services. Customers should limit
Oracle’s access to their data to the extent necessary for Oracle to perform the services.
TABLE 4: DATA GATHERING
Item Description
Data Types Configuration data is gathered on a ‘need-to-know’ basis, limited to what is required to
deliver the specific Oracle services. Data may include incident, ticket, and fault telemetry,
database snapshots of configuration and performance data, system diagnostic,
configuration, version and patch data, and access privileges.
Method Near real-time access to the customer’s core infrastructure exclusively via Oracle
Continuous Connection Network. Oracle support tools; SQL scripts.
Data Transport Encrypted data transport via Oracle Continuous Connection Network infrastructure and
VPN connection.
Data Storage Oracle Advanced Support Platform
Data Analysis
and Report
Generation
Automated.
Report Storage
and Provisioning
to Customers
Oracle Advanced Support Platform. Provisioning with encryption and authentication.
Reports may also be made available in PDF format in the ‘uploads’ area of the portal.
The Oracle control center will notify customers of any critical issues that require
immediate corrective action.
Figure 5. Data management
12 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Data Access
Oracle does not use or access services data except as stated in the contract or Services Privacy Policy.
Authentication and authorization of system access are discussed in section ‘Access Management’ of this document.
Data Protection
Oracle is committed to the security of its customers’ services data, and has physical, administrative, and technical
measures in place designed to prevent unauthorized access to that information. These measures and practices are
defined in Oracle security policies, namely Oracle Global Customer Support Security Practices, Section 7, “Data
Management and Protection.”
Oracle is also committed to reducing risks of human error, theft, fraud, and misuse of Oracle facilities. Oracle
employees are required to take training on security policies and protection of confidential information, and to comply
with those rules. A dedicated information security team for services delivered via the platform supervises safe
guards and data protection.
TABLE 5: DATA PROTECTION
Item Description
Physical
Protection
Oracle maintains physical security standards, which are designed to prohibit unauthorized
physical access.
Administrative
Protection
Oracle Support validates and tracks collected data, where it is stored, and how it is
disposed of.
Network Security Service data is segregated at a customer level through a multi-tenancy security model.
Security includes multiple layers of access and authorization controls.
Oracle Continuous Connection Network is a network separated from Oracle’s internal
network, for connectivity to Oracle customers. Connection between Oracle Continuous
Connection Network and the customer environment is managed through a VPN. The VPN
session keys are replaced regularly through a key exchange protocol.
Desktop and
Laptop Security
Oracle Desktop and Laptop Security Policy is designed to facilitate a high level of desktop
security. Virus and malware scanning is mandatory. Disk encryption is required for staff
storing sensitive data.
Logging and
Auditing
Oracle Advanced Support Platform includes audit features as described above.
Customers may also choose to redirect the generated audit logs to their central auditing
log files or systems. Please note that this option is not available for deployments of
Oracle Advanced Support Gateways for Cloud at Customer machines due to the nature
of the service.
Critical Incidents Oracle promptly evaluates and responds to incidents that create suspicion of
unauthorized handling of services data as per Oracle Information Security Incident
Reporting and Response Policy. If Oracle determines that customers’ services data has
been misappropriated (including by an Oracle employee) or otherwise wrongly acquired
by a third party, Oracle will promptly report such misappropriation or acquisition to
customers.
13 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Data Retention
Upon termination of services, customers’ data will be archived, stored, and removed according to Oracle’s and/or
specific legislation requirements and in accordance with the terms of the applicable contract.
TABLE 6: DATA RETENTION
Item Description
Data Retention
and Data Purge
Data is classified based on its purpose of the business engagement and is retained
according to Oracle’s records retention schedule. Customers’ telemetry data that has
been identified as falling into a Legal Hold category will be stored for a maximum of six
years from the date of commencement of services. Data that is not requiring a Legal Hold
retention will be deleted after the business purpose for which it was created has ended.
Where practical the original data will be removed from the Oracle production
environments using methods designed to ensure that they cannot be reasonably
accessed or read. The archived data will then be kept in an Oracle Legal Hold
environment that will be controlled as per Oracle’ policies and standards. Once the
retention period has elapsed, the archived data will be removed using industry-accepted
data eradication processing and methods.
Qualifications and Security Practices
Oracle has a comprehensive set of internal corporate security policies.
In addition to and in accordance with the Oracle corporate security policies, the Oracle Support organization has
defined detailed security practices and policies for service delivery.
Corporate Security Policies
The Oracle security program includes the policies, standards, guidelines, procedures, compliance enforcement
measures, devices, software, awareness training, and personnel that work together to protect Oracle and its assets.
More than twenty corporate security policies cover the management of security for both its internal operations as
well as the services Oracle provides to its customers, which apply to all Oracle employees. These policies are
aligned with the ISO/IEC 27002:2013 and ISO/IEC 27001:2013 standards, and govern areas of security applicable
to the services. Oracle employees are trained on these internal policies. Security reviews, assessments, and audits
are conducted periodically. Employees who fail to comply with information security policies, procedures, and
practices may be subject to disciplinary action, up to and including termination.
Supporting these policies are standards, procedures and guidelines intended to ensure that Oracle can deliver,
develop, maintain and support their respective services provided internally, to customers and partners.
The goal of Oracle’s standards is to ensure consistency in the use of company assets, users' actions, and
approaches to security. The procedures are the operating procedures, processes, and practices through which
policies and standards are implemented. The guidelines are recommended actions and operational guides when a
specific standard does not apply.
14 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
A number of internal Oracle policies that directly apply to the delivery of Oracle Support services are:
Oracle Information Security Policy: Provides the framework for Oracle Corporation’s direction and support
for information security.
Oracle Information Protection Policy: Describes guidelines regarding information classification and
handling requirements to ensure proper protection of Oracle and customer information assets.
Oracle Information Management and Record Retention Policy: Governs the retention and disposal of the
information and records of Oracle Corporation, its subsidiaries, and affiliates.
Oracle Global Information Security instructions “Securely Exchanging Confidential Information”: Describe
guidelines and technologies that must be used to transmit confidential information securely.
Oracle Desktop and Laptop Security Policy: Sets forth the minimum security requirements for desktop and
laptop computers holding Oracle confidential information, as well as information held on behalf of Oracle’s
customers, partners, suppliers, or any other third parties.
Oracle Logical Access Controls Policy: Describes key access controls that are required for Oracle’s
information assets.
Oracle Password Policy: Describes value sets for password controls to be set up for systems and to be
followed by employees.
Oracle Information Security Incident Reporting and Response Policy: Requires reporting of and response
to information security incidents in a timely and efficient manner.
Oracle Network Security Policy: Requires a range of controls to secure the data in networks and protect
connected services from unauthorized access.
Oracle Server Security Policy: Requires servers to be physically and logically secured according to their
criticality.
Oracle Support Security Policies
Oracle Global Customer Support Security Practices: Covers the Information Security Program, Oracle
Corporate Security Practices, and the security practices when performing standard program and hardware
technical support for Oracle customers.
Oracle Services Privacy Policy: Covers the privacy practices that Oracle Corporation employs when
providing support, consulting, or other services.
Oracle Consulting and Advanced Customer Support Security Practices: Defines specific rules under which
Oracle ACS services are being delivered.
If metadata is required to deliver a service, it is gathered on a limited basis and may include organizational assets,
incident, ticket, and fault telemetry.
15 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
During the performance of Oracle Support services, customers maintain responsibility for any data residing in the
environments. Oracle does not and will not
Change any data, other than as required for the performance of the services.
Have any role in determining or maintaining the accuracy of any data.
Control how data is hosted, processed, stored, or destroyed by customers.
Control customers’ access to data, other than restricted access to data through applying physical and
logical access controls, as applicable, as part of the services.
Monitor customers’ use of or access to their data, except as necessary to provide the services.
Any new services or significant changes to existing services delivered via the platform receive a security review
under the Oracle Corporate Security Solution Assurance Process (CSSAP). This security review process is
overseen by the Oracle Corporate Security Architecture Group and is supported by Oracle Global Information
Security (GIS), Oracle Global IT Risk Management, Oracle Global Product Security (GPS), Oracle Legal and
respective Oracle's IT organizations, to provide a comprehensive information security management review. The
process is endorsed by the Oracle Security Oversight Committee.
The services and Oracle Support teams are subject to an annual security review to verify that they meet Oracle’s
strict security, policies, standards, and third-party requirements.
Qualifications of Oracle Support Engineers
The Oracle Support teams delivering services discussed in this paper have been trained on the respective products
and security-specific topics. Oracle Support engineers are certified in their field of expertise and have passed the
necessary Oracle product qualifications to design, install, configure and support the respective services, systems
and applications Oracle provides for the services in scope of this paper. Oracle Support engineers, technical
account managers and support staff are required to attend role based training on an annual basis and to update
their Oracle certifications when necessary.
Oracle Support engineers are required to take internal training courses that cover information security, data
protection, and incident management. Engineers are encouraged to complete external certifications such as
Certified Information Systems Auditor by the Information Systems Audit and Control Association ISACA, or Certified
Information Systems Security Professional CISSP, to complement their existing Oracle security qualifications.
The Oracle Support delivery teams and the supporting teams and processes operate based on recognized security
frameworks and Oracle recommended practices, and conform to appropriate legislation and certification
requirements where applicable. Engineers have completed Oracle internal security training consistent with relevant
security requirements.
16 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Summary
Many customers take advantage of Oracle Support’s attractive portfolio of remote services to monitor, manage, or
optimize their Oracle systems. Security and privacy of customers’ systems and data is one of Oracle Support’s top
priorities while delivering these services. Safeguards span across the delivery technology, processes, and Oracle
Security Management, to facilitate appropriate security levels throughout.
The Oracle Advanced Support Platform has sophisticated authentication mechanisms and data security features
built into its architecture designed to prevent unauthorized access or usage.
Service delivery processes follow detailed security practices and policies and are audited regularly. Core services
are designed to meet industry standards.
Oracle Support engineers are experienced in IT security and trained on Oracle security practices. An internal Oracle
Security board and a service specific security team supervise service delivery.
Customers can be confident of Oracle’s emphasis on the security and privacy of their systems and data while taking
advantage of remote services from Oracle Support.
.
17 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
Further Information
TABLE 7: GLOSSARY
Acronym / Term Description
ACS Advanced Customer Support
AES-256 Advanced Encryption Standard with cryptographic keys of 256 bits
API Application programming interface
CMDB Configuration management database
HTTPS HTTP over SSL or HTTP Secure; communications protocol for secure communication
over a computer network
ISO/IEC Information security standard published by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC)
ISO/IEC 17799:2005 ISO guidelines and general principles for initiating, implementing, maintaining, and
improving information security management in an organization
ISO 27001:2013 Information security standard by the International Organization for Standardization
ITIL IT Infrastructure Library
OCCN Oracle Continuous Connection Network
RDP Remote desktop protocol; A Microsoft protocol
SQL Structured query language; A programming language
SSAE 16 Statement on Standards for Attestation Engagements No. 16 by the Auditing Standards
Board of the American Institute of Certified Public Accountants (AICPA)
SSH Secure shell; A security protocol for logging into a remote server
SSL Secure socket layer
TLS Transport layer security; A protocol that ensures privacy between communicating
applications and their users on the internet
VPN Virtual private network
XML Extensible markup language
18 | ORACLE WHITE PAPER: SECURITY FEATURES OF REMOTE SERVICE DELIVERY VIA THE ORACLE ADVANCED SUPPORT PLATFORM
TABLE 8: LINKS
Item Link
Oracle Support Oracle Support
Oracle Premier Support
o Oracle Platinum Services
Oracle Advanced Customer Support
o Oracle Advanced Monitoring and Resolution
o Oracle Advanced Database Support
o Cloud Operations for Oracle Cloud Machine
o Oracle Lifecycle Support Services
Documentation Oracle Advanced Support Gateway Security Guide
Oracle Policies and
Practices
Oracle Global Customer Support Security Practices
Oracle Platinum Services Policies
Oracle Consulting and Oracle Advanced Customer Support Services Security Practices
Oracle Services Privacy Policy
Oracle Corporation, World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065, USA
Worldwide Inquiries
Phone: +1.650.506.7000
Fax: +1.650.506.7200
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 1216 White Paper: Secure Remote Delivery of Oracle Support Services via the Oracle Advanced Support Platform December 2016 Author: Jan de Bock, Birgit Kreuz Contributing Authors: Keith Black, Andy Cowling, Jon Ford, Neville Wallace, Glenn Webb
C O N N E C T W I T H U S
blogs.oracle.com/oracle
facebook.com/oracle
twitter.com/oracle
oracle.com