Security Features of Remote Service Delivery via the Oracle Advanced Support Platform ORACLE WHITE PAPER | DECEMBER 2016


Disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Table of Contents

- Introduction
- Oracle Support and Remotely Delivered Services
- Architecture of the Oracle Advanced Support Platform
- User Interfaces
- Access Management
- Secure Features for Management of Services Data
- Qualifications and Security Practices
- Summary
- Further Information

Introduction

Oracle Support is delivering an increasing number of services such as ISO27001:2013 certified Advanced Monitoring and Resolution, and Oracle Platinum Services through a remote service delivery system, the Oracle Advanced Support Platform.

Current delivery processes are based on the IT Infrastructure Library (ITIL) framework. The security architecture of the Oracle Advanced Support Platform includes multiple layers of encryption, authorization, and access control, to facilitate the confidentiality, integrity, and availability of customer data. A strong Oracle policy and process framework guides the service delivery. Security controls are managed by a dedicated information security team, and verified by internal and external audits.

This white paper describes the safeguards incorporated into the delivery of Oracle support services using the Oracle Advanced Support Platform, including delivery architecture and policies.

Oracle Support and Remotely Delivered Services

Oracle Support is a global organization intended to enable the success of customers’ Oracle infrastructure throughout the IT lifecycle, and across the Oracle stack. Oracle Support includes Oracle Premier Support and Oracle Advanced Customer Support (ACS). Both organizations deliver portions of their service portfolio remotely via the Oracle Advanced Support Platform.

TABLE 1: OVERVIEW OF ORACLE SUPPORT SERVICES, AND EXAMPLES OF REMOTELY DELIVERED SERVICES

| Support Organization | Description and Remote Services |
| --- | --- |
| Oracle Premier Support | Oracle Premier Support provides essential support services including 24/7 technical assistance, proactive support resources, and product updates. With global coverage and 50,000+ development engineers and customer support specialists, Oracle Premier Support delivers complete, dependable, fully-integrated services. Remotely delivered services include Oracle Platinum Services: Enhanced support provided at no additional cost to Oracle customers running eligible configurations of Oracle Engineered Systems. The service includes 24/7 fault monitoring, accelerated response, and system patching services. |
| Oracle Advanced Customer Support | Oracle Advanced Customer Support provides important support services for complex IT environments. These services are intended to help maximize performance, achieve high availability and reduce risk across all Oracle solutions, from applications, middleware, and database to server and storage systems, and across Oracle Cloud solutions. ACS offers remotely delivered services based upon industry standards and automation such as those listed below. |

Remotely delivered ACS services listed in the table:

- Oracle Advanced Monitoring and Resolution (AM&R) with 24/7 predictive systems event monitoring and incident resolution across the entire IT stack (from servers to applications) intended to help maximize uptime and reduce risks for mission critical environments.
- Oracle Advanced Database Support can enhance security, performance and availability of Oracle databases through fault management, security compliance reporting, proactive health checks, and patch management.
- Cloud Operations for Oracle Cloud at Customer machines. Cloud at Customer machines deliver Oracle Cloud services in customers’ data centers, fully managed by Oracle. Customers can take advantage of the agility, innovation and subscription-based pricing of Oracle Cloud while meeting data-residency requirements.
- Oracle Lifecycle Support Services can help customers with migration, consolidation, and load testing of a planned technology change, as well as with performance tuning of their Oracle database environment.

Oracle Support follows internationally recognized standards and uses a global security framework based on the ISO27000 family of standards for their service offerings. At the time of publication Oracle Advanced Monitoring and Resolution, Oracle Advanced Database Support, and Oracle Platinum Services have obtained the following certifications and attestations:

- ISO 27001:2013 by the International Organization for Standardization. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
- SSAE16/SOC 1 Type II, the Statement of Standards for Attestation Engagement No. 16, which is an auditing standard for service organizations by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA).

Oracle Support can follow the requirements of HIPAA, the Health Insurance Portability and Accountability Act of the United States of America, which defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. Oracle Support also follows relevant regulatory requirements imposed directly onto Oracle by the applicable regulatory bodies relevant to the countries and services provided.

Architecture of the Oracle Advanced Support Platform

Oracle Support delivers many remote services via the unique Oracle Advanced Support Platform. This platform is a combination of a gateway, back end systems, and access portals. It is operated using processes based on the IT Infrastructure Library (ITIL) framework intended to facilitate confidentiality, integrity, and availability of customer data. In this context, Oracle installs the appropriate critical security patches onto relevant Oracle managed components of the platform, including the gateway. A strong policy and process framework defines the service delivery with multiple layers of encryption, authorization, and access control.

All those procedures are approved and controlled by a high-level Oracle security committee under the Oracle Corporate Security Solution Assurance Process (CSSAP), which will be discussed in more detail later in this document.

Information Security Team for Oracle Services Delivered through the Platform

A dedicated team in Oracle Support – The Information Security (InfoSec) team – is focused on assisting the service delivery through the platform. The team’s activities span across internal security consulting, risk assessments and mitigations, compliance and assurance programs, continuity, as well as certifications and attestations. The InfoSec team is also responsible for key internal security operations management processes, such as end-to-end security incident management, and threat and vulnerability management.

Key Components of the Oracle Advanced Support Platform

The graphic and table below show the basic architecture of the platform and highlight the interactions and data flows between its components.

Figure 1. Components and architecture

TABLE 2: MAIN COMPONENTS USED IN THE PLATFORM ARCHITECTURE, SHOWN IN FIGURE 1

| Name | Function | Security Features |
| --- | --- | --- |
| Configuration Items | Devices and software components monitored, analyzed or patched by Oracle Support. | Access via Oracle Advanced Support Gateway using secure protocols. Procedures limit data access to telemetry data that is required for service delivery. |
| Firewall | Secures data flow between: Oracle Advanced Support Gateway and customers’ monitored devices; Oracle Advanced Support Gateway and the Oracle back-end. | Detailed firewall rules and templates are provided to customers during the implementation process. |
| Oracle Advanced Support Gateway and Portal | Software appliance for provisioning and delivery of remote Oracle services and tools. Collects telemetry and relays it to the Oracle back-end system. The gateway is located within the customer’s data center on a dedicated general-purpose server (or on Oracle Virtual Machine), and is managed and maintained by Oracle. It includes an additional portal for customer access. The Oracle Advanced Support Gateway hosts a number of applications such as Oracle Enterprise Manager, as well as Java based applications including Auto Service Request and Oracle Configuration Manager. | Authentication and encryption. Accepts incoming remote management connections only from an authorized access management host within the platform. If a telemetry message passes through the rules engine and the rules determine that the message should be sent to the Oracle back-end system for processing, the message is then encoded in an XML data structure and sent to the Oracle back-end system via HTTPS, using the latest TLS protocol for encryption. Recommended to be placed into a demilitarized zone (DMZ) or trusted network. The gateway portal is accessed via the secure HTTPS protocol. Customers can specify from where the portal is viewable. |
| Oracle Continuous Connection Network (OCCN) | Secures connectivity between Oracle and customer. Hosts the access management system. Used for remote access to customer environments. Access to customer authentication data and customer site is only possible from this network. | Closed VPN and segregated from Oracle’s internal network. Limited access by authorized and trained Oracle Support engineers with special approval. Two-factor authentication with hardware token and password. Connectivity via a TLS-encrypted VPN connection. VPN session keys are replaced regularly through a key exchange protocol. Sessions are logged for auditing purposes. |
| VPN Tunnel / HTTPS | Software VPN client within Oracle Advanced Support Gateway to encrypt inbound connections from Oracle. HTTPS for outbound connections from Oracle Advanced Support Gateway to Oracle. Not all services require a continuous inbound connection. For those services that do not require a continuous connection, customers can request activation of the remote access control, which allows the inbound connection to be switched on/off. | TLS-based VPN client. Encryption. Failover, backup, and disaster recovery functions. HTTPS with 128-bit SSL transport encryption. |
| ITIL Procedures, Analysis, Reporting | ITIL based incident, problem, change, and knowledge management. Monitoring, analysis, and report generation based on defined thresholds and recommended practices. | Only authenticated and trained Oracle Support engineers have system access to deliver the contracted services. |
| Oracle Advanced Support Portal | Web portal for configuring and maintaining the Configuration Management Database (CMDB), managing monitoring events, handling changes, and documenting customer requests. Accessible internally by authorized Oracle Support engineers and online by authorized customers. | Sessions are encrypted. Near real-time authentication. Input data validation prior to processing intended to block malicious scripting, SQL injection, and remote command injection attacks. Data presented on the portal to users is encoded. |
| Configuration Management Database (CMDB) | Database within the platform to store telemetry required to deliver the services. CMDB contains the data related to an individual asset - such as device name, IP address, port - required to access the device remotely. | No direct, outside data access. Only accessible via APIs. Data is segregated at a customer level through a multitenancy security model. Multiple layers of API-based access and authorization controls. |

More details on security aspects of Oracle Advanced Support Platform are discussed in the “Oracle Advanced Support Gateway Security Guide” and Oracle Global Customer Support Security Practices, Section 6, “Advanced Support Gateway Services.”

Oracle Support has included security features into layers of the remote delivery architecture and processes. Customers must also ensure data security on their end by applying appropriate precautions. A remote access environment should be protected in the same way as an on-premise environment.

Oracle Support experts can assist customers with Oracle recommendations and services to identify potential risk areas proactively, and to increase the security level of their data environments.

Examples of Oracle Advanced Customer Support’s service portfolio addressing this need:

- Oracle Security Review and Recommendation can help customers understand their current level of security against Oracle’s recommended practices.
- Oracle Preproduction Readiness Review can help customers assess the supportability and readiness of their setup and implementation plans.
- Oracle Advanced Support Knowledge Workshop provides tailored information on the production optimization and supportability of Oracle products or technology.

User Interfaces

Access to the Oracle Advanced Support Platform includes:

- Interfaces for customer users to submit requests, track service status, administer users, and access information
- Interfaces for Oracle Support engineers to deliver remote services

Interfaces for Customer Users

Customers have multiple options to access the platform. These can vary per service or service components, as specified in the relevant documentation.

Figure 2. Customer access

- Oracle Advanced Support Portal accessible via the internet and located at Oracle. This portal provides customers with event reports, service request status, change management status, orientation session materials, and more.
  - My Oracle Support Portal. Customers of the services discussed in this paper are current on an Oracle technical support service contract covering the referring systems. They have access to My Oracle Support, the one-stop support portal with Oracle single sign-on (SSO) registration. Customers can also use these credentials for access to the Oracle Advanced Support Portal.
- Oracle Advanced Support Gateway Portal located at the customer’s data center as part of the Oracle Advanced Support Gateway. Customers can use this portal in a similar way as the Oracle Advanced Support Portal. Applicable portals can vary per service as shown in table 3 below. The customer user administrator of the Oracle Advanced Support Gateway, who was defined during the configuration process, can create, delete, and modify portal users. The gateway portal is accessed via the HTTPS protocol. The customer can decide from where the portal is viewable by opening the right ports. In most cases, the portal does not need access from the public internet and can be limited to the customer’s network.
- Restricted command line interface on the Oracle Advanced Support Gateway located at the customer’s data center. Customers can use this interface for strictly limited access to encrypted audit reports which will be discussed in section ‘Auditing’ later in this document. Please note that this option is not available for deployments of Oracle Advanced Support Gateways for Cloud at Customer machines due to the nature of the service.

TABLE 3: EXAMPLES OF CUSTOMER USER INTERFACES PER SUPPORT SERVICE OFFERING

| Interface | Oracle Platinum Services | Oracle Advanced Monitoring and Resolution Service | Oracle Advanced Database Support | Cloud Operations for Oracle Cloud at Customer | Oracle Lifecycle Support Services |
| --- | --- | --- | --- | --- | --- |
| Oracle Advanced Support Portal | Yes | Yes | No | No | Yes |
| My Oracle Support Portal | Yes | Yes | Yes | Yes | No |
| Oracle Advanced Support Gateway Portal | Yes | No | Yes | No | No |
| Command line interface | Yes, for auditing | Yes, for auditing | Yes, for auditing | No | Yes, for auditing |

Interfaces for Oracle Support Engineers

The primary human interface with the platform for Oracle Support engineers is the Oracle Advanced Support Portal. The portal is the user interface for access management administration and remote service delivery such as near real-time event monitoring, and ITIL based management services. Oracle Support delivers remote services via the platform using a global infrastructure. Oracle Support engineers are individually authorized to access the target device and perform interactive remote management services.

Access Management

Access to the platform and to customers’ systems is limited to individuals with applicable roles and privileges. The platform’s access management system, multi-level authentication and authorization, and password management help protect against unauthorized system access. Monitoring and auditing features track and control activities.

Access Management System

Oracle Advanced Support Platform contains a role-based central access management system which controls user accounts and privileges. It is hosted within the Oracle Continuous Connection Network (“OCCN”). The access management system server enforces per-user connection rules on each connection request, based on defined user permissions. The system maintains two different personal account types: customer accounts and Oracle Support engineer accounts. Shared group accounts are not allowed. The platform does not allow direct, outside access to its data stores.

Authentication and Authorization

Oracle follows the principle of least access privilege, as outlined in the internal Oracle Information Security Policy. Accounts are reviewed regularly to verify that the authorization is applicable to the user’s role. Highly privileged access is limited and controlled. Password quality and expiration controls are implemented. Authentication and authorization requests, whether system-generated or human-generated, pass through multiple layers of business logic and role-based authentication checks. Security controls have been implemented to further filter and analyze requests against standard API signatures after they have passed through the network perimeter. These controls are designed to discard requests that violate prescribed parameters.

The internal Oracle Logical Access Controls Policy describes logical access control requirements for Oracle systems, including authentication, authorization, access approval, provisioning, and revocation of employees.

Connection requests must successfully complete the following steps to get access to requested information:

Figure 3. Authentication system

- Authentication: If the incoming request is in an approved format, the authentication credentials provided with the request are verified against the platform’s access management system for validation.
- Authorization: The request is then compared to the role based authorization model built into the system to determine whether the user or system has the appropriate level of authorization.
- Evaluation: The request is evaluated using business logic rules.

Following this process, Oracle Support engineers are authenticated via the Oracle single sign-on (SSO) system. Access rights are removed automatically together with the termination of an Oracle Support engineer’s employee contract or if their role no longer requires access.

The access management system uses the Configuration Management Database to route the Oracle Support engineer’s access request to the right customer device. In this manner, the access management system initiates remote management sessions to the proper devices within the customer’s network, as relevant connection data (IP addresses, etc.) changes.

Access rights are limited to what is required for the task as per the principle of least access privilege. For example, monitoring activities require fewer privileges than patch implementation, and the access rights are granted accordingly.
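The three checks listed above (authentication, authorization, evaluation) together with the least-privilege rule, modeled as an added example; this is not Oracle's code. The role names, actions, account names, customer names and the change-window business rule are all hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical roles: monitoring gets fewer actions than patching (least privilege).
ROLE_ACTIONS = {
    "monitoring": {"read_telemetry"},
    "patching": {"read_telemetry", "apply_patch"},
}
REQUIRED_FIELDS = {"user", "secret", "customer", "device", "action"}


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest so the account store never holds the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    grants: set = field(default_factory=set)  # {(customer, role)}: grants are per tenant
    active: bool = True                        # cleared on termination or role change


class AccessManager:
    """Toy model of a central access management system (constructed for this example)."""

    def __init__(self):
        self.accounts = {}           # personal accounts only, keyed by user name
        self.change_windows = set()  # (customer, device) pairs with an approved change
        self.audit_log = []          # one record per decision, allowed or rejected

    def add_account(self, user, secret, grants):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _derive(secret, salt), set(grants))

    def handle(self, request):
        decision = self._decide(request)
        self.audit_log.append((request.get("user"), request.get("customer"),
                               request.get("device"), request.get("action"), decision))
        return decision

    def _decide(self, req):
        # Format check: discard anything outside the approved shape before
        # credentials are even looked at.
        if set(req) != REQUIRED_FIELDS or not all(isinstance(v, str) for v in req.values()):
            return "rejected:format"
        # 1. Authentication: verify the credentials against the account store.
        acct = self.accounts.get(req["user"])
        if acct is None or not acct.active:
            return "rejected:authentication"
        if not hmac.compare_digest(acct.digest, _derive(req["secret"], acct.salt)):
            return "rejected:authentication"
        # 2. Authorization: only roles granted for THIS customer count.
        allowed = set()
        for customer, role in acct.grants:
            if customer == req["customer"]:
                allowed |= ROLE_ACTIONS.get(role, set())
        if req["action"] not in allowed:
            return "rejected:authorization"
        # 3. Evaluation: hypothetical business rule, patches need an approved change.
        if req["action"] == "apply_patch" and \
                (req["customer"], req["device"]) not in self.change_windows:
            return "rejected:evaluation"
        return "allowed"


def demo():
    """Run constructed requests through the gate; return the manager and the decisions."""
    am = AccessManager()
    am.add_account("eng.monitor", "pw-monitor", {("acme", "monitoring")})
    am.add_account("eng.patch", "pw-patch", {("acme", "patching")})
    am.add_account("eng.former", "pw-former", {("acme", "patching")})
    am.accounts["eng.former"].active = False  # access removed along with the role
    am.change_windows.add(("acme", "db01"))

    def req(user, secret, customer, device, action, **extra):
        return dict(user=user, secret=secret, customer=customer,
                    device=device, action=action, **extra)

    requests = [
        req("eng.monitor", "pw-monitor", "acme", "db01", "read_telemetry"),
        req("eng.monitor", "pw-monitor", "acme", "db01", "apply_patch"),
        req("eng.patch", "pw-patch", "acme", "db01", "apply_patch"),
        req("eng.patch", "pw-patch", "acme", "db02", "apply_patch"),
        req("eng.patch", "pw-patch", "globex", "db01", "read_telemetry"),
        req("eng.patch", "wrong", "acme", "db01", "read_telemetry"),
        req("eng.former", "pw-former", "acme", "db01", "read_telemetry"),
        req("eng.patch", "pw-patch", "acme", "db01", "read_telemetry", shell="1"),
    ]
    return am, [am.handle(r) for r in requests]


if __name__ == "__main__":
    for decision in demo()[1]:
        print(decision)
```

Every request, rejected or allowed, lands in `audit_log`, so the same run also produces the trail a reviewer would check against the granted roles.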


Figure 4. Example of role based access by Oracle Support engineers

Password Management and Communication

Oracle Support maintains a specially protected password vault with access restricted to the accredited Oracle personnel who deliver these services. Customers can set expiry dates for their passwords, and get automatic expiry warnings. After the expiry date, Oracle Support does not use those passwords any more. Customers are responsible for updating any relevant password changes back to Oracle Support for uninterrupted service.

Customers share the credentials for accessing individual assets with Oracle Support engineers through the Oracle Advanced Support Gateway portal. Customers can share passwords, but they cannot view them there afterwards. This allows a database administrator to share a password without the system administrator being able to see what was shared and vice versa. Oracle Support engineers can only see and use the credentials if they have appropriate access rights to the targets of the specific customer.

Customers are responsible for managing their own passwords on their systems.

Auditing

Oracle Advanced Support Platform includes audit features to track and control actions across the platform such as login events, data modifications to incident, problem, change, configuration, and knowledge management, access and modification of customer passwords, and remote access sessions. Customers may also choose to use their internal, customer audit log tool to monitor user interactions against customer devices.

Oracle Advanced Support Gateway can retain audit logs such as logging of telemetry data, administrative upstream and downstream messages from the platform’s central infrastructure at Oracle, changes to the configuration of Oracle Advanced Support Gateway, and logging of incoming remote access requests from the authorized access management system.

Audit reports are encrypted using AES-256 with a unique encryption key per user account. They are stored in the platform for 90 days. Encrypted audit reports can only be accessed by limited authorized users via the Oracle Advanced Support Gateway’s command line interface.

Audit data can be streamed to customers’ syslog systems via the restricted command line interface.

Please note that this option is not available for deployments of Oracle Advanced Support Gateways for Cloud at Customer machines due to the nature of the service.
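A customer-side check over audit records streamed to syslog, as an added example (not Oracle's code): it flags remote access requests that did not come from the authorized access management host or that arrived while the inbound connection was switched off. The record layout, field names, host names and addresses are constructed for illustration; this paper does not give the gateway's actual audit format.

```python
import ipaddress
import re

# Assumption: the source address the customer's firewall rules permit for the access
# management host. 192.0.2.10 is a documentation address, not a real endpoint.
AUTHORIZED_SOURCES = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed record layout: "<timestamp> <host> audit: key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) audit: (?P<kv>\S.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample stream (not real gateway output).
SAMPLE_LINES = [
    "2016-12-01T02:10:05Z gw01 audit: event=remote_access_control state=on actor=cust.admin",
    "2016-12-01T02:12:41Z gw01 audit: event=remote_access_request src=192.0.2.10 user=eng.patch target=db01",
    "2016-12-01T02:40:00Z gw01 audit: event=remote_access_control state=off actor=cust.admin",
    "2016-12-01T03:05:17Z gw01 audit: event=remote_access_request src=192.0.2.10 user=eng.patch target=db01",
    "2016-12-01T03:06:02Z gw01 audit: event=remote_access_request src=198.51.100.77 user=eng.patch target=db01",
    "2016-12-01T03:07:00Z gw01 audit: event=config_change key=syslog_target actor=cust.admin",
    "%%% truncated record",
]


def parse(line):
    """Return a dict of fields for one record, or None if it does not parse."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = dict(KV_RE.findall(match.group("kv")))
    if "event" not in record:
        return None
    record["ts"] = match.group("ts")
    record["host"] = match.group("host")
    return record


def review(lines, inbound_enabled=False):
    """Return (line_number, finding) pairs for records that need a human look.

    inbound_enabled is the state of the remote access control before the first
    record; it defaults to off so that an unexplained request is flagged.
    """
    findings = []
    for number, line in enumerate(lines, 1):
        record = parse(line)
        if record is None:
            # Never drop unreadable audit data silently: a gap is itself a finding.
            findings.append((number, "unparsed"))
            continue
        if record["event"] == "remote_access_control":
            inbound_enabled = record.get("state") == "on"
        elif record["event"] == "remote_access_request":
            try:
                source = ipaddress.ip_address(record.get("src", ""))
            except ValueError:
                findings.append((number, "bad-source"))
                continue
            if not any(source in network for network in AUTHORIZED_SOURCES):
                findings.append((number, "unauthorized-source"))
            if not inbound_enabled:
                findings.append((number, "inbound-disabled"))
    return findings


if __name__ == "__main__":
    for number, finding in review(SAMPLE_LINES):
        print(f"line {number}: {finding}")
```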


Secure Features for Management of Services Data

Services data in this context is data that resides on Oracle, customer, or third-party systems to which Oracle is provided access in order to perform services. Oracle treats services data as confidential, and manages it in accordance with Oracle Services Privacy Policy. Oracle does not use services data except as stated in the contract or Services Policy.

Data Gathering

Mapping configuration and performance data of customers’ Oracle products against Oracle recommended practices and compliance standards is an essential part of many Oracle Support services such as ACS Review and Recommendation Services for Systems Optimization. Oracle processes and policies help ensure that gathering of services data is limited to what is required to deliver the service. Oracle will not disclose any services data located on Oracle systems except as stated contractually or as required to perform the services. Customers should limit Oracle’s access to their data to the extent necessary for Oracle to perform the services.

TABLE 4: DATA GATHERING

| Item | Description |
| --- | --- |
| Data Types | Configuration data is gathered on a ‘need-to-know’ basis, limited to what is required to deliver the specific Oracle services. Data may include incident, ticket, and fault telemetry, database snapshots of configuration and performance data, system diagnostic, configuration, version and patch data, and access privileges. |
| Method | Near real-time access to the customer’s core infrastructure exclusively via Oracle Continuous Connection Network. Oracle support tools; SQL scripts. |
| Data Transport | Encrypted data transport via Oracle Continuous Connection Network infrastructure and VPN connection. |
| Data Storage | Oracle Advanced Support Platform |
| Data Analysis and Report Generation | Automated. |
| Report Storage and Provisioning to Customers | Oracle Advanced Support Platform. Provisioning with encryption and authentication. Reports may also be made available in PDF format in the ‘uploads’ area of the portal. The Oracle control center will notify customers of any critical issues that require immediate corrective action. |

Figure 5. Data management


Data Access

Oracle does not use or access services data except as stated in the contract or Services Privacy Policy. Authentication and authorization of system access are discussed in section ‘Access Management’ of this document.

Data Protection

Oracle is committed to the security of its customers’ services data, and has physical, administrative, and technical measures in place designed to prevent unauthorized access to that information. These measures and practices are defined in Oracle security policies, namely Oracle Global Customer Support Security Practices, Section 7, “Data Management and Protection.”

Oracle is also committed to reducing risks of human error, theft, fraud, and misuse of Oracle facilities. Oracle employees are required to take training on security policies and protection of confidential information, and to comply with those rules. A dedicated information security team for services delivered via the platform supervises safeguards and data protection.

TABLE 5: DATA PROTECTION

| Item | Description |
| --- | --- |
| Physical Protection | Oracle maintains physical security standards, which are designed to prohibit unauthorized physical access. |
| Administrative Protection | Oracle Support validates and tracks collected data, where it is stored, and how it is disposed of. |
| Network Security | Service data is segregated at a customer level through a multi-tenancy security model. Security includes multiple layers of access and authorization controls. Oracle Continuous Connection Network is a network separated from Oracle’s internal network, for connectivity to Oracle customers. Connection between Oracle Continuous Connection Network and the customer environment is managed through a VPN. The VPN session keys are replaced regularly through a key exchange protocol. |
| Desktop and Laptop Security | Oracle Desktop and Laptop Security Policy is designed to facilitate a high level of desktop security. Virus and malware scanning is mandatory. Disk encryption is required for staff storing sensitive data. |
| Logging and Auditing | Oracle Advanced Support Platform includes audit features as described above. Customers may also choose to redirect the generated audit logs to their central auditing log files or systems. Please note that this option is not available for deployments of Oracle Advanced Support Gateways for Cloud at Customer machines due to the nature of the service. |
| Critical Incidents | Oracle promptly evaluates and responds to incidents that create suspicion of unauthorized handling of services data as per Oracle Information Security Incident Reporting and Response Policy. If Oracle determines that customers’ services data has been misappropriated (including by an Oracle employee) or otherwise wrongly acquired by a third party, Oracle will promptly report such misappropriation or acquisition to customers. |

Data Retention

Upon termination of services, customers’ data will be archived, stored, and removed according to Oracle’s and/or specific legislation requirements and in accordance with the terms of the applicable contract.

TABLE 6: DATA RETENTION

| Item | Description |
| --- | --- |
| Data Retention and Data Purge | Data is classified based on its purpose of the business engagement and is retained according to Oracle’s records retention schedule. Customers’ telemetry data that has been identified as falling into a Legal Hold category will be stored for a maximum of six years from the date of commencement of services. Data that does not require a Legal Hold retention will be deleted after the business purpose for which it was created has ended. Where practical the original data will be removed from the Oracle production environments using methods designed to ensure that they cannot be reasonably accessed or read. The archived data will then be kept in an Oracle Legal Hold environment that will be controlled as per Oracle’s policies and standards. Once the retention period has elapsed, the archived data will be removed using industry-accepted data eradication processing and methods. |

Qualifications and Security Practices

Oracle has a comprehensive set of internal corporate security policies.

In addition to and in accordance with the Oracle corporate security policies, the Oracle Support organization has defined detailed security practices and policies for service delivery.

Corporate Security Policies

The Oracle security program includes the policies, standards, guidelines, procedures, compliance enforcement

measures, devices, software, awareness training, and personnel that work together to protect Oracle and its assets.

More than twenty corporate security policies cover the management of security for both its internal operations as

well as the services Oracle provides to its customers, which apply to all Oracle employees. These policies are

aligned with the ISO/IEC 27002:2013 and ISO/IEC 27001:2013 standards, and govern areas of security applicable

to the services. Oracle employees are trained on these internal policies. Security reviews, assessments, and audits

are conducted periodically. Employees who fail to comply with information security policies, procedures, and

practices may be subject to disciplinary action, up to and including termination.

Supporting these policies are standards, procedures and guidelines intended to ensure that Oracle can deliver,

develop, maintain and support their respective services provided internally, to customers and partners.

The goal of Oracle’s standards is to ensure consistency in the use of company assets, users' actions, and

approaches to security. The procedures are the operating procedures, processes, and practices through which

policies and standards are implemented. The guidelines are recommended actions and operational guides when a

specific standard does not apply.


A number of internal Oracle policies that directly apply to the delivery of Oracle Support services are:

• Oracle Information Security Policy: Provides the framework for Oracle Corporation’s direction and support for information security.

• Oracle Information Protection Policy: Describes guidelines regarding information classification and handling requirements to ensure proper protection of Oracle and customer information assets.

• Oracle Information Management and Record Retention Policy: Governs the retention and disposal of the information and records of Oracle Corporation, its subsidiaries, and affiliates.

• Oracle Global Information Security instructions “Securely Exchanging Confidential Information”: Describe guidelines and technologies that must be used to transmit confidential information securely.

• Oracle Desktop and Laptop Security Policy: Sets forth the minimum security requirements for desktop and laptop computers holding Oracle confidential information, as well as information held on behalf of Oracle’s customers, partners, suppliers, or any other third parties.

• Oracle Logical Access Controls Policy: Describes key access controls that are required for Oracle’s information assets.

• Oracle Password Policy: Describes value sets for password controls to be set up for systems and to be followed by employees.

• Oracle Information Security Incident Reporting and Response Policy: Requires reporting of and response to information security incidents in a timely and efficient manner.

• Oracle Network Security Policy: Requires a range of controls to secure the data in networks and protect connected services from unauthorized access.

• Oracle Server Security Policy: Requires servers to be physically and logically secured according to their criticality.

Oracle Support Security Policies

• Oracle Global Customer Support Security Practices: Covers the Information Security Program, Oracle Corporate Security Practices, and the security practices when performing standard program and hardware technical support for Oracle customers.

• Oracle Services Privacy Policy: Covers the privacy practices that Oracle Corporation employs when providing support, consulting, or other services.

• Oracle Consulting and Advanced Customer Support Security Practices: Defines specific rules under which Oracle ACS services are being delivered.

If metadata is required to deliver a service, it is gathered on a limited basis and may include organizational assets,

incident, ticket, and fault telemetry.


During the performance of Oracle Support services, customers maintain responsibility for any data residing in the

environments. Oracle does not and will not:

• Change any data, other than as required for the performance of the services.

• Have any role in determining or maintaining the accuracy of any data.

• Control how data is hosted, processed, stored, or destroyed by customers.

• Control customers’ access to data, other than restricted access to data through applying physical and logical access controls, as applicable, as part of the services.

• Monitor customers’ use of or access to their data, except as necessary to provide the services.

Any new services or significant changes to existing services delivered via the platform receive a security review

under the Oracle Corporate Security Solution Assurance Process (CSSAP). This security review process is

overseen by the Oracle Corporate Security Architecture Group and is supported by Oracle Global Information

Security (GIS), Oracle Global IT Risk Management, Oracle Global Product Security (GPS), Oracle Legal, and

the respective Oracle IT organizations, to provide a comprehensive information security management review. The

process is endorsed by the Oracle Security Oversight Committee.

The services and Oracle Support teams are subject to an annual security review to verify that they meet Oracle’s

strict security policies, standards, and third-party requirements.

Qualifications of Oracle Support Engineers

The Oracle Support teams delivering services discussed in this paper have been trained on the respective products

and security-specific topics. Oracle Support engineers are certified in their field of expertise and have passed the

necessary Oracle product qualifications to design, install, configure and support the respective services, systems

and applications Oracle provides for the services in scope of this paper. Oracle Support engineers, technical

account managers and support staff are required to attend role-based training on an annual basis and to update

their Oracle certifications when necessary.

Oracle Support engineers are required to take internal training courses that cover information security, data

protection, and incident management. Engineers are encouraged to complete external certifications such as

Certified Information Systems Auditor by the Information Systems Audit and Control Association (ISACA), or Certified

Information Systems Security Professional (CISSP), to complement their existing Oracle security qualifications.

The Oracle Support delivery teams and the supporting teams and processes operate based on recognized security

frameworks and Oracle recommended practices, and conform to appropriate legislation and certification

requirements where applicable. Engineers have completed Oracle internal security training consistent with relevant

security requirements.


Summary

Many customers take advantage of Oracle Support’s attractive portfolio of remote services to monitor, manage, or

optimize their Oracle systems. Security and privacy of customers’ systems and data is one of Oracle Support’s top

priorities while delivering these services. Safeguards span across the delivery technology, processes, and Oracle

Security Management, to facilitate appropriate security levels throughout.

The Oracle Advanced Support Platform has sophisticated authentication mechanisms and data security features

built into its architecture designed to prevent unauthorized access or usage.

Service delivery processes follow detailed security practices and policies and are audited regularly. Core services

are designed to meet industry standards.

Oracle Support engineers are experienced in IT security and trained on Oracle security practices. An internal Oracle

Security board and a service-specific security team supervise service delivery.

Customers can be confident of Oracle’s emphasis on the security and privacy of their systems and data while taking

advantage of remote services from Oracle Support.


Further Information

TABLE 7: GLOSSARY

| Acronym / Term | Description |
|---|---|
| ACS | Advanced Customer Support |
| AES-256 | Advanced Encryption Standard with cryptographic keys of 256 bits |
| API | Application programming interface |
| CMDB | Configuration management database |
| HTTPS | HTTP over SSL or HTTP Secure; communications protocol for secure communication over a computer network |
| ISO/IEC | Information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) |
| ISO/IEC 17799:2005 | ISO guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization |
| ISO 27001:2013 | Information security standard by the International Organization for Standardization |
| ITIL | IT Infrastructure Library |
| OCCN | Oracle Continuous Connection Network |
| RDP | Remote desktop protocol; A Microsoft protocol |
| SQL | Structured query language; A programming language |
| SSAE 16 | Statement on Standards for Attestation Engagements No. 16 by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) |
| SSH | Secure shell; A security protocol for logging into a remote server |
| SSL | Secure socket layer |
| TLS | Transport layer security; A protocol that ensures privacy between communicating applications and their users on the internet |
| VPN | Virtual private network |
| XML | Extensible markup language |


TABLE 8: LINKS

| Item | Link |
|---|---|
| Oracle Support | Oracle Support; Oracle Premier Support (Oracle Platinum Services); Oracle Advanced Customer Support (Oracle Advanced Monitoring and Resolution, Oracle Advanced Database Support, Cloud Operations for Oracle Cloud Machine, Oracle Lifecycle Support Services) |
| Documentation | Oracle Advanced Support Gateway Security Guide |
| Oracle Policies and Practices | Oracle Global Customer Support Security Practices; Oracle Platinum Services Policies; Oracle Consulting and Oracle Advanced Customer Support Services Security Practices; Oracle Services Privacy Policy |

Oracle Corporation, World Headquarters

500 Oracle Parkway

Redwood Shores, CA 94065, USA

Worldwide Inquiries

Phone: +1.650.506.7000

Fax: +1.650.506.7200

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 1216

White Paper: Secure Remote Delivery of Oracle Support Services via the Oracle Advanced Support Platform

December 2016

Author: Jan de Bock, Birgit Kreuz

Contributing Authors: Keith Black, Andy Cowling, Jon Ford, Neville Wallace, Glenn Webb
