Difference between revisions of "Oracle Cloud Infrastructure"
Shawndouglas (talk | contribs) m (→Managed security services: Grammar) |
Shawndouglas (talk | contribs) (→Provider research: Chapter number) |
||
Line 40: | Line 40: | ||
==Provider research== | ==Provider research== | ||
This section uses public information to provide some answers to the 18 questions posed in Chapter | This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide ''[[LII:Choosing and Implementing a Cloud-based Service for your Laboratory|Choosing and Implementing a Cloud-based Service for your Laboratory]]''. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made. | ||
Line 157: | Line 157: | ||
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an Oracle Cloud Infrastructure representative. | It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an Oracle Cloud Infrastructure representative. | ||
==Managed security services== | ==Managed security services== |
Revision as of 16:00, 4 June 2021
Industry | Cloud computing, Web services |
---|---|
Founder(s) |
Larry Ellison Bob Miner Ed Oates |
Headquarters | Redwood City, California, United States |
Area served | Worldwide |
Key people | Clay Magouyrk (EVP) |
Products | IaaS, PaaS, DBaaS, DaaS |
Revenue | $6.85 billion (2020, Q4)[1] |
Website | oracle.com/cloud/ |
Oracle Cloud Infrastructure is a a collection of public, private, hybrid, and multicloud cloud computing services offered by Oracle Corporation, an American multinational information technology company. Oracle Cloud Infrastructure deploys to unknown number of data centers in 29 cloud regions in various locations around the world.[2] More than 65 different products and services are associated with Oracle Cloud Infrastructure, representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, data analysis, and developer support.[2]
Provider research
This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.
1. What experience do you have working with laboratory customers in our specific industry?
Oracle has the Oracle for Research program, which helps researchers, scientists, and academic institutions "leverage Oracle Cloud technology and become part of a global community that is working to address complex problems and drive meaningful change in the world."[3] Through this program, labs at Flinders University, Royal Holloway University of London, University of Bristol, and University of Southern California have used Oracle Cloud towards its objectives.[4] Laboratory informatics vendors that have turned to Oracle Cloud include AgiLab SAS[5], OPTIMIZA[6], and Triniti.[7] An Oracle representative is likely to be able to supply more examples of laboratories and laboratory informatics developers that use or have used Oracle Cloud Infrastructure.
2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?
It will ultimately be up to your organization to get an answer from Linode tailored to your systems and business processes. However, this much can be said about Oracle Cloud Infrastructure integrations. The Oracle Integration collection of h database, application, social, and productivity adapters "offers innovative methods for accelerating all types of application connection and process automation projects. They include out-of-the-box templates and adapters to connect virtually any data store, process, application, service, or API across modern and legacy sales, marketing, HCM, finance, and order-management systems."[8]
3. What is the average total historical downtime for the service(s) we're interested in?
Some public information is made available about historic outages and downtime. Oracle Cloud Infrastructure has a systems status page with status history (you have to click on the "Incident History" link at the bottom, then the date range arrows in the top right of the subsequent page). You should be able to read through the incident details for each issue, going back through a fair amount of history. This will give you a partial picture of the issues experienced in the past, as well as any scheduled maintenance and currently impacted services. A follow-up on this question with an Oracle Cloud Infrastructure representative may reveal more historical downtime history for the services you are interested in.
4. Do we receive comprehensive downtime support in the case of downtime?
Oracle Cloud Infrastructure does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with Oracle what downtime support they provide based on the services your organization are interested in.
5. Where are your servers located, and how is data securely transferred to and from those servers?
Oracle Cloud Infrastructure is split up into 29 regions, each with various availability domains and fault domains. As for data transfers, Oracle Cloud Infrastructure provides multiple ways to better ensure safer data transmission. In its disaster recovery documentation, Oracle discusses networking services such as virtual cloud networks, reserved public IP addresses, Load Balancing, and FastConnect. For example, FastConnect can be used in hybrid cloud data transfers between on-premises and Oracle cloud infrastructures for "a more reliable and consistent networking experience compared to internet-based connections."[9] As for the security of data in transit, Oracle Cloud Infrastructure addresses this with encryption mechanisms like TLS v1.2.[10]
6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?
Oracle broadly describes physical security controls at its facilities, but it doesn't discuss who is allowed into the heart of data centers and how access to those areas is controlled. It also doesn't describe any certifications or training that applies to the individuals who could access your data. This is a conversation to have with a Oracle Cloud Infrastructure representative.
7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?
Not all Oracle Cloud Infrastructure machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.
8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
Similar to IBM, Oracle appears to allow for both physical (bare metal) separation and logical separation for some of its services[11]:
Compute instances are based on high-performance server hardware that uses latest-generation, multi-core server CPUs, large amounts of memory, and high-throughput NVMe local storage. Oracle Cloud Infrastructure provides bare metal (BM) and virtual machine (VM) instances. Customers can choose instances that fit their performance, cost, and software flexibility requirements.
As for tenant isolation, the concept is addressed in Oracle's security documentation, in reference to both bare metal and virtual machine instances, as well as within the scope of networking. For details beyond the documentation, consult a representative.
9. Do you have documented data security policies?
Oracle Cloud Infrastructure documents its security practices in several places:
Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with an Oracle Cloud Infrastructure representative to obtain them.
10. How do you test your platform's security?
Oracle has this to say about internal and customer cloud security testing[12]:
Oracle regularly performs penetration and vulnerability testing and security assessments against the Oracle cloud infrastructure, platforms, and applications. These tests are intended to validate and improve the overall security of Oracle Cloud Services.
However, Oracle does not assess or test any components (including, non-Oracle applications, non-Oracle databases or other non-Oracle software, code or data, as may be applicable) that you manage through or introduce into—including introduction through your development in or creation in—the Oracle Cloud Services (the “Customer Components”). This policy does not address or provide any right to conduct testing of any third party materials included in the Customer Components.
Except as otherwise permitted or restricted in your Oracle Cloud Services agreements, your service administrator who has system level access to your Oracle Cloud Services may run penetration and vulnerability tests for the Customer Components included in certain of your Oracle Cloud Services in accordance with the following rules and restrictions.
It also appears that Oracle may have a Red Team that handles its penetration and vulnerability testing.[13] Discuss this with a representative to learn more.
11. What are your policies for security audits, intrusion detection, and intrusion reporting?
Audits: Customers are able to audit their security by using the built-in Audit service. "Using the Audit service, customers can achieve their own security and compliance goals by monitoring all user activity within their tenancy. Because all Console, SDK, and command line (CLI) calls go through our APIs, all activity from those sources is included."[11] As for internal security audits, Oracle notes in its 2020 SOC 3 report that "[a]t least annually, Oracle Cloud Infrastructure completes an internal audit of the system. The internal audit is conducted by qualified auditors and as per the requirements set out in Clause 9 of ISO/IEC 27001:2013."[14]
Intrusion detection and reporting: Oracle Cloud Infrastructure has the following to say about its internal intrusion detection processes[15]:
Oracle employs intrusion-detection systems within the Oracle intranet to provide continuous surveillance for intercepting and responding to security events as they are identified. Oracle utilizes a network-based monitoring approach to detect attacks on open firewall ports within Oracle's intranet. Events are analyzed using signature detection, which is a pattern matching of environment settings and user activities against a database of known attacks. Oracle updates the signature database as soon as new releases become available for commercial distribution. Alerts are forwarded to Oracle's IT security for review and response to potential threats.
Customers also have intrusion detection and reporting mechanisms at their disposal, including Cloud Guard and Vulnerability Scanning.
12. What data logging information is kept and acted upon in relation to our data?
In its Oracle Services Privacy Policy, Oracle uses the term "systems operations data" to "include log files, event files, and other trace and diagnostic files, as well as statistical and aggregated information that relates to the use and operation of our Services, and the systems and networks these Services run on."[16] Oracle Cloud Infrastructure may use system logs related to your data to keep their services secure, investigate and prevent potential fraud, to administrate backup and disaster recovery plans, confirm compliance, research and development activities, and to comply with applicable laws.[16] Of course, customers can maintain and act upon their own data logs using tools like Logging Analytics.
13. How thorough are those logs and can we audit them on-demand?
It's not clear how thorough the logs are, but Oracle does state: "To the extent provided under applicable laws, Users may request to access, correct, update or delete personal information contained in Systems Operations Data in certain cases, or otherwise exercise their choices with regard to their personal information by filling out an inquiry form."[16] Consult with a representative to learn more.
14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?
Yes, Oracle Cloud Infrastructure will sign a business associate agreement.[17] Consult their blog post or a representative for more details on their approach to HIPAA compliance.
15. What happens to our data should the contract expire or be terminated?
From the Oracle Cloud Hosting and Delivery Policies[18]:
For a period of 60 days upon termination of the Oracle Cloud Services, Oracle will make available, via secure protocols and in a structured, machine-readable format, Your Content residing in the production Cloud Services environment, or keep the service system accessible, for the purpose of data retrieval by You.
16. What happens to our data should you go out of business or suffer a catastrophic event?
It's not publicly clear how Oracle Cloud Infrastructure would handle your data should they go out of business; consult with a representative about this topic. As for catastrophic events, Oracles uses "fault domains" for ensuring data availability and redundancy. Those regions with availability domains typically have three fault domains. "Fault domains enable you to distribute your resources so that they don't depend on the same physical hardware within a single availability domain. As a result, hardware failures or maintenance events that affect one fault domain do not affect the resources in other fault domains."[9] It's highly unlikely that all three fault domains would be affected in a catastrophic event. However, if this is a concern, discuss further data redundancy with an Oracle Cloud Infrastructure representative.
17. Can we use your interface to extract our data when we want, and in what format will it be?
From question 15, we found that data can be extracted "via secure protocols and in a structured, machine-readable format." Verify with a representative the finer details, including when such extractions of files, database dumps, whole disks, backups, etc. may occur.
18. Are your support services native or outsourced/offshored?
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an Oracle Cloud Infrastructure representative.
Managed security services
Oracle doesn't appear to explicitly advertise "managed security services." Oracle does, however, offer some managed services through its Oracle Advanced Customer Services offering.[19] Under its "Security Support" section, Oracle addresses cybersecurity, identity management, and database security.[20] Per its cybersecurity brochure, it appears they provide[21]:
- vulnerability and threat prevention
- data security and protection
- identity and access management
- regulatory security compliance services
Additional information
Documentation and other media
- Cloud Hosting and Delivery Policies
- Cloud integration guide
- Cloud security portal
- Compliance offering descriptions
- Cybersecurity services brochure
- Disaster recovery documentation
- HIPAA Assessed Regions and Services
- Infrastructure security guide
External links
- Oracle Advanced Customer Services
- Oracle Cloud Infrastructure architecture framework or description
- Oracle Cloud Infrastructure shared responsibility model
- Oracle Cloud Infrastructure trust center
References
- ↑ Novet, J. (16 June 2020). "Oracle slides on revenue decline". CNBC. https://www.cnbc.com/2020/06/16/oracle-orcl-earnings-q4-2020.html. Retrieved 28 April 2021.
- ↑ 2.0 2.1 "Oracle Cloud Regions—Data Centers Reimagined". Oracle. https://www.oracle.com/cloud/architecture-and-regions/. Retrieved 28 April 2021.
- ↑ "Oracle for Research". Oracle. https://www.oracle.com/oracle-for-research/. Retrieved 18 April 2021.
- ↑ "Oracle for Research - Case Studies". Oracle. https://www.oracle.com/oracle-for-research/case-studies.html. Retrieved 18 April 2021.
- ↑ Munoz-Willery, I. (15 September 2017). "Agilab LIMS Solutions moves to Oracle Cloud". Paperless Lab Academy. https://www.paperlesslabacademy.com/2017/09/15/agilab-moves-to-oracle-cloud/. Retrieved 18 April 2021.
- ↑ "OPTIMIZA’s AccuLab: Powered By Oracle, Now Available in Oracle Cloud Marketplace". OPTIMIZA. 15 July 2019. https://optimiza.me/acculab-oracle-cloud-marketplace/. Retrieved 18 April 2021.
- ↑ "Lab Diagnostics Industry Solution for Oracle Cloud". Triniti. https://www.triniti.com/lab-diagnostics-industry-solution-oracle-cloud. Retrieved 18 April 2021.
- ↑ "Integrate and Automate Business Processes" (PDF). Oracle. 2020. https://www.oracle.com/a/ocom/docs/cloud-essentials-integration-3885458.pdf. Retrieved 18 April 2021.
- ↑ 9.0 9.1 "Learn About the Disaster Recovery Capabilities of Oracle Cloud". Oracle Help Center. Oracle. https://docs.oracle.com/en/solutions/design-dr/learn-dr-building-blocks-oracle-cloud1.html. Retrieved 18 April 2021.
- ↑ "Using In-transit Encryption". Oracle Cloud Infrastructure Documentation. Oracle. https://docs.oracle.com/en-us/iaas/Content/File/Tasks/intransitencryption.htm. Retrieved 18 April 2021.
- ↑ 11.0 11.1 "Security Services and Features". Oracle Cloud Infrastructure Documentation. Oracle. https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/security_features.htm. Retrieved 18 April 2021.
- ↑ "Oracle Cloud Security Testing Policy". Oracle Help Center. Oracle. https://docs.oracle.com/en/cloud/get-started/subscriptions-cloud/mmocs/oracle-cloud-security-testing-policy.html. Retrieved 18 April 2021.
- ↑ Cross, D.B. (7 January 2020). "Why Red Team Rule the Cloud!". Oracle Cloud Security Blog. https://blogs.oracle.com/cloudsecurity/post/why-red-teams-rule-the-cloud. Retrieved 18 April 2021.
- ↑ "System and Organization Controls (SOC 3) Report". Oracle. 2020. https://www.oracle.com/a/ocom/docs/oci-soc-3-report.pdf. Retrieved 18 April 2021.
- ↑ "Security Principles for Network Communications". Oracle. https://www.oracle.com/corporate/security-practices/corporate/network-communications-security.html. Retrieved 18 April 2021.
- ↑ 16.0 16.1 16.2 "Privacy @ Oracle: Oracle Services Privacy Policy". Oracle. https://www.oracle.com/legal/privacy/services-privacy-policy.html. Retrieved 18 April 2021.
- ↑ Karabulut, Y. (30 May 2018). "Oracle Announces HIPAA Attestation for Oracle Cloud Infrastructure". Oracle Cloud Infrastructure Blog. Oracle. https://blogs.oracle.com/cloud-infrastructure/oracle-announces-hipaa-attestation-for-oracle-cloud-infrastructure. Retrieved 18 April 2021.
- ↑ "Oracle Cloud Hosting and Delivery Policies" (PDF). Oracle. December 2020. https://www.oracle.com/assets/ocloud-hosting-delivery-policies-3089853.pdf. Retrieved 18 April 2021.
- ↑ "Oracle Advanced Customer Services". Oracle. https://www.oracle.com/support/advanced-customer-services/services/. Retrieved 27 May 2021.
- ↑ "Solutions for Enhanced Security". Oracle. https://www.oracle.com/support/advanced-customer-services/solutions/security.html. Retrieved 27 May 2021.
- ↑ "Reinforce Your Cybersecurity" (PDF). Oracle. 2020. https://www.oracle.com/a/ocom/docs/support/advanced-customer-support/managed-security-services-brief.pdf. Retrieved 27 May 2021.