Oracle IaaS and PaaS Security and Compliance


Oracle’s mission is to build cloud infrastructure and platform services on which Oracle customers can run their important workloads with effective and manageable security. Oracle’s cloud security approach is based on seven core pillars. Each pillar has multiple components whose goal is to improve security and compliance with the standards applicable to the platform.

Customer Isolation: Allow customers to deploy their application and data assets in an environment that is based on isolation from other tenants.

Data Encryption: Provide controls that can protect customer data at-rest and in-transit in a way that allows customers to meet their security and compliance requirements with respect to cryptographic algorithms and key management.

Security Controls: Offer customers effective and easy-to-use security management controls that allow them to manage access to their services and segregate operational responsibilities to help reduce risk associated with malicious and accidental user actions.

Visibility: Offer customers comprehensive log data that they can use to audit and monitor actions on their resources, to allow them to meet their audit requirements and help them reduce security and operational risk.

Hybrid Cloud: Enable customers to use their existing security assets, such as user accounts and policies, as well as third-party security solutions when accessing their cloud resources and securing their data and application assets in the cloud.

High Availability: Offer fault-tolerant data centers that enable high availability scale-out architectures and are resilient against network attacks, to provide consistent uptime in the face of disaster and security attack.

Verifiably Secure Infrastructure: Follow rigorous processes and security controls in all phases of cloud service development and operation. Demonstrate adherence to Oracle’s security standards through third-party audits, certifications, and attestations. Help customers demonstrate compliance readiness to internal security and compliance teams, their customers, auditors, and regulators.

Oracle Cloud Infrastructure Security and Compliance

ISO and SOC

Oracle has successfully completed an ISO/IEC 27001:2013 audit and obtained Service Organization Controls (SOC) 1, SOC 2 and SOC 3 reports for Oracle Cloud Infrastructure. These covered the following Oracle Cloud services in the Phoenix (Arizona), Ashburn (Virginia), and Frankfurt (Germany) datacenter regions:

Oracle Cloud Infrastructure
  • Compute
  • Networking
  • Block Volumes
  • Object Storage
  • Governance
  • Load Balancing
  • Database

Additionally, Oracle Cloud Infrastructure Edge Services successfully completed an ISO/IEC 27001:2013 audit and obtained SOC 1, SOC 2 and SOC 3 reports for managed DNS and Email Delivery.

  • Conducted by EY/CertifyPoint BV, Amsterdam, Netherlands, Oracle Cloud Infrastructure’s ISO/IEC 27001:2013 audit provides assurance that Oracle Cloud Infrastructure has designed and implemented an Information Security Management System (ISMS) in accordance with the information security standard ISO 27002:2013 (Information technology – Security techniques – Code of practice for information security management).

  • Conducted by Ernst & Young LLP, San Francisco, California, Oracle Cloud Infrastructure’s SOC 1 Type 2 examination provides assurance that controls relevant to internal control over financial reporting were designed and operating effectively; the SOC 2 Type 2 examination provides assurance that controls relevant to the AICPA Trust Services Security and Availability Principles were designed and operating effectively.

  • Conducted by Ernst & Young LLP, San Francisco, California, Oracle Cloud Infrastructure’s SOC 3 attestation is designed to meet the needs of users who need assurance about the controls relevant to security, availability and confidentiality but do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 attestation.

PCI DSS

Oracle has successfully completed a Payment Card Industry Data Security Standard (PCI DSS) audit and received an Attestation of Compliance (AoC) covering Oracle Cloud Infrastructure services. Because Oracle is a PCI Level 1 Service Provider, customers can now use these services for workloads that store, process or transmit cardholder data.

  • Conducted by the independent third party Schellman & Company, LLC, Oracle Cloud Infrastructure’s AoC demonstrates compliance with all PCI DSS requirements applicable to a Service Provider and enables customers to run payment-card related applications and workloads on Oracle’s PCI compliant Cloud Infrastructure services.

Oracle Cloud Infrastructure services covered in our PCI DSS AoC include:

Oracle Cloud Infrastructure
  • Compute
  • Networking
  • Block Volumes
  • Object Storage
  • Archive Storage
  • File Storage
  • Data Transfer Service
  • Load Balancing
  • FastConnect
  • Governance Services
  • Database
  • Exadata
  • Container Engine for Kubernetes
  • Registry

HIPAA

Oracle has received an attestation for the period 11/01/2017 to 03/31/2018, performed in accordance with the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) 18, AT-C sections 105 and 205, covering controls aligned with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Breach Notification Rule and the applicable parts of the Privacy Rule. Performed by Ernst & Young LLP, our HIPAA attestation provides reasonable assurance that Oracle Cloud Infrastructure has designed and implemented administrative, physical and technical safeguards relevant to the HIPAA Security Rule, Breach Notification Rule and the applicable parts of the Privacy Rule.

The Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of protected health information (PHI). The Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. By law, the Privacy Rule applies only to covered entities (e.g., health plans, health care clearinghouses and certain health care providers). However, parts may be applicable to business associates.

Oracle Cloud Infrastructure is categorized as a “no-view cloud service provider” and can support customers who are in scope for HIPAA by entering into a Business Associate Agreement (BAA). The BAA is required for identifying and establishing the respective responsibilities of Oracle Cloud Infrastructure and the customer for appropriately safeguarding PHI in accordance with HIPAA and any amending legislation.

Oracle Cloud Infrastructure services covered in our HIPAA attestation include:

Oracle Cloud Infrastructure
  • Compute
  • Networking
  • Block Volumes
  • Object Storage
  • Archive Storage
  • File Storage
  • Load Balancing
  • FastConnect
  • Governance Services
  • Database
  • Exadata
  • Data Transfer Service

Learn more about Oracle Cloud Infrastructure Security and Compliance

Oracle Cloud Infrastructure Security White Paper

Oracle Cloud Infrastructure and European Union General Data Protection Regulation (GDPR)

Oracle offers a wide range of security solutions to help customers meet the requirements of the GDPR, including services for administrative access controls, network security controls, logging, and encryption.

Oracle Cloud Infrastructure Classic and PaaS Security and Compliance

ISO 27001:2013

Oracle has achieved ISO/IEC 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS) consumed by all SaaS, PaaS, and OCI Classic services, in all datacenters where these services reside. Additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.

SOC 1 and 2 Reports

Oracle has obtained Service Organization Controls (SOC) 1 and 2 reports for Oracle Cloud Platform (PaaS) and Oracle Cloud Infrastructure Classic. These reports cover the following Oracle Cloud services in Chicago (Illinois), Ashburn (Virginia), and Amsterdam (Netherlands):

Oracle Cloud Infrastructure Classic
  • Compute Classic
  • Dedicated Compute
  • Object Storage Classic

Oracle PaaS
  • API Catalog Cloud
  • Application Builder Cloud
  • Application Container Cloud
  • Big Data Cloud Service - Compute Edition
  • Big Data Preparation
  • Big Data Discovery
  • Business Intelligence Cloud
  • Database Backup Cloud Service
  • Database Cloud Service
  • Data Visualization Cloud
  • Document Cloud
  • Event Hub Cloud
  • Exadata Cloud Service
  • Golden Gate Cloud Service
  • Identity Cloud
  • Integration Cloud
  • Internet of Things Cloud
  • Java Cloud Service
  • Mobile Cloud
  • Process Cloud
  • SOA Suite Cloud and API Manager Cloud
  • WebCenter Portal Cloud
  • SPARC Cloud (Ashburn, Virginia only)

Healthcare

Oracle has successfully completed third-party HIPAA assessments for the following services within both the commercial and US Gov datacenters located in Chicago (Illinois) and Ashburn (Virginia):

Oracle Cloud Infrastructure Classic
  • Archive Storage Classic
  • Block Storage Classic
  • Compute Classic
  • Container Service Classic
  • Object Storage Classic

Oracle PaaS
  • API Platform Cloud
  • Analytics Cloud
  • Big Data Cloud Service - Compute Edition
  • Database Backup Cloud Service
  • Database Cloud Service
  • Event Hub Cloud
  • Exadata Cloud Service
  • Golden Gate Cloud
  • Identity Cloud
  • Internet of Things Cloud - Enterprise
  • Java Cloud Service
  • MySQL Cloud
  • Oracle Data Integrator Cloud
  • SOA Suite Cloud

US Public Sector

Oracle has obtained a third-party assessment of the available service security controls against the technical requirements of the MARS-E, CJIS, IRS-1075, NIST 800-171, and FIPS 140-2 compliance frameworks. The assessments cover the following Oracle Cloud services in the US Gov Chicago (Illinois) and US Gov Ashburn (Virginia) datacenter regions:

Oracle Cloud Infrastructure Classic
  • Compute Classic
  • Object Storage Classic

Oracle PaaS
  • Big Data Cloud Service - Compute Edition
  • Database Backup Cloud Service
  • Database Cloud Service
  • Exadata Cloud Service
  • Golden Gate Cloud Service
  • Java Cloud Service

Learn more about Oracle Cloud Infrastructure Classic Security

Oracle Cloud Infrastructure Classic and Platform Cloud Services Security

Oracle Cloud at Customer Security and Compliance

Oracle has successfully completed an ISO/IEC 27001:2013 audit for Oracle Cloud at Customer and Exadata Cloud at Customer, has obtained the corresponding ISO/IEC 27001:2013 certificate, and has obtained Service Organization Controls (SOC) 1 reports for both services.

Oracle Cloud at Customer and Exadata Cloud at Customer can support customers who are in scope for the Health Insurance Portability and Accountability Act (HIPAA) if they enter into a Business Associate Agreement (BAA).
