Oracle Break Glass for Fusion Cloud Service
With Oracle Break Glass for Fusion Cloud Service, Oracle personnel must obtain explicit approval from you for temporary access to your content residing in the Fusion database for one-off, service-related activities such as support and troubleshooting.
The approval requests are made through a workflow that involves approvers defined by you. Once approved, your approval gives Oracle access to passwords for the Fusion database stored in a secured escrow account for a limited time.
In addition to such managed access, Oracle Break Glass allows you to control the master encryption key of Oracle’s Transparent Data Encryption (TDE) which encrypts data in the Fusion database. Oracle requires use of the TDE master key to operate the Fusion database, but only retains a copy of the latest key provided by you. By revoking or resetting the TDE master key, you can shut down the Fusion database and prevent anyone, including Oracle, from accessing your content residing in such Fusion database.
Oracle Break Glass for Fusion Cloud Service consists of the provisioning of the following services:
- Oracle Database Vault
- Oracle Break Glass
Oracle Database Vault Introduction
Oracle Database Vault for Fusion Cloud Service is intended to provide additional controls of Oracle Fusion Cloud Services by protecting your content from being accessed by Oracle users and controlling sensitive operations inside Oracle Fusion Cloud using multi-factor authorization.
When enabled, Oracle Database Vault for Fusion Cloud Service:
- Forms realms which act like firewalls inside Oracle Fusion Cloud
- Restricts the DBA and other Oracle users from accessing Your Content residing in the Oracle Fusion Cloud Service database
- Creates strong controls over when and where Your Content in the Oracle Fusion Cloud Service database can be accessed
- Protects the Oracle Database Vault for Fusion Cloud Service from unauthorized changes
Oracle Break Glass Introduction
Oracle Break Glass for Fusion Cloud Service provides additional control in two ways. First, Oracle Break Glass Managed Access for Fusion Cloud Service enables you to restrict and control Oracle's access to your content stored in the Fusion database. By use of Oracle Break Glass for Fusion Cloud Service, you control access to passwords required for data level access to the Fusion database, thereby limiting access by Oracle personnel to your content residing within the Fusion database. Your passwords are stored in a secured escrow account not accessible to Oracle Fusion Cloud Service personnel.
During the Services Period of the Oracle Fusion Cloud Service, Oracle personnel may require access to those services, including data layer access to your content residing within the Fusion database, in order to perform service-related activities, such as maintenance, upgrades, support, and responding to service requests. If Oracle requires data layer access, Oracle will request approval from you through a workflow involving approvers both from Oracle and you. You may approve Oracle’s access to the data level access passwords for a limited time period; the access will be revoked and the passwords changed after the time period defined by you for such data access. Upon your request, Oracle will provide you with a report of such access.
Oracle Break Glass Managed Access for Fusion Cloud Service provides control and management over Oracle’s access requests to your content residing in the Fusion database. There are three entitlement types for Break Glass access requests:
- Support Team Entitlements: These entitlements allow Oracle personnel to triage your service requests logged in My Oracle Support (MOS). These entitlements allow strictly read-only access to your content residing in the Fusion database.
- Database Administrator Entitlements: These entitlements allow Oracle personnel to perform database-related maintenance activities such as patching, upgrading, troubleshooting, and backup restoration.
- Application or Mid-Tier Administrator Entitlements: These entitlements allow Oracle personnel to perform application and middleware tier-related maintenance activities such as patching, upgrading, troubleshooting, and backup restoration.
To ensure that Oracle personnel do not have standing access to your content in the Fusion database, the system resets the password and terminates active sessions after the Support Access Duration (described below) expires. The reset applies not only to the password of the checked-out credential but also to the passwords for all credentials that fall under Break Glass purview.
In addition to managed access, data at rest in the Fusion database is protected using Oracle’s TDE and Database Vault. The Bring Your Own Key (BYOK) feature allows you to control the master encryption key of your Oracle Fusion Cloud Service TDE-enabled database, with the exception of Oracle SaaS at Customer Cloud Service Connected, Oracle SaaS at Customer Cloud Service Disconnected and Oracle SaaS at Customer Cloud Service in Country. By utilizing the Oracle Break Glass for Fusion Cloud Service, you can create a qualified master encryption key to replace a system-generated key for the TDE-enabled Fusion database and you can revoke it or reset it later. Oracle requires use of the TDE master key to operate the Fusion database. If you revoke or reset the TDE master key, the Fusion database will shut down and the services dependent on the database will become inaccessible, and no one, including Oracle, will be able to access encrypted data or perform any operation that requires access to the locked database.
Important Considerations when using Oracle Break Glass for Fusion Cloud Service
If you have imported your keys and key versions, you are responsible for maintaining the history of those keys for a duration that aligns with the Oracle Fusion Cloud Service backup and retention policy. You must provide the correct key version to Oracle when restoring services, database access, or older backups. Failure to provide the correct key may make data backups unrecoverable. If your key is lost, access to the database and all associated data will be permanently lost.
Failure to provide Oracle with the correct key version in a timely manner may adversely affect the Oracle Fusion Cloud Service and related service performance, including target system availability, scheduled maintenance, and response times. Oracle is not responsible for such impacts and is not liable for any related service level credits.
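The key-history responsibility described above can be checked on the customer side with a simple inventory audit. The following is an added example, not Oracle code or an Oracle API: the version labels, dates, and the 120-day retention window are constructed assumptions, and the real retention period must come from the applicable Oracle Fusion Cloud Service backup and retention policy.

```python
from datetime import date, timedelta

def required_key_versions(rotations, retention_days, today):
    """Return the key versions that protected any backup still inside the retention window.

    rotations: list of (version_label, activation_date) for imported TDE master keys.
    """
    ordered = sorted(rotations, key=lambda r: r[1])
    window_start = today - timedelta(days=retention_days)
    needed = []
    for i, (version, _activated) in enumerate(ordered):
        # A version stays in use until its successor is activated; the newest has none.
        superseded_on = ordered[i + 1][1] if i + 1 < len(ordered) else None
        # Conservative boundary: a backup taken on the rotation day may use either version.
        if superseded_on is None or superseded_on >= window_start:
            needed.append(version)
    return needed

def audit_key_history(rotations, held_versions, retention_days, today):
    """Compare the versions still held in escrow with the versions restores may need."""
    needed = required_key_versions(rotations, retention_days, today)
    return {
        "needed": needed,
        # Missing versions mean backups from that period cannot be restored.
        "missing": [v for v in needed if v not in held_versions],
        # Held versions that no retained backup depends on any longer.
        "retirable": sorted(v for v in held_versions if v not in needed),
    }

# Constructed sample data (hypothetical labels and dates, not from the Oracle page).
SAMPLE_ROTATIONS = [
    ("v1", date(2023, 1, 10)),
    ("v2", date(2023, 9, 1)),
    ("v3", date(2024, 3, 15)),
]
SAMPLE_HELD = {"v1", "v3"}      # v2 was not archived
ASSUMED_RETENTION_DAYS = 120    # assumption; use the real policy value

if __name__ == "__main__":
    report = audit_key_history(
        SAMPLE_ROTATIONS, SAMPLE_HELD, ASSUMED_RETENTION_DAYS, date(2024, 6, 1)
    )
    print(report)
```

In the sample, version v2 was superseded inside the retention window but is no longer held, so backups taken while it was active would be unrecoverable.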
When submitting a service request to Oracle for support involving data issues (such as data loading or duplication), you must ensure that the request contains only randomized data and does not include any of your actual content.
After creating your vaults, you must replicate each vault in your production environment to support disaster recovery. This replication step only needs to be performed once. Afterwards, your vault and keys will be synchronized automatically during disaster recovery events.
If you use an external vault through Oracle External Key Management Service (EKMS), replication of your external vault is still required for disaster recovery. Oracle’s cross-region replication for external vaults includes the vault and its key references. However, replicating externally managed keys is your responsibility and is not included in Oracle’s replication process.
With EKMS, you are also responsible for ensuring the availability of your keys. Oracle External KMS is designed so that Oracle never has access to the actual cryptographic key material. If you block or disable a key in your on-premises environment, Oracle cannot use the key reference to decrypt data or perform key management operations. This may result in your Fusion Cloud Service becoming unavailable.