Understanding EPM Cloud Security Compliance Features

Oracle employs a multi-faceted approach to ensure Oracle Enterprise Performance Management Cloud security and to protect the confidentiality, integrity, and availability of data.

In addition to physical security of data centers, Oracle has implemented the following security compliance features. These features help you satisfy the security compliance requirements of your organization.

Transport Layer Security (TLS) 1.2 for Communication

To satisfy the requirement of encrypted data communication, EPM Cloud uses TLS 1.2 with SHA-2/SHA-256 Cryptographic Hash Algorithm to secure communication with browsers, Oracle Smart View for Office, and EPM Automate. All EPM Cloud sessions are encrypted. Session information stored in cookies is encrypted and the session ID is randomly generated to ensure security.

For detailed information, see Understanding Encryption Levels and Session Timeout for detailed information on encryption level and session management.

Data Encryption Using Transparent Data Encryption

To satisfy the requirement of encryption of data-at-rest, EPM Cloud uses Transparent Data Encryption (TDE) to encrypt all data at the tablespace level. Each tablspace has its own encryption key.

Encryption keys are encrypted using a master key and stored in an Oracle Wallet for additional security.

Password Encryption for Secure EPM Automate Access

You can mandate the use of an encrypted password file to satisfy the requirement of avoiding the use of plain text sensitive information while signing into EPM Automate. The data that can be encrypted include the EPM Cloud password (not the SSO password) and proxy server password. You use the encrypt EPM Automate command to create a file that stores the encrypted password.

Data Masking in Snapshots

These EPM Cloud business processes support the masking of data in snapshots to ensure data privacy when submitting snapshots to Oracle for troubleshooting purposes. This feature randomizes current application data, rendering it meaningless.

  • Planning (including Planning Modules)
  • Financial Consolidation and Close
  • Tax Reporting
  • Oracle Strategic Workforce Planning Cloud
  • Oracle Sales Planning Cloud
You use the maskData EPM Automate command to mask data in test environments. After creating the snapshot, you must restore the data from a backup or the daily maintenance snapshot. Masking data helps you satisfy the requirement of not allowing your data to be visible to any other organization (in this case, Oracle).

Data Isolation

Oracle uses a dedicated virtual machine and a dedicated database schema for each customer to ensure that there is no mingling of data. This helps you satisfy data isolation requirements.

Externalized Authentication (Single Sign-On)

You can configure SSO to enable a SAML 2.0 compliant identity provider authenticate users against EPM Cloud environments.

Configuring SSO helps you satisfy the requirement to ensure that users are no longer able to sign in to EPM Cloud after they leave the organization. Because users use the same SSO credentials that they use to access the network resources of their organization to sign into EPM Cloud and then seamlessly access other cloud environments configured using the same identity provider, the process of removing access to EPM Cloud is completed as soon as you remove access to your network environment.

Communication between Oracle Access Manager, the default EPM Cloud service provider, and your SAML 2.0 identity provider is secured using the MD5 algorithm.

For detailed information on configuring SSO, see Configuring Single Sign-On.

Use of APIs and Commands to Manage Access to EPM Cloud

If EPM Cloud is not configured for SSO, you can satisfy the requirement to ensure that only authorized users can sign in to EPM Cloud environments by using REST APIs and EPM Automate commands to add users and assign them to predefined and application roles, and add them to groups. Use of EPM Automate commands and REST APIs to administer users, groups, and role assignments are simple but secure operations that help ensure that only authorized users have access to EPM Cloud environments.

For information on using EPM Automate commands and REST APIs, see these information sources:
  • Working with EPM Automate for Oracle Enterprise Performance Management Cloud
  • REST API for Oracle Enterprise Performance Management Cloud

Role-Based Access Control For End Users

Access to EPM Cloud business processes is strictly controlled through the use of predefined roles. These roles determine the functional access each user has within a business process. For detailed information on predefined roles, see Understanding Predefined Roles.

Additionally, Service Administrators can use Access Control to create groups comprising identity domain users or other groups. Assigning roles to such groups enables Service Administrators to grant roles to many users at once, thereby reducing administrative overheads. Assigning roles at the application-level can only enhance the access rights of users; none of the privileges granted by a predefined role can be curtailed by roles assigned at the application-level. This satisfies your role-based access control (RBAC) requirements.

For more information on Access Control, see "Overview of Access Control" in Administering Access Control for Oracle Enterprise Performance Management Cloud

Network Restricted Access

To satisfy the requirement of not allowing unauthorized access to your data, you can configure an allowlist or a blocklist to control access to EPM Cloud environments by the Internet Protocol (IP) addresses belonging to your network. An allowlist contains rules that define users from which source IP addresses can access an environment while a blocklist contains rules that exclude users from specific source IP addresses from connecting to an environment.

You use the Service Details screen of My Services to create allowlist or blocklist rules to regulate how users access an environment. See Setting up Network Restricted Access.

For detailed configuration steps, see "Managing Internet Protocol Allowlist and Blocklist Rules" in Managing and Monitoring Oracle Cloud.

Bring Your Own Key Functionality for Database Access

You use the setEncryptionKey EPM Automate command to specify a custom encryption key for accessing the data in the database. Using the setEncryptionKey command provides you a bring your own key solution that will include EPM Cloud in your standard key management and satisfies the requirement of using your own key management.

Control Manual Database Access

By default, Oracle is permitted to manually access the database of an environment in emergency situations when an environment is unresponsive and customer has not yet provided a service request to investigate and make the environment available.

You can prevent such manual database access by revoking manual data access using the setManualDataAccess EPM Automate command. If this access is revoked, Oracle cannot execute SQL commands against the tablespace under any circumstance without your explicit permission (allowing manual access) using the setManualDataAccess EPM Automate command. This helps you satisfy the requirement of not allowing unauthorized access to your data.

Monitor Manual Database Access

You can satisfy the requirement of monitoring access to your database by analyzing the Manual SQL Execution table in the Activity Report. This report identifies the SQL statements that were executed against the database and indicates why each statement was run.

Access Log for Information on Each Access to the Environment

To satisfy the requirement of monitoring every access to your environment, EPM Cloud automatically creates and maintains an Access Log, which contains information on users who logs into the environment directly or by using tools such as EPM Automate. Monitoring the Access Logs helps Service Administrators understand application usage by each active user. See these topics:

User Login Report for Security Audit

To satisfy the requirement of monitoring every user that has accessed the environment, you can review the User Login report to monitor EPM Cloud usage by each authorized user. This report contains information on the users who signed into the environment over the last 24 hours. It lists the IP address of the computer from which the user logged in and the date and time (UTC) at which the user accessed the environment.

You can regenerate this report for a custom date range or for the last 30 days, last 90 days, and last 120 days. You can also filter the report to view only the information of specific users by using a partial string of the users' first name, last name or userID as the search string.

For detailed steps to create the User Login report, see "Viewing the User Login Report" in Administering Access Control for Oracle Enterprise Performance Management Cloud.

Activity Report to Monitor Application Performance

To satisfy the requirement of application monitoring,EPM Cloud automatically creates and stores a daily Activity Report, which shows the performance of an environment from the application point of view. For detailed information, see these topics:

Oracle Software Security Assurance (OSSA)

From a security evaluation perspective, Oracle is committed to international standards such as FIPS, a cryptographic module validation scheme, and ISO standards. Oracle’s Global Product Security promotes and monitors the adoption of Oracle Software Security Assurance (OSSA) policies and practices. These include Oracle Secure Coding Standards (SCS), Critical Patch Update (CPU) and Security Alert programs. These programs satisfy your security compliance requirements related to secure coding, security patches, and so on.

Oracle's Monitoring of Environments Using Realtime Dashboards and Alerts

To satisfy the requirement of continuous monitoring, Oracle monitors all EPM Cloud environments in real-time and send appropriate alerts to Oracle Operations and Development teams. Oracle utilizes various dashboards to monitor the health of the environments and to provide visual alerts. Oracle Operations and Development teams work around the clock to rectify the alerts, ensuring that your environments are operating as designed and are secure.

Threat and Vulnerability Management

To satisfy the requirement of threat and vulnerability management, Oracle uses QualysGuard from Qualys to discover and scan EPM Cloud IT infrastructure and applications for security vulnerabilities and malware. QualysGuard delivers security intelligence data that aids with Oracle's security compliance processes.

Use of QualysGuard ensure that internet-facing servers, websites, and web applications are up to date and securely configured against malicious attacks. It also helps ensure that no uploaded malware exists in blogs and forum pages, and that web forms do not include potential hacking risks.

Secure Access to Cloud Environments by Oracle

Oracle needs to access your environments to troubleshoot issues. This access is highly secure and regulated. Only a select group of Oracle employees, who have gone through special training related to the handling of customer environments, are allowed to access EPM Cloud environments. Such access use multi-factor authentication; each access is audited.

Automatic Security Patching

Oracle issues security alerts and fixes all identified critical security concerns as soon as they are identified. Non-critical EPM Cloud issues are fixed through the monthly update to the environment. Automatic security patching helps you satisfy the requirement of applying current security patches.

Periodic Penetration Testing and Ethical Hacking to Identify and Fix Vulnerabilities

Oracle employs third party security teams to perform periodic penetration testing. Oracle also employs a dedicated team of ethical hackers who engage in the in-depth hacking of the Oracle code base. These tests ensure that there are no vulnerabilities. Any vulnerability found is immediately reported to the Development team and rectified. Oracle makes the security testing reports available to you. Penetration testing and ethical hacking are designed to satisfy your requirement of security penetration testing and reports.

External Security Reviews

Oracle engages third parties to independently conduct security reviews of EPM Cloud and create security reports, for example, SOC 1 reports (based on Statement on Standards for Attestation Engagements (SSAE) No 18), SOC 2 reports, and other independent third party reports to review the effectiveness of administrative and technical controls. These reports are available to you to satisfy your compliance requirements.

Daily Backups and Their Retention

EPM Cloud environments require a mandatory one hour window for operational maintenance. During the maintenance process, Oracle backs up the content of the environment to create a maintenance snapshot, named Artifact Snapshot, of existing artifacts and data.

The maintenance snapshot can be used to recover artifacts and data and to restore the environment to the state it was in during the last operational maintenance. For detailed information on the maintenance snapshot and retention policy, see Overview of the Maintenance Snapshot. This satisfies your backup and archive requirements.

Disaster Recovery Support

To satisfy the requirement of disaster recovery, EPM Cloud provides self-service options to restore your environments to a working state, thereby achieving near immediate Recovery Time Objective. To learn more about the self-service option of automatically keeping your Disaster Recovery environments up to date, refer to "Replicating an EPM Cloud Environment" in Working with EPM Automate for Oracle Enterprise Performance Management Cloud.

24X7 Support

To satisfy the requirement of continuous monitoring, Oracle Cloud Operations specialists monitor and support all key aspects of EPM Cloud including applications, middleware, database, and infrastructure. All cloud operations are performed by Oracle badged employees without any involvement by third parties.

Alerts are monitored 24x7 across the globe. The Oracle Operations team is dedicated to handling maintenance activities and unplanned outages and incidents and providing accurate, and timely information to internal and external stakeholders around outages and incidents. Oracle employs a tiered structure for issue resolution. Based on the complexity of the issue, experts from all over the world are within a moment's reach for timely resolution.

Within Oracle Cloud Operations, a dedicated team of hundreds of specialists handle security operations. The activities of this team include building internal tools to maintain and enhance the existing architecture, ensuring compliance with the most recent frameworks such as GDPR, policy enforcement (for example, disaster recovery testing), and design and development of the security practices (for example, system hardening procedures).

EPM Cloud for the United States Government

To satisfy the stringent requirements of US public sector, Oracle has established isolated FedRAMP ready EPM Cloud environments strictly for United States public sector customers such as local, state and federal agencies, colleges and universities, national laboratories, and government contractors. These environments provide advanced data security controls that aligns with NIST 800-37(Guide for Applying the Risk Management Framework to Federal Information Systems) and FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) as mandated by the Federal Information Security Management Act. These standards ensure greater data privacy and protection.

For public sector customers, data is processed and stored in the US. All activities are handled by US Citizens.

EPM Cloud for the United Kingdom Government

To satisfy the stringent requirements of UK public sector, Oracle has established isolated and highly secure EPM Cloud environments strictly for United Kingdom public sector customers such as local, state and federal agencies, colleges and universities, national laboratories, and government contractors. For these customers, data is processed and stored in the UK. Access it restricted to UK citizens residing in the UK.

Instances dedicated for the use of UK public sector have Cyber Essentials Plus Certification; they align with ISO 27001 and Cloud Security Principles. Oracle provides support by a UK Cloud Operations public sector compliance analyst to assist with initial assessment against the Supplier Assurance Framework and Cloud Security Principles.