Security - Support Documentation
Executive Summary
Security is a multi-faceted issue that requires comprehensive attention across all aspects of software development, deployment, and operations. We build secure software through a rigorous set of formal, continuously evolving security standards and practices that encompass every phase of the product development lifecycle.
To address SaaS security effectively, we have defined and categorized the many aspects of security into distinct domains that work together to create a robust security posture. This document outlines our comprehensive approach to SaaS security across the following categories:
- Secure Product Engineering
- Secure Deployment
- Secure Management
- Assessment and Audit
- Data Protection and Privacy
- Incident Response and Recovery
1. Secure Product Engineering
Security Development Lifecycle Implementation
Our application development follows a rigorous Security Development Lifecycle (SDL) that integrates security considerations at every phase of the software development process. All development teams are required to complete security training and follow our secure coding standards before contributing to production systems.
Development Security Controls
- OSCS scans all third-party dependencies for known vulnerabilities
Application Security Architecture
Our application architecture implements defense-in-depth security controls across all layers of the technology stack.
Security Architecture Components
- Web Application Firewall (WAF) filters malicious traffic before it reaches our application servers
- API Gateway enforces authentication, authorization, and rate limiting for all API endpoints (APEX traffic comes through the gateway as well)
- Application servers run with minimal privileges and are hardened according to security baselines
- OCI Vault is used to store credentials and tokens
Security Coding Standards
All code developed for our application adheres to established secure coding standards based on OWASP guidelines and industry best practices.
Coding Security Requirements
- External data sources are accessed using managed credentials
- Authentication mechanisms use industry-standard protocols (AuthN, AuthZ)
- Session management implements secure session tokens with appropriate timeout values
2. Secure Deployment
Infrastructure Security Implementation
Our deployment infrastructure operates on a zero-trust security model with multiple layers of protection. All infrastructure components are deployed using Infrastructure as Code (IaC) templates that incorporate security best practices and undergo security review before deployment.
Infrastructure Security Controls
- Bastion hosts provide secure administrative access with session recording and monitoring
Container and Orchestration Security
Pipeline Security Controls
Our CI/CD pipeline incorporates security controls at every stage to ensure that only secure, tested code reaches production environments.
Pipeline Security Controls
- Source code repository access controlled with multi-factor authentication and branch protection
- Build environments are isolated and ephemeral with no persistent sensitive data
- Security scanning integrated into build process with automated failure on critical vulnerabilities
- Deployment automation uses service accounts with minimal required privileges
- Infrastructure changes require approval through the change management process
- Post-deployment verification includes security configuration validation and smoke testing
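The dependency scanning control under "Development Security Controls" and the "automated failure on critical vulnerabilities" control above both come down to one pipeline step: read the scanner's findings and fail the build when anything at or above the agreed severity is present. The following is an added illustration of such a gate, not the page's own tooling. The page names OSCS but does not document its report format, so the JSON shape, package names and advisory identifiers below are constructed placeholders; the allowlist parameter is an assumption representing an accepted-risk exception recorded through change management.

```python
"""Constructed example of a CI build gate that fails the build when a
dependency scan reports blocking findings. Added illustration; the report
format is a made-up, simplified JSON shape, not a real scanner's output."""
import json
import sys
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Severity ranking, highest first; "critical" is the gate's default threshold.
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    severity: str


def parse_report(report_json: str) -> List[Finding]:
    """Parse the constructed scan report. An unknown severity is treated as
    'critical' so that a malformed report cannot silently pass the gate."""
    data = json.loads(report_json)
    findings = []
    for item in data.get("findings", []):
        sev = str(item.get("severity", "")).lower()
        if sev not in SEVERITY_ORDER:
            sev = "critical"
        findings.append(Finding(
            package=item["package"],
            version=item["version"],
            advisory=item.get("advisory", "UNKNOWN"),
            severity=sev,
        ))
    return findings


def gate(findings: List[Finding], fail_at: str = "critical",
         allowlist: FrozenSet[str] = frozenset()) -> Tuple[bool, List[Finding]]:
    """Return (passed, blocking_findings). A finding blocks the build when its
    severity is at or above fail_at, unless its advisory id is allowlisted
    (an accepted-risk exception; hypothetical mechanism, not the page's)."""
    threshold = SEVERITY_ORDER.index(fail_at)
    blocking = [f for f in findings
                if SEVERITY_ORDER.index(f.severity) <= threshold
                and f.advisory not in allowlist]
    return (len(blocking) == 0, blocking)


# Constructed sample report; package names and advisory ids are placeholders.
SAMPLE_REPORT = json.dumps({"findings": [
    {"package": "example-lib", "version": "1.2.3",
     "advisory": "ADV-PLACEHOLDER-1", "severity": "critical"},
    {"package": "other-lib", "version": "0.9.0",
     "advisory": "ADV-PLACEHOLDER-2", "severity": "medium"},
    {"package": "third-lib", "version": "2.0.0",
     "advisory": "ADV-PLACEHOLDER-3", "severity": "not-a-level"},
]})


def run_gate(report_json: str = SAMPLE_REPORT, fail_at: str = "critical",
             allowlist: FrozenSet[str] = frozenset()) -> bool:
    """Print each blocking finding and return True only if the build may proceed."""
    passed, blocking = gate(parse_report(report_json), fail_at, allowlist)
    for f in blocking:
        print(f"BLOCK {f.severity:<8} {f.package}=={f.version} ({f.advisory})")
    return passed


if __name__ == "__main__":
    # Non-zero exit status is what makes the CI stage fail.
    sys.exit(0 if run_gate() else 1)
```

The gate fails closed on unrecognised severities and keeps exceptions explicit by advisory id, so a waiver never silences an entire package; the threshold can be lowered (for example to "high") as the programme matures without changing the code.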
3. Secure Management
Standard Operating Procedures (SOPs)
Our application manages SaaS services based on a well-documented set of security-focused Standard Operating Procedures (SOPs). The SOPs provide direction and describe activities and tasks undertaken by Oracle’s personnel when delivering services to customers. SOPs are managed centrally and are available to authorized personnel through Oracle’s intranet on a need-to-know basis.
All SOPs undergo regular review and updates to ensure they remain current with evolving security requirements and industry best practices. Personnel are required to complete training on relevant SOPs and acknowledge their understanding before being granted access to systems or data.
Security Information and Event Management (SIEM)
All network devices, servers, operating systems, applications and databases underlying our product are configured to maintain comprehensive auditing and logging. All logs are forwarded to a Security Information and Event Management (SIEM) system. The SIEM is managed by the Security Engineering team and is monitored 24/7 by our Security Operations team.
The SIEM is configured to alert the Security Operations team regarding any conditions deemed to be potentially suspicious, for further investigation. Access given to review logs is restricted to a subset of security administrators and security operations personnel only. Log retention policies ensure that security-relevant logs are maintained for a minimum of one year, with critical security logs retained for up to seven years to support forensic investigations and compliance requirements.
Identity and Access Management (IAM) Implementation
Our comprehensive identity and access management program ensures secure authentication and authorization across all systems and applications. IAM controls are implemented at multiple layers to provide defense-in-depth protection.
IAM Components
- Centralized identity provider with single sign-on (SSO) capabilities across all applications
- Role-based access control (RBAC) with predefined roles mapped to job functions and business requirements
- Attribute-based access control (ABAC) for fine-grained access decisions based on user attributes, resource properties, and environmental conditions
- Privileged access management (PAM) system with session recording, approval workflows, and just-in-time access provisioning
Data Classification and Compliance Implementation
Our development information follows the Oracle standard security protocols.
Data Classification Framework
- Public Data: Information intended for public consumption with no access restrictions
- Internal Data: Information for internal use only with basic access controls and employee confidentiality requirements
- Confidential Data: Sensitive business information requiring enhanced protection and restricted access controls
- Restricted Data: Highly sensitive information including personal data, financial information, and trade secrets requiring maximum security controls
Compliance Data Handling
- Data Design - The Oracle agriculture security application minimizes the storage of personal data. Where personal data exists in a system, Data Minimization, Right to Access, and Right to Forget processes exist to support data privacy standards.
- Storage - The Oracle agriculture security application uses encryption for database storage (data is stored outside of the DB).
- Transit - All data is encrypted in transit; the Oracle agriculture security application uses TLS for secure transport of data, as documented in Oracle’s Cloud Hosting and Delivery Policies.
Link to Oracle Cloud Hosting and Delivery Policies
Physical Security Implementation
Our physical security program protects facilities, equipment, and personnel through comprehensive physical and environmental controls. All facilities housing critical systems implement multiple layers of physical protection.
Governance controls are in place to minimize the resources that are able to access systems. Physical security safeguards are further detailed in Oracle’s Cloud Hosting and Delivery Policies.
Link to Oracle Cloud Hosting and Delivery Policies
4. Assessment and Audit
Oracle Cloud meets all ISO/IEC 27002 Codes of Practice for Information Security Controls. Third Party Audit Reports and letters of compliance for Oracle Cloud Services are periodically published.
5. Data Protection and Privacy
Data Protection Implementation
Our data protection program implements comprehensive technical and organizational measures to protect personal data throughout its lifecycle. All personal data processing activities are documented and assessed for privacy impact.
Data Protection Controls
- Data minimization ensures we collect only data necessary for legitimate business purposes
- Purpose limitation restricts data use to the original collection purpose unless consent is obtained
- Automated data discovery tools identify and classify personal data across all systems
- Data subject rights management system processes requests for access, rectification, and deletion
- Privacy impact assessments (PIAs) conducted for all new data processing activities
- Consent management platform provides granular control over data processing permissions
- Data retention policies automatically purge personal data after defined retention periods
- Cross-border data transfer mechanisms include Standard Contractual Clauses and adequacy decisions
Encryption and Key Management Implementation
All sensitive data is protected using industry-standard encryption algorithms with centralized key management and regular key rotation procedures.
Privacy Rights Management
Our privacy program provides customers and data subjects with comprehensive rights management capabilities in compliance with global privacy regulations.
Privacy Rights Implementation:
- Subject Access Request (SAR) portal allows individuals to request copies of their personal data
- Right to rectification allows customers to correct inaccurate personal data
- Right to erasure with automated data deletion across all systems
- Right to restrict processing with granular consent management controls
6. Incident Response and Recovery
Service Recovery Metrics
The following recovery objectives have been established to ensure business continuity and minimize service disruption during adverse events.
Recovery Time Objective (RTO): 24 Hours
- Maximum acceptable time to restore full service functionality following a disaster or significant incident
- Encompasses the complete restoration timeline from incident detection through full operational recovery
- Includes time for incident assessment, failover procedures, system validation, and service restoration
Recovery Point Objective (RPO): 1 Hour
- Maximum acceptable data loss window in the event of a disaster or system failure
- Defines the most recent point in time to which data must be recoverable without loss
- Ensures critical business data remains protected with minimal exposure to loss
Target Service Availability: 99.5%
- Expected uptime percentage for the Oracle Cloud Service over a monthly period
- Translates to approximately 3.6 hours of acceptable downtime per month (43.2 hours annually)
- Encompasses both planned maintenance windows and unplanned service interruptions
- Measured against total service availability excluding scheduled maintenance notifications
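The three metrics above measure different things: RPO is the age of the last recoverable copy at the moment of failure, RTO is the elapsed time from detection to full restoration, and the availability target is a monthly downtime budget that every outage draws from. The following is an added illustration of checking one incident record against these objectives; it is not the page's own tooling, and the incident timestamps and the 720-hour month are constructed values.

```python
"""Constructed example: evaluating an outage against the recovery objectives
stated above (RTO 24 h, RPO 1 h, 99.5% monthly availability). Added
illustration, not the page's own tooling; the timestamps are made up."""
from datetime import datetime, timedelta, timezone
from typing import Dict

RTO = timedelta(hours=24)
RPO = timedelta(hours=1)
AVAILABILITY_TARGET_PCT = 99.5  # per month, as stated on the page


def rpo_met(last_good_backup: datetime, failure_at: datetime) -> bool:
    """RPO: data written after the last recoverable point is lost, so the
    objective holds when the backup is no older than RPO at failure time."""
    gap = failure_at - last_good_backup
    return timedelta(0) <= gap <= RPO


def rto_met(detected_at: datetime, restored_at: datetime) -> bool:
    """RTO: detection to full operational recovery, including assessment,
    failover, validation and service restoration."""
    elapsed = restored_at - detected_at
    return timedelta(0) <= elapsed <= RTO


def downtime_budget_hours(hours_in_period: float,
                          target_pct: float = AVAILABILITY_TARGET_PCT) -> float:
    """Allowed downtime for the period at the target availability.
    Multiplying before dividing keeps 720 h at 99.5% at exactly 3.6 h."""
    return hours_in_period * (100.0 - target_pct) / 100.0


def availability_met(downtime_hours: float, hours_in_period: float,
                     target_pct: float = AVAILABILITY_TARGET_PCT) -> bool:
    """True when cumulative downtime for the period stays within budget."""
    return downtime_hours <= downtime_budget_hours(hours_in_period, target_pct)


# Constructed incident record (UTC); not a real event.
UTC = timezone.utc
INCIDENT = {
    "last_good_backup": datetime(2024, 1, 10, 3, 15, tzinfo=UTC),
    "failure_at":       datetime(2024, 1, 10, 3, 50, tzinfo=UTC),
    "detected_at":      datetime(2024, 1, 10, 4, 0, tzinfo=UTC),
    "restored_at":      datetime(2024, 1, 10, 22, 30, tzinfo=UTC),
}


def evaluate(incident: Dict[str, datetime] = INCIDENT,
             hours_in_month: float = 720.0) -> Dict[str, object]:
    """Evaluate RPO, RTO and the monthly availability budget for one incident,
    assuming it is the only downtime in the month."""
    outage_hours = (incident["restored_at"] - incident["detected_at"]).total_seconds() / 3600
    return {
        "rpo_met": rpo_met(incident["last_good_backup"], incident["failure_at"]),
        "rto_met": rto_met(incident["detected_at"], incident["restored_at"]),
        "outage_hours": outage_hours,
        "budget_hours": downtime_budget_hours(hours_in_month),
        "availability_met": availability_met(outage_hours, hours_in_month),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key:17} {value}")
```

With the constructed record the backup is 35 minutes old at failure (RPO met) and restoration takes 18.5 hours (RTO met), yet the single outage already exceeds the 3.6-hour monthly budget. That is the practical point of tracking all three: an incident can satisfy both recovery objectives and still breach the availability target, so the objectives bound worst-case loss and recovery time while the target constrains how often and how long outages may occur.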
Oracle Cloud Policies and Pillar Documentation
Your order for this Oracle Cloud Service is subject to the Oracle Cloud Hosting and Delivery Policies and Oracle Industries Cloud Service Pillar Document, which may be viewed at the following link.
Oracle Cloud Service Contracts