2 OPERA Cloud Distribution SaaS Security

Security is a multi-faceted issue to address. For Oracle SaaS security, it helps to define and categorize the many aspects of security. This document addresses the following categories of SaaS security:

• Secure Product Engineering

• Secure Deployment

• Secure Management Assessment and Audits

Secure Product Engineering

Oracle builds secure software through a rigorous set of formal, always evolving security standards and practices known as Oracle Software Security Assurance (OSSA). OSSA encompasses every phase of the product development lifecycle.

More information about OSSA can be found at: https://www.oracle.com/corporate/security-practices/assurance/.

The cornerstones of OSSA are Secure Coding Standards and Security Analysis and Testing.

Secure Coding Standards include both general use cases and language specific security practices. More information about these practices can be found at: https://www.oracle.com/corporate/security-practices/assurance/development/.

Security Analysis and Testing includes product specific functional security testing and both static and dynamic analysis of the code base. Static Analysis is performed using tools including both internal Oracle tools and Fortify. Dynamic Analysis focuses on APIs and endpoints, using techniques like fuzzing to test interfaces and protocols. For more information, see: https://www.oracle.com/corporate/security-practices/assurance/development/analysis-testing.html.

Specific security details of OPERA Cloud Distribution are discussed in detail later in this document.

Secure Deployment

Secure deployment refers to the security of the infrastructure used to deploy the SaaS application. Key issues in secure deployment include Physical Safeguards, Network Security, Infrastructure Security, and Data Security.

Physical Safeguards

Oracle SaaS applications are deployed from Oracle Cloud Infrastructure Regional data centers. Access to Oracle Cloud data centers requires special authorization that is monitored and audited. The premises are monitored by CCTV, with entrances protected by physical barriers and security guards. Governance controls are in place to minimize the resources that are able to access systems. Physical security safeguards are further detailed in Oracle's Cloud Hosting and Delivery Policies.

Network Security

The Oracle Cloud network is isolated from the Oracle Corporate Network. OPERA Cloud Distribution services run in a dedicated network segment of the Oracle Cloud.

Infrastructure Security

The security of the underlying infrastructure used to deploy Oracle SaaS is regularly hardened. Critical patch updates are applied on a regular schedule. Oracle maintains a running list of critical patch updates and security alerts. Per Oracle's Cloud Hosting and Delivery Policies, these updates are applied to all Oracle SaaS systems: https://www.oracle.com/technetwork/topics/security/alerts-086861.html.

Before Oracle deploys code to SaaS, Oracle's Global Information Security team performs penetration testing on the cloud service. This penetration testing and remediation prevents software or infrastructure issues in production systems.

Data Security

Oracle uses a number of strategies and policies to ensure the customer’s data is fully secured.

• Data Design. Oracle applications avoid storing personal data. Where PII data exists in a system, data minimization, right to access, and right to forget services exist to support data privacy standards.

• Storage. Oracle applications use encrypted table spaces to store sensitive data.

• Transit. All data is encrypted in transit, SaaS uses TLS for secure transport of data, as documented in Oracle's Cloud Hosting and Delivery policy.

Secure Management

Oracle manages SaaS based on a well-documented set of security-focused Standard Operating Procedures (SOPs). The SOPs provide direction and describe activities and tasks undertaken by Oracle personnel when delivering services to customers. SOPs are managed centrally and are available to authorized personnel through Oracle's intranet on a need-to-know basis.

All network devices, servers, OS, applications, and databases underlying Oracle Cloud Services are configured and maintain auditing and logging. All logs are forwarded to a Security Information and Event Management (SIEM) system. The SIEM is managed by the Security Engineering team and is monitored 24*7 by the Security Operations team. The SIEM is configured to alert the Security Operations team regarding any conditions deemed to be potentially suspicious, for further investigation. Access given to review logs is restricted to a subset of security administrators and security operations personnel only.