LogicManager: Enterprise Risk Management (ERM) Platform Deployment on Oracle Cloud
To help companies prevent data security breaches, comply with data regulations, and manage vendor contracts, LogicManager recently deployed its cloud-native enterprise risk management (ERM) platform on Oracle Cloud Infrastructure (OCI).
Founded in 2005, the Boston-based company provides a wide range of ERM software-as-a-service offerings including cybersecurity, compliance management, policy and governance, and contract management services to companies worldwide in heavily regulated sectors, such as financial services, healthcare, utilities, and energy.
As demand for ERM software races toward $60 billion globally, LogicManager needed to give its growing base of customers a faster, smarter, and more secure way to manage vendor contracts, prepare for audits, and build business continuity plans, while also complying with ever-changing regional data sovereignty regulations. Since moving to OCI, LogicManager has not only deployed its performance-sensitive production workloads across the Oracle Cloud regions in Europe, the US, and Asia, but each of these regions also has a paired region to which the company replicates backups for disaster recovery. By using Oracle Cloud Infrastructure Data Science, LogicManager is able to build predictive contract analytics models on demand, rather than over the months it would take if the team had to build this capability in house.
Architecture
Because many of LogicManager's customers have data-sovereignty restrictions, the company uses primary Oracle Cloud Infrastructure (OCI) regions in the US, Europe, and Asia Pacific, with paired secondary regions in each of the same locales.
LogicManager uses remote VCN peering to allow deployments to be managed from a single location. All of the Oracle Autonomous Transaction Processing (ATP) instances (19c) are backed up to Oracle Cloud Infrastructure Object Storage using Oracle Data Pump. Object and block volume storage are replicated from the primary to the secondary region for backup and disaster recovery. The company uses database links between ATP database instances to maintain a single source of truth for the metadata that drives services to its entire customer base.
LogicManager's customers access the platform by using Oracle Cloud Infrastructure Web Application Firewall (WAF). Once authenticated, user traffic passes through a load balancer, which only accepts traffic from the WAF. In conjunction with the WAF, the company runs Cloud Guard and Oracle Cloud Infrastructure Vulnerability Scanning Service. LogicManager has containerized its application services by using Docker in one of its compute instances, and runs its reports portal in a separate compute instance. Large compute shapes are used, ranging in size from 16 to 24 OCPUs with 128 to 256 GB of memory to handle the workload. LogicManager's customers are routed to the appropriate compute instance based on the type of their service requests and on their geolocation.
The company also provides several APIs for multicloud integration, which its customers can use to manage their risk management documents in third-party applications such as RiskRecon, SecurityScorecard, ComplianceAi, and Microsoft Office.
LogicManager administrators use the OpenVPN Access Server to access private compute instances by using secure shell (SSH) and to access private ATP instances. This allows LogicManager additional control over who has access to the production systems.
Oracle Cloud Infrastructure Application Performance Monitoring Cloud (APM) also runs in LogicManager's OCI environment, ensuring that the company's growing and globally distributed customer base always has quick and secure access to its enterprise risk management (ERM) platform. LogicManager ingests outputs from its reporting application platform into Oracle Cloud Infrastructure Logging, enabling the company to search for and identify any unusual activity or potential issues. Alarms are activated by using built-in and custom metrics to help detect performance anomalies and to avoid outages.
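The paragraph above says the reporting-platform output is ingested into OCI Logging so that unusual activity can be found and alarms raised on metrics. The following is an added example (not LogicManager's code) of the kind of logic such a search encodes: it parses constructed access-log lines from a reporting portal, skips malformed lines, and returns findings for two signals, a burst of failed logins from one source within a minute and a per-minute request-rate spike. The log format, thresholds and sample lines are all assumptions made for the example.

```python
"""Detect failed-login bursts and request-rate spikes in reporting-portal logs.
Added example, not LogicManager's code; the log format, thresholds and the
sample lines below are constructed for illustration (assumption)."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Assumed line format: "<ISO timestamp> <client ip> <method> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: three failed logins from one host in one minute, one good
# login, a six-request burst of report pulls in the next minute, and one
# malformed line that the parser should skip.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.9 POST /login 401
2024-03-01T10:00:02Z 203.0.113.9 POST /login 401
2024-03-01T10:00:03Z 203.0.113.9 POST /login 401
2024-03-01T10:00:05Z 198.51.100.4 POST /login 200
this line is not in the expected format
2024-03-01T10:01:00Z 198.51.100.4 GET /reports/1 200
2024-03-01T10:01:01Z 198.51.100.4 GET /reports/2 200
2024-03-01T10:01:02Z 198.51.100.4 GET /reports/3 200
2024-03-01T10:01:03Z 198.51.100.4 GET /reports/4 200
2024-03-01T10:01:04Z 198.51.100.4 GET /reports/5 200
2024-03-01T10:01:05Z 198.51.100.4 GET /reports/6 200
"""


def parse_log(text: str) -> List[Dict]:
    """Turn raw lines into records; malformed lines are dropped, not fatal."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["minute"] = ts.strftime("%Y-%m-%dT%H:%M")  # one-minute bucket key
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def detect_anomalies(records: List[Dict], fail_threshold: int = 3,
                     rate_threshold: int = 5) -> List[Dict]:
    """Return findings: failed-login bursts per (ip, minute) and per-minute rate spikes."""
    failed = Counter()      # (ip, minute) -> number of 401s on /login
    per_minute = Counter()  # minute -> total requests
    for rec in records:
        per_minute[rec["minute"]] += 1
        if rec["path"] == "/login" and rec["status"] == 401:
            failed[(rec["ip"], rec["minute"])] += 1

    findings = []
    for (ip, minute), count in sorted(failed.items()):
        if count >= fail_threshold:
            findings.append({"kind": "failed_login_burst", "key": ip,
                             "minute": minute, "count": count})
    for minute, count in sorted(per_minute.items()):
        if count > rate_threshold:
            findings.append({"kind": "request_rate_spike", "key": minute,
                             "minute": minute, "count": count})
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample this yields two findings: the three 401s from `203.0.113.9` at 10:00 and the six requests in the 10:01 bucket. The thresholds are parameters so the same function can be tuned per portal; in a real deployment the counts would feed the custom metrics that the alarms act on.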
Oracle Cloud Infrastructure Email Delivery service is embedded in the ERM business workflow. It's used to notify users to complete tasks, such as updating clauses or renewing contracts.
Key advantages of LogicManager's solution include:
- Multiregion deployment to meet customer data-sovereignty requirements
- APIs to handle multicloud application integration
- Managed services to handle key functions:
- ATP and OCI Email Delivery handle dynamic and performance-sensitive workloads
- Oracle Cloud Infrastructure Data Science manages machine learning (ML) model development and deployment
- WAF, Oracle Cloud Infrastructure Load Balancing, Cloud Guard, and OCI Logging manage security
- APM and Alarms manage application performance
The following diagram illustrates this reference architecture (diagram download: logic-manager-oci-arch-oracle.zip).
One of LogicManager's flagship services is its Contract Analyzer application. Using a JupyterLab notebook, LogicManager's machine learning engineers develop and test a model in the OCI Data Science model catalog, from where it is published as a model deployment in a Docker container. In the contract management compartment of the Contract Analyzer application, LogicManager's customers can upload their contracts and submit a request to have their contract analyzed. The customer's request is then sent to the Contract Analyzer, where the text of the customer's contract document is extracted and submitted to the model deployment. OCI Data Science makes predictions of the necessary clauses that should go into the customer's final contract. These clauses are associated and stored in an ATP database. LogicManager's customers can then view the recommended contract clauses and use them to inform business decisions. For example, if a contract renewal date is coming due, the customer can create an automation that lets the customer or its vendors, or both, know to prepare the contract 30 days in advance of the due date.
The following diagram shows the contract analyzer data flow (diagram download: logic-manager-contract-flow-oracle.zip).
- End users upload contracts into the LogicManager contract management area of the web application.
- Users request a contract to be analyzed, and the text of the document is extracted.
- The extracted text is submitted to the model deployment for analysis.
- The model deployment predicts contract clauses and stores the following in ATP:
- The original documents
- The original binary content of those documents
- Prediction results
- The user can view the predicted contract clauses in the report portal following business use cases such as getting a reminder when a contract renewal date approaches.
Future deployment plans for LogicManager include:
- Add high availability (HA) to the application tier by using Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE)
- Add HA to the database tier by using an Autonomous Data Guard standby instance
- Set up active-standby geographic disaster recovery in paired regions by using Autonomous Data Guard
The architecture has the following components:
- Tenancy
A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for Oracle Cloud Infrastructure. You can create, organize, and administer your resources in Oracle Cloud within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.
- Region
An Oracle Cloud Infrastructure region is a localized geographic area that contains one or more data centers, called availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).
- Availability domain
Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain is unlikely to affect the other availability domains in the region.
- Fault domain
A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain has three fault domains with independent power and hardware. When you distribute resources across multiple fault domains, your applications can tolerate physical server failure, system maintenance, and power failures inside a fault domain.
- Web Application Firewall (WAF)
Oracle Cloud Infrastructure Web Application Firewall (WAF) is a payment card industry (PCI) compliant, regional-based and edge enforcement service that is attached to an enforcement point, such as a load balancer or a web application domain name. WAF protects applications from malicious and unwanted internet traffic. WAF can protect any internet facing endpoint, providing consistent rule enforcement across a customer's applications.
- Virtual cloud network (VCN) and subnets
A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you complete control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
- Security list
For each subnet, you can create security rules that specify the source, destination, and type of traffic that must be allowed in and out of the subnet.
- Route table
Virtual route tables contain rules to route traffic from subnets to destinations outside a VCN, typically through gateways.
- Internet gateway
The internet gateway allows traffic between the public subnets in a VCN and the public internet.
- Dynamic routing gateway (DRG)
The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, between a VCN and a network outside the region, such as a VCN in another Oracle Cloud Infrastructure region, an on-premises network, or a network in another cloud provider.
- Service gateway
The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet.
- Remote peering
Remote peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. Remote peering eliminates the need for an internet gateway and public IP addresses for the instances that need to communicate with another VCN in a different region.
- Compute
The Oracle Cloud Infrastructure Compute service enables you to provision and manage compute hosts in the cloud. You can launch compute instances with shapes that meet your resource requirements for CPU, memory, network bandwidth, and storage. After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you no longer need it.
- Load balancer
The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.
- Object storage
Object storage provides quick access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store and then retrieve data directly from the internet or from within the cloud platform. You can seamlessly scale storage without experiencing any degradation in performance or service reliability. Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.
- Block volume
With block storage volumes, you can create, attach, connect, and move storage volumes, and change volume performance to meet your storage, performance, and application requirements. After you attach and connect a volume to an instance, you can use the volume like a regular hard drive. You can also disconnect a volume and attach it to another instance without losing data.
- Autonomous Transaction Processing
Oracle Autonomous Transaction Processing is a self-driving, self-securing, self-repairing database service that is optimized for transaction processing workloads. You do not need to configure or manage any hardware, or install any software. Oracle Cloud Infrastructure handles creating the database, as well as backing up, patching, upgrading, and tuning the database.
- Application Performance Monitoring
Oracle Cloud Infrastructure Application Performance Monitoring provides deep visibility into the performance of applications and provides the ability to diagnose issues quickly in order to deliver a consistent level of service. This includes the monitoring of the multiple components and application logic spread across clients, third-party services, and back-end computing tiers, on premises or in the cloud.
- Logging
Logging is a highly scalable and fully managed service that provides access to the following types of logs from your resources in the cloud:
- Audit logs: Logs related to events emitted by the Audit service.
- Service logs: Logs emitted by individual services such as API Gateway, Events, Functions, Load Balancing, Object Storage, and VCN flow logs.
- Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.
- Cloud Guard
You can use Oracle Cloud Guard to monitor and maintain the security of your resources in Oracle Cloud Infrastructure. Cloud Guard uses detector recipes that you can define to examine your resources for security weaknesses and to monitor operators and users for risky activities. When any misconfiguration or insecure activity is detected, Cloud Guard recommends corrective actions and assists with taking those actions, based on responder recipes that you can define.
- Data Science
Oracle Cloud Infrastructure Data Science is a fully managed, serverless platform that data science teams can use to build, train, and manage machine learning (ML) models on Oracle Cloud Infrastructure (OCI). It can easily integrate with other OCI services such as Oracle Autonomous Data Warehouse, Oracle Cloud Infrastructure Object Storage, and more. You can build and evaluate high-quality machine learning models that increase business flexibility by putting enterprise-trusted data to work quickly, and you can support data-driven business objectives with easier deployment of ML models.
- Email Delivery
Oracle Cloud Infrastructure Email Delivery is a highly scalable, cost effective, and reliable email delivery service for sending high-volume, application-generated emails for mission-critical marketing, notification, and transactional communications such as receipts, fraud detection alerts, multifactor identity verification, and password resets.