Cloud Services Edition
Oracle Corp
December 2011
Q&A: Oracle's Gail Coury Talks Enterprise-Grade Security in the Cloud

The buck stops with Gail Coury. As vice president for risk management for Oracle Cloud Services, it is her job to secure the data and systems of Oracle managed cloud services customers.

"We must have a laser-sharp focus on security," explains Coury. "Our brand would simply not survive if we experienced adverse incidents. That means constantly staying on top of evolving threats as well as the latest technologies."

And of course Oracle managed cloud services customers get to leverage that deep expertise without having to invest in the considerable resources necessary, Coury adds.

The former chief information security officer of PeopleSoft, Coury herself has more than 20 years of experience in information security infrastructure systems and network management, security technical consulting, and information systems auditing.

Q. What computing trends are making data centers more vulnerable to attacks—especially internal threats and stealth attacks?
A. Not so long ago, enterprise computing consisted of closed or reasonably closed networks. You just had to add extra security around your network perimeter and public-facing environments. But now the situation is much more complex, because collaboration—with customers, suppliers, and beyond—has transformed how companies manage their businesses, and this stresses our security architecture.

At the same time, rewards for hackers are much higher. In the past, they just wanted to make a statement or gain visibility for their “cause.” But now, there are significant financial rewards for hacking. Data is growing exponentially. Growth in electronic record-keeping—including health care, credit card, and financial data—results in a target-rich environment. Hacking has become profitable.

Q. Please explain how Oracle Cloud Services leverages the ISO 27000 framework.
A. The ISO 27000 framework is the leading international standard for information management, and we define our security strategy according to the 11 clauses that make up this standard.

By certifying and conforming to this framework, we have independent verification that Oracle takes information security controls seriously, and that Oracle Cloud Services has achieved the highest level of security within the scope of our operations. We are assessed annually to ensure that we continue to maintain this high standard.

Q. How does Oracle Cloud Services achieve insight into its real-time security posture?
A. First, I should say our strategy is based on layers of security, so if failure occurs at one level, there is another layer behind it to compensate.

One key layer of control is the security information and events management system (SIEM). We have collectors that gather the more than 150 million events that occur every 24 hours across our network. The SIEM then utilizes a correlations engine that we have spent three years fine-tuning.

This allows us to uncover the serious events that require human intervention. Security is often about finding a needle in the haystack. SIEM makes the haystack really small.

Q. What kinds of testing are conducted on Oracle Cloud Services security systems?
A. We undergo auditing at least a few times a month, either by customers or independent auditors. In addition, we have an internal organization of "white hackers" who have carte blanche to attempt to break our systems from anywhere in the world, unannounced—and I am happy to say, we have identified their activities every single time.

Finally, we have certified compliance with many key security standards, including HIPAA, PCI, SOC 1, FISMA, DIACAP, and ISO 27001. We also conform to 27002 controls. Our customers are able to leverage our demonstrated compliance to ensure the security and privacy of their data hosted with Oracle Cloud Services, as well as to reduce their overall costs to achieve the same.

Q. How does Oracle Cloud Services help customers use Oracle security solutions to secure their environment?
A. Not all customers have the same risk tolerance, so we offer a number of security products and services to further enhance their systems running with us. Examples include Oracle Audit Vault, which records defined events on a separate server that privileged users, such as DBAs, do not have access to in order to preserve audit logs. Oracle Data Masking allows production data to be safely used for development, testing, or sharing. And Oracle Adaptive Access Manager provides strong authentication and fraud protection for online business transactions.

Oracle Cloud Services has invested in security and compliance that can be leveraged by our customers. We have the expertise, the layered architecture, the technology, and demonstrated compliance that delivers added value to users of our services.


Copyright © 2011, Oracle Corporation and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.