Data Security: Technical Controls

Overview

Oracle implements a wide variety of technical security controls designed to protect the confidentiality, integrity, and availability of corporate information assets. These controls are guided by industry standards and are deployed across the corporate infrastructure using a risk-based approach.

Secure Configuration

Oracle’s enterprise architecture organization defines and maintains guidance documentation and secured configurations for use within Oracle’s corporate systems and in Oracle Cloud. This guidance applies across layers of Oracle environments, including hardware, storage, operating systems, databases, middleware, and applications.

Encryption

Encryption is the process of rendering data unreadable without the specific key to decrypt the data. Oracle’s Information Protection Policy defines high-level requirements for protecting data via encryption when data is at rest (in storage) on laptops, devices, and removable media.

Oracle has corporate standards that define the approved cryptographic algorithms and protocols. Oracle products and services are required to use only up-to-date versions of approved security-related implementations, as guided by industry practice. Oracle modifies these standards as the industry and technology evolve, to enforce, for example, the timely deprecation of weaker encryption algorithms.

Encrypting Data in Transit

Encrypting Data at Rest

Encryption Key Management

Solutions for managing encryption keys at Oracle must be approved per the Corporate Security Solution Assurance Process (CSSAP). Oracle Global IT defines requirements for encryption, including cipher strengths, key management, generation, exchange/transmission, storage, use, and replacement. Specific requirements in this standard include:

  • Locations and technologies for storing encryption keys
  • Controls to provide confidentiality, availability, and integrity of transmitted encryption keys, such as digital signatures
  • Changing default encryption keys
  • Replacement schedule for various types of encryption keys

Decommissioning Servers and Other Computing Resources

Oracle’s Media Sanitization and Disposal Policy defines requirements for removal of information from electronic storage media (sanitization) and for disposal of information that is no longer required, to protect against unauthorized retrieval and reconstruction of confidential data. Electronic storage media include laptops, hard drives, storage devices, and removable media such as tape.