The traditional lines between hardware and software are blurred as many hardware systems make use of embedded and configurable software code, such as firmware. Oracle’s security policies and practices extend to hardware systems and govern the procurement, engineering, development, and maintenance of such systems. These policies and practices apply to Oracle-engineered hardware as well as third-party hardware purchased for corporate use, Oracle Cloud use, or embedded in other Oracle products.
Hardware purchases supporting Oracle Cloud and internal data centers are routed through standard Oracle hardware supply-chain processes. These processes are intended to properly vet Oracle’s suppliers, prevent the acquisition of counterfeit products, and employ sourcing from trusted vendors only. Potential suppliers are subject to extensive evaluation of their financial health, integrity, and security practices.
Oracle maintains its own ethical hacking team to perform security assessments against non-Oracle hardware being evaluated for purchase. These security assessments seek to discover hardware or firmware security vulnerabilities and confirm the effectiveness of the security features claimed by the supplier. Oracle works collaboratively with its hardware suppliers to close noted gaps.
Hardware destined for use in Oracle Cloud or internal IT organizations is subject to these same practices. Furthermore, hardware products are formally evaluated by Oracle staff prior to their acquisition for fitness of purpose, such as scalability, as well as for inherent hardware and software security. The security assurance practices of the supplier are also formally evaluated to confirm that the vendor has adequate security remediation policies.
Most hardware products have software components, such as firmware, embedded in them. Oracle Software Security Assurance policies and practices extend to the development of Oracle code used on Oracle hardware systems. The primary objective of these policies and practices is to prevent the introduction of security flaws that could weaken the security controls designed into the systems.
When software updates for Oracle and third-party hardware used in Oracle Cloud are sent to Oracle, cloud-operation teams evaluate the proposed update in a test environment that is separate from and closely reflects the production environment. Once tested, the software updates are deployed from test to production through a controlled private network.
Oracle and its logistics carriers maintain custody and control of the hardware from the pickup at the point of origin to the fulfillment of the applicable Incoterm. In most cases, Oracle operates on a delivered model, meaning that Oracle has control until customer signature (DDP) or delivery to a designated airport (DAP). Each leg of the delivery process is documented in the carrier's system and freight is checked at each transfer point for damage or tampering.
Any exception is noted on shipping paperwork and/or in the logistics carrier’s system. Every DDP delivery is required to have a customer signature after inspection for damage or tampering (for example, tape or bands removed from the hardware). DAP orders are deemed complete when the aircraft arrives and Oracle has received a confirmed on board (COB) notice from the airline.