European Union Restricted Access (EURA) and SaaS Security

The ever-changing global security landscape and the rapid evolution of technology are forcing companies to make major changes to their systems, tools and infrastructure. To remain competitive, companies are seeking solutions that are compatible with current regulations and technology and that support business growth. The adoption of cloud computing and software as a service (SaaS) is helping companies gain an advantage by expanding their level of automation beyond the scope of conventional solutions.

With the growth of cloud computing and SaaS solutions, data transfer and residency issues have become a greater focus for cloud customers, especially after the adoption of new privacy laws, such as the European Union (EU) General Data Protection Regulation (GDPR). While GDPR isn’t a data residency law, trends in the EU have led to a growing customer need for cloud services that are designed for the EU, located in the EU, and operated by EU personnel.

Oracle European Union Restricted Access (EURA) Cloud Service for Oracle Fusion Applications is designed and released with such EU data residency needs in mind.

What is Oracle EURA Cloud Service?

Oracle EURA Cloud Service is designed to address the data residency and privacy needs of our EU customers by ensuring that all customer service environments and customer data in those environments, as well as derivative datasets potentially containing customer data, such as memory dumps, reside only in EU data centers. In addition, by restricting Oracle personnel access to customer data and diagnostic data by work location, only EU-based Oracle engineers can perform service management and maintenance. Oracle EURA is available for select services in the following Oracle Fusion Applications:

Oracle EURA has obtained ISO 27001 and CSA STAR certifications.

What are the key benefits?

Oracle EURA processes and stores all customer data and derivative datasets potentially containing elements of customer data, such as trace files and service logs, under EURA restrictions for data residency and data access. A few minor exceptions apply for the email and malware scan systems, as well as Oracle Fusion Cloud Learning rich media streaming delivered from Akamai data centers. (Fusion Learning customers can opt out from having media streamed from Akamai.)

EU data centers

Oracle EURA ensures that applicable Oracle Fusion customer service environments are hosted in data centers in the EU; the primary data center is in Frankfurt, Germany.

EU data access

Controls are in place to ensure Oracle grants only EU-based personnel access to the cloud service and customer data for service management. These access controls are designed to verify that personnel are employed in the EU. In addition, when logging in remotely from non-Oracle locations, Internet Protocol-based geofencing is applied to verify that personnel are physically in the EU.

By restricting data storage to EU data centers and by applying data access controls, Oracle EURA can help customers address their EU data residency needs.

EU data residency

An upgraded architecture is scheduled to be launched in 2023. This architecture and a new, stringent governance model for what will be Oracle’s sovereign cloud regions for the European Union are designed so that sovereign cloud entities will operate independently, without the possibility of transferring customer data outside of the EU. Subscribers hosted in Oracle EURA will be migrated to the sovereign cloud without charge and without the need for any additional downtime.

Advanced security solutions for Oracle EURA

On top of the Oracle corporate and service-specific controls available within the Oracle solutions, additional security features are made available with Oracle EURA.

Oracle Break Glass for Fusion

Break Glass for Fusion enables customers to restrict and control Oracle's access to customer data stored in the Oracle Fusion Cloud Service database. When using Break Glass for Fusion Cloud Service, customers can control access to passwords required for data-level access to the Oracle Fusion Cloud Service database. With Break Glass, Oracle personnel can’t access the customer cloud environment to troubleshoot issues unless they have approval from the customer.

In addition, data at rest is secured using Oracle Transparent Data Encryption (TDE) Security Cloud Service and Oracle Database Vault. Oracle requires the TDE master key for a customer to operate a database using Oracle Fusion Cloud Service but retains only a copy of the latest key provided by the customer.

  • Customer data in the database is encrypted at rest using TDE, and access is logged and audited using Database Vault.
  • Break Glass access is time bound; it secures customer data by requiring customer approval for Oracle personnel to access the environment.
  • Break Glass provides only temporary access. The access credentials are programmatically reset after a preconfigured amount of time, typically 72 hours.
  • Break Glass access is audited and logged, and reports are available.

Customers can upload, remove, or restore their TDE master encryption key from the Applications Console.

Oracle Data Masking Cloud Service

Companies run the risk of exposing sensitive data when copying production data into nonproduction environments to develop new apps, run tests, or perform data analysis. However, to perform real-world testing, nonproduction users need to access representative datasets.

Oracle Data Masking reduces this risk by replacing the original sensitive data with fictitious data so that the data can be shared safely with nonproduction users.

With Data Masking, customers can:

  • Limit sensitive data proliferation: Growing security threats have increased the need for companies to limit exposure of sensitive information. At the same time, copying production data for nonproduction purposes, such as testing and development, proliferates sensitive data, expands the security and compliance boundary, and increases the likelihood of data breaches.
  • Share what’s necessary: Often, companies must share a production dataset with internal and external parties for various reasons. In some cases, it’s efficient to extract and share a portion or subset of information instead of sharing the entire production dataset.
  • Implement data minimization: Data privacy regulations, such as the GDPR, promulgate data minimization principles. Limiting sensitive information in nonproduction environments can help address these principles because these environments are often accessed by a larger number of users with more privileges than typical in-production systems.

Restricted database access and bring your own key (BYOK) features for Enterprise Performance Management

The bring your own key feature enhances Oracle Fusion Cloud EPM security by letting customers bring their own key that’s used to encrypt the database access key. This feature is available to all Oracle Fusion Cloud EPM customers, not just those provisioned to Oracle EURA environments. All data in the relational database is encrypted at rest, and the customer-provided key is used to encrypt the database access credentials. Management of this key is provided by the customer. This feature can be used with the restricted database access feature, which provides restricted access to customer data by customer DBAs and Oracle development employees. With the restricted database access feature enabled, access is controlled and authorized by the customer. All access to the customer database is audited and made visible to the customer.

Oracle enables EPM customers to restrict and control Oracle access to customer data stored in the EPM cloud service relational database. When activated, Oracle personnel can’t access the customer cloud environment to troubleshoot any issues unless they have approval from the customer.

  • Data at rest is secured using Oracle Transparent Data Encryption.
  • Relational database access is time bound; it secures customer data by requiring customer approval for Oracle personnel to access the environment.
  • Once permitted by the customer, relational database access is audited and logged, and access reports are made available to the customer’s service administrators.

To learn more, contact your Oracle sales representative and ask about Oracle EURA for Oracle Fusion Applications.