Evaluate Your Organization's Security with OCI
Oracle University Podcast - A podcast by Oracle Corporation - Tuesdays
Join Lois Houston and Nikita Abraham, along with special guests Nancy Kramer and Betina Tagle from Oracle’s corporate security organization, as they discuss the steps you can take to evaluate your organization’s security, privacy, and compliance requirements using Oracle Cloud Infrastructure. They also talk about the resources that are available to help you do so.

Oracle MyLearn: https://mylearn.oracle.com/
Oracle University Learning Community: https://education.oracle.com/ou-community
Subscribe to Security Updates: https://www.oracle.com/security-alerts/
Oracle Trust Center: https://www.oracle.com/trust/
OCI CAIQ: https://www.oracle.com/corporate/security-practices/cloud
LinkedIn: https://www.linkedin.com/showcase/oracle-university/
Twitter: https://twitter.com/Oracle_Edu

Special thanks to Arijit Ghosh, David Wright, and the OU Studio Team for helping us create this episode.

--------------------------------------------------------

Episode Transcript:

00;00;00;00 - 00;00;38;16
Welcome to the Oracle University Podcast, the first stop on your cloud journey. During this series of informative podcasts, we’ll bring you foundational training on the most popular Oracle technologies. Let's get started. Hello and welcome to the Oracle University Podcast. I'm Nikita Abraham, Principal Technical Editor with Oracle University, and with me is Lois Houston, Director of Product Innovation and Go to Market Programs.

00;00;38;20 - 00;01;01;13
Hi there. In today's special episode, we're going to talk about all the steps you can take to evaluate your organization's security, privacy, and compliance requirements using Oracle Cloud Infrastructure. We'll also explore some of the resources that are available to help you do so. And to tell us all about it, we're joined by two guests from Oracle's corporate security organization.

00;01;01;16 - 00;01;32;25
Nancy Kramer is a Senior Director in Global Information Security. She has 20 years of experience in risk management, security, privacy, and compliance audits involving complex business processes and IT systems. She also provides thought leadership, including engagement with industry organizations. Dr. Betina Tagle is also with Global Information Security. She has over 20 years of experience with cybersecurity and compliance in both the private and public sector.

00;01;32;27 - 00;01;52;26
Thank you so much, Nancy and Betina, for being with us today. Yes, this is such an important topic to learn more about. I'm really interested in what you have to share with us. Thank you so much for having us. We are delighted to help our customers learn more about how to securely reap the benefits of cloud. Thanks for this opportunity, Niki and Lois.

00;01;52;28 - 00;02;25;26
As organizations adopt cloud services, they're seeking guidance on evaluating cloud service providers. Our goal is to offer helpful insights on the approach. Let's start with setting some context. What kind of challenges do organizations face in their cloud adoption journey? Organizations continue to migrate business-critical applications and workloads to the cloud. The benefits are compelling. Leveraging the cloud lets organizations focus on their core mission and minimize capital expenditure.

00;02;25;29 - 00;03;08;09
With cloud services, organizations still own their data while leveraging the expertise, economy of scale, technical flexibility, and scalability offered by their cloud providers. When organizations are considering their cloud strategy, they need to consider their security, privacy, and compliance objectives from internal and external sources, compiling their requirements for the cloud service providers. For example, external requirements may include applicable laws and regulations based on the organization's location, their customer location, industry, or the type of data they process.

00;03;08;12 - 00;03;50;02
Organizations would benefit from a thorough analysis of the regulatory environment by their legal team. Internal requirements may be defined by the organization's Board of Directors, CEO, CISO, and other executives, as well as internal policies and contractual commitments to their customers. Oracle Cloud Infrastructure, or OCI, provides services, features, and documentation resources to support these customer obligations. Oracle University and OCI also offer helpful courses to guide customers through securing their cloud tenancies using various OCI features and services.

00;03;50;03 - 00;04;22;19
I want to come back to those courses later, but first, who does what in the cloud? Which operational technology management tasks are handled by the cloud provider and which are the customer’s responsibility? I think it will help if I start by defining the categories of Oracle offerings and summarizing who does what per category. This will clarify the notion of the shared management model that is predominant in the cloud as well as the relative scope of available security assurance validations.

00;04;22;22 - 00;04;57;08
OCI services can be used to build and operate computing environments, which include data analysis, storage, system integrations, enterprise workloads, and cloud native or containerized applications. Oracle manages the hosted tools, but the customer is responsible for how they build, configure, and use these tools, and for the data processed in their tenancies. Some examples of OCI services are compute and autonomous database.

00;04;57;10 - 00;05;30;11
Exactly right, Betina. In contrast, cloud applications are hosted using a Software as a Service or SaaS model in which the cloud provider, such as Oracle, manages the cloud applications and the underlying infrastructure. Customers are responsible for how they configure and use these SaaS applications and for the data processed in their cloud tenancies. Examples of these services include Enterprise Resource Planning, ERP, and Human Capital Management, or HCM.

00;05;30;13 - 00;05;59;11
Customers are also responsible for securing any third-party integration associated with these SaaS offerings, as well as any custom code extension scripts that they add to the applications. Let me highlight the differences a bit more in relation to the traditional on-premises model where companies such as Oracle provide hardware and software that customers install, deploy, and manage in their own computing environments.

00;05;59;13 - 00;06;25;23
The customer is wholly responsible for the management of the entire technology environment in which those products are deployed and operated, as well as the data they process. That makes sense. Right, Lois. And Oracle strongly recommends that customers protect the computing environment they manage by installing security updates delivered through the Critical Patch Update, CPU, and Security Alert programs without delay.

00;06;25;26 - 00;06;59;08
Customers can view and even subscribe to notifications about these security updates at oracle.com/security-alerts. Just to summarize, cloud providers are responsible for the security of the cloud, and customers are responsible for security in the cloud. They still decide on what data to process, where, and how. No matter what type of cloud service, OCI or SaaS, customers should still do the following.

00;06;59;08 - 00;07;34;01
Implement settings for authentication and authorization per their security and privacy requirements for accounts and passwords. Manage access for user accounts, including auditing which user accounts have access to what data. Monitor the available logs and reports, and respond to security events, as well as determine what data to process and manage that data per their organization's security and privacy objectives. And you're going to be joining us in the Oracle University Learning Community soon for a special live event to talk about all of this in more detail, right?

00;07;34;02 - 00;07;57;13
Yes, we are. We are so excited to talk to everyone in the community. We're going to look at this topic in-depth in the special live event that is scheduled for June 29th. We will walk you through a tour of relevant resources on oracle.com so you can make sure to plan ahead and attend. And you'll need to be a member of the community if you want to attend.

00;07;57;14 - 00;08;17;13
So be sure you join and register for the event today. If you're not already a member of the community, you can sign up by visiting mylearn.oracle.com. You'll find all the live events, including the one Nancy and Betina will be hosting, on the community home page. So Betina, how can people see a preview of those oracle.com resources?

00;08;17;14 - 00;08;52;08
Oracle offers a wealth of security and cloud compliance information on the Oracle Trust Center found at oracle.com/trust. The site includes Oracle Corporate security practices, the cloud compliance site of third-party independent attestations to various global and regional compliance frameworks, and the Oracle Security blog. You can view the independent third-party certifications for OCI in the Trust Center by clicking the Attestations link under the Cloud Compliance heading.

00;08;52;10 - 00;09;22;06
Please note that each attestation is scoped to a particular set of cloud services and data center regions. Clicking on a compliance framework name retrieves a general description and the link to the entity providing the compliance framework. Some examples of global compliance frameworks include ISO 27001, SOC 2, Cloud Security Alliance STAR, and Payment Card Industry Data Security Standard, or PCI DSS.

00;09;22;08 - 00;09;45;23
This site also includes geography-specific standards, such as US FedRAMP, UK Cyber Essentials, European Union Cloud Code of Conduct for Privacy, and IRAP for Australia. Obviously, this information is subject to change and is updated frequently.

00;09;45;25 - 00;10;11;16
Want to learn more about modern best practices for cloud applications? Oracle University offers business processes training for Human Capital Management, Financials, Customer Experience, Supply Chain, and Procurement. From now through August 31st, you can take the training for any of these areas and get certified for free as well. Oracle Cloud training and certifications empower you to explore limitless possibilities in the cloud landscape.

00;10;11;17 - 00;10;29;10
Gain the knowledge and skills needed to design, deploy, secure, and operate modern cloud infrastructure and applications with confidence. Go to education.oracle.com for more details. What are you waiting for? Get certified today.

00;10;29;12 - 00;11;04;29
Welcome back. Let's say there's a customer who wants to view OCI compliance attestations. I know they can always contact Sales to get these audit reports, but are there any self-service options? Yes. OCI customers can download OCI attestations of compliance to various compliance frameworks, including global information security standards, via the OCI Console and the Compliance Documents screen. There are multiple types of compliance documents available depending on the compliance framework or standard.

00;11;05;02 - 00;11;50;21
These include audit reports, attestations of compliance, and certificates of compliance. While logged in to the OCI Console for your tenancy, open the navigation menu. Click Identity and Security from the left menu that appears and then click Compliance on the screen that appears. The Compliance Documents page displays all available documents. You can filter, sort, and download the compliance documents of interest from this page, via the command line interface, and using the OCI API. Instructions for accessing compliance documents are also in the OCI product documentation at docs.oracle.com.

00;11;50;21 - 00;12;20;04
Thanks, Betina. That's great to know. Nancy, what else does Oracle offer to help our customers secure their cloud workloads running on OCI? I can offer two additional recommendations. The first is to take advantage of the in-depth OCI courses available through Oracle University. The OCI learning subscription includes introductory as well as expert-level courses.

00;12;20;06 - 00;12;59;02
To get started, there's an OCI Foundations learning path that describes the types of services OCI offers and has some basic recommendations for configuring your tenancy so that you meet your organization's security, privacy, and compliance objectives. There is some key terminology you'll be introduced to in that learning path, as well as recommendations for architecture that provide resilience and business continuity. For example, OCI regions typically have multiple availability domains, which each, in turn, have multiple fault domains.

00;12;59;05 - 00;13;31;01
OCI designed these availability and fault domains to have redundant systems so that a disruption of service in one availability domain does not result in a disruption to all availability domains in that region. These kinds of architectural and system design choices will help organizations avoid disruption of their operations when using systems running in OCI. A more advanced Oracle University offering is the Cybersecurity and Oracle Cloud learning path.

00;13;31;03 - 00;13;58;21
This group of courses explains the various OCI services that can be used to implement information security controls for identity management, networks, managing encryption keys, network firewalls, vulnerability scanning, compartment management practices, and so much more. And all of our OCI training in MyLearn is available free to anyone. So, there are really no barriers to learning if you're interested in diving in.

00;13;58;23 - 00;14;36;09
Those are some great course recommendations, Nancy and Betina. So, Nancy, you said you had two recommendations. What's the other one? My second suggestion is for customers to evaluate the suitability of OCI cloud services by downloading and reading the detailed information about security practices from oracle.com. Oracle published Consensus Assessment Initiative Questionnaires, also called CAIQ or “CAKE,” for various cloud services, including for OCI. CAIQs are industry-standard questionnaires from the Cloud Security Alliance.

00;14;36;12 - 00;15;11;14
That is a global organization which defined a set of controls companies can use to evaluate all types of cloud services to essential security controls in a fair and consistent manner. Each CAIQ answers several hundred questions, encompassing important information security control domains such as audit and assurance, application security, business continuity, change management, data center physical controls, human resources, identity and access management, incident management, and finally, threat and vulnerability management.

00;15;11;14 - 00;15;38;22
These publicly available CAIQs encompass a broad set of information security policies and practices that are most relevant for cloud services. You can download the OCI CAIQ from oracle.com/trust by drilling down on the Security Practices for Cloud section. We will also add it in the show notes so that it's easily accessible.

00;15;38;25 - 00;16;07;16
Thank you, Betina and Nancy. This has been a very informative conversation. I had no idea about all the details that went into corporate security. I can't wait for the live tour of these oracle.com public resources in the Oracle University Learning Community on June 29th. We're very much looking forward to that event as well. Thank you so much for giving us a chance to share guidance about how organizations can evaluate the security, compliance, and privacy of cloud service providers.

00;16;07;18 - 00;16;31;02
We look forward to being back here again. We’d love that. Thanks again! In our next episode, we’ll look at Oracle Machine Learning with Cloud Engineer Nick Commisso. Until then, this is Nikita Abraham and Lois Houston signing off. That's all for this episode of the Oracle University Podcast. If you enjoyed listening, please click Subscribe to get all the latest episodes.

00;16;31;04 - 00;19;04;01
We'd also love it if you would take a moment to rate and review us on your podcast app. See you again on the next episode of the Oracle University Podcast.