1 copyright © 2014 | oracle and/or its affiliates. all rights reserved. | confidential – not for...

1 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Oracle Cloud Service Security and Technology Aykut Celik Applications Technologist

2 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracles products remains at the sole discretion of Oracle.

3 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Oracle Cloud Service Momentum In less than three years 13 Data Centers 38,000 Square Feet >10,000 Customers >21 Million Users >19 Billion Txns/Day >1000 servers 1000s of VMs 19 PB of Storage

4 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Technologies Services Governance Strategy Information Cloud Security Strength in Depth Governance Secure Web Gateways End User Security Security Information and Event Management (SIEM) Endpoint Disk and Tape Encryption Multi-Factor Authentication for Administrators Segregated Networks Power Broker for Privileged Management Security Configuration Monitoring using EM Web Application Firewall Option Transparent Data Encryption Option Oracle Cloud Service Application Security Controls Security Services Security Technologies Periodic Vulnerability Assessments Automated Compliance Testing Real-time Security Event Correlation & Monitoring Auditing and Self-Assessment Business Continuity Planning & Testing Regulatory Compliance (SOX, PCI, HIPAA, Federal) Governance, Risk & Compliance Documentation Security Strategy Security Technical Design Reviews Security Technical Assessments Secure Configuration

6 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Oracle Public Cloud Data Centers 99.999% Availability Power & HVAC State of the Art Facilities, Gen 4 Best in Class SLO, RPO, and RTO Defense in Depth Security & Compliance 15,000 Global Support Personal, 27 Languages EMEA Operating Region. Primary and Secondary Data Centers Located within WE

7 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Data Centers Chicago Austin London Linlithgow Amsterdam Sydney Singapore Japan 99.999% Availability Power & HVAC State of the Art Facilities Best in Class SLA, RPO, and RTO Defense in Depth Security & Compliance Ashburn 15,000 Global Support Personal, 27 Languages

8 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle High security rated data centers Access cards required and inventoried nightly Multiple security zones & Man Traps Biometric scanners 24 X 7 video surveillance Self-sustaining for 72 hours Personnel screening w/ formal onboarding and offboarding Physical Data Center Security

9 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Cloud Monitoring, Alerting, Notifications Bozeman NOC Bozeman NOC Reading NOC Reading NOC Bangalore NOC Bangalore NOC Oracle 24x7 Follow the Sun Monitoring & Support

10 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Oracle Cloud Operations Organization 500+ Dedicated IT Staff supporting Oracle Cloud 7x24 Operations Nerve Center staff in a follow the sun configuration Dedicated Security & Compliance management staff Functional experts and architects in all key support roles Application support Platform technologies (Middleware & DB) Infrastructure support and system administration Network administration: switches, firewalls, load balancers Facilities & project management 100% of activities performed by Oracle employees

11 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Security Certification Formal Change Management Secure Connection (SSL/VPN) Oracle Access Management Network Security & Intrusion Detection Segregated solution architecture Backup and Disaster Recovery Malware protection 24x7 system monitoring Logical Data Center Security

12 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Application Security Access Control SSO Enabled Built on Oracle Identity Mgmt Database Security Separation of duties Activity logging Application Security Role Based Access PII protection Defense in depth

14 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Cloud Operations Environments 1 Staging 1 Production Back up Continual incremental back up Daily Snap shot Twice weekly archive to tape and offsite storage

15 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Cloud Certifications Regulatory Compliance SOC 1 certified Additional certifications upon request Additional services Advanced Data Security Segregation of duties (DBA) Encryption of data at rest* VPN Access Additional environments

16 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Cloud Performance 24x7 automated monitoring Intrusion Detection and remediation IP Filtering/White listing Performance infrastructure Load balancers Transaction Accelerators Cloud Management Oracle Enterprise Manager Customer Cloud Portal

18 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Cloud Architecture Shared Resources Hardware/Storage/Network Identity Management Cloud Monitoring Environments Data isolation Application isolation Data import/export Application Clusters Virtualization Layer Hardware Layer Storage Grid Enterprise Management Database Clusters Identity & Access Management Tenant 3 Tenant 2 Tenant 1 Tenant 3 Tenant 2 Tenant 1 Shared Cloud ResourceVirtual Cloud Tenant Resource

20 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Data Encryption File Encryption Contents can be encrypted as created Oracle Wallet key management Personally Identifiable Information Data in Motion Data at Rest

21 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Upgrade Process Customer scheduled upgrades when requested Current and previous releases supported Upgrade Process Customer requests upgrade Oracle updates staging environment Customer performs acceptance testing Customer notifies Oracle when to upgrade production Oracle upgrades customer production environment

23 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Cloud Security Practices and Policy Documents All documents are available on Oracle.com/Contracts Select Oracle Cloud ServicesOracle Cloud Services Review cloud specific documents as listed. Direct questions regarding cloud policies to the global business practices team for guidance ORACLE CLOUD HOSTING AND DELIVERY POLICIES Oracle Cloud-SaaS Hosting and Delivery Policies (PDF)Oracle Cloud-SaaS Hosting and Delivery Policies Oracle Cloud-SaaS Enterprise Hosting and Delivery Policies (PDF)Oracle Cloud-SaaS Enterprise Hosting and Delivery Policies DATA PROCESSING SERVICE AGREEMENT Data Processing Agreement (PDF)Data Processing Agreement ORACLE CLOUD SERVICES DESCRIPTIONS Service Descriptions

24 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Oracle Cloud Services Policies Off-Boarding Off-boarding - To enable customers to obtain their data from their hosted SaaS environments following service contract termination Full Data file is available up to 60 days after contract termination Back up and Recovery Full backups are written to disk daily and copied to tape everyday; backup tapes are sent to offsite facility once a week and retained at an offsite facility for five weeks 1 Hour Recovery Point Objective 12 Hour Recover Time Objective Refreshes Refresh non-production environment with data from production environment Schedule performed once with each release Based on customer request through SR process(opt-in model) Support Traditional customer support through Oracle Support Level 2 & up OPC services include Premier Support with Guaranteed First Response Time for level 1 issues Availability Up to 1 week provisioning process Ability to log in and access service All Customers = 99.5% uptime Environment Upgrades Oracle will perform upgrades to the Customer environments as new services versions become available. Environment Upgrades are scheduled every quarter System Maintenance A 3-hour window will be used for all critical/emergency patches and bug fixes (change mgt policy says qtr, SLO policy says monthly) every two weeks. Targeted to occur during the statistically lightest utilization period for the deployment region. The service is unavailable during maintenance Environments Exadata/Exalogic servers 2 Environments - Production & Staging Additional environments at a fee Additional storage at a fee Cloud Hosting and Delivery policies are available at oracle.com/contractsoracle.com/contracts

25 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle My Oracle Support Support.Oracle.com Service Request Management Priority Handling Knowledge Base Health Checks & Risk Analysis Patch Advice & Upgrade Advisors Configuration Management Automated Service Requests Web 2.0 Capabilities Oracle Expert Community Peer Community 140K+ Members Personalized Dashboard Community Knowledge Seamless Enterprise Manager Integration 24/7 Technical Support 24/7 Online Resources My Oracle Support Community Lifetime Support Product Support Alerts Software Update Tools Security Resources Oracle Explorer Data Collector Embedded Diagnostic Tools Performance Enhancements Feature Enhancements New Releases Security Patches Bug Fixes Integrated Patch Sets Integrated Software (such as Firmware) Updates

27 Copyright 2014 | Oracle and/or its affiliates. All rights reserved. | CONFIDENTIAL Not for Distribution Outside of Oracle Additional Options Additional environments Single Sign On (SAML2) IP Whitelisting Encryption at Rest Database Audit Vault (Fusion Applications only) Database Firewall (Fusion Applications only)