1. Lift and Shifted 20TB Oracle EBS to Cloud (OCI)
Oracle E-Business Suite
Running Oracle E-Business Suite on Oracle Cloud Infrastructure
Ref: Oracle Lift and Shift
Running Oracle E-Business Suite on Oracle Cloud Infrastructure | Manjunath Narayanaiah
2. Oracle’s Investments for EBS Customers
Building Upon the Strengths of EBS as an Integrated, Global Suite
3. What is Oracle E-Business Suite on Oracle Cloud
7. Oracle E-Business Suite Cloud Manager
UI for EBS Provisioning, Lift & Shift, and Lifecycle Management
• Environment deployment
• One-Click provisioning
Marketplace image for EBS 12.2.x with Demo Database
• Advanced provisioning
Compute
VM DB Systems (single-node or RAC)
Exadata DB Systems.
• Lift and Shift
This capability enables you to migrate on-premise EBS environments
• Oracle Enterprise Command Center (ECC) Framework Marketplace image
• Lifecycle management
— Optimized backup and restore
— Snapshot-based cloning of EBS with Database in Compute
— Support for databases that have been upgraded to DB 19c in Compute
— Planned: Upgrade on DB Services, Elasticity, DR, Refresh and many more
17. Oracle E-Business Suite Provisioning
One-Click and Advanced Provisioning from EBS Cloud Manager
18. Oracle E-Business Suite Provisioning
Provisioning Options
28. EBS OCI: HA Security Architecture with Single Availability Domain
HPHC - NTT Data |
29. Oracle E-Business Suite Security
Oracle E-Business Suite Security in OCI – Securing Data
30. Securing Data
Oracle E-Business Security
• Encryption, keys, and HSM
• OCI vault and secrets
• OCI storage options
• Private endpoints
• Data Safe
31. Securing Data
E-Business Security: Encryption, keys, and HSM: Encryption
Encryption
• Encryption is used to transform plain text data into ciphertext.
• Decryption is used to transform ciphertext into plain text.
• Encryption key/key pair is generated for a specific algorithm that can be used for encryption or
digital signing.
• AES symmetric keys:
Same key encrypts and decrypts data; cannot be used for digital signing.
• RSA asymmetric keys:
Public key encrypts and private key decrypts data; can be used for digital signing.
• ECDSA keys:
Can be used only for digital signing, not for encryption and decryption of data.
32. Securing Data
E-Business Security: Encryption, keys, and HSM: Hardware Security Module (HSM)
• HSM is a physical computing device:
• Tamper-evident hardware
• Used to manage digital keys
• Performs cryptographic functions
• The OCI Vault service uses HSMs that meet Federal Information Processing Standards (FIPS)
140-2 Security Level 3 security certification:
• Tamper-resistant
• Requires identity-based authentication
• Deletes keys from device when it detects tampering
33. Securing Data
E-Business Security: Types of Keys in Vault
• Master encryption keys
Create master encryption keys or import master encryption keys into vault.
Master encryption keys are used to generate data encryption keys.
• Data encryption keys
Generated by the master encryption key, used to encrypt data
34. Securing Data
E-Business Security: Types of Keys in OCI Vault
• Wrapping keys
Used to encrypt content that is imported into the vault
Provided as part of the vault service free of cost
35. Securing Data
E-Business Security: Types of Keys in OCI Vault: Master Encryption Key – Protection Modes
• Master encryption keys can have one of two protection modes.
• HSM
Such keys are stored in an HSM and cannot be exported from it.
All cryptographic operations happen inside the HSM.
• Software
Such keys are stored on a server and can be exported to perform cryptographic operations.
They are protected by software while at rest and are encrypted by a root key on the HSM.
37. Securing Data
E-Business Security: OCI Storage Options
• Local NVMe devices in Dense I/O shapes:
Provide high performance, but are not protected by OCI.
Protect application data in dense I/O shapes from device failure, instance failure, and
availability domain failure using O/S RAID tools.
• Block storage volumes (boot and block) are highly available within an availability domain.
Clone volumes within an availability domain.
Create block storage backup custom policies to automatically take backups and also
replicate backups to another region for disaster recovery capabilities.
Use volume groups to create point-in-time and crash-consistent backups and clones.
38. Securing Data
E-Business Security: OCI Storage Options
• File Storage
File systems are highly available within an availability domain.
Use snapshots (copy on write) available for file systems to protect from user actions.
Use scripts/tools to copy the data to Object Storage or another AD.
• Object Storage
Objects are highly available within a region (replicated to all availability domains in the
region).
Set retention policies to avoid accidental deletion.
Use replication policies or copy specific objects to another region to protect data from
region failures.
44. Securing Data
E-Business Security: Data Protection – Best Practices
• Encrypt Data
Block storage volumes, file systems, Object Storage objects, Exadata Cloud Service, autonomous
container database, and streaming are encrypted by default with Oracle-managed keys.
An Oracle-managed vault has a master encryption key, which provides a data encryption key to the
respective service to encrypt data.
Thus, any data in these services is encrypted by default.
45. Securing Data
E-Business Security: Data Safe
• Fully integrated Cloud Service focused on protecting sensitive and regulated data in Oracle databases
Cloud databases &
On-premises databases
• Includes features such as
Security assessment
User assessment
Data discovery
Data masking
Activity auditing
46. Securing Data
E-Business Security: Data Safe: Architecture Options
• Oracle Data Safe service is primarily a database and a web application.
47. Securing Data
E-Business Security: Data Safe: Private Endpoints
• It is a network endpoint in a VCN.
• Created in the same VCN where you have OCI databases provisioned:
DB systems and autonomous databases
Only one private endpoint can be created in a VCN.
The private endpoint can be in any subnet of the same VCN.
• The private endpoint needs access to the target database.
Using rules in a network security group in the VCN
48. Securing Data
E-Business Security: Data Safe: Private Endpoints: Architecture
• Private endpoint is a network endpoint within the VCN, through which Data Safe can interact with the
databases in OCI.
49. Securing Data
E-Business Security: Data Safe: Security Assessment
• Initiate security assessment for a specific database from Data Safe.
50. Securing Data
E-Business Security: Data Safe: User Assessment
• Initiate User Assessment for a specific database from Data Safe.
51. Securing Data
E-Business Security: Data Safe: Data Discovery
• Initiate Data Discovery for a specific database from Data Safe.
52. Securing Data
E-Business Security: Data Safe: Data Masking
• Initiate Data Masking for a specific database from Data Safe.
53. Securing Data
E-Business Security: Data Safe: Activity Auditing
• Enable Activity Auditing and view reports for a specific database from Data Safe.
57. Security Posture Management
E-Business Security: Cloud Guard
An OCI service that helps identify and fix issues to achieve and maintain a strong
security posture across all your OCI global regions:
• Monitor (reactively)
• Identify
• Achieve and
• Maintain a strong security posture
58. Security Posture Management
E-Business Security: Cloud Guard: Security Zones
Complements Cloud Guard:
• Cloud Guard detects after some configuration or action happens (reactive).
• Security Zones can prevent some insecure actions from ever happening (blocking).
Provides strong security policy sets as "recipes"
• Aligns with most compliance objectives and security requirements
Policies are enforced when insecure actions are attempted and blocked from happening.
• All attempts are logged.
• All blocked actions include information on what happened and how to correct the attempted
action.
59. Security Posture Management
E-Business Security: Cloud Guard
• An OCI service that helps customers to maintain a strong security posture.
• Covers OCI services: Compute, Networking, IAM, Object Storage, LBaaS, DBaaS, etc.
60. Security Posture Management
E-Business Security: Cloud Guard: Reporting Region
• The reporting region for Cloud Guard is the default region of the tenancy.
Changing the region in the region drop-down list has no effect.
Other regions that are monitored are called monitored regions.
• Targets in all regions can be monitored by Cloud Guard.
• Integration with the Events and Notifications services happens only in the reporting region.
62. Security Posture Management
E-Business Security: Cloud Guard: Concepts
• Target
Defines the scope of a compartment (all resources in it) that Cloud Guard should check
• Detector
Performs checks and identifies potential security problems based on their type and configuration
Organized as detector recipes with rules
• Detector rules
Provide a specific definition of a class of resources, with specific actions or configurations, that cause a detector to
report a problem.
• Detector recipes (collection of detector rules)
Provide the baselines for examining the resources and activities in the target
63. Security Posture Management
E-Business Security: Cloud Guard: Concepts
• Problem
Any action or setting on a resource that could potentially cause a security problem
• Responder
An action that Cloud Guard can take when a detector has identified a problem
• Responder Rules
Define the specific actions to take. If any one responder rule is triggered, it triggers the responder.
• Responder recipes (Collection of Responder Rules)
Define the action or set of actions to take in response to a problem that a detector has identified
64. Security Posture Management
E-Business Security: Cloud Guard: Problem Lifecycle
• Problems can be: Database is not backed up aut
Remediated - Fixed using Cloud Guard responder
Resolved - Fixed by other process
Dismissed - ignored/closed
• If Cloud Guard detects an issue again for an Open (unresolved) problem, it will update the problem history but
will not create a new problem.
• If Cloud Guard detects an issue for a previously resolved configuration problem, it will re-open the issue and
update the history.
• If Cloud Guard detects an issue for a previously dismissed configuration problem, it will update the history.
• If Cloud Guard detects an issue for a previously resolved/dismissed activity problem, it will create a new
problem.
• Fix the problem or fix the baseline
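The re-detection rules on this slide can be modelled as a small state machine. The following is an added example, not code from the presentation or from Oracle; the class, state and key names are assumptions, and treating a remediated problem like a resolved one is also an assumption, since the slide names only resolved and dismissed.

```python
# Added example: simplified model of the re-detection rules on this slide.
# Class, state and field names are illustrative assumptions, not the OCI API.
from dataclasses import dataclass, field

OPEN, REMEDIATED, RESOLVED, DISMISSED = "OPEN", "REMEDIATED", "RESOLVED", "DISMISSED"


@dataclass
class Problem:
    key: str    # constructed identifier: detector rule + resource
    kind: str   # "configuration" or "activity"
    state: str = OPEN
    history: list = field(default_factory=list)


class ProblemTracker:
    def __init__(self):
        self.problems = []  # every problem ever created, oldest first

    def _latest(self, key):
        for problem in reversed(self.problems):
            if problem.key == key:
                return problem
        return None

    def _create(self, key, kind, note):
        problem = Problem(key, kind, history=[f"detected: {note}"])
        self.problems.append(problem)
        return problem

    def detect(self, key, kind, note):
        """Apply one detector finding and return the problem it lands on."""
        problem = self._latest(key)
        if problem is None:
            return self._create(key, kind, note)
        if problem.state == OPEN:
            # Still unresolved: history is updated, no new problem.
            problem.history.append(f"detected again: {note}")
            return problem
        if kind == "activity":
            # Closed activity problem: a fresh problem is created.
            return self._create(key, kind, note)
        if problem.state == DISMISSED:
            # Dismissed configuration problem: history only, stays dismissed.
            problem.history.append(f"detected while dismissed: {note}")
            return problem
        # Resolved configuration problem is re-opened. REMEDIATED is handled
        # the same way here, which is an assumption; the slide names only
        # resolved and dismissed.
        problem.state = OPEN
        problem.history.append(f"re-opened: {note}")
        return problem

    def close(self, key, state):
        """Mark the latest problem for key REMEDIATED, RESOLVED or DISMISSED."""
        if state not in (REMEDIATED, RESOLVED, DISMISSED):
            raise ValueError(f"not a closing state: {state}")
        problem = self._latest(key)
        if problem is None or problem.state != OPEN:
            raise LookupError(f"no open problem for {key}")
        problem.state = state
        problem.history.append(f"closed as {state}")
        return problem


def demo():
    """Replay constructed findings; return (problem count, states)."""
    t = ProblemTracker()
    cfg, act = "config-rule/bucket-a", "activity-rule/user-b"  # constructed keys
    t.detect(cfg, "configuration", "scan 1")
    t.detect(cfg, "configuration", "scan 2")   # open -> history only
    t.close(cfg, RESOLVED)
    t.detect(cfg, "configuration", "scan 3")   # resolved -> re-opened
    t.close(cfg, DISMISSED)
    t.detect(cfg, "configuration", "scan 4")   # dismissed -> history only
    t.detect(act, "activity", "event 1")
    t.close(act, DISMISSED)
    t.detect(act, "activity", "event 2")       # closed activity -> new problem
    return len(t.problems), [p.state for p in t.problems]


if __name__ == "__main__":
    print(demo())
```

A dismissed configuration problem stays dismissed however often it is detected again, so dismissal works as a standing suppression and is worth reviewing periodically.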
65. Security Posture Management
E-Business Security: Cloud Guard: Enable Cloud Guard
• Enable Cloud Guard in the tenancy.
• IAM policies are required to allow the Cloud Guard service to read/use various resources in the tenancy.
• Configure OCI IAM groups who will have Cloud Guard related privileges.
Make OCI IAM users who need these privileges members of respective OCI IAM groups.
Configure OCI IAM policies to grant privileges to appropriate OCI IAM groups.
• In the OCI menu, go to Security -> Cloud Guard and enable Cloud Guard.
You can enable across tenancy
Or only specific compartments
• Choose detector recipe.
• Enable Cloud Guard.
• As an ongoing activity, customize the Cloud Guard configuration as required.
67. Security Posture Management
E-Business Security: Cloud Guard: Managing Targets
• Add targets to expand or change the scope of what Cloud Guard monitors.
Target can be entire tenancy or any combination of compartments.
• Change the detector and responder recipes added to a target.
• Change the settings for individual rules in the recipe.
68. Security Posture Management
E-Business Security: Cloud Guard: Managing Detector Recipes
• View, clone, and modify detector recipes to fit the specific security needs of your environment.
Oracle-Managed recipes - you cannot modify them
User-Managed recipes - cloned from Oracle-Managed and can be modified by you
• Each detector recipe consists of a set of detector rules (which report a problem).
• Compartment Inheritance for recipes
Detector recipes applied to a compartment are also inherited by its child compartments.
• Inheritance for Detector Rules fields (lower-level rules override)
• Oracle, tenant, target, descendant compartments of a target
69. Security Posture Management
E-Business Security: Cloud Guard: Managing Responder Recipes
• View, clone, and modify responder recipes to fit the specific security needs of your environment.
• Each responder recipe uses multiple responder rules, each of which defines the specific actions to
take.
• Clone Oracle-Managed Responder recipes and create User-Managed Responder recipes to fine-tune
the recipes.
70. Security Posture Management
E-Business Security: Cloud Guard: Managing Lists
• A managed list is a reusable list of parameters that makes it easier to set the scope for detector
and responder rules.
• A managed list is a tool that can be used to apply certain configurations to detectors.
• A predefined "Trusted Oracle IP address space" list contains all the Oracle IP addresses that you
want to regard as trusted when you define rules for detectors and responders.
• Cloud Guard also lets you define your own managed lists as needed.
71. Security Posture Management
E-Business Security: Cloud Guard: Processing Reported Problems
Processing problems, which is at the core of the functionality that Cloud Guard provides, involves:
• Prioritizing problems to focus on highest risks
• Examining problem details to determine what's happening
• Resolving each problem to ensure that risks are countered and "false alarms" do not continue in
the future
• Examining problem details to determine what's happening.
Problem page
• Resolving each problem to ensure that risks are countered and "false alarms" do not continue in
the future
Responder Activity page
72. Security Posture Management
E-Business Security: Cloud Guard: Notifications
• Use OCI Events and Notifications services to send notifications, whenever Cloud Guard detects a problem for
which you want to be notified.
• Use the Notification Responder - Cloud Event that can emit problem details to Events Service.
• The Cloud Event responder rule is part of the Responder recipe, which needs to be attached to a
corresponding target or targets
• You must set up Events and Notifications from your Cloud Guard Reporting Region, which aggregates
problems from the monitored regions and sends out the Cloud Event from the Reporting Region.
• Ensure that the Compartment selected for the Event rule is either the compartment where the resource
exists, or a parent of that compartment.
• If you are processing problems entirely within Cloud Guard, you do not need to configure notifications.
73. Security Posture Management
E-Business Security: Cloud Guard: Integration with Events and Notifications Services
74. Security Posture Management
E-Business Security: Security Zone
• An OCI service that supplements Cloud Guard
• Customers use predefined security zone policies (provided by Oracle).
• Enforce (proactively) those policies on OCI resources in a compartment.
75. Security Posture Management
E-Business Security: Security Zone: Tenets
• Security Zones are special - they contain sensitive data and resources.
• Security Zones are restrictive by design.
• Public access is evil - sensitive data should be protected from the Internet as much as possible.
• Security Zones make it difficult to create weak security postures and configurations.
• Compartments are associated with a security zone only when the compartment is created.
• For GA, any child compartments are part of the same security zone as the parent compartment.
76. Security Posture Management
E-Business Security: Security Zone Concepts
• Security Zone
An association between a compartment and a security zone recipe
• Security Zone Recipe
A collection of security zone policies
• Security Zone Policy
A security requirement for resources in a security zone
77. Security Posture Management
E-Business Security: Security Zone Concepts
Oracle Security Zones
An association between a compartment and a security zone recipe. Resource operations in a security zone are
validated against all policies in the recipe.
Security zone recipe
A collection of security zone policies. Your tenancy has a predefined recipe named Maximum Security Recipe,
which includes all available security zone policies. Oracle manages this recipe, and you can’t modify it.
78. Security Posture Management
E-Business Security: Security Zone Concepts
Security zone policy
A security requirement for resources in a security zone. In general, security zone policies align with these
security principles:
• Resources can't be moved from a security zone to a standard compartment because it might be less secure.
• Data in a security zone can't be copied to a standard compartment because it might be less secure.
• All the required components for a resource in a security zone must also be located in a security zone.
Resources that are not in a security zone might be vulnerable. For example, a compute instance in a security
zone can't use a boot volume that is not in a security zone.
• Resources in a security zone must not be accessible from the public Internet.
• Resources in a security zone must be encrypted using customer-managed keys.
• Resources in a security zone must be regularly and automatically backed up.
• Resources in a security zone must use only configurations and templates approved by Oracle.
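The principles above, together with the earlier tenet that child compartments belong to the same security zone as their parent, can be expressed as a pre-deployment check. This is an added example, not code from the presentation or from Oracle; the compartment tree, resource fields and denial messages are assumptions, and the "configurations approved by Oracle" principle is not modelled.

```python
# Added example: simplified model of security zone validation.
# The compartment tree, resource fields and messages are assumptions,
# not the OCI API or the Maximum Security Recipe itself.

def in_security_zone(compartment, parents, zone_roots):
    """Child compartments belong to the same zone as their parent."""
    while compartment is not None:
        if compartment in zone_roots:
            return True
        compartment = parents.get(compartment)
    return False


def validate(operation, parents, zone_roots):
    """Return the reasons an operation is denied; an empty list means allowed."""
    res = operation["resource"]
    if not in_security_zone(res["compartment"], parents, zone_roots):
        return []  # standard compartment: zone policies do not apply
    denied = []
    target = operation.get("move_to")
    if target and not in_security_zone(target, parents, zone_roots):
        denied.append("resource cannot move to a standard compartment")
    for dep in res.get("requires", []):
        if not in_security_zone(dep["compartment"], parents, zone_roots):
            denied.append(f"{dep['name']} is not in a security zone")
    if res.get("public"):
        denied.append("resource must not be reachable from the public Internet")
    if res.get("key") != "customer-managed":
        denied.append("resource must use a customer-managed key")
    if not res.get("auto_backup"):
        denied.append("resource must be backed up automatically")
    return denied


# Constructed sample data: "prod" is a security zone, "prod-db" its child.
PARENTS = {"prod": "root", "prod-db": "prod", "dev": "root", "root": None}
ZONES = {"prod"}

GOOD = {"resource": {"compartment": "prod-db", "key": "customer-managed",
                     "auto_backup": True, "public": False,
                     "requires": [{"name": "boot-vol", "compartment": "prod"}]}}
BAD = {"resource": {"compartment": "prod-db", "key": "oracle-managed",
                    "auto_backup": True, "public": True,
                    "requires": [{"name": "boot-vol", "compartment": "dev"}]},
       "move_to": "dev"}

if __name__ == "__main__":
    print(validate(GOOD, PARENTS, ZONES))
    for reason in validate(BAD, PARENTS, ZONES):
        print("denied:", reason)
```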
79. Security Posture Management
E-Business Security: Security Zone Concepts
• Enforce (proactively) security policies on OCI resources in a compartment.
80. Security Posture Management
E-Business Security: Security Zone Recipes
• A recipe is a collection of security zone policies.
• When you create/manage an OCI resource in a security zone, OCI automatically validates the policies within
the recipe that is assigned to the security zone.
• Oracle has a predefined recipe named Maximum Security recipe.
You cannot edit/manage this recipe.
81. Security Posture Management
E-Business Security: Security Zone Policy Principles
• OCI validates resource management tasks with security policies.
If a policy is violated, then the operation is denied.
• Each policy impacts one or more OCI resources, and policies are categorized by security principles:
Restrict resource movement
Restrict resource association
Deny public access
Require encryption
Ensure data durability
Ensure data security
Use only configurations approved by Oracle
82. Security Posture Management
E-Business Security: Management Security Zones
• You can create and delete security zones.
Each security zone is associated with a single compartment.
The compartment name is the same as the security zone.
• Identify the policies to be enforced in security zones.
Each security zone is assigned a security recipe.
• A security zone can have sub/children compartments that are also security zones.
83. Security Posture Management
E-Business Security: Security Zones: Policy Principles
• Any resource created within a security zone will have to abide by the security policies.
Examples:
84. Security Posture Management
E-Business Security: Security Zones: IAM Policy
• Within tenancy, create OCI IAM policies to control who has access to security zones and recipes.
• Specify who has what type of control.
85. Oracle E-Business Suite Lifecycle Management
Oracle E-Business Suite Lifecycle Management with EBS Cloud Manager
90. Oracle E-Business Suite Backup and Restore
91. Oracle E-Business Suite Backup and Restore
92. Oracle E-Business Suite Backup and Restore
Create a Backup
93. Oracle E-Business Suite Backup and Restore
Scheduling of Backups — Create Policy
94. Oracle E-Business Suite Backup and Restore
Scheduling of Backups — Attaching Backup Policy to EBS Environment
95. Oracle E-Business Suite Backup and Restore
Provisioning from Backup
107. Advanced Lift and Shift - Reduced down time
Provisioning and Configuration Process
108. Advanced Lift and Shift - Reduced down time
Provisioning and Configuration Process
109. Advanced Lift and Shift - Reduced down time
Provisioning and Configuration Process
110. Advanced Lift and Shift
Promote EBS Standby into Production