B Security Shield Security Frequently Asked Questions

The following table lists some frequently asked questions about the Oracle Communications Security Shield Cloud Service (Security Shield) and security.

Table B-1

Question Answer
What are the encryption algorithm, key length, and rotation frequency for Security Shield data at rest in the Oracle Cloud Infrastructure? The Oracle Database feature Transparent Data Encryption (TDE) encrypts sensitive data stored in data files. To prevent unauthorized decryption, TDE stores the encryption keys in a security module external to the database, called a keystore. The Security Shield Data Base as a Service (DBaaS) is configured so that the tablespaces of each PDB are encrypted. Each PDB uses a TDE master encryption key with AES-256 encryption. Security Shield uses the Oracle Key Vault to store the Oracle held keys and to distribute the keys. Oracle rotates the keys automatically on a scheduled basis for all CDBs and PDBs. Oracle policy requires rotating keys at least annually.
Are Security events recorded and auditable, especially the events in the list show here?
  • Log in and Log out
  • Access to restricted data
  • Profile changes
  • Admin activities
  • Settings changes
  • Logging changes
  • Access to protected data

Security Shield uses a generic Identity and Access Management capability of the Oracle Cloud Infrastructure called Identity Cloud Service (IDCS). IDCS provides operations that capture log in, log out, and user profile changes and makes them auditable.

The Security Shield provides user activity logging, which records admin activities and settings changes, such as configuration modification, adding, deleting, and modifying devices, and creating, deleting, and modifying Access Control Lists. You can use the activity log for audits.

Security Shield users do not have access to restricted or protected data other than phone numbers. Phone numbers are used to identify the target or source of a fraud attempt, nuisance incident, or a potential security incident.

How does Security Shield protect user Privacy information? Security Shield processes only header information from SIP INVITE and BYTE messages. Any data fields classified as PII Personal Identifiable Information (PII), such as phone numbers and IP addresses, are removed in 30 days after which the data then will no longer retrievable.
Does Security Shield access end user's critical, sensitive information like credit card numbers, account numbers, PINs, and health information? Security Shield processes only SIP signaling messages. It does not have access to media streams, including DMTF. Security Shield does not have access to restricted and protected information such as credit card numbers, account numbers, PIN, health information.
Can access to the Security Shield management portal be restricted to specific IPs? Security Shield Identity Access Management is supported by Oracle Identity Cloud Service (IDCS). IDCS supports Assertion Grant Type (OAUTH2). But further work is needed for federation integration for Security Shield.
Can we federate authentication into the OCSS management portal? PingFederate, SAML? No.
Does the OCSS management portal support multi-factor authentication? Multi-factor authentication is supported by IDCS and can be integrated with Security Shield.
Does Oracle maintain “Break Channel” accounts that allow them to manage the service without seeing our data? General service management is done without access to the customer data. The only way Oracle could have access is viatenant provided credentials to the customer's PDB which would only be used for very specific actions.
Can we bring our own encryption keys? If yes, how to rotate these keys? No, Security Shield does not use static encryption keys with hard-coded algorithms.
Can we bring our own certificates? Yes. TLS certificates must be supplied and configured by the customer for on-premises SW (SBC and CCS). The Cloud Communications Service (CCS) server certificate for TLS-interface facing Oracle Cloud (between CCS and OCSS cloud) should be signed by a trusted CA. Oracle manages the TLS certificates for Security Shield TLS interfaces, which are signed by the Oracle CA (a digicert CA).
Can we rotate the certificates? Yes. Oracle recommends to rotate your certificates every 6 months, at minimum, or every 12 months. Security Shield cloud certificates are required to be rotated annually.
Does the management portal support...
  • Role Based Access (RBAC): Not supported at this time.
  • Users and groups: Partially supported st time.
  • Entitlement reviews: Currently user have all entitlements.
  • Setting password policies (length, content, expiration) Yes; supported through Oracle IDCS (OCI IAM).
Is data stored in the cloud encrypted at rest? Yes. TDE (Oracle Transparent Data Encryption) is used with strong ciphers like AES-256.
Can subscribers back up and restore configurations made in the cloud? No. Security Shield internally backs up configurations and restores them when needed.