Oracle Diagnosibility Products.doc

Oracle Security, Identity Management and Governance, Risk and Compliance Solutions Overview

By: Roger Drolet CPA, MBA, CISA, CITP

Copyright © Roger Drolet, CPA, MBA, CISA, CITP 2010. All rights reserved. Oracle Security in Release 12 Effective 13-Apr-2009 Page 1 of 23 Rev 1

Summary

I wrote this whitepaper to help you become familiar with the Oracle Applications included in the Oracle Security, Identity Management (IDM) and Governance, Risk and Compliance (GRC) suites. Most of these applications are relatively new and your company may not have purchased the licenses to use these applications.

Use Oracle’s Incentive to your Advantage

Through acquisitions and/or development, Oracle offers several Oracle Diagnosability Products for free. It is in Oracle’s best interests to do this because Oracle Support can significantly reduce its support costs if your Oracle users learn to use these diagnostic tools effectively and efficiently. Obviously, it is also in your company’s best interests to reduce the time it currently takes to resolve service requests (SRs) with Oracle. This provides more time for your employees to spend working on core business activities.

Facilitate Risk Assessment and Risk Management

As you review this whitepaper you will come to realize that Oracle Security, IDM and GRC applications provide an Enterprise Security Solution. Using these applications, your company can centralize all security, identity management and GRC activities and provide senior management with dashboards that they can use to drill down into individual business processes and controls. Unfortunately, these solutions are not free and they require the purchase of hardware, software licenses, consulting and other project-related products and services.

Cost-Effective Risk Assessment Tools

The Oracle Diagnosability Products are free. They require no additional hardware or software licenses. You may have to apply a few patches, but the effort is minimal compared to the benefits you will realize by using these tools. You can use these tools immediately to assess Oracle E-Business Security and to assess Oracle Application Configuration for compliance with Oracle and industry best practices.

Monitor Implementation and Configuration during Implementation

You can also use the Oracle Diagnosability Products to monitor the setup and configuration of your Oracle applications concurrently with other project activities. For example, you may want to complete an initial assessment before conducting UAT, after final setup and configuration in the production instance and at other times on an ad hoc basis.

Oracle Security, IDM and GRC Solutions

Introduction

This whitepaper identifies the Oracle applications, which are included in the Oracle Security, Identity Management (IDM), and Governance, Risk and Compliance (GRC) solutions that are available with Release 12. This whitepaper will identify and provide a brief description of each Oracle application included in these suites of Oracle applications. I will also identify some of the other Oracle features you can define, configure and implement to improve security and ensure that your Oracle applications are configured using Oracle and Industry best practices.

This whitepaper is not intended to be a definitive guide to Oracle Security, Identity Management and Governance, Risk and Compliance (GRC); however, it will provide you with a very good framework that you can use to drill down into more detail for each of these applications.

Oracle Security, IDM and GRC Solutions

− Security
− Oracle Identity Management
− Governance, Risk and Compliance

Oracle Database Security Products

− Oracle Database Vault
− Oracle Audit Vault
− Oracle Configuration Management
− Oracle Total Recall
− Oracle Advanced Security
− Oracle Data Masking
− Oracle Label Security
− Oracle Secure Backup

Oracle Database Vault

Reduce the Cost of Protecting Data

Oracle Database Vault helps organizations address regulatory mandates and increase the security of existing applications. Regulations such as Sarbanes-Oxley, Payment Card Industry (PCI) Data Security Standard (DSS), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and similar global directives call for separation-of-duties and other preventive controls to ensure data integrity and data privacy. With Oracle Database Vault, organizations can pro-actively safeguard application data stored in the Oracle database from being accessed by privileged database users. Application data can be further protected using Oracle Database Vault's multi-factor policies that control access based on built-in factors such as time of day, IP address, application name, and authentication method, preventing unauthorized ad-hoc access and application by-pass.

Oracle Audit Vault

Reduce the Cost of Compliance Reporting and Database Monitoring

Oracle Audit Vault reduces the cost and complexity of compliance and the risk of insider threats by automating the collection and consolidation of audit data. It provides a secure and highly scalable audit warehouse, enabling simplified reporting, analysis, and threat detection on audit data. In addition, database audit settings are centrally managed and monitored from within Audit Vault, reducing IT security cost. With Oracle Audit Vault, organizations are in a much better position to enforce privacy policies, guard against insider threats, and address regulatory requirements such as Sarbanes-Oxley and PCI.

Other Audit Vault Resources

− Audit Vault Collection Agent Configuration for RAC Database - Step by Step Guide
− Mandatory Patches to be applied on Oracle Audit Vault 10.2.2.0.0

Oracle Configuration Management

Increase the security of your Oracle databases

Oracle Configuration Management pack for Enterprise Manager helps organizations increase the security of their Oracle databases and comply with IT control frameworks such as Control Objectives for Information and related Technology (COBIT) and Committee of Sponsoring Organizations of the Treadway Commission (COSO) "Internal Control - Integrated Framework" as required by Sarbanes-Oxley and similar global directives. Oracle Configuration Management combines discovery, vulnerability scanning, compliance benchmarking, and central management of database configuration to detect and prevent configuration drift or unauthorized configuration changes. Additionally, Configuration Management's Critical Patch Update Advisory feature alerts customers to critical patches issued by Oracle and immediately identifies those systems across the enterprise that may require the new critical patch, optionally invoking the patch wizard to automatically deploy the patch, ensuring application databases are always up-to-date and protected.

Oracle Total Recall

Increase Security and Reduce the Cost of Storing Historical Data

Regulatory oversight such as Sarbanes-Oxley, HIPAA, Basel-II, as well as internal audits, require companies to keep historical data available for long periods of time. Oracle Total Recall with Oracle Database 11g Enterprise Edition helps companies store this data in a secure, tamper proof database while keeping it accessible to existing applications. Total Recall requires no application changes or special interfaces and provides the optimal storage footprint. Managing historical data should no longer be an onerous task. Oracle Total Recall provides a secure, efficient, easy-to-use and application-transparent solution for long-term storage and audit of historical data.

Oracle Advanced Security

The Most Cost-Effective Solution for Comprehensive Data Protection

Oracle Advanced Security helps organizations comply with privacy and regulatory mandates such as Sarbanes-Oxley, Payment Card Industry (PCI) Data Security Standard (DSS), Health Insurance Portability and Accountability Act (HIPAA), as well as numerous breach notification laws. With Oracle Advanced Security, customers can transparently encrypt all application data or specific sensitive columns, such as credit cards, social security numbers, or personally identifiable information (PII). By encrypting data at rest in the database as well as whenever it leaves the database over the network or via backups, Oracle Advanced Security provides the most cost-effective solution for comprehensive data protection.

Oracle Data Masking

Reduce the Cost of Securing Your Nonproduction Environments

Oracle Data Masking pack for Enterprise Manager helps organizations comply with data privacy and protection mandates such as Sarbanes-Oxley, Payment Card Industry (PCI) Data Security Standard (DSS), Health Insurance Portability and Accountability Act (HIPAA), as well as numerous laws that restrict the use of actual customer data. With Oracle Data Masking, sensitive information such as credit card or social security numbers can be replaced with realistic values, allowing production data to be safely used for development, testing, or sharing with out-source or off-shore partners for other non-production purposes. Oracle Data Masking uses a library of templates and format rules, consistently transforming data in order to maintain referential integrity for applications.

Oracle Label Security

Classify and mediate access to data based on its classification

Oracle Label Security is a powerful and easy-to-use tool for classifying data and mediating access to data based on its classification. Designed to meet public sector requirements for multi-level security and mandatory access control, Oracle Label Security provides a flexible framework that both government and commercial entities worldwide can use to manage access to data on a "need to know" basis in order to protect data privacy and achieve regulatory compliance.

Oracle Secure Backup

Integrated Data Protection for Tape Backup and Internet (Cloud) Storage

Centralized tape backup management with Oracle Secure Backup provides an integrated, easy-to-use backup solution that encrypts data to tape to safeguard against the misuse of sensitive data in the event that backup tapes are lost or stolen. The Oracle Secure Backup Cloud module delivers efficient Oracle database backups to Amazon S3 through tight integration with Oracle Recovery Manager.

A Versatile Solution with Innovative Licensing

Oracle Secure Backup with Oracle Database 11g delivers high performance network tape backups for Oracle Databases and file systems on Linux, UNIX, and Windows platforms with support for over 200 different tape devices from leading vendors. The Oracle Secure Backup Cloud module complements your existing backup strategies and can run independent of Oracle Secure Backup tape management offerings. With a low entry cost of $3,500 per physical tape drive, Oracle Secure Backup is ideal for small and midsized businesses and large enterprises alike.

Oracle Identity Management Solutions

− Oracle Access Manager
− Oracle Adaptive Access Manager
− Oracle Identity Manager
− Oracle Role Manager
− Oracle Identity Federation
− Oracle Internet Directory
− Oracle Virtual Directory
− Oracle Web Services Manager
− Oracle Enterprise Single Sign-On Suite
− Oracle Entitlements Server
− Oracle Management Pack for Identity Management
− Oracle Authentication Services for Operating Systems

Oracle Access Manager

User Access Management for Secure Business Interactions

Oracle Access Manager allows users of your applications or IT systems to log in once and gain access to a broad range of IT resources. Oracle Access Manager provides an identity management and access control system that is shared by all your applications. The result is a centralized and automated single sign-on (SSO) solution for managing who has access to what information across your entire IT infrastructure. Oracle Access Manager is available as a stand-alone product or as part of Oracle Identity & Access Management Suite.

Oracle Adaptive Access Manager

Strong Authentication and Proactive, Real-Time Fraud Prevention

Rapid growth in online commerce has brought increasing sophistication of internet fraud. Threats from Phishing, Pharming, Trojans, Key Logging, and Proxy Attacks, combined with regulations and mandates (such as FFIEC, HIPAA, PCI) governing online data privacy, place online security at a premium. Customers must feel protected for online business channels to grow. Oracle Adaptive Access Manager provides superior protection for businesses and their customers through strong yet easy-to-deploy multifactor authentication and proactive, real-time fraud prevention.

Oracle Identity Manager

Core Technology for User Provisioning and Cost-Efficient Compliance

The rights and attributes of each person who accesses your IT system continually change as roles, rules, and policies evolve within your enterprise. The challenge is compounded during mergers and acquisitions, and when sharing IT privileges with business partners and customers. Add to that, the burden associated with meeting regulatory and privacy requirements such as SOX, HIPAA, HSPD12, and many others. Oracle Identity Manager is a best-in-class user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories; and improves regulatory compliance by providing granular reports that attest to who has access to what. Oracle Identity Manager is available as a stand-alone product or as part of Oracle Identity & Access Management Suite.

Oracle Role Manager

Comprehensive Enterprise Role Management

In today's regulatory compliance environment, organizations need a holistic view of their business users, job functions, and associated entitlements. Attempting this manually often results in chaos, frustration, and failed projects. Oracle Role Manager provides enterprise class role lifecycle management capabilities, helping strengthen regulatory compliance, and alleviating associated costs. It acts as the authoritative source for the relationships between business users, organizations, and entitlements, thus enabling automation of role based provisioning and access control across the IT infrastructure. This also provides enterprise applications rich role information enabling automation of business transactions for approval and routing.

Oracle Identity Federation

Cross-Domain User Access for Improved Business Integration

Oracle Identity Federation is an industry-leading federation solution providing a self-contained and flexible multi-protocol federation server that can be rapidly deployed with your existing identity and access management systems. Support for leading standards-based protocols ensures interoperability to share identities across vendors, customers, and business partners without the increased costs of managing, maintaining, and administering additional identities and credentials. Oracle Identity Federation is available as a stand-alone product or as part of Oracle Identity & Access Management Suite.

Oracle Internet Directory

The Foundation for Robust Identity Management Deployments

The past decade has seen an explosion in the number of web-based applications. To gain control over the vast number of user accounts within these applications, many companies have deployed one or more LDAP directories. These often require multiple security systems to secure physical access, to secure legacy applications, and to secure network access. Oracle offers state-of-the-art LDAP directory services as well as integrated supporting technologies that allow large enterprises to provide greater directory functionality in a wide array of deployments.

Oracle Virtual Directory

The Foundation for Robust Identity Management Deployments

The past decade has seen an explosion in the number of web-based applications. To gain control over the vast number of user accounts within these applications, many companies have deployed one or more LDAP directories. These often require multiple security systems to secure physical access, to secure legacy applications, and to secure network access. Oracle offers state-of-the-art LDAP directory services as well as integrated supporting technologies that allow large enterprises to provide greater directory functionality in a wide array of deployments.

Oracle Web Services Manager

Deploy Web Services in a Secure Environment

As Web services have become a common method for integrating systems, services are now exposed to the Internet for use by customers, business partners, and partners of those partners. As a result, access control and auditing are ever more urgent requirements. To provide effective access control, the concepts of identity management and SOA management must merge. Oracle is leading this trend. Oracle Web Services Manager is a J2EE application designed to define and implement Web services security in heterogeneous environments, provide tools to manage Web services based on service-level agreements, and allow the user to monitor runtime activity in graphical charts.

Oracle Enterprise Single Sign-On Suite

User Access Management across Legacy Applications

Oracle Enterprise Single Sign-On Suite provides users with unified sign-on and authentication across all their enterprise resources, including desktops, client-server, and custom and host-based mainframe applications. Even if users travel or share workstations, they can enjoy the flexibility of a single log-on that eliminates the need for multiple usernames and passwords and helps enforce strong password and authentication policies.

Oracle Entitlements Server

Centralized Fine-Grained Authorization Policies for Enterprise Applications

Evolving business and regulatory conditions can drive changes to the security and regulatory policies that govern your business. However, for most applications these policies are embedded in their code, making it difficult to change, and nearly impossible to monitor and audit. Oracle Entitlements Server (formerly BEA AquaLogic Enterprise Security) externalizes and centralizes fine-grained authorization policies for enterprise applications and web services. This is achieved via comprehensive, reusable, and fully auditable authorization policies and a simple, easy-to-use administration model.

Oracle Management Pack for Identity Management

Proactively Manage Performance, Availability, and Service Levels for Identity Services

As identity management grows more pervasive and becomes increasingly mission-critical, organizations are looking for ways to streamline management and monitoring. Oracle Management Pack for Identity Management addresses these needs by providing a comprehensive, integrated enterprise management solution for Oracle Identity Management.

Oracle Authentication Services for Operating Systems

Enforcing Security and Compliance Across Diverse Platforms

Traditional user management approaches such as local account management or Network Information Service (NIS) can be cost-prohibitive, lack consistent policy enforcement, and leave organizations open to significant policy concerns. The Oracle Authentication Services for Operating Systems offers Linux and UNIX environments a centralized, secure and seamless user authentication infrastructure. Oracle Authentication Services for Operating Systems is available as part of the Oracle Directory Services offering and leverages Oracle Internet Directory, which is proven to scale across billions of users.

Oracle Governance, Risk and Compliance (GRC) Solutions

Oracle GRC Solutions include the following products:

− GRC Reporting and Analytics
− GRC Process Management
− GRC Application Controls
− GRC Infrastructure Controls

GRC Reporting and Analytics

− Fusion GRC Intelligence

Fusion GRC Intelligence

Gain Transparency to Control Status. Accelerate Risk Responsiveness. Deliver User-Tailored Intelligence.

Oracle Fusion Governance, Risk, and Compliance Intelligence (GRC Intelligence) empowers you to stay on top of critical organizational compliance and risk management activities. Fusion GRC Intelligence offers enhanced visibility into your organization's compliance readiness and responsiveness by providing risk, control, and performance analytics and dashboards. Robust reporting capabilities help validate control design and operating effectiveness against access policies and segregation of duties conflicts. The interactive solution enables GRC professionals to effectively plan, model, report and analyze GRC activities so that potential issues are identified earlier and corrective actions are more timely and informed.

GRC Process Management

Oracle Governance, Risk, and Compliance Manager

Through converging global compliance standards and accelerating performance expectations, organizations are facing greater complexity in coordinating and managing their governance, risk and compliance initiatives. Based on best-practice frameworks such as COSO, COBIT, ITIL and others, Oracle Governance, Risk, and Compliance Manager (GRC Manager) automates the management of internal controls and improves the efficiency of an organization's compliance processes. GRC Manager monitors business process risk and control performance across the enterprise, automatically highlighting areas of control weakness, and initiating corrective actions with automated loss and investigations management. Whether your organization leverages the Oracle E-Business Suite, PeopleSoft Enterprise, Siebel, JD Edwards World, SAP, legacy or homegrown applications, Oracle GRC Manager works across diverse applications and system environments.

GRC Application Controls

− Application Access Controls Governor
− Configuration Controls Governor
− Transaction Controls Governor
− Preventive Controls Governor

Application Access Controls Governor

Real-Time Enforcement of Segregation of Duties and Access Policies

The ability to fine-tune user access—and to track that access—is key to complying with regulatory requirements and ensuring corporate security. Oracle Application Access Controls Governor provides real-time monitoring and proactive enforcement of crucial access policies, such as those that support segregation of duties (SOD). The system anticipates potential SOD conflicts before they arise, and even prevents any assignment of roles or responsibilities within an application that would compromise proper segregation of duties. Application Access Controls Governor also extends key access controls to "super-users" and temporary or contract workers.

Configuration Controls Governor

Real-Time Enforcement of Segregation of Duties and Access Policies

The ability to fine-tune user access—and to track that access—is key to complying with regulatory requirements and ensuring corporate security. Oracle Application Access Controls Governor provides real-time monitoring and proactive enforcement of crucial access policies, such as those that support segregation of duties (SOD). The system anticipates potential SOD conflicts before they arise, and even prevents any assignment of roles or responsibilities within an application that would compromise proper segregation of duties. Application Access Controls Governor also extends key access controls to "super-users" and temporary or contract workers.

Transaction Controls Governor

Continuous Monitoring of Business Transactions

You can't enforce internal controls if you don't know when they are being broken. Oracle Transaction Controls Governor continuously monitors transactions against policies to detect suspicious transactions or inappropriate business practices. The system proactively alerts the appropriate stakeholders for effective and timely remediation of violations. Oracle Transaction Controls Governor tracks events that indicate:

• Potential violation of internal controls - for example, an employee raises multiple requisitions for a single purchase totaling an amount greater than her approval level
• Heightened levels of risk - for instance, an unexpected delay in anticipated cash receipts which would result in a shortfall in projected cash flow
• Reportable events - for example, a foreign subsidiary writes off a significant bad debt

Preventive Controls Governor

Ensure Data Quality and Privacy with Granular Control

Control over the quality of applications data starts at the user level. Without such control, your company is left open to mistakes, loss of data, and fraud. The Oracle Preventive Controls Governor provides fine-grained control over user viewing and editing of key data, while tracking changes (or attempted changes) by users. With it, you can limit or control which data fields application users can change or see, and define the types of data users can input in various fields, and limit the values of transactions to enforce regulatory or corporate guidelines. The Oracle Preventive Controls Governor provides not only assured regulatory compliance and protection against fraud, but also the prevention of many common data-entry errors.

GRC Infrastructure Controls

− Identity Manager
− Access Manager
− Role Manager
− Database Vault
− Audit Vault
− Advanced Security
− Secure Backup
− Enterprise Manager
− Universal Content Management
− Universal Records Management
− Information Rights Management

The following GRC Infrastructure Controls are also listed as either Oracle Security or Oracle Identity Management Solutions:

− Identity Manager
− Access Manager
− Role Manager
− Database Vault
− Audit Vault
− Advanced Security
− Secure Backup

Enterprise Manager

− Applications Management
− Database Management
− Middleware Management
− Configuration Management
− Quality Management
− User Experience Management
− Heterogeneous Support

Applications Management

Complete Solution for Managing Oracle Applications and Infrastructure

Oracle provides the most comprehensive management solution for Oracle E-Business Suite, PeopleSoft, and Siebel applications with its unique top-down approach. Only Oracle provides a single management solution that gives you the ability to proactively monitor the health of all application processes and components—including the underlying middleware and databases as well as the virtual and physical hosts they run on.

Database Management

Get Maximum Performance with ROI of 100%

Oracle provides an integrated management solution for managing Oracle database with a unique top-down application management approach. With new self-managing capabilities, Oracle eliminates time-consuming, error-prone administrative tasks, so database administrators can focus on strategic business objectives instead of performance and availability fire drills. Oracle Management Packs for Database provide significant cost and time-saving capabilities for managing Oracle Databases. Independent studies demonstrate that Oracle Database is 40 percent easier to manage over DB2 and 38 percent over SQL Server.

Middleware Management

Manage SOA Applications and Infrastructure with Less Effort

Oracle provides the most complete and integrated management solution for Oracle Fusion Middleware with Oracle Enterprise Manager's unique top-down approach. Oracle Enterprise Manager automatically discovers all Oracle Fusion Middleware components and their interdependencies and provides industry best practices built into dashboards for system, services, and compliance.

For Oracle WebLogic Server, Oracle Enterprise Manager provides a complete management solution in a single console. You can track diagnostics for applications and Web services, including low-overhead monitoring; view historical and real-time application performance on any JVM including Oracle JRockit; and trace in-flight transactions and cross-tier performance with the Oracle Database. Features such as auto-discovery and configuration tracking for Oracle WebLogic Server, and its underlying hardware and operating system, simplify compliance and help you diagnose hard-to-locate issues resulting from configuration changes.

Oracle Enterprise Manager also offers extensive SOA management capabilities, spanning Oracle BPEL, and Oracle Service Bus. You can now use an integrated solution for managing Oracle Service Bus, Oracle BPEL, and Oracle WebLogic Server to quickly resolve performance, availability, and configuration related issues across the entire SOA environment.

Configuration Management

Reduce the Cost of IT Compliance

  • Oracle Configuration Management Pack enhances Oracle Enterprise Manager with comprehensive configuration management for the entire Oracle application environment. Oracle Configuration Management Pack includes two key components; the Configuration Change Console and the Application Configuration Console. With its built-in configuration automation, the Configuration Change Console helps reduce IT costs and mitigates risk by automatically detecting, validating, and reporting authorized and unauthorized configuration changes in real time—ultimately leading to accelerated IT compliance and operational efficiencies. By automating the way configurations are managed and tracked throughout the application lifecycle, the Application Configuration Console ensures configuration consistency across development and production environments. The Application Configuration Console with its 100+ built-in application blueprints helps reduce complexity while improving application performance and availability. As a result, customers benefit from higher IT service quality, lower total cost of ownership for their enterprise applications and improved business agility Learn More Quality Management Reduce Testing Effort by Up to 80% Oracle Application Quality Management provides a comprehensive set of testing solutions for mission-critical applications. These solutions deliver a unique blend of highly automated testing functions for packaged and SOA applications and feature the industry's first and only database testing solution that employs real production workloads. Oracle Application Quality Management plays a key role in Oracle Enterprise Manager's top-down approach to application management, and ensures that applications perform well under peak load with maximum throughput, even in the face of evolving technology, limited understanding of test parameters, and resource constraints. 
User Experience Management

Stop Online Revenue Loss in Tough Economic Times

According to industry experts, over 70% of user issues are still reported by end-users, not by system monitoring tools. Oracle Real User Experience Insight identifies and helps resolve user experience issues and revenue problems before business and users are impacted. Oracle Real User Experience Insight uses a state-of-the-art network protocol analysis technology to analyze performance and availability as well as user behavior. It has no impact on the performance of your applications and requires no changes. It can be used on traditional Web-based applications as well as SOA and AJAX enabled applications.
Heterogeneous Support

Manage Oracle and Non-Oracle Technologies within a Single Console

Oracle Enterprise Manager not only manages Oracle Technologies, it provides rich management solutions for heterogeneous environments with its unique top-down approach. Only Oracle provides the most complete solution focused on managing business applications and related infrastructure technologies in a single management console. Get exactly what you need to manage your applications end-to-end with a rich selection of easy-to-deploy plug-ins and connectors for heterogeneous environments. Check out the partner exchange for more than two dozen heterogeneous management plug-ins and connectors including Microsoft MOM, IBM WebSphere, BEA WebLogic, JBoss, EMC storage, F5 BIG IP, Check Point Firewall, Remedy and more.

Universal Content Management

Oracle Universal Content Management (UCM) is the industry's most unified enterprise content management platform that enables you to leverage market-leading document management, Web content management, digital asset management, and records retention functionality to build and complement your business applications. Building a strategic enterprise content management infrastructure for content and applications helps you to reduce costs, easily share content across the enterprise, minimize risk, automate expensive, time-intensive and manual processes, and consolidate multiple Web sites onto a single platform for centralized management. Through user-friendly interfaces, roles-based authentication and security models, Oracle Universal Content Management empowers users throughout the enterprise to view, collaborate on or retire content, ensuring that all accessible distributed or published information is secure, accurate and up-to-date.
Universal Records Management

Oracle Universal Records Management (URM) enables you to apply your records management policies and practices on content in remote repositories such as file systems, content management systems, and email archives. URM also enables you to apply records management practices to non-records content.

Information Rights Management

Oracle Information Rights Management (IRM, formerly SealedMedia and Stellent Information Rights Management) is a new form of information security technology that secures and tracks sensitive digital information everywhere it is stored and used. Conventional information management products only manage documents, emails, and web pages while they remain stored within server-side repositories. Oracle Information Rights Management uses encryption to extend the management of information beyond the repository - to every copy of an organization's most sensitive information, everywhere it is stored and used - on end user desktops, laptops and mobile wireless devices, in other repositories, inside and outside the firewall. For a quick introduction to Oracle Information Rights Management, view our 2 minute explainer.
Oracle Diagnosibility Products

In this section, I will introduce you to several tools that Oracle provides for free. Oracle developed these tools to reduce Support Costs by providing automated tools that perform diagnostic tests. I included these tools because you can use them to facilitate Risk Assessment and Risk Management Activities without having to purchase any additional hardware or software licenses. These tools enable you to take proactive measures to assess E-Business Security and Oracle Application Configuration to ensure that you have configured your applications using Oracle best practices.

Oracle Support defined Diagnosibility to include:
− E-Business Suite Diagnostics
− Guardian
− Maintenance Wizard (MW)
− Remote Diagnostic Agent (RDA)
− Oracle Configuration Manager (OCM)

E-Business Suite Diagnostics

Oracle E-Business Suite Diagnostics is a free tool provided by Oracle to ease the gathering and analyzing of information from your E-Business Suite specific to an existing issue or setup. Formatted output displays the information gathered, the findings of the analysis and appropriate actions to take if necessary. This tool is easy to use and is designed for both the functional and technical user.

Oracle E-Business Suite Diagnostics are designed to improve:
− Problem Avoidance - resolving configuration and data issues that would cause processes to fail
− Self Service Resolution - resolving problems without the need to contact Oracle Support
− Reduction in Resolution Time - minimizing the time spent to resolve an issue by increasing support engineer
− Risk Assessment Activities - free tool that you can use to facilitate Risk Assessment Activities
− Knowledge of Oracle Best Practices - users become more knowledgeable about Oracle best practices by using E-Business Suite Diagnostics
Lessons Learned: E-Business Suite Diagnostics – Cost Effective Risk Assessment Tool

Lessons Learned: E-Business Suite Diagnostics Whitepaper
I will write another whitepaper that describes the E-Business Suite Diagnostics in more detail. I believe that this tool can be used as part of a very cost-effective solution to help companies implement Oracle databases and applications using Oracle and Industry best practices. Moreover, these companies can use the E-Business Suite Diagnostics to proactively monitor E-Business Suite Security and Oracle Application Configuration.

Oracle Security, Identity Management, and Governance Risk and Compliance (GRC)
Oracle Security, IDM and GRC applications provide sophisticated and robust solutions. I do not suggest that companies use E-Business Suite Diagnostics in lieu of these solutions; however, the E-Business Suite Diagnostics are free and they provide Oracle system controls that can significantly improve security.

Risk Assessments
Companies can use E-Business Suite Diagnostics to facilitate Risk Assessment activities.

Guardian

Oracle Guardian is an intuitive tool for preemptive system support. Oracle Guardian is designed to find potential problems before they require the attention of your IT support staff or impact your operations and your customers. Oracle Guardian helps to streamline deployments and day-to-day operations.

At the touch of a button, Oracle Guardian does the following:
− Automatically finds and recommends the right updates and maintenance packs - saving your team time and maximizing your efficiency
− Scans your domain in seconds to immediately recognize and diagnose software defects.
− Using simple diagnostic Signature Patterns, quickly provides intuitive and detailed information about potential problems and how to fix them
− Offers side-by-side comparisons of snapshots or domains, constructing a timeline and comparing configuration and inventory differences
− Offers customizable signature annotations for managing, filtering, and tracking Signature Patterns and work related to detected Signature Patterns
− Integrates with Oracle JRockit Mission Control, collecting data through the JRockit Runtime Analyzer and applying Signature Patterns to the data
Lessons Learned: Guardian – Another Risk Assessment and Risk Management Tool

Lessons Learned: Risk Assessment and Risk Management Tool
This is another free resource, provided by Oracle to reduce your reliance on Oracle Support, that you can use to improve and monitor security and internal controls.

Background

Customer Support in today's software industry is usually either proactive or reactive. Reactive support addresses problems once they have already impacted a customer's system in some manner. Proactive support is an intensive way to resolve system problems once they've been identified, but before they cause downtime or impact productivity. For proactive support, IT personnel monitor systems and address the root cause of an issue before they grow. Both types of support are focused on existing issues and are frequently expensive and complicated. Both support models can also leave customers dissatisfied because both require a problem to manifest before addressing it; this can require increased man-hours and IT budget to identify and resolve them.

Oracle Guardian has moved on from these traditional support paradigms by offering a new, pre-emptive model. This is because we recognize that our customers have complex systems that form the core of their businesses—systems which cannot rely on antiquated break/fix models for support. Instead, they require a 24/7, preemptive, automated support offering that can identify potential problems before they occur. They need a support paradigm that offers peace of mind. Oracle Guardian is Oracle's response to this need, as identified through extensive field research and analysis.[i]

Beyond Reactive or Proactive Support

Oracle Guardian is an intuitive tool for preemptive system support designed to find potential problems before they require the attention of your IT support staff or impact your operations and your customers. Oracle Guardian helps to streamline deployments and day-to-day operations.
At the touch of a button:
− Guardian automatically finds and recommends the right updates, service, and maintenance packs so your team doesn't have to.
− Guardian scans your domain. Simple diagnostic signature patterns quickly give intuitive and detailed information about all potential problems and how to fix them.
− Guardian provides up-to-date signature patterns on a regular basis to ensure system and application stability
− Guardian allows you to roll out complex applications faster than your competitors by eliminating antiquated, inefficient troubleshooting techniques such as knowledgebase searches or frequently asked questions.

Does Guardian Require a License?

Yes - Guardian requires a license in order to function.
For evaluation, the required license file, which does expire, is obtained through the page where you download BEA Guardian, using the Download License Key Here link. Save it into your BEA Guardian installation directory.

Maintenance Wizard (MW)

Oracle Support provides Maintenance Wizard to guide you through the upgrade of Oracle Applications technology stack and products from Release 11i versions to Release 12. It draws on instructions from numerous manuals and other documentation to provide you with a complete picture of the activities required for an upgrade. Maintenance Wizard helps you to reduce upgrade tasks by dynamically filtering the necessary steps based on criteria it obtains from your Applications environment. The resulting report is a set of step-by-step instructions of exactly what you need to do to complete your specific upgrade, including any critical patches that your system may require. It can also automatically execute many of the tasks for you, so as to reduce the possibility of errors or accidental omission of vital tasks.

Remote Diagnostic Agent (RDA)

Remote Diagnostic Agent (RDA) is a command-line diagnostic tool that is executed by an engine written in the Perl programming language. RDA provides a unified package of support diagnostics tools and preventive solutions (see Knowledge Article 330760.1). The data captured provides Oracle Support with a comprehensive picture of the customer's environment which aids in problem diagnosis. Oracle Support encourages the use of RDA because it greatly reduces service request resolution time by minimizing the number of requests from Oracle Support for more information. RDA is designed to be as unobtrusive as possible; it does not modify systems in any way. It collects useful data for Oracle Support only and a security filter is provided if required.
Other RDA Resources
− Remote Diagnostic Agent (RDA) 4 - FAQ
− RDA 4 - Health Check / Validation Engine Guide
− Running RDA and Health Check for Oracle Application Server Environments
− Remote Diagnostic Agent (RDA) 4 - Getting Started
− Remote Diagnostic Agent (RDA) 4 - Main Man Page
Oracle Configuration Manager (OCM)

Oracle Configuration Manager works with My Oracle Support to enable proactive support capability that helps you organize, collect, and manage your Oracle configurations by providing the following:
− Secure, automated configuration collection
− Proactive configuration-specific notification of Security and General Alerts
− HealthCheck recommendations based on Support best practices when using configuration auto-collection
− Simplified Service Request logging, tracking and reporting
− Project cataloging of key milestones and contacts associated with your configurations

Other OCM Resources
− Learn More About My Oracle Support Configuration Manager

Other Resources
− Diagnosibility Community
− Best Practices for Securing Oracle E-Business Suite Release 12
− Best Practices for Securing Oracle E-Business Suite
− Oracle Configuration Manager Security Overview and Collections Overview
− Oracle E-Business Suite Network Utilities: Best Practices
− Oracle E-Business Suite Secure Enterprise Search Best Practices, Release 12
− Oracle Application Object Library Best Practices: E-Business Suite Diagnostic Tests Health Check Test
− Best Practices for Adopting Oracle E-Business Suite, Release 12
− System Health
− Oracle Guardian Signature Pattern Release File
− What Is New In Oracle Guardian Signature Pattern Release
− Oracle Guardian White Paper
− Guardian 1.0 - What is the best way to update Guardian from the evaluation version to the current version?
− Description of All Signature Patterns in the Current Signature Patterns Release
− All About Security: User, Privilege, Role, SYSDBA, O/S Authentication, Audit, Encryption, OLS, Database Vault, Audit Vault

About the Author

I am the Founder and President of Oracle Independent Consultants LLC (OIC LLC), which is a large virtual Oracle Consulting Firm.
My personal area of interest is Oracle Security, Identity Management (IDM) and Governance, Risk and Compliance (GRC) Solutions.
If you are also interested in these solutions, I invite you to join the Oracle Security, Identity Management (IDM) and Governance, Risk and Compliance (GRC) Professionals Group. It’s free.

Regards,
Roger Drolet, CPA, MBA, CISA, CITP
[i] Oracle Guardian White Paper dated Wednesday, November 26, 2008.