OOW 2009 EBS Security R12

Transcript
  • 1. Critical Data Protection and Security in Oracle E-Business Suite
    • Eric Bing – Senior Director, Applications Product Security
    • Robert Armstrong – Senior Manager, Applications Product Security
  • 2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 3. Agenda
    • Business Drivers
    • Security Challenges
    • Security Inside Out
    • End-to-End Security
    • E-Business Suite (EBS) Secure Configuration
    • Secure Your Environment
    • Externalizing EBS Security
    • Spreading out from the Apps tier
    • EBS Integrations
    • Leveraging Oracle Technology
    • Q&A
  • 4. Security Challenges
  • 5. Security for Web based Loan Origination
    (Process diagram: start → Credit Rating / Get Rating → Handle Negative Credit Exception → Send Loan Application to United Loan and to Star Loan → Receive Loan Offer from each → Select Lowest Offer → end)
  • 6. Security Vulnerabilities (the same loan-origination diagram, annotated)
    • 1. Anyone who can access the server can initiate loan applications
    • 2. SSN sent in clear text (<SSN>011-22-4488</SSN>)
    • 3. Response must go through the firewall
    • 4. How can I be sure no other sensitive data is unprotected?
  • 7. Comprehensive Security Results (the same diagram, annotated)
    • 1. Security Policy: Role-based access control
    • 2. Securing Privacy: Auto-Encryption of PII in XML message
    • 3. Management: Service virtualization in DMZ
    • 4. Audit & Compliance: System-wide services monitoring
  • 8. More Regulations Than Ever… UK/PRO, PIPEDA, EU Data Directives, Sarbanes-Oxley, GLBA, PCI, Basel II, Breach Disclosure, FISMA, K SOX, Euro SOX, J SOX, HIPAA, ISO 17799, SAS 70, COBIT, AUS/PRO. 90% of companies are behind in compliance (Source: IT Policy Compliance Group, 2007). Oracle Confidential 9
  • 9. Comprehensive Security
  • 10. 1 – Comprehensive Identity & Access Management
    • Store & Virtualize Identities
    • Provision Identities & Roles
    • Manage Access to Systems
    • Manage Entitlements
    • Federate Identities
  • 11. 2 – Comprehensive Controls Enforcement
    • Consolidate Compliance Activities
    • Proactively Manage Risk
    • Automate Internal Controls
  • 12. 3 – Comprehensive Data Protection
    • When Applications Are Targeted
    • When Data Is In Motion
    • When Data Is At Rest
    • When Data Is Cloned
    • When Data Is Administered
  • 13. Oracle Security Inside Out (layers: Information Infrastructure, Databases, Applications, Content)
    • Database Security: Encryption and Masking; Privileged User Controls; Multi-Factor Authorization; Activity Monitoring and Audit; Secure Configuration
    • Identity Management: User Provisioning; Role Management; Entitlements Management; Risk-Based Access Control; Virtual Directories
    • Information Rights Management: Track and Audit Document Usage; Control and Revoke Document Access; Secured Inside or Outside Firewall; Centralized Policy Administration
  • 14. Database Defense-in-Depth
    • Monitoring: Configuration Management; Oracle Audit Vault; Total Recall
    • Access Control: Oracle Database Vault; Label Security
    • Encryption & Masking: Advanced Security; Secure Backup; Data Masking
  • 15. E-Business Suite Secure Configuration
  • 16. Secure Configuration
    • 11i – Support note 189367.1
    • R12 – Support note 403537.1
    • CPUs: Apply them!
    • Evaluating a 11i Cumulative CPU: resolve dependencies and superseded patches; based on / tested on 11.5.10CU2
  • 17. Default Passwords – Ensure that you’ve changed all default passwords:
    • DB accounts: Support Note 361482.1, Patch 4926128
    • Apps users: the check script is part of the Apr CPU – fnddefpw.sql – 11i: Patch 7831891
  • 18. Security Profiles – Oracle strongly recommends the following settings for Security Profiles:
    • FND: Diagnostics -> NO
    • Restrict Text Input -> Yes
    • FND Validation Level -> ERROR
    • FND Function Validation Level -> ERROR
    • Framework Validation Level -> ERROR
    See Oracle Support note 946372.1 – Secure Configuration of E-Business Suite Profiles. It contains information on what these do and what to test when turning these on. FND Validation Level is the only one of these which is off by default in 11i.
  • 19. FND Validation Level – Products must be at the 11.5.10CU2 level or above to use FND Validation Level.
    • Benefit: provides defense in depth against parameter and URL tampering
    • May prevent direct access (via a bookmark or URL) to pages that are not considered "launch pages" or "bookmarkable pages"
    • Customized integration points which navigate into the E-Business Suite should be tested.
    • Prerecorded scripts (Winrunner) may need special treatment…
  • 20. Fixed Key Profiles
    • With FND Validation Level on, the URI and parameters are unique for each session
    • If you need to run prerecorded scripts, you can set these at the user level
    • Oracle recommends that the Fixed Key profiles not be used in production environments
    • Set both: FND: Fixed Key Enabled – Y; FND: Fixed Key – hexadecimal string of size 64
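A practical way to audit slides 18 to 20 on a real instance is to compare the stored site-level profile values against the recommended ones and then look for user-level Fixed Key overrides that were set for prerecorded scripts and never removed. The SQL below is an added example, not code from the presentation or from Oracle; it assumes an E-Business Suite database, the APPS schema, and (an assumption to confirm on your instance) that Yes/No profiles are stored as 'Y'/'N' and the validation levels as 'ERROR'.

```sql
-- Added example, not from the slides. Assumes an Oracle E-Business Suite database
-- and the APPS schema (FND_PROFILE_OPTIONS_VL, FND_PROFILE_OPTION_VALUES, FND_USER).
-- Stored values 'N'/'Y'/'ERROR' are an assumption; adjust to what your instance shows.
-- LEVEL_ID 10001 is the Site level, 10004 the User level.
WITH recommended AS (
  SELECT 'FND: Diagnostics'              AS opt, 'N'     AS want FROM dual UNION ALL
  SELECT 'Restrict Text Input'           AS opt, 'Y'     AS want FROM dual UNION ALL
  SELECT 'FND Validation Level'          AS opt, 'ERROR' AS want FROM dual UNION ALL
  SELECT 'FND Function Validation Level' AS opt, 'ERROR' AS want FROM dual UNION ALL
  SELECT 'Framework Validation Level'    AS opt, 'ERROR' AS want FROM dual UNION ALL
  SELECT 'FND: Fixed Key Enabled'        AS opt, 'N'     AS want FROM dual  -- slide 20: not in production
)
SELECT r.opt                                    AS profile_option,
       r.want                                   AS recommended,
       NVL(v.profile_option_value, '<not set>') AS site_value,
       -- a NULL (unset) value also lands in REVIEW, which is what we want
       CASE WHEN v.profile_option_value = r.want THEN 'OK' ELSE 'REVIEW' END AS status
FROM   recommended r
LEFT JOIN apps.fnd_profile_options_vl p
       ON p.user_profile_option_name = r.opt
LEFT JOIN apps.fnd_profile_option_values v
       ON v.profile_option_id = p.profile_option_id
      AND v.level_id = 10001
ORDER BY status DESC, r.opt;

-- Leftover user-level Fixed Key settings (slide 20 allows them for prerecorded
-- scripts). The key itself is a secret, so only report that it is set.
SELECT p.user_profile_option_name,
       u.user_name,
       CASE WHEN p.user_profile_option_name = 'FND: Fixed Key'
            THEN '<set, value hidden>'
            ELSE v.profile_option_value END AS value,
       v.last_update_date
FROM   apps.fnd_profile_option_values v
JOIN   apps.fnd_profile_options_vl p ON p.profile_option_id = v.profile_option_id
JOIN   apps.fnd_user u              ON u.user_id = v.level_value
WHERE  v.level_id = 10004
AND    p.user_profile_option_name IN ('FND: Fixed Key Enabled', 'FND: Fixed Key')
ORDER BY u.user_name;
```

Any row with status REVIEW in the first result, or any row at all in the second, is worth a conversation with whoever owns the instance: a user-level Fixed Key override reintroduces exactly the predictable URLs that FND Validation Level is there to remove.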
  • 21. Password Hashing – Non-Reversible Password Hashing, Support Note 457166.1
    • Stores local Applications user passwords as non-reversible hashes
    • Available as of 11i ATG RUP6, 12.0.4 and 12.1
    • Upgrade your desktop clients
    • Use FNDCPASS to migrate following the note
    • Backup & test carefully – migration is…non-reversible
  • 22. Externalizing EBS Security
  • 23. Apps Schema Access
    • Context: SOA Suite Apps Adapter (PL/SQL execution); external applications for database oriented activities
    • Issues: schema password keeps changing; standards-based access
    • Current Solution: create a new schema and provide privileges; provide the apps password to the external system
  • 24. Solution: Application Data Source
    • Implementation: J2EE/JDBC standards based, on the External Tier Application Server
    • Register the Application Data Source
    • Register the Node as a trusted Node
    • Create a new Application User
    • Grant Role (shipped) to this User
    • Register this new User in the Application Server
  • 25. JAAS implementation for EBS – New Solution
    • E-Biz light-weight LoginModule, compliant with JAAS specifications, works with JDK or J2EE environments.
    • Implement JAAS Authentication using the AOL security system
    • Implement JAAS Authorization using UMX roles.
  • 26. JAAS for EBS – Leverage EBS Authentication and Authorization from ADF, Web-Services and EJB (WebLogic)
  • 27. E-Business Suite / Oracle Access Manager Integration Architecture
    • Build on secure foundation for existing integrations
    • Focus on stability and scalability
    • Improve ease of integration for new implementations
    • Provide easy transition for Oracle Single Sign-On Server integrations
    • “Future-proof” identity management stack
  • 28. E-Business Suite / Oracle Access Manager Integration Architecture – EBS Access Gateway Application
    • Moves authentication into an external service
    • Fewer points of integration makes it easier to certify future releases
    • Insulates the E-Business Suite instance from user authentication configuration
    • Single application works for E-Business Suite Release 11i and Release 12
    • No release-specific or OAM-dependent code
    • Availability planned for 2010 – watch for announcements on the Oracle E-Business Suite Technology Blog (http://blogs.oracle.com/stevenChan/)
  • 29. Architecture Overview – E-Business Suite instance configured to use Access Gateway; Access Gateway protected by OAM
  • 30. E-Business Suite Integrations
  • 31. Oracle Audit Vault
    • Applications are validated by default; database auditing is underneath the application
    • Application User Auditing: the application can set the database “Client Identifier” to tie the application user to the application’s shared account
    • Database Auditing can be used to monitor: audit base application tables and views; privileged user operations in the database (logins, user/table create)
  • 32. Setting Client Identifier
    • Any application running on Oracle database can set the client identifier
    • E-Business Suite (planned): single line of initialization logic that needs to be added: dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));
    (Diagram: User A connects; the Application Server sets client_info to User A; the Oracle Database audit record uses client_identifier; when User B connects the application resets client_info to User B)
  • 33. Oracle Audit Vault Application Integration
    • 1. Turn on database auditing: set the database parameters audit_trail, audit_trail_dest, audit_sys_operations
    • 2. Determine the application tables to audit: audit <table> by access;
    • 3. Configure Audit Vault to collect the database audit trail
    • 4. Setup alerts in Audit Vault
    • 5. View Reports
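Slides 32 and 33 together describe the mechanism: a shared database account serves many application users, so the application stamps each session with the real user via the client identifier, and standard database auditing then records that identifier next to the shared account. The script below is an added example (not from the presentation or from Oracle) that walks the whole path on a plain Oracle database, without EBS: the table, the two application user names and the sample SSN are constructed for the demo, and in EBS the identifier would come from fnd_global.username as on slide 32. It assumes audit_trail=DB is already set (step 1 on slide 33; that parameter change needs a restart) and a user with the AUDIT privilege and SELECT on DBA_AUDIT_TRAIL.

```sql
-- Added example, not from the slides. Assumes an Oracle database with
-- audit_trail=DB already in effect; table, user names and SSN value are constructed.
CREATE TABLE demo_pii (cust_id NUMBER PRIMARY KEY, ssn VARCHAR2(11));
INSERT INTO demo_pii VALUES (1, '000-00-0000');   -- constructed sample value
COMMIT;

-- Slide 33 step 2: audit every statement against the sensitive table,
-- one audit record per statement rather than one per session.
AUDIT ALL ON demo_pii BY ACCESS;

-- Simulate the application tier: one shared DB account, two application users.
-- SUBSTRB(..., 1, 64) mirrors slide 32; 64 bytes is the client identifier limit.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER(SUBSTRB('APPUSER_A', 1, 64));
END;
/
SELECT ssn FROM demo_pii WHERE cust_id = 1;

BEGIN
  DBMS_SESSION.SET_IDENTIFIER(SUBSTRB('APPUSER_B', 1, 64));
END;
/
UPDATE demo_pii SET ssn = '000-00-0001' WHERE cust_id = 1;
COMMIT;

-- Clear the identifier before the pooled connection is handed to the next
-- application user; otherwise the next user's work is misattributed.
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- The audit trail now carries the application user (CLIENT_ID) beside the
-- shared database account (USERNAME) for each statement on the table.
SELECT username,
       client_id,
       action_name,
       obj_name,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS at_time
FROM   dba_audit_trail
WHERE  obj_name = 'DEMO_PII'
ORDER BY timestamp;
```

Expect two rows for DEMO_PII: a SELECT with CLIENT_ID APPUSER_A and an UPDATE with CLIENT_ID APPUSER_B, both under the same USERNAME. Audit Vault (steps 3 to 5) collects this same trail, so the alerts you define there can key on CLIENT_ID, which is what makes the slide 31 phrase "tie application user with application shared account" concrete.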
  • 34. Oracle Audit Vault Application Integration
  • 35. Oracle Audit Vault Application Integration
  • 36. Oracle Audit Vault Application Integration
  • 37. Database Vault
    • DB Vault: Separation of Duties for DBA roles
    • Concerns: customizations to realms; patching with DB Vault on; generic accounts (APPS / SYSTEM) have access to sensitive data
  • 38. Customizing DB Vault
    • Default realm we ship with contains all Apps objects
    • We now support realms that are subsets of this
    • Need to ensure that all the procedures and patches in Support Notes are followed
    • Any subsets will be treated as certified; any additions will be treated as customizations
    • Detailed example of extending EBS realms in Support Notes
  • 39. Patching DB Vault
    • We now support patching the EBS Applications with DB Vault still on; instructions in Support notes
    • Pre and post patching scripts give SYSTEM additional privs
    • Suggest auditing during the patch window
    • Ensure named users are used; can use proxy access for named users to reduce administration
    • See the Support Note on Using DB Vault in the E-Business Suite for suggestions on how to minimize use of generic accounts
  • 40. Providing Separation of Duties with (or without) DB Vault
    • Use named accounts
    • Use proxying
    • Don’t have DBAs doing normal activities in the APPS and SYSTEM accounts
    • Customizing Realms: reducing seeded realms is not considered a customization
    • OS access: use named accounts; delegate common tasks through sudo or EM; remove write and read for non-owners (0500 or 0700)
  • 41. Support Notes on E-Business Suite with DB Vault
    • Guidance Document (New): 950018.1 Using Database Vault in the E-Business Suite
    • Implementation Instructions:
      • 428503.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 10.2.0.4
      • 859399.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 11.1.0.7
      • 566841.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.4
      • 859397.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 11.1.0.7
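Slides 39 and 40 recommend named accounts and proxying so that nobody works directly as APPS or SYSTEM. The following is an added example, not from the presentation or from Oracle's support notes, showing what that looks like in Oracle's own proxy authentication: a named DBA account that may connect through to APPS without holding the APPS password, an audit policy that records those proxied statements under the named person, and two queries to verify the setup. The account name dba_alice and the password placeholder are constructed; the schema name APPS is the one the slides discuss.

```sql
-- Added example, not from the slides. Assumes an Oracle database (10gR2/11g
-- syntax) where APPS is the shared application schema; dba_alice is a constructed
-- name and the password is a placeholder to be replaced.
CREATE USER dba_alice IDENTIFIED BY "REPLACE_WITH_STRONG_PASSWORD";
GRANT CREATE SESSION TO dba_alice;

-- Let dba_alice open a session as APPS without knowing the APPS password.
-- Revoking this one grant removes her access; nobody else's password changes.
ALTER USER apps GRANT CONNECT THROUGH dba_alice;

-- Audit DML issued through the proxy so the trail names the person, not just APPS.
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE
  BY dba_alice ON BEHALF OF apps;

-- dba_alice connects with:  sqlplus dba_alice[apps]/<password>@<db>
-- Inside that session both identities are visible and land in the audit trail:
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,    -- DBA_ALICE
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user   -- APPS
FROM   dual;

-- Verification 1: who is allowed to proxy into APPS at all?
SELECT proxy, client, authentication
FROM   dba_proxies
WHERE  client = 'APPS';

-- Verification 2: recent APPS sessions. A populated PROXY_SESSIONID means a named
-- user came through the proxy; a NULL one means someone logged in as APPS directly,
-- which is the generic-account use slide 40 wants to stop.
SELECT username, proxy_sessionid, os_username, userhost, action_name,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS at_time
FROM   dba_audit_trail
WHERE  username = 'APPS'
AND    action_name = 'LOGON'
ORDER BY timestamp DESC;
```

Proxy access composes with Database Vault rather than replacing it: a realm can still block dba_alice's proxied session from sensitive Apps tables, and the audit trail above is what you would watch during the patch window slide 39 mentions.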
  • 42. Transparent Data Encryption (TDE) Certification – protecting data at rest
    • Column-level TDE: certified for 10GR2 and 11G, R11i and R12
    • Tablespace TDE: certified for 11G, R11i and R12
    (Diagram: the SQL layer and buffer cache hold clear text, e.g. “SSN = 834-63-..”; database data blocks, undo blocks, temp blocks, redo logs and flashback logs hold ciphertext, e.g. “*M$b@^s%&d7”)
  • 43. Oracle Label Security (OLS) / Virtual Private Database (VPD)
    • Additional Apps level protections? Yes, Apps uses it this way for MOAC
    • Protection at DB level? Involves protecting your context as well; need to work through performance issues; need to work through the implications of limiting row visibility
    • All VPD treated as customization
  • 44. 11gR2 certification
    • 11.5.10.2 completed; 12 still working
    • Advanced Security Option: Advanced Network Encryption; TDE and DB Vault not included in the initial cert; certification will follow
  • 45. Futures
    • PCI – PA-DSS certification and whitepaper
    • DB Vault – patching without generic accounts
    • OS level protections
    • PII – sensitive data collection and realms
    • Sensitive pages – Guest, Admin pages
    • Exposure of core FND APIs to external developers
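Slide 42 contrasts the two TDE forms without showing what either looks like. As an added example (not from the presentation or from Oracle's certification notes), the DDL below creates one table protected by column-level TDE and one by tablespace TDE, then queries the dictionary views that show what is actually encrypted. It assumes an Oracle 11g database whose encryption wallet is configured and open; the table, tablespace, column names and datafile path are constructed.

```sql
-- Added example, not from the slides. Assumes an Oracle 11g database with the
-- encryption wallet open; all object names and the datafile path are constructed.

-- Column-level TDE (10gR2 and 11g): only the SSN column is ciphertext on disk.
-- SALT is the default; NO SALT would be required if SSN had to be indexed.
CREATE TABLE customers_col (
  cust_id NUMBER PRIMARY KEY,
  ssn     VARCHAR2(11) ENCRYPT USING 'AES256'
);

-- Retrofitting an existing column works the same way:
-- ALTER TABLE customers_col MODIFY (ssn ENCRYPT USING 'AES256');

-- Tablespace TDE (11g): every block written to the tablespace is encrypted, so
-- nothing has to be classified column by column, which is the gap slide 6's
-- question 4 ("is other sensitive data unprotected?") points at.
CREATE TABLESPACE secure_data
  DATAFILE '/REPLACE/WITH/PATH/secure_data01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE customers_ts (
  cust_id NUMBER PRIMARY KEY,
  ssn     VARCHAR2(11)
) TABLESPACE secure_data;

-- Verify column-level protection: expect CUSTOMERS_COL.SSN with AES 256 bits.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER BY owner, table_name, column_name;

-- Verify tablespace protection: expect SECURE_DATA with ENCRYPTED = YES.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg, e.encryptedts
FROM   dba_tablespaces t
JOIN   v$tablespace vt            ON vt.name = t.tablespace_name
JOIN   v$encrypted_tablespaces e  ON e.ts# = vt.ts#
WHERE  t.encrypted = 'YES';
```

Neither form changes application SQL, which is why the slide can certify them against an unchanged EBS; what they do not cover is data once it is decrypted into the buffer cache or returned over the network, which is where the Advanced Network Encryption item on slide 44 comes in.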
  • 46. Q&A
  • 47. Oracle Software Security Assurance Sessions at Oracle OpenWorld – Related Sessions
    • S309974: Securing Oracle E-Business Suite with Oracle Identity and Access Management, Tuesday October 13th, 17:30 - 18:30, Marriott Hotel Salon 3
    • S311455: Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database, Tuesday October 13th, Moscone South Rm 306
    • S311337: Secure Your Existing Application Transparently in 30 Minutes or Less, Wednesday October 14th, Moscone South Rm 103