OOW 2009 EBS Security R12
1. Critical Data Protection and Security in Oracle E-Business Suite
   Eric Bing, Senior Director, Applications Product Security
   Robert Armstrong, Senior Manager, Applications Product Security
2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
3. Agenda
   • Business Drivers
   • Security Challenges
   • Security Inside Out
   • End-to-End Security
   • E-Business Suite (EBS) Secure Configuration
   • Secure Your Environment
   • Externalizing EBS Security
   • Spreading out from the Apps tier
   • EBS Integrations
   • Leveraging Oracle Technology
   • Q&A
4. Security Challenges
5. Security for Web-based Loan Origination
   [Process diagram: start -> Get Credit Rating -> Handle Negative Credit Exception -> Send Loan Application (United Loan / Star Loan) -> Receive Loan Offer -> Select Lowest Offer -> end]
6. Security Vulnerabilities (same loan-origination process)
   1. Anyone who can access the server can initiate loan applications
   2. SSN sent in clear text (<SSN>011-22-4488</SSN>)
   3. Response must go through the firewall
   4. How can I be sure no other sensitive data is unprotected?
7. Comprehensive Security Results
   1. Security Policy: role-based access control
   2. Securing Privacy: auto-encryption of PII in the XML message
   3. Management: service virtualization in the DMZ
   4. Audit & Compliance: system-wide services monitoring
8. More Regulations Than Ever…
   UK/PRO, PIPEDA, EU Data Directives, Sarbanes-Oxley, GLBA, PCI, Basel II, Breach Disclosure, FISMA, K-SOX, Euro-SOX, J-SOX, HIPAA, ISO 17799, SAS 70, COBIT, AUS/PRO
   90% of companies are behind in compliance. Source: IT Policy Compliance Group, 2007.
9. Comprehensive Security
10. 1: Comprehensive Identity & Access Management
   • Store & Virtualize Identities
   • Provision Identities & Roles
   • Manage Access to Systems
   • Manage Entitlements
   • Federate Identities
11. 2: Comprehensive Controls Enforcement
   • Consolidate Compliance Activities
   • Proactively Manage Risk
   • Automate Internal Controls
12. 3: Comprehensive Data Protection
   • When Applications Are Targeted
   • When Data Is In Motion
   • When Data Is At Rest
   • When Data Is Cloned
   • When Data Is Administered
13. Oracle Security Inside Out (layers: Information Infrastructure, Databases, Applications, Content)
   Database Security
   • Encryption and Masking
   • Privileged User Controls
   • Multi-Factor Authorization
   • Activity Monitoring and Audit
   • Secure Configuration
   Identity Management
   • User Provisioning
   • Role Management
   • Entitlements Management
   • Risk-Based Access Control
   • Virtual Directories
   Information Rights Management
   • Track and Audit Document Usage
   • Control and Revoke Document Access
   • Secured Inside or Outside Firewall
   • Centralized Policy Administration
14. Database Defense-in-Depth
   Monitoring
   • Configuration Management
   • Oracle Audit Vault
   • Total Recall
   Access Control
   • Oracle Database Vault
   • Label Security
   Encryption & Masking
   • Advanced Security
   • Secure Backup
   • Data Masking
15. E-Business Suite Secure Configuration
16. Secure Configuration
   • 11i: Support note 189367.1
   • R12: Support note 403537.1
   • CPUs: apply them!
   • Evaluating an 11i Cumulative CPU: resolve dependencies and superseded patches; based on / tested against 11.5.10CU2
17. Default Passwords
   Ensure that you've changed all default passwords:
   • DB accounts: Support Note 361482.1, Patch 4926128
   • Apps users: the check script (fnddefpw.sql) is part of the Apr CPU; 11i: Patch 7831891
18. Security Profiles
   Oracle strongly recommends the following settings for Security Profiles:
   • FND: Diagnostics -> NO
   • Restrict Text Input -> Yes
   • FND Validation Level -> ERROR
   • FND Function Validation Level -> ERROR
   • Framework Validation Level -> ERROR
   See Oracle Support note 946372.1, Secure Configuration of E-Business Suite Profiles. It contains information on what these do and what to test when turning these on. FND Validation Level is the only one of these which is off by default in 11i.
19. FND Validation Level
   • Products must be at the 11.5.10CU2 level or above to use FND Validation Level.
   • Benefit: provides defense in depth against parameter and URL tampering
   • May prevent direct access (via a bookmark or URL) to pages that are not considered "launch pages" or "bookmarkable pages"
   • Customized integration points which navigate into the E-Business Suite should be tested.
   • Prerecorded scripts (WinRunner) may need special treatment…
20. Fixed Key Profiles
   • With FND Validation Level on, the URI and parameters are unique for each session
   • If you need to run prerecorded scripts, you can set these at the user level
   • Oracle recommends that the Fixed Key profiles not be used in production environments
   • Set both: FND: Fixed Key Enabled = Y; FND: Fixed Key = hexadecimal string of size 64
21. Password Hashing
   • Non-Reversible Password Hashing: Support Note 457166.1
   • Stores local Applications user passwords as non-reversible hashes
   • Available as of 11i ATG RUP6, 12.0.4 and 12.1
   • Upgrade your desktop clients
   • Use FNDCPASS to migrate, following the note
   • Back up and test carefully: the migration is… non-reversible
22. Externalizing EBS Security
23. Apps Schema Access
   Use cases
   • SOA Suite Apps Adapter (PL/SQL execution)
   • External applications for database-oriented activities
   Issues
   • Schema password keeps changing
   • Standards-based access
   Current solution
   • Create a new schema and provide privileges
   • Provide the apps password to the external system
24. Solution: Application Data Source
   • J2EE/JDBC standards-based
   Implementation on the external-tier application server
   • Register the Application Data Source
   • Register the node as a trusted node
   • Create a new Application User
   • Grant the (shipped) role to this user
   • Register this new user in the application server
25. JAAS implementation for EBS
   New solution: an E-Biz lightweight LoginModule, compliant with the JAAS specifications, that works with JDK or J2EE environments.
   • Implement JAAS Authentication using the AOL security system
   • Implement JAAS Authorization using UMX roles
26. JAAS for EBS
   Leverage EBS Authentication and Authorization from ADF, Web Services and EJB (WebLogic)
27. E-Business Suite / Oracle Access Manager Integration Architecture
   • Build on a secure foundation for existing integrations
   • Focus on stability and scalability
   • Improve ease of integration for new implementations
   • Provide an easy transition for Oracle Single Sign-On Server integrations
   • "Future-proof" identity management stack
28. E-Business Suite / Oracle Access Manager Integration Architecture: EBS Access Gateway Application
   • Moves authentication into an external service
   • Fewer points of integration make it easier to certify future releases
   • Insulates the E-Business Suite instance from user authentication configuration
   • A single application works for E-Business Suite Release 11i and Release 12
   • No release-specific or OAM-dependent code
   • Availability planned for 2010; watch for announcements on the Oracle E-Business Suite Technology Blog (
29. Architecture Overview
   • E-Business Suite instance configured to use the Access Gateway
   • Access Gateway protected by OAM
30. E-Business Suite Integrations
31. Oracle Audit Vault
   • Applications are validated by default; database auditing sits underneath the application
   • Application User Auditing: the application can set the database "Client Identifier" to tie the application user to the application's shared account
   • Database auditing can be used to monitor base application tables and views, and privileged user operations in the database (logins, user/table create)
32. Setting Client Identifier
   • Any application running on an Oracle database can set the client identifier
   • E-Business Suite (planned): a single line of initialization logic needs to be added:
     dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));
   [Sequence diagram: User A connects; the application sets client_info to User A; the application uses the shared connection and the Oracle audit record carries client_identifier; User B connects; the application resets client_info to User B]
33. Oracle Audit Vault Application Integration
   1. Turn on database auditing: set the database parameters audit_trail, audit_trail_dest, audit_sys_operations
   2. Determine the application tables to audit: audit <table> by access;
   3. Configure Audit Vault to collect the database audit trail
   4. Set up alerts in Audit Vault
   5. View reports
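The client-identifier tagging from slide 32 and the auditing steps from slide 33, carried through end to end as an added example (this is not code from the presentation or from Oracle). It assumes an Oracle 10g/11g database with SYSDBA access; the table APPS.XX_LOAN_APPS, the procedure XX_SET_APP_USER and the user name OPERATIONS are constructed for illustration, and the procedure takes the user name as a parameter so it can be exercised outside EBS, where slide 32 reads it from fnd_global.username.

```sql
-- Added example (not from the presentation). XX_LOAN_APPS, XX_SET_APP_USER
-- and the user name OPERATIONS are constructed placeholders.

-- 1. Database-level auditing (slide 33, step 1). SCOPE=SPFILE: takes
--    effect after a restart. EXTENDED keeps SQL text and bind values.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. Audit the application table by access (slide 33, step 2):
--    one audit record per statement rather than one per session.
AUDIT SELECT, INSERT, UPDATE, DELETE ON apps.xx_loan_apps BY ACCESS;

-- 3. Tag the shared APPS session with the application user (slide 32).
--    CLIENT_IDENTIFIER holds at most 64 bytes, hence SUBSTRB.
CREATE OR REPLACE PROCEDURE xx_set_app_user(p_username IN VARCHAR2) IS
BEGIN
  dbms_session.set_identifier(SUBSTRB(p_username, 1, 64));
END;
/

-- Application-side usage: set the identifier before the unit of work
-- and clear it when the pooled connection is handed back, so the next
-- application user on the same connection is not misattributed.
BEGIN
  xx_set_app_user('OPERATIONS');
  UPDATE apps.xx_loan_apps SET status = 'SUBMITTED' WHERE app_id = 42;
  dbms_session.clear_identifier;
END;
/

-- 4. Review (what Audit Vault collects and reports on): the DB user is
--    always the shared APPS schema; CLIENT_ID names the application user.
--    A NULL CLIENT_ID means the table was touched before the tag was set,
--    which is itself worth an alert.
SELECT timestamp, username AS db_user, client_id AS app_user,
       action_name, owner || '.' || obj_name AS object_name
  FROM dba_audit_trail
 WHERE obj_name = 'XX_LOAN_APPS'
 ORDER BY timestamp;
```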
34. Oracle Audit Vault Application Integration
35. Oracle Audit Vault Application Integration
36. Oracle Audit Vault Application Integration
37. Database Vault
   • DB Vault: separation of duties for DBA roles
   Concerns
   • Customizations to realms
   • Patching with DB Vault on
   • Generic accounts (APPS / SYSTEM) have access to sensitive data
38. Customizing DB Vault
   • The default realm we ship contains all Apps objects
   • We now support realms that are subsets of this
   • Need to ensure that all the procedures and patches in the Support Notes are followed
   • Any subsets will be treated as certified
   • Any additions will be treated as customizations
   • Detailed example of extending EBS realms in the Support Notes
39. Patching DB Vault
   • We now support patching the EBS Applications with DB Vault still on
   • Instructions in the Support Notes
   • Pre- and post-patching scripts give SYSTEM additional privileges
   • Suggest auditing during the patch window
   • Ensure named users are used
   • Can use proxy access for named users to reduce administration
   • See the Support Note on Using DB Vault in the E-Business Suite for suggestions on how to minimize use of generic accounts
40. Providing Separation of Duties with (or without) DB Vault
   • Use named accounts
   • Use proxying
   • Don't have DBAs doing normal activities in the APPS and SYSTEM accounts
   Customizing realms
   • Reducing seeded realms is not considered a customization
   OS access
   • Use named accounts
   • Delegate common tasks through sudo or EM
   • Remove write and read for non-owners (0500 or 0700)
41. Support Notes on E-Business Suite with DB Vault
   Guidance Document (New)
   • 950018.1 Using Database Vault in the E-Business Suite
   Implementation Instructions
   • 428503.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault
   • 859399.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault
   • 566841.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault
   • 859397.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault
42. Transparent Data Encryption (TDE) Certification: protecting data at rest
   • Column-level TDE: certified for 10gR2 and 11g, R11i and R12
   • Tablespace TDE: certified for 11g database, R11i and R12
   [Diagram: plaintext in the SQL layer and buffer cache ("SSN = 834-63-..") versus ciphertext ("*M$b@^s%&d7") in data blocks, undo blocks, temp blocks, redo logs and flashback logs]
43. Oracle Label Security (OLS) / Virtual Private Database (VPD)
   • Additional Apps-level protections? Yes, Apps uses it this way for MOAC
   • Protection at the DB level? Involves protecting your context as well
   • Need to work through performance issues
   • Need to work through the implications of limiting row visibility
   • All VPD is treated as customization
44. 11gR2 certification
   • Completed; 12 still working
   • Advanced Security Option: Advanced Network Encryption
   • TDE and DB Vault not included in the initial certification; certification will follow
45. Futures
   • PCI: PA-DSS certification and whitepaper
   • DB Vault: patching without generic accounts
   • OS-level protections
   • PII: sensitive data collection and realms
   • Sensitive pages: Guest, Admin pages
   • Exposure of core FND APIs to external developers
46. Q&A
47. Oracle Software Security Assurance Sessions at Oracle OpenWorld
   Related Sessions
   • S309974: Securing Oracle E-Business Suite with Oracle Identity and Access Management, Tuesday October 13th, 17:30 - 18:30, Marriott Hotel Salon 3
   • S311455: Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database, Tuesday October 13th, Moscone South Rm 306
   • S311337: Secure Your Existing Application Transparently in 30 Minutes or Less, Wednesday October 14th, Moscone South Rm 103