Critical Data Protection and Security in Oracle E-Business Suite
Eric Bing – Senior Director, Applications Product Security
Robert Armstrong – Senior Manager, Applications Product Security
The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
Agenda

• Business Drivers
  • Security Challenges
• Security Inside Out
  • End-to-End Security
• E-Business Suite (EBS) Secure Configuration
  • Secure Your Environment
• Externalizing EBS Security
  • Spreading out from the Apps tier
• EBS Integrations
  • Leveraging Oracle Technology
• Q&A
Security Challenges

Security for Web based Loan Origination

[Slide graphic: a loan origination process flow]
  start
  → Credit Rating: Get Rating
  → Handle Negative Credit Exception (on a bad rating)
  → Send Loan Application to United Loan and to Star Loan (in parallel)
  → Receive Loan Offer from each lender
  → Select Lowest Offer
  → end
Security Vulnerabilities

[Slide graphic: the same loan origination flow, annotated with four weaknesses]
1. Anyone who can access the server can initiate loan applications (no access control at "start").
2. The SSN is sent in clear text in the Credit Rating request: <SSN>011-22-4488</SSN>
3. The lender's response must come back through the firewall (Receive Loan Offer).
4. How can I be sure no other sensitive data is unprotected?
Comprehensive Security Results

[Slide graphic: the same flow, annotated with the control that answers each weakness]
1. Security Policy: role-based access control on who may start the process.
2. Securing Privacy: auto-encryption of PII in the XML Credit Rating message.
3. Management: service virtualization in the DMZ for the lender exchanges.
4. Audit & Compliance: system-wide services monitoring.
More Regulations Than Ever…

[Slide graphic: a cloud of regulations and standards]
Sarbanes-Oxley, Euro SOX, J SOX, K SOX, GLBA, PCI, Basel II, HIPAA, FISMA, PIPEDA, EU Data Directives, UK/PRO, AUS/PRO, Breach Disclosure, ISO 17799, SAS 70, COBIT

90% of companies are behind in compliance
Source: IT Policy Compliance Group, 2007.
Comprehensive Security

1   Comprehensive Identity & Access Management
      Store & Virtualize Identities
      Provision Identities & Roles
      Manage Access to Systems
      Manage Entitlements
      Federate Identities

2   Comprehensive Controls Enforcement
      Consolidate Compliance Activities
      Proactively Manage Risk
      Automate Internal Controls

3   Comprehensive Data Protection
      When Applications Are Targeted
      When Data Is In Motion
      When Data Is At Rest
      When Data Is Cloned
      When Data Is Administered
Oracle Security Inside Out

[Slide graphic: concentric layers Information → Infrastructure → Databases → Applications → Content, with three control groups alongside]

Database Security
•   Encryption and Masking
•   Privileged User Controls
•   Multi-Factor Authorization
•   Activity Monitoring and Audit
•   Secure Configuration

Identity Management
•   User Provisioning
•   Role Management
•   Entitlements Management
•   Risk-Based Access Control
•   Virtual Directories

Information Rights Management
•   Track and Audit Document Usage
•   Control and Revoke Document Access
•   Secured Inside or Outside Firewall
•   Centralized Policy Administration
Database Defense-in-Depth

[Slide graphic: three nested layers, Monitoring outermost, then Access Control, then Encryption & Masking at the core]

Monitoring
• Configuration Management
• Oracle Audit Vault
• Total Recall

Access Control
• Oracle Database Vault
• Label Security

Encryption & Masking
• Advanced Security
• Secure Backup
• Data Masking
E-Business Suite Secure Configuration

Secure Configuration

 11i – Support note 189367.1
 R12 – Support note 403537.1

 CPUs (Critical Patch Updates)
   Apply them!
   Evaluating an 11i Cumulative CPU
     Resolve dependencies and superseded patches
     Based on, and tested against, 11.5.10CU2
Default Passwords

 Ensure that you've changed all default passwords:
 DB accounts
    Support Note 361482.1
    Patch 4926128
 Apps users
   - A check script, fnddefpw.sql, is part of the April CPU
   - 11i: Patch 7831891
Security Profiles

 Oracle strongly recommends the following settings for
 Security Profiles:
    FND: Diagnostics -> NO
    Restrict Text Input -> Yes
    FND Validation Level -> ERROR
    FND Function Validation Level -> ERROR
    Framework Validation Level -> ERROR
 See Oracle Support note 946372.1 - Secure Configuration of E-Business Suite Profiles
    Contains information on what these do and what to test when turning
    them on.
 FND Validation Level is the only one of these which is off by
 default in 11i.
FND Validation Level

 Products must be at the 11.5.10CU2 level or above to
 use FND Validation Level.
 Benefit: provides defense in depth against parameter
 and URL tampering
 May prevent direct access (via a bookmark or URL) to
 pages that are not considered "launch pages" or
 "bookmarkable pages"
   Customized integration points which navigate into the E-Business
   Suite should be tested.
 Prerecorded scripts (WinRunner) may need special
 treatment…
Fixed Key Profiles

 With FND Validation Level on, the URI and its
 parameters are keyed uniquely for each session

 If you need to run prerecorded scripts you can set
 these profiles at the user level
 Oracle recommends that the Fixed Key profiles not be
 used in production environments

 Set both
   FND: Fixed Key Enabled – Y
   FND: Fixed Key – a 64-character hexadecimal string
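A way to verify the settings from the last two slides on a running instance, as an added example that is not part of the presentation or of support note 946372.1. It reads the standard AOL profile tables as APPS. Assumptions: the display names are the ones printed on the slides, the site level is LEVEL_ID 10001 and the user level LEVEL_ID 10004, and Yes/No profiles are stored as 'Y'/'N'.

```sql
-- Added example: report the site-level value of the five recommended
-- security profiles. A NULL site_value means the profile was never set at
-- site level, which is the 11i default for FND Validation Level.
WITH expected AS (
  SELECT 'FND: Diagnostics'              AS profile_name, 'N'     AS expected_value FROM dual UNION ALL
  SELECT 'Restrict Text Input',                           'Y'                       FROM dual UNION ALL
  SELECT 'FND Validation Level',                          'ERROR'                   FROM dual UNION ALL
  SELECT 'FND Function Validation Level',                 'ERROR'                   FROM dual UNION ALL
  SELECT 'Framework Validation Level',                    'ERROR'                   FROM dual
)
SELECT e.profile_name,
       e.expected_value,
       v.profile_option_value                                   AS site_value,
       CASE WHEN v.profile_option_value = e.expected_value
            THEN 'OK' ELSE 'REVIEW' END                         AS status   -- NULL also lands in REVIEW
FROM   expected e
       LEFT JOIN fnd_profile_options_vl po
              ON po.user_profile_option_name = e.profile_name
       LEFT JOIN fnd_profile_option_values v
              ON  v.profile_option_id = po.profile_option_id
              AND v.application_id   = po.application_id
              AND v.level_id         = 10001                    -- assumed: Site level
ORDER  BY e.profile_name;

-- Added example: list user-level overrides of the Fixed Key profiles, which
-- the slide says should not exist in production. The key itself is a secret,
-- so only report whether it is set, never its value.
SELECT po.user_profile_option_name,
       u.user_name,
       CASE WHEN v.profile_option_value IS NULL THEN 'unset' ELSE 'set' END AS state
FROM   fnd_profile_option_values v
       JOIN fnd_profile_options_vl po
         ON  po.profile_option_id = v.profile_option_id
         AND po.application_id   = v.application_id
       JOIN fnd_user u
         ON  u.user_id = v.level_value                           -- at user level LEVEL_VALUE is the USER_ID
WHERE  v.level_id = 10004                                        -- assumed: User level
AND    po.user_profile_option_name IN ('FND: Fixed Key Enabled', 'FND: Fixed Key')
ORDER  BY u.user_name, po.user_profile_option_name;
```

Run the first query after every CPU and after cloning, since a clone inherits whatever the source had. A row in the second query on a production instance is a finding: either the script-runner account was never cleaned up, or someone has disabled per-session URL validation for a real user.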
Password Hashing


 Non-Reversible Password Hashing
   Support Note 457166.1
   Stores local Applications user passwords as non-reversible
   hashes
   Available as of 11i ATG RUP6, 12.0.4 and 12.1
      Upgrade your desktop clients
      Use FNDCPASS to migrate following the note
      Backup & Test carefully – migration is…non-reversible
Externalizing EBS Security

Apps Schema Access

[Slide graphic: SOA Suite → Apps Adapter (PL/SQL execution) → APPS schema]

 Issues
    External applications for database oriented activities
    Schema password keeps changing
    Standards-based access

 Current Solution
   Create a new schema and provide privileges
   Provide the APPS password to the external system
Solution: Application Data Source

   Application Data Source Implementation
      J2EE/JDBC standards based

   On the External Tier Application Server
      Register the Application Data Source
      Register the Node as a trusted Node
      Create a new Application User
      Grant the (shipped) Role to this User
      Register this new User in the Application Server
JAAS implementation for EBS: New Solution

   E-Biz light-weight LoginModule, compliant with the JAAS
   specification, works with JDK or J2EE environments.

   Implement JAAS Authentication using the AOL security
   system

   Implement JAAS Authorization using UMX roles.
JAAS for EBS

[Slide graphic: ADF, Web Services and EJB applications on WebLogic → leverage EBS authentication and authorization through the LoginModule]
E-Business Suite / Oracle Access Manager
Integration Architecture

 Build on secure foundation for existing integrations
 Focus on stability and scalability
 Improve ease of integration for new implementations
 Provide easy transition for Oracle Single Sign-On
 Server integrations
 “Future-proof” identity management stack
E-Business Suite / Oracle Access Manager
Integration Architecture

 EBS Access Gateway Application
   Moves authentication into an external service
   Fewer points of integration makes it easier to certify future
   releases
   Insulates E-Business Suite instance from user authentication
   configuration
 Single application works for E-Business Suite
 Release 11i and Release 12
   No release-specific or OAM-dependent code
 Availability planned for 2010
   Watch for announcements on Oracle E-Business Suite
   Technology Blog (http://blogs.oracle.com/stevenChan/)
Architecture Overview

[Slide graphic: the E-Business Suite instance is configured to use the Access Gateway; the Access Gateway is itself protected by OAM]
E-Business Suite Integrations

Oracle Audit Vault

Applications are validated by default
  Database auditing sits underneath the application

Application User Auditing
  The application can set the database "client identifier" to tie the application
  user to the shared application database account

Database auditing can be used to monitor
  Base application tables and views
  Privileged user operations in the database (logins, user/table
  create)
Setting Client Identifier
    Any application running on an Oracle database can set the client
    identifier
    E-Business Suite (planned)
       A single line of initialization logic needs to be added:
       dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));

[Slide graphic: User A connects → the Oracle Application Server sets the client identifier to User A; User B connects → the application resets the client identifier to User B; the Oracle Database audit record carries client_identifier]

Note that this is the client identifier set with DBMS_SESSION.SET_IDENTIFIER (the CLIENT_ID column of the audit trail), not the client_info string set with DBMS_APPLICATION_INFO; only the former is recorded in audit records.
Oracle Audit Vault
Application Integration

1. Turn on database auditing
      Set the database parameters audit_trail, audit_file_dest,
      audit_sys_operations
2. Determine the application tables to audit
      audit <table> by access;
3. Configure Audit Vault to collect the database audit
   trail
4. Set up alerts in Audit Vault
5. View reports
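The five steps above and the client-identifier line from the previous slide, carried through end to end as an added example (not from the presentation). Steps 3 to 5 are done in the Audit Vault console, so the last statement reads the database audit trail directly instead. Assumptions: HR.PER_ALL_PEOPLE_F is used as a representative PII-bearing EBS table, the audit_file_dest path is an example, and the database is 11g (10gR2 spells the first parameter value DB_EXTENDED).

```sql
-- Added example. Step 1, as SYSDBA: enable the database audit trail.
-- SCOPE=SPFILE means the change takes effect at the next restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;   -- EXTENDED keeps SQL_TEXT and bind values
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYSDBA/SYSOPER actions go to OS files
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/PROD/adump' SCOPE = SPFILE;  -- example path

-- Step 2: audit a sensitive base table. BY ACCESS writes one record per
-- statement, so choose tables deliberately: auditing a hot table this way
-- grows SYS.AUD$ quickly.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.per_all_people_f BY ACCESS;

-- Application side: the single line from the slide, executed in the shared
-- APPS connection once the application user is known. Clear it before the
-- pooled connection is handed to someone else, otherwise the next user's
-- statements are attributed to the previous one.
BEGIN
  dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));
END;
/
-- ... application work on behalf of that user ...
BEGIN
  dbms_session.clear_identifier;
END;
/

-- Without Audit Vault, read the trail directly. USERNAME is the shared
-- database account (APPS), so CLIENT_ID is the only column that names the
-- application user; a NULL CLIENT_ID on an audited statement means some
-- code path reached the table without initialising the session.
SELECT a.timestamp, a.username, a.client_id, a.action_name,
       a.owner, a.obj_name, a.sql_text
FROM   dba_audit_trail a
WHERE  a.owner     = 'HR'
AND    a.obj_name  = 'PER_ALL_PEOPLE_F'
AND    a.timestamp > SYSDATE - 1
ORDER  BY a.timestamp;
```

The last query doubles as a test of the integration: run a known user through the page that touches the table and confirm that the row shows that user's name in CLIENT_ID rather than APPS alone.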
Database Vault

 DB Vault
   Separation of Duties for DBA roles
 Concerns
   Customizations to realms
   Patching with DB Vault on
   Generic accounts (APPS / SYSTEM) have access to
   sensitive data
Customizing DB Vault


 Default realm we ship with contains all Apps objects
 We now support realms that are subsets of this
   Need to ensure that all the procedures and patches in
   Support Notes are followed
   Any subsets will be treated as certified
   Any additions will be treated as customizations
 Detailed example of extending EBS realms in Support
 Notes
Patching DB Vault

 We now support patching the EBS Applications with
 DB Vault still on
   Instructions in Support notes
   Pre- and post-patching scripts give SYSTEM the additional
   privileges it needs
   Suggest auditing during the patch window
 Ensure named users are used
   Proxy access for named users reduces the
   administration overhead
   See the Support Note on Using DB Vault in the E-Business Suite
   for suggestions on how to minimize use of generic accounts
Providing Separation of Duties with (or without) DB Vault

 Use named accounts
   Use proxying
   Don't have DBAs doing normal activities in the APPS and
   SYSTEM accounts
 Customizing Realms
   Reducing seeded realms is not considered a customization
 OS access
   Use named accounts
   Delegate common tasks through sudo or Enterprise Manager (EM)
   Remove write and read for non-owners (0500 or 0700)
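The "use proxying" recommendation, shown as an added example rather than anything from the deck or the support note: a named DBA is given the ability to connect as APPS through his own credentials, so the APPS password is never handed out and the audit trail still shows who the person was. jsmith and the password are hypothetical. With Database Vault enabled, CREATE USER and ALTER USER are subject to its realm and command rules, so run these as the account the support note designates for user administration.

```sql
-- Added example: named, proxied access to APPS instead of a shared password.
CREATE USER jsmith IDENTIFIED BY "Example-Strong-Passw0rd";   -- hypothetical named DBA
GRANT CREATE SESSION TO jsmith;

-- Allow jsmith to authenticate as himself and then act as APPS.
-- APPS keeps its own password, which never leaves the vault of secrets.
ALTER USER apps GRANT CONNECT THROUGH jsmith;

-- Verify the mapping exists (and review it periodically for stale entries).
SELECT proxy, client
FROM   dba_proxies
WHERE  client = 'APPS';

-- From SQL*Plus the person connects with:   jsmith[apps]/Example-Strong-Passw0rd@PROD
-- Inside that session both identities are visible; SESSION_USER drives the
-- privileges, PROXY_USER is what you want in the audit trail.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS effective_user,  -- APPS
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS named_user       -- JSMITH
FROM   dual;

-- Remove the mapping when the person leaves the DBA team.
ALTER USER apps REVOKE CONNECT THROUGH jsmith;
```

Because the standard audit trail records the proxy session as well as the effective user, the privileged-user reports described under Audit Vault can be filtered by the named account, which is the point of not sharing APPS or SYSTEM.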
Support Notes on E-Business Suite with DB Vault

Guidance Document (New)

• 950018.1 Using Database Vault in the E-Business Suite



Implementation Instructions
• 428503.1 Integrating Oracle E-Business Suite Release 11i with
  Oracle Database Vault 10.2.0.4
• 859399.1 Integrating Oracle E-Business Suite Release 11i with
  Oracle Database Vault 11.1.0.7
• 566841.1 Integrating Oracle E-Business Suite Release 12 with
  Oracle Database Vault 10.2.0.4
• 859397.1 Integrating Oracle E-Business Suite Release 12 with
  Oracle Database Vault 11.1.0.7
Transparent Data Encryption (TDE) Certification

 Protecting data at rest
 Column-level TDE
   Certified for 10gR2 and 11g
   R11i and R12
 Tablespace TDE
   Certified for 11g Database
   R11i and R12

[Slide graphic: in the SQL layer and buffer cache the value is in clear ("SSN = 834-63-…"); on disk the data blocks, undo blocks, temp blocks, redo logs and flashback logs hold ciphertext ("*M$b@^s%&d7")]
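Both certified forms of TDE, as an added example that is not from the presentation or from the EBS certification note (follow that note for which columns and tablespaces are supported). Assumptions: 11g syntax, the wallet password, datafile path and tablespace name are placeholders, and HR.PER_ALL_PEOPLE_F.NATIONAL_IDENTIFIER is used only as an illustration of a PII column.

```sql
-- Added example. Prerequisite, once per database as SYSDBA: the wallet
-- location is configured in sqlnet.ora (ENCRYPTION_WALLET_LOCATION), then a
-- master key is created. The wallet, not the database backup, is what
-- protects the data: back it up separately, and losing it loses the data.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";
-- After every restart the wallet has to be open (or configured as auto-login):
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-password-placeholder";

-- Option 1, column-level TDE (10gR2 and 11g): only the named column is
-- encrypted. An indexed column must use NO SALT; the default SALT makes
-- equality lookups through the index impossible.
ALTER TABLE hr.per_all_people_f
  MODIFY (national_identifier ENCRYPT USING 'AES256' NO SALT);

-- Option 2, tablespace TDE (11g): every block written to the tablespace is
-- encrypted, which is what the slide graphic shows (data, undo, temp, redo
-- and flashback all hold ciphertext), and indexes and foreign keys behave
-- as usual. Create the tablespace, move the objects in, rebuild their indexes.
CREATE TABLESPACE apps_ts_pii_enc
  DATAFILE '/u01/oradata/PROD/apps_ts_pii_enc01.dbf' SIZE 512M   -- placeholder path
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE hr.per_all_people_f MOVE TABLESPACE apps_ts_pii_enc;
-- Generate the rebuild statements for the indexes invalidated by the move:
SELECT 'ALTER INDEX ' || owner || '.' || index_name || ' REBUILD;' AS stmt
FROM   dba_indexes
WHERE  table_owner = 'HR' AND table_name = 'PER_ALL_PEOPLE_F';

-- Verification: what is actually encrypted right now.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns;
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'APPS_TS_PII_ENC';
```

Neither option changes what a connected user sees: as the slide graphic shows, values are in clear in the SQL layer and buffer cache, so TDE defends the files, backups and redo, not a user with SELECT on the table. Access control for that is the job of Database Vault, VPD and the application's own security.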
Oracle Label Security (OLS) / Virtual Private Database (VPD)

 Additional Apps level protections?
   Yes, Apps uses it this way for MOAC (Multi-Org Access Control)
 Protection at DB level?
   Involves protecting your context as well
 Need to work through performance issues
 Need to work through the implications of limiting row
 visibility
 All VPD is treated as a customization
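What "protecting your context as well" means in practice, as an added example that is not from the presentation (everything with an XX_ prefix is hypothetical, including the XX_USER_BRANCHES mapping table and the XX_LOAN_APPLICATIONS table being filtered). The row filter reads an application context, and the context is bound to one package so that nothing else in the session can set it; the policy fails closed when the context is missing.

```sql
-- Added example: VPD row filtering driven by a package-protected context.

-- 1. The context namespace is tied to one package. DBMS_SESSION.SET_CONTEXT
--    for 'xx_loan_ctx' from any other code raises ORA-01031, so a user with
--    a SQL prompt cannot grant themselves another branch.
CREATE OR REPLACE CONTEXT xx_loan_ctx USING apps.xx_loan_sec;

CREATE OR REPLACE PACKAGE apps.xx_loan_sec AS
  PROCEDURE init;
END xx_loan_sec;
/
CREATE OR REPLACE PACKAGE BODY apps.xx_loan_sec AS
  PROCEDURE init IS
    l_branch VARCHAR2(30);
  BEGIN
    -- Derive the branch from the authenticated application user, never from a
    -- caller-supplied parameter; that is the difference between a protected
    -- context and a decorative one.
    SELECT branch_id INTO l_branch
    FROM   apps.xx_user_branches            -- hypothetical user-to-branch mapping
    WHERE  user_id = fnd_global.user_id;
    DBMS_SESSION.SET_CONTEXT('xx_loan_ctx', 'branch_id', l_branch);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: leave the attribute unset so the policy below denies.
      DBMS_SESSION.CLEAR_CONTEXT('xx_loan_ctx', NULL, 'branch_id');
  END init;
END xx_loan_sec;
/

-- 2. Policy function. An unset context yields '1=0', so a session that never
--    ran init sees no rows instead of all rows. The predicate references
--    SYS_CONTEXT rather than embedding the value, so it stays shareable in
--    the cursor cache (part of the performance concern on the slide).
CREATE OR REPLACE FUNCTION apps.xx_loan_policy(p_schema IN VARCHAR2,
                                               p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('xx_loan_ctx', 'branch_id') IS NULL THEN
    RETURN '1=0';
  END IF;
  RETURN 'branch_id = SYS_CONTEXT(''xx_loan_ctx'', ''branch_id'')';
END xx_loan_policy;
/

-- 3. Attach the policy for all DML. UPDATE_CHECK stops a user inserting or
--    updating a row into a branch they could not read back.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APPS',
    object_name     => 'XX_LOAN_APPLICATIONS',
    policy_name     => 'XX_LOAN_BRANCH_POL',
    function_schema => 'APPS',
    policy_function => 'XX_LOAN_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

Call apps.xx_loan_sec.init from the same session initialisation that sets the client identifier, and remember that APPS itself, as the owner of the policy, is not exempt; only SYS and users with EXEMPT ACCESS POLICY bypass VPD, which is one more reason DBAs should not be working in APPS.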
11gR2 certification

 11.5.10.2 completed
 12 still in progress
 Advanced Security Option
   Advanced Network Encryption
 TDE and DB Vault not included in the initial certification
   Certification will follow
Futures




 PCI - PA-DSS certification and whitepaper
 DB Vault – patching without generic accounts
 OS level protections
 PII - Sensitive data collection and realms
 Sensitive pages - Guest, Admin pages
 Exposure of core FND APIs to external developers
Q&A
Oracle Software Security Assurance Sessions at
    Oracle OpenWorld


Related Sessions

• S309974: Securing Oracle E-Business Suite with Oracle Identity and
  Access Management, Tuesday October 13th, 17:30 - 18:30 Marriott Hotel
  Salon 3


• S311455: Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite
  Applications from the Database Tuesday October 13th, Moscone South
  Rm 306


• S311337: Secure Your Existing Application Transparently in 30 Minutes or
  Less, Wednesday October 14th, Moscone South Rm 103
Integrating Information Protection Into Data Architecture & SDLC
 
Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010Oracle tech fmw-05-idm-neum-16.04.2010
Oracle tech fmw-05-idm-neum-16.04.2010
 
Security best practices
Security best practicesSecurity best practices
Security best practices
 

Más de jucaab

Soa con8642 pdf_8642_0001
Soa con8642 pdf_8642_0001Soa con8642 pdf_8642_0001
Soa con8642 pdf_8642_0001jucaab
 
Soa cloud con8968_pdf_8968_0001
Soa cloud con8968_pdf_8968_0001Soa cloud con8968_pdf_8968_0001
Soa cloud con8968_pdf_8968_0001jucaab
 
Otm 2013 c13_e-14a-pospelov-evgeniy-taking-control-over-transportation-spend
Otm 2013 c13_e-14a-pospelov-evgeniy-taking-control-over-transportation-spendOtm 2013 c13_e-14a-pospelov-evgeniy-taking-control-over-transportation-spend
Otm 2013 c13_e-14a-pospelov-evgeniy-taking-control-over-transportation-spendjucaab
 
Otm 2013 c13_e-14b-hatcher-and-van-haaster-otm-sap-integration
Otm 2013 c13_e-14b-hatcher-and-van-haaster-otm-sap-integrationOtm 2013 c13_e-14b-hatcher-and-van-haaster-otm-sap-integration
Otm 2013 c13_e-14b-hatcher-and-van-haaster-otm-sap-integrationjucaab
 
Otm 2013 c13_e-17a-plessis-elisabeth-otm-self-help
Otm 2013 c13_e-17a-plessis-elisabeth-otm-self-helpOtm 2013 c13_e-17a-plessis-elisabeth-otm-self-help
Otm 2013 c13_e-17a-plessis-elisabeth-otm-self-helpjucaab
 
Otm 2013 c13_e-17b-andriesse-lourens-otm-data-management
Otm 2013 c13_e-17b-andriesse-lourens-otm-data-managementOtm 2013 c13_e-17b-andriesse-lourens-otm-data-management
Otm 2013 c13_e-17b-andriesse-lourens-otm-data-managementjucaab
 
Otm 2013 c13_e-18a-sabharwal-naval-covert-waste-to-value-with-otm
Otm 2013 c13_e-18a-sabharwal-naval-covert-waste-to-value-with-otmOtm 2013 c13_e-18a-sabharwal-naval-covert-waste-to-value-with-otm
Otm 2013 c13_e-18a-sabharwal-naval-covert-waste-to-value-with-otmjucaab
 
Otm 2013 c13_e-21-fl-keynote-implications-of-ec-transportation-priorities
Otm 2013 c13_e-21-fl-keynote-implications-of-ec-transportation-prioritiesOtm 2013 c13_e-21-fl-keynote-implications-of-ec-transportation-priorities
Otm 2013 c13_e-21-fl-keynote-implications-of-ec-transportation-prioritiesjucaab
 
Otm 2013 c13_e-22a-lim-joshua-otm-as-a-service-differentiator
Otm 2013 c13_e-22a-lim-joshua-otm-as-a-service-differentiatorOtm 2013 c13_e-22a-lim-joshua-otm-as-a-service-differentiator
Otm 2013 c13_e-22a-lim-joshua-otm-as-a-service-differentiatorjucaab
 
Otm 2013 c13_e-22b-vivio-pam-otm-3d-load-configurator
Otm 2013 c13_e-22b-vivio-pam-otm-3d-load-configuratorOtm 2013 c13_e-22b-vivio-pam-otm-3d-load-configurator
Otm 2013 c13_e-22b-vivio-pam-otm-3d-load-configuratorjucaab
 
Otm 2013 c13_e-23b-hatcher-neil-otm-gtm-data-maintenance
Otm 2013 c13_e-23b-hatcher-neil-otm-gtm-data-maintenanceOtm 2013 c13_e-23b-hatcher-neil-otm-gtm-data-maintenance
Otm 2013 c13_e-23b-hatcher-neil-otm-gtm-data-maintenancejucaab
 
Otm 2013 c13_e-13b-hagan-mark-otm-soa
Otm 2013 c13_e-13b-hagan-mark-otm-soaOtm 2013 c13_e-13b-hagan-mark-otm-soa
Otm 2013 c13_e-13b-hagan-mark-otm-soajucaab
 
Otm 2013 c13_e-12-gittoes-derek-otm-release-6-3-overview
Otm 2013 c13_e-12-gittoes-derek-otm-release-6-3-overviewOtm 2013 c13_e-12-gittoes-derek-otm-release-6-3-overview
Otm 2013 c13_e-12-gittoes-derek-otm-release-6-3-overviewjucaab
 
Otm 2013 c13_e-15-gittoes-derek-otm-product-strategy
Otm 2013 c13_e-15-gittoes-derek-otm-product-strategyOtm 2013 c13_e-15-gittoes-derek-otm-product-strategy
Otm 2013 c13_e-15-gittoes-derek-otm-product-strategyjucaab
 
Otm con8923 pdf_8923_0002
Otm con8923 pdf_8923_0002Otm con8923 pdf_8923_0002
Otm con8923 pdf_8923_0002jucaab
 
Otm con8923 pdf_8923_0001
Otm con8923 pdf_8923_0001Otm con8923 pdf_8923_0001
Otm con8923 pdf_8923_0001jucaab
 
Otm con8766 pdf_8766_0001
Otm con8766 pdf_8766_0001Otm con8766 pdf_8766_0001
Otm con8766 pdf_8766_0001jucaab
 
Fusion apps security_con8714_pdf_8714_0001
Fusion apps security_con8714_pdf_8714_0001Fusion apps security_con8714_pdf_8714_0001
Fusion apps security_con8714_pdf_8714_0001jucaab
 
Fusion app tech_con8707_pdf_8707_0001
Fusion app tech_con8707_pdf_8707_0001Fusion app tech_con8707_pdf_8707_0001
Fusion app tech_con8707_pdf_8707_0001jucaab
 
Fusion app integration_con8685_pdf_8685_0001
Fusion app integration_con8685_pdf_8685_0001Fusion app integration_con8685_pdf_8685_0001
Fusion app integration_con8685_pdf_8685_0001jucaab
 

Más de jucaab (20)

Soa con8642 pdf_8642_0001
Soa con8642 pdf_8642_0001Soa con8642 pdf_8642_0001
Soa con8642 pdf_8642_0001
 
Soa cloud con8968_pdf_8968_0001
Soa cloud con8968_pdf_8968_0001Soa cloud con8968_pdf_8968_0001
Soa cloud con8968_pdf_8968_0001
 
Otm 2013 c13_e-14a-pospelov-evgeniy-taking-control-over-transportation-spend
Otm 2013 c13_e-14a-pospelov-evgeniy-taking-control-over-transportation-spendOtm 2013 c13_e-14a-pospelov-evgeniy-taking-control-over-transportation-spend
Otm 2013 c13_e-14a-pospelov-evgeniy-taking-control-over-transportation-spend
 
Otm 2013 c13_e-14b-hatcher-and-van-haaster-otm-sap-integration
Otm 2013 c13_e-14b-hatcher-and-van-haaster-otm-sap-integrationOtm 2013 c13_e-14b-hatcher-and-van-haaster-otm-sap-integration
Otm 2013 c13_e-14b-hatcher-and-van-haaster-otm-sap-integration
 
Otm 2013 c13_e-17a-plessis-elisabeth-otm-self-help
Otm 2013 c13_e-17a-plessis-elisabeth-otm-self-helpOtm 2013 c13_e-17a-plessis-elisabeth-otm-self-help
Otm 2013 c13_e-17a-plessis-elisabeth-otm-self-help
 
Otm 2013 c13_e-17b-andriesse-lourens-otm-data-management
Otm 2013 c13_e-17b-andriesse-lourens-otm-data-managementOtm 2013 c13_e-17b-andriesse-lourens-otm-data-management
Otm 2013 c13_e-17b-andriesse-lourens-otm-data-management
 
Otm 2013 c13_e-18a-sabharwal-naval-covert-waste-to-value-with-otm
Otm 2013 c13_e-18a-sabharwal-naval-covert-waste-to-value-with-otmOtm 2013 c13_e-18a-sabharwal-naval-covert-waste-to-value-with-otm
Otm 2013 c13_e-18a-sabharwal-naval-covert-waste-to-value-with-otm
 
Otm 2013 c13_e-21-fl-keynote-implications-of-ec-transportation-priorities
Otm 2013 c13_e-21-fl-keynote-implications-of-ec-transportation-prioritiesOtm 2013 c13_e-21-fl-keynote-implications-of-ec-transportation-priorities
Otm 2013 c13_e-21-fl-keynote-implications-of-ec-transportation-priorities
 
Otm 2013 c13_e-22a-lim-joshua-otm-as-a-service-differentiator
Otm 2013 c13_e-22a-lim-joshua-otm-as-a-service-differentiatorOtm 2013 c13_e-22a-lim-joshua-otm-as-a-service-differentiator
Otm 2013 c13_e-22a-lim-joshua-otm-as-a-service-differentiator
 
Otm 2013 c13_e-22b-vivio-pam-otm-3d-load-configurator
Otm 2013 c13_e-22b-vivio-pam-otm-3d-load-configuratorOtm 2013 c13_e-22b-vivio-pam-otm-3d-load-configurator
Otm 2013 c13_e-22b-vivio-pam-otm-3d-load-configurator
 
Otm 2013 c13_e-23b-hatcher-neil-otm-gtm-data-maintenance
Otm 2013 c13_e-23b-hatcher-neil-otm-gtm-data-maintenanceOtm 2013 c13_e-23b-hatcher-neil-otm-gtm-data-maintenance
Otm 2013 c13_e-23b-hatcher-neil-otm-gtm-data-maintenance
 
Otm 2013 c13_e-13b-hagan-mark-otm-soa
Otm 2013 c13_e-13b-hagan-mark-otm-soaOtm 2013 c13_e-13b-hagan-mark-otm-soa
Otm 2013 c13_e-13b-hagan-mark-otm-soa
 
Otm 2013 c13_e-12-gittoes-derek-otm-release-6-3-overview
Otm 2013 c13_e-12-gittoes-derek-otm-release-6-3-overviewOtm 2013 c13_e-12-gittoes-derek-otm-release-6-3-overview
Otm 2013 c13_e-12-gittoes-derek-otm-release-6-3-overview
 
Otm 2013 c13_e-15-gittoes-derek-otm-product-strategy
Otm 2013 c13_e-15-gittoes-derek-otm-product-strategyOtm 2013 c13_e-15-gittoes-derek-otm-product-strategy
Otm 2013 c13_e-15-gittoes-derek-otm-product-strategy
 
Otm con8923 pdf_8923_0002
Otm con8923 pdf_8923_0002Otm con8923 pdf_8923_0002
Otm con8923 pdf_8923_0002
 
Otm con8923 pdf_8923_0001
Otm con8923 pdf_8923_0001Otm con8923 pdf_8923_0001
Otm con8923 pdf_8923_0001
 
Otm con8766 pdf_8766_0001
Otm con8766 pdf_8766_0001Otm con8766 pdf_8766_0001
Otm con8766 pdf_8766_0001
 
Fusion apps security_con8714_pdf_8714_0001
Fusion apps security_con8714_pdf_8714_0001Fusion apps security_con8714_pdf_8714_0001
Fusion apps security_con8714_pdf_8714_0001
 
Fusion app tech_con8707_pdf_8707_0001
Fusion app tech_con8707_pdf_8707_0001Fusion app tech_con8707_pdf_8707_0001
Fusion app tech_con8707_pdf_8707_0001
 
Fusion app integration_con8685_pdf_8685_0001
Fusion app integration_con8685_pdf_8685_0001Fusion app integration_con8685_pdf_8685_0001
Fusion app integration_con8685_pdf_8685_0001
 

Critical Data Protection and Security in Oracle E-Business Suite

  • 1.
  • 2. Critical Data Protection and Security in Oracle E-Business Suite
    Eric Bing – Senior Director, Applications Product Security
    Robert Armstrong – Senior Manager, Applications Product Security
  • 3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 4. Agenda
    • Business Drivers
      • Security Challenges
    • Security Inside Out
      • End-to-End Security
    • E-Business Suite (EBS) Secure Configuration
      • Secure Your Environment
    • Externalizing EBS Security
      • Spreading out from the Apps tier
    • EBS Integrations
      • Leveraging Oracle Technology
    • Q&A
  • 6. Security for Web based Loan Origination
    Process flow: start → Credit Rating (Get Rating), with a Handle Negative Credit Exception branch → Send Loan Application to United Loan and to Star Loan → Receive Loan Offer from each → Select Lowest Offer → end
  • 7. Security Vulnerabilities (annotated on the loan origination flow)
    1. Anyone who can access the server can initiate loan applications
    2. SSN sent in clear text: <SSN> 011-22-4488 </SSN>
    3. Response must go through the firewall
    4. How can I be sure no other sensitive data is unprotected?
  • 8. Comprehensive Security Results (annotated on the same flow)
    1. Security Policy: Role-based access control
    2. Securing Privacy: Auto-Encryption of PII in XML message
    3. Management: Service virtualization in DMZ
    4. Audit & Compliance: System-wide services monitoring
  • 9. More Regulations Than Ever…
    UK/PRO, PIPEDA, EU Data Directives, Sarbanes-Oxley, GLBA, PCI, Basel II, Breach Disclosure, FISMA, K SOX, Euro SOX, J SOX, HIPAA, ISO 17799, SAS 70, COBIT, AUS/PRO
    90% of companies behind in compliance. Source: IT Policy Compliance Group, 2007.
    Oracle Confidential
  • 11. 1 Comprehensive Identity & Access Management
    • Store & Virtualize Identities
    • Provision Identities & Roles
    • Manage Access to Systems
    • Manage Entitlements
    • Federate Identities
  • 12. 2 Comprehensive Controls Enforcement
    • Consolidate Compliance Activities
    • Proactively Manage Risk
    • Automate Internal Controls
  • 13. 3 Comprehensive Data Protection
    • When Applications Are Targeted
    • When Data Is In Motion
    • When Data Is At Rest
    • When Data Is Cloned
    • When Data Is Administered
  • 14. Oracle Security Inside Out (layers shown: Information Infrastructure, Databases, Applications, Content)
    Database Security
    • Encryption and Masking
    • Privileged User Controls
    • Multi-Factor Authorization
    • Activity Monitoring and Audit
    • Secure Configuration
    Identity Management
    • User Provisioning
    • Role Management
    • Entitlements Management
    • Risk-Based Access Control
    • Virtual Directories
    Information Rights Management
    • Track and Audit Document Usage
    • Control and Revoke Document Access
    • Secured Inside or Outside Firewall
    • Centralized Policy Administration
  • 15. Database Defense-in-Depth
    Monitoring
    • Configuration Management
    • Oracle Audit Vault
    • Total Recall
    Access Control
    • Oracle Database Vault
    • Label Security
    Encryption & Masking
    • Advanced Security
    • Secure Backup
    • Data Masking
  • 17. Secure Configuration
    • 11i – Support note 189367.1
    • R12 – Support note 403537.1
    • CPUs: Apply them!
    • Evaluating a 11i Cumulative CPU: resolve dependencies and superseded patches; based / tested on 11.5.10CU2
  • 18. Default Passwords
    Ensure that you’ve changed all default passwords:
    • DB accounts – Support Note 361482.1, Patch 4926128
    • Apps users – the check script (fnddefpw.sql) is part of the Apr CPU; 11i: Patch 7831891
  • 19. Security Profiles
    Oracle strongly recommends the following settings for Security Profiles:
    • FND: Diagnostics -> NO
    • Restrict Text Input -> Yes
    • FND Validation Level -> ERROR
    • FND Function Validation Level -> ERROR
    • Framework Validation Level -> ERROR
    See Oracle Support note 946372.1 – Secure Configuration of E-Business Suite Profiles. It contains information on what these do and what to test when turning these on. FND Validation Level is the only one of these which is off by default in 11i.
  • 20. FND Validation Level
    • Products must be at the 11.5.10CU2 level or above to use FND Validation Level.
    • Benefit: provides defense in depth against parameter and URL tampering.
    • May prevent direct access (via a bookmark or URL) to pages that are not considered "launch pages" or "bookmarkable pages".
    • Customized integration points which navigate into the E-Business Suite should be tested.
    • Prerecorded scripts (WinRunner) may need special treatment…
  • 21. Fixed Key Profiles
    • With FND Validation Level on, the URI and parameters are unique for each session.
    • If you need to run prerecorded scripts, you can set these at the user level.
    • Oracle recommends that the Fixed Key profiles not be used in production environments.
    • Set both: FND: Fixed Key Enabled – Y; FND: Fixed Key – hexadecimal string of size 64
  • 22. Password Hashing
    • Non-Reversible Password Hashing – Support Note 457166.1
    • Stores local Applications user passwords as non-reversible hashes
    • Available as of 11i ATG RUP6, 12.0.4 and 12.1
    • Upgrade your desktop clients
    • Use FNDCPASS to migrate, following the note
    • Backup & test carefully – migration is…non-reversible
  • 24. Apps Schema Access
    • SOA Suite Apps Adapter (PL/SQL execution)
    • External applications for database oriented activities
    Issues
    • Schema password keeps changing
    • Standards based access
    Current Solution
    • Create a new schema and provide privileges
    • Provide apps password to external system
  • 25. Solution: Application Data Source
    Implementation: J2EE/JDBC standards based. On the External Tier Application Server:
    • Register the Application Data Source
    • Register the Node as a trusted Node
    • Create a new Application User
    • Grant the (shipped) Role to this User
    • Register this new User in the Application Server
  • 26. JAAS implementation for EBS
    New Solution: E-Biz light-weight LoginModule, compliant with JAAS specifications, works with JDK or J2EE environments.
    • Implement JAAS Authentication using the AOL security system
    • Implement JAAS Authorization using UMX roles
  • 27. JAAS for EBS
    Leverage EBS Authentication and Authorization from ADF, Web-Services and EJB (WebLogic)
  • 28. E-Business Suite / Oracle Access Manager Integration Architecture
    • Build on secure foundation for existing integrations
    • Focus on stability and scalability
    • Improve ease of integration for new implementations
    • Provide easy transition for Oracle Single Sign-On Server integrations
    • “Future-proof” identity management stack
  • 29. E-Business Suite / Oracle Access Manager Integration Architecture: EBS Access Gateway Application
    • Moves authentication into an external service
    • Fewer points of integration makes it easier to certify future releases
    • Insulates E-Business Suite instance from user authentication configuration
    • Single application works for E-Business Suite Release 11i and Release 12
    • No release-specific or OAM-dependent code
    • Availability planned for 2010; watch for announcements on the Oracle E-Business Suite Technology Blog (http://blogs.oracle.com/stevenChan/)
  • 30. Architecture Overview
    • E-Business Suite instance configured to use Access Gateway
    • Access Gateway protected by OAM
  • 32. Oracle Audit Vault
    • Applications are validated by default; database auditing is underneath the Application
    • Application User Auditing: the Application can set the database “Client Identifier” to tie the application user to the application shared account
    • Database Auditing can be used to monitor:
      • Base application tables and views
      • Privileged user operations in the database (logins, user/table create)
  • 33. Setting Client Identifier
    • Any application running on Oracle database can set the client identifier
    • E-Business Suite (planned): single line of initialization logic that needs to be added:
      dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));
    Diagram: User A connects → Application sets client_info to User A → Oracle Database → Audit Record uses client_identifier; User B connects → Application resets client_info to User B
  • 34. Oracle Audit Vault Application Integration
    1. Turn on database auditing: set the database parameters audit_trail, audit_trail_dest, audit_sys_operations
    2. Determine the application tables to audit: audit <table> by access;
    3. Configure Audit Vault to collect the database audit trail
    4. Setup alerts in Audit Vault
    5. View Reports
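The auditing steps of slides 32 to 34, carried through as an added SQL/PL-SQL example (this is not code from the presentation or from Oracle E-Business Suite). It turns on database auditing, audits an application table by access, sets the client identifier the way slide 33 describes so that each audit record names the application user behind the shared schema connection, and then reads the trail back. The APPDEMO schema, its CUSTOMERS table, the SET_APP_USER/CLEAR_APP_USER procedures and the user names are constructed for illustration; in EBS the identifier would come from fnd_global.username. Note that the initialization parameter for the OS audit file directory is named audit_file_dest; it is left at its default here, so only audit_trail and audit_sys_operations are set.

```sql
-- Added example (not from the slides): database auditing keyed by client
-- identifier. APPDEMO, CUSTOMERS and the user names are constructed.

-- 1. Turn on database auditing (run as SYSDBA; audit_trail takes effect
--    after a restart). DB,EXTENDED also records SQL text and bind values.
ALTER SYSTEM SET audit_trail = DB,EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
-- (restart the instance here)

-- 2. Audit the application table that holds sensitive columns, one audit
--    record per statement, plus the privileged operations slide 32 lists:
--    logins and user/table creation.
AUDIT SELECT, INSERT, UPDATE, DELETE ON appdemo.customers BY ACCESS;
AUDIT CREATE SESSION BY ACCESS;   -- every login
AUDIT USER BY ACCESS;             -- CREATE/ALTER/DROP USER
AUDIT TABLE BY ACCESS;            -- CREATE/DROP/TRUNCATE TABLE

-- 3. The application's single line of initialisation logic (slide 33),
--    wrapped in a procedure the shared-account connection pool can call.
--    CLIENT_IDENTIFIER holds at most 64 bytes, hence the SUBSTRB.
CREATE OR REPLACE PROCEDURE appdemo.set_app_user (p_username IN VARCHAR2) IS
BEGIN
  DBMS_SESSION.SET_IDENTIFIER(SUBSTRB(p_username, 1, 64));
END;
/

-- Clear the identifier when the pooled connection is handed back, so the
-- next borrower's statements are not attributed to the previous user.
CREATE OR REPLACE PROCEDURE appdemo.clear_app_user IS
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- Simulated use on one shared APPDEMO connection: user A's work, then user B's.
DECLARE
  l_cnt PLS_INTEGER;
BEGIN
  appdemo.set_app_user('ALICE@EXAMPLE');   -- constructed user name
  UPDATE appdemo.customers SET ssn = '***-**-0000' WHERE customer_id = 42;
  appdemo.clear_app_user;

  appdemo.set_app_user('BOB@EXAMPLE');     -- constructed user name
  SELECT COUNT(*) INTO l_cnt FROM appdemo.customers WHERE region = 'EMEA';
  appdemo.clear_app_user;
  COMMIT;
END;
/

-- 4. Read the trail back. USERNAME is the shared schema for every row, but
--    CLIENT_ID carries the application user set in step 3. Audit Vault
--    collects this same trail; the query is a useful check before the
--    collector is configured.
SELECT extended_timestamp, os_username, username, client_id,
       action_name, obj_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'APPDEMO' AND obj_name = 'CUSTOMERS'
 ORDER BY extended_timestamp;

-- Detection check: statements against the sensitive table with no
-- CLIENT_ID did not come through the application path (for example a
-- direct SQL*Plus session on the shared account) and deserve review.
SELECT extended_timestamp, os_username, userhost, username,
       action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'APPDEMO' AND obj_name = 'CUSTOMERS'
   AND client_id IS NULL
 ORDER BY extended_timestamp;
```

The pairing of SET_IDENTIFIER on borrow and CLEAR_IDENTIFIER on return is the part that matters operationally: a pool that sets the identifier but never clears it will mislabel any statement issued on a connection before its next borrower is identified, and the second query above is the cheapest way to find such gaps.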
  • 38. Data Base Vault
    DB Vault: Separation of Duties for DBA roles
    Concerns
    • Customizations to realms
    • Patching with DB Vault on
    • Generic accounts (APPS / SYSTEM) have access to sensitive data
  • 39. Customizing DB Vault
    • Default realm we ship with contains all Apps objects
    • We now support realms that are subsets of this
    • Need to ensure that all the procedures and patches in Support Notes are followed
    • Any subsets will be treated as certified; any additions will be treated as customizations
    • Detailed example of extending EBS realms in Support Notes
  • 40. Patching DB Vault
    • We now support patching the EBS Applications with DB Vault still on; instructions in Support notes
    • Pre and post patching scripts to give SYSTEM additional privs
    • Suggest auditing during patch window
    • Ensure named users are used; can use proxy access for named users to reduce administration
    • See Support Note on Using DB Vault in the E-Business Suite for suggestions on how to minimize use of generic accounts
  • 41. Providing Separation of Duties with (or without) DB Vault
    • Use named accounts
    • Use proxying
    • Don’t have DBAs doing normal activities in the APPS and SYSTEM accounts
    Customizing Realms
    • Reducing seeded realms not considered a customization
    OS access
    • Use named accounts
    • Delegate common tasks through sudo or EM
    • Remove write and read for non-owners (0500 or 0700)
  • 42. Support Notes on E-Business Suite with DB Vault
    Guidance Document (New)
    • 950018.1 Using Database Vault in the E-Business Suite
    Implementation Instructions
    • 428503.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 10.2.0.4
    • 859399.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 11.1.0.7
    • 566841.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.4
    • 859397.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 11.1.0.7
  • 43. Transparent Data Encryption (TDE) Certification
    Protecting data at rest
    • Column-level TDE: certified for 10GR2 and 11G, R11i and R12
    • Tablespace TDE: certified for 11G, R11i and R12
    Diagram: SQL Layer → Buffer Cache (“SSN = 834-63-..”, clear text in memory) → Database data blocks (“*M$b@^s%&d7”, encrypted on disk), undo blocks, temp blocks, redo logs, flashback logs
  • 44. Oracle Label Security (OLS) / Virtual Private Database (VPD)
    • Additional Apps level protections? Yes, Apps uses it this way for MOAC
    • Protection at DB level? Involves protecting your context as well
    • Need to work through performance issues
    • Need to work through implications of limiting row visibility
    • All VPD treated as customization
  • 45. 11gR2 certification
    • 11.5.10.2 completed; 12 still working
    • Advanced Security Option: Advanced Network Encryption
    • TDE and DB Vault not included in initial cert; certification will follow
  • 46. Futures
    • PCI – PA-DSS certification and whitepaper
    • DB Vault – patching without generic accounts
    • OS level protections
    • PII – Sensitive data collection and realms
    • Sensitive pages – Guest, Admin pages
    • Exposure of core FND APIs to external developers
  • 48. Oracle Software Security Assurance Sessions at Oracle OpenWorld
    Related Sessions
    • S309974: Securing Oracle E-Business Suite with Oracle Identity and Access Management, Tuesday October 13th, 17:30 - 18:30, Marriott Hotel Salon 3
    • S311455: Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database, Tuesday October 13th, Moscone South Rm 306
    • S311337: Secure Your Existing Application Transparently in 30 Minutes or Less, Wednesday October 14th, Moscone South Rm 103