This document discusses security strategies for Oracle E-Business Suite applications. It outlines business drivers for security, security challenges, and comprehensive security approaches. It discusses securing the EBS environment through configuration hardening and patching. It also covers externalizing EBS security through approaches like integrating with Oracle Identity Management and leveraging technologies like Oracle Audit Vault. The presentation provides an overview of current and future certification plans for advanced security options in Oracle databases like Transparent Data Encryption and Database Vault when used with EBS. It aims to help organizations understand security best practices for Oracle E-Business Suite applications.
Critical Data Protection and Security in Oracle E-Business Suite
2. Critical Data Protection and Security in Oracle E-Business Suite
Eric Bing – Senior Director, Applications Product Security
Robert Armstrong – Senior Manager, Applications Product Security
3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
4. Agenda
• Business Drivers
• Security Challenges
• Security Inside Out
• End-to-End Security
• E-Business Suite (EBS) Secure Configuration
• Secure Your Environment
• Externalizing EBS Security
• Spreading out from the Apps tier
• EBS Integrations
• Leveraging Oracle Technology
• Q&A
6. Security for Web based Loan Origination
(Process flow diagram: start -> Credit Rating (Get Rating; Handle Negative Credit Exception) -> Send Loan Application to United Loan and to Star Loan -> Receive Loan Offer from each -> Select Lowest Offer -> end)
7. Security Vulnerabilities
(Annotations on the loan origination flow diagram:)
(1) Anyone who can access the server can initiate loan applications
(2) SSN sent in clear text: <SSN>011-22-4488</SSN>
(3) Response must go through the firewall
(4) How can I be sure no other sensitive data is unprotected?
8. Comprehensive Security Results
(Annotations on the loan origination flow diagram:)
(1) Security Policy: Role-based access control
(2) Securing Privacy: Auto-Encryption of PII in XML message
(3) Management: Service virtualization in DMZ
(4) Audit & Compliance: System-wide services monitoring
9. More Regulations Than Ever…
(Regulation cloud:) UK/PRO, PIPEDA, EU Data Directives, Sarbanes-Oxley, GLBA, PCI, Basel II, Breach Disclosure, FISMA, K SOX, Euro SOX, J SOX, HIPAA, ISO 17799, SAS 70, COBIT, AUS/PRO
90% of companies behind in compliance
Source: IT Policy Compliance Group, 2007.
Oracle Confidential
13. Comprehensive Data Protection
• When Applications Are Targeted
• When Data Is In Motion
• When Data Is At Rest
• When Data Is Cloned
• When Data Is Administered
14. Oracle Security Inside Out
Database Security
• Encryption and Masking
• Privileged User Controls
• Multi-Factor Authorization
• Activity Monitoring and Audit
• Secure Configuration
Identity Management
• User Provisioning
• Role Management
• Entitlements Management
• Risk-Based Access Control
• Virtual Directories
Information Rights Management
• Track and Audit Document Usage
• Control and Revoke Document Access
• Secured Inside or Outside Firewall
• Centralized Policy Administration
(Diagram layers: Information Infrastructure – Databases, Applications, Content)
17. Secure Configuration
• 11i – Support note 189367.1
• R12 – Support note 403537.1
CPUs
• Apply them!
• Evaluating an 11i Cumulative CPU: resolve dependencies and superseded patches
• Based on and tested against 11.5.10CU2
18. Default Passwords
Ensure that you’ve changed all default passwords:
DB accounts
• Support Note 361482.1
• Patch 4926128
Apps users
• Check script is part of the Apr CPU – fnddefpw.sql
• 11i: Patch 7831891
19. Security Profiles
Oracle strongly recommends the following settings for Security Profiles:
• FND: Diagnostics -> NO
• Restrict Text Input -> Yes
• FND Validation Level -> ERROR
• FND Function Validation Level -> ERROR
• Framework Validation Level -> ERROR
See Oracle Support note 946372.1 – Secure Configuration of E-Business Suite Profiles. It contains information on what these do and what to test when turning these on.
FND Validation Level is the only one of these which is off by default in 11i.
20. FND Validation Level
Products must be at the 11.5.10CU2 level or above to use FND Validation Level.
Benefit: provides defense in depth against parameter and URL tampering.
May prevent direct access (via a bookmark or URL) to pages that are not considered "launch pages" or "bookmarkable pages".
Customized integration points which navigate into the E-Business Suite should be tested.
Prerecorded scripts (WinRunner) may need special treatment…
21. Fixed Key Profiles
With FND Validation Level on, the URI and parameters are unique for each session.
If you need to run prerecorded scripts, you can set these at the user level.
Oracle recommends that the Fixed Key profiles not be used in production environments.
Set both:
• FND: Fixed Key Enabled – Y
• FND: Fixed Key – hexadecimal string of size 64
22. Password Hashing
Non-Reversible Password Hashing – Support Note 457166.1
• Stores local Applications user passwords as non-reversible hashes
• Available as of 11i ATG RUP6, 12.0.4 and 12.1
• Upgrade your desktop clients
• Use FNDCPASS to migrate following the note
• Back up & test carefully – migration is…non-reversible
24. Apps Schema Access
SOA Suite – Apps Adapter (PL/SQL execution)
Issues
• External applications for database oriented activities
• Schema password keeps changing
• Standards-based access
Current Solution
• Create a new schema and provide privileges
• Provide apps password to external system
25. Solution
Application Data Source
• Application Data Source implementation is J2EE/JDBC standards based
On the External Tier Application Server:
• Register the Application Data Source
• Register the node as a trusted node
• Create a new Application User
• Grant the (shipped) role to this user
• Register this new user in the Application Server
26. JAAS implementation for EBS
New Solution
• E-Biz light-weight LoginModule, compliant with JAAS specifications, works with JDK or J2EE environments.
• Implements JAAS Authentication using the AOL security system
• Implements JAAS Authorization using UMX roles
27. JAAS for EBS
(Diagram: ADF, Web-Services and EJB (WebLogic) leverage EBS Authentication and Authorization)
28. E-Business Suite / Oracle Access Manager Integration Architecture
• Build on secure foundation for existing integrations
• Focus on stability and scalability
• Improve ease of integration for new implementations
• Provide easy transition for Oracle Single Sign-On Server integrations
• “Future-proof” identity management stack
29. E-Business Suite / Oracle Access Manager Integration Architecture
EBS Access Gateway Application
• Moves authentication into an external service
• Fewer points of integration makes it easier to certify future releases
• Insulates E-Business Suite instance from user authentication configuration
• Single application works for E-Business Suite Release 11i and Release 12
• No release-specific or OAM-dependent code
• Availability planned for 2010
• Watch for announcements on the Oracle E-Business Suite Technology Blog (http://blogs.oracle.com/stevenChan/)
30. Architecture Overview
(Diagram: E-Business Suite instance configured to use Access Gateway; Access Gateway protected by OAM)
32. Oracle Audit Vault
• Applications are validated by default
• Database auditing is underneath the application
Application User Auditing
• Application can set the database “Client Identifier” to tie the application user to the application's shared account
Database Auditing can be used to monitor
• Base application tables and views
• Privileged user operations in the database (logins, user/table create)
33. Setting Client Identifier
Any application running on Oracle database can set the client identifier.
E-Business Suite (planned): a single line of initialization logic that needs to be added:
dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));
(Diagram: User A connects and the application sets client_info to User A; User B connects and the application resets client_info to User B; for each, the Oracle Database writes an Oracle Audit Record that carries the client_identifier)
34. Oracle Audit Vault – Application Integration
1. Turn on database auditing: set the database parameters audit_trail, audit_trail_dest, audit_sys_operations
2. Determine the application tables to audit: audit <table> by access;
3. Configure Audit Vault to collect the database audit trail
4. Set up alerts in Audit Vault
5. View reports
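The client-identifier line from slide 33 and the audit steps from slide 34, carried through end to end as an added example (not code from the presentation or from E-Business Suite). The schema HR_DEMO, the table HR_DEMO.EMPLOYEE_SSN, the application user names SYSADMIN and OPERATIONS and the adump path are constructed placeholders; the parameter, package and view names are Oracle's own. The initialization parameter that holds the OS audit file directory is spelled audit_file_dest in the Oracle documentation, and that spelling is used here. Outside EBS there is no fnd_global.username, so a literal stands in for it.

```sql
-- Added example, not from the presentation: tie application users to the
-- shared database account via CLIENT_IDENTIFIER and audit a table by access.
-- HR_DEMO.EMPLOYEE_SSN, SYSADMIN/OPERATIONS and the adump path are placeholders.

-- Step 1: turn on database auditing (as SYSDBA; SPFILE scope, so the
-- settings take effect at the next restart).
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;   -- EXTENDED keeps the SQL text
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;  -- SYSDBA actions go to OS files
ALTER SYSTEM SET audit_file_dest = '/placeholder/adump' SCOPE = SPFILE;

-- Step 2: audit the sensitive application table by access, plus the
-- privileged operations named on slide 32 (logins, user/table create).
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr_demo.employee_ssn BY ACCESS;
AUDIT CREATE SESSION, CREATE USER, CREATE TABLE BY ACCESS;

-- Application tier, connected as the shared account: stamp the session with
-- the end user before running any application SQL. EBS would pass
-- fnd_global.username here; a literal stands in for it outside EBS.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER(SUBSTRB('SYSADMIN', 1, 64));
END;
/
SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS app_user FROM dual;  -- SYSADMIN
SELECT ssn FROM hr_demo.employee_ssn WHERE employee_id = 100;

-- Pooled connections are reused: clear the identifier when the request ends
-- and set it again for the next end user, otherwise User B's statements are
-- attributed to User A in the trail.
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
  DBMS_SESSION.SET_IDENTIFIER('OPERATIONS');
END;
/
UPDATE hr_demo.employee_ssn SET ssn = '000-00-0000' WHERE employee_id = 100;

-- Step 3 (what Audit Vault collects): each record now carries both the
-- database user (the shared account) and the application user in CLIENT_ID.
SELECT username, client_id, action_name, obj_name, sql_text, timestamp
  FROM dba_audit_trail
 WHERE owner = 'HR_DEMO'
   AND obj_name = 'EMPLOYEE_SSN'
 ORDER BY timestamp;
```

The CLEAR_IDENTIFIER call is the part pooled deployments most often miss: a session that keeps the previous request's identifier produces an audit trail that looks complete but names the wrong person.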
38. Database Vault
DB Vault: Separation of Duties for DBA roles
Concerns
• Customizations to realms
• Patching with DB Vault on
• Generic accounts (APPS / SYSTEM) have access to sensitive data
39. Customizing DB Vault
• Default realm we ship with contains all Apps objects
• We now support realms that are subsets of this
• Need to ensure that all the procedures and patches in Support Notes are followed
• Any subsets will be treated as certified
• Any additions will be treated as customizations
• Detailed example of extending EBS realms in Support Notes
40. Patching DB Vault
• We now support patching the EBS Applications with DB Vault still on
• Instructions in Support notes
• Pre and post patching scripts to give SYSTEM additional privs
• Suggest auditing during patch window
• Ensure named users are used
• Can use proxy access for named users to reduce administration
• See Support Note on Using DB Vault in the E-Business Suite for suggestions on how to minimize use of generic accounts
41. Providing Separation of Duties with (or without) DB Vault
• Use named accounts
• Use proxying
• Don’t have DBAs doing normal activities in the APPS and SYSTEM accounts
Customizing Realms
• Reducing seeded realms not considered a customization
OS access
• Use named accounts
• Delegate common tasks through sudo or EM
• Remove write and read for non-owners (0500 or 0700)
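The "named accounts" and "proxying" points of slides 40 and 41, shown as an added example (not code from the presentation): a named DBA account that proxies into the generic APPS schema instead of sharing its password, with the proxied work audited under the real person's name. JSMITH and its password are constructed; APPS is the EBS schema named on the slides; the statements are standard Oracle proxy authentication and auditing syntax.

```sql
-- Added example, not from the presentation: named DBA accounts that proxy
-- into the generic APPS schema rather than sharing the APPS password.
-- JSMITH and "Placeholder-Pass-1" are constructed values.

-- A named, individually accountable account with only the right to log in.
CREATE USER jsmith IDENTIFIED BY "Placeholder-Pass-1";
GRANT CREATE SESSION TO jsmith;

-- Allow jsmith to open a session as APPS without knowing the APPS password.
-- The APPS password can now be rotated without touching any DBA account.
ALTER USER apps GRANT CONNECT THROUGH jsmith;

-- Record what the named person does while acting as APPS.
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE
  BY jsmith ON BEHALF OF apps;

-- SQL*Plus login for the proxied session: proxy[target]/proxy password.
-- CONNECT jsmith[apps]/"Placeholder-Pass-1"

-- Inside that session the database still knows who is really there.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,    -- JSMITH
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user   -- APPS
  FROM dual;

-- Review who may proxy into which schema ...
SELECT proxy, client FROM dba_proxies ORDER BY client, proxy;

-- ... and the trail of proxied work: PROXY_SESSIONID is set only for
-- sessions that came in through a proxy, which separates them from direct
-- logins with the shared password.
SELECT username, proxy_sessionid, action_name, obj_name, timestamp
  FROM dba_audit_trail
 WHERE username = 'APPS'
   AND proxy_sessionid IS NOT NULL
 ORDER BY timestamp;

-- When the person leaves the team, remove the delegation instead of
-- changing a shared password everyone else also knows.
ALTER USER apps REVOKE CONNECT THROUGH jsmith;
```

Direct APPS logins that remain in the trail after this is in place (records with a NULL PROXY_SESSIONID) are the generic-account use the slides recommend minimizing, and are a useful thing to alert on from Audit Vault.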
42. Support Notes on E-Business Suite with DB Vault
Guidance Document (New)
• 950018.1 Using Database Vault in the E-Business Suite
Implementation Instructions
• 428503.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 10.2.0.4
• 859399.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 11.1.0.7
• 566841.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.4
• 859397.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 11.1.0.7
43. Transparent Data Encryption (TDE) Certification
Protecting data at rest
Column-level TDE
• Certified for 10gR2 and 11g
• R11i and R12
Tablespace TDE
• Certified for 11g Database
• R11i and R12
(Diagram: at the SQL layer and in the buffer cache the value is readable, “SSN = 834-63-..”; on disk the data blocks, undo blocks, temp blocks, redo logs and flashback logs hold ciphertext, “*M$b@^s%&d7”)
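The two TDE forms the slide certifies, as an added example (not code from the presentation or from the EBS certification notes): column-level TDE on one sensitive column and tablespace TDE for a whole tablespace, followed by the dictionary queries that confirm what is protected. The schema HR_DEMO, the tables, the wallet and datafile paths and the wallet password are constructed placeholders; the statements are Oracle 11g syntax.

```sql
-- Added example, not from the presentation: column-level and tablespace TDE.
-- HR_DEMO tables, paths and "Placeholder-Wallet-Pass" are constructed values.

-- Prerequisite (sqlnet.ora on the database server, not SQL):
--   ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = FILE)
--     (METHOD_DATA = (DIRECTORY = /placeholder/wallet)))

-- Create the master key (first time only) and open the wallet. The wallet
-- must be open after every restart or encrypted data is unreadable.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Placeholder-Wallet-Pass";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Placeholder-Wallet-Pass";

-- Column-level TDE (10gR2/11g): encrypt only the sensitive column. NO SALT
-- is required if the column is indexed. Decryption happens in the SQL layer,
-- so the application sees the plaintext unchanged.
ALTER TABLE hr_demo.employee_ssn
  MODIFY (ssn ENCRYPT USING 'AES256' NO SALT);

-- Tablespace TDE (11g): every block written to the tablespace is encrypted
-- in the datafiles, and the undo/redo/temp copies of the rows that the
-- slide's diagram shows as ciphertext are covered too; the buffer cache
-- still holds plaintext, which is why the wallet is the key to protect.
CREATE TABLESPACE apps_secure_ts
  DATAFILE '/placeholder/oradata/apps_secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE hr_demo.employee_bank MOVE TABLESPACE apps_secure_ts;

-- Verify what is protected and with which algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT ts.name, et.encryptionalg, et.encryptedts
  FROM v$encrypted_tablespaces et
  JOIN v$tablespace ts ON ts.ts# = et.ts#;
```

The difference between the two forms is what the slide's diagram is getting at: column-level TDE leaves the surrounding row plaintext and needs care with indexes, whereas tablespace TDE protects everything placed in the tablespace without schema changes, so the second is usually the simpler fit for an application whose tables you do not modify.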
44. Oracle Label Security (OLS) / Virtual Private Database (VPD)
Additional Apps level protections?
• Yes, Apps uses it this way for MOAC
Protection at DB level?
• Involves protecting your context as well
• Need to work through performance issues
• Need to work through implications of limiting row visibility
• All VPD treated as customization
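What "protecting your context as well" means in practice, as an added example (not code from the presentation and not the MOAC implementation that E-Business Suite ships): a VPD policy that limits row visibility by operating unit, driven by an application context that only one trusted package may set, so a session cannot simply assert an org of its choosing. The schema HR_DEMO, the table HR_DEMO.SALES_ORDERS, the context, package and function names are constructed; DBMS_RLS, DBMS_SESSION, SYS_CONTEXT and DBA_POLICIES are Oracle's.

```sql
-- Added example, not from the presentation: VPD row restriction keyed on a
-- protected application context. HR_DEMO objects are constructed.

-- The context is bound to one package: only HR_DEMO.ORG_CTX_PKG may set its
-- attributes, so a session cannot forge an org id with DBMS_SESSION.SET_CONTEXT.
CREATE OR REPLACE CONTEXT org_ctx USING hr_demo.org_ctx_pkg;

CREATE OR REPLACE PACKAGE hr_demo.org_ctx_pkg AS
  PROCEDURE set_org(p_org_id IN NUMBER);
END org_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr_demo.org_ctx_pkg AS
  PROCEDURE set_org(p_org_id IN NUMBER) IS
  BEGIN
    -- A real implementation validates p_org_id against the user's
    -- assignments before trusting it; this placeholder accepts it as given.
    DBMS_SESSION.SET_CONTEXT('org_ctx', 'org_id', TO_CHAR(p_org_id));
  END set_org;
END org_ctx_pkg;
/

-- Policy function: returns the predicate the database appends to every
-- statement on the protected table. No context set => no rows (fail closed).
CREATE OR REPLACE FUNCTION hr_demo.org_predicate(
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'org_id = TO_NUMBER(NVL(SYS_CONTEXT(''org_ctx'', ''org_id''), ''-1''))';
END org_predicate;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR_DEMO',
    object_name     => 'SALES_ORDERS',
    policy_name     => 'ORG_ROWS',
    function_schema => 'HR_DEMO',
    policy_function => 'ORG_PREDICATE',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also blocks writes that would escape the org
END;
/

-- Session use: set the org through the trusted package, then query as usual.
BEGIN
  hr_demo.org_ctx_pkg.set_org(204);
END;
/
SELECT order_id, org_id, amount FROM hr_demo.sales_orders;  -- only org 204 rows

-- Policies in force on the table. From the EBS certification point of view
-- anything listed here that Oracle did not ship is a customization.
SELECT policy_name, function, sel, ins, upd, del, chk_option
  FROM dba_policies
 WHERE object_owner = 'HR_DEMO'
   AND object_name = 'SALES_ORDERS';
```

The performance point on the slide follows from the design: the predicate is evaluated on every statement against the table, so keep the policy function cheap and the predicate indexable, and test the plans of the application's heaviest queries before enabling it.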
45. 11gR2 certification
• 11.5.10.2 completed
• 12 still working
Advanced Security Option
• Advanced Network Encryption
• TDE and DB Vault not included in initial cert
• Certification will follow
46. Futures
• PCI – PA-DSS certification and whitepaper
• DB Vault – patching without generic accounts
• OS level protections
• PII – Sensitive data collection and realms
• Sensitive pages – Guest, Admin pages
• Exposure of core FND APIs to external developers
48. Oracle Software Security Assurance Sessions at Oracle OpenWorld
Related Sessions
• S309974: Securing Oracle E-Business Suite with Oracle Identity and Access Management, Tuesday October 13th, 17:30 - 18:30, Marriott Hotel Salon 3
• S311455: Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database, Tuesday October 13th, Moscone South Rm 306
• S311337: Secure Your Existing Application Transparently in 30 Minutes or Less, Wednesday October 14th, Moscone South Rm 103