Critical Data Protection and Security in Oracle E-Business Suite
Eric Bing – Senior Director, Applications Product Security
Robert Armstrong – Senior Manager, Applications Product Security
The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
Agenda
• Business Drivers
• Security Challenges
• Security Inside Out
• End-to-End Security
• E-Business Suite (EBS) Secure Configuration
• Secure Your Environment
• Externalizing EBS Security
• Spreading out from the Apps tier
• EBS Integrations
• Leveraging Oracle Technology
• Q & A
Security Challenges
Security for Web based Loan Origination
[Diagram: loan-origination process. start -> Get Rating (Credit Rating) -> Send Loan Application / Receive Loan Offer to both United Loan and Star Loan -> Select Lowest Offer -> end; a Handle Negative Credit Exception branch leaves the credit-rating step.]
Security Vulnerabilities
[Same loan-origination diagram, annotated. The loan application message carries the applicant's SSN in the clear: <SSN>011-22-4488</SSN>]
1. Anyone who can access the server can initiate loan applications
2. SSN sent in clear text
3. Response must go through the firewall
4. How can I be sure no other sensitive data is unprotected?
Comprehensive Security Results
[Same loan-origination diagram, annotated with the controls applied.]
1. Security Policy: Role-based access control
2. Securing Privacy: Auto-Encryption of PII in XML message
3. Management: Service virtualization in DMZ
4. Audit & Compliance: System-wide services monitoring
More Regulations Than Ever…
FISMA
Sarbanes-Oxley
Breach Disclosure
PCI
HIPAA
GLBA
PIPEDA
Basel II
EU Data Directives
Euro SOX
J SOX
K SOX
SAS 70
AUS/PRO
UK/PRO
COBIT
ISO 17799
90% of companies behind in compliance
Source: IT Policy Compliance Group, 2007.
Comprehensive Security
1. Comprehensive Identity & Access Management
Store & Virtualize Identities
Provision Identities & Roles
Manage Access to Systems
Manage Entitlements
Federate Identities
2. Comprehensive Controls Enforcement
Consolidate Compliance Activities
Proactively Manage Risk
Automate Internal Controls
3. Comprehensive Data Protection
When Data Is In Motion
When Data Is At Rest
When Data Is Cloned
When Data Is Administered
When Applications Are Targeted
Oracle Security Inside Out
[Diagram: layers Infrastructure, Databases, Applications, Content and Information, with three product groups laid over them.]
Identity Management
• User Provisioning
• Role Management
• Entitlements Management
• Risk-Based Access Control
• Virtual Directories
Database Security
• Encryption and Masking
• Privileged User Controls
• Multi-Factor Authorization
• Activity Monitoring and Audit
• Secure Configuration
Information Rights Management
• Track and Audit Document Usage
• Control and Revoke Document Access
• Secured Inside or Outside Firewall
• Centralized Policy Administration
Database Defense-in-Depth
Monitoring
• Configuration Management
• Oracle Audit Vault
• Total Recall
Access Control
• Oracle Database Vault
• Label Security
Encryption & Masking
• Advanced Security
• Secure Backup
• Data Masking
E-Business Suite Secure Configuration
Secure Configuration
11i – Support note 189367.1
R12 - Support note 403537.1
CPUs
Apply them!
Evaluating an 11i Cumulative CPU: resolve dependencies and superseded patches
Based on, and tested against, 11.5.10CU2
Default Passwords
Ensure that you’ve changed all default passwords:
DB accounts
Support Note 361482.1
Patch 4926128
Apps users
- Check script is part of Apr CPU - fnddefpw.sql
- 11i: Patch 7831891
Security Profiles
Oracle strongly recommends the following settings for
Security Profiles:
FND: Diagnostics -> NO
Restrict Text Input -> Yes
FND Validation Level -> ERROR
FND Function Validation Level ->ERROR
Framework Validation Level -> ERROR
See Oracle Support note 946372.1 - Secure Configuration of E-Business Suite Profiles
It contains information on what these profiles do and what to test when turning them on.
FND Validation Level is the only one of these which is off by default in 11i.
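A site-level check for the five profiles listed above, added here as an example; it is not part of the presentation or of Oracle's shipped scripts. It assumes the standard AOL tables FND_PROFILE_OPTIONS, FND_PROFILE_OPTIONS_TL and FND_PROFILE_OPTION_VALUES, that level_id 10001 is the Site level, and that Yes/No profiles store 'Y'/'N' while the validation-level profiles store 'ERROR'; verify those stored values against note 946372.1 before relying on the REVIEW flag.

```sql
-- Added example (not from the presentation or from Oracle): compare the
-- site-level value of each security profile with the recommended setting.
-- Assumes standard AOL tables; run as APPS. Level 10001 = Site.
WITH recommended AS (
  SELECT 'FND: Diagnostics'              AS user_profile_option_name, 'N'     AS wanted FROM dual UNION ALL
  SELECT 'Restrict Text Input',                                        'Y'              FROM dual UNION ALL
  SELECT 'FND Validation Level',                                       'ERROR'          FROM dual UNION ALL
  SELECT 'FND Function Validation Level',                              'ERROR'          FROM dual UNION ALL
  SELECT 'Framework Validation Level',                                 'ERROR'          FROM dual
)
SELECT r.user_profile_option_name,
       po.profile_option_name                       AS internal_name,
       pov.profile_option_value                     AS site_value,
       r.wanted                                     AS recommended_value,
       CASE
         WHEN pov.profile_option_value IS NULL      THEN 'NOT SET (default applies)'
         WHEN pov.profile_option_value = r.wanted   THEN 'OK'
         ELSE                                            'REVIEW'
       END                                          AS status
FROM   recommended r
       -- user-visible name -> internal name (US translation row)
       LEFT JOIN fnd_profile_options_tl pot
              ON pot.user_profile_option_name = r.user_profile_option_name
             AND pot.language = 'US'
       LEFT JOIN fnd_profile_options po
              ON po.profile_option_name = pot.profile_option_name
       -- site-level value only; user/responsibility overrides are deliberately
       -- not considered here, because a lower-level override of a security
       -- profile is itself something to review
       LEFT JOIN fnd_profile_option_values pov
              ON pov.profile_option_id = po.profile_option_id
             AND pov.level_id = 10001
ORDER  BY r.user_profile_option_name;
```

A second pass over the same join with `pov.level_id IN (10002, 10003, 10004)` (application, responsibility, user) would list where the site setting has been overridden, which matters for the Fixed Key profiles discussed further on.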
FND Validation Level
Products must be at the 11.5.10CU2 level or above to use FND Validation Level.
Benefit: provides defense in depth against parameter and URL tampering.
May prevent direct access (via a bookmark or URL) to pages that are not considered "launch pages" or "bookmarkable pages".
Customized integration points which navigate into the E-Business Suite should be tested.
Prerecorded scripts (WinRunner) may need special treatment…
Fixed Key Profiles
With FND Validation Level on, the URI and parameters are unique for each session
If you need to run prerecorded scripts – you can set these at the user level
Oracle recommends that the Fixed Key profiles not be used in production environments
Set both:
FND: Fixed Key Enabled - Y
FND: Fixed Key - Hexadecimal string of size 64
Password Hashing
Non-Reversible Password Hashing
Support Note 457166.1
Stores local Applications user passwords as non-reversible
hashes
Available as of 11i ATG RUP6, 12.0.4 and 12.1
Upgrade your desktop clients
Use FNDCPASS to migrate following the note
Backup & Test carefully – migration is…non-reversible
Externalizing EBS Security
Apps Schema Access
Issues
External applications for database oriented activities
Schema password keeps changing
Standard based access
Current Solution
Create a new schema and provide privileges
Provide apps password to external system
SOA Suite Apps Adapter
(PL/SQL execution)
Solution: Application Data Source
Application Data Source Implementation
J2EE/JDBC standards based
On the External Tier Application Server
Register the Application Data Source
Register the Node as trusted Node
Create a new Application User
Grant Role (shipped) to this User
Register this new User in the Application Server
JAAS implementation for EBS
New Solution
E-Biz light-weight LoginModule, compliant with JAAS
specifications, works with JDK or J2EE environments.
Implement JAAS Authentication using AOL security
System
Implement JAAS Authorization using UMX roles.
JAAS for EBS
[Diagram: ADF, Web Services and EJB (WebLogic) applications leverage EBS authentication and authorization through the LoginModule.]
E-Business Suite / Oracle Access Manager
Integration Architecture
Build on secure foundation for existing integrations
Focus on stability and scalability
Improve ease of integration for new implementations
Provide easy transition for Oracle Single Sign-On
Server integrations
“Future-proof” identity management stack
E-Business Suite / Oracle Access Manager
Integration Architecture
EBS Access Gateway Application
Moves authentication into an external service
Fewer points of integration make it easier to certify future releases
Insulates E-Business Suite instance from user authentication
configuration
Single application works for E-Business Suite
Release 11i and Release 12
No release-specific or OAM-dependent code
Availability planned for 2010
Watch for announcements on Oracle E-Business Suite
Technology Blog (http://blogs.oracle.com/stevenChan/)
Architecture Overview
[Diagram: the E-Business Suite instance is configured to use the Access Gateway; the Access Gateway is protected by OAM.]
E-Business Suite Integrations
Oracle Audit Vault
Applications are validated by Default
Database auditing is underneath the Application
Application User Auditing
Application can set the database “Client Identifier” to tie application
user with application shared account
Database Auditing can be used to monitor
Audit base application tables and views
Privileged user operations in the database (logins, user/table
create)
Setting Client Identifier
[Diagram: User A and User B connect through the Oracle Application Server to the Oracle Database. The application sets client_info to User A, then resets client_info to User B; each audit record uses the client_identifier.]
Any application running on Oracle database can set the client identifier
E-Business Suite (planned)
Single line of initialization logic that needs to be added:
dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));
Oracle Audit Vault Application Integration
1. Turn on database auditing
Set the database parameters audit_trail, audit_trail_dest,
audit_sys_operations
2. Determine the application tables to audit
audit <table> by access;
3. Configure Audit Vault to collect the database audit
trail
4. Setup alerts in Audit Vault
5. View Reports
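The client-identifier slide and the five integration steps above, carried through end to end as an added example; this is not the presentation's own script and not Oracle's. It assumes a placeholder table APPS.HR_SENSITIVE_EXAMPLE (substitute the tables you chose in step 2), that the DBA running it holds AUDIT SYSTEM / ALTER SYSTEM, and that the audit trail is kept in the database (the slide's "audit_trail_dest" is shown here as AUDIT_FILE_DEST, which only matters for the OS and XML trails and for SYS operations).

```sql
-- Added example (not from the presentation or from Oracle): tie database
-- audit records to the EBS user behind the shared APPS connection.
-- APPS.HR_SENSITIVE_EXAMPLE and the adump path are placeholders.

-- Step 1: turn on database auditing (SPFILE parameters need a restart).
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;      -- records + SQL text in SYS.AUD$
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;     -- SYSDBA/SYSOPER actions, written to audit_file_dest
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/EBSDB/adump' SCOPE = SPFILE;

-- Step 2: audit the sensitive application table, one record per statement.
AUDIT SELECT, INSERT, UPDATE, DELETE ON apps.hr_sensitive_example BY ACCESS;

-- Step 3 (application side): tag the session with the application user.
-- EBS (planned) runs the single line from the slide after FND_GLOBAL is set up:
--   dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));
-- For this stand-alone demo the user name is a constructed value.
BEGIN
  dbms_session.set_identifier('JSMITH');
END;
/
SELECT sys_context('USERENV', 'CLIENT_IDENTIFIER') AS ebs_user FROM dual;   -- JSMITH

-- Any statement issued now is audited with CLIENT_ID = JSMITH, e.g.
SELECT COUNT(*) FROM apps.hr_sensitive_example;

-- Steps 4 and 5: the query an Audit Vault alert or report is built on.
-- Rows with no client identifier are direct schema access that bypassed the
-- application; that is the condition worth alerting on.
SELECT a.extended_timestamp,
       a.username                                              AS db_account,
       NVL(a.client_id, '<none: direct DB access>')            AS ebs_user,
       a.os_username,
       a.userhost,
       a.action_name,
       a.sql_text
FROM   dba_audit_trail a
WHERE  a.owner    = 'APPS'
AND    a.obj_name = 'HR_SENSITIVE_EXAMPLE'
ORDER  BY a.extended_timestamp DESC;
```

Because the identifier is set by the application and not verified by the database, treat CLIENT_ID as attribution rather than authentication; the combination of DB_ACCOUNT, OS_USERNAME and USERHOST in the same record is what lets a reviewer notice a session that claims an EBS user from an unexpected host.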
Database Vault
Separation of Duties for DBA roles
Concerns
Customizations to realms
Patching with DB Vault on
Generic accounts (APPS / SYSTEM) have access to
sensitive data
Customizing DB Vault
Default realm we ship with contains all Apps objects
We now support realms that are subsets of this
Need to ensure that all the procedures and patches in
Support Notes are followed
Any subsets will be treated as certified
Any additions will be treated as customizations
Detailed example of extending EBS realms in Support
Notes
Patching DB Vault
We now support patching the EBS Applications with
DB Vault still on
Instructions in Support notes
Pre and post patching scripts to give SYSTEM additional
privs
Suggest auditing during patch window
Ensure named users are used
Can use proxy access for named users to reduce
administration
See Support Note on Using DB Vault in the E-Business Suite
for suggestions on how to minimize use of generic accounts
Providing Separation of Duties with (or without) DB
Vault
Use named accounts
Use proxying
Don’t have DBAs doing normal activities in the APPS and
SYSTEM accounts
Customizing Realms
Reducing seeded realms not considered a customization
OS access
Use named accounts
Delegate common tasks through sudo or EM
Remove write and read for non-owners (0500 or 0700)
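The "use named accounts" and "use proxying" points above, shown as an added example (not from the presentation, and not a substitute for the procedure in note 950018.1): a named DBA account that reaches APPS through proxy authentication, so the APPS password is never handed out and the audit trail still names the person. The account name and password are placeholders; the realm, role and rule design that DB Vault adds on top is left to the Support Note.

```sql
-- Added example (not from the presentation or from Oracle): named account +
-- proxy authentication into APPS. DBA_JSMITH and the password are placeholders.

-- 1. A personal account with nothing but the right to log in.
CREATE USER dba_jsmith IDENTIFIED BY "<strong-password-here>";
GRANT CREATE SESSION TO dba_jsmith;

-- 2. Let that account connect *through* to APPS. The APPS password is not
--    needed by the person, so it can be rotated without telling anyone.
ALTER USER apps GRANT CONNECT THROUGH dba_jsmith;

-- 3. Audit every proxied session into APPS, and keep the grant list reviewable.
AUDIT SESSION BY dba_jsmith ON BEHALF OF apps;
SELECT proxy, client FROM dba_proxies WHERE client = 'APPS';   -- expect one row per named DBA

-- 4. The DBA logs in as  dba_jsmith[apps]/<password>  (SQL*Plus syntax).
--    Inside that session the database knows both identities:
SELECT sys_context('USERENV', 'PROXY_USER')     AS proxy_user,      -- DBA_JSMITH
       sys_context('USERENV', 'SESSION_USER')   AS session_user,    -- APPS
       sys_context('USERENV', 'CURRENT_SCHEMA') AS current_schema   -- APPS
FROM   dual;

-- 5. Offboarding is one statement and leaves APPS itself untouched.
ALTER USER apps REVOKE CONNECT THROUGH dba_jsmith;
```

With a proxy grant in place, a direct login to APPS from a DBA workstation becomes an anomaly rather than routine, which is what makes the "suggest auditing during patch window" advice above actionable: the pre/post patching scripts run under SYSTEM, and anything else seen under APPS or SYSTEM in that window should trace back to a proxy user.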
Support Notes on E-Business Suite with DB Vault
• 950018.1 Using Database Vault in the E-Business Suite Guidance Document (New)
Implementation Instructions
• 428503.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 10.2.0.4
• 859399.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 11.1.0.7
• 566841.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.4
• 859397.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 11.1.0.7
Transparent Data Encryption (TDE) Certification
Protecting data at rest
Column-level TDE
Certified for 10GR2 and 11G
R11i and R12
Tablespace TDE
Certified for 11G Database
R11i and R12
[Diagram: at the SQL layer and in the buffer cache the data is in clear text ("SSN = 834-63-.."); on disk it is encrypted ("*M$b@^s%&d7") in data blocks, undo blocks, temp blocks, flashback logs and redo logs.]
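Column-level and tablespace TDE side by side, with the checks that show what is actually encrypted, as an added example that is not part of the presentation or of Oracle's EBS documentation. It uses the 10gR2/11g wallet syntax, assumes the wallet location is already set in sqlnet.ora, and uses a placeholder table APPS.HR_SENSITIVE_EXAMPLE with a NATIONAL_IDENTIFIER column plus placeholder paths and passwords.

```sql
-- Added example (not from the presentation or from Oracle). Placeholders:
-- wallet password, datafile path, APPS.HR_SENSITIVE_EXAMPLE.NATIONAL_IDENTIFIER.

-- 0. Master key and wallet (first run creates both; later runs only open it).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password>";
-- after an instance restart:
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet-password>";
SELECT wrl_type, status FROM v$encryption_wallet;            -- expect OPEN

-- 1. Column-level TDE (certified 10gR2 and 11g, 11i and R12):
--    only the PII column is encrypted; the rest of the row stays clear.
--    SALT (the default) blocks indexing of the column; use NO SALT if the
--    column is indexed. Columns used in foreign keys cannot be encrypted
--    this way, which is one reason to prefer tablespace TDE where certified.
ALTER TABLE apps.hr_sensitive_example
  MODIFY (national_identifier ENCRYPT USING 'AES256');

-- 2. Tablespace TDE (certified on 11g): everything written to the tablespace,
--    including undo/temp/redo copies of its blocks, is encrypted on disk.
CREATE TABLESPACE apps_ts_secure
  DATAFILE '/u01/oradata/EBSDB/apps_ts_secure01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE apps.hr_sensitive_example MOVE TABLESPACE apps_ts_secure;
-- indexes on a moved table must be rebuilt afterwards.

-- 3. Verify: which columns and which tablespaces are encrypted right now.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner = 'APPS';

SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$encrypted_tablespaces e
       JOIN v$tablespace t ON t.ts# = e.ts#;
```

Neither form protects the data once it is in the buffer cache or returned to an authorized session, which is exactly the diagram's point: TDE answers the lost-disk and stolen-backup case, while who may read the rows remains a matter of access control (Database Vault, OLS/VPD and the application's own security).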
Oracle Label Security (OLS) / Virtual Private Database (VPD)
Additional Apps level protections?
Yes, Apps uses it this way for MOAC
Protection at DB level?
Involves protecting your context as well
Need to work through performance issues
Need to work through implications of limiting row
visibility
All VPD treated as customization
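To make "protecting your context as well" concrete, an added example that is not from the presentation and, per the slide, would count as a customization if applied to an EBS table: a VPD policy whose predicate reads an application context that can only be set through one trusted package, so a session cannot simply assign itself a different org. The context, package, function, policy and the placeholder table APPS.HR_SENSITIVE_EXAMPLE (with an ORG_ID column) are all assumed names.

```sql
-- Added example (not from the presentation or from Oracle). All names are
-- placeholders. Demonstrates a VPD policy bound to a trusted-package context.

-- 1. A context that only HR_DEMO_CTX_PKG is allowed to write.
--    dbms_session.set_context called from anywhere else raises ORA-01031.
CREATE OR REPLACE CONTEXT hr_demo_ctx USING apps.hr_demo_ctx_pkg;

CREATE OR REPLACE PACKAGE apps.hr_demo_ctx_pkg AS
  PROCEDURE set_org(p_org_id IN NUMBER);
END hr_demo_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY apps.hr_demo_ctx_pkg AS
  PROCEDURE set_org(p_org_id IN NUMBER) IS
  BEGIN
    -- In a real deployment the org would be derived from the authenticated
    -- user (e.g. from the session or from the client identifier), not taken
    -- from a caller-supplied parameter; the parameter keeps this demo short.
    dbms_session.set_context('hr_demo_ctx', 'org_id', TO_CHAR(p_org_id));
  END set_org;
END hr_demo_ctx_pkg;
/

-- 2. The policy function: returns the predicate appended to every statement.
--    If the context was never set, sys_context() is NULL and the predicate
--    matches no rows: fail closed, not fail open.
CREATE OR REPLACE FUNCTION apps.hr_demo_org_predicate
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'org_id = sys_context(''hr_demo_ctx'', ''org_id'')';
END hr_demo_org_predicate;
/

-- 3. Attach it to the table for reads and writes; update_check stops a
--    session from inserting or updating a row it would not be able to see.
BEGIN
  dbms_rls.add_policy(
    object_schema   => 'APPS',
    object_name     => 'HR_SENSITIVE_EXAMPLE',
    policy_name     => 'HR_DEMO_ORG_POLICY',
    function_schema => 'APPS',
    policy_function => 'HR_DEMO_ORG_PREDICATE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- 4. Exercise it in a session.
EXEC apps.hr_demo_ctx_pkg.set_org(204);
SELECT COUNT(*) FROM apps.hr_sensitive_example;   -- only org 204 rows are counted
```

The "implications of limiting row visibility" the slide warns about show up immediately: any batch job, interface or report that never calls the trusted package sees zero rows rather than an error, which is why such a policy has to be exercised against every integration path, and why the slide treats it as a customization to be tested rather than a switch to be flipped.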
11gR2 certification
11.5.10.2 completed
Release 12 still in progress
Advanced Security Option
Advanced Network Encryption
TDE and DB Vault not included in initial certification
Certification will follow
Futures
PCI - PA-DSS certification and whitepaper
DB Vault – patching without generic accounts
OS level protections
PII - Sensitive data collection and realms
Sensitive pages - Guest, Admin pages
Exposure of core FND APIs to external developers
Q & A
Related Sessions
Oracle Software Security Assurance Sessions at Oracle OpenWorld
• S309974: Securing Oracle E-Business Suite with Oracle Identity and Access Management, Tuesday October 13th, 17:30 - 18:30, Marriott Hotel Salon 3
• S311455: Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database, Tuesday October 13th, Moscone South Rm 306
• S311337: Secure Your Existing Application Transparently in 30 Minutes or Less, Wednesday October 14th, Moscone South Rm 103