OOW 2009 EBS Security R12


Page 1: OOW 2009 EBS Security R12
Page 2: OOW 2009 EBS Security R12

Critical Data Protection and Security in Oracle E-Business Suite

Eric Bing – Senior Director, Applications Product Security

Robert Armstrong – Senior Manager, Applications Product Security

Page 3: OOW 2009 EBS Security R12

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4: OOW 2009 EBS Security R12


Agenda

• Business Drivers

• Security Challenges

• Security Inside Out

• End-to-End Security

• E-Business Suite (EBS) Secure Configuration

• Secure Your Environment

• Externalizing EBS Security

• Spreading out from the Apps tier

• EBS Integrations

• Leveraging Oracle Technology

• Q & A

Page 5: OOW 2009 EBS Security R12

Security Challenges

Page 6: OOW 2009 EBS Security R12

Security for Web based Loan Origination

[Diagram: loan origination process flow. start -> Get Rating (Credit Rating) -> Send Loan Application / Receive Loan Offer to both United Loan and Star Loan -> Select Lowest Offer -> end, with a Handle Negative Credit Exception branch.]

Page 7: OOW 2009 EBS Security R12

Security Vulnerabilities

[Diagram: the same loan origination flow, annotated with the four weak points below; the loan application message carries the applicant's SSN as plain XML, e.g. <SSN>011-22-4488</SSN>.]

1. Anyone who can access the server can initiate loan applications

2. SSN sent in clear text

3. Response must go through the firewall

4. How can I be sure no other sensitive data is unprotected?

Page 8: OOW 2009 EBS Security R12

Comprehensive Security Results

[Diagram: the same loan origination flow, annotated with the four controls below.]

1. Security Policy: Role-based access control

2. Securing Privacy: Auto-encryption of PII in XML message

3. Management: Service virtualization in DMZ

4. Audit & Compliance: System-wide services monitoring

Page 9: OOW 2009 EBS Security R12


More Regulations Than Ever…

FISMA
Sarbanes-Oxley
Breach Disclosure
PCI
HIPAA
GLBA
PIPEDA
Basel II
EU Data Directives
Euro SOX
J-SOX
K-SOX
SAS 70
AUS/PRO
UK/PRO
COBIT
ISO 17799

90% of companies behind in compliance

Source: IT Policy Compliance Group, 2007.

Page 10: OOW 2009 EBS Security R12

Comprehensive

Security

Page 11: OOW 2009 EBS Security R12

Comprehensive Identity & Access Management

Store & Virtualize Identities

Provision Identities & Roles

Manage Access to Systems

Manage Entitlements

Federate Identities


Page 12: OOW 2009 EBS Security R12

Comprehensive Controls Enforcement

Consolidate Compliance Activities

Proactively Manage Risk

Automate Internal Controls

Page 13: OOW 2009 EBS Security R12

Comprehensive Data Protection

When Data Is In Motion

When Data Is At Rest

When Data Is Cloned

When Data Is Administered

When Applications Are Targeted

Page 14: OOW 2009 EBS Security R12


Oracle Security Inside Out

[Diagram: three layers, Applications over Content over Databases, on a common Infrastructure, each paired with its security product area.]

Identity Management (Infrastructure)

• User Provisioning
• Role Management
• Entitlements Management
• Risk-Based Access Control
• Virtual Directories

Information Rights Management (Content)

• Track and Audit Document Usage
• Control and Revoke Document Access
• Secured Inside or Outside Firewall
• Centralized Policy Administration

Database Security (Information / Databases)

• Encryption and Masking
• Privileged User Controls
• Multi-Factor Authorization
• Activity Monitoring and Audit
• Secure Configuration

Page 15: OOW 2009 EBS Security R12

Database Defense-in-Depth

Monitoring

• Configuration Management
• Oracle Audit Vault
• Total Recall

Access Control

• Oracle Database Vault
• Label Security

Encryption & Masking

• Advanced Security
• Secure Backup
• Data Masking

Page 16: OOW 2009 EBS Security R12

E-Business Suite Secure Configuration

Page 17: OOW 2009 EBS Security R12

Secure Configuration

11i – Support note 189367.1

R12 - Support note 403537.1

CPUs

Apply them!

Evaluating an 11i Cumulative CPU

Resolve dependencies and superseded patches

Based on and tested against 11.5.10CU2

Page 18: OOW 2009 EBS Security R12

Default Passwords

Ensure that you’ve changed all default passwords:

DB accounts

Support Note 361482.1

Patch 4926128

Apps users

- Check script is part of Apr CPU - fnddefpw.sql

- 11i: Patch 7831891

Page 19: OOW 2009 EBS Security R12

Security Profiles

Oracle strongly recommends the following settings for

Security Profiles:

FND: Diagnostics -> NO

Restrict Text Input -> Yes

FND Validation Level -> ERROR

FND Function Validation Level -> ERROR

Framework Validation Level -> ERROR

See Oracle Support note 946372.1 - Secure Configuration of E-Business Suite Profiles. It contains information on what these do and what to test when turning these on.

FND Validation Level is the only one of these which is off by default in 11i.

Page 20: OOW 2009 EBS Security R12

FND Validation Level

Products must be at the 11.5.10CU2 level or above to

use FND Validation Level.

Benefit: Provides defense in depth against parameter

and URL tampering

May prevent direct access (via a bookmark or URL) to pages that are not considered "launch pages" or "bookmarkable pages"

Customized integration points which navigate into the E-Business Suite should be tested.

Prerecorded scripts (Winrunner) may need special treatment…

Page 21: OOW 2009 EBS Security R12

Fixed Key Profiles

With FND Validation Level on, the URI and parameters are unique for each session

If you need to run prerecorded scripts – you can set these at the user level

Oracle recommends that the Fixed Key profiles not be used in production environments

Set both:

FND: Fixed Key Enabled - Y

FND: Fixed Key - Hexadecimal string of size 64

Page 22: OOW 2009 EBS Security R12

Password Hashing

Non-Reversible Password Hashing

Support Note 457166.1

Stores local Applications user passwords as non-reversible

hashes

Available as of 11i ATG RUP6, 12.0.4 and 12.1

Upgrade your desktop clients

Use FNDCPASS to migrate following the note

Backup & Test carefully – migration is…non-reversible

Page 23: OOW 2009 EBS Security R12

Externalizing

EBS Security

Page 24: OOW 2009 EBS Security R12

Apps Schema Access

Issues

External applications for database oriented activities

Schema password keeps changing

Standards based access

Current Solution

Create a new schema and provide privileges

Provide apps password to external system

SOA Suite Apps Adapter

(PL/SQL execution)

Page 25: OOW 2009 EBS Security R12

Solution: Application Data Source

Application Data Source Implementation

J2EE/JDBC standards based

On the External Tier Application Server

Register the Application Data Source

Register the Node as trusted Node

Create a new Application User

Grant Role (shipped) to this User

Register this new User in the Application Server

Page 26: OOW 2009 EBS Security R12

JAAS implementation for EBS

New Solution

E-Biz light-weight LoginModule, compliant with JAAS

specifications, works with JDK or J2EE environments.

Implement JAAS Authentication using AOL security

System

Implement JAAS Authorization using UMX roles.

Page 27: OOW 2009 EBS Security R12

JAAS for EBS

[Diagram: ADF, Web Services and EJB applications (WebLogic) leverage EBS Authentication and Authorization.]

Page 28: OOW 2009 EBS Security R12

E-Business Suite / Oracle Access Manager

Integration Architecture

Build on secure foundation for existing integrations

Focus on stability and scalability

Improve ease of integration for new implementations

Provide easy transition for Oracle Single Sign-On

Server integrations

“Future-proof” identity management stack

Page 29: OOW 2009 EBS Security R12

E-Business Suite / Oracle Access Manager

Integration Architecture

EBS Access Gateway Application

Moves authentication into an external service

Fewer points of integration make it easier to certify future releases

Insulates E-Business Suite instance from user authentication

configuration

Single application works for E-Business Suite

Release 11i and Release 12

No release-specific or OAM-dependent code

Availability planned for 2010

Watch for announcements on Oracle E-Business Suite

Technology Blog (http://blogs.oracle.com/stevenChan/)

Page 30: OOW 2009 EBS Security R12

Architecture Overview

[Diagram: an E-Business Suite instance configured to use the Access Gateway; the Access Gateway is protected by OAM.]

Page 31: OOW 2009 EBS Security R12

E-Business Suite Integrations

Page 32: OOW 2009 EBS Security R12

Oracle Audit Vault

Applications are validated by Default

Database auditing is underneath the Application

Application User Auditing

Application can set the database “Client Identifier” to tie application

user with application shared account

Database Auditing can be used to monitor

Audit base application tables and views

Privileged user operations in the database (logins, user/table

create)

Page 33: OOW 2009 EBS Security R12

Setting Client Identifier

[Diagram: User A and User B connect through the Oracle Application Server to the Oracle Database; the application sets client_info to User A, then resets it to User B, and each audit record carries the client_identifier.]

Any application running on Oracle database can set the client identifier

E-Business Suite (planned)

Single line of initialization logic that needs to be added:

dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));

Page 34: OOW 2009 EBS Security R12

Oracle Audit Vault Application Integration

1. Turn on database auditing

Set the database parameters audit_trail, audit_trail_dest,

audit_sys_operations

2. Determine the application tables to audit

audit <table> by access;

3. Configure Audit Vault to collect the database audit

trail

4. Set up alerts in Audit Vault

5. View Reports
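As an added example (not from the slides), here is what steps 1 and 2 and the client-identifier initialization from the previous slide look like in SQL, followed by a review query and a detection query that separates application-user activity from direct use of the shared APPS account. It assumes an Oracle 10gR2/11g database, HR.PER_ALL_PEOPLE_F as the example sensitive table, and the EBS FND_GLOBAL package being available in the session.

```sql
-- Step 1: turn on database auditing (SPFILE change; takes effect after restart).
-- SYS-operation audit files go to the directory named by AUDIT_FILE_DEST.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- Session initialization from the "Setting Client Identifier" slide:
-- tag the shared APPS connection with the E-Business Suite user name so that
-- every audit record written for this session carries it in CLIENT_ID.
BEGIN
  dbms_session.set_identifier(substrb(fnd_global.username, 1, 64));
END;
/

-- Step 2: audit access to an application table holding PII.
-- HR.PER_ALL_PEOPLE_F is only the example table here; use your own list.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.per_all_people_f BY ACCESS;

-- Review: which application user touched the table, through which DB account.
SELECT timestamp, username, client_id, action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'HR'
   AND obj_name = 'PER_ALL_PEOPLE_F'
 ORDER BY timestamp DESC;

-- Detection: APPS activity with no client identifier never passed through the
-- application's session initialization, i.e. the generic account was used
-- directly (the "generic accounts" concern raised on the Database Vault slides).
SELECT timestamp, os_username, userhost, terminal, action_name, obj_name
  FROM dba_audit_trail
 WHERE username = 'APPS'
   AND client_id IS NULL
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp DESC;
```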

Pages 35-37: OOW 2009 EBS Security R12

Oracle Audit Vault Application Integration

Page 38: OOW 2009 EBS Security R12

Database Vault

DB Vault

Separation of Duties for DBA roles

Concerns

Customizations to realms

Patching with DB Vault on

Generic accounts (APPS / SYSTEM) have access to

sensitive data

Page 39: OOW 2009 EBS Security R12

Customizing DB Vault

Default realm we ship with contains all Apps objects

We now support realms that are subsets of this

Need to ensure that all the procedures and patches in

Support Notes are followed

Any subsets will be treated as certified

Any additions will be treated as customizations

Detailed example of extending EBS realms in Support

Notes

Page 40: OOW 2009 EBS Security R12

Patching DB Vault

We now support patching the EBS Applications with

DB Vault still on

Instructions in Support notes

Pre and post patching scripts to give SYSTEM additional

privs

Suggest auditing during patch window

Ensure named users are used

Can use proxy access for named users to reduce

administration

See Support Note on Using DB Vault in the E-Business Suite

for suggestions on how to minimize use of generic accounts

Page 41: OOW 2009 EBS Security R12

Providing Separation of Duties with (or without) DB

Vault

Use named accounts

Use proxying

Don’t have DBAs doing normal activities in the APPS and

SYSTEM accounts

Customizing Realms

Reducing seeded realms not considered a customization

OS access

Use named accounts

Delegate common tasks through sudo or EM

Remove write and read for non-owners (0500 or 0700)
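Proxy access for named users, as recommended above, as an added SQL example that is not from the slides: a named DBA connects through the generic APPS schema, so the APPS password is never handed out and the session stays attributable to a person. JDOE, the password and the TNS alias are placeholders.

```sql
-- Create a named account for the DBA; it needs no object privileges of its own.
CREATE USER jdoe IDENTIFIED BY "<strong-password-placeholder>";
GRANT CREATE SESSION TO jdoe;

-- Let JDOE connect through APPS. The proxied session runs with APPS
-- privileges, but the APPS password never has to be shared with JDOE.
ALTER USER apps GRANT CONNECT THROUGH jdoe;

-- Audit what JDOE does while proxied as APPS (proxy-specific AUDIT clause),
-- so the patch-window activity the slides suggest auditing is on record.
AUDIT SELECT TABLE, UPDATE TABLE, DELETE TABLE, EXECUTE PROCEDURE
  BY jdoe ON BEHALF OF apps;

-- From SQL*Plus the DBA connects as:  CONNECT jdoe[apps]/<password>@<tns-alias>
-- Inside that session both identities are visible: the effective schema is
-- APPS, the person behind it is JDOE.
SELECT sys_context('USERENV', 'SESSION_USER') AS effective_user,  -- APPS
       sys_context('USERENV', 'PROXY_USER')   AS named_user       -- JDOE
  FROM dual;

-- When the DBA leaves, drop the grant instead of rotating the APPS password.
ALTER USER apps REVOKE CONNECT THROUGH jdoe;
```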

Page 42: OOW 2009 EBS Security R12

Support Notes on E-Business Suite with DB Vault

Guidance Document (New)

• 950018.1 Using Database Vault in the E-Business Suite

Implementation Instructions

• 428503.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 10.2.0.4

• 859399.1 Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 11.1.0.7

• 566841.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.4

• 859397.1 Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 11.1.0.7

Page 43: OOW 2009 EBS Security R12

Transparent Data Encryption (TDE) Certification

Protecting data at rest

Column-level TDE

Certified for 10GR2 and 11G

R11i and R12

Tablespace TDE

Certified for 11G Database

R11i and R12

[Diagram: the SQL layer and buffer cache see cleartext (“SSN = 834-63-..”), while data blocks, undo blocks, temp blocks, flashback logs and redo logs on disk hold ciphertext (“*M$b@^s%&d7”).]

Page 44: OOW 2009 EBS Security R12

Oracle Label Security (OLS) / Virtual Private Database (VPD)

Additional Apps level protections?

Yes, Apps uses it this way for MOAC

Protection at DB level?

Involves protecting your context as well

Need to work through performance issues

Need to work through implications of limiting row

visibility

All VPD treated as customization

Page 45: OOW 2009 EBS Security R12

11gR2 certification

11.5.10.2 completed

12 still in progress

Advanced Security Option

Advanced Network Encryption

TDE and DB Vault not included in initial certification

Certification will follow

Page 46: OOW 2009 EBS Security R12

Futures

PCI - PA-DSS certification and whitepaper

DB Vault – patching without generic accounts

OS level protections

PII - Sensitive data collection and realms

Sensitive pages - Guest, Admin pages

Exposure of core FND APIs to external developers

Page 47: OOW 2009 EBS Security R12


Q & A

Page 48: OOW 2009 EBS Security R12

Oracle Software Security Assurance Sessions at Oracle OpenWorld

Related Sessions

• S309974: Securing Oracle E-Business Suite with Oracle Identity and Access Management, Tuesday October 13th, 17:30 - 18:30, Marriott Hotel Salon 3

• S311455: Tips/Tricks for Auditing PeopleSoft and Oracle E-Business Suite Applications from the Database, Tuesday October 13th, Moscone South Rm 306

• S311337: Secure Your Existing Application Transparently in 30 Minutes or Less, Wednesday October 14th, Moscone South Rm 103

Page 49: OOW 2009 EBS Security R12