JD Edwards Security Best Practices

Transcription

1

2 JD Edwards Security Best Practices Manish Somani Director, Software Engineering Oracle JD Edwards Marcelo Tamassia Founding Partner EmeraldCube Solutions October 01, 2014

3 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle.

4 Program Agenda Why do I care about Security? Oracle Software Security Assurance Security in EnterpriseOne: Built-in, Not Bolt-On!! Oracle Security Products OAM Case Studies

5 Security : Is it a choice? In 2004, it was discovered that crackers gained almost complete access to Nortel's systems. Thought to have originated in 2000, for nearly ten years they accessed documents including s, technical papers, research, development reports, and business plans. "I have no doubt that extensive cyber attacks contributed to our downfall and bankruptcy in Brian Shields, the former senior systems security adviser at Nortel

6 Multi-Dimensional Aspects Of Security IP theft and economic espionage Financial fraud and organized crime Sophisticated hackers Opportunistic insiders Today s threats What s at stake Intellectual property Customer, employee, citizen, corporate data Financial loss Reputational loss Fines & penalties Internal and external audits Supply chain security Changing regulatory landscape Data and systems consolidation Changing environments (mobile devices, cloud, etc.) Other challenges

7 Oracle Software Security Assurance

8 Oracle Software Security Assurance (OSSA) Encompasses all the continuously improving processes, procedures, and technologies Implemented by Oracle to ensure that Oracle s products are meeting our customers security requirements, while providing for the most cost-effective ownership experience.

9 Oracle Software Security Assurance Maintaining the security posture of ALL Oracle customers is one of the greatest priorities of Oracle Applies to ALL Oracle software products throughout their lifecycle, and constantly evolving to adapt to new technologies, threats, and product use cases Oracle security programs affect the entire product lifecycle

10 Secure Development Standards Coding guidelines Secure coding principles Examples of what not to do Requirements to use previously vetted security code Minimum secure design requirements Mandatory training for all employees

11 Product Definition Security requirements are expressed as early as design phase Security requirements Include requirements from Secure Coding Standards Product-specific requirements Established security criteria must be satisfied and reviewed at each step of process

12 Product Development Ongoing reviews to validate compliance with: Secure Coding Standards Additional design reviews for security Extensive use of scanning and testing tools to provide ongoing feedback to development team in regards to quality of produced code

13 Ongoing Assurance Security testing takes place throughout useful life of the product Pre-release security scanning and testing Post-release security activities: Ethical hacking Updated secure configuration recommendations are available online

14 Security in JD Edwards EnterpriseOne Built-in, Not Bolt-On!!

15 JD Edwards EnterpriseOne Security Deployment Server Windows Client Data across Data Data in trust at flight rest boundaries Business Services Server JAS/HTML Server Enterprise Server BI Publisher Server (OVR) Database Server Transaction Server

16 Secure Data in Flight Support HTTPS between Web Browser and HTML Server between E1 HTML Server and BI Server for One View Reports Support SSL between HTML Server and Enterprise Server Support SSL between Deployment Server and Enterprise Server

17 Secure Data at Rest Password in all configuration files Jas.ini, jdbj.ini, jde.ini and jdeinterop.ini Configured via server manager User passwords in Security Tables are encrypted using One-way Hash Application Business Table Data are encrypted using TripleDes

18 Secure Data Across Trust Boundary Secured File Upload Allowed only for a white list Validate File content Secured Download Security Prevents in line opening of file Prevent Click Jacking and HTML frame injection Prevent Cross Site Scripting and java script injection

19 Security Testing for EnterpriseOne Static Code Analysis HP Fortify tools is integrated in the build process to scan for security issues Dynamic Test Analysis HP Web Inspect is part of test cycle to scan for security issues for HTML client Fuzz Testing JDENET testing XML Parser Testing

20 Security Guide update for EnterpriseOne Update security guide as per OSSA standard Integrate Security Best practice into security admin guide Integrate database public shutdown paper for all supported databases.

21 Oracle Security Products

22 Oracle Security OIM products Oracle Internet Directory (OID) LDAP directory server that stores its data in an Oracle database Oracle Access Manager (OAM) provides SSO, authentication, authorization, centralized policy administration. Oracle Identity Manager(OIM) provides provisioning, reconciliation, self-service, and integration with heterogeneous identity systems through connectors

23 Marcelo Tamassia Founding EmeraldCube Solutions Why Prism? 18 years of tech industry experience 13 years of EnterpriseOne consulting in South and North America Planned, designed, executed, and managed over 90 E1 implementations and upgrades worldwide

24 EmeraldCube Solutions Focus: JDE Technology, Business Intelligence & IoT JDE & OBI focused Managed Services team On Demand and Managed Services plans Unmatched proactive, monitoring, and alerting tools Experts in BI solutions for JDE On premises and cloud-based options Choice of BI tools and platforms Subscription and traditional software acquisition models EmeraldSensor for JDEdwards EnterpriseOne IoT platform for JDE customers Complete solution - sensors, gateway & analytics

25 Customer Case - I

26 Laser Technology Denver-based industry leader in the design and manufacturing of innovative laser-based speed and distance measurement instruments including laser rangefinders, speed guns & sensors JDE Footprint Release 9.1 Tools Users Financials/Manufacturing/Distribution Red Stack

27 Laser Technology: Needs IT & Auditors Inconsistent password policies between JDE and AD High number of password related helpdesk calls Convoluted on-boarding process for new employees/ids Users Too many passwords to remember

28 Laser Technology: Solution Oracle Access Manager LDAP/AD Identity Store Form Authentication End-user experience User types JDE URL User gets prompted by OAM login page User types their network/ad credentials User is inside JDE

29 Laser Technology: Benefits Consistent password policy Significant reduction of helpdesk calls Streamlined user on-boarding Users no longer need to remember their JDE password

30 Customer Case - II

31 Silgan Containers Largest provider of metal food packaging in the United States, Silgan Containers is trusted by America s most respected brands JDE Footprint Release 9.0 Tools Users Financials/Manufacturing/Distribution iseries / Windows

32 Silgan: Needs IT & Auditors Inconsistent password policies between JDE, OBIEE, and AD High number of password related helpdesk calls Convoluted on-boarding process for new employees/ids BI using long names and JDE using short names JDE usernames did not match AD usernames (10 character limitation) Users Too many usernames to remember Too many passwords to remember

33 Silgan: Solution Active Directory Custom field for E1 short username (work around JDE 10 characters limitation) Oracle Access Manager LDAP/AD User Identity Store Two application domains setup on OAM (JDE and OBIEE) User Mappings / responses Kerberos / Windows Native Authentication

34 Silgan: Solution End-user experience User types JDE URL and user is automatically on JDE User types BI URL and user is automatically on OBIEE No more password changes inside JDE / BI

35 Silgan: Benefits No more passwords / usernames to memorize. Happy users! True Single-Sign On Consistent password policy across JDE, BI, and AD Significant reduction of helpdesk calls

36 Lessons Learned

37 OAM Lessons Learned OAM single point of failure (cluster) Separate production and development OAM servers? Short/Long username options Native Authentication Browser settings VPN / External Users Fallback authentication Use multiple domain controllers on the setup Triple check your response mappings JDE Security guide

38 Contact

39 The Right Tool for the Task Strengthen Your JD Edwards EnterpriseOne JD Edwards Professionals My Oracle Support Communities JD Edwards The Right Tool for the Task Doc ID will help you find out! TheOracleJDEdwards LearnJDE.com JD Edwards Newsletters EnterpriseOne World