Securing Oracle E-Business Suite in the Cloud

Similar documents
Oracle E-Business Suite APPS, SYSADMIN, and oracle Securing Generic Privileged Accounts. Stephen Kost Chief Technology Officer Integrigy Corporation

Guide to Auditing and Logging in the Oracle E-Business Suite

Developing Value from Oracle s Audit Vault For Auditors and IT Security Professionals

All Things Oracle Database Encryption

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

Oracle Database Security Myths

<Insert Picture Here> Oracle Database Vault

Obtaining Value from Your Database Activity Monitoring (DAM) Solution

New Oracle 12c Security Features Oracle E-Business Suite Perspective

PCI Compliance in Oracle E-Business Suite

How to Audit the Top Ten E-Business Suite Security Risks

Encrypting Sensitive Data in Oracle E-Business Suite

Security Implications of Oracle Product Desupport April 23, 2015

New Security Features in Oracle E-Business Suite 12.2

PCI Compliance in Oracle E-Business Suite

Virtualization Impact on Compliance and Audit

White Paper How Noah Mobile uses Microsoft Azure Core Services

mission critical applications mission critical security Internal Auditor Primer: Oracle E-Business Suite Security Risks Primer

Top Ten Fraud Risks in the Oracle E Business Suite

Oracle Database Security Solutions

Detecting and Stopping Cyber Attacks Against Oracle Databases June 25, 2015

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Cloud Security and Managing Use Risks

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

<Insert Picture Here> Oracle Database Security Overview

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite

WHITE PAPER. Guide to Auditing and Logging in the Oracle E-Business Suite

Adatbázis hibrid felhő - egyszerűbb, mint gondolná

MySQL Security: Best Practices

Oracle Database 11g: Security Release 2. Course Topics. Introduction to Database Security. Choosing Security Solutions

An Oracle White Paper June Oracle Database 11g: Cost-Effective Solutions for Security and Compliance

Keeping up with the World of Cloud Computing: What Should Internal Audit be Thinking About?

Copyright 2013, Oracle and/or its affiliates. All rights reserved.

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Oracle Database 11g: Security. What you will learn:

Trust but Verify: Best Practices for Monitoring Privileged Users

HIPAA and HITECH Compliance Simplification. Sol Cates

The Elephant in the Room: What s the Buzz Around Cloud Computing?

Cloud Data Security. Sol Cates

Oracle Audit in a Nutshell - Database Audit but how?

D50323GC20 Oracle Database 11g: Security Release 2

Pharma CloudAdoption. and Qualification Trends

Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider

CSN38:Tracking Privileged User Access within an ArcSight Logger and SIEM Environment Philip Lieberman, President and CEO

AppSentry Application and Database Security Auditing

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

NYOUG Spring 2015 Its Only Auditing - Don t Be Afraid

Secret Server Qualys Integration Guide

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Oracle Database 11g: Security Release 2

Enforcive / Enterprise Security

Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking. Lucy Feng

Running Oracle Applications on AWS

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

Oracle Database 11g: Security

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

Intel Enhanced Data Security Assessment Form

Securing Data in Oracle Database 12c

Cloud Services Overview

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Managing Cloud Computing Risk

Security Overview Enterprise-Class Secure Mobile File Sharing

Production in the Cloud

An Oracle White Paper August Oracle Database Auditing: Performance Guidelines

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Vormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

CloudCheck Compliance Certification Program

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

Securely Outsourcing to the Cloud: Five Key Questions to Ask

Security Whitepaper. NetTec NSI Philosophy. Best Practices

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Cloud Computing An Auditor s Perspective

Anypoint Platform Cloud Security and Compliance. Whitepaper

Time to Value: Successful Cloud Software Implementation

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

Auditing Data Access Without Bringing Your Database To Its Knees

Commercial Software Licensing

Making Database Security an IT Security Priority

Auditing Cloud Computing and Outsourced Operations

Enterprise Governance and Planning

A COALFIRE PERSPECTIVE. Moving to the Cloud. NCHELP Spring Convention Panel May 2012

ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

Real-Time Database Protection and. Overview IBM Corporation

WHITE PAPER. Guide to Auditing and Logging Oracle Databases

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Ayla Networks, Inc. SOC 3 SysTrust 2015

BMC s Security Strategy for ITSM in the SaaS Environment

Managing Oracle E-Business Suite Security

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Transcription:

Securing Oracle E-Business Suite in the Cloud November 18, 2015 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation

Agenda The Cloud Trust-but-Verify Q&A 1 2 3 4 5 Cloud Security Challenges Encryption

About Integrigy ERP Applications Oracle E-Business Suite Databases Oracle and Microsoft SQL Server Products Services AppSentry ERP Application and Database Security Auditing Tool AppDefend Enterprise Application Firewall for the Oracle E-Business Suite Validates Security Protects Oracle EBS Verify Security Ensure Compliance Build Security Security Assessments ERP, Database, Sensitive Data, Pen Testing Compliance Assistance SOX, PCI, HIPAA Security Design Services Auditing, Encryption, DMZ You

Agenda The Cloud Trust-but-Verify Q&A 1 2 3 4 5 Cloud Security Challenges Encryption

What is the Cloud? Clouds are not new - Infrastructure as a Service (IAAS) and Platform as a Service (PAAS) have been around for decades - Used to be called Hosting or Out-Sourcing - Software as a Service (SAAS) is what is new What are the differences? - Number of lawyers and length of contract - Division of responsibilities

Clouds Defined As Pizza

Oracle E-Business Suite in the Cloud Platform as a Service (PAAS) - Fully integrated 3rd party service offering Hosting, DBA, and application support Infrastructure as a Service (IAAS) - Hybrid or multivendor solution Data center (hosting) DBA & Application support managed services Network

Agenda The Cloud Trust-but-Verify Q&A 1 2 3 4 5 Cloud Security Challenges Encryption

Does the Cloud Change Security? No

Data Ownership Using the Cloud does not fundamentally change ownership of data - You own your data - You are responsible for your data Legal and compliance mandates flow out and down to your vendor(s) - Onward transfer is your responsibility Cloud extends only what should already be in place to protect YOUR data - Effective security & trust-but-verify

Cloud Requires Redrawing Responsibility Lines Customers own the application, data, and configurations Cloud provider supplies infrastructure and managed services Responsibilities will vary among providers and customers Provider Technical Management Customer Data, Configuration, & Policy Ownership Oracle E-Business Suite Oracle Database Its not this simple

Operational Processes Sample Division of Responsibilities Provider Oracle E-Business Suite Technical Components Shared Customer Oracle E-Business Suite Database Application Server Operating System Network User Management 1. Account Security Segregation of Duties Database Security Network and Web OS Security Network 2. Data Security Data Management and Privacy Database Access and Privileges Web Access File Permissions Encryption 3. Auditing Application Auditing Database Auditing Web Logging OS Auditing Network Auditing 4. Monitoring and Troubleshooting Application Database Web and Forms Operating System Network 5. Change Management Object Migrations Application Configuration Change Control Database Configuration Change Control Change Control Change Control 6. Patching Application Patches Database Patches Application Server Patches OS Patches Firmware Patches 7. Development Application Database Web Web Services and SOA Shell and File Transfer Testing

How to Secure E-Business in the Cloud? Redraw lines of responsibility - Differs PAAS vs. IAAS Must Trust-but-Verify 3rd parties and associated lines of responsibilities - Requires new skills and support services: IT & E-Business Support Procurement/Vendor management Legal & compliance

Agenda The Cloud Trust-but-Verify Q&A 1 2 3 4 5 Cloud Security Challenges Encryption

Clouds Create More Insiders Insiders include - DBAs - Application Administrators - System Administrators - Developers - Contractors - Vendors Number of insiders can range greatly - Cloud providers usually have a very large number of insiders

Insider Threats Cannot Be Avoided Need to guard against insider threat - Prevent unauthorized access and breaches - Ensure policies and procedures are adhered to - Eliminate poor or risky behaviors How do you trust insiders? - Trust but verify

Oracle EBS Generic Privileged Accounts Oracle E-Business Suite SYSADMIN seeded application accounts Oracle Database Operating System (Unix and Linux) APPS, APPLSYS SYS, SYSTEM Oracle EBS schemas (GL, AP,...) root oracle, applmgr

Oracle E-Business Suite Trust Perimeter Passwords define the Trust Perimeter DB & Operating System 300+ accounts Generic accounts Staff accounts Oracle E-Business Suite System Admin Generic accounts 40+ default accounts Passwords Create Insiders Environments Production Test Development Teams Developers Contractors Support & QA

Oracle E-Business Suite Cloud Perimeter IAAS extends perimeter, PAAS even more 24x7 SLAs will greatly extend trust perimeter Data Center Location Floor/section Cage access Administrators DBAs O/S Admins Sysadmin Your Staff Infrastructure Storage Network Hypervisor Backup Offshore Office(s) 1:10 on-shore Contractors of the contractors

Generic Privileged Account Inter-Dependency database APPS can obtain SYSADMIN password execute SQL as SYS execute SQL as APPS application SYSADMIN database SYS connect as SYSDBA operating system oracle/ applmgr execute OS commands as oracle

How to Verify Trust of Service Providers Service providers introduce large numbers of insiders - Large cloud vendors can have 1,000s Use Service Organization Control (SOC) Reports - Third party audit and attestation - Standard set by American Institute of CPAs - Much more effective than contractual or SLA reports

Four Key Facts about SOC Reports Replacement for SAS70 Report - SSAE 16 SOC Report Is a historical report - Type I reports on a specific day - Type II reports on a historical period SOC 1 Report Vendor management s discretion on what to include - Vendor reports differ widely SOC 2 Report Whether or not AICPA dictated Trust Principles are being followed - Security, Availability, Integrity, Confidentiality and Privacy

Verify Trust of Service Providers Use service providers who regularly produce SOC reports - Management commitment - Request SOC reports annually Use providers whose SOC report works for you - Read carefully and don t assume anything - Clearly meets your compliance and regulatory requirements - Aligns with your audit and fiscal periods

Verify Trust of Service Providers Verifying your service provider s supply chain - Are they outsourcing key services? Writing verification into contract with provider - Production of SOC report (e.g., annually) - Notification, if not approval, of changes to controls Ask for a SOC 2 instead of SOC 1 report - Review with vendor plans for SOC 2 reporting

Compliance Challenges Oracle E-Business Suite by default does not meet most compliance standards - HIPAA, SOX, PCI Some customers need to meet more than one standard Hosting can complicate reporting - Majority of requirements owned by client - Many shared responsibilities

Trust-But-Verify Best Practices Require adherence to PCI standard (credit card security) even if not a processing cards - Well documented and consistent set of standards Consider independent security assessments - In-house technical and security expertise? Request audit trails and logs for insider operating system and/or database activity - Require Syslog feeds to on premise logging solution

Net Privileged Native Fine Oracle Database Auditing 5 Fine Grained Auditing DBMS_FGA.add_policy FGA_LOG$ table AUDIT_FILE_DEST dir AUDIT_TRAIL DB AUD$ table 4 3 Standard Auditing SYS Auditing AUDIT_SYSLOG_LEVEL AUDIT_SYS_OPERATIONS OS/XML AUDIT_FILE_DEST dir Syslog On-Premise SIEM For Trust Verification (e.g., Splunk) 2 DB Alert Log BG_DUMP_DEST dir 1 Listener LOGGING_name = ON TNS_ADMIN/log dir Type of auditing and logging Audit and logging parameters Location of audit data

Trust-But-Verify Risks to Oracle E-Business Suite in the Cloud - How do guard against authorized changes and access - How to identify poor or risky behaviors - How to meet compliance requirements (SOX, HIPAA, PCI) Use policy of Trust-but-Verify - Implement log and audit framework - Build security monitoring, alerting and audit programs using log and audit framework - Regular assessments (e.g. Integrigy to professionally verify) Integrigy Framework for Oracle E-Business Suite logging and auditing - Whitepaper: http://www.integrigy.com/securityresources/guide-auditing-oracle-applications

Agenda The Cloud Trust-but-Verify Q&A 1 2 3 4 5 Cloud Security Challenges Encryption

Oracle E-Business Suite Encryption In-Motion - Use SSL At-Rest - Use File system (TDE) encryption - Don t forget about backups, VM images, etc. In-Use - No protection (APPS)

Does Encryption Make Clouds Safer? What does Encryption provide? - Confidentiality and Integrity - Not at cost of Availability Does encryption protect sensitive data? - Sort of - coarse-grained file access control only - Little to no protection against abuse by privileged users - Access to Oracle wallets controls everything Key management determines success - You and only you can should control the keys - Recommend use of Hardware Security Module

Hardware Security Modules (HSM) HSMs are physical devices - Secure storage for encryption keys - Secure computational space (memory) for encryption and decryption Oracle TDE fully certified to use HSMs - More secure alternative to the Oracle wallet - Several third party vendors Vormetric Using HSMs for E-Business in the Cloud - Must be fully in your control, you own your data - No protection for APPs password

Agenda The Cloud Trust-but-Verify Q&A 1 2 3 4 5 Cloud Security Challenges Encryption

Contact Information Stephen Kost Chief Technology Officer Integrigy Corporation web: www.integrigy.com e-mail: info@integrigy.com blog: integrigy.com/oracle-security-blog youtube: youtube.com/integrigy

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information