The Weakest Link: Securing large, complex, global Oracle eBusiness Suite solutions
Radomir Vranesevic
Director and IT Architect, Oracle Certified Master, CISSP
Fusion Professionals

Agenda
- Introduction
- Approach
- Objectives
- Requirements
- Process
- Architecture / Design
- Implementation / Testing
- Monitoring / Update
- Summary

Introduction
- Oracle eBusiness Suite solution trends
  - Large
    - 10s of application modules
    - 10,000s of users, terabytes of data
  - Complex
    - Integrated with 10s of systems, including Portal, BI
    - Number of security and other compliance requirements
  - Global
    - Intranet, Internet
    - Employees, customers, partners
- A comprehensive approach to security is required to secure large, complex, global Oracle eBusiness Suite solutions

Introduction
- Information is one of the most important enterprise assets
- Managing information security in large, complex, global Oracle eBusiness Suite solutions is a huge task
- Security is a process, not a product
- Security requires the integration of people, process, and technology: your security will be as strong as your weakest link
- Security Management is Risk Management
- To increase security, risk needs to be modeled, quantified and minimized over time

Approach
- Start with Security Objectives / Policy
  - Definition of what it means to be secure
  - Follow Enterprise / International Standards (ISO 17799, etc.)
- Security Process
  - The method an organization uses to implement and achieve its security objectives
  - Define Stakeholders, Deliverables, Roles and Responsibilities
- Security Requirements
  - Start with Information Sensitivity Classification
  - Assign risk ratings, which will drive security requirements
- Security Architecture
  - Platform to mitigate risks while complying with requirements
  - Should be appropriate for the size and complexity of the organisation and sufficiently flexible

Approach - cont.
- Security Design
  - Design all elements of the security solution: technology and processes
  - Where the design cannot comply with the architecture/policy, review the risk
- Security Implementation / Testing
  - Verifiable implementation of the security design
  - Test to confirm and reassure compliance with requirements/policy
- Security Monitoring / Update
  - Implement operational procedures that will monitor and manage security, including regular audit processes
  - Review and update the security solution as new requirements, patches and modules are added to the solution

Security Objectives
- Define clear objectives: what it means to be secure
  - Availability
  - Integrity of Data or Systems
  - Confidentiality of Data or Systems
  - Accountability
  - Assurance
- Define Guidance, Resources, and Standards
  - Define the Regulations and Standards that the solution needs to comply with
    - Enterprise Security Architecture
    - Privacy Standards
    - ISO 17799, etc.
    - Enterprise Security Standards, Policies, Procedures
- Engage the enterprise security team on time
- Confirm the process and objectives at the start of every project

Security Process (sample)
[Diagram: security deliverables for an eBusiness Suite project, laid out against the project phases.]
- Phases: Definition, Analysis, Design, Build, Test, Transition
- Governance: Enterprise Security Architecture (ESA), Objectives and policies, Risk Management Process, Security Design Review, Security Test Review, Managed Services Security Procedures
- Security Requirements
- Infrastructure: Infrastructure Designs (Security Sections), Infrastructure Build, Infrastructure Test cases + results, Infrastructure Procedures
- LAN, WAN, Desktop: LAN, Desktop, Printing Designs (Security Sections); LAN, Desktop, Printing Build; LAN, Desktop, Printing Test cases + results; LAN, Desktop, Printing Procedures
- Application: Information Sensitivity Classification, Security Architecture, Application Security Design, Application Security Build, Application Security Test cases + results, Application Security Procedures
- Business: Business Impact Analysis, Business Impact Summary, Business Procedures
- Non-Prod: Non-Prod Requirements (Masking, Cloning, Admin); Non-Prod Design (Masking, Cloning, Admin); Non-Prod Build + Procedures (Masking, Cloning, Admin)

Security Requirements
- Start with Information Sensitivity Classification
  - Needs to be done by the business owner of the data
  - Sample security classification levels:
    - Sensitivity: Public, Internal Use, Confidential, Highly Restricted
    - Privacy: Privacy, No Privacy
    - Criticality: Non-essential, Routine, Important, Critical
  - Define the granularity of the classification
    - Classify Oracle eBusiness Suite data at the module level (HR, GL, AP, AR)
    - When required, classify data at a more granular level (Interface/Report/Table)
- Requirements are based on the Information Sensitivity Classification, and on security policies and objectives
  - Define the required level of security controls
    - Authentication (Highly Restricted data may require Strong Authentication)
    - Authorisation (who can access what, separation of duties, etc.)
    - Audit (Highly Restricted data may require levels of audit)
    - Data in Transit (HTTPS for users, 3DES for external interfaces)
    - Data at Rest (encryption of key data elements, e.g. credit cards)

Security Architecture Domains
- Common practice for securing an Oracle eBusiness Suite solution is to define 3 Security Domains (or infrastructure zones), separated by firewalls and other security controls
- Outer domain (DMZ): accessible from the outside, un-trusted world/internet
  - Accessible over the Internet; only expose the minimum required subset of the solution ("i" applications like iStore, iRecruitment)
  - Only a reverse proxy like Oracle Web Cache or Apache in this zone
- Intermediate domain: more protected domain
  - Accessed by external users via the outer domain, and by internal users via the intranet
  - Use a separate set of Oracle middle-tier servers (with full functionality) for the intranet, and a separate set of Oracle middle-tier servers for external users (with limited functionality)
- Inner domain: highest level of protection
  - No direct access to this zone except when absolutely necessary
  - Business data resides in this domain, in the eBusiness Suite, Portal, OID, integration hub, etc. databases

Security Architecture (sample)
[Diagram: network zones for an eBusiness Suite deployment. User types shown: Customer/Supplier (Invoice), External System, Employee (Remote), Non Employee, Finance User, HR User, Sys admin, Service Providers (Remote admin). Connections shown: HTTPS, FTP (3DES), FTP (CAST5), email (3DES), VPN, VPN / IPSec, IPP / HTTP and IPP / HTTPS printing, Desktop ADI (Oracle Net), over the Internet, WAN and Intranet. Zones as labelled, separated by firewalls (FW) and load balancers (LB): OUTER DOMAIN = Zone 1 (Mail Server, Public FTP, Reverse Proxy); OUTER DOMAIN = Zone 2 (IA MT: eBS, Portal, OID/SSO); INTERMEDIATE DOMAIN = Zone 3 (Intra MT: eBS, Portal, iHub, OID/SSO); INNER DOMAIN = Zone 4 (DB: eBS, Portal, iHub, OID/SSO; SAN; tape); Admin Zone.]

Security Architecture (sample)
[Diagram: data center zones for a multi-department deployment. Users shown: Department 1 to Department N (VPN or dedicated network, via the Intranet), Department User @Home, Public User, Supplier, Partners (Banks, etc.) via the Internet. Zones, separated by firewalls and load balancers: Internet Access (DMZ) Zone (Integration Public FTPS, reverse proxies for OCS, 11i Apps, Portal MT and SSO MT, Internet proxies); Middleware Zone (intranet mid-tiers and internet mid-tiers for eBusiness 11i App, Portal, OID/SSO, OCS and Integration iHub); Database Zone (eBus 11i, Portal, OID/SSO and OCS databases; Integration IM/Portal and iHub databases).]

Security Design - Authentication
- Use Oracle Internet Directory (OID) and Oracle Single Sign On (SSO) as the central authentication mechanisms
  - For all components of the solution: eBS, Portal, Discoverer, iHub, DB
  - Set appropriate password policies in OID
  - Restrict access to the eBusiness Suite Local Login, except for users of the few applications (Desktop/Web ADI) that do not integrate with SSO
- Integrate Oracle OID/SSO with Enterprise SSO solutions like Tivoli
  - Direct integration of eBusiness Suite with third party SSO solutions is not possible at this stage
- Strong Two-factor Authentication
  - Integrate Oracle SSO with products like RSA Token
  - Implement Strong Authentication for remote network access when the management of the system is outsourced
- Future Direction
  - Consider using Oracle Access Manager and Oracle Federation Manager for SAML based federated authentication

Security Design - Authorisation
- Implement fine grained authorisation in the eBusiness Suite
  - Design of application responsibilities is key to securing eBusiness Suite
  - Use the new Roles feature provided by the UMX module
  - Group responsibilities into higher level Business Roles
  - Use Oracle Virtual Private Database and/or Label Security if additional data security is required
- Use Oracle Internet Directory Authorisation where possible
  - Provision a subset of eBS responsibilities / roles to OID groups
  - Use OID groups to secure Portal and other applications that use OID/LDAP authorisation
- Internet Access
  - Implement additional access controls at the reverse proxy / external middle-tier level (strong authentication, restrict access to responsibilities, URL firewall, etc.) (Note: 287176.1)
- Future Direction
  - Consider using Oracle Data Vault for additional database access control

Security Design - Auditing
- Implement comprehensive auditing of all components
  - Oracle Application Server access_log auditing
  - Oracle OID/SSO Authentication Auditing
  - Oracle Database Auditing
    - Standard DB auditing for DBA level operations
    - Fine grained auditing for select operations on key tables
  - Oracle eBusiness Suite Application Auditing
    - Basic audit: standard applications WHO columns
    - Sign On Audit: records user activity (login, responsibilities and forms used, logout)
    - Table Audit: full table audit for changes to key tables
  - Operating System level auditing
  - Network level auditing
    - Firewall and VPN audit for remote users and administrators
- Review audit data regularly
- Future Direction
  - Consider using Oracle Audit Vault as a central Audit warehouse

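The two database-level items on the auditing slide can be set up as follows. This is an added example, not part of the original presentation; the schema XX_DEMO, table CUSTOMER_CARDS, column CARD_NUMBER and policy name are hypothetical, and the audit condition assumes application traffic through the APPS account is already covered by eBusiness Suite application auditing.

```sql
-- Added example; XX_DEMO.CUSTOMER_CARDS, CARD_NUMBER and the policy name are hypothetical.
-- Prerequisite for standard auditing: init parameter AUDIT_TRAIL=DB (requires restart).

-- 1. Standard DB auditing for DBA-level operations, one record per occurrence.
AUDIT USER BY ACCESS;            -- CREATE USER, ALTER USER, DROP USER
AUDIT SYSTEM GRANT BY ACCESS;    -- grants/revokes of system privileges and roles
AUDIT ALTER SYSTEM BY ACCESS;    -- instance-level changes

-- 2. Fine grained auditing: record every SELECT that touches the sensitive
--    column when the session is NOT the application account (assumption: such
--    direct access is the exception that reviewers want to see).
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'XX_DEMO',
    object_name     => 'CUSTOMER_CARDS',
    policy_name     => 'XX_CARD_SELECT_AUDIT',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''APPS''',
    audit_column    => 'CARD_NUMBER',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,  -- also capture SQL text
    enable          => TRUE);
END;
/

-- 3. Regular review: direct reads of the key table during the last 7 days.
SELECT timestamp, db_user, os_user, userhost, policy_name, sql_text
FROM   dba_fga_audit_trail
WHERE  object_schema = 'XX_DEMO'
AND    object_name   = 'CUSTOMER_CARDS'
AND    timestamp     > SYSDATE - 7
ORDER  BY timestamp DESC;
```

Because the FGA trail is stored in the same database it audits, the review query is most useful when run or exported by someone other than the DBAs whose activity it records.
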
Security Design - Data in transit
- Encrypt data in transit when it is traversing un-trusted networks
- Use network protocol level encryption instead of application level encryption where possible
  - Use HTTPS for web users of eBusiness Suite, Portal, Discoverer, etc.
    - Consider using an SSL accelerator like F5 BigIP to reduce load on servers
  - Use SFTP for secure transfer of files between systems
  - Use Oracle Net encryption between client and Oracle Database
    - If the middle tier and database are in the same trusted zone, encryption may not be required
  - Use a Secure email Gateway for encryption of email
- Use application level encryption tools like PGP or DBMS_CRYPTO when network level encryption is not possible

Security Design - Data at rest
- Database Encryption
  - Column level encryption in Oracle Database 10.2
- Backup Encryption
  - Encrypt backup data on tape
- Data at Desktops/Laptops
  - Highly restricted data in spreadsheets, reports and interfaces that is saved on desktops/laptops should be encrypted using desktop encryption tools like PGP Desktop
- Data masking
  - Use tools like DataMasker to mask Non-production data
  - The new release of Oracle Enterprise Manager supports data masking
- Future Direction
  - Tablespace level encryption in Oracle Database 11.1

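Column level encryption in Oracle Database 10.2 (Transparent Data Encryption) for a key data element such as a credit card number looks like this. This is an added example, not part of the original presentation; the schema, table and column names and the wallet password are placeholders, and it assumes ENCRYPTION_WALLET_LOCATION is already set in sqlnet.ora.

```sql
-- Added example; XX_DEMO.CUSTOMER_CARDS / CARD_NUMBER and the wallet password
-- are placeholders. Assumes ENCRYPTION_WALLET_LOCATION is set in sqlnet.ora
-- and the wallet directory exists.

-- 1. Create the master encryption key (creates and opens the wallet). Run once.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password-placeholder>";

-- 2. After each instance restart the wallet must be opened again before
--    encrypted columns can be read or written.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet-password-placeholder>";

-- 3. Encrypt the key data element in place.
--    NO SALT is needed only if the column is indexed; for unindexed columns
--    the default (salted) form is the stronger choice.
ALTER TABLE xx_demo.customer_cards
  MODIFY (card_number ENCRYPT USING 'AES256' NO SALT);

-- 4. Verify which columns are encrypted, with which algorithm, and whether salted.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner = 'XX_DEMO'
ORDER  BY table_name, column_name;
```

This protects data files and backups that leave the database; any session with SELECT privilege on the table still sees cleartext, so it complements rather than replaces the authorisation and auditing controls.
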
Securing Database
- Follow the Oracle Database Security Checklist
  - http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
- Follow www.petefinnigan.com
  - Comprehensive source of Oracle Database Security information
- Restrict direct access to the database
  - Use firewalls and the Oracle Net valid node checking feature
  - Restrict access to the APPS account, create separate accounts for read only access, define database access procedures
  - Define clear database access procedures for Remote DBAs when the management of the system is outsourced
- Future Direction
  - Consider using Oracle Data Vault for additional database access control, and Enterprise User Security or Strong Authentication for database users

Securing Application Server
- Follow the Oracle Application Security Guide - Security Best Practices
  - Turn off all the components, demos, etc. that are not required
- OID/SSO
  - Establish process and procedures for provisioning and management of users in OID
- Portal
  - Use Portal security to limit access to content / applications
- Discoverer
  - Implement SSO between Oracle SSO, Discoverer and eBusiness Suite
- Future Direction
  - Consider using Oracle Access Manager and Web Services Manager for securing SOA based applications/integration

Securing eBusiness Suite
- Follow Oracle eBusiness Suite security best practice
  - Best Practices For Securing Oracle E-Business Suite 11i (189367.1) & R12 (403537.1)
  - DMZ Configuration with Oracle E-Business Suite 11i (287176.1) & R12 (380490.1)
  - E-Business Suite Recommended Set Up for Client/Server Products (277535.1)
- Limit the number of Shared Application Accounts
- Apply the same security controls in Non-Production as in Production
  - Define clear Non-Production operational procedures
- Define and implement Separation of Duty rules
- Future Direction
  - R12 Multi Org Access Control (MOAC) has the potential to greatly simplify security setup in large global Multi Org eBusiness Suite solutions

Security Implementation / Testing
- Security Implementation
  - Must be repeatable and verifiable
  - When the solution cannot be implemented as per the design, raise the risk and review the design
- Security Testing
  - Must confirm that the security implementation is compliant with the security requirements
  - Use test plans and results as a basis for the future audit

Security Monitoring / Update
- Security Monitoring
  - Develop a set of procedures for monitoring and managing security in production, including incident management
  - Perform regular reviews of security risks and review audit reports regularly
- Security Update
  - Regularly apply Critical Patch Update (CPU) patches
  - Review and implement new security recommendations as they become available
  - For each new requirement, like the implementation of a new module or an eBusiness Suite upgrade, follow the same security approach / process

Summary
- Information is one of the most important enterprise assets
  - Information in Oracle eBusiness Suite is a key enterprise asset; protecting this information is the key security objective
- Security is a process, not a product
  - Security will be as strong as your weakest link; secure all components of the solution: people, process, and technology
- Security Management is Risk Management
  - Be aware of risk and manage it

Radomir Vranesevic
Director and IT Architect, Oracle Certified Master, CISSP
Mobile: +61 (0)401 481 815
radomir@fusionprofessionals.com
www.fusionprofessionals.com
PO BOX 290, Crows Nest NSW 1585, Australia
(02) 85690272