Copyright © 2011, Oracle and/or its affiliates. All rights reserved.


E-Business Suite Data Protection
Robert Armstrong, Eric Bing


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda
• Security Challenges
• Auditing in E-Business Suite
• Transparent Tablespace Encryption
• Data Masking
• Separation of Duties
  – Patching via OAM Patch Manager
  – Patching and administering mid-tier services
  – Sensitive pages
  – Database Vault


Applications Run Our World

98%


Cloud Computing Environments

• Data, data everywhere
• The information being created, collected, and stored is valuable to everyday operations
• Business data represents a type of currency within the marketplace.
• Like all currency, data must be protected.
• Need to track sensitive data


More Challenges Than Ever Before…
• More data, doubling yearly
• More breaches, average $6.6 million+ per breach
• More threats, coming from every part of the business
• More regulations: federal, state, local, industry
• Equates to more costs…
  • User Management Costs
  • User Productivity Costs
  • Compliance & Remediation Costs
  • Security Breach Remediation Costs

It Adds Up $


Solutions Map (diagram)

Tiers shown: Web Client, Application Server, Database, with Business Process, Approvals, Policy Store and Auditing alongside.

Controls shown on the map:
• Access Control Matrix
• Secure Socket Layer
• Oracle Network Encryption
• Data Masking on clone DB
• Encrypted using Transparent Data Encryption to protect data at rest
• Column level security using VPD
• Configure DB Vault to protect against DBA access
• Authorize access from the application interface using FND Grants


Program Agenda

• Security Challenges
  – What are we protecting against?
• Auditing in Oracle E-Business Suite
• Separation of Duties / Least Privilege
  – Sensitive Admin Pages
  – Database Vault
• Other Technologies
  – Data Masking in Oracle E-Business Suite
  – Transparent Data Encryption


Why Audit?
• It's all about protecting sensitive data, maintaining customer trust, and protecting the business
• Trust-but-verify that your employees are only performing operations required by the business
• Detective controls to monitor what is really going on
• Discourage curiosity seekers from looking at data
• Compliance demands that privileged users be monitored
• Know what is going on before others tell you


Comprehensive Auditing of E-Business Suite Applications
• Five primary ways:
  – Standard Application Auditing
  – Application Level Audit Trail
  – Database Event Auditing
  – Database Trigger Auditing
  – Fine Grain Auditing (Audit Vault)


What to Audit

• System Changes:
  – Changes to the database structure
  – Addition, deletion, or change to database triggers
  – Changes to programs, libraries, or scripts at the OS level
  – Changes to objects or packages at the database level
  – Changes to the setups or profile options at the application level
• End-User Activities:
  – User Access – “Sign-On:Audit Level”
    • All user signons
    • Unsuccessful logins
    • Concurrent requests


What to Audit

• Security
  – Menus
  – Roles
  – Responsibilities
  – Security Profiles
• Application Controls:
  – Journal Sources
  – Receivables activities
• Change Management (development)
  – Concurrent programs
  – Executables
  – Functions
  – SQL Forms

Recommendations


Database Auditing and Applications
• Monitor privileged application user accounts for non-compliant activity
  – Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)
• Verify that no one is trying to bypass the application controls/security
  – e.g. PO line items are changed so that the order does not require further approvals
• Verify that shared accounts are not being abused by non-privileged users
  – Application bypass: use of application accounts to view application data directly


Oracle Audit Vault
Audit Database Activity in Real-Time

• Consolidate database audit trail into a secure centralized repository
• Detect and alert on suspicious activities, including privileged users
• Out-of-the-box compliance reports for SOX, PCI, and other regulations
  • E.g., privileged user audit, entitlements, failed logins, regulated data changes
• Streamline audits with report generation, notification, attestation, archiving, etc.

(Diagram: CRM, ERP and HR databases feed audit data into Audit Vault; policies drive built-in reports, custom reports and alerts for the Auditor.)


Oracle Audit Vault

• Applications are validated by default
  – Database auditing is underneath the Application
• Application User Auditing
  – Application can set the database “Client Identifier” to tie the application user to the application's shared account
• Database Auditing can be used to monitor
  – Base application tables and views
  – Privileged user operations in the database (logins, user/table create)


Setting Client Identifier

• Any application running on Oracle database can set the client identifier

(Diagram: flow between the Oracle Application Server and the Oracle Database)
1. User A connects; the application sets client_info to User A.
2. User B connects; the application resets client_info to User B.
3. The audit record uses client_identifier.


Oracle Audit

1. Turn on database auditing
   • Set the database parameters audit_trail, audit_trail_dest, audit_sys_operations
2. Determine the application tables to audit
   • audit <table> by access;
3. Configure Audit Vault to collect the database audit trail
4. Set up alerts in Audit Vault
5. View Reports

Application Integration
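The audit steps above and the client-identifier attribution from the earlier slides, worked through as an added example (not from the presentation). It assumes an Oracle 11g database, uses the real EBS person table HR.PER_ALL_PEOPLE_F as the audited object, and uses RARMSTRONG as a made-up application user name.

```sql
-- Step 1: turn on database auditing (needs an instance restart; SCOPE=SPFILE).
-- DB,EXTENDED also captures the SQL text and bind values of each audited
-- statement. AUDIT_SYS_OPERATIONS writes SYSDBA/SYSOPER activity to the OS
-- audit files, so the most privileged sessions cannot avoid the trail.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
-- (restart the instance here)

-- Step 2: audit the application tables that hold sensitive data, BY ACCESS so
-- every statement produces its own record instead of one record per session.
-- HR.PER_ALL_PEOPLE_F holds names and national identifiers (PII).
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.per_all_people_f BY ACCESS;

-- Application side: the mid-tier connects as the shared APPS account, so it
-- must tag each request with the end user before running its SQL.
-- RARMSTRONG is a made-up application user name.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('RARMSTRONG');
END;
/
-- ... application SQL runs here as APPS ...
-- Clear the tag when the pooled connection is handed back; otherwise the next
-- request served by this session is attributed to the previous user.
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- Steps 3 to 5 are done in Audit Vault; the same trail can also be read
-- directly. Who touched the person table, attributed to the application user:
SELECT extended_timestamp, username, client_id, os_username, userhost,
       action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'HR'
   AND obj_name = 'PER_ALL_PEOPLE_F'
 ORDER BY extended_timestamp;

-- Detective control for "application bypass": APPS sessions that touched the
-- table with no client identifier did not come through the application, so
-- someone used the shared account directly.
SELECT extended_timestamp, os_username, userhost, terminal, action_name, sql_text
  FROM dba_audit_trail
 WHERE username = 'APPS'
   AND client_id IS NULL
   AND owner = 'HR'
   AND obj_name = 'PER_ALL_PEOPLE_F'
 ORDER BY extended_timestamp DESC;
```

The bypass query only works if every legitimate path through APPS sets the identifier; batch and concurrent-processing sessions that connect as APPS without one will show up here too, so build an allowlist of their OS users and hosts before alerting on the result.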


Oracle Audit Vault Application Integration


The Access Reports filter the audit content based on event and categories, such as Data Access (select, insert, update, delete) and User Sessions (login, logout, etc.). The Oracle Audit Vault Auditor's Guide lists the events that are collected and mapped to the categories.


The Entitlement Reports can be used by internal/external auditors to view Oracle database users and their privileges. You can view all Oracle databases and their users, or filter by an individual database to view its privileges. The compare capability provides a report on changes to user privileges from one snapshot time to another.
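To show what an entitlement snapshot-and-compare report is built from, here is an added example that is not from the presentation and not Audit Vault's own mechanism: a hand-rolled snapshot of the data dictionary privilege views and a MINUS-based comparison of two snapshots. It assumes a schema SECAUDIT exists to hold the snapshot table, and that :t_old and :t_new are bound to two capture timestamps.

```sql
-- Snapshot table: one row per (principal, privilege) per capture time.
CREATE TABLE secaudit.priv_snapshot (
  taken_at   TIMESTAMP     NOT NULL,
  grantee    VARCHAR2(128) NOT NULL,
  priv_kind  VARCHAR2(4)   NOT NULL,   -- SYS, ROLE or OBJ
  privilege  VARCHAR2(400) NOT NULL,
  admin_opt  VARCHAR2(3)               -- YES/NO: ADMIN OPTION / GRANT OPTION
);

-- Take a snapshot. A single timestamp is captured into a variable so that all
-- three branches share exactly the same taken_at value.
DECLARE
  l_now TIMESTAMP := SYSTIMESTAMP;
BEGIN
  INSERT INTO secaudit.priv_snapshot (taken_at, grantee, priv_kind, privilege, admin_opt)
  SELECT l_now, grantee, 'SYS',  privilege,    admin_option FROM dba_sys_privs
  UNION ALL
  SELECT l_now, grantee, 'ROLE', granted_role, admin_option FROM dba_role_privs
  UNION ALL
  SELECT l_now, grantee, 'OBJ',
         privilege || ' ON ' || owner || '.' || table_name, grantable
    FROM dba_tab_privs;
  COMMIT;
END;
/

-- Compare two snapshots: what was granted and what was revoked in between.
WITH old_snap AS (
  SELECT grantee, priv_kind, privilege, admin_opt
    FROM secaudit.priv_snapshot WHERE taken_at = :t_old),
     new_snap AS (
  SELECT grantee, priv_kind, privilege, admin_opt
    FROM secaudit.priv_snapshot WHERE taken_at = :t_new)
SELECT 'ADDED' AS change, n.*
  FROM (SELECT * FROM new_snap MINUS SELECT * FROM old_snap) n
UNION ALL
SELECT 'REMOVED' AS change, o.*
  FROM (SELECT * FROM old_snap MINUS SELECT * FROM new_snap) o
 ORDER BY 1, 2, 3, 4;
```

Schedule the snapshot block with DBMS_SCHEDULER and keep the table outside the reach of the accounts it reports on; a DBA who can delete rows from SECAUDIT.PRIV_SNAPSHOT can hide a temporary privilege grant from the comparison.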


The Compliance Reports provide out-of-the-box reports requested by auditors. Each category of reports can be customized to filter by the databases that are audited for that regulation.


Comprehensive Data Protection

When Data Is In Motion

When Data Is At Rest

When Data Is Cloned

When Data Is Administered

When Applications Are Targeted


Program Agenda
• Security Challenges
• Auditing in E-Business Suite
• Transparent Tablespace Encryption
• Data Masking
• Separation of Duties
  – Patching via OAM Patch Manager
  – Patching and administering mid-tier services
  – Sensitive pages
  – Database Vault


Advanced Security: Transparent Data Encryption

Benefits
• Strong encryption for data at rest
• No application changes required
• Efficient encryption of sensitive application data


Column Transparent Data Encryption

No application changes required


Transparent Tablespace Encryption

• No need to worry about which columns have to be encrypted
• Highly efficient
  – High performance
  – Space preserving
• Highly Secure
  – Everything on disk is encrypted
  – Industry standard cryptography
• No application changes required

Oracle Database 11g Solution (diagram): the SQL Layer and Buffer Cache hold cleartext (“SSN = 834-63-..”); data blocks, undo blocks, temp blocks, flashback logs and redo logs on disk hold ciphertext (“*M$b@^s%&d7”).


What is Data Masking?

What
• The act of anonymizing customer, financial, or company-confidential data to create new, legible data that retains the data's properties, such as its width, type, and format

Why
• To protect confidential data in non-production environments when the data is shared with non-production users, without revealing sensitive information

Production:
LAST_NAME   SSN           SALARY
AGUILAR     203-33-3234   40,000
BENSON      323-22-2943   60,000

Non-Production (masked):
LAST_NAME   SSN           SALARY
ANSKEKSL    111-23-1111   60,000
BKJHHEIEDK  222-34-1345   40,000


Using Enterprise Manager Data Masking

• Used in conjunction with cloning
• Create irreversibly scrambled versions of your production DB for testing & development

(Diagram: Production → Clone → Staging → Mask → Clone → Test)


What are we Producing?

• E-Business Suite Masking Template
  – Metadata for the EM Masking tool
  – Columns, Relationships, and Masking rules for Personally Identifiable Information (PII) and Sensitive attributes for E-Business Suite products
• ~1000 Columns
  – 65% HCM; also TCA, ATG, Financials, Projects…
• Not split out by product or family
  – De-identification needs to be done across the DB


Goals in Application Masking

• De-Identify the data
  – Scramble identifiers of individuals (PII): name, account, address, location, driver's license…
• Mask sensitive data
  – Mask the data that, if associated with PII, would cause privacy concerns
    • Compensation
    • Health
    • Employment Information
• Maintain Data Validity
  – Don't break the application (too much…)
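An added example (not from the presentation and not the EM Masking tool) of the masking behaviour described in "What is Data Masking?" and the goals above: a PL/SQL function that replaces every letter and digit while keeping width, character class and separators, and that is keyed by a salt so the same input value masks identically wherever it appears (relationships between tables survive). It assumes the clone is being masked with a SQL*Plus session in which &&salt is supplied interactively, and uses the real EBS table HR.PER_ALL_PEOPLE_F and its LAST_NAME and NATIONAL_IDENTIFIER columns as the target.

```sql
-- Format-preserving, keyed, one-way scramble of a single value.
CREATE OR REPLACE FUNCTION mask_keep_format (
  p_value IN VARCHAR2,
  p_salt  IN VARCHAR2
) RETURN VARCHAR2 DETERMINISTIC
IS
  l_out VARCHAR2(4000);
  l_ch  VARCHAR2(1 CHAR);
  l_key VARCHAR2(4000);
BEGIN
  IF p_value IS NULL THEN
    RETURN NULL;
  END IF;
  FOR i IN 1 .. LENGTH(p_value) LOOP
    l_ch := SUBSTR(p_value, i, 1);
    -- Hash of secret salt + whole value + position: repeatable for a given
    -- input, different at every position. ORA_HASH(expr, n) yields 0..n.
    l_key := p_salt || '|' || p_value || '|' || i;
    IF l_ch BETWEEN '0' AND '9' THEN
      l_out := l_out || TO_CHAR(ORA_HASH(l_key, 9));          -- digit -> digit
    ELSIF l_ch BETWEEN 'A' AND 'Z' THEN
      l_out := l_out || CHR(ASCII('A') + ORA_HASH(l_key, 25)); -- upper -> upper
    ELSIF l_ch BETWEEN 'a' AND 'z' THEN
      l_out := l_out || CHR(ASCII('a') + ORA_HASH(l_key, 25)); -- lower -> lower
    ELSE
      l_out := l_out || l_ch;   -- keep separators such as '-' and ' ' as-is
    END IF;
  END LOOP;
  RETURN l_out;
END mask_keep_format;
/

-- Try it on a made-up value (not a real identifier): the dashes and the
-- 3-2-4 digit grouping are preserved, the digits are replaced.
SELECT mask_keep_format('203-33-3234', 'example-salt') AS masked FROM dual;

-- Apply on the staging clone only, never on production.
UPDATE hr.per_all_people_f
   SET last_name           = mask_keep_format(last_name, '&&salt'),
       national_identifier = mask_keep_format(national_identifier, '&&salt');
COMMIT;
```

Two caveats that matter in practice. First, irreversibility depends on the salt being discarded after the run: a nine-digit identifier space is small enough that anyone holding the salt can recompute the whole mapping. Second, "don't break the application" means checking the masked columns against the constraints the application relies on (unique indexes, check digits in national identifiers, lookups to reference data) before handing the clone to test users; a hash collision on a unique column will fail the UPDATE, and a column that is validated by format will need a rule written for that format.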


Personally Identifiable Information
Categories
• Name
• Business Location
• Business Phone
• Business ID
• Accounts (bank, debit, credit)
• Location
• External ID (driver's license)
• National ID (social security number)
• Web Site
• Phone


Sensitive Data
Categories
• Compensation
• Employment details
• Nationality / Citizenship
• Health Information
• Personal information
• Mother's maiden name
• Passwords
• Encryption keys
• Audit information
• Session information


Program Agenda
• Security Challenges
• Auditing in E-Business Suite
• Transparent Tablespace Encryption
• Data Masking
• Separation of Duties
  – Patching via OAM Patch Manager
  – Patching and administering mid-tier services
  – Sensitive pages
  – Database Vault


Administrative Separation of Duties
Business Drivers
• Separation of Duties: prevent fraud or theft by a single individual
  – Sarbanes-Oxley (SOX)
  – Payment Card Industry (PCI) Data Security Standard (DSS)
  – Health Insurance Portability and Accountability Act (HIPAA)
  – Gramm-Leach-Bliley Act (GLBA) ...


Least Privilege Administrative Accounts
Business Drivers
• Principle of least privilege user account
  – Perform tasks with as few privileges as possible
  – Run applications with as few privileges as possible
  – Limit the number of people with access to critical system security controls
• Benefits
  – Limits the damage that can result from an accident or error
  – Reduces the impact of misuse of a privilege
  – Reduces the auditing requirements


Separation of Duties for Admin Accounts
Process Guidelines
• Database access
  – Use named accounts
  – Use a database proxy user ( sqlplus ebing[apps]/<ebingpwd> )
  – Avoid routine activities in the APPS and SYSTEM accounts
• Operating System access
  – Use named accounts
  – Delegate common tasks through sudo or Oracle Enterprise Manager
  – Remove write and read for non-owners (0600 or 0700)
• Enhancing Oracle E-Business Suite Security with Separation of Duties (Note 950018.1)
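The named-account and proxy-user guidance above, as an added example that is not from the presentation or from Note 950018.1. EBING is a made-up personal DBA login, the password is a placeholder, and the statements assume an Oracle 11g database with standard auditing enabled.

```sql
-- A personal, named database account for the administrator. It gets only
-- CREATE SESSION of its own; the work it may do as APPS is reached through
-- proxy authentication rather than by handing out the APPS password.
CREATE USER ebing IDENTIFIED BY "CHANGE_ME_strong_password_placeholder";
GRANT CREATE SESSION TO ebing;

-- Allow EBING to connect as APPS via proxy. The administrator authenticates
-- with their own password and then connects as:  sqlplus ebing[apps]/<ebingpwd>
ALTER USER apps GRANT CONNECT THROUGH ebing;

-- Audit what is done as APPS through this proxy, attributed to EBING, and
-- audit every APPS logon so direct (shared-password) use is visible too.
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE, ALTER TABLE
   BY ebing ON BEHALF OF apps;
AUDIT CREATE SESSION BY apps;

-- Inside a proxied session both identities are visible to the application
-- and to any VPD/FGA policy: PROXY_USER = EBING, SESSION_USER = APPS.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
  FROM dual;

-- Entitlement check: who is allowed to proxy as whom right now.
SELECT proxy, client FROM dba_proxies ORDER BY client, proxy;

-- Detective control: APPS logons with no PROXY_SESSIONID came in with the
-- shared password directly, which the guidance above says should be rare.
SELECT extended_timestamp, os_username, userhost, terminal, proxy_sessionid
  FROM dba_audit_trail
 WHERE username = 'APPS'
   AND action_name = 'LOGON'
   AND proxy_sessionid IS NULL
 ORDER BY extended_timestamp DESC;
```

Proxy access should be granted per administrator and revoked with `ALTER USER apps REVOKE CONNECT THROUGH ebing;` when the person changes role; DBA_PROXIES is the place to review that list during an entitlements audit.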


Challenges with implementing Admin SOD
• Patching without “super user” credentials
• Starting and stopping mid-tier services
• Restricting access to administrative pages and functionality
  – Auditing reports on who has access in production


Separation of Duties / Least Privilege
Oracle E-Business Suite Patching
• Problem: Using adpatch requires a super Admin
  – Access to the DB account passwords (APPS and SYSTEM)
  – Access to the applmgr Operating System account
  – No controls on the patch being applied
  – No out-of-the-box auditing
• Solutions:
  – Put in place logging and credential control for patch windows
  – Use E-Business Suite Plug-In (Application Change Management Pack - ACMP) Patch Manager functionality


Patching via ACMP Patch Manager
Benefits
• Benefits of Application Change Management Pack
  – Allows for deployment of patches without database or operating system credentials
  – Restricts ad-hoc access to application data
  – Provides protection against tampering of patches by providing a protected process flow
  – Provides a separation of roles (patch manager and patch approver)
  – Provides optional approval and auditing of patch deployments


Patching via ACMP Patch Manager
Process Flow
• Setup Admin associates users with roles and targets
  – Robert is Patch Manager for the Prod1 instance
• Setup Admin sets up Preferred Credentials for targets
  – Set up preferred credentials for Robert for the SYSTEM and APPS accounts in Prod1


Set up Roles and Assign Targets


Preferred Credentials in OAM Patch Manager

Patching via OAM Patch Manager


Patching via ACMP Patch Manager
Process Flow
• Patch Manager schedules or submits the patch; this can be:
  – Directly downloaded from Oracle
  – Staged via Oracle Management Server (OMS)
• Patch Approver optionally can approve the patch and audit patch activity


Approve Patches


View Approval History


Patching via ACMP Patch Manager
Supported platforms and versions
• Oracle E-Business Suite Plug-in 4.0
  – Requires Enterprise Manager 11g Grid Control R1 (11.1.0.1.0)
• Oracle E-Business Suite:
  – 11i: Release 11.5.10 CU2 with ATG_PF.H RUP6 or higher
  – 12.0: Release 12.0.4 with R12.ATG_PF.A.delta.6
  – 12.1: Release 12.1 with R12.ATG_PF.B.delta.3
• Getting Started with Oracle E-Business Suite Plug-in, Release 4.0 (Note 1224313.1)
• Separation of Duties using Patch Manager (Note 1363260.1)


Separation of Duties / Least Privilege
Starting and stopping mid-tier services
• Problem: Managing the mid-tier systems without database credentials
  – Managing the concurrent manager required the APPS password in the past
• Options:
  – Leverage sudo, but then passwords have to be hardcoded in scripts
  – Leverage Enterprise Manager Applications Management Pack
  – Start the concurrent manager with an applications user name and password from the command line (available in 12.1.3)


Separation of Duties / Least Privilege
Starting and stopping mid-tier services
• Create a new user (e.g. CONCOPER)
  – assign the “Concurrent Manager Operator” responsibility
• On the application tier update the following 4 variables in the AutoConfig context file and then run AutoConfig

AutoConfig Variable / New Value
  – s_cp_user: CONCOPER (or the one you created)
  – s_cp_password_type: AppsUser
  – s_cp_resp_shortname: FND
  – s_cp_resp_name: Concurrent Manager Operator


Separation of Duties / Least Privilege
Starting and stopping mid-tier services
• Application tiers can be started and stopped by calling adstrtal.sh and adstpall.sh with the -secureapps option
  – Script will prompt for the Applications user name and password
  – Documented in Secure Configuration Guide for Oracle E-Business Suite Release 12 (Note 403537.1)

[applmgr@app01]$ adstrtal.sh -secureapps
Enter the Applications username: CONCOPER
Enter the Applications password:


Separation of Duties / Least Privilege
Control and Audit Privileged Pages
• Problem: Identifying access to critical pages
• Security Administrator
  – Control of access to pages and profiles
• Sensitive Administrator Functionality
  – Pages and profiles which allow for changes to “code” at runtime
  – Often allow for HTML or SQL to be defined from the application
  – Ideally should be disabled on Production Systems


Separation of Duties / Least Privilege
Sensitive Administrator Functionality
• Administrator / Developer Functionality
  – Pages / profiles which allow for Application Development at runtime
    • SQL statements or fragments
    • HTML fragments
    • OS commands
  – Designed-in SQL injections or XSS injections
  – Should be disabled, controlled, and audited in production environments
    • Flexfield definitions
    • Forms and Framework personalization…


Separation of Duties / Least Privilege
Sensitive Administrator Functionality
• Documented in Sensitive Administrative Pages in Oracle E-Business Suite (Note 1334930.1)
• Identifies new categories of sensitive functionality:
  – Oracle Forms Controlled by Function Security (~40)
  – HTML Pages Controlled by Function Security (~25)
  – Pages and Forms Controlled by Profile Options (3)
  – Pages Controlled by JTF Roles and Permissions (3)


Sensitive Administrator Functionality
Profiles

Feature: OA Framework Personalization
  – Profile Code: FND_CUSTOM_OA_DEFINTION (“Personalize Self-service Defn”)
  – Recommended Setting: No

Feature: Form Personalization / Examine
  – Profile Codes: combination of FND_HIDE_DIAGNOSTICS (“Hide Diagnostics menu entry”) and DIAGNOSTICS (“Utilities:Diagnostics”)
  – Recommended Settings: FND_HIDE_DIAGNOSTICS: Yes; DIAGNOSTICS: No


Sensitive Administrator Functionality
Recommendations
• Note 1334930.1 provides SQL queries to determine who has access to these
  – SQL scripts drive off of page and form names (not functions)
  – Slower, but ensures we pick up custom functions that include these
• Reduce and eliminate access to these pages by admins
• Use Fine Grained Auditing to audit the tables associated with these pages
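An added example of the two recommendations above (who can reach a sensitive form, and FGA on the table behind it). It is not the SQL from Note 1334930.1; it is a simplified query of the same shape, driven by form name and walking the responsibility menu tree. It assumes the standard APPS synonyms for the FND tables, uses FNDCUSTM (the Form Personalization form) as the example target, and places the FGA policy on APPLSYS.FND_FORM_CUSTOM_RULES, where form personalizations are stored.

```sql
-- 1. Entitlement query: active users who, through an active responsibility,
--    can reach a function attached to one of the listed forms. The list in
--    the IN clause is a placeholder; take the real one from Note 1334930.1.
WITH menu_tree AS (
  -- every (root menu, function) pair reachable from any responsibility menu
  SELECT CONNECT_BY_ROOT menu_id AS root_menu_id, function_id
    FROM apps.fnd_menu_entries
   WHERE function_id IS NOT NULL
     AND grant_flag = 'Y'
   START WITH menu_id IN (SELECT menu_id FROM apps.fnd_responsibility)
 CONNECT BY NOCYCLE PRIOR sub_menu_id = menu_id
)
SELECT DISTINCT u.user_name, r.responsibility_key, ff.function_name, f.form_name
  FROM apps.fnd_user u
  JOIN apps.fnd_user_resp_groups urg
    ON urg.user_id = u.user_id
   AND (urg.end_date IS NULL OR urg.end_date > SYSDATE)
  JOIN apps.fnd_responsibility r
    ON r.responsibility_id = urg.responsibility_id
   AND r.application_id    = urg.responsibility_application_id
   AND (r.end_date IS NULL OR r.end_date > SYSDATE)
  JOIN menu_tree mt            ON mt.root_menu_id = r.menu_id
  JOIN apps.fnd_form_functions ff ON ff.function_id = mt.function_id
  JOIN apps.fnd_form f         ON f.form_id = ff.form_id
 WHERE (u.end_date IS NULL OR u.end_date > SYSDATE)
   AND f.form_name IN ('FNDCUSTM')   -- placeholder list of sensitive forms
   -- honour responsibility-level function exclusions
   AND NOT EXISTS (SELECT 1
                     FROM apps.fnd_resp_functions x
                    WHERE x.responsibility_id = r.responsibility_id
                      AND x.application_id    = r.application_id
                      AND x.rule_type = 'F'
                      AND x.action_id = ff.function_id)
 ORDER BY u.user_name, r.responsibility_key;

-- 2. Fine Grained Auditing on the table behind the form: every change to a
--    form personalization is recorded with SQL text and bind values.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APPLSYS',
    object_name     => 'FND_FORM_CUSTOM_RULES',
    policy_name     => 'SEC_FORM_PERSONALIZATION',
    statement_types => 'INSERT, UPDATE, DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/

-- 3. Review the FGA trail. CLIENT_ID carries the application user when the
--    mid-tier sets the client identifier; DB_USER will normally be APPS.
SELECT extended_timestamp, db_user, client_id, os_user, userhost,
       statement_type, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'SEC_FORM_PERSONALIZATION'
 ORDER BY extended_timestamp DESC;
```

The query covers forms reached through menus; it does not apply menu-level exclusions (rule_type 'M'), and HTML pages controlled by function security are matched on FND_FORM_FUNCTIONS.WEB_HTML_CALL instead of a form name, so run the same query once per category from the Note. In production the expected result for these forms is an empty list; anything returned is a finding to either remove or to justify and audit.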


Oracle Database Vault
Privileged Account Controls

(Diagram: Procurement, HR and Finance application data sit inside realms; the Application is allowed through, while a DBA / Application DBA issuing “select * from finance.customers” is blocked.)

• Enforce least privilege and prevent DBA access to apps data
• Enforce who, where, when, and how data can be accessed using rules and factors
• Restrict ad hoc database changes
• Securely enable applications consolidation and outsourcing / off-shoring


Database Vault
Modifying Default Realms
• The default realm we ship contains all Apps objects
• We now support realms that are subsets of this
  – Need to ensure that all the procedures and patches in the Support Notes are followed
  – Any subsets will be treated as certified
  – Any additions will be treated as customizations
• Detailed example of extending EBS realms in the Support Notes


Database Vault White Papers

• 428503.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 10.2.0.4

• 859399.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 11.1.0.7

• 566841.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.4

• 859397.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 11.1.0.7


Q&A
