1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
E-Business Suite Data Protection
Robert Armstrong, Eric Bing
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
• Security Challenges
• Auditing in E-Business Suite
• Transparent Tablespace Encryption
• Data Masking
• Separation of Duties
  – Patching via OAM Patch Manager
  – Patching and administering mid-tier services
  – Sensitive pages
  – Database Vault
Applications Run Our World
98%
Cloud Computing Environments
• Data, data everywhere
• The information being created, collected and stored is valuable to everyday operations
• Business data represents a type of currency within the marketplace
• Like all currency, data must be protected
• Need to track sensitive data
More Challenges Than Ever Before…
• More data, doubling yearly
• More breaches, average $6.6 million+ per breach
• More threats, coming from every part of the business
• More regulations: federal, state, local, industry
• Equates to more costs…
  – User management costs
  – User productivity costs
  – Compliance and remediation costs
  – Security breach remediation costs
It adds up.
Solutions Map
Slide diagram, showing the controls across the tiers (web client, application server, database) and the surrounding business process, policy store and auditing:
• Data in motion: Secure Socket Layer between clients and the application server; Oracle Network Encryption between the application server and the database
• Application tier: access control matrix; authorize access from the application interface using FND Grants; approvals within the business process
• Database tier: encrypted using Transparent Data Encryption to protect data at rest; column-level security using VPD; configure Database Vault to protect against DBA access; Data Masking on cloned databases
• Across all tiers: policy store and auditing
Program Agenda
• Security Challenges
  – What are we protecting against?
• Auditing in Oracle E-Business Suite
• Separation of Duties / Least Privilege
  – Sensitive Admin Pages
  – Database Vault
• Other Technologies
  – Data Masking in Oracle E-Business Suite
  – Transparent Data Encryption
Why Audit?
• It's all about protecting sensitive data, maintaining customer trust and protecting the business
• Trust, but verify that your employees are only performing operations required by the business
• Detective controls to monitor what is really going on
• Deter curiosity seekers from browsing data they have no business reason to see
• Compliance demands that privileged users be monitored
• Know what is going on before others tell you
Comprehensive Auditing of E-Business Suite Applications
• Five primary ways:
  – Standard application auditing
  – Application-level audit trail
  – Database event auditing
  – Database trigger auditing
  – Fine-grained auditing (DBMS_FGA), with Audit Vault consolidating the trails
What to Audit
• System changes:
  – Changes to the database structure
  – Addition, deletion or change of database triggers
  – Changes to programs, libraries or scripts at the OS level
  – Changes to objects or packages at the database level
  – Changes to the setups or profile options at the application level
• End-user activities:
  – User access, controlled by the "Sign-On:Audit Level" profile option
    • All user sign-ons
    • Unsuccessful logins
    • Concurrent requests
What to Audit: Recommendations
• Security
  – Menus
  – Roles
  – Responsibilities
  – Security profiles
• Application controls:
  – Journal sources
  – Receivables activities
• Change management (development)
  – Concurrent programs
  – Executables
  – Functions
  – SQL forms
Database Auditing and Applications
• Monitor privileged application user accounts for non-compliant activity
  – Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)
• Verify that no one is trying to bypass the application controls/security
  – Example: PO line items are changed so that the order no longer requires further approvals
• Verify that shared accounts are not abused by non-privileged users
  – Application bypass: use of application accounts (e.g. APPS) to view application data directly, outside the application
Oracle Audit Vault: Audit Database Activity in Real Time
• Consolidate database audit trails into a secure, centralized repository
• Detect and alert on suspicious activities, including those of privileged users
• Out-of-the-box compliance reports for SOX, PCI and other regulations
  – E.g. privileged user audit, entitlements, failed logins, regulated data changes
• Streamline audits with report generation, notification, attestation, archiving, etc.
Slide diagram: the audited databases (CRM, ERP and HR data) send their audit data to Audit Vault, which applies policies and produces built-in reports, custom reports and alerts for the auditor.
Oracle Audit Vault
• Applications are covered by default: database auditing sits underneath the application, so every statement the application issues reaches the audit trail
• Application user auditing
  – The application can set the database client identifier to tie the application user to the shared application account (APPS)
• Database auditing can be used to monitor
  – Base application tables and views
  – Privileged user operations in the database (logins, user/table creation)
Setting Client Identifier
• Any application running on Oracle Database can set the client identifier (DBMS_SESSION.SET_IDENTIFIER); the database records it in the CLIENT_ID column of every audit record, next to the database user name
• Slide diagram: User A connects to the Oracle application server, which sets the client identifier on its database session to User A; User B connects and the application resets the client identifier to User B; each audit record written by the Oracle Database carries the client identifier of the user whose request it served
• The client identifier is distinct from CLIENT_INFO (DBMS_APPLICATION_INFO.SET_CLIENT_INFO), which is visible in V$SESSION but is not written to the audit trail
Oracle Audit: Application Integration
1. Turn on database auditing
   • Set the database parameters audit_trail, audit_file_dest and audit_sys_operations (they take effect after a restart)
2. Determine the application tables to audit
   • AUDIT SELECT, INSERT, UPDATE, DELETE ON <schema>.<table> BY ACCESS;
3. Configure Audit Vault to collect the database audit trail
4. Set up alerts in Audit Vault
5. View reports
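Steps 1 and 2 as concrete statements, together with the client-identifier mechanism from the previous slide and the two queries an auditor runs against the resulting trail. This is an added example, not code from the deck or from Oracle's documentation; it assumes Oracle Database 11g, HR.PER_ALL_PEOPLE_F (a real E-Business Suite table) as the sensitive object, and an illustrative adump path and Applications user name RARMSTRONG.

```sql
-- Added example: standard (non-FGA) Oracle 11g auditing of an E-Business Suite
-- table, with the Applications user recovered from CLIENT_IDENTIFIER.
-- Run as SYSDBA; the adump path and the user name are illustrative.

-- 1. Turn on auditing. DB,EXTENDED writes to SYS.AUD$ and keeps SQL text and
--    bind values; AUDIT_SYS_OPERATIONS covers SYSDBA/SYSOPER sessions, which
--    SYS.AUD$ never captures. All three need a restart to take effect.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_file_dest = '/u01/app/oracle/admin/PROD/adump' SCOPE = SPFILE;
-- SHUTDOWN IMMEDIATE / STARTUP here.

-- 2. Audit every access to the table holding national identifiers, one
--    record per statement, plus the privileged operations the deck lists
--    (logins, user and table management, grants, ALTER SYSTEM).
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.per_all_people_f BY ACCESS;
AUDIT CREATE SESSION BY ACCESS;                    -- logins, successful and failed
AUDIT TABLE, ALTER TABLE, USER, ROLE, SYSTEM GRANT, ALTER SYSTEM BY ACCESS;

-- 3. Client identifier. The application sets it per request so the shared
--    APPS connection becomes attributable; E-Business Suite does this itself
--    through FND_GLOBAL when it initialises an application session. Any other
--    program that connects as APPS should do the same before touching data.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('RARMSTRONG');      -- Applications user, not DB user
END;
/
SELECT national_identifier FROM hr.per_all_people_f WHERE person_id = 42;
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- 4. Read the trail. USERNAME is APPS for every application row; CLIENT_ID
--    names the person. This is the same trail Audit Vault pulls off the box.
SELECT extended_timestamp, username, client_id, os_username, userhost,
       action_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'PER_ALL_PEOPLE_F'
 ORDER BY extended_timestamp DESC;

-- 5. Application bypass (slide "Database Auditing and Applications"): a
--    statement run as APPS with no client identifier did not come through the
--    application. Patching and AutoConfig windows show up here too, so compare
--    the hits against change records rather than treating every row as abuse.
SELECT extended_timestamp, os_username, userhost, terminal, action_name, obj_name
  FROM dba_audit_trail
 WHERE username = 'APPS'
   AND client_id IS NULL
   AND action_name NOT IN ('LOGON', 'LOGOFF')
 ORDER BY extended_timestamp DESC;
```

SYS.AUD$ lives in the database the DBA administers, so a DBA can edit or purge it; that is why step 3 moves the trail into Audit Vault rather than reporting from DBA_AUDIT_TRAIL in place. The queries above are the manual equivalent for a first check that the policy is producing what you expect.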
Oracle Audit Vault Application Integration
The Access Reports filter the audit content by event category, such as Data Access (select, insert, update, delete) and User Sessions (login, logout, etc.). The Oracle Audit Vault Auditor's Guide lists the events that are collected and how they map to the categories.
The Entitlement Reports can be used for internal/external auditors to view Oracle database users and their privileges. You can view all Oracle databases and their users or filter by an individual database to view the privileges. The compare capability provides a report on changes to user privileges from one snapshot time to another.
The Compliance Reports provide out-of-the-box reports of the kind auditors request. Each category of reports can be customized to filter by the databases that are audited for that regulation.
Comprehensive Data Protection
When Data Is In Motion
When Data Is At Rest
When Data Is Cloned
When Data Is Administered
When Applications Are Targeted
Advanced Security: Transparent Data Encryption
Benefits
• Strong encryption for data at rest
• No application changes required
• Efficient encryption of sensitive application data
Column Transparent Data Encryption
No application changes required
Transparent Tablespace Encryption
• No need to worry about which columns have to be encrypted
• Highly efficient
  – High performance
  – Space preserving
• Highly secure
  – Everything on disk is encrypted
  – Industry standard cryptography
• No application changes required
Oracle Database 11g solution (slide diagram): data is cleartext in the SQL layer and in the buffer cache ("SSN = 834-63-.."); the data blocks, undo blocks, temp blocks, redo logs and flashback logs on disk hold only ciphertext ("*M$b@^s%&d7").
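The create-and-move sequence for an Oracle Database 11g encrypted tablespace, with the check that no sensitive segment was left behind in a cleartext tablespace. This is an added example, not from the deck or from Oracle's E-Business Suite documentation; the wallet path, wallet password, tablespace and datafile names are illustrative, and HR.PER_ALL_PEOPLE_F (a real E-Business Suite table) stands in for the sensitive data.

```sql
-- Added example: Oracle Database 11g tablespace encryption for E-Business
-- Suite data. Wallet path, tablespace and file names are illustrative. Needs
-- the Advanced Security Option and, in sqlnet.ora on the database tier:
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/PROD/wallet)))

-- 1. Create the master key (once) and open the wallet (after every restart,
--    unless an auto-login wallet is configured). The wallet, not the
--    datafiles, is what someone holding a copy of the disks is missing.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd!";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassw0rd!";
SELECT wrl_parameter, status FROM v$encryption_wallet;       -- expect OPEN

-- 2. Encryption is fixed at CREATE TABLESPACE time; an existing tablespace
--    cannot be altered into an encrypted one. Create a new one and move
--    segments into it.
CREATE TABLESPACE apps_ts_tx_data_enc
  DATAFILE '/u01/oradata/PROD/apps_ts_tx_data_enc01.dbf' SIZE 4G AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Move the table and rebuild every index on it. An index left behind in a
--    cleartext tablespace leaks the indexed values (e.g. NATIONAL_IDENTIFIER).
ALTER TABLE hr.per_all_people_f MOVE TABLESPACE apps_ts_tx_data_enc;
BEGIN
  FOR i IN (SELECT owner, index_name FROM dba_indexes
             WHERE table_owner = 'HR' AND table_name = 'PER_ALL_PEOPLE_F') LOOP
    EXECUTE IMMEDIATE 'ALTER INDEX ' || i.owner || '.' || i.index_name ||
                      ' REBUILD TABLESPACE apps_ts_tx_data_enc';
  END LOOP;
END;
/

-- 4. Verify the tablespace is encrypted ...
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;

-- ... and that no segment of the table or its indexes is still in a
-- cleartext tablespace. Expect no rows.
SELECT s.owner, s.segment_name, s.segment_type, s.tablespace_name
  FROM dba_segments s
  JOIN dba_tablespaces ts ON ts.tablespace_name = s.tablespace_name
 WHERE ts.encrypted = 'NO'
   AND (   (s.owner = 'HR' AND s.segment_name = 'PER_ALL_PEOPLE_F')
        OR (s.owner, s.segment_name) IN
             (SELECT owner, index_name FROM dba_indexes
               WHERE table_owner = 'HR' AND table_name = 'PER_ALL_PEOPLE_F'));
```

Two caveats the diagram implies but does not spell out. Blocks from an encrypted tablespace stay encrypted in undo, redo, temp and flashback logs, but they are cleartext in the buffer cache and to any authenticated SQL session, so TDE protects against lost disks and backups, not against a DBA or an application account; that is what Database Vault and the access controls elsewhere in this deck are for. And the wallet must be backed up separately from the datafiles: lose it and the encrypted tablespaces are unreadable, back it up onto the same media as the datafiles and the encryption is worthless against whoever holds that media.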
What is Data Masking?
What
• The act of anonymizing customer, financial or company-confidential data to create new, legible data that retains the data's properties, such as its width, type and format
Why
• To protect confidential data in non-production environments when the data is shared with non-production users, without revealing sensitive information

Production
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000

Non-Production (masked)
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000
Using Enterprise Manager Data Masking
• Used in conjunction with cloning
• Create irreversibly scrambled versions of your production DB for testing and development
Flow (slide diagram): Production → Clone → Staging → Mask → Clone → Test
What are we Producing?
• E-Business Suite Masking Template
  – Metadata for the EM Masking tool
  – Columns, relationships and masking rules for Personally Identifiable Information (PII) and sensitive attributes for E-Business Suite products
• ~1000 columns
  – 65% HCM; also TCA, ATG, Financials, Projects…
• Not split out by product or family
  – De-identification needs to be done across the whole database
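The mechanics behind the template's three kinds of rule (consistent substitution, random string, shuffle), and why de-identification has to run across the whole database at once. This is an added example on two constructed demo tables, not the Enterprise Manager masking tool or the E-Business Suite template, and it is meant for the staging copy in the flow above, never for production.

```sql
-- Added example: the mechanics behind a masking template, on constructed demo
-- tables, run on a staging clone (never on production). Shows why the same
-- substitution must be applied everywhere a value appears and why the mapping
-- table must not survive the run.
CREATE TABLE emp_demo  (person_id NUMBER PRIMARY KEY, last_name VARCHAR2(40),
                        ssn VARCHAR2(11), salary NUMBER);
CREATE TABLE bene_demo (person_id NUMBER, ssn VARCHAR2(11), plan_name VARCHAR2(20));
INSERT INTO emp_demo  VALUES (1, 'AGUILAR', '203-33-3234', 40000);
INSERT INTO emp_demo  VALUES (2, 'BENSON',  '323-22-2943', 60000);
INSERT INTO bene_demo VALUES (1, '203-33-3234', 'DENTAL');
INSERT INTO bene_demo VALUES (2, '323-22-2943', 'MEDICAL');
COMMIT;

-- 1. De-identify: one substitute per distinct real SSN, drawn across every
--    table that stores it, so EMP_DEMO and BENE_DEMO still join afterwards.
--    Format is preserved (3-2-4 digits); a leading 9 marks a number the SSA
--    never issues; ROW_NUMBER over a random order gives collision-free values
--    whose order says nothing about the originals.
CREATE TABLE ssn_map (real_ssn VARCHAR2(11) PRIMARY KEY,
                      fake_ssn VARCHAR2(11) NOT NULL UNIQUE);
INSERT INTO ssn_map (real_ssn, fake_ssn)
SELECT real_ssn,
       '9' || SUBSTR(n, 1, 2) || '-' || SUBSTR(n, 3, 2) || '-' || SUBSTR(n, 5, 4)
  FROM (SELECT real_ssn,
               LPAD(ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE), 8, '0') AS n
          FROM (SELECT ssn AS real_ssn FROM emp_demo
                UNION
                SELECT ssn FROM bene_demo));

UPDATE emp_demo  e SET ssn = (SELECT m.fake_ssn FROM ssn_map m WHERE m.real_ssn = e.ssn);
UPDATE bene_demo b SET ssn = (SELECT m.fake_ssn FROM ssn_map m WHERE m.real_ssn = b.ssn);

-- 2. Names: random uppercase letters of the same length, which is what the
--    deck's ANSKEKSL / BKJHHEIEDK rows show. Width and type are preserved.
UPDATE emp_demo SET last_name = DBMS_RANDOM.STRING('U', LENGTH(last_name));

-- 3. Sensitive attribute: shuffle SALARY across rows. The distribution stays
--    intact for testing and reporting; the link to any person is broken.
MERGE INTO emp_demo e
USING (SELECT a.person_id, b.salary AS new_salary
         FROM (SELECT person_id, ROW_NUMBER() OVER (ORDER BY person_id)        AS rn FROM emp_demo) a
         JOIN (SELECT salary,    ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn FROM emp_demo) b
           ON a.rn = b.rn) s
   ON (e.person_id = s.person_id)
 WHEN MATCHED THEN UPDATE SET e.salary = s.new_salary;
COMMIT;

-- 4. Irreversibility: the mapping is the only way back, so it must not
--    outlive the run. PURGE keeps it out of the recycle bin.
DROP TABLE ssn_map PURGE;

-- 5. Check: the cross-table join still holds and no real SSN remains.
SELECT e.last_name, e.ssn, e.salary, b.plan_name
  FROM emp_demo e JOIN bene_demo b ON b.ssn = e.ssn;
SELECT COUNT(*) AS real_ssns_left FROM emp_demo
 WHERE ssn IN ('203-33-3234', '323-22-2943');        -- expect 0
```

The irreversibility comes from dropping the mapping, not from the random generator. Even so, the staging database's undo, redo, archived logs and flashback data still contain the originals after the UPDATEs, which is exactly why the flow on the previous slide masks on a staging copy and then clones again to produce the test system, instead of handing the staging database itself to developers.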
Goals in Application Masking
• De-identify the data
  – Scramble identifiers of individuals (PII): name, account, address, location, driver's license…
• Mask sensitive data
  – Mask the data that, if associated with PII, would cause privacy concerns
    • Compensation
    • Health
    • Employment information
• Maintain data validity
  – Don't break the application (too much…)
Personally Identifiable Information: Categories
• Name
• Business location
• Business phone
• Business ID
• Accounts (bank, debit, credit)
• Location
• External ID (driver's license)
• National ID (social security number)
• Web site
• Phone
Sensitive Data: Categories
• Compensation
• Employment details
• Nationality / citizenship
• Health information
• Personal information
• Mother's maiden name
• Passwords
• Encryption keys
• Audit information
• Session information
Administrative Separation of Duties: Business Drivers
• Separation of duties: prevent fraud or theft by a single individual
  – Sarbanes-Oxley (SOX)
  – Payment Card Industry Data Security Standard (PCI DSS)
  – Health Insurance Portability and Accountability Act (HIPAA)
  – Gramm-Leach-Bliley Act (GLBA) ...
Least Privilege Administrative Accounts: Business Drivers
• Principle of least privilege
  – Perform tasks with as few privileges as possible
  – Run applications with as few privileges as possible
  – Limit the number of people with access to critical system security controls
• Benefits
  – Limits the damage that can result from an accident or error
  – Reduces the impact of misuse of a privilege
  – Reduces the auditing requirements
Separation of Duties for Admin Accounts: Process Guidelines
• Database access
  – Use named accounts
  – Use a database proxy user (sqlplus ebing[apps]/<ebingpwd>): the person authenticates with their own password and acts as APPS without knowing the APPS password
  – Avoid routine activities in the APPS and SYSTEM accounts
• Operating system access
  – Use named accounts
  – Delegate common tasks through sudo or Oracle Enterprise Manager
  – Remove write and read permissions for non-owners (0600 or 0700)
• Enhancing Oracle E-Business Suite Security with Separation of Duties (Note 950018.1)
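The proxy-user setup behind the sqlplus ebing[apps] line above, with the audit options that make the person visible in the trail and two checks for the separation-of-duties review. This is an added example, not from the deck or the referenced Note; EBING is the deck's own example user, and the password and application-tier host names are illustrative.

```sql
-- Added example: a named DBA account that proxies into APPS, so the person is
-- authenticated and audited while the shared account's password stays unknown
-- to them. Run as a DBA. EBING comes from the deck; the rest is illustrative.
CREATE USER ebing IDENTIFIED BY "Ch4nge-me-on-first-login"
  DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp
  PASSWORD EXPIRE;                           -- forces a change at first login
GRANT CREATE SESSION TO ebing;               -- the only privilege EBING holds directly

-- The target account authorises the proxy, not the other way round. No APPS
-- password is involved at connect time:  sqlplus ebing[apps]/<ebingpwd>
ALTER USER apps GRANT CONNECT THROUGH ebing;

-- Audit the proxy logon itself and what EBING does while acting as APPS.
AUDIT CREATE SESSION BY ebing BY ACCESS;
AUDIT SELECT TABLE, INSERT TABLE, UPDATE TABLE, DELETE TABLE, EXECUTE PROCEDURE
  BY ebing ON BEHALF OF apps;

-- From inside a proxied session both identities are visible:
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS acting_as,       -- APPS
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS authenticated_as -- EBING
  FROM dual;

-- Periodic checks for the separation-of-duties review.
-- (a) Who may proxy into the shared accounts at all: this list is the set of
--     people who can act as APPS or SYSTEM, and it should match the roster.
SELECT proxy, client, authentication
  FROM dba_proxies
 WHERE client IN ('APPS', 'SYSTEM')
 ORDER BY client, proxy;

-- (b) Logons to APPS that did not come through a proxy: someone used the
--     shared password directly. For a proxied session Oracle records the
--     proxy's session in PROXY_SESSIONID; a direct logon has none. The
--     application tier connects as APPS by design, so exclude those hosts.
SELECT extended_timestamp, os_username, userhost, terminal, returncode
  FROM dba_audit_trail
 WHERE username = 'APPS'
   AND action_name = 'LOGON'
   AND proxy_sessionid IS NULL
   AND userhost NOT IN ('app01', 'app02')     -- illustrative application-tier hosts
 ORDER BY extended_timestamp DESC;
```

Query (b) is the detective control for the guideline "avoid routine activities in the APPS account": once every administrator has a proxy, any APPS logon from a workstation rather than an application-tier host is either a script with an embedded password or a person who knows the shared password, and both are findings.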
Challenges with Implementing Admin SOD
• Patching without "super user" credentials
• Starting and stopping mid-tier services
• Restricting access to administrative pages and functionality
  – Auditing reports on who has access in production
Separation of Duties / Least Privilege: Oracle E-Business Suite Patching
• Problem: using adpatch requires a super admin
  – Access to the DB account passwords (APPS and SYSTEM)
  – Access to the applmgr operating system account
  – No controls on the patch being applied
  – No out-of-the-box auditing
• Solutions:
  – Put logging and credential control in place for patch windows
  – Use the E-Business Suite Plug-in (Application Change Management Pack, ACMP) Patch Manager functionality
Patching via ACMP Patch Manager: Benefits
• Benefits of Application Change Management Pack
  – Allows deployment of patches without database or operating system credentials
  – Restricts ad-hoc access to application data
  – Protects against tampering with patches by providing a protected process flow
  – Provides a separation of roles (patch manager and patch approver)
  – Provides optional approval and auditing of patch deployments
Patching via ACMP Patch Manager: Process Flow
• The Setup Admin associates users with roles and targets
  – Robert is Patch Manager for the Prod1 instance
• The Setup Admin sets up Preferred Credentials for targets
  – Preferred credentials for Robert for the SYSTEM and APPS accounts in Prod1 (held by Enterprise Manager, so Robert never sees the passwords)
Set up Roles and Assign Targets
Preferred Credentials in OAM Patch Manager
Patching via OAM Patch Manager
Patching via ACMP Patch Manager: Process Flow (continued)
• The Patch Manager schedules or submits the patch, which can be:
  – Downloaded directly from Oracle
  – Staged via the Oracle Management Server (OMS)
• The Patch Approver can optionally approve the patch and audit patch activity
Approve Patches
View Approval History
Patching via ACMP Patch Manager: Supported Platforms and Versions
• Oracle E-Business Suite Plug-in 4.0
  – Requires Enterprise Manager 11g Grid Control R1 (11.1.0.1.0)
• Oracle E-Business Suite:
  – 11i: Release 11.5.10 CU2 with ATG_PF.H RUP6 or higher
  – 12.0: Release 12.0.4 with R12.ATG_PF.A.delta.6
  – 12.1: Release 12.1 with R12.ATG_PF.B.delta.3
• Getting Started with Oracle E-Business Suite Plug-in, Release 4.0 (Note 1224313.1)
• Separation of Duties using Patch Manager (Note 1363260.1)
Separation of Duties / Least Privilege: Starting and Stopping Mid-Tier Services
• Problem: managing the mid-tier systems without database credentials
  – Managing the concurrent manager required the APPS password in the past
• Options:
  – Leverage sudo, but passwords then have to be hardcoded in scripts
  – Leverage the Enterprise Manager Applications Management Pack
  – Start the concurrent manager with an applications user name and password from the command line (available in 12.1.3)
Separation of Duties / Least Privilege: Starting and Stopping Mid-Tier Services
• Create a new user (e.g. CONCOPER)
  – Assign the "Concurrent Manager Operator" responsibility
• On the application tier, update the following four variables in the AutoConfig context file and then run AutoConfig

AutoConfig variable     New value
s_cp_user               CONCOPER (or the user you created)
s_cp_password_type      AppsUser
s_cp_resp_shortname     FND
s_cp_resp_name          Concurrent Manager Operator
![Page 50: 1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. · © 2011 Oracle Corporation 10 Why Audit? • Its all about protecting sensitive data, maintaining customer](https://reader035.vdocuments.site/reader035/viewer/2022070709/5ebcc25cafb9556ed43610f0/html5/thumbnails/50.jpg)
Separation of Duties / Least Privilege
Starting and stopping mid-tier services
• Application tiers can be started and stopped by calling adstrtal.sh and adstpall.sh with the -secureapps option
  – The script prompts for the Applications user name and password, so no password is stored in a script
  – Documented in the Secure Configuration Guide for Oracle E-Business Suite Release 12 (Note 403537.1)

  [applmgr@app01]$ adstrtal.sh -secureapps
  Enter the Applications username: CONCOPER
  Enter the Applications password:
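The three slides above describe one procedure: create a dedicated operator user, set the four AutoConfig context variables, run AutoConfig, and start the tier with -secureapps. The Python script below is an added example and not Oracle's tooling: it parses a context file, reports which of the four variables still deviate from the least-privilege values, and rewrites them. It assumes that each context variable is identified by an oa_var attribute on its XML element, and the trimmed context file embedded in it is constructed, so its element names and "before" values (an APPS user and an "Apps" password type) are placeholders rather than a statement of the shipped defaults.

```python
"""Check and set the AutoConfig context variables that let the concurrent
manager start with a dedicated applications user instead of the APPS
password.  Added example, not Oracle tooling: the context-file layout is
assumed (variables identified by an oa_var attribute) and the sample file
below is constructed."""
import xml.etree.ElementTree as ET

# Recommended values from the slide.  s_cp_user may be any applications
# user created for the purpose; CONCOPER is the slide's example name.
SECURE_CP_SETTINGS = {
    "s_cp_user": "CONCOPER",
    "s_cp_password_type": "AppsUser",
    "s_cp_resp_shortname": "FND",
    "s_cp_resp_name": "Concurrent Manager Operator",
}

# Constructed sample: a trimmed context file whose concurrent-processing
# variables still point at the APPS account (placeholder values only).
SAMPLE_CONTEXT_XML = """<?xml version="1.0"?>
<oa_context version="sample">
  <oa_context_name oa_var="s_contextname">PROD_app01</oa_context_name>
  <cp_user oa_var="s_cp_user">APPS</cp_user>
  <cp_password_type oa_var="s_cp_password_type">Apps</cp_password_type>
  <cp_resp_shortname oa_var="s_cp_resp_shortname"/>
  <cp_resp_name oa_var="s_cp_resp_name"/>
</oa_context>
"""


def find_variables(root, names):
    """Map each requested oa_var name to its element (absent ones are omitted)."""
    found = {}
    for elem in root.iter():
        name = elem.get("oa_var")
        if name in names:
            found[name] = elem
    return found


def check_secure_cp(xml_text):
    """Return {variable: (current, expected)} for every variable that is
    missing or does not match the least-privilege configuration."""
    root = ET.fromstring(xml_text)
    elems = find_variables(root, SECURE_CP_SETTINGS)
    deviations = {}
    for name, expected in SECURE_CP_SETTINGS.items():
        current = None
        if name in elems:
            current = (elems[name].text or "").strip()
        if name == "s_cp_user":
            # Any dedicated applications user is fine; APPS or empty is not.
            ok = bool(current) and current.upper() != "APPS"
        else:
            ok = current == expected
        if not ok:
            deviations[name] = (current, expected)
    return deviations


def apply_secure_cp(xml_text, cp_user="CONCOPER"):
    """Return the context file text with all four variables set.  A missing
    variable raises KeyError rather than being silently invented."""
    root = ET.fromstring(xml_text)
    elems = find_variables(root, SECURE_CP_SETTINGS)
    missing = sorted(set(SECURE_CP_SETTINGS) - set(elems))
    if missing:
        raise KeyError(f"context file lacks variables: {missing}")
    for name, value in SECURE_CP_SETTINGS.items():
        elems[name].text = cp_user if name == "s_cp_user" else value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, (current, expected) in check_secure_cp(SAMPLE_CONTEXT_XML).items():
        print(f"{name}: current={current!r} expected={expected!r}")
    updated = apply_secure_cp(SAMPLE_CONTEXT_XML)
    print("deviations after update:", check_secure_cp(updated))
```

The script only edits the file text: as the slide says, AutoConfig still has to be run afterwards so the change reaches the generated configuration. ElementTree's tostring drops the XML declaration, so write the result back with a proper XML writer and keep a backup of the original context file; running check_secure_cp again on the written file is a cheap way to confirm the four values before the tier is restarted.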
Separation of Duties / Least Privilege
Control and Audit Privileged Pages
• Problem: Identifying access to critical pages
• Security Administrator
  – Controls access to pages and profiles
• Sensitive Administrator Functionality
  – Pages and profiles which allow changes to "code" at runtime
  – Often allow HTML or SQL to be defined from within the application
  – Ideally should be disabled on production systems
Separation of Duties / Least Privilege
Sensitive Administrator Functionality
• Administrator / Developer Functionality
  – Pages / profiles which allow application development at runtime
    • SQL statements or fragments
    • HTML fragments
    • OS commands
  – In effect, designed-in SQL injection or XSS injection points
  – Should be disabled, controlled, and audited in production environments
    • Flexfield definitions
    • Forms and Framework personalization
    • …
Separation of Duties / Least Privilege
Sensitive Administrator Functionality
• Documented in Sensitive Administrative Pages in Oracle E-Business Suite (Note 1334930.1)
• Identifies new categories of sensitive functionality:
  – Oracle Forms Controlled by Function Security (~40)
  – HTML Pages Controlled by Function Security (~25)
  – Pages and Forms Controlled by Profile Options (3)
  – Pages Controlled by JTF Roles and Permissions (3)
Sensitive Administrator Functionality
Profiles

  Feature                          Profile code                                          Recommended setting
  OA Framework Personalization     FND_CUSTOM_OA_DEFINTION                               No
                                   ("Personalize Self-service Defn")
  Form Personalization / Examine   Combination of profiles:                              FND_HIDE_DIAGNOSTICS: Yes
                                   FND_HIDE_DIAGNOSTICS ("Hide Diagnostics menu entry")  DIAGNOSTICS: No
                                   and DIAGNOSTICS ("Utilities:Diagnostics")
Sensitive Administrator Functionality
Recommendations
• Note 1334930.1 provides SQL queries to determine who has access to these pages
  – The SQL scripts drive off page and form names (not functions)
  – Slower, but this ensures we also pick up custom functions that include these pages
• Reduce and eliminate admin access to these pages
• Use Fine Grained Auditing to audit the tables associated with these pages
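The recommended settings on the Profiles slide are easy to verify at Site level, but EBS profile options resolve per session: a value set at User level overrides Responsibility, which overrides Application, which overrides Site, so a Site value of "No" says nothing about a developer whose user record re-enables the feature. The Python below is an added example and not one of the queries from Note 1334930.1: it takes rows shaped like an export from the profile value tables (constructed sample data, with user and responsibility ids already replaced by names for readability), lists every override of the three sensitive profiles, and resolves the effective value for a given session so that an override which re-exposes Examine is caught. It assumes that Yes/No profiles are stored as Y/N and models only the four standard hierarchy levels.

```python
"""Audit the sensitive-administrator profile options from the slide against
an export of profile option values.  Added example, not Oracle's query.
Assumptions: Yes/No profiles are stored as 'Y'/'N', and only the four
standard hierarchy levels are modelled (Site 10001 < Application 10002
< Responsibility 10003 < User 10004; the most specific level wins)."""

LEVEL_RANK = {10001: 0, 10002: 1, 10003: 2, 10004: 3}
LEVEL_NAME = {10001: "Site", 10002: "Application",
              10003: "Responsibility", 10004: "User"}

# Recommended settings from the slide.
RECOMMENDED = {
    "FND_CUSTOM_OA_DEFINTION": "N",  # Personalize Self-service Defn: No
    "FND_HIDE_DIAGNOSTICS": "Y",     # Hide Diagnostics menu entry: Yes
    "DIAGNOSTICS": "N",              # Utilities:Diagnostics: No
}

# Constructed sample export: (profile code, level_id, level_value, value).
# Every Site row matches the recommendation; two overrides sit underneath.
SAMPLE_ROWS = [
    ("FND_CUSTOM_OA_DEFINTION", 10001, None, "N"),
    ("FND_CUSTOM_OA_DEFINTION", 10004, "ADEVELOPER", "Y"),
    ("FND_HIDE_DIAGNOSTICS", 10001, None, "Y"),
    ("DIAGNOSTICS", 10001, None, "N"),
    ("DIAGNOSTICS", 10003, "SYSTEM_ADMINISTRATOR", "Y"),
]


def find_overrides(rows):
    """Every row, at any level, that sets a sensitive profile to a value
    other than the recommended one: the list to review or remove."""
    return [(code, LEVEL_NAME[level], level_value, value)
            for code, level, level_value, value in rows
            if code in RECOMMENDED and value != RECOMMENDED[code]]


def effective_value(rows, code, user=None, responsibility=None, application=None):
    """Resolve the value a session sees for one profile: among the rows that
    apply to this session, the most specific level wins.  None if unset."""
    session = {10001: None, 10002: application,
               10003: responsibility, 10004: user}
    best = None
    for row_code, level, level_value, value in rows:
        if row_code != code:
            continue
        applies = level == 10001 or (session[level] is not None
                                     and level_value == session[level])
        if applies and (best is None or LEVEL_RANK[level] > LEVEL_RANK[best[0]]):
            best = (level, value)
    return None if best is None else best[1]


def examine_exposed(rows, user=None, responsibility=None, application=None):
    """True unless both diagnostics profiles resolve to the slide's
    recommended combination (menu entry hidden and diagnostics disabled)."""
    hide = effective_value(rows, "FND_HIDE_DIAGNOSTICS", user, responsibility, application)
    diag = effective_value(rows, "DIAGNOSTICS", user, responsibility, application)
    return not (hide == "Y" and diag == "N")


if __name__ == "__main__":
    for code, level, level_value, value in find_overrides(SAMPLE_ROWS):
        print(f"{code} = {value} at {level} level ({level_value})")
    print("Examine exposed at Site level:", examine_exposed(SAMPLE_ROWS))
    print("Examine exposed for SYSTEM_ADMINISTRATOR:",
          examine_exposed(SAMPLE_ROWS, responsibility="SYSTEM_ADMINISTRATOR"))
```

find_overrides is the report to run periodically: a clean Site value with a non-empty override list is exactly the case the slide's "reduce and eliminate access" bullet is about. examine_exposed shows why the two diagnostics profiles are treated as a combination: hiding the menu entry alone does not help a session whose responsibility turns diagnostics back on.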
Oracle Database Vault
Privileged Account Controls
[Diagram: Procurement, HR and Finance application realms; a DBA issuing "select * from finance.customers" against the Finance realm, shown alongside the separate Application and Application DBA access paths]
• Enforce least privilege and prevent DBA access to apps data
• Enforce who, where, when, and how data can be accessed using rules and factors
• Restrict ad hoc database changes
• Securely enable applications consolidation and outsourcing / off-shoring
Database Vault
Modifying Default Realms
• The default realm we ship contains all Apps objects
• We now support realms that are subsets of this
  – Need to ensure that all the procedures and patches in the Support Notes are followed
  – Any subsets will be treated as certified
  – Any additions will be treated as customizations
• A detailed example of extending EBS realms is given in the Support Notes
Database Vault White Papers
• 428503.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 10.2.0.4
• 859399.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 11.1.0.7
• 566841.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.4
• 859397.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 11.1.0.7
Q&A