1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. · © 2011 Oracle...
Transcript of 1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. · © 2011 Oracle...
1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
2 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
E-Business Suite Data ProtectionRobert ArmstrongEric Bing
ORACLEPRODUCT
LOGO
3 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
4 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Program Agenda• Security Challenges• Auditing in E-Business Suite• Transparent Tablespace Encryption• Data Masking• Separation of Duties
– Patching via OAM Patch Manager– Patching and administering mid-tier services– Sensitive pages– Database Vault
5 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Applications Run Our World
98%
6 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Cloud Computing Environments
• Data, data everywhere• The information being created, collected,
and stored is valuable to everyday operations
• Business data represents a type of currency within the marketplace.
• Like all currency, data must be protected.
• Need to track sensitive data
7 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
More Challenges Than Ever Before…• More data, doubling yearly • More breaches, average $6.6 million+ per breach• More threats, coming from every part of the business• More regulations, federal, state, local, industry• Equates to more costs…
• User Management Costs• User Productivity Costs• Compliance & Remediation Costs• Security Breach Remediation Costs
It Adds Up$
8 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Solutions Map
WebClient ApplicationServer
Access Control Matrix
Secure Socket Layer
OracleNetworkEncryption
Data MaskingOn Clone DB
Encrypted using Transparent Data Encryption to protect data at rest
Column level security using VPD
Configure DB Vault to protect against DBA access
Authorize access from applications interface using FND Grants
Database
Approvals
Business Process
Policy Store
Auditing
9 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Program Agenda
• Security Challenges– What are we protecting against?
• Auditing in Oracle E-Business Suite• Separation of Duties / Least Privilege
– Sensitive Admin Pages– Database Vault
• Other Technologies– Data Masking in Oracle E-Business Suite – Transparent Data Encryption
© 2011 Oracle Corporation 10
Why Audit?• Its all about protecting sensitive data, maintaining
customer trust, and protecting the business• Trust-but-verify that your employees are only
performing operations required by the business• Detective controls to monitor what is really going on• Reduce the curiosity seekers from looking at data• Compliance demands that privileged users be monitored
• Know what is going on before others tell you
11 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Comprehensive Auditing of E-Business Suite Applications• Five primary ways:
– Standard Application Auditing – Application Level Audit Trail – Database Event Auditing – Database Trigger Auditing– Fine Grain Auditing (Audit Vault)
12 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
What to Audit
• System Changes:– Changes to the database structure– Addition, deletion, or change to database triggers– Changes to programs, libraries, or scripts at the OS level– Changes to objects or packages at the database level– Changes to the setups or profile options at the application level
• End-User Activities:– User Access – “Sign-On:Audit Level”
• All user signons• Unsuccessful logins• Concurrent requests
13 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
What to Audit
• Security– Menus– Roles,– Responsibilities– Security Profiles
• Application Controls:– Journal Sources– Receivables activities
• Change Management (development)– Concurrent programs– Executables– Functions– SQL Forms
Recommendations
14 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Database Auditing and Applications• Monitor privileged application user accounts for non-compliant
activity– Audit non-application access to sensitive data (credit card, financial data,
personal identifiable information, etc.)
• Verify that no one is trying to bypass the application controls/security– PO line items are changed so it does not require more approvals
• Verify shared accounts are not be abused by non-privileged users– Application bypass - Use of application accounts to view application data
15 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Oracle Audit VaultAudit Database Activity in Real-Time
• Consolidate database audit trail into secure centralized repository• Detect and alert on suspicious activities, including privileged users• Out-of-the box compliance reports for SOX, PCI, and other regulations
• E.g., privileged user audit, entitlements, failed logins, regulated data changes• Streamline audits with report generation, notification, attestation, archiving, etc.
CRM Data
ERP Data
Databases
HR Data
Audit Data
Policies
Built-inReports
Alerts
CustomReports
!
Auditor
16 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Oracle Audit Vault
• Applications are validated by default– Database auditing is underneath the Application
• Application User Auditing– Application can set the database “Client Identifier” to tie application user
with application shared account
• Database Auditing can be used to monitor – Audit base application tables and views– Privileged user operations in the database (logins, user/table create)
17 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Setting Client Identifier
• Any application running on Oracle database can set the client identifier
User A connects
User B connects
OracleApplication
Server
OracleDatabase
Application sets client_info to User A
Application resets client_info to User B
Audit Record uses client_identifier
18 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Oracle Audit
1. Turn on database auditing• Set the database parameters audit_trail, audit_trail_dest,
audit_sys_operations
2. Determine the application tables to audit• audit <table> by access;
3. Configure Audit Vault to collect the database audit trail4. Setup alerts in Audit Vault5. View Reports
Application Integration
19 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Oracle Audit Vault Application Integration
20 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. 20
The Access Reports filter the audit content based on event and categories, such as Data Access: select, insert, update, delete.., and User Sessions: login, logout,etc. The Oracle Audit Vault Auditor’s Guide list the events that are collected and mapped to the categories.
21 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. 21
The Entitlement Reports can be used for internal/external auditors to view Oracle database users and their privileges. You can view all Oracle databases and their users or filter by an individual database to view the privileges. The compare capability provides a report on changes to user privileges from one snapshot time to another.
22 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. 22
The Compliance Reports provide out-of-the-box reports requested by auditors. Each category of reports can be customized to filter by databases that are audited for that regulation
23 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Comprehensive Data Protection
When Data Is In Motion
When Data Is At Rest
When Data Is Cloned
When Data Is Administered
When Applications Are Targeted
24 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Program Agenda• Security Challenges• Auditing in E-Business Suite• Transparent Tablespace Encryption• Data Masking• Separation of Duties
– Patching via OAM Patch Manager– Patching and administering mid-tier services– Sensitive pages– Database Vault
25 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Advanced SecurityTransparent Data Encryption
Benefits
Strong encryption for data at rest
No application changes required
Efficient encryption of sensitive application data
26 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Column Transparent Data Encryption
No application changes required
27 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Transparent Tablespace Encryption
• No need to worry about which columns have to be encrypted
• Highly efficient– High performance– Space preserving
• Highly Secure– Everything on disk is encrypted– Industry standard cryptography
• No application changes required
Oracle Database 11g Solution
SQL Layer
data blocks“*M$b@^s%&d7”
undo blocks
temp blocks
flashback logs
redo logs
Buffer Cache“SSN = 834-63-..”
28 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
What is Data Masking?
What• The act of anonymizing customer,
financial, or company-confidential data to create new, legible data that retains the data's properties, such as its width, type, and format
Why• To protect confidential data in non-
production environments when the data is shared with non-production users without revealing sensitive information
LAST_NAME SSN SALARY
ANSKEKSL 111—23-1111 60,000
BKJHHEIEDK 222-34-1345 40,000
LAST_NAME SSN SALARY
AGUILAR 203-33-3234 40,000
BENSON 323-22-2943 60,000
Production Non-Production
29 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Using Enterprise Manager Data Masking
• Used in conjunction with cloning• Create irreversibly scrambled versions of your
production DB for testing & development
Production
Clone
Staging
MaskClone
Test
30 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
What are we Producing?
• E-Business Suite Masking Template– Metadata for the EM Masking tool– Columns, Relationships, and Masking rules for Personally
Identifiable Information (PII) and Sensitive attributes for E-Business Suite products
• ~1000 Columns– 65% HCM - Also TCA, ATG, Financials, Projects…
• Not split out by product or family– De-identification needs to be done across the DB
31 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Goals in Application Masking
• De-Identify the data– Scramble identifiers of individuals (PII) – Name, account, address,
location, drivers license…
• Mask sensitive data– Mask the data that, if associated with PII, would cause privacy concerns
• Compensation• Health• Employment Information
• Maintain Data Validity– Don’t break the application (too much…)
32 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
PersonaIIy Identifiable Information
• Name• Business Location• Business Phone• Business ID• Accounts (Bank, debit, credit)• Location• External ID (drivers license)• National ID (social security number)• Web Site• Phone
Categories
33 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Sensitive Data
• Compensation• Employment details• Nationality / Citizenship• Health Information• Personal information• Mother's maiden name• Passwords• Encryption keys• Audit information• Session information
Categories
35 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Program Agenda• Security Challenges• Auditing in E-Business Suite• Transparent Tablespace Encryption• Data Masking• Separation of Duties
– Patching via OAM Patch Manager– Patching and administering mid-tier services– Sensitive pages– Database Vault
36 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Administrative Separation of Duties
• Separation of Duties - Prevent fraud or theft by a single individual– Sarbanes-Oxley (SOX)– Payment Card Industry (PCI) – Data Security Standard (DSS)– Health Insurance Portability and Accountability Act (HIPAA)– Gramm-Leach-Bliley Act (GLBA) ...
Business Drivers
37 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Least Privilege Administrative Accounts
• Principle of least privilege user account– Perform tasks with as few privileges as possible– Run applications with as few privileges as possible– Limit the number of people with access to critical system security
controls
• Benefits– Limits the damage that can result from an accident or error– Reduces impact of misuse of a privilege– Reduces the auditing requirements
Business Drivers
38 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Separation of Duties for Admin Accounts
• Database access– Use named accounts– Use database proxy user ( sqlplus ebing[apps]/<ebingpwd> )– Avoid routine activities in the APPS and SYSTEM accounts
• Operating System access– Use named accounts– Delegate common tasks through sudo or Oracle Enterprise Manager– Remove write and read for non-owners (0600 or 0700)
• Enhancing Oracle E-Business Suite Security with Separation of Duties (Note 950018.1)
Process Guidelines
39 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Challenges with implementing Admin SOD
• Patching without “super user” credentials• Starting and stopping mid-tier services• Restricting access to administrative pages and
functionality– Auditing reports on who has access in production
40 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Separation of Duties / Least Privilege
• Problem: Using adpatch requires a super Admin– Access to the DB account passwords (APPS and SYSTEM)– Access to the applmgr Operating System account– No controls on the patch being applied– No out-of-the-box auditing
• Solutions:– Put in place logging and credential control for patch windows– Use E-Business Suite Plug-In (Application Change Management
Pack - ACMP) Patch Manager functionality
Oracle E-Business Suite Patching
41 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Patching via ACMP Patch Manager
• Benefits of Application Change Management Pack– Allows for deployment of patches without database or operating
system credentials– Restricts ad-hoc access to application data– Provides protection against tampering of patches by providing a
protected process flow.– Provides a separation of roles (patch manager and patch
approver)– Provides optional approval and auditing of patch deployments
Benefits
42 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Patching via ACMP Patch Manager
• Setup Admin associates users with roles and targets– Robert is Patch Manager for Prod1 instance
• Setup Admin sets up Preferred Credentials for targets– Set up preferred credentials for Robert for SYSTEM and APPS
accounts in Prod1
Process Flow
43 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Set up Roles and Assign Targets
44 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Preferred Credentials in OAM Patch Manager
Patching via OAM Patch Manager
45 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Patching via ACMP Patch Manager
• Patch Manager schedules or submits patch – this can be:– Directly downloaded from Oracle– Staged via Oracle Management Server (OMS)
• Patch Approver optionally can approve the patch and audit patch activity
Process Flow
46 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Approve Patches
47 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
View Approval History
48 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Patching via ACMP Patch Manager
• Oracle E-Business Suite Plug-in 4.0 – Requires Enterprise Manager 11g Grid Control R1 (11.1.0.1.0)
• Oracle E-Business Suite:– 11i: Release 11.5.10 CU2 with ATG_PF.H RUP6 or higher– 12.0: Release 12.0.4 with R12.ATG_PF.A.delta.6– 12.1: Release 12.1 with R12.ATG_PF.B.delta.3
• Getting Started with Oracle E-Business Suite Plug-in, Release 4.0 (Note 1224313.1)
• Separation of Duties using Patch Manager (Note 1363260.1)
Supported platforms and versions
49 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Separation of Duties / Least Privilege
• Problem: Managing the mid-tier systems without database credentials– Managing concurrent manager required APPS passwords in the
past
• Options:– Leverage sudo – but have to hardcode passwords in scripts– Leverage Enterprise Manager Applications Management Pack– Start concurrent manager with an applications user name and
password from the command line (available in 12.1.3)
Starting and stopping mid-tier services
50 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Separation of Duties / Least Privilege
• Create a new user (e.g CONCOPER)– assign the ”Concurrent Manager Operator” responsibility
• On the application tier update the following 4 variables in the AutoConfig context file and then run AutoConfig
Starting and stopping mid-tier services
Auto Config Variable New Value
s_cp_user CONCOPER (or the one you created)s_cp_password_type AppsUsers_cp_resp_shortname FND s_cp_resp_name Concurrent Manager Operator
51 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Separation of Duties / Least Privilege
• Application tiers can be started and stopped by calling adstrtal.sh and adstpall.sh with the -secureapps option– Script will prompt for Applications user name and password– Documented in Secure Configuration Guide for Oracle E-
Business Suite Release 12 (Note 403537.1)
Starting and stopping mid-tier services
[applmgr@app01]$ adstrtal.sh -secureappsEnter the Applications username: CONCOPEREnter the Applications password:
52 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Separation of Duties / Least Privilege
• Problem: Identifying access to critical pages• Security Administrator
– Control of access to pages and profiles• Sensitive Administrator Functionality
– Pages and profiles which allow for changes to “code” at Runtime– Often allow for HTML or SQL to be defined from the application– Ideally should be disabled on Production Systems
Control and Audit Privileged Pages
53 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Separation of Duties / Least Privilege
• Administrator / Developer Functionality– Pages / profiles which allow for Application Development at
Runtime• SQL statements or fragments• HTML fragments• OS commands
– Designed-in SQL injections or XSS injections– Should be disabled, controlled, and audited in production
environments• Flexfield definitions• Forms and Framework personalization…
Sensitive Administrator Functionality
54 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Separation of Duties / Least Privilege
• Documented in Sensitive Administrative Pages in Oracle E-Business Suite (Note 1334930.1)
• Identifies new categories of sensitive functionality:– Oracle Forms Controlled by Function Security (~40)– HTML Pages Controlled by Function Security (~25)– Pages and Forms Controlled by Profile Options (3)– Pages Controlled by JTF Roles and Permissions (3)
Sensitive Administrator Functionality
55 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Sensitive Administrator FunctionalityProfiles
Feature Profile Code Recommended Settings
OA Framework Personalization
FND_CUSTOM_OA_DEFINTION("Personalize Self‐service Defn") No
Form Personalization / Examine
Combination of profiles: FND_HIDE_DIAGNOSTICS("Hide Diagnostics menu entry") and DIAGNOSTICS ("Utilities:Diagnostics")
FND_HIDE_DIAGNOSTICS: Yes
DIAGNOSTICS : No
56 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Sensitive Administrator FunctionalityRecommendations
• Note 1334930.1 provides SQL queries to determine who has access to these– SQL scripts drive off of page and form names (not functions)– Slower, but ensures we pick up custom functions that include
these
• Reduce and eliminate access to these pages by admins• Use Fine Grained Auditing to audit the tables associated
with these pages
57 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Oracle Database VaultPrivileged Account Controls
Procurement
HR
Finance
Application DBA
select * from finance.customers
DBA
Application
• Enforce least privilege and prevent DBA access to apps data
• Enforce who, where, when, and how data can be accessed using rules and factors
• Restrict ad hoc database changes
• Securely enable applications consolidation and outsourcing / off-shoring
58 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Database Vault
• Default realm we ship with contains all Apps objects• We now support realms that are subsets of this
– Need to ensure that all the procedures and patches in Support Notes are followed
– Any subsets will be treated as certified– Any additions will be treated as customizations
• Detailed example of extending EBS realms in Support Notes
Modifying Default Realms
59 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Database Vault White Papers
• 428503.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 10.2.0.4
• 859399.1 - Integrating Oracle E-Business Suite Release 11i with Oracle Database Vault 11.1.0.7
• 566841.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 10.2.0.4
• 859397.1 - Integrating Oracle E-Business Suite Release 12 with Oracle Database Vault 11.1.0.7
60 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Q&A
61 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.