Oracle E-Business Suite (EBS) ties into every aspect of your IT infrastructure and is “the keys to your kingdom”, containing all your financial, banking, HR, and customer payment information. Securing your Oracle EBS solution is a mission-critical function that can affect the viability of your organization. Breaches and attacks can result in significant financial losses, the inability to perform day-to-day operations, and ongoing liability from the exposure of customer data.
On January 21, Syntax presented the webinar “Developing a Comprehensive Security Strategy for Oracle E-Business Suite”, which is now available on-demand. During the Q&A, one of the participants asked for a few specific examples of targeted security products that directly secure an Oracle E-Business Suite deployment. The following 5 areas should be key considerations when securing the Oracle EBS environment at your organization.
Web Application Firewall
Most Oracle EBS customers are probably using a load balancer such as an F5 or Citrix NetScaler appliance to front-end their EBS application for scaling and redundancy. While both vendors offer Web Application Firewall (WAF) modules for their products, there are many nuances in how Oracle implements web services, builds pages with its OA Framework, and uses proprietary technologies such as Oracle Forms that are hard to secure with an “off the shelf” WAF product. If you will be publicly exposing “i-modules” such as iSupplier, iRecruitment, or iStore to users on the Internet, consider investing in an EBS-specific application firewall such as Integrigy’s AppDefend product, which is purpose-built for Oracle EBS.
Database Security Audit
Oracle EBS has an exceedingly large and complex data model that leverages virtually every database feature available, including partitioning, XML, BLOB data, stored procedures, OS-level punch-outs, and more. Further complicating matters, EBS includes a large number of pre-seeded database accounts that the application needs in order to function. Combined with the fact that virtually every EBS patch has a database component, this makes initial hardening a challenge and also makes it hard to protect your security profile from configuration drift over time caused by patching and implementation/configuration decisions. Consider running free tools such as Oracle’s Database Security Assessment Tool (DBSAT) or Imperva’s SCUBA tool to ensure your database is properly secured.
Database Encryption
Your Oracle EBS system contains lots of sensitive data, such as credit card numbers, bank accounts, and personal information about employees like social security numbers, salaries, and home addresses; if exposed, this data can open your organization to regulatory and civil fines in the event of a breach. To help prevent data theft, consider encrypting your database so that access to sensitive data is limited to the appropriate individuals and anyone else sees only unusable, encrypted data. Database encryption can be accomplished using native database features like Oracle Advanced Security and Oracle Transparent Data Encryption (TDE) or via third-party products like the Thales Vormetric data security platform.
Limit Firewall Ports
In total, Oracle EBS uses hundreds of network ports for the various components and technologies in the application stack to function. However, only a very limited number are actually needed by the average end user, such as HTTPS for your web tier and Oracle Forms for your application tier. Make sure you follow the principle of least privilege when defining firewall rules, and limit access to the API ports to a named list of target systems hosting integrated products. Restrict access to the TNS database port(s) as much as possible, and consider separating your DB tier from the other application tiers so that you can insert a firewall that watches for SQL injection and other database attacks coming through your web and application tiers.
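As an added illustration of the least-privilege port policy above (this is example code written for this post, not a Syntax or Oracle script), the following shell function emits an nftables ruleset for either a web-tier or a DB-tier host: end users reach only HTTPS, API ports are opened only to a named list of integration hosts, and the TNS listener accepts connections only from the application tier. Every address and port number is a constructed placeholder; take the real values from your own EBS context file and network design.

```shell
#!/bin/sh
# Added example (not Syntax's or Oracle's code): generate an nftables ruleset
# that applies the least-privilege firewall policy to one Oracle EBS tier.
# All addresses and ports below are constructed placeholders; replace them
# with the listener ports and subnets of your own environment.

WEB_HTTPS_PORT=443                        # placeholder: public HTTPS port on the web tier
API_PORTS="8000,9000"                     # placeholder: integration/API listener ports
INTEGRATION_HOSTS="10.0.5.10, 10.0.5.11"  # placeholder: named integration hosts only
APP_TIER_HOSTS="10.0.2.0/24"              # placeholder: application-tier subnet
TNS_PORT=1521                             # placeholder: database (TNS) listener port
ADMIN_HOST="10.0.9.5"                     # placeholder: admin/jump host allowed SSH

# gen_ebs_ruleset TIER  -> prints an nft ruleset for "web" or "db" on stdout
gen_ebs_ruleset() {
    tier="$1"
    printf 'table inet ebs_%s {\n' "$tier"
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    ct state established,related accept\n'
    printf '    iif lo accept\n'
    printf '    ip saddr %s tcp dport 22 accept\n' "$ADMIN_HOST"
    case "$tier" in
        web)
            # end users need only HTTPS; API ports open only to named systems
            printf '    tcp dport %s accept\n' "$WEB_HTTPS_PORT"
            printf '    ip saddr { %s } tcp dport { %s } accept\n' \
                "$INTEGRATION_HOSTS" "$API_PORTS"
            ;;
        db)
            # TNS listener reachable only from the application tier
            printf '    ip saddr %s tcp dport %s accept\n' "$APP_TIER_HOSTS" "$TNS_PORT"
            ;;
        *)
            printf 'unknown tier: %s\n' "$tier" >&2
            return 1
            ;;
    esac
    printf '    counter drop\n'   # count everything else before the default drop
    printf '  }\n}\n'
}

# Usage on a DB-tier host (requires root to load):
#   gen_ebs_ruleset db > /etc/nftables.d/ebs_db.nft && nft -f /etc/nftables.d/ebs_db.nft
```

Review the generated file against your actual EBS port assignments before loading it, since any listener not explicitly accepted is dropped by the default policy.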
GRC and Auditing
Consider implementing a Governance, Risk, and Compliance (GRC) package for managing corporate governance, enterprise risk management (ERM), and corporate compliance with data privacy and other regulations. An effective GRC implementation will help your organization reduce risk and improve control effectiveness, security, and compliance through an integrated and unified approach that reduces the issues arising from organizational silos in large enterprises with redundant roles and multiple business lines. Oracle offers both an on-premises GRC product that integrates with Oracle EBS and a SaaS Risk Management and Compliance solution.
If you want to learn more about Oracle EBS security, view our on-demand webinar, Developing a Comprehensive Security Strategy for Oracle E-Business Suite.
Or, contact us today to discover how Syntax can help build a multi-layer solution to protect and reduce the risks to your Oracle EBS environment.