Recommendations For Securing Oracle E-Business Suite
By Eric P. Maurice on May 23, 2007
Hi, this is Eric Maurice!
Important aspects of securing an environment include secure deployment and ongoing maintenance and monitoring of security events for the environment. Security is a process, an ongoing effort that does not end after successfully deploying a new system or application. Securing an environment requires a holistic approach where all layers of the IT environment have to be considered. In the simplest scenario, for example, when an organization needs to secure a dedicated single server-based application, the organization needs - at the very minimum - to understand how to deploy the application, then secure it at the OS, database (if a database is being used) and network levels, while also providing for physically controlling access to the server. Furthermore, securing an environment is not limited to the one-time effort of proper initial configuration because it is critical that the environment be monitored for anomalous security events on an ongoing basis. Finally, the environment must be periodically assessed for deviation from its security baseline, as configuration changes can often alter the security state of a system.
In previous blog entries, I have often mentioned the Resource Library on the Oracle Software Security Assurance web site. This is because we are aiming to promote relevant and up-to-date security content on this page, including tips, techniques, and technical white papers. Among the resources available on the Resource Library are recommendations for locking down and maintaining the security posture of Oracle products in production environments. These recommendations often extend to the non-Oracle components of a client's IT infrastructure (for example, they include recommendations for securing file systems, OS authentication, etc.). Much of this security content can also be accessed directly on the Security Technology Center on Oracle Technology Network and on MetaLink (subscription required).
A few months back, we recorded a technical webcast titled "Best Practices for Oracle Database Security". This webcast was quite successful, and we continue to see an audience for the webcast on a daily basis. Its popularity has prompted us to record additional technical "how to" webcasts. Those webcasts are designed to provide quick introductions to the most important security recommendations for deploying and maintaining specific Oracle products.
Today, we are making available a technical webcast on how to secure Oracle E-Business Suite R11. This webcast goes over the recommendations specifically stated in MetaLink Note 189367.1, including:
- Tips to harden the applications environment
- Specific configuration baselines for internal and external deployments
- Recommendations for monitoring certain events, including how to use the Oracle Applications Manager to log and monitor for relevant security events
- Recommendations for developing the proper process for the application of the Critical Patch Updates
Implementing those recommendations will bring organizations a long way in terms of preventing common attacks.
Note that in February, Oracle also produced a technical white paper, which follows the same structure as the previous technical E-Business security white papers, but introduces specific security recommendations for Oracle E-Business Suite R12. This white paper is available as MetaLink Note 403537.1.