Oracle E-Business Suite Security Tips for DBAs

The Oracle database is the true heart of the Oracle E-Business Suite (EBS) and is where the “magic happens.” But, as you know already, securing Oracle EBS is more than securing the database. Beyond recommended database security best practices, I wanted to give you some practical tips that help define a better security process for Oracle EBS. Of course, I’ll also share with you how the Onapsis Security Platform can help make this a whole lot easier for you.

Tip #1: Oracle EBS is not secure by default
When you install Oracle EBS, you get the “whole enchilada.” So whether your organization is going to use every EBS application or not, you have it all – Order Management, Logistics, Procurement, Projects, Manufacturing, Asset Lifecycle Management (ALM), Service, Financials and Human Capital Management (HCM).

To support all these modules, hundreds of default passwords are created that you need to change, even for the modules you are not using. And, don’t forget to securely hash the EBS end-user passwords. While user passwords for Oracle EBS applications are stored in encrypted form, they are also not optionally hashed by default.

Now, this is just the proverbial tip of the iceberg to get Oracle EBS secure and compliant. You should start with the Oracle EBS Security Configuration Guide.

Tip #2: The Oracle EBS Security Configuration Guide gives you the minimum requirements
While consulting with the Oracle EBS Security Configuration Guide is a good place to start, it really only gives you the minimum requirements to start securing EBS. Additionally, your implementation of Oracle EBS is not going to be the same as somebody else’s. There will be quite a bit of customization and unique use cases. This means that setting up and securing your Oracle EBS implementation will be unique to you. It’s recommended that you follow the guide, but make sure you take additional steps based upon your organization’s security policy. Locking down security settings, configurations and controls is absolutely necessary to protect your applications from vulnerabilities.

Tip #3: Applying Oracle Critical Patch Updates alone is not enough to keep Oracle EBS secure
Yes, it is best practice to apply the Oracle Critical Patch Updates (CPUs) as frequently as you can. And, when doing so, don’t forget to apply the patches to all of the Oracle EBS applications along with the supporting technology, such as the database and WebLogic.

For some organizations, patching may not even be practical because the risk of extended downtime to apply the patches could be greater than the perceived security concern. You need to consider the impact of the patch and how critical the vulnerability is to make the decision on whether to apply the patch or not. Many organizations do not immediately apply security patches and use a n-1 patching approach, where they apply the previous quarter’s security patch after Oracle releases their latest patch. This allows them to thoroughly test the previous quarter’s security patch.
 
Tip #4: Changes are constantly being made to the system, either by you or by others. Do you know when things change and when?
So, you’ve locked down your Oracle EBS application, but what happens over time? Any time you, another team member or a contractor makes an update to the application, for example, to support the business or to improve performance, the security-sensitive settings and configurations are also at risk of being changed. This is a common occurrence in ERP security known as configuration drift.

How are you ensuring that these settings and configurations remain secure? Are you routinely spot checking to validate security? This can be difficult especially if you are manually doing the checking. Onapsis can automate this process for you and save you a lot of time and effort to ensure security and compliance

Tip #5: Don’t just rely on Information Security to keep Oracle EBS secure
Undoubtedly, the Information Security Team has put a lot of security tools in place to help keep your organization secure from both internal and external threats. Tools like firewalls, network intrusion detection systems, vulnerability scanners and web application firewalls, are critical elements of your organization’s security posture, but treat Oracle EBS as any other generic application. This can place your EBS applications at risk. EBS, especially when deployed to the internet, can be directly extended outside your firewall (i.e. in the DMZ) leaving it wide open to exploits.

Keeping Oracle EBS protected and compliant is difficult and should be a cross-functional effort. You need to work with the Information Security Team and Internal Audit to share how you are securing Oracle EBS. When you are all on the same page, you can ensure the applications are securely configured, there is proper security tools and processes in place and controls are being checked to confirm compliance.

Additionally, you might look at ERP security solutions like Onapsis that can unify these cross-functional teams with security and compliance visibility into Oracle EBS.
     
How can Onapsis help?
The Onapsis Security Platform is a purpose-built security and compliance solution for ERP systems such as Oracle EBS and SAP. For cross-functional teams responsible for Oracle EBS security and compliance, it automates monitoring, protection and risk mitigation.

You can continually run assessments against your application security setting and configurations to proactively identify vulnerabilities and audit violations – enabling you to prioritize remediation and reduce risk. With the Onapsis Security Platform, you will spend less time answering security requests from auditors and security professionals, because you can use Onapsis to answer your own questions. To learn more, we welcome you to schedule a demo.