Oracle Security, Identity Management and Governance, Risk and Compliance Solutions

31 Oct 2013 (4 years and 7 days ago)



Copyright © Roger Drolet, CPA, MBA, CISA, CITP 2013. All rights reserved.

Oracle Security in Release 12

Effective 13-Apr-2009, Page 1 of 22, Rev 1

Oracle Security, Identity Management and Governance, Risk and Compliance Solutions

Overview

By: Roger Drolet CPA, MBA, CISA, CITP



Summary

I wrote this whitepaper to help you become familiar with the Oracle Applications included in the
Oracle Security, Identity Management (IDM) and Governance, Risk and Compliance (GRC)
suites. Most of these applications are relatively new and your company may not have purchased
the licenses to use these applications.

Use Oracle’s Incentive to your Advantage

Through acquisitions and/or development, Oracle offers several Oracle Diagnosability Products
for free. It is in Oracle’s best interests to do this because Oracle Support can significantly
reduce its support costs if your Oracle users learn to use these diagnostic tools effectively and
efficiently. Obviously, it is also in your company’s best interests to reduce the time it currently
takes to resolve service requests (SRs) with Oracle. This provides more time for your employees
to spend working on core business activities.

Facilitate Risk Assessment and Risk Management

As you review this whitepaper you will come to realize that Oracle Security, IDM and GRC
applications provide an Enterprise Security Solution. Using these applications, your company
can centralize all security, identity management and Governance, Risk and Compliance (GRC)
activities and provide senior management with dashboards that they can use to drill down into
individual business processes and controls.

Unfortunately, these solutions are not free and they require the purchase of hardware, software
licenses, consulting and other project related products and services.

Cost-Effective Risk Assessment Tools

The Oracle Diagnosability Products are free. They require no additional hardware or software
licenses. You may have to apply a few patches, but the effort is minimal compared to the
benefits you will realize by using these tools.

You can use these tools immediately to assess Oracle E-Business Security and to assess Oracle
Application Configuration for compliance with Oracle and Industry best practices.

Monitor Implementation and Configuration during Implementation

You can also use the Oracle Diagnosability Products to monitor the setup and configuration of
your Oracle applications concurrently with other project activities. For example, you may want
to complete an initial assessment before conducting UAT, after final setup and configuration in
the production instance and at other times on an ad hoc basis.



Oracle Security, IDM and GRC Solutions

Introduction

This whitepaper identifies the Oracle applications, which are included in the Oracle Security,
Identity Management (IDM), and Governance, Risk and Compliance (GRC) solutions that are
available with Release 12.

This whitepaper will identify and provide a brief description of each Oracle application
included in these suites of Oracle applications.

I will also identify some of the other Oracle features you can define, configure and implement to
improve security and ensure that your Oracle applications are configured using Oracle and
Industry best practices.

This whitepaper is not intended to be a definitive guide to Oracle Security, Identity Management
and Governance, Risk and Compliance (GRC); however, it will provide you with a very good
framework that you can use to drill down into more detail for each of these applications.

Oracle Security, IDM and GRC Solutions

- Security
- Oracle Identity Management
- Governance, Risk and Compliance

Oracle Database Security Products

- Oracle Database Vault
- Oracle Audit Vault
- Oracle Configuration Management
- Oracle Total Recall
- Oracle Advanced Security
- Oracle Data Masking
- Oracle Label Security
- Oracle Secure Backup

Oracle Database Vault

Reduce the Cost of Protecting Data

Oracle Database Vault helps organizations address regulatory mandates and increase the security
of existing applications. Regulations such as Sarbanes-Oxley, Payment Card Industry (PCI) Data
Security Standard (DSS), Health Insurance Portability and Accountability Act (HIPAA),
Gramm-Leach-Bliley Act (GLBA) and similar global directives call for separation-of-duties and
other preventive controls to ensure data integrity and data privacy. With Oracle Database Vault,
organizations can pro-actively safeguard application data stored in the Oracle database from
being accessed by privileged database users. Application data can be further protected using
Oracle Database Vault's multi-factor policies that control access based on built-in factors such as
time of day, IP address, application name, and authentication method, preventing unauthorized
ad-hoc access and application by-pass.



Oracle Audit Vault

Reduce the Cost of Compliance Reporting and Database Monitoring

Oracle Audit Vault reduces the cost and complexity of compliance and the risk of insider threats
by automating the collection and consolidation of audit data. It provides a secure and highly
scalable audit warehouse, enabling simplified reporting, analysis, and threat detection on audit
data. In addition, database audit settings are centrally managed and monitored from within Audit
Vault, reducing IT security cost. With Oracle Audit Vault, organizations are in a much better
position to enforce privacy policies, guard against insider threats, and address regulatory
requirements such as Sarbanes-Oxley and PCI.


Other Audit Vault Resources



- Audit Vault Collection Agent Configuration for RAC Database - Step by Step Guide
- Mandatory Patches to be applied on Oracle Audit Vault 10.2.2.0.0

Oracle Configuration Management

Increase the security of your Oracle databases

Oracle Configuration Management pack for Enterprise Manager helps organizations increase the
security of their Oracle databases and comply with IT control frameworks such as Control
Objectives for Information and related Technology (COBIT) and Committee of Sponsoring
Organizations of the Treadway Commission (COSO) "Internal Control - Integrated Framework"
as required by Sarbanes-Oxley and similar global directives. Oracle Configuration Management
combines discovery, vulnerability scanning, compliance benchmarking, and central management
of database configuration to detect and prevent configuration drift or unauthorized configuration
changes. Additionally Configuration Management's Critical Patch Update Advisory feature alerts
customers to critical patches issued by Oracle and immediately identifies those systems across
the enterprise that may require the new critical patch, optionally invoking the patch wizard to
automatically deploy the patch; ensuring application databases are always up-to-date and
protected.


Oracle Total Recall

Increase Security and Reduce the Cost of Storing Historical Data

Regulatory oversight such as Sarbanes-Oxley, HIPAA, Basel-II as well as internal audits, require
companies to keep historical data available for long periods of time. Oracle Total Recall with
Oracle Database 11g Enterprise Edition helps companies store this data in a secure, tamper proof
database while keeping it accessible to existing applications. Total Recall requires no application
changes or special interfaces and provides the optimal storage footprint. Managing historical data
should no longer be an onerous task. Oracle Total Recall provides a secure, efficient, easy-to-use
and application-transparent solution for long-term storage and audit of historical data.


Oracle Advanced Security

The Most Cost-Effective Solution for Comprehensive Data Protection

Oracle Advanced Security helps organizations comply with privacy and regulatory mandates
such as Sarbanes-Oxley, Payment Card Industry (PCI) Data Security Standard (DSS), Health
Insurance Portability and Accountability Act (HIPAA), as well as numerous breach notification
laws. With Oracle Advanced Security, customers can transparently encrypt all application data or
specific sensitive columns, such as credit cards, social security numbers, or personally
identifiable information (PII). By encrypting data at rest in the database as well as whenever it
leaves the database over the network or via backups, Oracle Advanced Security provides the
most cost-effective solution for comprehensive data protection.


Oracle Data Masking

Reduce the Cost of Securing Your Nonproduction Environments

Oracle Data Masking pack for Enterprise Manager helps organizations comply with data privacy
and protection mandates such as Sarbanes-Oxley, Payment Card Industry (PCI) Data Security
Standard (DSS), Health Insurance Portability and Accountability Act (HIPAA), as well as
numerous laws that restrict the use of actual customer data. With Oracle Data Masking, sensitive
information such as credit card or social security numbers can be replaced with realistic values,
allowing production data to be safely used for development, testing, or sharing with out-source
or off-shore partners for other non-production purposes. Oracle Data Masking uses a library of
templates and format rules, consistently transforming data in order to maintain referential
integrity for applications.


Oracle Label Security

Classify and mediate access to data based on its classification

Oracle Label Security is a powerful and easy-to-use tool for classifying data and mediating
access to data based on its classification. Designed to meet public sector requirements for
multi-level security and mandatory access control, Oracle Label Security provides a flexible
framework that both government and commercial entities worldwide can use to manage access to
data on a "need to know" basis in order to protect data privacy and achieve regulatory
compliance.


Oracle Secure Backup

Integrated Data Protection for Tape Backup and Internet (Cloud) Storage

Centralized tape backup management with Oracle Secure Backup provides an integrated,
easy-to-use backup solution that encrypts data to tape to safeguard against the misuse of
sensitive data in the event that backup tapes are lost or stolen. The Oracle Secure Backup Cloud
module delivers efficient Oracle database backups to Amazon S3 through tight integration with
Oracle Recovery Manager.

A Versatile Solution with Innovative Licensing

Oracle Secure Backup with Oracle Database 11g delivers high performance network tape
backups for Oracle Databases and file systems on Linux, UNIX, and Windows platforms with
support for over 200 different tape devices from leading vendors. The Oracle Secure Backup
Cloud module complements your existing backup strategies and can run independent of Oracle
Secure Backup tape management offerings. With a low entry cost of $3,500 per physical tape
drive, Oracle Secure Backup is ideal for small and midsized businesses and large enterprises
alike.


Oracle Identity Management Solutions

- Oracle Access Manager
- Oracle Adaptive Access Manager
- Oracle Identity Manager
- Oracle Role Manager
- Oracle Identity Federation
- Oracle Internet Directory
- Oracle Virtual Directory
- Oracle Web Services Manager
- Oracle Enterprise Single Sign-On Suite
- Oracle Entitlements Server
- Oracle Management Pack for Identity Management
- Oracle Authentication Services for Operating Systems

Oracle Access Manager

User Access Management for Secure Business Interactions

Oracle Access Manager allows users of your applications or IT systems to log in once and gain
access to a broad range of IT resources. Oracle Access Manager provides an identity
management and access control system that is shared by all your applications. The result is a
centralized and automated single sign-on (SSO) solution for managing who has access to what
information across your entire IT infrastructure. Oracle Access Manager is available as a
stand-alone product or as part of Oracle Identity & Access Management Suite.


Oracle Adaptive Access Manager

Strong Authentication and Proactive, Real-Time Fraud Prevention

Rapid growth in online commerce has brought increasing sophistication of internet fraud.
Threats from Phishing, Pharming, Trojans, Key Logging, and Proxy Attacks, combined with
regulations and mandates (such as FFIEC, HIPAA, PCI) governing online data privacy, place
online security at a premium. Customers must feel protected for online business channels to
grow. Oracle Adaptive Access Manager provides superior protection for businesses and their
customers through strong yet easy-to-deploy multifactor authentication and proactive, real-time
fraud prevention.


Oracle Identity Manager

Core Technology for User Provisioning and Cost-Efficient Compliance

The rights and attributes of each person who accesses your IT system continually change as
roles, rules, and policies evolve within your enterprise. The challenge is compounded during
mergers and acquisitions, and when sharing IT privileges with business partners and customers.
Add to that, the burden associated with meeting regulatory and privacy requirements such as
SOX, HIPAA, HSPD12, and many others. Oracle Identity Manager is a best-in-class user
provisioning and administration solution that automates the process of adding, updating, and
deleting user accounts from applications and directories; and improves regulatory compliance by
providing granular reports that attest to who has access to what. Oracle Identity Manager is
available as a stand-alone product or as part of Oracle Identity & Access Management Suite.


Oracle Role Manager

Comprehensive Enterprise Role Management

In today's regulatory compliance environment, organizations need a holistic view of their
business users, job functions, and associated entitlements. Attempting this manually often results
in chaos, frustration, and failed projects. Oracle Role Manager provides enterprise class role
lifecycle management capabilities, helping strengthen regulatory compliance, and alleviating
associated costs. It acts as the authoritative source for the relationships between business users,
organizations, and entitlements, thus enabling automation of role based provisioning and access
control across the IT infrastructure. This also provides enterprise applications rich role
information enabling automation of business transactions for approval and routing.


Oracle Identity Federation

Cross-Domain User Access for Improved Business Integration

Oracle Identity Federation is an industry-leading federation solution providing a self-contained
and flexible multi-protocol federation server that can be rapidly deployed with your existing
identity and access management systems. Support for leading standards-based protocols ensures
interoperability to share identities across vendors, customers, and business partners without the
increased costs of managing, maintaining, and administering additional identities and credentials.
Oracle Identity Federation is available as a stand-alone product or as part of Oracle Identity &
Access Management Suite.


Oracle Internet Directory

The Foundation for Robust Identity Management Deployments

The past decade has seen an explosion in the number of web-based applications. To gain control
over the vast number of user accounts within these applications, many companies have deployed
one or more LDAP directories. These often require multiple security systems to secure physical
access, to secure legacy applications, and to secure network access. Oracle offers
state-of-the-art LDAP directory services as well as integrated supporting technologies that allow
large enterprises to provide greater directory functionality in a wide array of deployments.


Oracle Virtual Directory

The Foundation for Robust Identity Management Deployments

The past decade has seen an explosion in the number of web-based applications. To gain control
over the vast number of user accounts within these applications, many companies have deployed
one or more LDAP directories. These often require multiple security systems to secure physical
access, to secure legacy applications, and to secure network access. Oracle offers
state-of-the-art LDAP directory services as well as integrated supporting technologies that allow
large enterprises to provide greater directory functionality in a wide array of deployments.


Oracle Web Services Manager

Deploy Web Services in a Secure Environment

As Web services have become a common method for integrating systems, services are now
exposed to the Internet for use by customers, business partners, and partners of those partners. As
a result, access control and auditing are ever more urgent requirements. To provide effective
access control, the concepts of identity management and SOA management must merge. Oracle
is leading this trend.

Oracle Web Services Manager is a J2EE application designed to define and implement Web
services security in heterogeneous environments, provide tools to manage Web services based on
service-level agreements, and allow the user to monitor runtime activity in graphical charts.


Oracle Enterprise Single Sign-On Suite

User Access Management across Legacy Applications

Oracle Enterprise Single Sign-On Suite provides users with unified sign-on and authentication
across all their enterprise resources, including desktops, client-server, and custom and host-based
mainframe applications. Even if users travel or share workstations, they can enjoy the flexibility
of a single log-on that eliminates the need for multiple usernames and passwords and helps
enforce strong password and authentication policies.


Oracle Entitlements Server

Centralized Fine-Grained Authorization Policies for Enterprise Applications

Evolving business and regulatory conditions can drive changes to the security and regulatory
policies that govern your business. However, for most applications these policies are embedded
in their code, making it difficult to change, and nearly impossible to monitor and audit. Oracle
Entitlements Server (formerly BEA AquaLogic Enterprise Security) externalizes and centralizes
fine-grained authorization policies for enterprise applications and web services. This is achieved
via comprehensive, reusable, and fully auditable authorization policies and a simple, easy-to-use
administration model.


Oracle Management Pack for Identity Management

Proactively Manage Performance, Availability, and Service Levels for Identity Services

As identity management grows more pervasive and becomes increasingly mission-critical,
organizations are looking for ways to streamline management and monitoring. Oracle
Management Pack for Identity Management addresses these needs by providing a
comprehensive, integrated enterprise management solution for Oracle Identity Management.


Oracle Authentication Services for Operating Systems

Enforcing Security and Compliance Across Diverse Platforms

Traditional user management approaches such as local account management or Network
Information Service (NIS) can be cost-prohibitive, lack consistent policy enforcement, and leave
organizations open to significant policy concerns. The Oracle Authentication Services for
Operating Systems offers Linux and UNIX environments a centralized, secure and seamless user
authentication infrastructure. Oracle Authentication Services for Operating Systems is available
as part of the Oracle Directory Services offering and leverages Oracle Internet Directory, which
is proven to scale across billions of users.


Oracle Governance, Risk and Compliance (GRC) Solutions

Oracle GRC Solutions include the following products:

- GRC Reporting and Analytics
- GRC Process Management
- GRC Application Controls
- GRC Infrastructure Controls

GRC Reporting and Analytics

- Fusion GRC Intelligence

Fusion GRC Intelligence

Gain Transparency to Control Status. Accelerate Risk Responsiveness. Deliver User-Tailored Intelligence.

Oracle Fusion Governance, Risk, and Compliance Intelligence (GRC Intelligence) empowers
you to stay on top of critical organizational compliance and risk management activities. Fusion
GRC Intelligence offers enhanced visibility into your organization's compliance readiness and
responsiveness by providing risk, control, and performance analytics and dashboards. Robust
reporting capabilities help validate control design and operating effectiveness against access
policies and segregation of duties conflicts. The interactive solution enables GRC professionals
to effectively plan, model, report and analyze GRC activities so that potential issues are
identified earlier and corrective actions are more timely and informed.

GRC Process Management

Oracle Governance, Risk, and Compliance Manager

Through converging global compliance standards and accelerating performance expectations,
organizations are facing greater complexity in coordinating and managing their governance, risk
and compliance initiatives. Based on best-practice frameworks such as COSO, COBIT, ITIL and
others, Oracle Governance, Risk, and Compliance Manager (GRC Manager) automates the
management of internal controls and improves the efficiency of an organization's compliance
processes. GRC Manager monitors business process risk and control performance across the
enterprise, automatically highlighting areas of control weakness, and initiating corrective actions
with automated loss and investigations management. Whether your organization leverages the
Oracle E-Business Suite, PeopleSoft Enterprise, Siebel, JD Edwards World, SAP, legacy or
homegrown applications, Oracle GRC Manager works across diverse applications and system
environments.

GRC Application Controls

- Application Access Controls Governor
- Configuration Controls Governor
- Transaction Controls Governor
- Preventive Controls Governor



Application Access Controls Governor

Real-Time Enforcement of Segregation of Duties and Access Policies

The ability to fine-tune user access, and to track that access, is key to complying with
regulatory requirements and ensuring corporate security. Oracle Application Access Controls
Governor provides real-time monitoring and proactive enforcement of crucial access policies,
such as those that support segregation of duties (SOD). The system anticipates potential SOD
conflicts before they arise, and even prevents any assignment of roles or responsibilities within
an application that would compromise proper segregation of duties. Application Access Controls
Governor also extends key access controls to "super-users" and temporary or contract workers.

Configuration Controls Governor

Real-Time Enforcement of Segregation of Duties and Access Policies

The ability to fine-tune user access, and to track that access, is key to complying with
regulatory requirements and ensuring corporate security. Oracle Application Access Controls
Governor provides real-time monitoring and proactive enforcement of crucial access policies,
such as those that support segregation of duties (SOD). The system anticipates potential SOD
conflicts before they arise, and even prevents any assignment of roles or responsibilities within
an application that would compromise proper segregation of duties. Application Access Controls
Governor also extends key access controls to "super-users" and temporary or contract workers.

Transaction Controls Governor

Continuous Monitoring of Business Transactions

You can't enforce internal controls if you don't know when they are being broken. Oracle
Transaction Controls Governor continuously monitors transactions against policies to detect
suspicious transactions or inappropriate business practices. The system proactively alerts the
appropriate stakeholders for effective and timely remediation of violations. Oracle Transaction
Controls Governor tracks events that indicate:

- Potential violation of internal controls - for example, an employee raises multiple
  requisitions for a single purchase totaling an amount greater than her approval level
- Heightened levels of risk - for instance, an unexpected delay in anticipated cash receipts
  which would result in a shortfall in projected cash flow
- Reportable events - for example, a foreign subsidiary writes off a significant bad debt

Preventive Controls Governor

Ensure Data Quality and Privacy with Granular Control

Control over the quality of applications data starts at the user level. Without such control, your
company is left open to mistakes, loss of data, and fraud. The Oracle Preventive Controls
Governor provides fine-grained control over user viewing and editing of key data, while
tracking changes (or attempted changes) by users. With it, you can limit or control which data
fields application users can change or see, and define the types of data users can input in
various fields, and limit the values of transactions to enforce regulatory or corporate guidelines.
The Oracle Preventive Controls Governor provides not only assured regulatory compliance and
protection against fraud, but also the prevention of many common data-entry errors.





GRC Infrastructure Controls

- Identity Manager
- Access Manager
- Role Manager
- Database Vault
- Audit Vault
- Advanced Security
- Secure Backup
- Enterprise Manager
- Universal Content Management
- Universal Records Management
- Information Rights Management


The following GRC Infrastructure Controls are also listed as either Oracle Security or Oracle
Identity Management Solutions:

- Identity Manager
- Access Manager
- Role Manager
- Database Vault
- Audit Vault
- Advanced Security
- Secure Backup


Enterprise Manager

- Applications Management
- Database Management
- Middleware Management
- Configuration Management
- Quality Management
- User Experience Management
- Heterogeneous Support


Applications Management

Complete Solution for Managing Oracle Applications and Infrastructure

Oracle provides the most comprehensive management solution for Oracle E-Business Suite,
PeopleSoft, and Siebel applications with its unique top-down approach. Only Oracle provides a
single management solution that gives you the ability to proactively monitor the health of all
application processes and components, including the underlying middleware and databases as
well as the virtual and physical hosts they run on.




Database Management

Get Maximum Performance with ROI of 100%

Oracle provides an integrated management solution for managing Oracle database with a unique
top-down application management approach. With new self-managing capabilities, Oracle
eliminates time-consuming, error-prone administrative tasks, so database administrators can
focus on strategic business objectives instead of performance and availability fire drills.

Oracle Management Packs for Database provide significant cost and time-saving capabilities for
managing Oracle Databases. Independent studies demonstrate that Oracle Database is 40 percent
easier to manage over DB2 and 38 percent over SQL Server.


Middleware Management

Manage SOA Applications and Infrastructure with Less Effort

Oracle provides the most complete and integrated management solution for Oracle Fusion
Middleware with Oracle Enterprise Manager's unique top-down approach. Oracle Enterprise
Manager automatically discovers all Oracle Fusion Middleware components and their
interdependencies and provides industry best practices built into dashboards for system, services,
and compliance.

For Oracle WebLogic Server, Oracle Enterprise Manager provides a complete management
solution in a single console. You can track diagnostics for applications and Web services,
including low-overhead monitoring; view historical and real-time application performance on
any JVM including Oracle JRockit; and trace in-flight transactions and cross-tier performance
with the Oracle Database. Features such as auto-discovery and configuration tracking for Oracle
WebLogic Server, and its underlying hardware and operating system, simplify compliance and
help you diagnose hard-to-locate issues resulting from configuration changes.

Oracle Enterprise Manager also offers extensive SOA management capabilities, spanning Oracle
BPEL, and Oracle Service Bus. You can now use an integrated solution for managing Oracle
Service Bus, Oracle BPEL, and Oracle WebLogic Server to quickly resolve performance,
availability, and configuration related issues across the entire SOA environment.


Configuration Management

Reduce
the

Cost of IT Compliance

Oracle Configuration Management Pack enhances Oracle Enterprise Manager with
comprehensive configuration management for the entire Oracle application environment. Oracle

Copy right ©
Roger Drolet, CPA, MBA, CISA, CITP

2013
. All rights reserv ed.


Oracle Security in Release 12



Effective
13
-
Apr
-
2009

Page
14

of
22

Rev
1

Con
figuration Management Pack includes two key components; the Configuration Change
Console and the Application Configuration Console.

With its built-in configuration automation, the Configuration Change Console helps reduce IT costs and mitigates risk by automatically detecting, validating, and reporting authorized and unauthorized configuration changes in real time, ultimately leading to accelerated IT compliance and operational efficiencies.

By automating the way configurations are managed and tracked throughout the application lifecycle, the Application Configuration Console ensures configuration consistency across development and production environments. The Application Configuration Console with its 100+ built-in application blueprints helps reduce complexity while improving application performance and availability. As a result, customers benefit from higher IT service quality, lower total cost of ownership for their enterprise applications and improved business agility.

Learn More

Quality Management

Reduce Testing Effort by Up to 80%

Oracle Application Quality Management provides a comprehensive set of testing solutions for mission-critical applications. These solutions deliver a unique blend of highly automated testing functions for packaged and SOA applications and feature the industry's first and only database testing solution that employs real production workloads. Oracle Application Quality Management plays a key role in Oracle Enterprise Manager's top-down approach to application management, and ensures that applications perform well under peak load with maximum throughput, even in the face of evolving technology, limited understanding of test parameters, and resource constraints.

Learn More

User Experience Management

Stop Online Revenue Loss in Tough Economic Times

According to industry experts, over 70% of user issues are still reported by end-users, not by system monitoring tools. Oracle Real User Experience Insight identifies and helps resolve user experience issues and revenue problems before business and users are impacted. Oracle Real User Experience Insight uses a state-of-the-art network protocol analysis technology to analyze performance and availability as well as user behavior. It has no impact on the performance of your applications and requires no changes. It can be used on traditional Web-based applications as well as SOA and AJAX enabled applications.

Learn More

Heterogeneous Support

Manage Oracle and Non-Oracle Technologies within a Single Console


Oracle Enterprise Manager not only manages Oracle Technologies, it provides rich management solutions for heterogeneous environments with its unique top-down approach. Only Oracle provides the most complete solution focused on managing business applications and related infrastructure technologies in a single management console. Get exactly what you need to manage your applications end-to-end with a rich selection of easy-to-deploy plug-ins and connectors for heterogeneous environments. Check out the partner exchange for more than two dozen heterogeneous management plug-ins and connectors including Microsoft MOM, IBM WebSphere, BEA WebLogic, JBoss, EMC storage, F5 BIG IP, Check Point Firewall, Remedy and more.

Learn More

Universal Content Management

Oracle Universal Content Management (UCM) is the industry's most unified enterprise content management platform that enables you to leverage market-leading document management, Web content management, digital asset management, and records retention functionality to build and complement your business applications. Building a strategic enterprise content management infrastructure for content and applications helps you to reduce costs, easily share content across the enterprise, minimize risk, automate expensive, time-intensive and manual processes, and consolidate multiple Web sites onto a single platform for centralized management. Through user-friendly interfaces, roles-based authentication and security models, Oracle Universal Content Management empowers users throughout the enterprise to view, collaborate on or retire content, ensuring that all accessible distributed or published information is secure, accurate and up-to-date.

Learn More

Universal Records Management

Oracle Universal Records Management (URM) enables you to apply your records management policies and practices on content in remote repositories such as file systems, content management systems, and email archives. URM also enables you to apply records management practices to non-records content.

Learn More

Information Rights Management


Oracle Information Rights Management (IRM, formerly SealedMedia and Stellent Information Rights Management) is a new form of information security technology that secures and tracks sensitive digital information everywhere it is stored and used. Conventional information management products only manage documents, emails, and web pages while they remain stored within server-side repositories. Oracle Information Rights Management uses encryption to extend the management of information beyond the repository - to every copy of an organization's most sensitive information, everywhere it is stored and used - on end user desktops, laptops and mobile wireless devices, in other repositories, inside and outside the firewall. For a quick introduction to Oracle Information Rights Management, view our 2 minute explainer.


Learn More



Oracle Diagnosibility Products

In this section, I will introduce you to several tools that Oracle provides for free. Oracle developed these tools to reduce Support Costs by providing automated tools that perform diagnostic tests.

I included these tools because you can use them to facilitate Risk Assessment and Risk Management Activities without having to purchase any additional hardware or software licenses.

These tools enable you to take proactive measures to assess E-Business Security and Oracle Application Configuration to ensure that you have configured your applications using Oracle best practices.

Oracle Support defined Diagnosibility to include:

• E-Business Suite Diagnostics
• Guardian
• Maintenance Wizard (MW)
• Remote Diagnostic Agent (RDA)
• Oracle Configuration Manager (OCM)

E-Business Suite Diagnostics

Oracle E-Business Suite Diagnostics is a free tool provided by Oracle to ease the gathering and analyzing of information from your E-Business Suite specific to an existing issue or setup.

Formatted output displays the information gathered, the findings of the analysis and appropriate actions to take if necessary.

This tool is easy to use and is designed for both the functional and technical user.

Oracle E-Business Suite Diagnostics are designed to improve:

• Problem Avoidance - resolving configuration and data issues that would cause processes to fail
• Self Service Resolution - resolving problems without the need to contact Oracle Support
• Reduction in Resolution Time - minimizing the time spent to resolve an issue by increasing support engineer
• Risk Assessment Activities - free tool that you can use to facilitate Risk Assessment Activities
• Knowledge of Oracle Best Practices - users become more knowledgeable about Oracle best practices by using E-Business Suite Diagnostics






Lessons Learned: 1 - E-Business Suite Diagnostics - Cost Effective Risk Assessment Tool

Lessons Learned:

E-Business Suite Diagnostics Whitepaper

I will write another whitepaper that describes the E-Business Suite Diagnostics in more detail. I believe that this tool can be used as part of a very cost-effective solution to help companies implement Oracle databases and applications using Oracle and Industry best practices. Moreover, these companies can use the E-Business Suite Diagnostics to proactively monitor E-Business Suite Security and Oracle Application Configuration.

Oracle Security, Identity Management, and Governance Risk and Compliance (GRC)

Oracle Security, IDM and GRC applications provide sophisticated and robust solutions. I do not suggest that companies use E-Business Suite Diagnostics in lieu of these solutions; however, the E-Business Suite Diagnostics are free and they provide Oracle system controls that can significantly improve security.

Risk Assessments

Companies can use E-Business Suite Diagnostics to facilitate Risk Assessment activities.

Guardian

Oracle Guardian is an intuitive tool for preemptive system support. Oracle Guardian is designed to find potential problems before they require the attention of your IT support staff or impact your operations and your customers.

Oracle Guardian helps to streamline deployments and day-to-day operations. At the touch of a button, Oracle Guardian does the following:

• Automatically finds and recommends the right updates and maintenance packs - saving your team time and maximizing your efficiency
• Scans your domain in seconds to immediately recognize and diagnose software defects.
• Using simple diagnostic Signature Patterns, quickly provides intuitive and detailed information about potential problems and how to fix them
• Offers side-by-side comparisons of snapshots or domains, constructing a timeline and comparing configuration and inventory differences
• Offers customizable signature annotations for managing, filtering, and tracking Signature Patterns and work related to detected Signature Patterns
• Integrates with Oracle JRockit Mission Control, collecting data through the JRockit Runtime Analyzer and applying Signature Patterns to the data






Lessons Learned: 2 - Guardian - Another Risk Assessment and Risk Management Tool

Lessons Learned:

Risk Assessment and Risk Management Tool

This is another free resource provided by Oracle to reduce your reliance on Oracle Support that you can use to improve and monitor security and internal controls.

Background

Customer Support in today's software industry is usually either proactive or reactive. Reactive support addresses problems once they have already impacted a customer's system in some manner. Proactive support is an intensive way to resolve system problems once they've been identified, but before they cause downtime or impact productivity. For proactive support, IT personnel monitor systems and address the root cause of an issue before they grow. Both types of support are focused on existing issues and are frequently expensive and complicated. Both support models can also leave customers dissatisfied because both require a problem to manifest before addressing it; this can require increased man-hours and IT budget to identify and resolve them. Oracle Guardian has moved on from these traditional support paradigms by offering a new, pre-emptive model. This is because we recognize that our customers have complex systems that form the core of their businesses - systems which cannot rely on antiquated break/fix models for support. Instead, they require a 24/7, preemptive automated support offering that can identify potential problems before they occur. They need a support paradigm that offers peace of mind. Oracle Guardian is Oracle's response to this need, as identified through extensive field research and analysis. [i]

Beyond Reactive or Proactive Support

Oracle Guardian is an intuitive tool for preemptive system support designed to find potential problems before they require the attention of your IT support staff or impact your operations and your customers. Oracle Guardian helps to streamline deployments and day-to-day operations. At the touch of a button:

• Guardian automatically finds and recommends the right updates, service, and maintenance packs so your team doesn't have to.
• Guardian scans your domain. Simple diagnostic signature patterns quickly give intuitive and detailed information about all potential problems and how to fix them.
• Guardian provides up-to-date signature patterns on a regular basis to ensure system and application stability
• Guardian allows you to roll out complex applications faster than your competitors by eliminating antiquated, inefficient troubleshooting techniques such as knowledgebase searches or frequently asked questions.

Does Guardian Require a License?

Yes - Guardian requires a license in order to function.


For evaluation, the required license file, which does expire, is obtained through the page where
you download BEA Guardian, using the Download License Key Here link. Save it into your
BEA Guardian installation directory.


Learn More


Maintenance Wizard (MW)

Oracle Support provides Maintenance Wizard to guide you through the upgrade of Oracle Applications technology stack and products from Release 11i versions to Release 12. It draws on instructions from numerous manuals and other documentation to provide you with a complete picture of the activities required for an upgrade.

Maintenance Wizard helps you to reduce upgrade tasks by dynamically filtering the necessary steps based on criteria it obtains from your Applications environment. The resulting report is a set of step-by-step instructions of exactly what you need to do to complete your specific upgrade, including any critical patches that your system may require. It can also automatically execute many of the tasks for you, so as to reduce the possibility of errors or accidental omission of vital tasks.

Learn More.

Remote Diagnostic Agent (RDA)

Remote Diagnostic Agent (RDA) is a command-line diagnostic tool that is executed by an engine written in the Perl programming language. RDA provides a unified package of support diagnostics tools and preventive solutions (see Knowledge Article 330760.1). The data captured provides Oracle Support with a comprehensive picture of the customer's environment which aids in problem diagnosis.

Oracle Support encourages the use of RDA because it greatly reduces service request resolution time by minimizing the number of requests from Oracle Support for more information. RDA is designed to be as unobtrusive as possible; it does not modify systems in any way. It collects useful data for Oracle Support only and a security filter is provided if required.

Learn More

Other RDA Resources



• Remote Diagnostic Agent (RDA) 4 - FAQ
• RDA 4 - Health Check / Validation Engine Guide
• Running RDA and Health Check for Oracle Application Server Environments
• Remote Diagnostic Agent (RDA) 4 - Getting Started
• Remote Diagnostic Agent (RDA) 4 - Main Man Page


Oracle Configuration Manager (OCM)

Oracle Configuration Manager works with My Oracle Support to enable proactive support capability that helps you organize, collect and manage your Oracle configurations by providing the following:

• Secure, automated configuration collection
• Proactive configuration-specific notification of Security and General Alerts
• HealthCheck recommendations based on Support best practices when using configuration auto-collection
• Simplified Service Request logging, tracking and reporting
• Project cataloging of key milestones and contacts associated with your configurations



Other OCM Resources



• Learn More About My Oracle Support Configuration Manager

Other Resources



• Diagnosibility Community
• Best Practices for Securing Oracle E-Business Suite Release 12
• Best Practices for Securing Oracle E-Business Suite
• Oracle Configuration Manager Security Overview and Collections Overview
• Oracle E-Business Suite Network Utilities: Best Practices
• Oracle E-Business Suite Secure Enterprise Search Best Practices, Release 12
• Oracle Application Object Library Best Practices: E-Business Suite Diagnostic Tests Health Check Test
• Best Practices for Adopting Oracle E-Business Suite, Release 12
• System Health
• Oracle Guardian Signature Pattern Release File
• What Is New In Oracle Guardian Signature Pattern Release
• Oracle Guardian White Paper
• Guardian 1.0 - What is the best way to update Guardian from the evaluation version to the current version?
• Description of All Signature Patterns in the Current Signature Patterns Release
• All About Security: User, Privilege, Role, SYSDBA, O/S Authentication, Audit, Encryption, OLS, Database Vault, Audit Vault

About the Author

I am the Founder and President of Oracle Independent Consultants LLC (OIC LLC), which is a large virtual Oracle Consulting Firm. My personal area of interest is Oracle Security, Identity Management (IDM) and Governance, Risk and Compliance (GRC) Solutions.

If you are also interested in these solutions, I invite you to join the Oracle Security, Identity Management (IDM) and Governance, Risk and Compliance (GRC) Professionals Group. It's free.


Regards,

Roger Drolet, CPA, MBA, CISA, CITP





[i] Oracle Guardian White Paper dated Wednesday, November 26, 2008.