JD Edwards Security Best Practices


JD Edwards Security Best Practices

Manish Somani, Director, Software Engineering, Oracle JD Edwards

Marcelo Tamassia, Founding Partner, EmeraldCube Solutions

October 01, 2014


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |

Program Agenda

• Why do I care about Security?

• Oracle Software Security Assurance

• Security in EnterpriseOne: Built-in, Not Bolt-On!!

• Oracle Security Products

• OAM Case Studies


“Security”: Is it a choice?

In 2004, it was discovered that crackers had gained almost complete access to Nortel's systems. Thought to have originated in 2000, for nearly ten years they accessed documents including emails, technical papers, research, development reports, and business plans.

"I have no doubt that extensive cyber attacks contributed to our downfall and bankruptcy in 2009.”

– Brian Shields, the former senior systems security adviser at Nortel


Multi-Dimensional Aspects Of Security

Today’s threats

• IP theft and economic espionage

• Financial fraud and organized crime

• Sophisticated hackers

• Opportunistic insiders

What’s at stake

• Intellectual property

• Customer, employee, citizen, corporate data

• Financial loss

• Reputational loss

• Fines & penalties

Other challenges

• Internal and external audits

• Supply chain security

• Changing regulatory landscape

• Data and systems consolidation

• Changing environments (mobile devices, cloud, etc.)


Oracle Software Security Assurance (OSSA)

Encompasses all the continuously improving processes, procedures, and technologies implemented by Oracle to ensure that Oracle’s products are meeting our customers’ security requirements, while providing for the most cost-effective ownership experience.


Oracle Software Security Assurance

Maintaining the security posture

– of ALL Oracle customers is one of the greatest priorities of Oracle

Applies to ALL Oracle software products

– throughout their lifecycle, and constantly evolving to adapt to new technologies, threats, and product use cases

Oracle security programs affect the entire


Secure Development Standards

Coding guidelines

– Secure coding principles

– Examples of what not to do

– Requirements to use previously vetted security code

– Minimum secure design requirements

Mandatory training


Product Definition

Security requirements

– are expressed as early as the design phase

– include requirements from the Secure Coding Standards

– include product-specific requirements

Established security criteria


Product Development

Ongoing reviews to validate compliance with:

– Secure Coding Standards

Additional design reviews for security

Extensive use of scanning and testing tools

– to provide ongoing feedback to the development team in


Ongoing Assurance

Security testing takes place throughout the useful life of the product

– Pre-release security scanning and testing

– Post-release security activities:

– Ethical hacking

Updated secure configuration


Security in JD Edwards EnterpriseOne


JD Edwards EnterpriseOne Security

Components in scope: BI Publisher Server (OVR), Database Server, JAS/HTML Server, Enterprise Server, Business Services Server, Transaction Server, Deployment Server, Windows Client

Two protection concerns apply across all of them:

• Data in flight

• Data at rest


Secure Data in Flight

• Support HTTPS

– between Web Browser and HTML Server

– between E1 HTML Server and BI Server for One View Reports

• Support SSL between HTML Server and Enterprise Server


Secure Data at Rest

• Passwords in all configuration files (jas.ini, jdbj.ini, jde.ini and jdeinterop.ini)

– Configured via Server Manager

• User passwords in the Security Tables are stored using a one-way hash


Secure Data Across Trust Boundary

• Secured File Upload

– Allowed only against a white list

– Validate file content

• Secured Download

– Prevents inline opening of the file

• Prevent Click Jacking and HTML frame injection
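The three trust-boundary controls on this slide, as an added illustration that is not JD Edwards code: an upload check that combines an extension allow-list with content validation (leading bytes must match the declared type), and download response headers that force a save-as dialog and refuse framing. The allow-list, size limit and sample files are constructed for the example.

```python
import os

# Constructed allow-list: extension -> bytes a genuine file of that type starts with.
# None means a text format with no signature; the content is checked to decode as text.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".csv": None,
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit


def validate_upload(filename, data):
    """Return (accepted, reason). Accept only allow-listed types whose bytes match."""
    base = os.path.basename(filename)  # ignore any directory the client supplied
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not on allow list"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    signature = ALLOWED_TYPES[ext]
    if signature is not None:
        if not data.startswith(signature):
            return False, "content does not match declared type"
    else:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            return False, "content is not text"
    return True, "ok"


def download_headers(filename):
    """Headers that prevent inline opening, MIME sniffing and framing of a download."""
    safe_name = os.path.basename(filename).replace('"', "")  # keep the header value well formed
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


# Constructed samples: a minimal PDF and an HTML document renamed to .pdf.
GOOD_PDF = b"%PDF-1.4\n% constructed sample\n"
HTML_AS_PDF = b"<html><body>not really a pdf</body></html>"
```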


Security Testing for EnterpriseOne

• Static Code Analysis

– HP Fortify tooling is integrated in the build process to scan for security issues

• Dynamic Test Analysis

– HP WebInspect is part of the test cycle to scan the HTML client for security issues

• Fuzz Testing

– JDENET testing


Security Guide update for EnterpriseOne

• Update the security guide as per the OSSA standard

• Integrate security best practices into the security admin guide


Oracle Security OIM products

Oracle Internet Directory (OID)

– LDAP directory server that stores its data in an Oracle database

Oracle Access Manager (OAM)

– provides SSO, authentication, authorization, and centralized policy administration

Oracle Identity Manager (OIM)

– provides provisioning, reconciliation, self-service, and integration with


Marcelo Tamassia

Why Prism?

• Founding partner @ EmeraldCube Solutions

• 18 years of tech industry experience

• 13 years of EnterpriseOne consulting in South and North America

• Planned, designed, executed, and managed over 90 E1 implementations and upgrades worldwide


EmeraldCube Solutions

Focus: JDE Technology, Business Intelligence & IoT

JDE & OBI focused Managed Services team

• On Demand and Managed Services plans

• Unmatched proactive monitoring and alerting tools

Experts in BI solutions for JDE

• On premises and cloud-based options

• Choice of BI tools and platforms

• Subscription and traditional software acquisition models

EmeraldSensor for JD Edwards EnterpriseOne

• IoT platform for JDE customers

• Complete solution - sensors, gateway & analytics


Laser Technology

Denver-based industry leader in the design and manufacturing of innovative laser-based speed and distance measurement instruments, including laser rangefinders, speed guns & sensors

• JDE Footprint

– Release 9.1, Tools 9.1.4

– 200+ Users

– Financials/Manufacturing/Distribution

– Red Stack


Laser Technology: Needs

• IT & Auditors

– Inconsistent password policies between JDE and AD

– High number of password-related helpdesk calls

– Convoluted on-boarding process for new employees/IDs

• Users


Laser Technology: Solution

• Oracle Access Manager

– LDAP/AD Identity Store

– Form Authentication

• End-user experience

– User types the JDE URL

– User gets prompted by the OAM login page

– User types their network/AD credentials

– User is inside JDE


Laser Technology: Benefits

• Consistent password policy

• Significant reduction of helpdesk calls

• Streamlined user on-boarding


Silgan Containers

Largest provider of metal food packaging in the United States, Silgan Containers is trusted by America’s most respected brands

• JDE Footprint

– Release 9.0, Tools 9.1.4

– 600+ Users

– Financials/Manufacturing/Distribution

– iSeries / Windows


Silgan: Needs

• IT & Auditors

– Inconsistent password policies between JDE, OBIEE, and AD

– High number of password-related helpdesk calls

– Convoluted on-boarding process for new employees/IDs

– BI using long names and JDE using short names

– JDE usernames did not match AD usernames (10 character limitation)

• Users

– Too many usernames to remember

– Too many passwords to remember


Silgan: Solution

• Active Directory

– Custom field for the E1 short username (works around the JDE 10-character limitation)

• Oracle Access Manager

– LDAP/AD User Identity Store

– Two application domains set up on OAM (JDE and OBIEE)

– User mappings / responses


Silgan: Solution

• End-user experience

– User types the JDE URL and is automatically in JDE

– User types the BI URL and is automatically in OBIEE

– No more password changes inside JDE / BI


Silgan: Benefits

• No more passwords / usernames to memorize. Happy users!

• True Single Sign-On

• Consistent password policy across JDE, BI, and AD

• Significant reduction of helpdesk calls


OAM Lessons Learned

• OAM is a single point of failure (cluster it)

• Separate production and development OAM servers?

• Short/Long username options

• Native Authentication

– Browser settings

– VPN / External Users

– Fallback authentication

• Use multiple domain controllers in the setup

• Triple check your response mappings


Contact Information

[email protected]

@EmeraldCube


The Right Tool for the Task

Strengthen Your JD Edwards EnterpriseOne Arsenal: Doc ID 1918339.1 will help you find out!

@OracleJDEdwards, JD Edwards Professionals, TheOracleJDEdwards, My Oracle Support Communities, JD Edwards Attitude@Altitude, JD Edwards Newsletters, EnterpriseOne World, LearnJDE.com
