1 Implementing Security Compliance using Policy Groups Rob Zoeteweij Copyright 2009 Zoeteweij Consulting
Implementing Security Compliance using Policy Groups · 2009. 11. 4.

Oct 09, 2020

Page 1

Implementing Security Compliance using Policy Groups

Rob Zoeteweij

Copyright – 2009 Zoeteweij Consulting

Page 2

This Presentation…

• Is pretty technical

• Includes several (many) Screen dumps

• Covers OEM 10.2.0.4 – 10.2.0.5

• Gives you an inside overview of: how to … / how it works

• Is about how we do this at Rabobank

Page 3

Agenda

• Security at Rabobank

• Policy Rules

• Policy Groups

• Q & A

Page 4

Security at Rabobank

• SOX

  • Sarbanes-Oxley Act of 2002 (Wikipedia)

    • Public Company Accounting Reform and Investor Protection Act of 2002

    • AKA – Sarbanes-Oxley, Sarbox or SOX

    • Sponsors: Senator Paul Sarbanes and Representative Michael G. Oxley

    • In response to a number of major corporate and accounting scandals, including Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom

Page 5

Security at Rabobank

• SOX

  • Not a static list

  • Not a standard list

  • The actual measures can differ per company

  • Both organisational and technical

Page 6

Security at Rabobank

• SOX

  • Measures to stay compliant with RABO Security Rules

    • Separation of facilities for Development, Testing and Production

      • Developers / testers don’t have access to Production servers

      • …

    • Backups need to be available and tested

      • Are stored at a location other than the source

      • Need to be accessible to authorized employees only

    • Audit logs need to be created

      • All user actions must be logged and fully traceable to an individual

      • …

    • System access

      • Based on “Least privilege” and “Need to know”

      • ...

Page 7

Security at Rabobank

• BIV code (Dutch: Beschikbaarheid, Integriteit, Vertrouwelijkheid)

  • Availability – Integrity – Confidentiality

  • B – [1-3], I – [1-3], V – [1-3]

  • Impact

    • 1 – Low, 2 – Middle, 3 – High

  • Example

    • I = 2

      • Financial transactions that can be reversed without any reputational (image) damage

    • I = 3

      • Financial transactions that cannot be reversed without reputational (image) damage

Page 8

Security at Rabobank

• BIV code

  • Availability – Integrity – Confidentiality

  • Applied to systems

    • Applications

    • Application Servers

    • Servers (Hosts)

    • Database Listeners

    • Databases

Page 9

Security at Rabobank

• BIV codes in use

  • 222 – 232 – 233 – 322 – 332 – 333

Page 10

Security implementation in OEM

Policy Rules

• Policies

  • Policies define the desired behaviour or characteristics of systems

  • A Policy is compliant if it is determined that a target meets the desired state

  • Example: Oracle Home Executable Files Permission

    • Ensure that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions

  • If a Target does not meet this state, the Policy is violated
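The ORACLE_HOME permission rule quoted above can be evaluated outside OEM with a short POSIX shell check, which is useful for verifying what the policy will report before a target is added to a group. This is an added example, not code from the presentation, from Rabobank or from Oracle Enterprise Manager; the ORACLE_HOME layout and file names it builds under mktemp are constructed for the demo, and the exemption for ORACLE_HOME/bin follows the rule text.

```shell
#!/bin/sh
# Added example, not part of the presentation or of OEM: a stand-alone check that
# mirrors the "Oracle Home Executable Files Permission" policy rule. It lists every
# regular file below ORACLE_HOME that grants read, write or execute to "other"
# (world), skipping ORACLE_HOME/bin as the rule allows. The ORACLE_HOME layout and
# file names built by make_sample_oracle_home are constructed for the demo.

# Print one offending path per line. Octal -perm -000N tests a single "other" bit
# (POSIX find); the bin subtree is pruned before the permission test runs.
oracle_home_violations() {
    home=${1%/}
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 2; }
    find "$home" -path "$home/bin" -prune -o -type f \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print | sort
}

# Number of offending files; 0 means the target is compliant with this rule.
oracle_home_violation_count() {
    n=$(oracle_home_violations "$1" | grep -c .) || true
    echo "$n"
}

# Constructed sample ORACLE_HOME (path printed on stdout). Two files violate the
# rule: lib/libocci.so (755, o=rx) and network/admin/sqlnet.ora (644, o=r).
# bin/sqlplus is 755 but exempt; the remaining files grant nothing to "other".
make_sample_oracle_home() {
    home=$(mktemp -d)
    mkdir -p "$home/bin" "$home/lib" "$home/network/admin"
    : > "$home/bin/sqlplus";                chmod 755 "$home/bin/sqlplus"
    : > "$home/lib/libclntsh.so";           chmod 750 "$home/lib/libclntsh.so"
    : > "$home/lib/libocci.so";             chmod 755 "$home/lib/libocci.so"
    : > "$home/network/admin/listener.ora"; chmod 640 "$home/network/admin/listener.ora"
    : > "$home/network/admin/sqlnet.ora";   chmod 644 "$home/network/admin/sqlnet.ora"
    echo "$home"
}

# Demo: evaluate the constructed home the way the policy rule would and report.
main() {
    home=$(make_sample_oracle_home)
    echo "Checking $home"
    oracle_home_violations "$home"
    n=$(oracle_home_violation_count "$home")
    if [ "$n" -eq 0 ]; then echo "policy: compliant"; else echo "policy: violated ($n files)"; fi
    rm -rf "$home"
}

main
```

Point oracle_home_violations at a real ORACLE_HOME to get the same list the policy would flag; a non-empty list is a violation of this rule.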

Page 11

Security implementation in OEM

Policy Rules

• Policies – other examples

  • Ensure database auditing is enabled

    • Each activity in the database should be traceable

  • Default passwords

    • Ensure there are no default passwords for known accounts

  • Open Ports

    • Ensure that no unintended ports are left open

  • …

Page 13

Security implementation in OEM

Policy Rules

• Based on BIV codes in use

  • Monitoring Templates

    • Only Policy Rules included

    • STP – <Target Type> – BIV<code>

      • STP – Listener – BIV332

      • STP – HTTP Server – BIV223

      • STP – Cluster Database – BIV322

      • …

Page 15

Security implementation in OEM

Policy Rules

• Use Groups to apply the Templates to the Targets

  • Group organisation

    • PG-<Target Type>_BIV<Code>_<Phase (Dev, Tst, Stg, Prd)>

      • PG-Cluster_Databases_BIV233_Test

      • PG-Database_Instances_BIV333_Prod

      • …

Page 16

Group PG-Cluster_Databases_BIV332_Test

Includes all Cluster Databases to which BIV code 332 applies

Page 22

Security implementation in OEM

Policy Groups

• Policy Groups

  • Compliance

  • Logical Group of Policies

  • 10.2.0.4 – 3 Out of Box Groups

    • Secure Configuration for Oracle Database

    • Secure Configuration for Oracle Listener

    • Secure Configuration for Oracle Real Application Cluster

  • 10.2.0.5 – Create your own

Page 23

Security implementation in OEM

Policy Groups

Diagram: a Policy Group (Rule 1, Rule 2, … Rule n) is applied to a Group (Target 1, Target 2, … Target n) and evaluated according to an Evaluation Schedule.

Page 32

Q & A
