Securing your Oracle Cloud applications is an ongoing challenge. Once implemented, like a new car, Oracle Cloud security must be maintained and checked periodically as users come and go, new company workflows are introduced, and governments adopt new or change existing data protection & privacy regulations. At times, it can seem daunting to keep your users, roles and privileges happy in order to avoid security risks that can appear during audits.
However, when it comes to user access, there are some easy steps you can take right now that will help make your Oracle Cloud applications more secure and reduce the risk of compliance violations!
We’ve put together a short list of actions that will help you secure your Oracle ERP Cloud environment. Among other results, these actions will help you identify the most critical user-job role assignments, better configure roles with more restrictive ability to impact the system and optimize provisioning user access.
1. Minimize Application Implementation Consultant and IT Security Manager job role access
Not all job roles are created equal. The Application Implementation Consultant and IT Security Manager job roles have access to many of the key system administrative tasks across all Oracle Cloud applications. Make sure you are only assigning these job roles to the users who genuinely need them and that you are reviewing which users have this type of access on a regular basis.
2. Design and use custom job roles for user access
Oracle Cloud comes with pre-configured (or “seeded”) job roles upon installation. Unfortunately, using these seeded roles without first looking at the duty roles & access privileges they provide will lead to copious amounts of segregation of duties (SoD) conflicts. Moreover, Oracle Cloud software updates can introduce new functionality and access into these pre-configured job roles. As such, it is best practice to use seeded job role definitions only as a starting point for designing and building custom job roles or for a few other situations below. Fully custom job roles will not be affected by software updates.
Use seeded job roles only for:
- Designing and building non-inquiry custom job roles
- Emergency account access
- Service accounts that need to process jobs in the background
- Other truly valid business purposes
3. Inquiry only access cannot be granted without custom roles
Out of the box, Oracle Cloud does not provide any inquiry or view-only roles. It is therefore strongly recommended to design, build and test inquiry/view-only roles from scratch (i.e. do not copy from the seeded roles), based on the principle of least privilege.
4. Use the Simulate Navigator to identify which privileges grant access to key business process & IT activities
Accessible via the Roles tab in the Security Console, you can use Oracle’s Role Navigation Simulator to help you identify which privileges provide access to specific work areas & tasks. Leverage this functionality to help you build your segregation of duties (SOD) rulesets and understand how users can access privileges without off-hand knowledge of the navigation.
5. Establish a formal user provisioning process
Informal user provisioning practices, such as copying existing job roles from one user to another or not specifying the job roles to be assigned in access requests (for example, “Give Jack the same access as Diane”), typically lead to over-provisioning security and SOX IT General Controls (ITGC) exceptions. Instead, you should establish a formal user provisioning process that contains the following high-level steps for your organization:
- Document user access requests via a ticketing system rather than email, and clearly state which job roles are being requested
- Ensure that all access requests are approved by the appropriate IT or business owners prior to assignment, and that evidence of this approval exists in the request in case you are asked to provide it
- Verify that the access granted to the user matches the access requested. For example, if an approved access request states to provide Job Roles A, B and C to Username G, make sure Username G was only assigned Job Roles A, B and C.
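The verification step above, combined with the review of high-privilege job roles from tip 1, can be run as a reconciliation script. This is an added example, not code from Fastpath or Oracle; the two CSV layouts, their column names and the sample rows are constructed assumptions standing in for your ticketing export and your user-role assignment report.

```python
import csv
import io
from collections import defaultdict

# Job roles the page singles out as needing minimal assignment (tip 1).
HIGH_PRIVILEGE = {"Application Implementation Consultant", "IT Security Manager"}

# Constructed sample data; column names are assumptions, not an Oracle export format.
APPROVED_CSV = """ticket,username,job_role,approver
REQ-101,USERNAME_G,Job Role A,it.owner
REQ-101,USERNAME_G,Job Role B,it.owner
REQ-101,USERNAME_G,Job Role C,it.owner
REQ-102,JACK,Job Role A,
"""
ASSIGNED_CSV = """username,job_role
USERNAME_G,Job Role A
USERNAME_G,Job Role B
USERNAME_G,IT Security Manager
JACK,Job Role A
DIANE,Application Implementation Consultant
"""

def load(text, require_approver=False):
    """Return {username: set(job_role)}; optionally keep only approved rows."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        if require_approver and not row["approver"].strip():
            continue  # a request without recorded approval grants nothing
        roles[row["username"].strip().upper()].add(row["job_role"].strip())
    return roles

def reconcile(approved_text, assigned_text):
    """Compare assigned roles with approved requests and list every mismatch."""
    approved = load(approved_text, require_approver=True)
    assigned = load(assigned_text)
    findings = []
    for user in sorted(set(approved) | set(assigned)):
        for role in sorted(assigned[user] - approved[user]):
            kind = "UNAPPROVED_HIGH_PRIVILEGE" if role in HIGH_PRIVILEGE else "UNAPPROVED"
            findings.append((user, role, kind))
        for role in sorted(approved[user] - assigned[user]):
            findings.append((user, role, "APPROVED_NOT_ASSIGNED"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(APPROVED_CSV, ASSIGNED_CSV):
        print(*finding, sep=" | ")
```

A request row with an empty approver column is treated as not approved, so the role it names shows up as a finding if it was assigned anyway.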
These are just a few tips for securing your Oracle Cloud Application.