In recent years, the increased accessibility of corporate data and business information via the Internet has been accompanied by corresponding security threats. Every system is vulnerable to hackers. Some of these hackers are criminals; some are pranksters. Either way, they can wreak havoc with corporate software and data.
Careful security planning and implementation are a key part of systems management. You need to control access to your corporate applications and protect both the applications and their underlying data from harm caused by malicious outsiders and careless insiders alike. Securing the Oracle Application Server environment is a multipronged effort, requiring that you consider security in all parts of your overall Oracle component infrastructure: the Oracle Application Server, the database, and any E-Business Suite applications deployed in your environment. In implementing a secure solution, you also need to take non-Oracle components into account. For example, you should analyze the security of your web browsers, assess underlying operating system vulnerabilities, determine whether your configuration requires a firewall, and investigate the need for virtual private networks (VPNs).
This chapter focuses on how to implement Oracle Application Server as part of a secure infrastructure. We describe components of the Oracle Application Server security framework that provide both the security and the identity management needed for centralized user management and support for complex password management policies. We conclude the chapter by briefly describing approaches and architectures for secure deployment.
- Access control
- Accountability and intrusion detection
- Data protection
In managing Oracle Application Server, your security goal should be to deploy the product in such a way that it can pass an independent security assessment. In such a secure deployment, you also need to consider coding practices, eliminate single points of failure in the security mechanism, set minimal privileges as a default, and enable intrusion detection to limit damage from security breaches. Those are extensive security topics that go well beyond the scope of this chapter. See the Appendix, however, for additional sources of security information.