Minimizing Risks by Default
The ultimate aim of Oracle’s product security effort is to ensure that deployed instances of Oracle products are secure. The open architecture of Oracle products provides customers with great flexibility in how Oracle products are deployed and used. With Oracle Software Security Assurance, Oracle also ensures that it is as easy as possible to use Oracle products securely regardless of the technical choices made during their initial deployment. Oracle has put a great deal of effort into developing powerful, robust security mechanisms within its products, and the company wants to make sure that customers fully leverage these security features. Two related programs serve that purpose:
The Secure Configuration program ensures that the Oracle products install, out of the box, into a secure state.
The Security Guides program ensures that all Oracle products have comprehensive documentation on configuring and using the products securely.
When customers transition software systems from development and testing to production environments, they typically subject them to a process known as “hardening.” The objective of hardening is to reduce a production system’s exposure to attack. This generally involves securing the underlying networks and platforms, restricting user privileges, removing unneeded functionality, and closing off nonessential modes of access to the system, such as unused default user accounts or network ports. Oracle’s Secure Configuration Program is focused on ensuring that products provide an optimal security posture out of the box, with little or no effort required by customers to further “harden” these products. As part of this program, Oracle develops guidelines for secure product configuration and works with its product development teams to implement these enhancements in new versions of its products. These guidelines are based in part on the standard security benchmarks developed by third-party organizations, in particular the Center for Internet Security (CIS), in which Oracle is an active participant. Default configurations for improved security must be phased in over time in order to ease the impact on customers and partners who have built applications, or have established security policies and practices, based on earlier defaults.
Oracle has published a number of Security Guides to explain how to install and use Oracle products securely. These guides include specific information on how to enable security features, such as Transport Layer Security, as well as more open-ended guidance on the security implications of configuration choices. Security Guides are product-specific, but they also provide recommendations on how to configure a secure environment in which to use the product.
The following topics are examples of areas that are generally discussed in a Security Guide.
Pre-Installation Security covers measures that can be taken to secure the underlying platform.
Installation Security describes the implications of any security choices that can be made during the installation.
Post-Installation Security focuses on configuring the security features of the product.
Secure Configuration Utilities
Oracle has developed a number of tools to assist customers in identifying specific areas in which their product implementations do not comply with best-practice recommendations (for example, the continued use of default passwords for default accounts). When appropriate, such tools are made available with Critical Patch Update (CPU) releases. In addition, Premier Support customers can use the various health checks available on the My Oracle Support portal to identify deviations of their systems from Oracle’s recommended configuration guidelines.
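The default-password check mentioned above is the kind of thing a practitioner can also run by hand. The following is an added example, not one of Oracle’s own utilities or anything from this page: it assumes an Oracle Database (11g or later) where the data-dictionary views DBA_USERS and DBA_USERS_WITH_DEFPWD exist, and a session with privileges to query them. The first query lists open accounts whose password still matches a known Oracle default; the second generates remediation statements for review rather than executing them.

```sql
-- Added example (not Oracle's tooling). Assumes Oracle Database 11g+ and
-- SELECT privilege on DBA_USERS and DBA_USERS_WITH_DEFPWD.

-- 1. Accounts that still use a default password and are not locked.
--    DBA_USERS_WITH_DEFPWD lists users whose password hash matches a
--    default Oracle supplies for that account; joining to DBA_USERS adds
--    the lock/expiry state so already-locked accounts can be filtered out.
SELECT u.username,
       u.account_status,
       u.profile,
       u.created
  FROM dba_users u
  JOIN dba_users_with_defpwd d
    ON d.username = u.username
 WHERE u.account_status NOT LIKE '%LOCKED%'
 ORDER BY u.username;

-- 2. Generate, but do not run, the remediation for each finding.
--    Administrative accounts (SYS, SYSTEM) are excluded here because they
--    must be given a new password rather than locked; every generated
--    statement should be reviewed against the product's Security Guide
--    before it is executed.
SELECT 'ALTER USER "' || u.username || '" PASSWORD EXPIRE ACCOUNT LOCK;'
         AS remediation
  FROM dba_users u
  JOIN dba_users_with_defpwd d
    ON d.username = u.username
 WHERE u.account_status NOT LIKE '%LOCKED%'
   AND u.username NOT IN ('SYS', 'SYSTEM')
 ORDER BY u.username;
```

Run these from SQL*Plus or SQLcl as a privileged user after each installation and after each patch, since a patch can recreate schema accounts. An empty result from the first query is the desired state; any row is a finding that should be traced back to whoever deployed the instance.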