Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2015
E24814-01

Siebel Security Architecture

The components of Siebel security architecture include:

User Authentication for Secure System Access

Siebel Business Applications provide an open authentication architecture that integrates with a customer's selected authentication infrastructure. For more information, see Chapter 5, "Security Adapter Authentication," and Chapter 6, "Web Single Sign-On Authentication." Siebel Business Applications support three types of user authentication. A logical view of each type of authentication is illustrated in Figure 2-1, where each arrow represents a Siebel CRM authentication mechanism:

  1. Database authentication. A database security adapter is provided to support database credential collection and verification of users.

  2. LDAP and ADSI authentication. LDAP and ADSI security adapters are provided to support credential collection and verification of users in an LDAP or ADSI-compliant directory.

  3. Web Single Sign-On (Web SSO). A configurable mechanism for communicating with Web SSO infrastructures is provided, allowing for Siebel user authentication by a third party at the Web-site level.

Figure 2-1 Logical Diagram of User Authentication Methods Within a Siebel Site


Customers can also develop custom security adapters using a security adapter SDK.

The authentication mechanisms illustrated in Figure 2-1 apply whether users access Siebel Business Applications from within a LAN or WAN, or remotely. Additional information on each method of authentication is provided in the following topics.

Security Adapter for Database Authentication

Siebel Business Applications provide a database security adapter mechanism for credential collection and verification. The default login form collects Siebel user name and password credentials. The security adapter works with the underlying security systems of the database to verify users' credentials.

With database authentication, each user must have a valid database account in order to access a Siebel application. The database administrator (DBA) must add all user database accounts. Database authentication deployment supports password hashing for protection against hacker attacks.

Any Siebel application can use database authentication, which is configured as the default. However, some functionality provided by Siebel Business Applications, such as workflow processes that support user self-registration or forgotten-password scenarios (capabilities commonly used in customer applications), requires authentication using LDAP or ADSI security adapters. For this reason, database authentication is rarely used with customer applications.


Note:

The exact valid character set for a Siebel user name and password depends on the underlying authentication system. For database authentication, refer to documentation from your RDBMS vendor.

Security Adapters for LDAP and ADSI Authentication

For employee or customer applications, Siebel Business Applications include a preconfigured security adapter interface to allow organizations to externalize credential verification in an LDAP or ADSI-compliant directory. The interface connects to a security adapter, which contains the logic to validate credentials to a specific authentication service.


Note:

The exact valid character set for a Siebel user name and password depends on the underlying authentication system. For LDAP or ADSI authentication, refer to documentation from your vendor, such as one of those listed below.

Siebel Business Applications customers can therefore verify user credentials with security standards such as LDAP or ADSI.

Siebel CRM provides security adapters for leading authentication services:

  • LDAP security adapter integration is supported for directory servers that are compliant with the LDAP 3.0 standard.

  • ADSI security adapter integration is certified and supported for Microsoft Active Directory.

For information about third-party LDAP directory servers supported or validated for use with Siebel Business Applications, see "Directory Servers Supported by Siebel Business Applications". You can also build security adapters to support a variety of authentication technologies. For information on custom security adapters, see "Security Adapter SDK".

Web Single Sign-On

Siebel Business Applications offer customers the capability of enabling a single login across multiple Web applications; this is known as Web Single Sign-On (SSO). Siebel Business Applications provide a configurable mechanism for communicating with Web SSO infrastructures, identifying users, and logging users into the Siebel application.

With Web SSO, users are authenticated independently of Siebel Business Applications, such as through a third-party authentication service, or through the Web server.


Note:

The exact valid character set for a Siebel user name depends on the underlying authentication system. For Web SSO, refer to documentation from your vendor.

Security Adapter SDK

Oracle offers the Siebel Security Adapter Software Developers Kit (SDK) to allow companies to build additional security adapters. Such additional adapters can support other authentication technologies such as digital certificates, biometrics, or smart cards.

For example, a security adapter might be created for a portable device that provides users with a key that changes at frequent intervals. When a security adapter for this device is deployed, the user can gain access to the Siebel application only by supplying both the currently displayed key and the user's password or other credentials.

The security adapter interface is critical to the Siebel architecture because, for most Siebel Business Applications customers, authentication has become an enterprise decision, rather than an application-specific decision. The authentication service can be a shared resource within the Enterprise, thereby centralizing user administration. The Siebel Security Adapter SDK is described in 476962.1 (Article ID) on My Oracle Support.

End-to-End Encryption for Data Confidentiality

Stored data can be selectively encrypted at the field level, and access to this data can be secured. In addition, data can be converted into an encrypted form for transmission over a network. Encrypting communications safeguards such data from unauthorized access. Transmitted data must be protected from intrusive techniques (such as sniffer programs) that can capture data and monitor network activity.

End-to-end encryption protects confidentiality along the entire data path: from the client browser, to the Web server, to the Siebel Server, to the database, and back. Figure 2-2 shows the types of encryption available for communications within the Siebel environment.

Figure 2-2 Encryption of Communications in the Siebel Environment


Communications encryption is available between the following:

  1. Client Browser to Web Server. Siebel Business Applications run using the Siebel Web Client in a standard Web browser. When a user accesses a Siebel application, a Web session is established between the browser and the Siebel Server, with the Web server in between. To protect against session hijacking when sensitive data is transmitted, it is recommended that you use the TLS protocol for communications between the browser and Web server, if support for this protocol is provided by your Web server.

    The SWSE can be configured to allow only URLs that use TLS over HTTP (HTTPS protocol) to access views in a Siebel application in the following scenarios:

  2. Web Server to Siebel Server. Siebel Business Applications components communicate over the network using a Siebel TCP/IP-based protocol called SISNAPI (Siebel Internet Session API). Customers have the option to secure SISNAPI using TLS or embedded encryption from RSA or Microsoft Crypto APIs. These technologies allow data to be transmitted securely between the Web server and the Siebel Server. For more information, see "Process of Configuring Secure Communications".

  3. Siebel Server to Database. For secure transmission between the database and the Siebel Server, data can be encrypted using the proprietary security protocols specific to the database that a customer is using.

  4. Database Storage. Siebel Business Applications allow customers to encrypt sensitive information stored in the database so that it cannot be viewed without access to the Siebel application. Customers can configure Siebel Business Applications to encrypt data before it is written to the database and decrypt the same data when it is retrieved. This prevents attempts to view sensitive data directly from the database. Siebel Business Applications support data encryption using AES algorithms. For more information, see "About Data Encryption".

About Controlling Access to Data

Authorization refers to the privileges or resources that a user is entitled to within Siebel Business Applications. Even among authenticated users, organizations generally want to restrict visibility to operating system data. Siebel Business Applications use two primary access-control mechanisms:

  • View-level access control to manage which application functions a user can access.

  • Record-level access control to manage which data items are visible to each user.

Access control provides Siebel customers with a unified method of administering access to many content items for many users. For more information, see Chapter 9, "Configuring Access Control."

View-Level Access Control

Organizations are generally arranged around functions, with employees being assigned one or more functions. View-level access control determines what parts of the Siebel application a user can access, based on the functions assigned to that user. In Siebel Business Applications, these functions are called responsibilities.

Responsibilities define the collection of views to which a user has access. An employee assigned to one responsibility might not have access to parts of the Siebel Business Applications associated with another set of responsibilities. For example, typically a system administrator has the ability to view and manage user profiles, while other employees do not have this ability. Each user's primary responsibility also controls the user's default screen tab layout and tasks.

Record-Level Access Control

Record-level access control assigns permissions to individual data items within an application. This allows Siebel customers to authorize only those authenticated users who need to view particular data records to access that information.

Siebel Business Applications use three types of record-level access: position, organization, and access group. When a particular position, organization, or access group is assigned to a data record, only employees who have been assigned that position, organization, or access group can view that record.

  • A position represents a place in the organizational structure, much like a job title. Typically, a single employee occupies a position; however, it is possible for multiple employees to share a position. Position access allows you to classify users so that the hierarchy between them can be used for access to data.

    For example, a supervisor would have access to much of the data that a subordinate has access to; the same applies to others who report to the same manager.

  • Similarly, an organization, such as a branch of an agency or a division of a company, is a grouping of positions that map to the physical hierarchy of a company. Those employees assigned to a position within a certain organization are granted access to the data that has been assigned to that organization. Visibility to data can be set up to restrict employees from accessing data outside their own organization.

  • An access group is a less-structured collection of users or group of users, such as a task force. Groups can be based on some common attribute of users, or created for a specific purpose, pulling together users from across different organizations and granting them access to the same data.
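The three record-level mechanisms above, worked through in a constructed Python model that is an added example rather than Siebel code: the positions, organizations, access groups and employees are hypothetical, and a supervisor is given visibility down the reporting chain as the position bullet describes.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed, simplified model of the record-level visibility rules described
# above (position, organization, access group). Hypothetical names, not Siebel code.

@dataclass(frozen=True)
class Position:
    name: str
    organization: str
    reports_to: Optional[str] = None  # supervising position, if any

@dataclass(frozen=True)
class Record:
    position: Optional[str] = None      # position the record is assigned to
    organization: Optional[str] = None  # organization it is assigned to
    access_group: Optional[str] = None  # access group it is assigned to

class Directory:
    def __init__(self, positions, holders, access_groups):
        self.positions = {p.name: p for p in positions}  # name -> Position
        self.holders = holders              # position name -> employees
        self.access_groups = access_groups  # group name -> employees

    def positions_of(self, employee):
        return {n for n, emps in self.holders.items() if employee in emps}

    def chain_of_command(self, position):
        """Yield a position and every position above it in the hierarchy."""
        while position is not None:
            yield position
            position = self.positions[position].reports_to

def visibility(d, employee, record):
    """Return the mechanism that lets employee see record, or None."""
    held = d.positions_of(employee)
    if record.position is not None:
        if record.position in held:
            return "position"
        # A supervisor anywhere above the assigned position also sees it.
        if held.intersection(d.chain_of_command(record.position)):
            return "position (supervisor)"
    if record.organization in {d.positions[p].organization for p in held}:
        return "organization"
    if employee in d.access_groups.get(record.access_group, set()):
        return "access group"  # access groups cut across organizations
    return None

def demo():
    d = Directory(
        positions=[Position("VP Sales", "Sales"),
                   Position("Sales Manager", "Sales", reports_to="VP Sales"),
                   Position("Sales Rep", "Sales", reports_to="Sales Manager"),
                   Position("Support Rep", "Support")],
        holders={"VP Sales": {"vera"}, "Sales Manager": {"mark"},
                 "Sales Rep": {"rita"}, "Support Rep": {"sam"}},
        access_groups={"Launch Task Force": {"rita", "sam"}})
    records = (Record(position="Sales Rep"), Record(organization="Sales"),
               Record(access_group="Launch Task Force"))
    return {e: [visibility(d, e, r) for r in records]
            for e in ("rita", "mark", "vera", "sam")}
```

In the constructed data, the support employee sees the task-force record through the access group alone, while the sales manager and VP see the rep's record only through the reporting chain.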

Support for Auditing in a Siebel Environment

Siebel Business Applications support various degrees of auditing:

  • At the simplest level, each data record has created and last updated fields (when and by whom). With additional configuration, you can generate an activity for additional levels of auditing. This is best used when there are limited needs for auditing, for example, just a few areas to track.

  • Siebel Business Applications can maintain an audit trail of information that tells when business component fields have been changed, who made the change, and what has been changed. It is also possible to maintain an audit trail of when the business component fields have been viewed or exported and who viewed or exported fields. Siebel Audit Trail is a configurable feature that allows users to choose business components and fields to audit, and to determine the scope of the audit.

    Siebel customers can choose to audit all activity, or to limit the scope of auditing to those operations performed by certain responsibilities, positions, or employees. Siebel Business Applications also allow customers to audit specific data fields or objects.

  • Using Siebel Workflow, you can configure workflow processes to save information on changes to specific business components.

  • You can attach scripts to the business component Write_Record event and save information about the transaction.

  • Siebel customers can use database auditing that is included with all supported databases. All vendors support high levels of audits: B3 or C2 Orange book levels. (Database auditing requires a security person to review the audit information.)

    If you implement a shared database account with LDAP, ADSI, or Web Single Sign-On authentication mechanisms, then database auditing cannot provide detailed information about an individual user's database access. For additional information, see "Configuring the Shared Database Account".

Secure Physical Deployment to Prevent Intrusion

Access to the physical devices that host Siebel Business Applications must be protected. If these devices are compromised, then the security of all applications on the computer is at risk. Utilities that provide computer-level security, by either enforcing computer passwords or encrypting the computer hard drive, can be used and are transparent to the Siebel application.

In Siebel application deployments, the Web server resides in the demilitarized zone (DMZ). Clients outside the firewall access the Web server and the Siebel Server through a secure connection.

  • In employee application deployment, clients as well as servers often reside behind a firewall.

  • In customer or partner application deployment, or in employee application deployment where employees accessing the application are outside of the firewall, the Siebel Server is deployed behind an additional firewall.

Siebel Business Applications also support reverse proxy configuration to further enhance the DMZ security. Increasingly, firewall vendors offer virtual private network (VPN) capabilities. VPNs provide a protected means of connecting to the Siebel application for users (such as employees) who require remote access.

Siebel Business Applications work with leading third-party vendors to provide additional physical security measures, such as attack prevention, data back-up, and disaster recovery. For example, HTTP load balancing protects against denial-of-service attacks by handling TCP connections and catching incoming attacks before they reach the Siebel Server. Furthermore, only one IP address and one port have to be opened on the firewall between the Web server and the Siebel Server.

The architecture of Siebel Business Applications takes advantage of high availability technologies, such as Microsoft Cluster Services, which allow multiple computers to function as one by spreading the load across multiple systems. High availability technologies address the need for failover and catastrophic recovery management. For more information, see Siebel Deployment Planning Guide. For information about security issues related to the physical deployment of Siebel components, see Siebel Security Hardening Guide.

Security for Mobile Solutions

Oracle provides a suite of mobile solutions that allow remote access to data within Siebel Business Applications. These solutions support a variety of mobile devices, including tablets, smart phones, handhelds, and laptop computers (running Siebel Mobile Web Client).

Oracle provides security for customers using these devices to access Siebel Business Applications, and works with alliance partners for other types of mobile devices.

  • For information about security issues for Siebel Business Applications accessed from a browser on a mobile device, see Siebel Mobile Guide: Connected and Siebel Mobile Guide: Disconnected.

  • For information about security issues for Siebel Mobile Web Client, which can be installed on mobile devices such as laptop computers, see "Configuring Encryption for Mobile Web Client Synchronization" and "About Authentication for Mobile Web Client Synchronization". Siebel Remote and Replication Manager Administration Guide provides additional information on Mobile Web Client security measures.

  • For information about security issues for Siebel Wireless applications, see Siebel Wireless Administration Guide.

  • For information about security issues for Siebel Handheld applications, see documentation for particular Siebel Business Applications that use the Siebel Handheld client on Siebel Bookshelf.

Secure Real-Time Wireless Communications

Siebel Wireless provides real-time wireless access to Siebel Business Applications through browser-enabled mobile devices. Siebel Wireless views rendered in XML or HTML are sent through the Web server on which the Siebel Web Server Extension (SWSE) is installed to a wireless network, and ultimately to the requestor's browser-enabled wireless device.

In this enterprise solution, the Web server and the Siebel Server reside within the firewall of the Siebel customer, thereby protecting data security. Standard protocols are used to secure browser-based data transmissions across the wireless network.

Multiple methods of securing the data are available, including the Wireless Transport Security Layer for wireless devices and third-party products.

Mobile Device User Authentication

Mobile devices themselves must be secure. If a wireless or handheld device falls into the wrong hands, then organizations need assurance that sensitive data will not be compromised. Siebel Business Applications are fully compatible with the embedded security within these devices, as authentication is generally a device-level decision, rather than an application-specific one.

Security Settings for the Web Browser

Certain features and functions in Siebel Business Applications work in conjunction with security or other settings on the Web browser. Detailed information about the browser settings used in deploying Siebel clients is provided in Siebel System Administration Guide. For information about the Web browsers supported for high interactivity clients, and for information about the browser standards required for Siebel Open UI, see the Certifications tab on My Oracle Support and "About Siebel Open UI". For more information about settings in your Web browser, see the documentation for your browser.