Siebel CRM Siebel Security Guide Siebel Innovation Pack 2017, Rev. A E24814-01 |
This topic provides introductory information about securing Oracle's Siebel Business Applications and the infrastructure and environment in which they operate. It includes the following topics:
To secure your Siebel Business Applications environment, you must understand the security threats that exist and the typical approaches used by attackers. This understanding helps you to identify the correct countermeasures that you must adopt. The common security threats include:
Computer viruses (malware)
Code injection
SQL injection
Cross-site scripting (XSS)
Denial of service attacks (DoS)
The following practices can make your applications vulnerable to malicious attacks:
Using weak passwords
Moving data between applications, computers, and sites
Allowing information leaks
Allowing nonsecure coding practices when configuring Siebel Business Applications
Monitor security sites for information on newly discovered vulnerabilities affecting third-party components or applications that are integrated with Siebel Business Applications software. Well-known Web sites that publish information on security incidents, vulnerabilities, and patches include the following:
www.cert.org
www.sans.org
www.insecure.org
www.cisecurity.org
www.securityfocus.com (hosts the Bugtraq mailing list)
Perform security risk assessments regularly to identify possible security vulnerabilities in your environment, then address any issues. For information on this task, see "Performing Security Testing". For general information on preventing security attacks and vulnerabilities in your environment, see "General Security Recommendations".
Align the policies you create to secure your Siebel Business Applications environment with the overall security policies and principles adopted by your organization. Some of the general policies recommended to help protect your Siebel Business Applications deployment and infrastructure include the following:
Restricting network access
Following the principle of least privilege when setting up access controls
Monitoring activity by enabling a minimum level of logging (auditing and reviewing)
Keeping up-to-date with the latest security information
Configuring accounts securely, including securing session management
Setting security parameters
Running security-maintenance reports regularly
Enforcing secure coding practices, for example, data validation, when creating custom code and scripts
Encrypting Web and network communications and sensitive data in the Siebel database, for example, credit card numbers and passwords
Installing approved enterprise-wide antivirus software to protect servers and workstations, and updating virus pattern files on a periodic and emergency basis as recommended by the vendor
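The following added example (not code from the Siebel Security Guide or from Siebel Business Applications themselves) illustrates two items from this topic together: the SQL injection threat listed earlier and the data validation that the secure coding practice above requires in custom code and scripts. It uses an in-memory SQLite table as a stand-in for a CRM contact table; the table, its rows, the injection payload, and the allowlist pattern for a last name are all constructed for the example and are not Siebel schema or policy.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny contact table, not a Siebel schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact (id INTEGER PRIMARY KEY, last_name TEXT, "
        "email TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO contact (last_name, email, owner) VALUES (?, ?, ?)",
        [
            ("Smith", "smith@example.com", "alice"),
            ("Jones", "jones@example.com", "bob"),
            ("Lee", "lee@example.com", "alice"),
        ],
    )
    return conn


def find_contacts_vulnerable(conn, owner, last_name):
    """Builds the WHERE clause by string concatenation, so a caller-supplied
    last_name becomes part of the SQL text. This is the pattern to avoid."""
    sql = (
        "SELECT last_name, email FROM contact WHERE owner = '" + owner
        + "' AND last_name = '" + last_name + "'"
    )
    return conn.execute(sql).fetchall()


# Assumed allowlist for a last name: letters, apostrophe, hyphen, space,
# at most 80 characters. Adjust to the data you actually store.
LAST_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,79}$")


def validate_last_name(value):
    """Reject anything outside the allowlist before it reaches the database."""
    if not LAST_NAME_RE.fullmatch(value):
        raise ValueError("last_name rejected by allowlist")
    return value


def find_contacts_safe(conn, owner, last_name):
    """Validates input, then binds it as a parameter so the database never
    interprets it as SQL. Both layers are needed: validation limits what
    reaches the query, parameterization makes the remainder inert."""
    last_name = validate_last_name(last_name)
    sql = "SELECT last_name, email FROM contact WHERE owner = ? AND last_name = ?"
    return conn.execute(sql, (owner, last_name)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"   # constructed injection payload
    print("vulnerable:", find_contacts_vulnerable(db, "alice", payload))
    try:
        find_contacts_safe(db, "alice", payload)
    except ValueError as exc:
        print("safe:", exc)
    # A legitimate name with a quote is harmless under parameter binding
    # but breaks the concatenated query, which is a second reason to bind.
    print("safe, O'Brien:", find_contacts_safe(db, "alice", "O'Brien"))
```

With the payload, the concatenated query becomes `... WHERE owner = 'alice' AND last_name = 'x' OR '1'='1'` and returns every contact regardless of owner, while the safe version rejects it before any SQL runs. The same name containing an apostrophe ("O'Brien") raises a syntax error in the concatenated version and simply returns no rows in the parameterized one.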
Implement a patch management process to make sure that all the software in your environment is updated with the latest software versions and security patches. You must make sure all updates and patches for Siebel Business Applications are applied. Also make sure that all updates are applied for the other software that is required to run Siebel Business Applications, but that is not shipped by Oracle. Some examples include your operating system software and browser software.
Oracle uses critical patch updates to release security patches for all its applications, including Siebel Business Applications. Critical patch updates are issued each quarter and consist of multiple security fixes in one patch.
For a list of the latest critical patch updates and security alerts for Siebel Business Applications available from Oracle, and for information on security vulnerabilities fixed in a critical patch update, go to the Oracle Critical Patch Updates and Security Alerts Web site at
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Oracle provides information about product security vulnerabilities only as part of the critical patch update or Security Alert notification process.
Siebel Business Applications adhere to a range of common industry standards relating to security so that customers can choose a security infrastructure that best suits their specific business needs. For a list of the technical standards supported with Siebel Business Applications, see "Industry Standards for Security".
Siebel Business Applications also support the following standards:
Payment Card Industry Data Security Standard (PCI DSS)
Common Criteria for Information Technology Security Evaluation (Common Criteria) standard
Federal Information Processing Standard (FIPS) 140
For information about Siebel Business Applications support for the PCI DSS, Common Criteria, and FIPS standards, see "Supported Security Standards".
Note: Siebel Business Applications do not provide a client that supports the Security Assertion Markup Language (SAML) standard.
Siebel Business Applications are developed and maintained in accordance with the Oracle Software Security Assurance program, which incorporates security best practices in the following areas:
Secure development process
Critical patch updates
External security validations
Security information and best practices
For further information on the Oracle Software Security Assurance program, go to
It is strongly recommended that you implement Transport Layer Security (TLS) encryption for all of the following services and communication paths in a Siebel CRM implementation:
For communications between the Siebel Web Client (browser) and the Siebel Web server.
For communications between the Siebel Web server and Siebel Server.
For communications between other Siebel Enterprise components, for example, between Siebel Server and the Siebel Application Interface on the Web server, or between Siebel Servers.
For communications between an LDAP security adapter and a directory server.
For communications using the Siebel Business Applications external interfaces (EAI), which use Web services to send and receive messages over HTTP.
For communications between Siebel Server and an email server, that is, the SMTP, IMAP, and POP3 sessions that Siebel Server opens to send and receive mail.
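Planning TLS for each path is only half the job; a practitioner also wants to confirm that each endpoint actually negotiates an acceptable TLS version and cipher with a certificate that validates. The following added example (not code from the Siebel Security Guide or from Oracle) is a small audit script for that purpose. The endpoint inventory is constructed for the example with placeholder hostnames, the ports are the standard TLS-on-connect ports for HTTPS, LDAPS, SMTPS, IMAPS, and POP3S, and the TLS 1.2 floor and the weak-cipher list are assumed policy, not values taken from this guide.

```python
import socket
import ssl
from dataclasses import dataclass

# Constructed inventory of TLS-on-connect paths from the list above.
# Hostnames are placeholders, not a real Siebel deployment.
ENDPOINTS = [
    ("web client -> Siebel Web server (HTTPS)", "ai.example.internal", 443),
    ("Siebel Server -> LDAP directory (LDAPS)", "ldap.example.internal", 636),
    ("Siebel Server -> email server (SMTPS)", "mail.example.internal", 465),
    ("Siebel Server -> email server (IMAPS)", "mail.example.internal", 993),
    ("Siebel Server -> email server (POP3S)", "mail.example.internal", 995),
]

MIN_VERSION = "TLSv1.2"  # assumed policy floor for this example
LEGACY_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Assumed deny-list of substrings that mark an unacceptable cipher suite name.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "ANON")


@dataclass
class Finding:
    path: str
    ok: bool
    detail: str


def classify_handshake(version, cipher):
    """Pure policy check on a negotiated (version, cipher) pair."""
    if not version:
        return False, "no TLS negotiated"
    if version in LEGACY_VERSIONS:
        return False, f"{version} below policy floor {MIN_VERSION}"
    upper = cipher.upper()
    for marker in WEAK_CIPHER_MARKERS:
        if marker in upper:
            return False, f"weak cipher {cipher}"
    return True, f"{version} {cipher}"


def probe_tls(host, port, timeout=5.0):
    """Connect, complete a verified TLS handshake, return (version, cipher).
    Certificate and hostname verification are on by default; a failure
    raises ssl.SSLError (a subclass of OSError)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def audit(endpoints, probe=probe_tls):
    """Probe every path; a failed handshake (refused, timeout, bad cert,
    version below the floor) is itself a failing finding, not an exception."""
    findings = []
    for path, host, port in endpoints:
        try:
            version, cipher = probe(host, port)
        except OSError as exc:
            findings.append(Finding(path, False, f"handshake failed: {exc}"))
            continue
        ok, detail = classify_handshake(version, cipher)
        findings.append(Finding(path, ok, detail))
    return findings


if __name__ == "__main__":
    for finding in audit(ENDPOINTS):
        print("PASS" if finding.ok else "FAIL", finding.path, finding.detail)
```

Run it from a host that can reach the endpoints and treat every FAIL line as an item for the risk assessment. The probe only covers services that start TLS immediately on connect; SMTP on port 587 with STARTTLS, and the Siebel-internal connections between Siebel Servers, need a protocol-aware check instead. The `probe` argument to `audit` exists so the policy logic can be exercised offline with recorded handshake results.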
For more information, see "Securing the Network and Infrastructure" which includes information about the following:
"Enabling Encryption Between the Web Client Browser and Web Server"
"Enabling Encryption Between the Web Server and Siebel Server"
"About Using TLS with Siebel Enterprise Application Integration (EAI)"
For additional information, see the following chapters:
For more information on the support for TLS encryption provided by Siebel CRM, see 1944467.1 (Article ID) on My Oracle Support.
Note: To ensure that you are using the highest level of security, download and install the latest Innovation Pack and patchset release, which contain the latest security-related fixes. For more information, see Siebel Installation Guide for the operating system you are using and Siebel Patchset Installation Guide for Siebel CRM (1614310.1 Article ID on My Oracle Support).