Siebel CRM Siebel Security Guide
Siebel Innovation Pack 2017, Rev. A
E24814-01

Securing the Siebel Database

This topic outlines recommendations for securing your Siebel database after you have performed the security procedures prescribed by your database vendor. For information on these procedures, refer to your relational database management system documentation. Information about the following is included in this topic:

  • Restricting Access to the Siebel Database

  • Reviewing Authorization Policies

  • Protecting Sensitive Data in the Siebel Database

  • Maintaining Database Backups

Restricting Access to the Siebel Database

Sensitive user information, such as credit card numbers, customer details, email IDs, and so on, is usually stored in the database that an application is using. It is important to classify the data that is stored in the database and to implement a role-based access system.

Define stringent policies for Siebel database access both at the account-login level and at the network-visibility level. Assign system accounts for root usage and remote access to the server only to authorized users, for example, approved database administrators (DBAs).

Define access rules so that general users cannot log in to the Siebel database directly and execute queries. Follow these guidelines for the operating systems:

  • Windows. Add all general users to the Public group in the Siebel database and assign appropriate rights.

  • UNIX. Do not grant database administrator privileges to general users.

For additional information, see your RDBMS documentation.
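As an added illustration of the account-level policies above (example SQL written for this page, not configuration taken from the Siebel Security Guide or from the Siebel product), the following Oracle statements separate an application account from a read-only reporting account, put interactive accounts under a restrictive profile, and check who holds DBA. The schema owner SIEBEL, the accounts SIEBAPP and ANALYST1, the role and profile names, and the table names are assumptions.

```sql
-- Added example, not from the Siebel Security Guide. Schema owner SIEBEL,
-- accounts SIEBAPP and ANALYST1, and the table names are assumptions.
-- Run as a DBA on an Oracle database.

-- 1. A role that carries only the privileges the application tier needs:
--    connect, and DML on the application tables it actually uses.
CREATE ROLE siebel_app_role;
GRANT CREATE SESSION TO siebel_app_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON siebel.s_contact TO siebel_app_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON siebel.s_opty    TO siebel_app_role;
GRANT siebel_app_role TO siebapp;

-- 2. A read-only role for reporting users: no DML, no DBA privileges,
--    no access to tables outside the approved list.
CREATE ROLE siebel_readonly_role;
GRANT CREATE SESSION TO siebel_readonly_role;
GRANT SELECT ON siebel.s_contact TO siebel_readonly_role;
GRANT siebel_readonly_role TO analyst1;

-- 3. A profile for interactive accounts: caps concurrent sessions,
--    disconnects idle sessions (minutes), and locks after repeated failures.
CREATE PROFILE siebel_user_profile LIMIT
  SESSIONS_PER_USER     3
  IDLE_TIME             30
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME    90;
ALTER USER analyst1 PROFILE siebel_user_profile;

-- 4. Take back PUBLIC grants on packages that reach the file system or the
--    network, so an ordinary login cannot use them. Test in a non-production
--    database first: some tooling depends on these packages.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http FROM PUBLIC;

-- 5. Periodic checks: who holds DBA, and who can log in or read any table.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'DBA';

SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE SESSION', 'SELECT ANY TABLE')
 ORDER BY grantee;
```

The two SELECT statements at the end are the ones worth scheduling: any grantee appearing there that is not on the approved DBA list, or any reporting account that has picked up SELECT ANY TABLE, is a policy violation to investigate.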

Reviewing Authorization Policies

Implement the following recommendations:

  • Restrict access to SQL trace and log files.

    In a production environment, do not run Siebel Business Applications with a high level of logging; for example, use log level 2 rather than 5.

  • Restrict remote access to the operating system, such as through Telnet (Terminal Network), and restrict remote-access diagnostic programs.

  • Limit access to the data dictionary files; these files store metadata about schema definitions, visibility rules, and other items.

Protecting Sensitive Data in the Siebel Database

It is recommended that you protect sensitive application data in the Siebel database by encrypting the data. You can choose to encrypt the following:

  • Specific database fields

  • Specific database tables

  • The entire database

Siebel Business Applications support field-level encryption of sensitive information stored in the Siebel database, for example, credit card numbers or national identity numbers. You can configure Siebel Business Applications to encrypt field data before it is written to the Siebel database and decrypt the same data when it is retrieved. This configuration prevents attempts to view sensitive data directly from the Siebel database.

Siebel Business Applications support data encryption using Advanced Encryption Standard (AES). By default, data encryption is not configured. It is recommended that you set data encryption for business component fields using Siebel Tools. For information on encrypting data, see Chapter 4, "Communications and Data Encryption".

When field-level encryption is implemented, data is not decrypted until it is displayed by a user who has the necessary privileges to view the data. The data remains encrypted even when it is loaded into memory, which increases data security. However, using field-level encryption affects performance.

As an alternative to field-level encryption, you can secure sensitive data using products such as the following:

  • Transparent Data Encryption. If you are using a Microsoft or Oracle database with Siebel Business Applications, then you can use the Transparent Data Encryption feature to encrypt data in the Siebel database. Oracle databases support the use of Transparent Data Encryption to encrypt data at the column and tablespace level. Microsoft databases support the use of Transparent Data Encryption to encrypt data at the cell and database level.

    Transparent Data Encryption encrypts data when it is written to the database and decrypts it when it is accessed by Siebel Business Applications. Application pages are decrypted as they are read and are stored in memory in clear text. Because the data is not encrypted when it is being sent to Siebel Business Applications, you must also enable TLS to protect communications between the server and clients. The performance impact of implementing Transparent Data Encryption is minimal.

    If you enable Transparent Data Encryption, then all database file backups are also encrypted. For information about Oracle support for Transparent Data Encryption, go to the Oracle Technology Network Web site at

    http://www.oracle.com/technetwork/database/security/tde-faq-093689.html

    For information about Microsoft support for Transparent Data Encryption, go to the Microsoft MSDN Web site at

    http://msdn.microsoft.com/

  • Oracle Database Vault. If you are using an Oracle database with Siebel Business Applications, then you can use Oracle Database Vault to restrict access to all the schemas and objects in your application database, or to individual objects and schemas by users, including users with administrative access to the database.

    Oracle Database Vault allows you to define a Realm, a protection boundary, around all or some of the objects in your database. The database administrator can work with all the objects within the Realm but cannot access the application data that they contain. This restriction protects your data from insider threats from users with extensive database privileges.

    You can integrate Oracle Database Vault with Transparent Data Encryption without the need for additional configuration. For additional information on Oracle Database Vault, go to the Oracle Technology Network Web site at

    http://www.oracle.com/technetwork/database/options/database-vault/index-085211.html
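The following added example (not from the Siebel Security Guide) shows what the two Oracle options above look like in practice: a column and a tablespace encrypted with Transparent Data Encryption, and a Database Vault realm drawn around the Siebel schema that admits the application account while keeping a DBA away from the data inside it. It assumes Oracle Database 12c or later syntax, a schema owner SIEBEL, an application account SIEBAPP, and the keystore path, table and column names shown; the passwords are placeholders.

```sql
-- Added example, not from the Siebel Security Guide. Schema owner SIEBEL,
-- account SIEBAPP, keystore path, table and column names are assumptions.

-- 1. TDE keystore: create it, open it, and set a master key (12c+ syntax).
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/wallet'
  IDENTIFIED BY "<keystore-password-placeholder>";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<keystore-password-placeholder>";
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<keystore-password-placeholder>" WITH BACKUP;

-- 2. Column-level TDE: encrypt one sensitive column in place.
--    NO SALT is required only if the column is indexed; omit it otherwise.
ALTER TABLE siebel.s_contact
  MODIFY (national_id ENCRYPT USING 'AES256');

-- 3. Tablespace-level TDE: every table moved into this tablespace is
--    encrypted on disk without per-column changes.
CREATE TABLESPACE siebel_data_enc
  DATAFILE '/u01/oradata/SIEBEL/siebel_data_enc01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
ALTER TABLE siebel.s_srv_req MOVE TABLESPACE siebel_data_enc;

-- 4. Verify what is actually encrypted.
SELECT owner, table_name, column_name, encryption_alg
  FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'SIEBEL_DATA_ENC';

-- 5. Database Vault: a realm around every object owned by SIEBEL.
--    Only realm participants may access the data; a DBA can still
--    administer the objects but is stopped from reading or changing rows.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Siebel Application Realm',
    description   => 'Protects Siebel application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Siebel Application Realm',
    object_owner => 'SIEBEL',
    object_name  => '%',
    object_type  => '%');

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Siebel Application Realm',
    grantee       => 'SIEBAPP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 6. Confirm the realm is enabled and covers the schema.
SELECT name, enabled FROM dba_dv_realm;
SELECT realm_name, owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'Siebel Application Realm';
```

Step 5 is the part that addresses the insider threat the text describes: after it runs, a SELECT on siebel.s_contact from a SYSDBA session fails the realm check and is audited, while SIEBAPP continues to work unchanged. TDE and the realm are independent, which is why the guide notes they combine without extra configuration.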

Maintaining Database Backups

Implement the following database backup policies:

  • Back up the Siebel database at regular intervals and store the backups securely for the period required by your organization's retention policies.

  • Limit access to the backups to authorized users.

  • Encrypt Siebel database backups.

  • Secure the devices on which the Siebel database backups are stored.
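An added SQL Server example (not from the Siebel Security Guide) of the last two policies above: a full backup encrypted with a server certificate, a copy of that certificate and its private key kept apart from the backup media so that the backup can actually be restored, and a query that confirms the backup set was encrypted. The database name SIEBELDB, the certificate name, the file paths and the passwords are placeholders. If Transparent Data Encryption is already enabled on the database, its backups are encrypted without this step, as the Transparent Data Encryption section notes; the WITH ENCRYPTION clause here protects backups of a database that is not using TDE.

```sql
-- Added example, not from the Siebel Security Guide. SIEBELDB, the
-- certificate name, file paths and passwords are placeholders.
USE master;
GO

-- 1. Database master key and a certificate used only for backup encryption.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<master-key-password-placeholder>';
CREATE CERTIFICATE SiebelBackupCert
  WITH SUBJECT = 'Siebel database backup encryption';
GO

-- 2. Export the certificate and private key to a location stored separately
--    from the backups themselves. Without this export, a backup taken on
--    this server cannot be restored anywhere the certificate is absent.
BACKUP CERTIFICATE SiebelBackupCert
  TO FILE = 'D:\keys\SiebelBackupCert.cer'
  WITH PRIVATE KEY (
    FILE = 'D:\keys\SiebelBackupCert.pvk',
    ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO

-- 3. Encrypted, checksummed full backup of the Siebel database.
BACKUP DATABASE SIEBELDB
  TO DISK = 'E:\backups\SIEBELDB_full.bak'
  WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = SiebelBackupCert),
       CHECKSUM, COMPRESSION, INIT;
GO

-- 4. Verify: every backup set for SIEBELDB should report an encryptor.
--    A row with NULL key_algorithm is an unencrypted backup to follow up on.
SELECT database_name, backup_start_date, key_algorithm, encryptor_type
  FROM msdb.dbo.backupset
 WHERE database_name = 'SIEBELDB'
 ORDER BY backup_start_date DESC;
GO
```

Access to the exported .cer and .pvk files should be limited in the same way as access to the backups themselves; whoever holds both the backup file and the certificate can restore the data.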