1 Service Controller Security Overview

This chapter provides an overview of how to configure and manage security for Oracle Communications Service Controller.

Basic Security Considerations

The following principles are fundamental to using any application securely:

  • Keep software up to date. This includes the latest product release and any patches that apply to it.

  • Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.

  • Monitor system activity. Establish who should access which system components, and how often, and monitor those components.

  • Install software securely. For example, use firewalls, secure protocols such as SSL and secure passwords.

  • Learn about and use the Service Controller security features. See these sections for details:

    • Configuring Security between Service Controller Components in Service Controller System Administrator's Guide.

    • Securing Credentials with Credential Store in Service Controller System Administrator's Guide.

  • Use secure development practices. For example, take advantage of existing security functionality instead of creating your own application security. See "Implementing Service Controller Security" for more information.

  • Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the "Critical Patch Updates and Security Alerts" Web site:

    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Overview of Service Controller Security

Service Controller relies on these lines of defense against malicious attacks:

  • High-level protection from the individual protocols that it supports. The "Implementing Service Controller Security" chapter goes into detail on how to set up protocol-specific security features.

  • Low-level (packet-based) protection using firewalls that you select, obtain, and configure to use with Service Controller. Every Service Controller implementation is different, and you must assess and obtain firewalls that meet your implementation's needs.

  • Service Controller's built-in security features, such as configurable password strength, and native keystores and truststores for storing credentials. See "Implementing Service Controller Security" for details on how to implement these features.

  • The policies and procedures that you put in place for configurable software security. This chapter provides some guidance for these policies and procedures, but every Service Controller implementation is different, and you must consult your security expert for the best way to completely secure yours.

Oracle Security Documentation

To implement security, Service Controller uses other Oracle products. See the following documents for more information:

  • Oracle Coherence Developer's Guide Release 12.2.1.3.0, section Operational Configuration Elements

  • Oracle Coherence Security Guide Release 12.2.1.3.0

Understanding the Service Controller Environment

When planning your Service Controller implementation, consider the following:

  • Which resources need to be protected?

    • You must protect customer data, such as credit-card numbers.

    • You must protect internal data and traffic, such as billing event traffic.

    • You must protect system components from being disabled by external attacks or intentional system overloads.

  • Who are you protecting data from?

    For example, you must protect your subscribers' data from other subscribers, but someone in your organization might need to access that data to manage it. You can analyze your workflows to determine who needs access to the data; for example, perhaps a system administrator can manage your system components without needing to access the system data.

  • What will happen if protections on a strategic resource fail?

    In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource will help you protect it properly.