1. Security Guide
  2. General Security Principles

General Security Principles

Overall Goals of Security

There are two main thrusts to securing your systems: preventing unauthorized access and keeping the system up and running. Both are important aspects to consider, and both can be compromised by both deliberate acts and accidental failures.

Preventing unauthorized access consists of the following broad pieces:

  • Authentication: is the person or process that is attempting to access the system who or what they say they are?
  • Authorization: is the person or process allowed to be doing what they are attempting to do?
  • Data Access: is the person or process restricted in what data it/they can access?
  • Auditing: is there a way to tell that some aspect of security has been compromised?

Ensuring that the service stays up and running is vitally important, of course, and is therefore an essential part of security. Deliberate attempts to bring a system down are called Denial of Service attacks, and the base components along with the service itself are configured by default to guard against these attacks. Performance problems can also bring a system down, which has the same effect as someone maliciously targeting the system, so this document will on occasion point out ways in which performance can be affected.

Finally, there are security issues that do not fall cleanly into either of these broad categories, but they will be talked about and addressed as well.

General Principals

The following principals are fundamental to any software security plan.

Keep Software Up-to-Date

One of the foundations of good security practice is to keep all software versions and patches up-to-date across the technology stack. The Oracle Fusion Transportation Management Cloud Service will be updated to include any relevant Oracle Critical Patch Updates (CPUs). Oracle releases these Critical Patch Updates four times a year. The Oracle Fusion Transportation Management Cloud Service has three updates a year. These CPUs will be applied to your instances to keep the service as secure as possible. There is nothing a cloud client needs to do to request these CPU patches. However, a cloud client needs to make sure these scheduled updates happen on-time by preparing to thoroughly test their scenarios when their Test instance is updated.

In addition, it is recommended that clients keep any of their custom applications or external systems that interface with their Oracle Fusion Transportation Management Cloud Service patched and up-to-date with any relevant security patches as well.

Follow the Principle of Least Privilege

The principal of least privilege states that users should be given the least amount of privilege to perform their job responsibilities. Over-ambitious granting of responsibilities, roles, grants, etc., especially early on in an organization or during an implementation’s life cycle when there are few people and work needs to be done quickly; can leave an application or cloud services open for abuse. All user access and privileges should be reviewed periodically to determine relevance to current job responsibilities.

Monitor System Activity

System security stands on three pillars: good security protocols, proper system configuration, and system monitoring. Oracle addresses the good security protocols and the proper system configuration pillars in the Oracle Fusion Transportation Management Cloud Service. However, when interfacing to the service with custom applications and external systems, it is the responsibility of the client to use good security protocols and the proper system configuration. Also, auditing and reviewing audit records address this third requirement and is the responsibility of the client. The Oracle Transportation Management service has some degree of monitoring capability. Follow audit advice in this document and regularly monitor audit records.

Keep Up-to-Date on the Latest Security Information

Oracle continually improves its software and documentation. Check this document regularly for revisions as well as the Oracle SaaS Security (https://www.oracle.com/security/saas-security/).

Service Components

The Oracle Fusion Transportation Management Cloud Service is composed of many different applications and components, and these can be used by many different users in a variety of roles. Some of the users will be internal to your company, while others could be external. Data can be exchanged between the applications both internally and to your external systems. Each access path should be looked at individually and decisions should be made appropriately as to what activity will be permitted or blocked, and how controls will be put in place to enforce those decisions.

Whatever you do, make sure to document it, and make sure to keep the document up-to-date! This really cannot be stressed enough, if this is a production system, time will be of the essence, and the time needed to pull together the right people to create one on the fly could be critically detrimental.

Production vs. Pre-Production Environments

Test and Development environments often have data in them that is every bit as important to secure as the real Production data. These systems should be secured as if they were Production systems.