Secure Configurations

Secure configurations for Oracle Financial Services Cloud

User Identity Management

Identity management on the Financial Services Cloud platform is provided by Oracle Cloud Infrastructure Identity and Access Management (OCI IAM). See the Oracle Cloud Infrastructure documentation for the options for configuring OCI IAM and managing user identities in it. OCI IAM also offers several identity federation options, so that services deployed on the Financial Services Cloud platform can take part in a single sign-on (SSO) configuration and cooperate securely with other identity management systems.

User Entitlement Management

Entitlement management for user identities granted access to the Financial Services Cloud platform is provided at three levels:
  • Purchased entitlements are managed by the platform based on the services a customer has purchased. The platform only allows access to endpoints that belong to services the customer has purchased.
  • Coarse-grained entitlements to each customer tenancy are managed through OCI IAM, where access to customer tenancies on the Financial Services Cloud platform is controlled through OCI IAM Application definitions. There is one OCI IAM application per tenancy you have purchased on the platform. Granting a user identity in OCI IAM access to the OCI IAM application for a tenancy also grants it the entitlement to access that tenancy on the Financial Services Cloud platform from the network/web.
  • Fine-grained entitlements to specific service endpoints on the Financial Services Cloud platform are managed through an Entitlement service domain (a group of application interfaces plus a user interface) exposed from the platform itself.
As mentioned above, an OCI IAM application will be set up for each customer tenancy provisioned for you on the Financial Services Cloud platform. By default, new customers are provisioned with three tenancies on the platform:
  • Production
  • Pre-production
  • Non-Production

In addition to the OCI IAM applications, as a convenience, an OCI IAM user group specific to each customer tenancy on the Financial Services Cloud platform will be created and granted access to the tenancy on the platform.

To grant a user the coarse-grained entitlement to log into one of your tenancies on the Financial Services Cloud platform, the user's OCI IAM identity must either be granted access to the OCI IAM application for that tenancy directly, or be added to the OCI IAM user group that has been granted access to that application. A user who does not have access to the OCI IAM application for a customer tenancy cannot access that tenancy on the Financial Services Cloud platform at all. Granting and revoking access to OCI IAM applications in this way is described in the Oracle Cloud Infrastructure documentation.

Fine-grained entitlements can be configured down to the individual service endpoint: access can be granted or revoked per HTTP verb on each service endpoint interface exposed from the platform. See Entitlements Management for the options for configuring fine-grained entitlements.

Follow the Principle of Least Privilege

The principle of least privilege states that users should be given only the minimum privilege (entitlements for access) needed to perform their jobs. Overambitious granting of entitlements, especially early in an organization's life cycle when few people are involved and work needs to be done quickly, can leave an application open to abuse. Entitlements granted to users should therefore be audited periodically against the user's current job responsibilities, and adjusted as needed to follow the Principle of Least Privilege.
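To make the three entitlement levels above concrete, and to show the kind of periodic audit the Principle of Least Privilege calls for, here is an added example. It is not Oracle's code and does not use any platform API; the service, endpoint, tenancy, group and user names, the policy tables and the usage log lines are all constructed for illustration. It models the platform's layered decision (purchased service, then OCI IAM application membership for the tenancy, whether direct or via the per-tenancy group, then per-endpoint HTTP verb grants) as deny-by-default checks, and then reports fine-grained grants that no request in the log has ever exercised.

```python
"""Toy model of the three entitlement levels plus a least-privilege audit.

Added example, not Oracle's code. Every name and table below is hypothetical.
"""
from collections import defaultdict

# --- Level 1: purchased entitlements (managed by the platform) ------------
PURCHASED_SERVICES = {"accounts", "payments"}     # "ledger" was not purchased
ENDPOINT_SERVICE = {                              # hypothetical endpoint -> owning service
    "/accounts": "accounts",
    "/payments": "payments",
    "/ledger": "ledger",
}

# --- Level 2: coarse-grained, one OCI IAM application per tenancy --------
TENANCY_APP = {"prod": "FSC-prod", "preprod": "FSC-preprod", "nonprod": "FSC-nonprod"}
APP_USERS = {"FSC-prod": {"ops.bob"}}                           # granted the app directly
APP_GROUPS = {"FSC-prod": {"FSC-prod-users"}, "FSC-nonprod": {"FSC-nonprod-users"}}
GROUP_MEMBERS = {"FSC-prod-users": {"alice"}, "FSC-nonprod-users": {"alice", "dev.carol"}}

# --- Level 3: fine-grained, per endpoint and HTTP verb (Entitlement service)
FINE_GRAINED = {
    ("prod", "alice"):        {"/accounts": {"GET"}, "/payments": {"GET", "POST"}},
    ("prod", "ops.bob"):      {"/accounts": {"GET"}},
    ("nonprod", "dev.carol"): {"/accounts": {"GET", "POST", "DELETE"}},
}


def has_tenancy_access(user, tenancy):
    """Coarse-grained check: direct grant on the tenancy's app, or via a granted group."""
    app = TENANCY_APP.get(tenancy)
    if app is None:
        return False
    if user in APP_USERS.get(app, set()):
        return True
    return any(user in GROUP_MEMBERS.get(g, set()) for g in APP_GROUPS.get(app, set()))


def authorize(user, tenancy, verb, endpoint):
    """Deny by default: every level must grant before the request is allowed."""
    service = ENDPOINT_SERVICE.get(endpoint)
    if service is None:
        return False, f"unknown endpoint {endpoint}"
    if service not in PURCHASED_SERVICES:
        return False, f"not purchased: {service}"
    if not has_tenancy_access(user, tenancy):
        return False, f"coarse-grained: {user} has no access to tenancy {tenancy}"
    verbs = FINE_GRAINED.get((tenancy, user), {}).get(endpoint, set())
    if verb.upper() not in verbs:
        return False, f"fine-grained: {verb} {endpoint} not granted to {user} in {tenancy}"
    return True, "allowed"


# --- Least-privilege audit: grants never exercised in the access log -------
USAGE_LOG = [  # constructed sample lines: "<tenancy> <user> <verb> <endpoint>"
    "prod alice GET /accounts",
    "prod alice GET /payments",
    "prod ops.bob GET /accounts",
    "nonprod dev.carol GET /accounts",
    "nonprod dev.carol POST /accounts",
]


def unused_grants(log_lines=USAGE_LOG):
    """Return (tenancy, user, verb, endpoint) grants with no matching request in the log."""
    used = defaultdict(set)
    for line in log_lines:
        tenancy, user, verb, endpoint = line.split()
        used[(tenancy, user)].add((verb, endpoint))
    findings = []
    for (tenancy, user), grants in FINE_GRAINED.items():
        for endpoint, verbs in grants.items():
            for verb in sorted(verbs):
                if (verb, endpoint) not in used[(tenancy, user)]:
                    findings.append((tenancy, user, verb, endpoint))
    return sorted(findings)


if __name__ == "__main__":
    for req in [("alice", "prod", "GET", "/accounts"), ("alice", "prod", "DELETE", "/accounts"),
                ("alice", "prod", "GET", "/ledger"), ("dev.carol", "prod", "GET", "/accounts"),
                ("alice", "nonprod", "GET", "/accounts")]:
        print(req, "->", authorize(*req))
    print("unused grants:", unused_grants())
```

Run it directly to see the decisions and the findings. Note that alice is a member of both tenancy groups but has no fine-grained grants in nonprod, so tenancy access alone gets her nothing there. In a real review the usage data would come from the platform's access logs over a meaningful window, and each unexercised grant is a candidate for removal rather than an automatic one.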

Keep Software Current

One of the principles of good security practice is to keep all software versions and patches up to date. To access services on the Financial Services Cloud platform, keep browsers and other consuming web services current so that they support TLS v1.2 or later.

TLS v1.2 is the minimum encryption standard supported by the Financial Services Cloud platform. Requests to interfaces exposed from services on the platform from software that does not meet this level of encryption will be rejected by the platform. In the future the platform's minimum encryption standard will be raised to mitigate vulnerabilities discovered in older encryption standards. Keeping the software you use to access services on the Financial Services Cloud platform as up to date as possible will help ensure that any new minimum encryption standard for the platform does not disrupt your access to the services deployed on it.

Secure Browser Configuration

As stated above, services deployed on the Financial Services Cloud platform are secure by default: they require TLS v1.2 or later and enforce access only for requests that are both authenticated and authorized for the access being attempted. The platform services cannot, however, enforce security in the clients used to access them, such as browsers.

Follow the best practices for securing the browsers used to access services on the Financial Services Cloud platform, such as the guidance published by the US government's Cybersecurity and Infrastructure Security Agency (CISA).

Secure Access to Service APIs

Application Programming Interfaces (APIs) for services on the Financial Services Cloud are exposed as Representational State Transfer (REST) endpoints over HTTPS. These APIs are secure by default: they require TLS v1.2 or later and enforce access only for requests that are both authenticated and authorized via entitlements.

Secure headless (machine-to-machine) authentication to service APIs is available through an OAuth2 API exposed by the platform. It is integrated with OCI IAM, so it also honours any SSO and federation configuration made through OCI IAM.
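As an added example that is not Oracle's code, the client below combines the two requirements above: it refuses anything older than TLS v1.2 (with certificate and hostname verification left on), obtains a bearer token with the standard OAuth2 client_credentials grant (RFC 6749 section 4.4), caches it until shortly before expiry, and then calls a REST endpoint with it. TOKEN_URL, API_BASE, the scope and the client credentials are hypothetical placeholders; the platform's actual token endpoint, grant parameters and scopes are documented in its OAuth2 API, which this page does not detail. The offline transport and its JSON responses are constructed so the example runs without a network; swap in https_transport for real calls.

```python
"""Headless OAuth2 client-credentials login plus a Bearer-authenticated REST call.

Added example, not Oracle's code. TOKEN_URL, API_BASE, scope and credentials
are hypothetical; fake_transport and its responses are constructed for offline use.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

TOKEN_URL = "https://idcs.example.invalid/oauth2/v1/token"   # hypothetical
API_BASE = "https://fsc.example.invalid"                     # hypothetical
REFRESH_MARGIN = 60   # seconds before expiry at which a fresh token is fetched


def make_tls_context():
    """Verify the server chain and hostname; refuse TLS 1.0 and 1.1."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_token_request(client_id, client_secret, scope):
    """POST grant_type=client_credentials with the client authenticated via HTTP Basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )


def parse_token_response(raw, now):
    """Return (access_token, expires_at). Reject non-Bearer tokens and missing fields."""
    doc = json.loads(raw)
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type {doc.get('token_type')!r}")
    return doc["access_token"], now + int(doc["expires_in"])


def build_api_request(path, token, method="GET"):
    """REST call carrying the token as a Bearer credential."""
    return urllib.request.Request(API_BASE + path, method=method,
                                  headers={"Authorization": f"Bearer {token}",
                                           "Accept": "application/json"})


class TokenCache:
    """Reuse one token until REFRESH_MARGIN seconds before it expires."""

    def __init__(self, client_id, client_secret, scope, transport):
        self._creds = (client_id, client_secret, scope)
        self._transport = transport
        self._token, self._expires_at, self.fetches = None, 0, 0

    def token(self, now):
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
            raw = self._transport(build_token_request(*self._creds))
            self._token, self._expires_at = parse_token_response(raw, now)
            self.fetches += 1
        return self._token


def https_transport(req):
    """Real transport: urllib over the TLS 1.2+ verifying context."""
    with urllib.request.urlopen(req, context=make_tls_context(), timeout=30) as resp:
        return resp.read()


def fake_transport(req):
    """Constructed offline stand-in for the token endpoint and one API endpoint."""
    if req.full_url == TOKEN_URL:
        if not req.get_header("Authorization", "").startswith("Basic "):
            return b'{"error":"invalid_client"}'
        return b'{"access_token":"tok-1","token_type":"Bearer","expires_in":3600}'
    if req.get_header("Authorization") == "Bearer tok-1":
        return b'{"accounts":[{"id":"A1"}]}'
    return b'{"error":"unauthorized"}'


def demo(transport=fake_transport):
    """Three token() calls: fetch, cache hit, refetch inside the refresh margin."""
    cache = TokenCache("app-client", "app-secret", "fsc.read", transport)
    t0 = 1_000_000
    cache.token(t0)                # first fetch
    cache.token(t0 + 1800)         # served from cache
    tok = cache.token(t0 + 3541)   # 59 s before expiry: refetched
    body = transport(build_api_request("/accounts", tok))
    return {"fetches": cache.fetches, "accounts": json.loads(body).get("accounts")}


if __name__ == "__main__":
    print(demo())
```

The transport is injected so the same token and request logic runs against the constructed responses here and against a real endpoint via https_transport; the client secret is only ever sent in the Basic header over the verifying TLS context, never as a query parameter.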

The APIs exposed from the platform cannot, however, enforce security in the clients that call them, whether other web services or browsers. Advice on securing every type of web service that might call service APIs on the Financial Services Cloud platform is beyond the scope of this guide. Consult the provider of any web service that will call service APIs on the Financial Services Cloud platform on how to configure it securely, and review the guidance of the US government's Cybersecurity and Infrastructure Security Agency (CISA) on web services integration.