General Security Principles

The following principles are fundamental to using any application securely.

Keep Software Up To Date

One of the principles of good security practice is to keep all software versions and patches up to date. Regularly check My Oracle Support for Critical Patch Updates (CPU) for the OHI execution platform (Oracle Database and Oracle WebLogic application server).

Restrict Network Access to Critical Services

Keep both the OHI application’s middle-tier and database behind a firewall. In addition, configure a firewall between the middle-tier and the database. The firewalls provide assurance that access to these systems is restricted to a known network route, which can be monitored and restricted, if necessary.

Follow the Principle of Least Privilege

The principle of least privilege states that users should be given the least amount of privilege to perform their jobs. Over ambitious granting of responsibilities, roles, grants, etc., often leaves a system wide open for abuse. User privileges should be reviewed periodically to determine relevance to current job responsibilities.

Monitor System Activity

System security stands on three legs: good security protocols, proper system configuration and system monitoring. Auditing and reviewing audit records address this third requirement. Each component within a system has some degree of monitoring capability. Follow audit advice in this document and regularly monitor audit records.

Keep Up To Date on Latest Security Information

Oracle continually improves its software and documentation. Check the Installation Guide and Release Notes before installing a new release. Regularly check this Security Guide for up-to-date security related information.

Minimize the Attack Surface

The "attack surface" of a system is the sum of the different entry points that an unauthorized user can exploit to gain access to system services or to the data is maintained in the system. Common strategies for reducing the attack surface or hardening the system include (but are not limited to):

Minimize the number of services running, i.e. make sure to only run required services. Make sure that all entry points, like the system’s user interface and its web services are secured.

Specifically for OHI Components applications make sure to:

  • Do not install software on the machines that execute the OHI Components applications technology stack that is not required for running the OHI Components applications.

  • Follow the Installation Guide to prevent installation of software that is not required to run the application. For example, for Oracle’s WebLogic server installation it specifically mentions the services that need to be installed.

  • Do not install additional applications in the WebLogic domains that run OHI Components applications.

  • Make sure to track and trace use of the system, e.g. by logging which users access its services.

  • Apply firewalls at the system’s boundaries.

  • Secure all entries, for example make sure that SSL/TLS is used between clients and load balancer / DMZ.