Session 319
3 likes1,301 views
The document discusses using Oracle Enterprise Manager 12c for security compliance, including an overview of compliance management, a customer story about how CCH uses compliance, and how to configure compliance frameworks, standards, rules, and templates to evaluate targets and monitor for compliance. It also provides additional information on using the EMCLI, SQL queries, and roles and privileges for compliance.
Session 319
- 1. Session 319: Security Compliance using Oracle Enterprise Manager 12c Bobby Curtis, MBA Solution Architect BIAS Corporation April 2013
- 2. • Founded in 2000 • Oracle Platinum Partner with 20+ specializations • Distinguished Oracle Leader – Technology Momentum – Portal Blazer Award – Titan Award – Red Stack + HW Momentum – Excellence in Innovation • Management Team is Ex-Oracle • Location(s): Atlanta, Washington D.C., Offshore – Hyderabad and Chennai, India About BIAS • Inc.500 fastest growing private company in the U.S. for the 3rd Time • Voted Best Place to work in Atlanta for 2nd year
- 3. Bobby Curtis, MBA • Douglasville, Georgia (west side of Atlanta) • Solution Architect, BIAS Corp. About Presenter • Implementation Specialist for Core Technologies • IOUG, ODTUG, & GOUSER • Using Oracle products since 2001 • Previous Life: Military/Systems Administrator Blog: http://www.dbasolved.com Twitter: @curtisbl294 Email: bobby.curtis@biascorp.com curtisbl@gmail.com
- 4. § Compliance § Customer Story -‐ CCH § Puzzle Pieces Session Agenda § Configura8on § Addi8onal Informa8on § Customer Improvements § Wrap-‐Up
- 5. Compliance
- 6. Compliance Management What is compliance management? The ability to evaluate the compliance of targets and systems as they are related to best prac8ces for configura8on, security, and storage.
- 7. Compliance Overview Compliance solu8on consists of:
- 8. What do these numbers have to do with security compliance? Compliance Overview 6 Frameworks :0 50 Standards :23 :115 Rules 1827
- 10. Who is… • Leading provider of Tax, Accoun8ng and Audit Informa8on SoUware for professionals • Subsidiary of Wolters Kluwer Tax & Accoun8ng Customer Story • Based in Riverwoods, Ill., office in Kennesaw, GA. • Largest customer is Internal Revenue Service (IRS) • Booth 1318
- 11. • Reliable monitoring for 3 RAC environments • High security requirements Customer Story • Needed to enforce compliance • Annual audits are 8me consuming
- 13. There are three pieces to the compliance Puzzle Pieces, oh my… puzzle. They are the building blocks for compliance and are hierarchical structure. 1. Frameworks 2. Standards 3. Rules ü Real-‐Time Facets* ü Templates*
- 14. Puzzle Pieces : Framework A compliance framework is a hierarchical structure where any node can be mapped to one or more compliance standards and compliance standard rules. 2 Types of Frameworks: § Oracle Provided § Payment Card Industry (PCI) § Generic § User-‐Defined § Defined to sa8sfy the needs of your organiza8on
- 15. Puzzle Pieces : Standards A compliance standard is a collec8on of checks or rules. Standards-‐Hierarchical Structure: § Compliance Rules § Rule Folders § Hierarchical structure the constrains compliance rules § Compliance Standards § Can include other compliance standards
- 16. What do standards do: Puzzle Pieces : Standards § Represent Industry-‐wide standards, per target § Used as reference configura8on/cer8fied configura8on § Describe best prac8ces for enterprise Security Compliance Standards By Target Type Automa8c Storage Management (ASM) 2 Cluster 1 Cluster Database 7 Database Instance 9 Host 2 Listener 2 Total 23
- 17. A compliance rule is a test that determines if configura8on data change affects compliance. Based on the result, the compliance score is Puzzle Pieces : Rules calculated. 3 Types of Rules: § Repository Rules § Check against metrics in management repository § Weblogic Server Signature Rules § Describe poten8al problems based on info about Weblogic Server and environment § Real-‐Time Monitoring § Monitors ac8ons performed by users on targets
- 18. Puzzle Pieces : Templates Enable security compliance; templates have to be enabled.
- 19. Evaluation…Understand Number of targets evaluated as Cri8cal, Warning, or Compliant Average Score for Evalua8on Number of Cri8cal, Compliance Score Ra9ngs Warning, or Minor Warning Cri9cal < 60 viola8ons across all targets Warning < 80 Compliant > 80
- 20. Compliance Summary & Details § Enterprise Summary Evaluation… Review § Compliance Dashboard
- 21. Configure the Puzzle Pieces
- 22. Configure: Library 3 2 1 N/A
- 23. Configure: Rules
- 24. Configure: Rules
- 26. Compliance Standards are: § Hierarchical in nature § Must have at least 1 rule Configure: Standards Adding Rules/Standards is simple! Right click-‐>Edit-‐>Add
- 27. Configure: Framework § Top most level of compliance § Only standards can be added § Standards in subgroups
- 28. § Oracle Security Template § Immediately available (some delay) Results
- 29. Results
- 30. Dashboard Consists of: § Compliance Framework Summary § Compliance Summary § Least Compliant Generic Systems Results § Most Recently Discovered Unmanaged Hosts § Least Compliant Targets
- 32. Compliance from the command line: § export_compliance_group § export_compliance_standard_rule § export_standard § import_compliance_object EMCLI Options
- 33. Views for Compliance (SYSMAN) § MGMT$COMPLIANCE_STANDARD_GROUP § MGMT$COMPLIANCE_STANDARD § MGMT$COMPLIANCE_STANDARD_RULE § MGMT$COMPLIANCE_SUMMARY SQL Options § MGMT$COMPLIANT_TARGETS § MGMT$COMPLIANCE_TREND § MGMT$COMPOSITE_CS_EVAL_SUMMARY Oracle Enterprise Manager Cloud Control Extensibility Programmers Guide Chapter 18
- 34. To use compliance standards: § CREATE_COMPLIANCE_ENTITY Privileges & Roles § FULL_ANY_COMPLIANCE_ENTITY § VIEW_ANY_COMPLIANCE_FWK § MANAGE_TARGET_COMPLIANCE § VIEW § EM_COMPLIANCE_DESIGNER (ROLE) § EM_COMPLIANCE_OFFICE (ROLE)
- 36. § Able to monitor in all environments § Has a easier and measurable way of enforcing compliance across environments Customer Story § Expected to reduce annual audit 8mes by 40%-‐50%
- 37. § Brief customer story § Talked about compliance and its importance § Implemented security aspects of the compliance model and how to review results § Discussed addi8onal op8ons for compliance Wrap Up § Results of customer implemen8ng compliance
- 39. Thank You for Attending Blog: http://www.dbasolved.com Twitter: @curtisbl294 Email: bobby.curtis@biascorp.com curtisbl@gmail.com hrp://www.biascorp.com