30 Oracle Cloud Security Tips and Tricks
Patrick Wadland, CISA, CFE
© 2021 Fastpath, Inc. | 4093 NW Urbandale Drive | Des Moines, IA 50322 | 515-276-1779
www.gofastpath.com. | Page 1
Oracle Cloud ERP is a complex system and securing it can seem overwhelming.
But not all system security issues have to be complicated. And just to prove it, we’ve put
together some surprisingly simple tips that you can put into action right away to help you
define user roles and permissions, manage users, prevent segregation of duties conflicts, and
more.
This eBook takes you through 30 tips and tricks for securing Oracle Cloud in three areas:
System Administration, Automated Application Controls, and IT General Controls (ITGC).
Let’s get started!
System Administration
TIP #1: Use the Simulate Navigator feature to identify which privileges grant access to critical business processes and IT activities
Oracle’s Role Navigation Simulator helps administrators identify which privileges provide access to
specific work areas and tasks. Administrators can use this tool to build segregation of duties (SoD)
rulesets. It also shows how user roles can gain access to specific privileges without requiring the
administrator to have prior knowledge of the navigation needed to get there.
Access the Role Navigation Simulator via the Roles tab in the Security Console (Security Console >
Roles Section > Query a Job Role).
From the example shown in Figure 1, the administrator can see all the privileges and sub-privileges
granted to the Supplier Manager role.
Figure 1 – Role Navigation Simulator
TIP #2: Review and reconcile data access
While the job roles (and the duty roles contained within those job roles) will control the privileges those
users have in Oracle Cloud, the Data Access tool will tell the administrator what the users can view and
edit.
For example, suppose you set up a general accounting manager role, and you allow that role to enter
and post journal entries. Even though that role will be able to go into the journal pages, the user will
not be able to enter a journal unless they have the specific type of data access associated with it to
process that transaction.
To use the Data Access tool, go to:
Navigator > Setup and Maintenance > Manage Data Access for Users
Figure 2 shows the Manage Data Access for Users screen. In addition to having the privileges secure
for each role, it is also necessary to reconcile the data access for each user role.
Fastpath’s Oracle Cloud products will show you all the users that are assigned data access, as well as
which specific data access they have.
Figure 2 – Manage Data Access for Users
TIP #3: Minimize Application Implementation Consultant and IT Security Manager job role access
The Application Implementation Consultant and IT Security Manager job roles (see Figure 3) provide
many of the key system administration functions in Oracle Cloud. Make sure you are only assigning
these job roles to the users who genuinely need them, and that you are periodically reviewing the users
who have these access privileges.
Figure 3 – View of the Application Implementation Consultant and IT Security Manager job role permissions
TIP #4: Design and use custom job roles for user access; seeded job roles are NOT recommended
Oracle Cloud comes with pre-defined job roles upon installation. Unfortunately, using these seeded
(or “out-of-the-box”) role definitions without first looking at the access privileges they provide can lead
to many segregation of duties (SoD) conflicts. Moreover, Oracle Cloud software updates can change
seeded job role access permissions.
Companies typically use three types of role design:
• Use seeded job roles without adjustments
• Fully customized job role definitions
• A combination of seeded and custom job role definitions
Fastpath recommends using seeded job role definitions as a starting point for designing and building
customized job roles. Only use seeded job roles for:
• Emergency account access
• Service accounts that need to process jobs in the background
• Other truly valid business purposes
TIP #5: Assess and test patching impacts
As mentioned elsewhere, quarterly patches can introduce new functionality into seeded job roles but
will not impact customized roles. This underscores why your organization should design and use fully
customized job roles for user access.
Any new functions created by the update will be visible immediately upon patch completion. Always
test new functionality in a non-production environment, and only move it into production when it is
thoroughly tested and users are trained on the new functionality.
TIP #6: Beware of cross-module access!
Some seeded job roles also have interdependent access across multiple applications.
For instance, several roles allow the creation of manual journal entries via the Subledger module (or
application), among them, the AP Manager, the AR Manager, and Payroll Manager.
The example in Figure 4 shows that the Payroll Manager job role has the Subledger Accounting Manager duty
role assigned to it. Having access to the Subledger Accounting Manager allows the user to create a
subledger journal entry manually, giving the user the ability to not only create a manual journal entry but
also to CHANGE the Journal Source. The risk here is that a user with this access can make a manual
entry look like a system journal entry, potentially circumventing any journal approval rules you might
have in place.
Figure 4 – Payroll Manager job role with Subledger Accounting Manager duty role assigned
TIP #7: Inquiry only access is NOT provided “out of the box” with any roles and, therefore, cannot be granted without custom roles
Out of the box, Oracle Cloud does not provide ANY inquiry or view-only roles.
It is best practice to build these inquiry or view-only roles from scratch (that is, without copying them
from seeded roles). Access to these roles should be based on the principle of least privilege, which
states that the role should only have the minimum set of privileges necessary to perform its function.
TIP #8: Periodically test false positive access
When using a GRC tool (like Fastpath) on your ERP, periodically test job roles, duty roles, data access,
and other security settings to determine if a privilege leads to true or false positive access of business
or IT functionality.
Administrators should have a process in place to test false positive access results from the GRC tool
periodically using a non-production environment; ideally, one that has been recently refreshed from
production. See the next tip for an example test approach.
TIP #9: Maintain and remediate false positive testing results
The following is one possible approach to testing for “False Positive” access:
1. Using your GRC tool, generate a detailed Excel report (i.e., full access path from Job
Role > Duty Role > Privilege) indicating all of the job roles which can access your
key business process/IT activities as determined by your firm’s SoD matrix/ruleset
(Fastpath can easily create this type of report).
2. Use Excel’s Remove Duplicates functionality to remove any duplicate results.
3. Create a test username in your non-production environment, and, for each unique
Access Path-Privilege combination, assign this username a job role that the report
claims can access the privilege. If possible, record and keep track of the exact UI
navigation.
For each Access Path-Privilege combination tested, record whether the privilege is accessible (Yes) or not
(No) and, if it is not accessible, analyze and assess whether the privilege could be removed from
the preceding duty or job role without impacting other duty or job roles.
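The worksheet steps above (dedupe the report, test each unique Access Path-Privilege combination, and assess whether a privilege that tested "No" can be pulled out of its duty role) can be driven from the GRC export with a small script. The following is an added example, not code from the eBook or from Fastpath; the access-path rows and the Yes/No results are constructed samples, and the function names are my own.

```python
"""Added example (not from the Fastpath eBook): build the unique
Access Path-Privilege worksheet described in Tip #9, record test results,
and assess whether a privilege that tested 'No' (a false positive) could be
removed from its duty role without affecting other job roles.

The report rows are a constructed sample; real data would come from the
GRC tool's Excel export (Job Role > Duty Role > Privilege)."""
from collections import defaultdict

# Constructed sample of a GRC access-path report. Duplicate rows appear on
# purpose, as they do in real exports (step 2 of the tip removes them).
ACCESS_PATH_REPORT = [
    ("Payroll Manager", "Subledger Accounting Manager", "Create Subledger Journal Entry"),
    ("Payroll Manager", "Subledger Accounting Manager", "Create Subledger Journal Entry"),
    ("AP Manager", "Subledger Accounting Manager", "Create Subledger Journal Entry"),
    ("AP Manager", "Payables Invoice Processing", "Create Payables Invoice"),
    ("AR Manager", "Receivables Specialist", "Create Receivables Transaction"),
    ("AR Manager", "Subledger Accounting Manager", "Create Subledger Journal Entry"),
]


def unique_access_paths(rows):
    """Remove duplicate Job Role > Duty Role > Privilege rows, keeping report order."""
    seen = set()
    out = []
    for row in rows:
        if row not in seen:
            seen.add(row)
            out.append(row)
    return out


def duty_role_consumers(rows):
    """Map each duty role to the set of job roles that contain it."""
    consumers = defaultdict(set)
    for job_role, duty_role, _priv in rows:
        consumers[duty_role].add(job_role)
    return consumers


def removal_impact(rows, job_role, duty_role, privilege):
    """For a privilege that tested as NOT accessible, list the other job roles
    that would lose the privilege if it were removed from the duty role, i.e.
    job roles that get this privilege only through that duty role.
    An empty list means the privilege can be removed without side effects."""
    grants = defaultdict(set)  # (job role, privilege) -> duty roles granting it
    for jr, dr, pr in rows:
        grants[(jr, pr)].add(dr)
    affected = []
    for jr in duty_role_consumers(rows)[duty_role] - {job_role}:
        if grants[(jr, privilege)] == {duty_role}:
            affected.append(jr)
    return sorted(affected)


def build_worksheet(rows, test_results):
    """Combine unique access paths with recorded results.
    test_results maps (job_role, duty_role, privilege) -> True (accessible) / False."""
    worksheet = []
    for path in unique_access_paths(rows):
        accessible = test_results.get(path)  # None = not tested yet
        entry = {"path": path, "accessible": accessible, "impact_if_removed": None}
        if accessible is False:
            entry["impact_if_removed"] = removal_impact(rows, *path)
        worksheet.append(entry)
    return worksheet


# Constructed results of the non-production test: the Subledger privilege was
# reachable for all three roles (true positives); the Receivables privilege
# was not reachable for AR Manager (false positive).
CONSTRUCTED_RESULTS = {
    ("Payroll Manager", "Subledger Accounting Manager", "Create Subledger Journal Entry"): True,
    ("AP Manager", "Subledger Accounting Manager", "Create Subledger Journal Entry"): True,
    ("AP Manager", "Payables Invoice Processing", "Create Payables Invoice"): True,
    ("AR Manager", "Receivables Specialist", "Create Receivables Transaction"): False,
    ("AR Manager", "Subledger Accounting Manager", "Create Subledger Journal Entry"): True,
}

if __name__ == "__main__":
    for entry in build_worksheet(ACCESS_PATH_REPORT, CONSTRUCTED_RESULTS):
        print(entry)
```

The `impact_if_removed` column is what turns a false positive into a remediation decision: when it is empty, the privilege can be dropped from the duty role; when it lists other job roles, those roles must be retested or the privilege handled with a mitigating rule instead (Tip #10).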
TIP #10: Add mitigating rules and conditions in your GRC tool to eliminate false positives
Once false positives are identified, you can establish mitigating rules and conditions to inform the
GRC tool that the user role should be able to perform an action, such as approving journal entries,
requisitions, or POs, as shown in Figure 5.
Figure 5 – Adding a mitigation rule using Fastpath
Automated Application Controls
TIP #11: Check your credit before you wreck your credit!
Credit checking can be difficult to enforce in Oracle Cloud. For example, there are about eight
configuration settings across four areas/levels that must be synchronized just to have credit checking
properly in place. These configurations must be set appropriately for Oracle Cloud to:
• Perform a credit check on sales orders at the time the orders are booked
• Place orders by customers with insufficient credit on hold
• Prevent the release of orders on hold until the hold(s) is removed
To perform credit checking, start with the following configurations:
Customer
• Credit Limit
• Order Amount Limit
System
• AR Payment Terms
• Customer Profile Classes
• Credit Management
Business Unit
• Receivables
• Transaction Types
Customer Site
• Credit Limits and Late Charges
NOTE: Don’t try to get everything right at once. Instead, proceed one at a time to make sure each is set
correctly before moving on to the next setting. This also applies to any business process that requires
setting multiple configurations.
TIP #12: Validate aging methods
Always make sure your AR Aging reports (see Figure 6) are tied to the appropriate aging methods and
verify that these aging methods are configured appropriately, so overdue invoices appear in the correct
Aging Buckets to help recover the delinquent debt.
Make sure that the aging methods (also known as “aging buckets” in Oracle EBS) are configured
appropriately because these will dictate where any overdue AR invoices appear in your overdue reports.
For example, someone could manipulate the aging methods to put something that is overdue by 90-
180 days in a shorter aging bucket, giving the user reading the report the false impression that it is not
delinquent debt.
Figure 6 – Example of Aging Bucket Reports
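To show what "validate aging methods" means in practice, here is an added example (not from the eBook or from Fastpath) that ages constructed invoices into buckets, checks that a bucket definition is contiguous and open-ended at both ends, and diffs a configured method against the approved one. The bucket names, day ranges, invoices and the `as_of` date are all constructed; Oracle's own aging method setup screens are not modelled.

```python
"""Added example (not from the Fastpath eBook): assign overdue AR invoices to
aging buckets and validate that an aging method is well-formed and matches the
approved definition, so a tampered bucket cannot hide delinquent debt.
Bucket definitions, invoices and dates are constructed samples."""
from datetime import date

# Approved aging method (constructed): (bucket name, min days overdue, max days
# overdue). None means open-ended; negative days overdue = not yet due.
APPROVED_AGING_METHOD = [
    ("Current", None, 0),
    ("1-30", 1, 30),
    ("31-60", 31, 60),
    ("61-90", 61, 90),
    ("91-180", 91, 180),
    ("Over 180", 181, None),
]

# Constructed tampered method: the 91-180 bucket was narrowed to start at 150,
# leaving a gap so that a 120-day-old invoice drops out of the overdue buckets.
TAMPERED_AGING_METHOD = [
    ("Current", None, 0), ("1-30", 1, 30), ("31-60", 31, 60),
    ("61-90", 61, 90), ("91-180", 150, 180), ("Over 180", 181, None),
]

# Constructed invoices: (invoice number, due date)
INVOICES = [("INV-1001", date(2021, 1, 15)), ("INV-1002", date(2021, 5, 1))]
AS_OF = date(2021, 5, 15)


def validate_aging_method(buckets):
    """Return a list of problems. A valid method is ordered, contiguous (no gaps,
    no overlaps), open-ended at the low end and open-ended at the high end."""
    problems = []
    if not buckets:
        return ["no buckets defined"]
    if buckets[0][1] is not None:
        problems.append("first bucket must be open-ended at the low end")
    if buckets[-1][2] is not None:
        problems.append("last bucket must be open-ended at the high end")
    for (prev_name, _lo, prev_hi), (name, lo, _hi) in zip(buckets, buckets[1:]):
        if prev_hi is None or lo is None:
            problems.append(f"{prev_name}/{name}: open-ended range in the middle")
            continue
        if lo != prev_hi + 1:
            problems.append(f"{prev_name} ends at {prev_hi} but {name} starts at {lo}")
    for name, lo, hi in buckets:
        if lo is not None and hi is not None and lo > hi:
            problems.append(f"{name}: min {lo} exceeds max {hi}")
    return problems


def diff_against_policy(configured, approved=APPROVED_AGING_METHOD):
    """List (bucket, approved range, configured range) for every bucket whose
    range differs from the approved method; a non-empty result means the
    configuration changed and needs to be explained."""
    approved_by_name = {name: (lo, hi) for name, lo, hi in approved}
    return [(name, approved_by_name.get(name), (lo, hi))
            for name, lo, hi in configured
            if approved_by_name.get(name) != (lo, hi)]


def assign_bucket(days_overdue, buckets):
    """Return the bucket name for a number of days overdue, or None if the
    method has a gap (which validate_aging_method would have reported)."""
    for name, lo, hi in buckets:
        if (lo is None or days_overdue >= lo) and (hi is None or days_overdue <= hi):
            return name
    return None


def age_invoices(invoices, buckets, as_of):
    """Return {invoice number: (days overdue, bucket name)}."""
    return {num: ((as_of - due).days, assign_bucket((as_of - due).days, buckets))
            for num, due in invoices}


if __name__ == "__main__":
    print(validate_aging_method(TAMPERED_AGING_METHOD))
    print(diff_against_policy(TAMPERED_AGING_METHOD))
    print(age_invoices(INVOICES, TAMPERED_AGING_METHOD, AS_OF))
```

Run against the approved method, INV-1001 (120 days overdue) lands in "91-180"; against the tampered method it lands nowhere, which is exactly the kind of silent disappearance from the overdue report that a periodic validation of the aging method is meant to catch.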
TIP #13: Don’t delegate your delegation of authority!
Make sure you have an appropriate approval chain to approve purchase requisitions and purchase
orders. Multiple configurations at the Business Unit level must be set appropriately for Oracle Cloud
to enforce the approval hierarchy for purchase requisitions and purchase orders based on the total
requisition or PO value.
Two configurations to help you configure the approval chain properly are:
• Configure Procurement Business Function
• Manage Requisition Approvals Tasks
TIP #14: Match, match, match!
3-Way Matching helps ensure that purchase orders, invoices, and receipts are validated from both
a pricing and quantity perspective as you go through the procurement process. Similar to Credit
Checking (Tip #11), multiple configurations at different levels must be set appropriately for Oracle ERP
Cloud to:
• Require matching on all AP invoices
• Ensure that any AP Invoices that don’t comply with these configurations are placed on hold
Appropriately setting these configurations will help to achieve purchasing and payables control
objectives. Two settings to help you configure your procurement validation process are:
• Invoice Tolerance Set, Financials/System Options
• Payables Invoice Hold
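As an added illustration of the control itself (not code from the eBook, from Fastpath, or from Oracle), the following script performs a 3-way match of an AP invoice against its purchase order and receipts on quantity and price, and returns the holds that should be applied. The tolerance percentages, document lines and hold reasons are constructed; they are not Oracle's Invoice Tolerance Set or Payables hold definitions.

```python
"""Added example (not from the Fastpath eBook): a 3-way match comparing an AP
invoice with its purchase order and receipts on quantity and price, placing
the invoice on hold when it falls outside a configured tolerance.
Tolerances, documents and hold reasons are constructed samples."""
from dataclasses import dataclass


@dataclass
class Tolerance:
    qty_pct: float    # allowed % over-billing on quantity (vs. received and vs. ordered)
    price_pct: float  # allowed % deviation of invoice unit price from PO unit price


@dataclass
class Line:
    item: str
    quantity: float
    unit_price: float  # 0 on receipt lines: receipts carry quantity only


def three_way_match(po_lines, receipt_lines, invoice_lines, tol):
    """Return a list of (item, hold reason). An empty list means the invoice
    matches the PO and the receipts within tolerance and may be paid."""
    po = {line.item: line for line in po_lines}
    received = {}
    for line in receipt_lines:
        received[line.item] = received.get(line.item, 0.0) + line.quantity

    holds = []
    for inv in invoice_lines:
        po_line = po.get(inv.item)
        if po_line is None:
            holds.append((inv.item, "no matching PO line"))
            continue
        rec_qty = received.get(inv.item, 0.0)
        if rec_qty == 0:
            holds.append((inv.item, "not received"))
        elif inv.quantity > rec_qty * (1 + tol.qty_pct / 100):
            holds.append((inv.item, f"qty {inv.quantity} exceeds received {rec_qty}"))
        if inv.quantity > po_line.quantity * (1 + tol.qty_pct / 100):
            holds.append((inv.item, f"qty {inv.quantity} exceeds ordered {po_line.quantity}"))
        if abs(inv.unit_price - po_line.unit_price) > po_line.unit_price * tol.price_pct / 100:
            holds.append((inv.item,
                          f"price {inv.unit_price} outside tolerance of PO price {po_line.unit_price}"))
    return holds


# Constructed documents
PO = [Line("WIDGET", 100, 10.00), Line("GADGET", 50, 20.00)]
RECEIPTS = [Line("WIDGET", 60, 0), Line("WIDGET", 40, 0), Line("GADGET", 20, 0)]
INVOICE_OK = [Line("WIDGET", 100, 10.10)]                      # within 5% price tolerance
INVOICE_BAD = [Line("GADGET", 50, 25.00), Line("GIZMO", 1, 5.00)]  # over-billed, over-priced, unordered
TOL = Tolerance(qty_pct=2.0, price_pct=5.0)

if __name__ == "__main__":
    print("OK invoice holds:", three_way_match(PO, RECEIPTS, INVOICE_OK, TOL))
    print("Bad invoice holds:", three_way_match(PO, RECEIPTS, INVOICE_BAD, TOL))
```

The point for the control objective is the interplay of the three documents: the GADGET line is fully ordered but only partially received, so a quantity check against the PO alone would pass it, while the match against receipts correctly holds it.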
TIP #15: Carefully review and lock down supplier access
While you can build job roles which have inquiry-only access to suppliers, some sub-privileges can give
users access to supplier bank accounts, supplier sites, and more. Therefore, it is important to properly
configure which job roles have full access to supplier master data.
While Oracle has published many MoS (My Oracle Support) Documents on how to detect and secure
this supplier access, actually securing it can still be a challenge.
Review MoS Documents or talk to consultants with Oracle Cloud Security technical expertise to help
you design and build custom supplier inquiry roles.
TIP #16: Check for duplicate invoices across business units
While Oracle Cloud will try to prevent duplicate invoice payments, it will not prevent the payments of
two invoices with the same invoice number from within two different business units (or operating units
in EBS). Oracle Cloud DOES NOT look across business units and will not see the duplicate invoice.
The solution is to design and deploy a check that interrogates invoices across business units for
duplicate invoice numbers, as well as for other variables that can lead to erroneous or fraudulent
duplicate invoice payments.
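One shape such a cross-business-unit check can take, as an added example that is not code from the eBook or from Fastpath: normalize invoice numbers (case, punctuation, leading zeros), group by supplier and normalized number, and report groups that span more than one business unit. The invoice rows and business unit names are constructed, and the normalization rules are an assumption about what "the same invoice" means; adjust them to your suppliers' numbering conventions.

```python
"""Added example (not from the Fastpath eBook): find duplicate supplier invoices
across business units, which Oracle Cloud's own duplicate check does not do.
The invoice export and business unit names are constructed; the normalization
rules are an assumption about how invoice numbers vary between entries."""
import re
from collections import defaultdict

# Constructed AP invoice export:
# (business unit, supplier number, invoice number, amount, invoice date)
INVOICES = [
    ("US BU", "S100", "INV-00123", 5000.00, "2021-03-01"),
    ("CA BU", "S100", "inv 123", 5000.00, "2021-03-03"),    # same invoice keyed in another BU
    ("US BU", "S100", "INV-00124", 750.00, "2021-03-05"),
    ("US BU", "S200", "INV-00123", 5000.00, "2021-03-01"),  # different supplier, same number
    ("UK BU", "S300", "A-77", 120.00, "2021-04-01"),
    ("UK BU", "S300", "A-77", 120.00, "2021-04-01"),        # same BU: Oracle's own check covers this
]


def normalize_invoice_number(raw):
    """Collapse the formatting variations clerks introduce: case, punctuation,
    whitespace, and leading zeros in each numeric run (INV-00123 -> INV123)."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())
    s = re.sub(r"(?<![0-9])0+(?=[0-9])", "", s)
    return s


def find_cross_bu_duplicates(rows, amount_tolerance=0.01):
    """Group invoices by (supplier, normalized invoice number) and report every
    group that spans more than one business unit. same_amount tells the reviewer
    whether the amounts also agree within amount_tolerance."""
    groups = defaultdict(list)
    for bu, supplier, inv_no, amount, inv_date in rows:
        groups[(supplier, normalize_invoice_number(inv_no))].append((bu, inv_no, amount, inv_date))

    findings = []
    for (supplier, norm), members in groups.items():
        bus = {m[0] for m in members}
        if len(bus) > 1:
            amounts = [m[2] for m in members]
            findings.append({
                "supplier": supplier,
                "normalized_invoice": norm,
                "business_units": sorted(bus),
                "same_amount": max(amounts) - min(amounts) <= amount_tolerance,
                "invoices": members,
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_bu_duplicates(INVOICES):
        print(finding)
```

Grouping on the supplier as well as the number is deliberate: two suppliers can legitimately issue invoice number 123, so the supplier is part of the key, while "INV-00123" and "inv 123" from the same supplier collapse to one group.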
TIP #17: Freeze journals!
Manage Journal Sources is a tool within Oracle Cloud to help you identify the origin of a journal entry.
To access the Manage Journal Sources tool, go to:
Setup and Maintenance > Search Tasks > Manage Journal Sources
The Manage Journal Sources tool gives you the option to Freeze Journals (see Figure 7).
When Freeze Journals is set to Yes (Enabled), journals created with this source cannot be modified
prior to posting. When Freeze Journals is set to No (Disabled), users with access to create journals can
open journals prior to posting and perform any of the following actions:
• Modify the GL accounts
• Modify debit/credit amounts
• Add manual journal lines to system journal entries
The risk is that disabling Freeze Journals will allow a user to change GL accounts along with debit/credit
amounts, which can lead to financial statement fraud. The best practice is to freeze all systematic
journal sources (Receivables, Assets, etc.) and unfreeze all manual journal sources.
Figure 7 – Using Manage Journal Sources to Freeze Journals
TIP #18: Depreciate those assets
Multiple configurations at different levels must be set appropriately for Oracle Cloud to calculate and
record depreciation for fixed assets in accordance with corporate policy. Configuration settings that
will help achieve these and other purchasing control objectives are Asset Books, Asset Categories, and
Depreciation Methods.
TIP #19: Don’t sublet subledger manual journals
In Oracle EBS Release 12 (R12), Oracle introduced a new capability that allows users to create manual
journal entries within the subledger module; however, users can make these manual journals look
like system journals. This functionality has been carried over to Oracle ERP Cloud as well and can be
accessed from the Create Subledger Journal Entry Online and Create Subledger Journal Entry Batch
screens (see Figure 8).
No user should be able to create manual journal entries within the subledgers unless management
has designed controls to detect and identify these manual subledger journals; making sure the journal
approval rules are in place will mitigate this risk.
Figure 8 – Create Subledger Journal Entry screen
TIP #20: Utilize Journal Approval Rules and Workflows
Effective journal approval rules and workflow will help detect, mitigate, and prevent unauthorized
journal entries leading to reduced opportunities for financial statement fraud such as net income
overstatements or understatements.
Go to Manage Journal Approval Rules (see Figure 9) to enable and set up these workflows:
Navigator > Setup and Maintenance > All Tasks > Manage Journal Approval Rules
The bottom line: Make sure you have workflow enabled and you have specific journal rules in place, so
journals being created are routed to the appropriate people.
Figure 9 – Manage Journal Approval Rules screen
IT General Controls (ITGC)
TIP #21: Establish a formal user provisioning process
Copying existing user and job role assignments, or not specifying the job roles being requested in access
requests (for example, “Give Jack the same access as Diane”), typically leads to over-provisioned access
and SOX ITGC exceptions. It is important to have a formal process for provisioning users:
1. Document the user access request:
• Have a process to add and modify user access to all key applications
• Document all user access requests via a ticketing system and state which responsibilities
or roles (if using UMX for RBAC) are being requested.
2. Approve the user access request
• Ensure that all access requests are approved by appropriate IT or Business Owners prior
to assignment and that evidence of this approval exists in the request if asked to provide
evidence.
3. Validate the provisioned access
• Verify that access requested matches access granted
• Verify that roles requested match roles assigned
TIP #22: Establish a formal user termination process
Likewise, there should be a formal process for terminating users:
1. Document the user termination
• Have a process to end-date user access
• Document all user termination requests via a ticketing system and set up integrations with
Active Directory and other systems so that IT is promptly notified when users leave the
company
2. Terminate ALL user access
• Terminate network access immediately
• Disable Oracle Cloud access NO LATER than two weeks after the user’s last day of employment
• Terminate access to all other applications
3. Validate the user’s terminated access
• Verify that terminated users no longer appear on user access review reports
NOTE: Make sure Oracle Cloud (and all key systems) are integrated appropriately with Active Directory
(terminates network access). Integration with Active Directory ensures IT knows when an employee
has been terminated and will not have to wait for HR to tell them. There may be a legitimate reason
why IT was not told about the termination, but SOX auditors are generally not interested in the
explanation.
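The "validate" step of both the provisioning process (Tip #21) and the termination process (Tip #22) can be scripted against the ticketing export, the user/role assignment export and the HR termination list. The following is an added example and not code from the eBook or from Fastpath; the tickets, users, role names and dates are constructed, the two-week deadline comes from the tip above, and the data shapes are assumptions about what those exports look like.

```python
"""Added example (not from the Fastpath eBook): validation checks for the
provisioning (Tip #21) and termination (Tip #22) processes. The first compares
roles approved in an access request with roles actually assigned; the second
flags terminated employees whose Oracle Cloud account was still active more
than two weeks after their last day or who still appear on an access review
report. Tickets, users, role names and dates are constructed samples."""
from datetime import date, timedelta

# From the tip: disable Oracle Cloud access NO LATER than two weeks after the last day
TERMINATION_GRACE = timedelta(days=14)


def validate_provisioning(tickets, assignments):
    """tickets: {ticket id: {"user": name, "approved_roles": set of roles}}
    assignments: {user: set of roles actually assigned in Oracle Cloud}
    Returns (ticket, user, finding, roles) for roles granted without approval
    or approved but never assigned."""
    findings = []
    for ticket_id, req in tickets.items():
        granted = assignments.get(req["user"], set())
        extra = granted - req["approved_roles"]
        missing = req["approved_roles"] - granted
        if extra:
            findings.append((ticket_id, req["user"], "granted without approval", sorted(extra)))
        if missing:
            findings.append((ticket_id, req["user"], "approved but not assigned", sorted(missing)))
    return findings


def validate_terminations(terminations, accounts, review_report_users, as_of):
    """terminations: {user: last day of employment} (from HR)
    accounts: {user: date the Oracle Cloud account was end-dated, or None if still active}
    review_report_users: users listed on the latest user access review report."""
    findings = []
    for user, last_day in terminations.items():
        deadline = last_day + TERMINATION_GRACE
        ended = accounts.get(user)  # None: still active (or not found, which needs a look too)
        if ended is None and as_of > deadline:
            findings.append((user, "account still active past termination deadline"))
        elif ended is not None and ended > deadline:
            findings.append((user, f"account disabled late ({(ended - deadline).days} days)"))
        if user in review_report_users:
            findings.append((user, "terminated user still on access review report"))
    return findings


# Constructed data
TICKETS = {
    "REQ-101": {"user": "jack", "approved_roles": {"General Accountant"}},
    "REQ-102": {"user": "diane", "approved_roles": {"AP Specialist", "Custom Supplier Inquiry"}},
}
ASSIGNMENTS = {
    "jack": {"General Accountant", "IT Security Manager"},  # critical role never approved
    "diane": {"AP Specialist"},                              # inquiry role never assigned
}
TERMINATIONS = {"alice": date(2021, 3, 31), "bob": date(2021, 4, 30), "carol": date(2021, 5, 3)}
ACCOUNTS = {"alice": date(2021, 4, 2), "bob": None, "carol": date(2021, 5, 28)}
REVIEW_REPORT_USERS = {"jack", "diane", "bob"}
AS_OF = date(2021, 6, 1)

if __name__ == "__main__":
    for f in validate_provisioning(TICKETS, ASSIGNMENTS):
        print("provisioning:", f)
    for f in validate_terminations(TERMINATIONS, ACCOUNTS, REVIEW_REPORT_USERS, AS_OF):
        print("termination:", f)
```

Both checks produce the evidence an auditor asks for: a ticket-by-ticket reconciliation of requested versus granted access, and a list of terminated users with the date their account was actually end-dated relative to the deadline.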
TIP #23: Plan for and remove emergency access
There are times when access privileges must be granted to some individuals in emergency or
temporary situations (vacation, sick, troubleshooting, etc.). Make sure you have a plan for approving,
assigning, and removing emergency access privileges when the need arises.
TIP #24: Automate your user access review
Many user access reviews are still performed manually, which is adequate for small companies but
can lead to problems and Segregation of Duties conflicts in larger organizations. The benefits of
automating user access reviews include greater auditability and consistency, as well as a reduction in
the time it takes to generate, review, and organize the reports. Many GRC tools will help you automate
the user access review process.
The following example illustrates Fastpath’s automated review process:
1. Fastpath generates a report of users and their access privileges
2. Managers review these reports and accept or reject each item
• If accepted, the user access is authorized
• If rejected, the user access is unauthorized. Access privileges are removed and remediation
or corrective action is taken.
TIP #25: Take a risk-based approach to security
Identify your organization’s highest risks and address these issues first. When reviewing users and
job roles, look at those individuals and roles who have the most critical access first. Start with the
Application Implementation Consultant and IT Security Manager job roles (see Tip #3).
TIP #26: More responsibility = Less access
Management jobs are not transactional jobs and should not have transactional access. Therefore, even
though some managers may be involved in transactions, they should not be performing them. As a
rule, transactional access should decrease with responsibility.
TIP #27: Redesign business processes for Segregation of Duties
Users should not have access to multiple parts of a process. Many accounting firms will provide a
business process walkthrough that will identify vulnerabilities in your business processes, an important
requirement for SOX compliance. This can be hard to do without a GRC tool like Fastpath.
TIP #28: Establish a process to track all configuration changes you make to the system
Auditors might ask for a list of all configuration changes over the past year, and Oracle Cloud does
not provide this for you. One common misperception about ITGC-Change Management testing is that
viewing the last update will show all previous updates. Unfortunately, there is no easy or reliable way to
obtain a seeded report of all Oracle Cloud application configuration changes. The Last Update Date will
not tell you how many times a field has been updated.
You will have to maintain your reporting to ensure you can track all configuration changes to the
system. Custom reports via BI Publisher (within Oracle Cloud) or GRC tools (like Fastpath) are
alternatives that can help provide this information.
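Because the Last Update Date records only the most recent change, the usual way to build the history the auditor wants is to take periodic snapshots of the configuration values and diff them. The following is an added example, not code from the eBook, from Fastpath or from Oracle; the snapshot format (setting name to value) and the setting names are constructed, and in practice each snapshot would come from a scheduled BI Publisher extract or a GRC tool.

```python
"""Added example (not from the Fastpath eBook): maintain a configuration change
log by diffing periodic snapshots of setup values, since the Last Update Date
on a record shows only the most recent change. The snapshot format and the
setting names/values are constructed samples."""
from datetime import date


def diff_snapshots(old, new):
    """Return (setting, old value, new value) for every added, removed or changed
    setting between two snapshots. Missing settings appear as None."""
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if old.get(key) != new.get(key):
            changes.append((key, old.get(key), new.get(key)))
    return changes


def build_change_log(snapshots):
    """snapshots: list of (snapshot date, {setting: value}) in chronological order.
    Produces one log row per change, dated with the snapshot that first showed it."""
    log = []
    for (_prev_date, prev), (cur_date, cur) in zip(snapshots, snapshots[1:]):
        for setting, before, after in diff_snapshots(prev, cur):
            log.append({"observed": cur_date, "setting": setting,
                        "before": before, "after": after})
    return log


def change_count(log, setting):
    """How many times a setting changed over the period: the figure that the
    Last Update Date on the record cannot give you."""
    return sum(1 for row in log if row["setting"] == setting)


# Constructed monthly snapshots of a few journal-source and approval settings.
# The Receivables source is unfrozen in February and refrozen in March, so by
# March the record looks unchanged apart from its Last Update Date.
SNAPSHOTS = [
    (date(2021, 1, 1), {"JournalSource.Receivables.FreezeJournals": "Yes",
                        "JournalApproval.Workflow": "Enabled",
                        "Payables.InvoiceTolerance.PricePct": "5"}),
    (date(2021, 2, 1), {"JournalSource.Receivables.FreezeJournals": "No",
                        "JournalApproval.Workflow": "Enabled",
                        "Payables.InvoiceTolerance.PricePct": "5"}),
    (date(2021, 3, 1), {"JournalSource.Receivables.FreezeJournals": "Yes",
                        "JournalApproval.Workflow": "Disabled",
                        "Payables.InvoiceTolerance.PricePct": "5",
                        "JournalSource.Manual.FreezeJournals": "No"}),
]

if __name__ == "__main__":
    log = build_change_log(SNAPSHOTS)
    for row in log:
        print(row)
    print("Receivables freeze flag changed",
          change_count(log, "JournalSource.Receivables.FreezeJournals"), "times")
```

The snapshot interval bounds what the log can see: a setting changed and changed back between two extracts leaves no trace, so the interval should be shorter than the time a damaging change (an unfrozen system journal source, a disabled approval workflow) would need to be exploited and reverted.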
TIP #29: Perform security changes in phases
Security changes don’t all have to be done at once. Performing your security changes in phases will let
you isolate issues and give you a much more reliable approach to security. Remember, each phase will
still help improve the overall system security.
TIP #30: Security is more than just Oracle Cloud
There are multiple layers to the Oracle Cloud application, and each layer has its own security issues and
mitigating actions. These Rings of Security include:
• The application database
• The Oracle Cloud application itself
• The network and system infrastructure
• The users themselves
As an administrator, you are responsible for asking the difficult questions – and keep asking them – to
make sure that security is maintained:
• Why does the controller need to process AP?
• Why did the accountant make changes to our suppliers?
• What system does this functionality come from?
Also, look for any other systems that integrate with Oracle Cloud, like Salesforce and Workday.
Transaction flow between business systems can create segregation of duties issues between these
applications that might be hard to find without a dedicated search – don’t make any assumptions.
Conclusion
There are many facets to Oracle Cloud ERP system security, much more than is discussed here.
However, following these simple steps in the areas of system administration, application controls, and
general system controls will go a long way to helping you achieve a secure environment, get a handle
on user roles and privileges, and avoid unnecessary compliance risks.
About Fastpath
The Fastpath Assure suite is a cloud-based risk and compliance platform that helps thousands of
organizations track, review, approve, and mitigate user access risks and Segregation of Duties (SoD)
conflicts. Fastpath customers achieve process efficiency, streamlined audits, and enhanced control
over their security, compliance, and risk management efforts.