This section describes best practices for determining the security needs of your Oracle BPM deployment.
Many resources in the production environment can be protected, including information in databases accessed by Oracle BPM and the availability, performance, applications, and integrity of the website. When deciding the level of security to provide, consider the resources you want to protect.
For most websites, resources must be protected from everyone on the Internet. But should the website be protected from the employees on the intranet in your enterprise? Should your employees have access to all resources within the Oracle BPM environment? Should system administrators have access to all Oracle BPM resources? Should system administrators have access to all data? You might consider giving access to highly confidential data or strategic resources to only a few well-trusted system administrators. Perhaps it would be best to allow no system administrators access to the data or resources.
In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the website. Understanding the security ramifications of each resource will help you protect it properly.
Whether you deploy Oracle BPM on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements. Oracle partners offer services and products that can help you to secure an Oracle BPM production environment. For details, see the Oracle Partner's Page at http://www.oracle.com/partnerships/index.html.
For the latest information about securing web servers, Oracle recommends the 'Security Practices & Evaluations' information available from the CERT™ Coordination Center operated by Carnegie Mellon University.
Report possible security issues in Oracle BPM by contacting Oracle BPM technical support. For technical support contact information, see Oracle Documentation and Resources.