Chapter - 1 : Overview

Security planning is a critical step to help protect your company’s valuable data and ensure that information is not compromised. Established security policies and goals should guide the security plan your organization performs to secure its systems. Oracle Insurance Data Gateway (OIDG) handles sensitive data and requires security measures to be taken to protect it. Security policies should align with those already established at your organization, or new ones should be established if they are not already defined. This document provides guidelines for securing an OIDG installation, including the configuration and installation steps needed to meet security goals. Details on the types of security features and services that are available to detect and prevent a potential security breach are provided. This encompasses secure system deployment, protection of sensitive data, reliability and availability of the application, authentication and authorization mechanisms.

The development and review of security documentation, an evaluation of business requirements, and the configuration and validation of available security measures and services should all be performed.

Document Ownership and control

This document is maintained by Oracle Insurance Data Gateway Development. It is reviewed twice per year and adjusted as needed.

Note: Oracle Insurance Data Gateway (OIDG) and Oracle Insurance Data Exchange (OIDX) share the same code base and therefore share many of the same security roles and configuration property names. Because of this you will see references to “OIDX” for OIDG security configuration settings.

General Security Principles

The following principles are fundamental to using any application securely.

Keep Software Up To Date

One of the principles of good security practice is to keep all software versions and patches up to date. Regularly check My Oracle Support for Critical Patch Updates (CPU) for the OIDG platform (Oracle Database, Oracle WebLogic application server, and Oracle SOA Suite).

Restrict Network Access to Critical Services

Keep both the OIDG middle-tier and database behind a firewall. In addition, configure a firewall between the middle-tier and the database. The firewalls provide assurance that access to these systems is restricted to a known network route, which can be monitored and restricted, if necessary.

Follow the Principle of Least Privilege

The principle of least privilege states that users should be given the least amount of privilege to perform their jobs. Over ambitious granting of responsibilities, roles, grants, etc. often leaves a system wide open for abuse. User privileges should be reviewed periodically to determine relevance to current job responsibilities.

Monitor System Activity

System security stands on three legs: good security protocols, proper system configuration and system monitoring. Auditing and reviewing audit records address this third requirement. Each component within a system has some degree of monitoring capability. Follow audit advice in this document and regularly monitor audit records.

Keep Up To Date on Latest Security Information

Oracle continually improves its software and documentation. Check the Installation Guide and Release Notes before installing a new release. Regularly check this Security Guide for up-to-date security related information.

Minimize the Attack Surface

The "attack surface" of a system is the sum of the different entry points that an unauthorized user can exploit to gain access to system services or to the data maintained in the system. Common strategies for reducing the attack surface or hardening the system include (but are not limited to):

  • Minimize the number of services running, i.e. make sure to only run required services.
  • Make sure that all entry points, like the system's user interface and its web services are secured.

Specifically for OIDG, do the following:

  • Do not install OIDG software on machines that implements a technology stack that is not required for running the application.
  • Follow the Installation Guide to prevent installation of software that is not required to run the application. For example, for Oracle's WebLogic server installation it specifically mentions the services that need to be installed.
  • Do not install additional applications in the WebLogic domains running OIDG.
  • Make sure to track and trace use of the system, e.g. by logging which users access its services.
  • Apply firewalls at the system's boundaries.
  • Secure all entries, for example make sure that SSL/TLS is used between clients and load balancer / DMZ.