ORACLE CASB

IMPLEMENTATION
V0.1

Abstract
This document provides step-by-step guidance to set up Oracle CASB.

Nitin Jain
nitin.jain@dunnhumby.com
Version | Date         | Author     | Description
V0.1    | Oct 22, 2021 | Nitin Jain | Drafted document

Contents
Oracle CASB
Configuration Steps
Enable Audit Policies
Enable association of Oracle CASB Cloud Service with OAM (Oracle Access Manager) for HCM Cloud
Whitelisting Oracle CASB Cloud Service if Oracle HCM Cloud Fusion POD is Whitelisted
Oracle CASB
Check points
Risk Events
Incidents
Reports
Policy Management
FAQ

Oracle CASB

Cloud Access Security Brokers (CASBs) address security gaps that may arise as a result of an organization’s
transition to the cloud. CASB solutions enforce an organization’s access policies governing usage across the cloud
stack (IaaS, PaaS and SaaS), thereby ensuring secure access to and usage of cloud resources by administrators and
users. The traditional definition used by analysts for CASB focused mainly on enterprise SaaS applications.
However, CASBs have expanded to cover security of the broader cloud stack, including IaaS. Oracle CASB Cloud Service is
a pioneer in IaaS protection focusing on a heterogeneous multi-vendor SaaS, PaaS and IaaS strategy.

Configuration Steps

Create a dedicated service account (user account) for Oracle CASB Cloud Service in the Oracle HCM Cloud account
that you want to monitor.

This account cannot use multifactor or federated authentication (for example, through a single sign-on service).
You will use the login credentials for this user to allow Oracle CASB Cloud Service to connect to Oracle ERP Cloud /
HCM Cloud / Sales Cloud and retrieve system events.

You can use this same user for all Oracle Applications Cloud services to communicate with Oracle CASB Cloud
Service.

a. Log into the Oracle Fusion Applications console as an administrator (with IT Security role privileges) to create
other administrators.
b. In the Oracle Fusion Applications console home page:
• Open the Navigator.
• Scroll to the bottom.
• Click More.
• In the left panel, click Security Console.
c. In the left navigation panel, click Users.
d. On the User Accounts page, click Add User Account in the upper-right corner.
e. On the Add User Account page:
• Set the Person Type field to None.
• Enter a First Name for the user (for example, CASB).
• Enter a Last Name to describe the account (for example, Oracle CASB Service Account).
• Enter a User Name to identify the account (for example, CASB).
  You will use this name when you register the application instance in Oracle CASB Cloud Service.
• Enter a Password, and then re-enter it in Confirm Password.
• Click Add Role.
f. In the Add Role Membership dialog box:
• Paste this role code into the Search box:
  ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY
• Click the Search icon.
• Select the ORA_FND_CASB_AUDIT_ACCESS_DISCRETIONARY code returned in the search results.
• Click Add Role Membership.
  This assigns the Audit Access for Cloud Access Security Broker role.
• Click OK on the confirmation message.
• Click Done in the Add Role Membership dialog box.
g. On the Add User Account page, click Save and Close.
h. In the left navigation panel, click Roles.
i. On the Roles page, click Create Role in the upper-right corner.
j. On the Create Role: Basic Information page:
• Enter a Role Name (for example, CASB_MANAGE_AUDIT_ROLE).
• Copy that entry into the Role Code box.
• Set Role Category to Setup - Job Roles.
• Click Next.
k. On the Function Security page, Privileges tab, click Add Function Security Policy.
l. In the Add Function Security Policy dialog box:
• Paste FND_MANAGE_AUDIT_POLICIES_PRIV into the Search box.
• Click the Search icon.
• Select the Manage Audit Policies privilege returned in the search results.
• Click Add Privilege to Role.
• Click OK on the confirmation message.
• Click Done in the Add Function Security Policy dialog box.
m. Click Next until you reach the Summary page, then click Save and Close, and OK the confirmation message.
n. In the left navigation panel, click Users.
o. On the User Accounts page:
• Enter the name of the CASB service user you created in the Search box.
• Click the Search icon.
• In the search results, locate the user you created and click the link next to User Name.
p. On the User Account Details page, click Edit.
q. On the Edit User Account page, click Add Role.
r. In the Add Role Membership dialog box:
• Enter the name of the role you created (CASB_MANAGE_AUDIT_ROLE) in the Search box.
• Click the Search icon.
• Select the role in the search results.
• Click Add Role Membership.
• Click OK on the confirmation message.
• Click Done in the Add Role Membership dialog box.
s. On the Edit User Account page, click Save and Close in the upper-right corner.

Enable Audit Policies

a. In the Oracle Fusion Applications console home page:
• Open the Navigator.
• Scroll down.
• Click Setup and Maintenance in the lower-right corner.
• In the search results, click Manage Audit Policies.
b. On the Manage Audit Policies page:
• At the right end of the Oracle Fusion Applications row, set Audit Level to Auditing.
• Click Save and Close at the top right.

Enable association of Oracle CASB Cloud Service with OAM (Oracle Access Manager) for HCM Cloud

This task is necessary to ensure that auditing is enabled for login and logout events for Fusion Application
instances that Oracle CASB Cloud Service monitors.

1. Log in to the Oracle Support Portal.
2. On the Dashboard, under the Technical Service Requests section, click Create Technical SR.
3. Enter a Problem Summary and a Problem Description.
4. Enter the Service Type (for example, Oracle Fusion Global Human Resource Cloud Service).
5. For Problem Type, select Cloud Hosting Service (Outage,P2T/T2T,Enable SSO,Resize,CloudPortal,MyServices,User/Password,Network,Schedule Maintenance).
6. Specify your Support Identifier.
7. Select the appropriate Severity.
8. Click Next.
9. For Question 1, select Service Entitlements (Includes Federated SSO, Language Pack Installs, Data Masking,
Break Glass etc.) as the area of concern.
10. From Question 2, select Configure Oracle Cloud Access Security Broker (CASB).
11. For Question Set 3, provide the following information:
• The POD name and the Fusion home page URL for which you want to enable Oracle CASB Cloud Service.
  Example: https://<POD_Name>.fs.ap1.oraclecloud.com/homePage/faces/AtkHomePageWelcome
• The Service User ID that you created in Creating a Dedicated Oracle CASB Cloud Service User in Oracle
  ERP Cloud.
• If you are using a Fusion Applications version earlier than R-13.18.05, provide the start time and the
  time zone for a 90-minute window during which your Fusion Application will not be available.
  Configuring this change requires a downtime of up to 90 minutes in versions earlier than R-13.18.05.
12. Click Continue.
13. Review your Support Request for completeness, and then click Submit.

Whitelisting Oracle CASB Cloud Service if Oracle HCM Cloud Fusion POD is Whitelisted

If Oracle HCM Cloud Fusion POD is whitelisted, you must whitelist some IP addresses for Oracle CASB Cloud
Service.

Oracle CASB

Log in to the OCI (Oracle Cloud Infrastructure) Cloud with your credentials.

Search for CASB in Global Search.

Click Oracle CASB to open the application; it lands on the dashboard.

Click the burger menu in the top-left corner and select the application from the left pane to configure the
application.

Click the “+” icon and select the required application; here we have selected HCMCloud.
Give the app a unique name; here the HCMCLOUD app is configured for the Development and Prod environments.

Click Next.
Click Finish; this configures the HCMCloud app.

Similarly, other clouds (ERP and Sales) can be configured in Oracle CASB.

Check points

After setting up HCMCloud, check the Data Size. It should increase on a daily basis, based on
user usage.

Click the app; a pop-up appears. Then click View Detail.

You should be able to see Risk Activities.

Risk Events

Risk events can be accessed from the left pane. They are captured based on the policy drafted in the CASB. Risk
events can be analyzed by category for different Severity levels. The events provide detailed information
about the issue.

Categories are available.

Open the risk and click the Actor to see more activity for that user.

Incidents

iService can be set up along with Oracle CASB so that incidents can be created there directly for the next step.

Reports

Various reports are available for the various clouds.

Example

Policy Management

Policy Management can be accessed from the left pane.

A policy can be opened to see its detailed information.

FAQ

What is Oracle Cloud Access Security Broker (CASB) for Oracle Cloud Infrastructure?
Oracle CASB monitors the security of Oracle Cloud Infrastructure deployments through a combination of
pre-defined Oracle Cloud Infrastructure-specific security controls and policies, customer-configurable security controls
and policies, and advanced security analytics using machine learning for anomaly detection. Oracle CASB security
functionality includes monitoring security configuration of Oracle Cloud Infrastructure resources, monitoring
credentials and privileges, user behavior analysis (UBA) for anomalous user actions, and threat analytics for
identifying risk events. For customers with heterogeneous multi-cloud deployments, Oracle CASB supports
monitoring of other public clouds such as AWS, Azure, Office 365, Salesforce, and more.

Why do you need Oracle CASB for Oracle Cloud Infrastructure?

Customers use Oracle Cloud Infrastructure for their mission-critical workloads when security is an important
consideration. Security of Oracle Cloud Infrastructure workloads follows the Shared Responsibility Model with
onus on customers to securely configure Oracle Cloud Infrastructure services used by their applications, while
Oracle is responsible for security of the underlying cloud infrastructure. In this context, the ability to monitor
security configuration and use of their Oracle Cloud Infrastructure resources is an important requirement for
customers. This includes monitoring changes to configurations, adherence to mandated security policies such as
key rotation and password management policies, and detecting anomalous behavior and/or use of various
resources. Oracle CASB offers automated security monitoring of Oracle Cloud Infrastructure resource configuration
and usage, and alerting on deviations from security baseline, thereby helping customers maintain security of their
Oracle Cloud Infrastructure applications.

What are the key value propositions of using Oracle CASB for Oracle Cloud Infrastructure?

Some of the key value drivers for using Oracle CASB for Oracle Cloud Infrastructure are:

• Rolling out applications faster and with a better security posture: Oracle CASB provides comprehensive Oracle
  Cloud Infrastructure security monitoring and integrates tightly with Oracle Cloud Infrastructure without the
  need for any agents or additional software components. Oracle acts as a full-stack cloud provider with a single
  channel for customer security feedback and is able to swiftly deliver Oracle CASB functionality for the
  monitoring of Oracle Cloud Infrastructure resources.
• A single tool to provide comprehensive security visibility for Oracle Cloud Infrastructure: Oracle CASB provides
  visibility into all Oracle Cloud Infrastructure resources by gathering information across Oracle Cloud
  Infrastructure logs and configuration data. It provides out-of-the-box policies and security controls that enable
  customers to enhance the security posture of their deployment right away. Oracle CASB is a stand-alone
  solution enabling the most comprehensive security monitoring of Oracle Cloud Infrastructure deployments.
• Higher productivity and lower total cost of ownership: Oracle CASB has pre-configured policies and controls
  for Oracle Cloud Infrastructure, so experts in each service such as Compute, Storage, Network and IAM can
  focus on higher value activities. In the absence of a tool such as Oracle CASB, customers would need to spend
  significant resources and effort to develop Oracle Cloud Infrastructure-specific security rules within their
  Security Information & Event Management (SIEM) tools, for monitoring their Oracle Cloud Infrastructure
  deployments.

What are some examples of Oracle CASB security monitoring of Oracle Cloud Infrastructure?

Oracle CASB has pre-defined Oracle Cloud Infrastructure-specific security and policy controls available out of the
box. Below are examples of Oracle Cloud Infrastructure security monitoring provided by Oracle CASB.
• Monitoring configuration and use of resources in customer tenancies: Examples of Oracle Cloud
  Infrastructure resource security monitoring include public object storage buckets, overly broad source IP
  ranges (0.0.0.0/0) in Virtual Cloud Network (VCN) Security Lists, allowing traffic on sensitive ports in a VCN
  Security List, instantiating a VCN Internet gateway (IGW), TLS certificate expiration on Load Balancers,
  and deletion of storage resources (block storage volumes, object storage buckets, databases).
• Monitoring IAM users and credentials: Examples of IAM security monitoring include granting of
  administrator privileges to IAM groups, changing membership of the administrators IAM group, age of IAM
  keys and passwords, IAM user password complexity, and MFA enablement status for IAM users.
• User behavior analytics (UBA): This allows detection of any anomalous IAM user behavior across Oracle
  Cloud Infrastructure services using machine learning techniques.
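
The security list checks named above (overly broad source ranges and sensitive ports), sketched as an added example; this is not Oracle CASB code or code from the original document. The rule field names, the sensitive-port list, the /8 breadth threshold and the severity mapping are all assumptions, and the sample rules are constructed.

```python
import ipaddress

# Assumptions (not from the page): which ports count as sensitive, and that a
# prefix of /8 or wider is "overly broad". Severity mapping is also illustrative.
SENSITIVE_PORTS = {22: "SSH", 1521: "DB listener", 3389: "RDP"}
BROAD_PREFIX_MAX = 8

# Constructed sample ingress rules with hypothetical field names.
SAMPLE_RULES = [
    {"list": "web-sl", "source": "0.0.0.0/0", "protocol": "tcp", "ports": (443, 443)},
    {"list": "admin-sl", "source": "0.0.0.0/0", "protocol": "tcp", "ports": (22, 22)},
    {"list": "db-sl", "source": "10.0.1.0/24", "protocol": "tcp", "ports": (1521, 1521)},
    {"list": "legacy-sl", "source": "0.0.0.0/0", "protocol": "all", "ports": None},
    {"list": "app-sl", "source": "10.0.0.0/16", "protocol": "tcp", "ports": (8080, 8090)},
]

def exposed_ports(rule):
    """Sensitive TCP ports the rule admits; no port range means every port."""
    if rule["protocol"] not in ("tcp", "all"):
        return []
    if rule["protocol"] == "all" or rule["ports"] is None:
        return sorted(SENSITIVE_PORTS)
    low, high = rule["ports"]
    return [p for p in sorted(SENSITIVE_PORTS) if low <= p <= high]

def evaluate(rule):
    """Return (severity, reason) for a risky rule, or None if it passes."""
    net = ipaddress.ip_network(rule["source"], strict=False)
    broad = net.prefixlen <= BROAD_PREFIX_MAX
    ports = exposed_ports(rule)
    names = ", ".join(f"{p}/{SENSITIVE_PORTS[p]}" for p in ports)
    if broad and ports:
        return "HIGH", f"{names} open to broad source {net}"
    if broad:
        return "MEDIUM", f"overly broad source {net}"
    if ports:
        return "LOW", f"{names} allowed from {net}"
    return None

def scan(rules):
    """Collect (security list, severity, reason) for every flagged rule."""
    findings = []
    for rule in rules:
        result = evaluate(rule)
        if result:
            findings.append((rule["list"], *result))
    return findings

if __name__ == "__main__":
    for name, severity, reason in scan(SAMPLE_RULES):
        print(f"{severity:6} {name}: {reason}")
```
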

What kind of integrations does CASB have and how does that help Oracle Cloud Infrastructure?

Oracle CASB integrates with multiple other products, some of which are listed below.

Cloud Solutions:

• Amazon Web Services
• Box
• GitHub
• G Suite
• Office 365
• Rackspace
• Salesforce
• ServiceNow
• Oracle Enterprise Resource Planning (ERP) Cloud
• Oracle Human Capital Management (HCM) Cloud
• Oracle Sales Cloud

How long is data maintained in Oracle CASB?

All logs are maintained for 90 days.

How long does Oracle CASB take to sync up with Fusion HCM/ERP/Sales?

It may take a couple of hours to sync up with the Fusion Application.
