Best Practices for Authentication & Authorization¶
Access security is crucial for system administrators as they often have privileged access to critical systems, making them prime targets for cyberattacks. Implementing robust access security measures helps protect sensitive data, systems, and infrastructure. Here are best practices for access security tailored specifically for system administrators:
Default Configurations: Avoid using default configurations. Securely configure applications, disable unnecessary features, and change default credentials.
- Keep the application owner disabled always. Refer to the Lock Application Owner Account for more information.
- Create a separate admin user account with the FND_ADMIN permission set for high-privileged administration, such as a break-glass scenario.
- Create separate user accounts to provide segregated admin functions. i.e., a separate user account with only enough privileges to provision new low-privileged IFS user accounts and another admin account for Integration related areas.
Use Strong Authentication Mechanisms¶
- Multi-Factor Authentication (MFA): We recommend to use an External Identity Providers like Entra ID, Okta or Forgerock to maintain users and Authentication. Enforce MFA for all user accounts to add an extra layer of security beyond passwords.
- Password Policies: Implement strong password policies, including length, complexity, and regular updates. Encourage the use of passphrases over simple passwords.
- Password Managers: Use password managers to securely generate, store, and manage complex passwords for various systems.
Session Management¶
- Secure Session Tokens: Use secure, signed, and encrypted tokens (e.g., JWT) for session management. Ensure tokens have an appropriate expiration time.
- Session Timeouts: Implement session timeouts, particularly for inactive sessions, to reduce exposure to unauthorized access.
Principle of Least Privilege (PoLP)¶
- Minimal Permissions: Grant Users only the access necessary to perform their tasks. Regularly review and adjust permissions as needed.
- Separate Privileged Accounts: Use separate accounts for administrative tasks and regular user activities to limit exposure.
- Temporary Privilege Elevation: Use just-in-time (JIT) access to grant temporary administrative access only when needed.
Secure Account Lifecycle Management¶
- Regular Account Reviews: Regularly review accounts and access permissions to remove inactive, unused, or outdated accounts.
- Automate Provisioning/Deprovisioning: Use SCIM to provision and deprovision access quickly, ensuring that changes in employment status are immediately reflected in access controls.
- Regular Training: Provide ongoing security training specifically focused on access security for system administrators.
These best practices for authentication and authorization help protect systems and data by ensuring that only the right people access the right resources under the right circumstances.