PeopleSoft, like other major ERP applications, depends on a database to store information but arguably does not secure that supporting database. The security of the database is the client’s responsibility.
To give a few examples of what we mean by database security, the following are several of the 200+ database security checks that Integrigy performs during our PeopleSoft security configuration assessments. Take a look at your database today for a few quick checks:
- Limit direct database access whenever possible. This is always our number one recommendation – how isolated is your database?
- Database CPU patching – have you applied the latest database CPU patches?
- Logging and auditing – do you have auditing enabled? How much? What monitoring tools and processes do you have?
- Database passwords – especially key accounts such as the Connect Id, Access Id, IB and PS – are they set to weak or default passwords? Are you using profiles?
- Permissions and authorizations – when was the last time you reviewed them? How many users have SELECT ANY TABLE privileges?
- Ensure the default tablespace is never ‘SYSTEM’ or ‘PSDEFAULT’ for named users. These should be reserved for the Oracle RDBMS and the application, respectively.
- Do not use SYSADM for day-to-day support. Use named accounts instead. Are you?
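
Several of the checks above can be run as read-only queries against the Oracle data dictionary. The queries below are an added example, not Integrigy's own assessment checks; they assume Oracle Database 12c or later (for the `ORACLE_MAINTAINED` column) and a session that can read the `DBA_*` views and `V$PARAMETER`.

```sql
-- Added example: read-only checks (assumes Oracle 12c+ and DBA view access).

-- 1. Non-Oracle accounts holding SELECT ANY TABLE, directly or via nested roles.
SELECT DISTINCT CONNECT_BY_ROOT g.grantee AS username
FROM  (SELECT grantee, granted_role AS granted FROM dba_role_privs
       UNION ALL
       SELECT grantee, privilege           FROM dba_sys_privs) g
WHERE  g.granted = 'SELECT ANY TABLE'
START  WITH g.grantee IN (SELECT username FROM dba_users
                          WHERE  oracle_maintained = 'N')
CONNECT BY PRIOR g.granted = g.grantee
ORDER  BY username;

-- 2. Accounts whose default tablespace is SYSTEM or PSDEFAULT.
--    Application schema accounts may legitimately appear with PSDEFAULT;
--    any named user in this list needs to be moved.
SELECT username, default_tablespace, account_status
FROM   dba_users
WHERE  oracle_maintained = 'N'
AND    default_tablespace IN ('SYSTEM', 'PSDEFAULT')
ORDER  BY username;

-- 3. Accounts still on the DEFAULT profile or flagged with a default password.
--    DBA_USERS_WITH_DEFPWD only knows Oracle-shipped defaults, so the
--    PeopleSoft accounts (Connect Id, Access Id, IB, PS) still need a
--    separate password review.
SELECT u.username, u.profile, u.account_status,
       CASE WHEN d.username IS NOT NULL THEN 'YES' ELSE 'NO' END AS default_pwd
FROM   dba_users u
LEFT   JOIN dba_users_with_defpwd d ON d.username = u.username
WHERE  u.profile = 'DEFAULT' OR d.username IS NOT NULL
ORDER  BY u.username;

-- 4. Password controls each profile actually enforces.
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_type = 'PASSWORD'
AND    resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                         'PASSWORD_VERIFY_FUNCTION')
ORDER  BY profile, resource_name;

-- 5. Is traditional auditing switched on at all?
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_sys_operations');
```
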
If you have questions, please contact us at firstname.lastname@example.org
Michael A. Miller, CISSP-ISSMP, CCSP