Thursday, Feb 09, 2012

To SSL or not to SSL

The use of Secure Sockets Layer (SSL) within an Oracle EPM System (EPMS) deployment is a fairly controversial topic. Generally, SSL is not considered necessary from an EPMS implementation perspective: yes, we are dealing with corporate financial data, which is extremely sensitive material, but we are also talking about an intranet-only application. In the author's experience SSL is used in conjunction with EPMS implementations roughly 20% of the time. The fact that few EPMS clients use SSL should not preclude prospective clients from considering it. Keep in mind what "intranet only" actually buys you: the traffic never crosses the Internet, but without SSL the login exchange and the financial data still travel in clear text and can be read by anyone positioned on the internal network path. There are, however, other things to consider when discussing security.


A common practice is to tie the Oracle EPM System into a corporate Single Sign-On (SSO) system. When a user authenticates to a web application protected by SSO, a security token is issued for that user. The token asserts the user's identity (it does not need to carry the password itself) and is presented to other web applications that accept SSO tokens, so the user does not have to re-enter credentials each time they access a corporate web application. The added convenience comes with a significant risk. The token is valid for a set amount of time, typically 30 minutes to 1 hour, and in most SSO products that window is measured from the last request rather than from login, so ongoing activity keeps extending it. If a user walks away from an unlocked workstation, anyone who sits down can use the EPM System through the cached security token. None of the other controls help here: SSL protects the transport, EPMS security decides what the authenticated user may see, and firewalls filter network paths, but all three treat the attacker as the legitimate, already-authenticated user. Most corporations have a policy to lock workstations when they are not in use; however, it is common for at least some users to ignore that policy, so the idle timeout and a screen lock enforced by group policy, rather than the policy document, are what actually bound the exposure.
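As an added illustration of the walk-away window (example code written for this post, not Oracle's SSO implementation or any vendor's token format), the Python below models a session token with two independent limits, an idle timeout and an absolute lifetime, and simulates an attacker who sits down at an unlocked workstation inside the idle window and keeps clicking. The `SessionPolicy` and `Session` names, the timeout values and the timeline are all constructed assumptions.

```python
"""Walk-away exposure of an SSO session under different timeout policies.

Constructed example for illustration; the token model and numbers are
assumptions, not a description of any specific SSO product.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: int                 # seconds of inactivity after which the token dies
    absolute_lifetime: Optional[int]  # seconds after issue after which it dies regardless;
                                      # None = no hard cap, the token lives as long as it is used


@dataclass
class Session:
    user: str
    issued_at: int       # simulation clock, seconds
    last_activity: int   # timestamp of the most recent accepted request


def check(session: Session, policy: SessionPolicy, now: int):
    """Return (accepted, reason) for a request arriving at `now`, without side effects."""
    if now - session.last_activity > policy.idle_timeout:
        return False, "idle timeout"
    if (policy.absolute_lifetime is not None
            and now - session.issued_at > policy.absolute_lifetime):
        return False, "absolute lifetime"
    return True, "ok"


def handle_request(session: Session, policy: SessionPolicy, now: int):
    """Accept or reject a request; on acceptance slide the idle window forward."""
    accepted, reason = check(session, policy, now)
    if accepted:
        session.last_activity = now
    return accepted, reason


def walk_away_exposure(policy: SessionPolicy, issued_at: int, left_at: int,
                       attacker_arrives: int, attacker_interval: int = 300,
                       horizon: int = 8 * 3600):
    """Simulate the unlocked-workstation scenario.

    The legitimate user's last request is at `left_at`; nobody touches the
    session until an attacker sits down at `attacker_arrives` and then issues
    a request every `attacker_interval` seconds.  Returns
    (first_attacker_access, exposure_seconds, terminating_reason):
    exposure_seconds is 0 if the attacker never gets in and math.inf if the
    session is still alive `horizon` seconds after the user walked away.
    """
    session = Session("user", issued_at, left_at)
    first_access = None
    t = attacker_arrives
    while t <= left_at + horizon:
        accepted, reason = handle_request(session, policy, t)
        if accepted:
            if first_access is None:
                first_access = t
        elif first_access is None:
            return None, 0, reason                       # dead before the attacker arrived
        else:
            return first_access, t - first_access, reason  # killed while the attacker was active
        t += attacker_interval
    return first_access, math.inf, None                  # still alive at the horizon


if __name__ == "__main__":
    # Constructed timeline: login at t=0, user walks away 10 minutes in,
    # attacker sits down 10 minutes after that (or 35 minutes, in the late case).
    sliding = SessionPolicy(idle_timeout=1800, absolute_lifetime=None)
    capped = SessionPolicy(idle_timeout=1800, absolute_lifetime=3600)
    print("30 min idle, no hard cap:     ", walk_away_exposure(sliding, 0, 600, 1200))
    print("30 min idle, 60 min absolute: ", walk_away_exposure(capped, 0, 600, 1200))
    print("attacker arrives 35 min later:", walk_away_exposure(capped, 0, 600, 2700))
```

Run it and the sliding-only policy reports an infinite exposure: an attacker who arrives inside the idle window can hold the session for as long as they keep generating traffic, which is why an absolute lifetime matters even when the idle timeout is short. The late-arrival case shows that it is the idle timeout, not the nominal token lifetime, that decides whether someone who finds an unattended workstation gets in at all.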


Before adding more complexity to an already complex system, clients should consider all potential risks and eliminate the 'low-hanging fruit' first. Once the decision has been made to move forward with SSL, the next step is to decide which method to use. There are three common methods for implementing SSL with Oracle EPMS: SSL offload, SSL at the web layer, and full SSL. The first two are straightforward from an implementation and support perspective. The last adds significant effort to both implementation and support. These options, along with their pros and cons, will be discussed in a future blog post.
--Author, Damon Hannah
