Oracle Security Solutions: Identity Management and Database Security, 13 September 2006, Sofia, Bulgaria (PowerPoint presentation transcript)

Transcript and Presenter's Notes



1
Oracle Security Solutions: Identity Management and Database Security
13 September 2006, Sofia, Bulgaria
  • Patrick McLaughlin
  • Director Security
  • EMEA Technology Solutions
  • patrick.mclaughlin@oracle.com

2
Agenda
  • Oracle security solutions
  • Identity and Access management solution
  • Enterprise single sign on
  • Database security solutions
  • including 10g Release 2 security enhancements
  • Oracle web services management solution
  • Sample security solution customers
  • Q&A

3
Oracle Security Solutions
4
5
Identity and Access Management
  • Including Provisioning and Federation

6
Oracle Internet Directory
  • Scalable
  • Highly available
  • Easily managed
  • Secure
  • Extensible

LDAP Clients
Oracle Internet Directory Server
Directory Admin Console
Oracle Database
7
Virtual Directory Drivers
  • Applications need user profile information for
    personalization and authorization management
  • Challenge
  • Information about the same identity is
    distributed across a large number of stores
    LDAP, RDBMS, AD, etc.
  • Applications don't have a uniform mechanism for
    accessing this information
  • This creates a many-to-many relationship that is
    difficult to administer, opening a security risk
  • Virtual directories join different aspects of
    identity into a single object
  • Single point of administration
  • Multiple protocols in and out

8
Oracle Virtual Directory
  • Oracle Virtual Directory
  • Real-time consolidation
  • Technology abstraction
  • Complexity reduction

Customers
Partners
Protects Directory Investments; Single Identity View
9
Virtual Directory - Structure
Service Listener Protocols: Web Services, Web Gateway, LDAP
Data Transformation, Mapping, Routing, Security, Audit
VDE Directory Engine: Join View, Custom Adapter, Local Store
Data Adapters: NT, LDAP, DB
10
Financial Services Firm
  • Problem
  • Existing SOA Provides Access to Aggregated ID
    Attributes - But Only Using Custom Web Service
  • Solution
  • Provide LDAP Access to Custom Service
  • Benefit
  • Create Unified Service
  • Reduce Operational Cost
  • Eliminate Retrofitting of Applications.

11
Access Manager
  • Benefits
  • Centralized and Consistent security across
    heterogeneous environments
  • Reduced administration cost
  • Improved end user experience
  • Better compliance
  • Features
  • Common policy management
  • Multi-level, multi-factor auth mgmt
  • Self-service and password administration
  • Delegated administration
  • Workflow engine
  • Web Services interfaces

Authentication
Authorization
Identity Admin
12
  • Web Single Sign On and Access Control
  • User, Group, and Organisation Management
  • Workflow and User Provisioning
  • Reporting and Auditing
  • Password Management

13
Oracle Access Manager building blocks
14
Partnerships for Seamless Integrations
Portals
HTTP(s)
Single Sign-on to multiple resources
Packaged E-Business Applications
Web Server
Application Servers
COREid Access Server
Mainframe Systems
COREid Mainframe Security Connector for OS/390
RACF, ACF-2, TSS
LDAP
15
IDM
  • Provisioning

16
Definition of Provisioning
  • Managing user accounts and user profiles across
    the IT environment via a combination of user
    roles and business rules
  • All account updates managed centrally
  • Change requests are done via self-service, an
    administrator or an HR system update
  • Adapters to manage accounts within enterprise
    systems such as CRM, ERP, e-mail, DB, OS, VPN,
    PBX, etc
  • Centralizes tracking and auditing of who has
    access to what at any given time

17
The Identity Provisioning Problem
  • It takes too long to get people access to the IT
    resources that they need.
  • With people changing jobs so often, it's hard to
    keep track of who has access to what.
  • How do we know that when people leave the
    company, they can't still use our systems?
  • It takes an enormous cost and effort to do what
    our auditors want on a continuous basis, and
    we're not even sure that what we're telling them
    is right!
  • Our users can't keep track of all their IDs and
    passwords, and we can't either.
  • It's getting worse

18
Business Drivers
  • Security Risks
  • Risk of role accumulation, and ghost or orphan
    accounts
  • No systematic control of the identity management
    life-cycle
  • No commonality across policies applied to a
    heterogeneous resource base
  • No knowledge of who has what
  • Costs & Complexity
  • Costly manual user administration as the user and
    resource base grows
  • Poor IT service levels to end users
  • Increasing application development and maintenance
    costs
  • Lost productivity due to inefficiency
  • Compliance Requirements
  • Regulatory (SOX, privacy regulations, 21 CFR Part
    11, GLB, HIPAA)
  • Segregation of duties and other internal control
    policies
  • CxO liability arising from non-compliance
  • Massive, recurring cost to ensure nominal
    compliance

19
What Does Oracle Identity Management Do?
20
Functional Architecture
Key Features
  • Reconciliation with multiple trusted sources
  • Intelligent user profile definition
  • Delegated administration
  • Role- and rule-based determination of access
    privileges
  • Supports workflow
  • Ease of integration with Adapter Factory
  • Extensive reporting, analysis and auditing
    capabilities

21
Provisioning Adaptors: Covering 30 key targets
  • Directory Servers
  • IBM, AD, Sun, OID, eDirectory, Open LDAP
  • Database Servers
  • Oracle, SQLServer, DB/2, MySQL, Sybase
  • Presentation Servers
  • Weblogic Portal
  • Operating Systems
  • AIX, Netware, Windows, Solaris, Linux
  • Applications
  • Peoplesoft, SAP, Siebel, Oracle Ebiz
  • Email/Collaboration
  • Domino, Exchange, Groupwise
  • Security Managers
  • Top Secret, RACF, Secure ACS, SecureID, ACF2,
    Control SA, Cleartrust

22
Competitive Differentiation
  • Scalability
  • Users: 140,000 (Accenture)
  • Resources: 600 (Lehman Brothers)
  • Complexity: 43,000 Security Groups (Goldman
    Sachs)
  • Time-to-Deployment: Four Months (Nextel Phase I)
  • Flexibility
  • Workflow Abstraction (Approval vs. Provisioning)
  • Process decomposed into discrete tasks
  • Policy-based fine-grained provisioning,
    de-provisioning, and denial
  • Fundamental design philosophy of "Configure,
    don't Customize"
  • Manageability
  • State Management
  • ID Link (Identity Correlation Engine)
  • Reconciliation Engine
  • Deployment and Change Control tools

23
IDM
  • Federation

24
Secure Federation
  • Benefits
  • Secure integration with partners
  • Reduce administration cost
  • Deliver improved end user experience
  • Features
  • Seamless SSO and Identity Sharing across business
    partners
  • Multi-protocol gateway: SAML, Liberty,
    WS-Federation
  • Available as Service Provider (Hub) or Identity
    Provider (Spoke) packages
  • Flexible deployment configurations
  • Integrated with Oracle Identity
  • Standalone for use with pre-existing web-access
    management solution
  • Protocol SDK for custom applications

25
Federated Identity Principles
  • Multiple authorities in a trust network
  • Each owns their customers and employees
  • Each owns their infrastructure
  • Each issues their own credentials
  • Each can decide whether to accept credentials
    from other authorities/domains
  • Avoids duplicated management of identity
    information in multiple domains
  • Keep responsibility in each owning domain
  • Can scale up to any size of service oriented
    grid
  • Open standards based

26
Existing Database Security options
  • Virtual Private Database
  • Label Security
  • Oracle Advanced Security

27
Oracle Advanced Security
  • Strong authentication with 3rd party industry
    leaders
  • Kerberos, CyberSafe, DCE
  • Smart cards, token cards (SecurID), biometrics
  • Industry-standard RADIUS allows authentication
    vendors to integrate solution
  • Smart cards, fingerprints, voice, etc.
  • Strong authentication within a PKI
  • X.509v3 certificates
  • Can use Hardware Security Module at Server
  • Encrypted traffic from DB to user or to app server

28
Transparent Data Encryption part of Oracle
Advanced Security 10gR2
Application
  • Transparent Data Encryption
  • Includes Key Management
  • Transparent to applications
  • Helps Address Privacy and Regulatory compliance
  • Store Username and Password in Wallet
  • Protect username and password on command line for
    batch jobs
  • SmartCard integration for SSL
  • Support existing certificates on smartcards

ASO Network Encryption
Data Written To Disk Encrypted
Data Decrypted Through SQL Interface
Data Encrypted On Backup Files
29
Centralized Identity Management Enterprise
User Security
Store users, passwords, roles, and schema mappings
Oracle Internet Directory
Authentication
Authorizations
Proxy Authentication
9iAS Portal
30
Oracle Label Security
  • Based on VPD, grew out of accredited consulting
    work and over seven years of MLS efforts
  • Off-the-shelf label-based row-level security (RLS) system
  • GUI for administration
  • No coding required

Row Label example for six data rows (Level : Compartment : Group):
  Confidential : Oncology  : Patient
  Public       : Oncology  : PCP, SCP
  Confidential : Radiology : Research
  High Sens    : Lab       : Patient
  Confidential : Radiology : Admin
  High Sens    : X-ray     : PCP, ER
Label components: Levels (Public, Confidential, High Sens); Compartments (Oncology, Radiology, Lab, X-ray); Groups (Patient, PCP, SCP, Research, Admin, ER)
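The read-access check behind the row-label table above, written out as an added Python example (not code from the presentation or from Oracle Label Security itself): a session label dominates a row label when its level is at least the row's level, it holds every compartment on the row, and it belongs to at least one of the row's groups. The level numbers and the six row labels are constructed from the slide's diagram; group parent/child hierarchies are omitted.

```python
from dataclasses import dataclass

# Level ordering for the slide's example (higher number = more sensitive).
# Constructed for this example; in OLS the administrator assigns the numbers.
LEVELS = {"Public": 10, "Confidential": 20, "High Sens": 30}


@dataclass(frozen=True)
class Label:
    """A label in the OLS shape: one level, a set of compartments, a set of groups."""
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()

    @classmethod
    def parse(cls, text: str) -> "Label":
        """Parse the OLS-style string 'LEVEL:COMP1,COMP2:GROUP1,GROUP2'."""
        parts = [p.strip() for p in text.split(":")] + ["", ""]
        level, comps, groups = parts[:3]
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        to_set = lambda s: frozenset(x.strip() for x in s.split(",") if x.strip())
        return cls(level, to_set(comps), to_set(groups))


def can_read(user: Label, row: Label) -> bool:
    """OLS read-access rule: the user's level must dominate the row's level,
    the user must hold every compartment on the row, and if the row names any
    groups the user must belong to at least one of them.
    Group parent/child hierarchies are not modelled here."""
    if LEVELS[user.level] < LEVELS[row.level]:
        return False
    if not row.compartments <= user.compartments:
        return False
    if row.groups and not (row.groups & user.groups):
        return False
    return True


# Constructed sample data: the six labelled rows shown on the slide.
ROWS = {
    "row1": Label.parse("Confidential:Oncology:Patient"),
    "row2": Label.parse("Public:Oncology:PCP,SCP"),
    "row3": Label.parse("Confidential:Radiology:Research"),
    "row4": Label.parse("High Sens:Lab:Patient"),
    "row5": Label.parse("Confidential:Radiology:Admin"),
    "row6": Label.parse("High Sens:X-ray:PCP,ER"),
}


def visible_rows(user_label: str) -> list:
    """Return the row ids a session with the given label may read; this is
    the set an OLS row-level predicate would filter a SELECT down to."""
    user = Label.parse(user_label)
    return sorted(rid for rid, lbl in ROWS.items() if can_read(user, lbl))


if __name__ == "__main__":
    for who in ("High Sens:Oncology,Radiology,Lab,X-ray:PCP",
                "Confidential:Radiology:Research",
                "High Sens:Oncology,Radiology,Lab,X-ray:"):
        print(who, "->", visible_rows(who))
```

Note that the third session, despite holding the top level and every compartment, sees nothing: every row on the slide names a group, so group membership, not just clearance level, gates access.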
31
Database Security
  • Latest features (10g Release 2)

32
Oracle Secure Backup - new standalone product
  • Oracle Secure Backup is ideal for customers
    seeking a low cost alternative to complex backup
    products
  • Best integrated end-to-end backup of Oracle
    Databases
  • Media manager for RMAN backup and recovery of
    Oracle9i and 10g databases to tape
  • Fastest Database Backup on the market
  • Backup Oracle Home, App Server and other file
    systems
  • Oracle Secure Backup includes
  • Centralized management of network backups
  • Scalability to low 100s of servers, 10s of
    millions of files
  • Easy management through Enterprise Manager
  • Encryption of backed-up data

File Systems
Linux, Unix, Windows, Filers
Databases
RMAN
Oracle Backup
Supports popular tape libraries and drives
33
Customers Recognize Need
  • This is the most innovative security capability
    Oracle has ever provided
  • Large defense supplier
  • This is exactly what we need for SOX compliance

  • Healthcare company
  • We need this product now... it will help us meet
    our separation of duty reqmt. for compliance

  • Retail customer
  • This is a historical event in the intelligence
    world for information sharing... this eliminates
    many of the risks for information consolidation

  • Federal Intelligence Customer

34
Database Vault: Business Problem
  • Internal threats require enforcement of
    operational security policies - who, what, when
    and where can data be accessed?
  • Database consolidation can result in Multiple All
    Powerful (DBA) users in the database
  • Regulations: strong internal controls and
    separation of duty (such as Sarbanes-Oxley and
    Basel II)

35
Oracle Database Vault
Realms
Multi Factor Authorization
Reports
Command Rules
Separation of Duty
36
Command Rule Flexibility
Commands that Command Rules can govern include:
Alter Database, Alter Function, Audit, Alter Package Body, Alter Procedure, Alter Profile, Alter Session, Alter System, Alter Synonym, Alter Table, Alter Trigger, Alter User Password, Alter Tablespace, Alter View, Change Password, Connect, Comment, Create Function, Create Index, Create Package, Create Database Link, Create Procedure, Create Role, Create Package Body, Create User, Create View, Create Table, Grant, Insert, Noaudit, Rename, Lock Table, Create Tablespace, Create Trigger, Truncate Table, Update, Delete, Execute, Select
37
Built-In Factors
Additional factors can be defined
38
Oracle Advanced Security Integration
  • Realms work transparently with Transparent Data
    Encryption

Data automatically encrypted through SQL
Data automatically decrypted through SQL
Realm
Realm
Realm
Sensitive Data Encrypted On Backup Files
  • Transparent Data Encryption works with RMAN to
    encrypt backups written to disk

Oracle Advanced Security With RMAN Can
Encrypt Backups Sent to Disk
Realm
Realm
Realm
39
Oracle Label Security Integration
Database Vault factors: Intranet Access, External, Headquarters
Label Security levels: Highly Sensitive, Sensitive, Public
Oracle Label Security Restricts Access To Labeled
Data Based On Database Vault Factors
40
Oracle Database Vault Realms and Rules
Realms can be easily applied to existing
applications with minimal performance impact
41
Oracle Database Vault Factors and Command Rules
42
Oracle Database Vault Reports
43
Database Vault: Partner and ISV Strategy
  • Product Announcement: April 26, 2006 (Collaborate
    06)
  • Technology Adoption Strategy
  • Target TOP 50 ISVs
  • Target TOP Compliance and Risk Mgmt Firms

Compliance
Technical ISVs
44
Oracle Audit Vault in beta
Oracle Application Server
Oracle RAC Nodes
Firewall
Firewall
Oracle Financials Database
  • Audit Vault Console
  • Audit Policy Management
  • Built-in Reports
  • Business Intelligence
  • Statistical Analysis
  • Partition Management
  • Graphs for Activity Visualization
  • Archiving Policies

Firewall
Audit Data
Oracle Identity Management
(Audit Activity Identity Resolution)
Audit Data
Audit Data
Oracle Audit Vault
45
Oracle Audit Vault
A Specialized Warehouse for Audit Data
  • Consolidated audit solution
  • Protected schema blocks DBA from viewing audit
    data
  • Separation of duty / defined roles
  • Hardened configuration
  • Support for multiple audit sources
  • Common Audit reports
  • Audit policy / Audit Settings management

46
Oracle Audit Vault
Protect, Consolidate, Detect, Monitor, Manage,
Alert, Report
Audit Archival Mgmt
Proactive Detection and Alerts
Audit Reports
Audit Dashboard
Audit Collection
Audit Policy Mgmt
Data Mining Analysis
Audit Admin
Custom Reports
v1
Collectors can be developed using the Audit
Vault SDK
47
Web Services Security Management
48
Oracle Web Services Manager
  • Provides a decentralized platform for deploying
    operating policies across apps and web services
  • Layers best-practice security and management
    across all applications
  • Does not require developers to modify
    applications or services
  • Supports WS-* standards such as WS-Security,
    WS-Policy, etc.
  • Tools for building and monitoring operating
    policies
  • Agents and gateways for executing policies in
    real time

49
Web Services Management
SOA App
Centralised Monitoring and Policy Enforcement
Databases
Oracle AS 10g
Web Services Management Gateway
BPEL Processes
SOA App
Clients
IBM, BEA, JBOSS
  • Auditing
  • Logging
  • Tracing
  • Security
  • Billing
  • Monitoring
  • Performance Analysis

Legacy Systems
SOA App
MSFT.NET
Custom Apps
Management Console
Packaged Apps
50
Oracle WSM Components
Gateway
  • Policy Enforcement Points (PEP)
  • Gateway
  • Agent
  • Server Components
  • Policy Manager
  • Monitor
  • Console

Agent
Agent
Policy Manager
Monitor
51
Some Policy Steps
WS-Security: Decrypt and Verify Signature, Sign Message, Sign Message and Encrypt, XML Decrypt, XML Encrypt
Authorization: COREid Authorize, Active Directory Authorize, File Authorize, LDAP Authorize, SiteMinder Authorize
Credential Management: Extract Credentials, Insert WSBASIC Credentials
Transport-specific QoS: HTTP Messenger, MQ Messenger, JMS Messenger
Authentication: Active Directory Authenticate, File Authenticate, LDAP Authenticate, LDAP Certificate Authenticate, COREid Authenticate, SiteMinder Authenticate, Verify Certificate, Verify Signature
SAML: SAML Copy Token, SAML Insert Token, SAML Save Token, SAML Validate Token
Others: Content-based routing, XML Transform, Logging, Data gathering (SLA, Metering)
52
Oracle Enterprise Single Sign On
  • (Passlogix)

53
Enterprise Sign-on Business Drivers
  • Password Management
  • Simplify the end user experience, reduce password
    related help desk costs and enhance security by
    eliminating poor end user password management
  • Identity Management
  • Integrated enterprise sign-on is a key
    requirement, and often a first step, of a
    complete identity management solution
  • Stronger Authentication
  • Extending strong user authentication to
    enterprise applications is a key requirement of a
    strong authentication initiative
  • Compliance
  • Eliminate the hidden end user costs associated
    with compliance driven initiatives
  • Extend audit and reporting capabilities to
    include user sign-on data

54
Oracle eSSO Suite
  • Oracle eSSO Logon Manager
  • Sign-on to any Windows, Web, host, mainframe or
    Java application
  • No scripts, connectors or application
    modification
  • Oracle eSSO Provisioning Gateway
  • Provides interface to Oracle Identity Manager to
    accept credentials and settings from the
    provisioning system
  • User never knows or touches their application
    credentials
  • Oracle eSSO Authentication Manager
  • Support multiple authenticators smart card,
    biometric or token
  • Adjust SSO authorizations based on grade of
    provided user authentication
  • Oracle eSSO Kiosk Manager
  • Monitor kiosk sessions and provide security
    controls for sessions left unattended
  • Safe application termination and fast user
    switching
  • Oracle eSSO Password Reset
  • In-the-flow reset for Windows password from GINA
    prompt
  • Confidence scoring tolerates some incorrect answers
    instead of forcing a call to the helpdesk

55
Oracle eSSO Suite Architecture
56
Highlights of Functional Capabilities
  • A suite of five products that
  • Accepts user authentication from Windows logon
    with password, smart card, biometric, token or
    proximity device
  • Users can reset their Windows password without
    calling the helpdesk
  • Users can still access system if they lose their
    smart card or token
  • Responds to logon and password change events on
    all Windows, web, and mainframe/host applications
    with the correct credentials (id/password)
  • No scripting, programming or integration
  • Automatically shuts down inactive sessions and
    any open applications
  • Credentials can be provisioned by end-user,
    administrator or provisioning system
  • Automates and enforces compliance to policies
  • password management and password selection
  • account access and any associated strong
    authentication requirements

57
Oracle eSSO Suite Pricing and Packaging
  • Oracle delivers 5 products in two product
    bundles
  • Oracle eSSO Suite - 60 per user
  • Oracle eSSO Logon Manager
  • Oracle eSSO Password Reset
  • Oracle eSSO Authentication Manager
  • Oracle eSSO Provisioning Gateway
  • Oracle eSSO Kiosk Manager
  • Oracle eSSO Password Reset - 7 per user
  • Sold separately to address the strong demand for
    desktop password reset
  • Integrated with Oracle Identity Management,
    Oracle applications and other Oracle products
  • OEM from Passlogix
  • Leading vendor with over 2 million seats deployed
  • Available in summer 2006

58
Learn More
  • Visit oracle.com/identity
  • Webinars
  • White Papers
  • Buyers Guides
  • Product Discussion Forums
  • Software Downloads
  • Identity Management Blogs

59
Sample Customers
60
Case Study State of Minnesota HIPAA Compliance
  • Business Challenge
  • Minnesota's Department of Human Services (DHS):
    30,000 medical providers and 80,000 users submit
    electronic claims. These must be secured to
    comply with federal HIPAA regulations. The
    management overhead of all these users is tremendous,
    as providers and users change regularly
  • Solution
  • State of Minnesota selected Oracle COREid Access
    and Identity to secure access to the claims
    submission portal, using its audit and log capabilities
  • Results
  • Medical claims are secure and processed more
    quickly
  • State of Minnesota is HIPAA compliant

61
PCASSO Project uses OLS
Patient Centered Access to Secure Systems Online
  • SAIC and UCSD: patients and health care providers
    access patients' complete medical records over
    the Internet
  • 178,000 patients
  • "In defining those levels, we needed to
    separately protect highly sensitive information
    that, by law, requires special protection.
    Label-based access control is ideal for this
    purpose."
  • Dixie Baker, corporate VP of technology and CTO
    for SAIC's healthcare practice

62
Southwest Airlines / Boeing: Lower Document Access
Costs
  • Business Challenge
  • Wanted to obtain engineering drawings,
    blueprints, color coding reports and other
    technical documents from the manufacturer via the
    Web
  • Increase efficiency
  • Reduce the business costs of transactions with
    the aircraft manufacturers
  • Oracle solution
  • Oracle COREid Access and Identity and COREid
    Federation
  • 1st in airline industry to implement SAML
  • Results
  • Oracle COREid solution saves Southwest 30/month
    per employee across 40k users, a total of 1.2
    million per month.
  • Also reduced equipment idle time, which costs
    15,000 per hour

63
General Motors: Lower Operational Costs
  • Business Challenge
  • Provide secure access to its supplier
    network: 53,000 external suppliers and 17,000
    employees access inventory and production
    schedules, while reducing the administrative burden.
    The solution must integrate with the existing access
    control system (Tivoli).
  • Oracle Solution
  • GM deployed Oracle COREid Access and Identity
    using delegated administration and group
    management features, delegating the
    administration of users to the individual suppliers.
  • Results
  • Accelerated production schedules
  • Secure supplier network
  • Cost reduction through delegated administration
  • Selected as the identity management standard at GM

64
VPD/OLS Live Customers
  • Ford (VPD)
  • Vendor Managed Inventory for suppliers
  • Schlumberger (OLS)
  • National Data Repositories for Oil and Gas
  • Data separation at Dept. levels
  • Consolidation while maintaining security
  • Lowered operating costs
  • Oracle Sales Online / Oracle Hosting Manager
  • Subscriber ID for hosting
  • Saved on person-hours, hardware, DBAs

65