Oracle Identity Management

Description: PowerPoint presentation, last modified by Erika Leetmae.

Number of Views:870
Avg rating:3.0/5.0
Slides: 77
Provided by: cislUcarE6
Learn more at: http://www.cisl.ucar.edu
Transcript and Presenter's Notes

2
Oracle Identity Management
  • Erika.Leetmae@oracle.com
  • Senior Technical Sales Consultant
  • NCAR/UCAR, 20 June 2005

3
Agenda
  • Security/IdM business drivers
  • Oracle Identity Management
  • Oblix
  • Demonstration of IdM
  • Oracle Database 10g
  • Where to go for more information

4
Security and Identity Management Business Drivers
5
State of Security: United States
  • 90% of respondents detected computer security
    breaches within the last twelve months.
  • 80% of respondents acknowledged financial losses
    due to computer breaches.
  • $455,848,000 in quantifiable losses
  • $170,827,000 theft of proprietary information
  • $115,753,000 in financial fraud
  • 74% cited their Internet connection as a frequent
    point of attack
  • 33% cited internal systems as a frequent point of
    attack

Source: 2002 CSI/FBI Computer Crime and
Security Survey
6
  • Citigroup lost information on 3.9 million
    customers while in transit to a credit bureau
    (June 6, 2005)
  • Polo Ralph Lauren: 180,000 credit cards stolen
    (April 14, 2005)
  • Former AOL employee pleads guilty in customer
    data theft (February 7, 2005)
  • Bank of America/Wachovia employees stole and
    sold over 100,000 customers' account information
    (May 23, 2005)
  • MasterCard reports breach of over 19.9 million
    credit cards (June 19, 2005)
  • Boston College database hacked for 120,000 alumni
    records (March 17, 2005)
7
10x
Cost for compliance by taking a one-off versus an
integrated approach to compliance projects
8
15-30%
Percentage of support calls relating to forgotten
passwords
9
20%
Percentage of active accounts belonging to
employees or contractors who no longer work for
the organization
10
16 min
Time per day, on average, spent signing into systems
and being authenticated. This equals 2,666
employee hours per day in a typical 10,000-employee
organization
11
"If you spend more on coffee than on IT security,
then you will be hacked. What's more, you deserve
to be hacked!"
Richard Clarke, 2002, Special Advisor to the
President for Cyberspace Security
12
Security Drivers
  • Government Regulations
    • Compliance Drivers
  • Shortened Supply-Chain
    • Everything is Online, Everybody is Online
  • Business Continuity
    • 24x7 availability
  • Risk Mitigation
    • Assess what is at risk

Ask your analysts to do a security TCO!
13
Regulations vs. Cost-Effective Compliance
Regulations (are you at risk?):
  • Sarbanes-Oxley Act
  • SEC / NYSE regulations
  • HIPAA
  • USA PATRIOT Act
  • DoD 5015
  • Food and Drug Administration, Title 21
  • NASD 3010, 3110
  • Freedom of Information Act
  • European Data Privacy Act
  • SB 1386 (California)
14
Oracle's Response
  • Product and Process Security
    • Secure Installation & Configuration
    • Independent Evaluations
    • Secure Product Development Life Cycle
  • Oracle Platform Security
    • Oracle Database Security
    • Oracle Application Server Security
    • J2EE Security, best practices for deployment
  • Oracle Identity Management
    • LDAP Server, Single Sign-On, Provisioning
      Solutions and Certificate Authority, Federation

15
Oracle Identity Management
16
LDAP and OID
  • LDAP
    • Data model, naming model, functional model,
      security model
    • The LDAP protocol itself (a connection-oriented
      protocol)
    • API for developing directory-enabled applications
    • LDIF: standard interchange format for directory
      data
    • HTTP (lock-step request/response) vs. LDAP
      (several operations in flight on one connection)
    • LDAP standards define the wire protocol and the
      data model but do not specify implementation
      considerations; many details are left up to
      directory vendors.
  • Oracle Identity Management
    • Includes an LDAP v3 directory
    • Includes other pieces: provisioning framework,
      single sign-on, directory integration,
      certificate authority, Oblix components
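
The LDAP data, naming and interchange models in the list above can be made concrete with a few lines of code. The Python below is an added example written for this page; it is not code from Oracle, OID or the presentation. It parses a small LDIF fragment (constructed here, not real directory data), handling folded lines and base64 (::) values, refuses :< file-URL values, and then runs a naming-model check that every entry's parent DN is present. The names, DNs and password hash are invented for the example, and DN comparison is simplified to lowercase matching, which is an assumption: a real directory server applies the matching rule of each attribute type.

```python
import base64

# Constructed sample LDIF (not real directory data). It exercises a folded
# line (continuation begins with one space, which is dropped) and a base64
# value (double colon), two features naive line splitters get wrong.
_PW_B64 = base64.b64encode(b"{SSHA}example").decode()
SAMPLE_LDIF = f"""\
# constructed sample
dn: dc=example,dc=com
objectClass: domain
dc: example

dn: cn=Users,dc=example,dc=com
objectClass: organizationalUnit
cn: Users

dn: cn=eleetmae,cn=Users,dc=example,dc=com
objectClass: inetOrgPerson
cn: eleetmae
sn: Leetmae
mail: eleetmae@example.com
description: Senior Technical Sales Consultant, identity
  management
userPassword:: {_PW_B64}
"""


def _unfold(text):
    """Join continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}. Base64 ('::') values stay bytes (they need not
    be text); ':<' URL values are refused so a loader never fetches files on a client's say-so."""
    entries, current = {}, None
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():                     # blank line ends an entry
            if current is not None:
                entries[current["dn"]] = current["attrs"]
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip(), validate=True)
        elif rest.startswith("<"):
            raise ValueError(f"file URL value not accepted for {name}")
        else:
            value = rest.strip()
        name = name.lower()                      # attribute types are case-insensitive
        if name == "dn":
            if current is not None:
                raise ValueError("dn line inside an entry (missing blank line)")
            current = {"dn": value.decode() if isinstance(value, bytes) else value, "attrs": {}}
        elif current is None:
            raise ValueError(f"attribute {name!r} before any dn")
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries[current["dn"]] = current["attrs"]
    return entries


def split_rdns(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        escaped = ch == "\\" and not escaped
    rdns.append("".join(buf).strip())
    return rdns


def parent_dn(dn):
    """Naming model: the parent is the DN with its leading RDN removed."""
    rdns = split_rdns(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else ""


def orphan_entries(entries, base_dn):
    """DNs whose parent is missing from the set (base excepted). Lowercase comparison
    is an assumption of this example; a real server applies per-attribute matching rules."""
    known = {dn.lower() for dn in entries}
    return [dn for dn in entries
            if dn.lower() != base_dn.lower() and parent_dn(dn).lower() not in known]
```

parse_ldif(SAMPLE_LDIF) yields three entries, with the userPassword value returned as bytes rather than silently decoded as text; orphan_entries(entries, "dc=example,dc=com") is empty for the sample and names any entry whose parent is absent, which is the check worth running before a bulk load so that it does not fail halfway through the file.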

17
Where does it all fit?
18
Oracle Application Server 10g
19
Identity Management
20
Identity Management Components
21
Oracle Internet Directory (built on the Oracle Database)
  • Scalability
    • Millions of users
    • 1000s of simultaneous clients
  • High availability
    • Multimaster replication
    • Hot backup/recovery, RAC, etc.
  • Manageability
    • Multi-node monitoring
  • Security
    • Comprehensive password policy
    • Role / policy based access control
    • Audit
  • Extensibility (plug-in framework)
    • Virtual attributes
    • External authentication
    • Custom password policies

22
Directory Integration Service (diagram): Oracle Internet
Directory exchanges data through Directory Integration
Service connectors with external directories and
sources: SunONE (iPlanet), Active Directory, OpenLDAP,
eDirectory, Oracle HR and Oracle DB.
23
Provisioning Integration Service (diagram): employee
enrollment in corporate HR flows into OID; the Oracle
Provisioning Integration Service (event notification
engine, policy & workflow engine, provisioning
connectors) propagates accounts to Portal, eMail,
ERP/CRM and a partner provisioning system; Helpdesk,
Portal and eMail administrators work through the
Delegated Admin Service (passwords, preferences).
24
Delegated Administration Services
  • Admin console w/ role-based customization
    • User / group management
    • End-user vs Admin views
    • Admin delegation
  • End-user self-service
    • Self-service provisioning
    • Set preferences, org chart
    • Password reset
  • Embeddable admin components
    • For integration with apps
  • Extensively configurable
    • Accommodate new applications
    • Customize UI views

25
OracleAS Single Sign-On (diagram): in the OracleAS-enabled
environment, OracleAS Single Sign-On fronts Portal, ERP,
CRM and other applications, authenticating against OID with
PKI, passwords, Win2K native authentication, SecurID and
Biokey; partner SSO products (Netegrity, RSA, Oblix) and
Federation / Liberty connect the partner-SSO-enabled
environment and the extranet.
  • Integrates Oracle and partner-SSO enabled apps

26
OracleAS Certificate Authority
  • Allows Oracle customers to secure their
    deployments
  • Out-of-the-box PKI solution
  • Easy provisioning of X.509v3 digital certificates
    for end users
  • Web Based certificate management and
    administration
  • Seamless integration with Oracle Application
    Server Single Sign-On & OID

27
Oracle and Oblix
28
Demonstration
29
Oracle Database 10gR2
30
Grid Computing Components
  • Storage
  • Database Servers
  • Application Servers
  • Provisioning and Management Tools

31
Grid Roadmap (chart; axes are for illustrative purposes
only). Horizontal axis, adaptable infrastructure: Reactive,
Managed, Agile. Vertical axis: Low ROI to High ROI. The
stages on the chart, from lower left to upper right:
  • Starting point
    • Many databases, many servers, many database
      vendors, many database versions
    • Many application servers, many servers, many app
      server vendors, many app server versions
  • Standardize
    • Upgrade to 9i/10g
    • Leverage TAF/FAN
    • All Oracle
    • Choose Grid platform servers
  • Leverage Clustering
    • RAC
    • OC4J clusters
    • ASM
  • Consolidate schemas
    • Customer data hub
    • Oracle Fusion
    • Streams
  • Leverage Grid
    • Grid Control
    • Services
32
Oracle 10g Real Application Clusters
  • Many small servers act as one
  • Capacity on demand
    • Add/remove servers online
    • Auto server allocation on failure
  • Mission critical QoS on standard, low cost
    servers
    • Scalable AND highly available
    • Start small, grow incrementally
  • Proven technology
    • Thousands of customers
    • Supported by leading ISVs
    • Runs on all platforms

33
Oracle 10g Real Application Clusters
  • Automatic Storage Management
    • Database file system providing clustered volume
      management
    • Integrated into the Oracle kernel
  • Workload Management
    • Dynamic load balancing to meet service level
      policies
  • Integrated clusterware stack
    • Easy to install and manage
    • Lower cost, single vendor support
    • Common features on all platforms, improved single
      system image
    • Open to 3rd party clusterware
    • Clusterware API

34
Oracle Label Security
  • Pre-enabled row level security
  • Built on Virtual Private Database
  • Label Based Access Control (LBAC) framework
  • Based on stringent government and commercial
    requirements for row level security
  • Data access is based on sensitivity labels and
    customizable enforcement options
  • Leverages Identity Management for
    • Labels
    • Identities and roles
    • Policy information

35
Other Oracle 10gR2 new features
  • DBMS_CRYPTO package
  • Upgrade improvements (DBUA)
  • Auditing improvements
  • Multiple EM improvements
  • Database backup to tape option
  • Flashback improvements
    • Flash Recovery Area (space quota) / RMAN
    • Database, table and row level
  • Online Transportable Tablespace
    • Enables a DBA to copy or move a tablespace of
      data using the transportable tablespaces feature
      without making the tablespace read-only in the
      source database.

36
Oracle - Delivering Better Security Technology
for > 25 years (timeline, 1977 to 2003)
  • 1977: commercial Oracle ("Paranoid Customer")
  • 1992: Trusted Oracle7 Multilevel Secure Database;
    stored procedures and database roles
  • 1993: first Orange Book B1 evaluation; Oracle
    Advanced Security introduced
  • Undated on the slide, placed between 1993 and 1998:
    network encryption, RADIUS authentication, support
    for PKI, Kerberos framework, database encryption
    API, Oracle Internet Directory, Enterprise User
    Security
  • 1998: Virtual Private Database
  • 2000: Oracle Label Security
  • Undated on the slide, placed between 2000 and 2003:
    Advanced Security FIPS 140, Common Criteria (EAL4),
    Oracle9iAS Single Sign-On, Oracle9iAS & JAAS, Fine
    Grained Auditing, ongoing security evaluations
  • 2003: Identity Management
37
Need help? More Information?
  • Erika.Leetmae@oracle.com, 303.334.6684
  • http://www.oracle.com/technology/products/id_mgmt/index.html
  • Oracle by Example Series: Oracle Application
    Server 10g (9.0.4)
    http://www.oracle.com/technology/obe/obe_as_10g/im/index.html
  • Deploying Oracle Identity Management with
    Multi-Master Replication (white paper)


40
Supporting Slides
41
Platform Security Architecture (layered diagram)
  • Applications and their application security:
    E-Business Suite (responsibilities, roles),
    Collaboration Suite (S/MIME, interpersonal rights),
    OracleAS Portal / Wireless (roles, privilege groups),
    3rd-party applications (authorization, privacy,
    audit)
  • Oracle Platform Security: Oracle Application
    Server (JAAS, JACC, WS-Security, external security
    services) and Oracle Database (enterprise users,
    VPD, Label Security, encryption, DB audit)
  • Oracle Identity Management: Oracle Internet
    Directory, OracleAS Single Sign-On, Delegated
    Administration Services, Directory Integration &
    Provisioning, OracleAS Certificate Authority
42
Oracle E-Business / IdM Integration (diagram): user
enrollment in (Oracle) HR is synchronized by the Oracle HR
Sync Agent through OID DIP into Oracle Internet Directory,
with account provisioning integration to Oracle E-Business
Suite Release 11i instances; the user's browser reaches
OracleAS Portal, E-Business Suite and partner web
applications through OracleAS SSO, with Delegated Admin
for self-service.
43
Identity Federation
  • Enabling identities to be shared and propagated
    between different systems
  • Allows individuals to log in once to access
    resources on the networks of different enterprises
  • No need for central storage of personal
    information
  • Each organization authenticates its own users
    and vouches for their access to third-party
    organizations' services

44
Federation Standards - Liberty Alliance
  • Consortium of 150 organizations developing open
    standards for federated network identity
    • Includes technology, business guidelines, and
      best practices
  • Oracle is a Sponsor Member of Liberty Alliance
  • Liberty protocol defines two key functions
    • Identity Provider (IdP): an entity that receives
      security-related requests and generates security
      assertions
    • Service Provider (SP): an entity that generates
      security-related requests and consumes security
      assertions (and provides useful content to its
      clients)

45
Federation Usage Scenario
  • Financial services company
  • Retirement funds management
  • 1,000 partner companies
  • Millions of end-user accounts
  • Need to be able to keep up with employment status
    changes in real time with partner companies
  • Want to provide users with transparent access to
    financial services through company portal

46
The Way it is Done Today (diagram)
  1. Log on to Portal
  2. Click on Partner 401K link
  3. Log on to Partner Site
The Company HR Database feeds the Partner Account
Database by batch-mode data transfer.
47
Implementation Using Federated Identity Standards (diagram)
  1. Log on to Portal
  2. Click on Partner 401K link
  3. Request data from Partner Site
  4. Federation protocol between Oracle SSO and the
     Partner Web Site
Partner website:
  • Explicit login
  • Provision and manage customer employee account
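
Slides 44 and 47 describe the two roles (the identity provider that authenticates and asserts, the service provider that requests and consumes) and the federated flow in which the partner site trusts the company SSO instead of running its own login. The Python below is an added example written for this page, not Oracle or Liberty Alliance code, and it does not implement the Liberty ID-FF wire format: the messages are signed JSON rather than SAML, and a shared HMAC key between the IdP and the SP stands in for the IdP's signing certificate (an assumption). Entity IDs, the user, the password and the account link are all constructed, and the clock is passed in explicitly so the validity window can be exercised. What it shows is the consumer-side discipline: verify the signature before trusting any field, check audience and InResponseTo, enforce the validity window, accept each assertion ID once, and map the opaque federated name to a local account that was linked beforehand.

```python
import hashlib
import hmac
import json
import secrets

ASSERTION_LIFETIME = 300  # seconds; short, because an assertion is a bearer credential


def sign(key, message):
    """HMAC over canonical JSON so issuer and consumer hash identical bytes."""
    data = json.dumps(message, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    """Receives requests, authenticates the user locally, generates assertions."""

    def __init__(self, entity_id, signing_key, users):
        self.entity_id = entity_id
        self.signing_key = signing_key              # shared with the SP (assumption)
        self.users = users                          # constructed {username: password}
        self._pseudonym_key = secrets.token_bytes(32)  # never leaves the IdP

    def name_identifier(self, sp_entity_id, username):
        """Pairwise opaque identifier (hypothetical construction): a different,
        unguessable name per SP, so SPs cannot correlate users or learn usernames."""
        msg = f"{sp_entity_id}:{username}".encode()
        return hmac.new(self._pseudonym_key, msg, hashlib.sha256).hexdigest()[:32]

    def issue_assertion(self, request, username, password, now):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("local authentication failed")
        body = {
            "id": secrets.token_hex(16),
            "issuer": self.entity_id,
            "audience": request["issuer"],           # only this SP may accept it
            "in_response_to": request["id"],
            "subject": self.name_identifier(request["issuer"], username),
            "not_before": now,
            "not_on_or_after": now + ASSERTION_LIFETIME,
        }
        return {"body": body, "signature": sign(self.signing_key, body)}


class ServiceProvider:
    """Generates requests and consumes assertions; never sees the user's password."""

    def __init__(self, entity_id, trusted_idps):
        self.entity_id = entity_id
        self.trusted_idps = trusted_idps            # {idp_entity_id: verification key}
        self.outstanding = {}                       # request id -> issue time
        self.used_assertion_ids = set()             # replay protection
        self.account_links = {}                     # (idp, name_id) -> local account

    def create_request(self, idp_entity_id, now):
        request = {"id": secrets.token_hex(16), "issuer": self.entity_id,
                   "destination": idp_entity_id, "issued": now}
        self.outstanding[request["id"]] = now
        return request

    def link_account(self, idp_entity_id, name_id, local_account):
        self.account_links[(idp_entity_id, name_id)] = local_account  # done once, after proving both accounts

    def consume(self, assertion, now):
        body = assertion["body"]
        key = self.trusted_idps.get(body.get("issuer"))
        if key is None:
            raise ValueError("untrusted issuer")
        if not hmac.compare_digest(sign(key, body), assertion["signature"]):
            raise ValueError("signature check failed")   # checked before any other field is trusted
        if body["audience"] != self.entity_id:
            raise ValueError("assertion addressed to another service provider")
        if body["in_response_to"] not in self.outstanding:
            raise ValueError("unsolicited response, or request already answered")
        if not body["not_before"] <= now < body["not_on_or_after"]:
            raise ValueError("assertion outside its validity window")
        if body["id"] in self.used_assertion_ids:
            raise ValueError("assertion replayed")
        del self.outstanding[body["in_response_to"]]
        self.used_assertion_ids.add(body["id"])
        local = self.account_links.get((body["issuer"], body["subject"]))
        if local is None:
            raise LookupError("no local account linked to this federated identity")
        return local


def is_rejected(sp, assertion, now):
    try:
        sp.consume(assertion, now)
    except (ValueError, LookupError):
        return True
    return False


def demo(now=1_000_000):
    """Slide 47 flow with constructed names: company SSO as IdP, partner 401K site as SP."""
    key = secrets.token_bytes(32)
    idp = IdentityProvider("https://sso.company.example", key, {"eleetmae": "constructed-password"})
    sp = ServiceProvider("https://401k.partner.example", {idp.entity_id: key})
    sp.link_account(idp.entity_id, idp.name_identifier(sp.entity_id, "eleetmae"), "plan-4711")
    request = sp.create_request(idp.entity_id, now)                                   # step 3
    assertion = idp.issue_assertion(request, "eleetmae", "constructed-password", now)  # step 4
    return sp, idp, request, assertion, sp.consume(assertion, now + 1)
```

demo() runs the flow once and returns the partner-side account ("plan-4711"). Presenting the same assertion a second time, an assertion whose audience was altered after signing, or one at or past its not_on_or_after is refused, which is what is_rejected() reports. The pairwise name identifier means the partner never sees the company username, and a second partner would receive a different identifier for the same person, so two partners cannot join their records on it.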

48
Oracle Consulting Services
  • Identity management specialists
  • Field sales
  • Consulting services
  • Benefits assessments
  • Architectural assessments
  • Implementation services

49
Grid computing model (diagram): a blade farm (local grid)
of blades on a high-speed interconnect, with cross-tier
routing.
50
Oracle Security Platform
  • Key component of Oracle's overall security
    strategy
  • Provides an integrated identity management
    infrastructure built upon Oracle's unbreakable
    technology
  • Centralizes security management of Oracle
    applications across the enterprise
  • Provides a robust, standards-based platform for
    security services to the entire enterprise

51
Oracle Database Advanced Security Option
  • Privacy Solutions
    • Data protection over the wire
      • Client to server
      • Mid tier to server
      • Data Guard (primary to standby)
      • JDBC (thick and thin), OCI
  • Strong Authentication
    • Strong alternatives to passwords
    • Industry standard solutions
      • PKI, Kerberos, RADIUS

52
How Customers are Leveraging the Oracle Security
Platform
53
Customer Case Study - Wireless Carrier
  • Problem
    • Subscriber directory for 25M cellular phone
      customers and phone number entries worldwide
    • Plans to scale to 100M numbers
    • Continuous availability required during frequent
      bulk updates
  • Solution
    • Two Oracle Internet Directory instances with
      multi-master replication
  • Why they chose Oracle
    • Reliable multi-master replication
    • Continuous service availability during bulk
      provisioning operations

54
Customer Case Study - Government Lab
  • Problem
    • Proliferation of web applications without any
      centralized management of security and identities
    • Lots of Oracle Forms and Reports applications
    • Semi-independent departments without any central
      IT organization
    • Local privilege groups not to be visible outside
      the department
  • Solution
    • Unified authentication for 5000 users across all
      web applications
    • Centralized user enrollment
    • Autonomous administration of department
      application security
    • Local Identity Management instances for fail-over
  • Why did they choose Oracle?
    • Support for autonomous fan-out Identity
      Management instances
    • Identity Management enablement for existing
      applications

55
Customer Case Study - Large Insurance Company
  • Problem
    • Over 80,000 employees, millions of customers
    • A mixed environment: MS desktops, BEA, Oracle,
      in-house applications
    • Require a single password for the desktop as well
      as other apps
    • Availability is critical
  • Solution
    • Oracle Internet Directory as directory hub
    • AD integration, transparent to BEA-based and
      custom apps
  • Why did they choose Oracle?
    • Support for heterogeneous environment
    • Scalability, high availability solutions
    • Deployment on Linux

56
Oracle Database 10g Virtual Private Database
  • Column Relevant Policies
  • Policy enforced only if specific columns are
    referenced
  • Increases row level security granularity

57
Oracle Database 10g Virtual Private Database
  • Column Filtering
  • Optional VPD configuration to return all rows but
    blank out (return NULL for) the sensitive column
    values in rows that don't meet the criteria

58
Oracle 10g Automatic Storage Management
  • Dynamically allocates database storage
    • Load balances database files across disks;
      rebalanced when the storage configuration changes
      (with an optional WAIT)
  • Capacity on demand
    • Add/remove storage online
    • Automatic I/O load balancing
  • Enhanced data provisioning
    • Supports transportable tablespaces
    • Eliminates storage fragmentation
  • Fault tolerant, high performance
    • Automatically mirrors and stripes
  • Low cost
    • Less DBA work: no I/O tuning to do
    • No volume manager or file system
    • Better disk utilization
  • Solved a lot of CW and 9i RAC issues

59
ASM: How it Works (slides 59 and 60 are builds of one slide)
  • No volumes, just a pool of storage
  • Simplifies layout of datafiles, control files,
    redo log files and flash recovery area
  • Single instance and RAC
  • Partitions total disk space into uniform-sized
    megabyte units
  • Efficient, online add/remove of disk with
    automatic rebalancing
  • ASM Wait on Rebalance
  • Eliminates storage fragmentation

61
More on ASM
  • ASM provides (platform independent)
    • Services of a file system
    • Services of a Logical Volume Manager (LVM)
  • Integrated into the Oracle kernel
  • Provides software RAID in a platform-independent
    manner
    • ASM can stripe and mirror your disks with a
      choice of redundancy
  • Allows disks to be added or removed while the
    database is under load
  • Automatically balances I/O to remove "hot spots"
  • Supports direct and asynchronous I/O
  • Uses the Oracle Data Manager API (simplified I/O
    system call interface) introduced in Oracle9i

62
More on ASM
  • ASM can only be used for
    • Oracle data files
    • Redo logs
    • Control files
    • Flash Recovery Area
  • Files in ASM can be created and named
    automatically by the database or manually by the
    DBA.
  • Files in ASM are not accessible to the OS; the only
    way to back up and recover databases that use ASM
    files is through Recovery Manager (RMAN).
  • Memory requirements for ASM are light: only 64 MB
    for most systems.
  • Support for multiple Oracle database versions
  • In RAC environments, an ASM instance must be
    running on each cluster node.
  • Choice of redundancy
    • HIGH: ASM keeps 2 mirror copies of each file
      extent instead of the usual 1 (three-way
      mirroring).
    • NORMAL: ASM keeps 1 additional copy of each
      file (conventional two-way mirroring).
    • EXTERNAL: no ASM mirroring; redundancy is left
      to the external storage array.

63
Automatic Workload Management
  • Application workloads can be defined as Services
  • Individually managed and controlled
  • Assigned to instances during normal startup
  • On instance failure, automatic re-assignment
  • Service performance individually tracked
  • Fine grained control with Resource Manager
  • Rules can be defined dynamically

64
Integrated Clusterware (CRS)
  • Complete Oracle cluster software solution
    • Single-vendor support
  • Low cost
    • No need to purchase additional software
  • Easy to install, manage
    • Single instance or RAC installs
    • CRS CD
  • Common event and management APIs
  • Support for third-party clusterware
  • CRS requires two files to be shared among all of
    the hosts in the cluster
    • Oracle Cluster Registry (100 MB)
    • CRS Voting Disk (20 MB)

65
Oracle Database Backup: Low Cost Tape Backup
(ASM, database files, recovery areas and OS files)
  • Low cost alternative to complex backup products
  • Best integrated end-to-end backup of Oracle
    Databases
  • Scalable to low 100s of servers, 10s of
    millions of files
  • Easy to manage: EM 10g and RMAN
  • Bundled with Oracle Database: single vendor
    support
  • Block Change Tracking incremental backups

Oracle Backup: performant, low cost tape backup
66
Flashback Database
  • Accessible via RMAN & SQL*Plus
    SQL> FLASHBACK DATABASE TO TIMESTAMP TO_TIMESTAMP('2:05 PM', 'HH:MI AM');
  • Flash Recovery Area
    • Unified storage location for recovery-related
      files
    • Flashback Database logs
    • Redo / archive logs
    • RMAN backups
  • Restores just changed blocks

Diagram, "Rewind button for the Database": a disk write
puts the new block version in the data files while the
old block version is kept in the Flash Recovery Area
(holds old block contents).
67
Flashback Time Navigation
  • Flashback Query: see data as of a point in time
    SELECT * FROM emp AS OF TIMESTAMP TO_TIMESTAMP('2:00 PM', 'HH:MI AM') WHERE ...
  • Flashback Transaction Query: see all changes
    made by a transaction (Tx 1, Tx 2, Tx 3 in the
    diagram)
    SELECT * FROM flashback_transaction_query WHERE xid = HEXTORAW('000200030000002D');
  • Flashback Row Versions: see all versions of a
    row between two times, and the transactions that
    changed the row
    SELECT * FROM emp VERSIONS BETWEEN TIMESTAMP TO_TIMESTAMP('2:00 PM', 'HH:MI AM')
      AND TO_TIMESTAMP('3:00 PM', 'HH:MI AM') WHERE ...
68
Enterprise Manager Grid Control
  • Monitor and manage
  • Grid-wide view
  • End-to-end
  • Top-to-bottom
  • From anywhere

69
Manage Groups as One (diagram: applications, sets of systems)
  • Single-view management and monitoring across
    components
  • Standardize policies
    • Configuration
    • Performance
    • Security
  • Automate processes
    • Automated patch management

70
Managing the Software Life Cycle (Enterprise Manager Grid
Control): Install/Clone, Configure, Patch, Secure
71
Service Level Management
  • Monitor end-user experience: availability and
    performance
  • Monitor database: click-to-SQL drilldowns
  • Monitor application: click-to-EJB, J2EE
    activity
72
Self-Managing Database 10g
  • ASM
  • Built-in intelligent infrastructure
  • Self-aware performance analysis
  • Proactive server alerts
  • Automatic tasks
  • Automatic Database Diagnostic Monitor
  • Expert engine in the database
  • Automatic SQL tuning
  • Optimize packaged and custom applications

73
Self-Optimizing SQL (slides 73 to 76 are progressive
builds of this slide)
  • Customizable Applications -> Proven Cost-Based
    Optimizer
  • Auto SQL Analysis: SQL Advice -> Better SQL
  • Auto SQL Tuning: SQL Profile -> Improved Plan
77
Flashback Error Correction
  • Database Level
    • Flashback Database restores the whole database to
      a point in time
    • Uses Flashback Logs
  • Table Level
    • Flashback Table restores rows in a set of tables
      to a point in time
      • UNDO_RETENTION
      • Maintains data integrity and constraints
    • Flashback Drop restores a dropped table or an
      index
      • Recycle bin for DROPs
  • Row Level
    • Flashback Rows restores rows to a point in time
    • Uses Flashback Query:
      SELECT * FROM emp AS OF TIMESTAMP TO_TIMESTAMP('2:00 PM', 'HH:MI AM') WHERE ...

Diagram: a database with Customer and Order tables.