Title: Oracle Security Solutions: Identity Management and Database Security, 13 September 2006, Sofia, Bulgaria
1Oracle Security Solutions: Identity Management and Database Security
13 September 2006, Sofia, Bulgaria
- Patrick McLaughlin
- Director Security
- EMEA Technology Solutions
- patrick.mclaughlin_at_oracle.com
2Agenda
- Oracle security solutions
- Identity and Access management solution
- Enterprise single sign on
- Database security solutions
- including 10g Release 2 security enhancements
- Oracle web services management solution
- Sample security solution customers
- Q&A
3Oracle Security Solutions
5Identity and Access Management
- Including Provisioning and Federation
6Oracle Internet Directory
- Scalable
- Highly available
- Easily managed
- Secure
- Extensible
[Diagram: LDAP clients -> Oracle Internet Directory Server, managed through the Directory Admin Console, with the directory data held in an Oracle Database]
7Virtual Directory Drivers
- Applications need user profile information for personalization and authorization management
- Challenge
- Information about the same identity is distributed across a large number of stores: LDAP, RDBMS, AD, etc.
- Applications don't have a uniform mechanism for accessing this information
- This creates a many-to-many relationship that is difficult to administer, opening a security risk
- Virtual directories join different aspects of identity into a single object
- Single point of administration
- Multiple protocols in and out
8Oracle Virtual Directory
- Oracle Virtual Directory
- Real-time consolidation
- Technology abstraction
- Complexity reduction
[Diagram: customers and partners connect through Oracle Virtual Directory, which protects existing directory investments and presents a single identity view]
9Virtual Directory - Structure
[Diagram: service listener protocols (Web Services, Web Gateway, LDAP) -> VDE directory engine (data transformation, mapping, routing, security, audit; join view; local store) -> data adapters (NT, LDAP, DB, custom adapter)]
10Financial Services Firm
- Problem
- Existing SOA provides access to aggregated ID attributes, but only through a custom web service
- Solution
- Provide LDAP access to the custom service
- Benefit
- Create a unified service
- Reduce operational cost
- Eliminate retrofitting of applications
11Access Manager
- Benefits
- Centralized and consistent security across heterogeneous environments
- Reduced administration cost
- Improved end user experience
- Better compliance
- Features
- Common policy management
- Multi-level, multi-factor authentication management
- Self-service and password administration
- Delegated administration
- Workflow engine
- Web Services interfaces
[Diagram: Authentication, Authorization, Identity Admin]
12- Web Single Sign On and Access Control
- User, Group, and Organisation Management
- Workflow and User Provisioning
- Reporting and Auditing
- Password Management
13Oracle Access Manager building blocks
14Partnerships for Seamless Integrations
[Diagram: portals, packaged e-business applications, web servers and application servers reach the COREid Access Server over HTTP(S) for single sign-on to multiple resources; mainframe systems (RACF, ACF-2, TSS) connect through the COREid Mainframe Security Connector for OS/390; identities are held in LDAP]
15IDM
16Definition of Provisioning
- Managing user accounts and user profiles across the IT environment via a combination of user roles and business rules
- All account updates managed centrally
- Change requests are done via self-service, an administrator or an HR system update
- Adapters to manage accounts within enterprise systems such as CRM, ERP, e-mail, DB, OS, VPN, PBX, etc.
- Centralizes tracking and auditing of who has access to what at any given time
17The Identity Provisioning Problem
- It takes too long to get people access to the IT resources that they need.
- With people changing jobs so often, it's hard to keep track of who has access to what.
- How do we know that when people leave the company, they can't still use our systems?
- It takes an enormous cost and effort to do what our auditors want on a continuous basis, and we're not even sure that what we're telling them is right!
- Our users can't keep track of all their IDs and passwords, and we can't either.
- It's getting worse.
18Business Drivers
- Security Risks
- Risk of role accumulation, and ghost or orphan accounts
- No systematic control of the identity management life-cycle
- No commonality across policies applied to a heterogeneous resource base
- No knowledge of who has what
- Costs & Complexity
- Costly manual user administration as the user and resource base grows
- Poor IT service levels to end users
- Increasing application development and maintenance costs
- Lost productivity due to inefficiency
- Compliance Requirements
- Regulatory (SOX, privacy regulations, 21 CFR Part 11, GLB, HIPAA)
- Segregation of duties and other internal control policies
- CxO liability arising from non-compliance
- Massive, recurring cost to ensure nominal compliance
19What Does Oracle Identity Management Do?
20Functional Architecture
Key Features
- Reconciliation with multiple trusted sources
- Intelligent user profile definition
- Delegated administration
- Role and rule-based determination of access privileges
- Supports workflow
- Ease of integration with Adapter Factory
- Extensive reporting, analysis and auditing capabilities
21Provisioning Adaptors: Covering 30 key targets
- Directory Servers
- IBM, AD, Sun, OID, eDirectory, Open LDAP
- Database Servers
- Oracle, SQLServer, DB/2, MySQL, Sybase
- Presentation Servers
- Weblogic Portal
- Operating Systems
- AIX, Netware, Windows, Solaris, Linux
- Applications
- Peoplesoft, SAP, Siebel, Oracle Ebiz
- Email/Collaboration
- Domino, Exchange, Groupwise
- Security Managers
- Top Secret, RACF, Secure ACS, SecurID, ACF2, CONTROL-SA, ClearTrust
22Competitive Differentiation
- Scalability
- Users: 140,000 (Accenture)
- Resources: 600 (Lehman Brothers)
- Complexity: 43,000 Security Groups (Goldman Sachs)
- Time-to-Deployment: Four Months (Nextel Phase I)
- Flexibility
- Workflow Abstraction (Approval vs. Provisioning)
- Process decomposed into discrete tasks
- Policy-based fine-grained provisioning, de-provisioning, and denial
- Fundamental design philosophy of "Configure, don't Customize"
- Manageability
- State Management
- ID Link (Identity Correlation Engine)
- Reconciliation Engine
- Deployment and Change Control tools
23IDM
24Secure Federation
- Benefits
- Secure integration with partners
- Reduce administration cost
- Deliver improved end user experience
- Features
- Seamless SSO and Identity Sharing across business partners
- Multi-protocol gateway: SAML, Liberty, WS-Federation
- Available as Service Provider (Hub) or Identity Provider (Spoke) packages
- Flexible deployment configurations
- Integrated with Oracle Identity
- Standalone for use with a pre-existing web-access management solution
- Protocol SDK for custom applications
25Federated Identity Principles
- Multiple authorities in a trust network
- Each owns their customers and employees
- Each owns their infrastructure
- Each issues their own credentials
- Each can decide whether to accept credentials from other authorities/domains
- Avoids duplicated management of identity information in multiple domains
- Keeps responsibility in each owning domain
- Can scale up to any size of service-oriented grid
- Open standards based
26Existing Database Security options
- Virtual Private Database
- Label Security
- Oracle Advanced Security
27Oracle Advanced Security
- Strong authentication with 3rd party industry leaders: Kerberos, CyberSafe, DCE
- Smart cards, token cards (SecurID), biometrics
- Industry-standard RADIUS allows authentication vendors to integrate their solutions: smart cards, fingerprints, voice, etc.
- Strong authentication within a PKI: X.509v3 certificates
- Can use a Hardware Security Module at the server
- Encrypted traffic from DB to user or to app server
28Transparent Data Encryption, part of Oracle Advanced Security 10gR2
- Transparent Data Encryption
- Includes key management
- Transparent to applications
- Helps address privacy and regulatory compliance
- Store username and password in wallet
- Protect username and password on the command line for batch jobs
- SmartCard integration for SSL
- Support existing certificates on smartcards
[Diagram: application -> ASO network encryption -> database; data written to disk encrypted, data decrypted through the SQL interface, data encrypted on backup files]
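The setup behind the diagram, as an added example that is not from the deck: the 10gR2 TDE wallet, an encrypted column, and RMAN backup encryption. The wallet directory, the wallet password and the APP.PATIENTS table are assumptions made for illustration.

```sql
-- Added example (not from the deck): Transparent Data Encryption as shipped
-- in Oracle Advanced Security 10gR2. The wallet path, the wallet password
-- and the APP.PATIENTS table are assumptions for illustration.

-- sqlnet.ora on the database server tells the instance where the wallet lives:
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /etc/oracle/wallet)))

-- 1. Create the master key. On first use this also creates the wallet
--    (ewallet.p12) in that directory and leaves it open.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet-Pa55word";

-- After an instance restart the wallet is closed and encrypted columns raise
-- ORA-28365 (wallet is not open) until an administrator reopens it:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet-Pa55word";

-- 2. Encrypt columns. Each table gets its own key, itself encrypted with the
--    master key in the wallet; plaintext for these columns is never written
--    to datafiles, redo or backups.
CREATE TABLE app.patients (
  patient_id NUMBER PRIMARY KEY,
  name       VARCHAR2(80),
  ssn        VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT  -- NO SALT only because SSN is indexed
);
CREATE INDEX app.patients_ssn_ix ON app.patients (ssn);
ALTER TABLE app.patients MODIFY (name ENCRYPT);           -- default: AES192, salted

-- 3. Check what is actually encrypted, and how.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- 4. Applications see plaintext through SQL as before; that is the point of
--    "transparent", and also the limit: TDE protects stolen datafiles and
--    backups, not a user who already holds SELECT on the table.
SELECT name, ssn FROM app.patients WHERE ssn = '123-45-6789';

-- 5. Backups: RMAN encrypts backup sets with a key protected by the same wallet.
-- RMAN> CONFIGURE ENCRYPTION FOR DATABASE ON;
-- RMAN> CONFIGURE ENCRYPTION ALGORITHM 'AES256';
-- RMAN> BACKUP DATABASE;
```

Keep a copy of ewallet.p12 separate from the database backups: without the wallet the encrypted columns and the encrypted backup sets are unrecoverable, and a tape that travels together with its wallet is not protected at all.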
29Centralized Identity Management: Enterprise User Security
[Diagram: Oracle Internet Directory stores users, passwords, roles and schema mappings; the database uses it for authentication and authorizations, with proxy authentication from 9iAS Portal]
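How the Virtual Private Database option from slide 26 and the proxy authentication from this slide fit together, as an added example that is not from the deck. The schema APP, table CLAIMS and the users PROVIDER_A, APPSRV and CLAIMS_AUDITOR are assumed names for illustration.

```sql
-- Added example (not from the deck): VPD row-level security plus proxy
-- authentication. Schema APP, table CLAIMS, users PROVIDER_A, APPSRV and
-- CLAIMS_AUDITOR are assumed names for illustration.

-- Provider accounts can only be reached through the application server's
-- database account: the app server authenticates as APPSRV and then
-- connects "as" the provider (connect string appsrv[provider_a]/...).
ALTER USER provider_a GRANT CONNECT THROUGH appsrv;

-- Policy function: returns the WHERE-clause fragment VPD appends to every
-- statement against the protected table.
CREATE OR REPLACE FUNCTION app.claims_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'PROXY_USER') = 'APPSRV' THEN
    -- Proxied session: the provider only sees rows it owns.
    RETURN 'provider_id = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
  ELSIF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'CLAIMS_AUDITOR' THEN
    -- Auditor: no predicate, i.e. all rows (SELECT is granted separately).
    RETURN NULL;
  ELSE
    -- Any other path (e.g. a provider logging in directly with SQL*Plus)
    -- fails closed: the predicate matches no rows.
    RETURN '1 = 0';
  END IF;
END;
/

-- Attach the policy. update_check => TRUE also stops INSERT/UPDATE from
-- creating rows the caller would not be allowed to see afterwards.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'CLAIMS',
    policy_name     => 'CLAIMS_PROVIDER_ONLY',
    function_schema => 'APP',
    policy_function => 'CLAIMS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- Effect, as seen from the app server proxying for PROVIDER_A:
--   SQL> CONNECT appsrv[provider_a]/appsrv_pw@db
--   SQL> SELECT claim_id, provider_id FROM app.claims;
--   -> only rows where provider_id = 'PROVIDER_A'
-- The same SELECT issued by PROVIDER_A connecting directly returns no rows.
```

Two checks worth making on any VPD deployment: SYS and any account holding the EXEMPT ACCESS POLICY privilege bypass all policies, so that privilege needs the same scrutiny as DBA; and the schema that owns the policy function (APP here) must not be writable by the users the policy governs, or they can rewrite the predicate.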
30Oracle Label Security
- Based on VPD; grew out of accredited consulting work and over seven years of MLS efforts
- Off-the-shelf label-based RLS system
- GUI for administration
- No coding required
[Table: data rows with a Row Label column combining Levels (Public, Confidential, Confidential High Sens), Compartments (Oncology, Radiology, X-ray, Lab) and Groups (Patient, PCP, SCP, Research, Admin, ER)]
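The three label components from the table, built into a working policy, as an added example that is not from the deck. Policy, schema, table and user names are assumptions for illustration; the statements run as the OLS administrator (LBACSYS) or a user granted its packages.

```sql
-- Added example (not from the deck): an Oracle Label Security policy built
-- from the three components the slide names. Policy, user, schema and table
-- names are assumptions for illustration.

-- 1. Policy: every protected table gets a NUMBER column OLS_LABEL holding
--    the row's label tag; HIDE keeps it out of SELECT *.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'PATIENT_POL',
    column_name     => 'OLS_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- 2. Components. Levels are ordered (a higher number dominates a lower one);
--    compartments are need-to-know partitions; groups are organisational.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('PATIENT_POL', 10, 'PUB',  'Public');
  SA_COMPONENTS.CREATE_LEVEL('PATIENT_POL', 20, 'CONF', 'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('PATIENT_POL', 30, 'HS',   'Confidential High Sens');
  SA_COMPONENTS.CREATE_COMPARTMENT('PATIENT_POL', 100, 'ONC', 'Oncology');
  SA_COMPONENTS.CREATE_COMPARTMENT('PATIENT_POL', 110, 'RAD', 'Radiology');
  SA_COMPONENTS.CREATE_GROUP('PATIENT_POL', 1000, 'PCP', 'Primary care physicians');
  SA_COMPONENTS.CREATE_GROUP('PATIENT_POL', 1010, 'RES', 'Research');
END;
/

-- 3. Protect the table. APP gets FULL privilege so it can load labelled rows.
CREATE TABLE app.med_records (
  rec_id     NUMBER PRIMARY KEY,
  patient_id NUMBER,
  note       VARCHAR2(200));
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('PATIENT_POL', 'APP', 'MED_RECORDS');
  SA_USER_ADMIN.SET_USER_PRIVS('PATIENT_POL', 'APP', 'FULL');
END;
/
-- Label syntax is LEVEL:COMPARTMENTS:GROUPS
INSERT INTO app.med_records (rec_id, patient_id, note, ols_label)
  VALUES (1, 42, 'Oncology consult', CHAR_TO_LABEL('PATIENT_POL', 'HS:ONC:PCP'));
INSERT INTO app.med_records (rec_id, patient_id, note, ols_label)
  VALUES (2, 42, 'Appointment reminder', CHAR_TO_LABEL('PATIENT_POL', 'PUB'));
COMMIT;

-- 4. Authorise users. DR_SMITH can read up to HS within ONC as a PCP;
--    the researcher is capped at CONF and is not in the PCP group.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('PATIENT_POL', 'DR_SMITH',   'HS:ONC:PCP');
  SA_USER_ADMIN.SET_USER_LABELS('PATIENT_POL', 'RESEARCHER', 'CONF:ONC:RES');
END;
/
-- SELECT rec_id, note FROM app.med_records;
--   as DR_SMITH   -> rows 1 and 2
--   as RESEARCHER -> row 2 only (row 1 needs level HS and group PCP)
```

A row is readable when the user's level dominates the row's level, the user holds every compartment on the row, and (if the row carries groups) at least one of the row's groups; the PUB row carries no compartments or groups, which is why both users see it.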
31Database Security
- Latest features (10g Release 2)
32Oracle Secure Backup - new standalone product
- Oracle Secure Backup is ideal for customers seeking a low cost alternative to complex backup products
- Best integrated end-to-end backup of Oracle Databases
- Media manager for RMAN backup and recovery of Oracle9i and 10g databases to tape
- Fastest Database Backup on the market
- Backup Oracle Home, App Server and other file systems
- Oracle Secure Backup includes
- Centralized management of network backups
- Scalability to low 100s of servers, 10s of millions of files
- Easy management through Enterprise Manager
- Encryption of backed-up data
[Diagram: file systems (Linux, Unix, Windows, filers) and databases (via RMAN) -> Oracle Secure Backup -> supported tape libraries and drives]
33Customers Recognize Need
- "This is the most innovative security capability Oracle has ever provided" - Large defense supplier
- "This is exactly what we need for SOX compliance" - Healthcare company
- "We need this product now... it will help us meet our separation of duty reqmt. for compliance" - Retail customer
- "This is a historical event in the intelligence world for information sharing... this eliminates many of the risks for information consolidation" - Federal Intelligence Customer
34Database Vault: Business Problem
- Internal threats require enforcement of operational security policies: who, what, when and where can data be accessed?
- Database consolidation can result in multiple all-powerful (DBA) users in the database
- Regulations demand strong internal controls and separation of duty (Sarbanes-Oxley, Basel II, etc.)
35Oracle Database Vault
[Diagram: Realms, Multi-Factor Authorization, Command Rules, Separation of Duty, Reports]
36Command Rule Flexibility
Commands that can be protected with a command rule include: Alter Database, Alter Function, Alter Package Body, Alter Procedure, Alter Profile, Alter Session, Alter Synonym, Alter System, Alter Table, Alter Tablespace, Alter Trigger, Alter User, Alter View, Audit, Change Password, Comment, Connect, Create Database Link, Create Function, Create Index, Create Package, Create Package Body, Create Procedure, Create Role, Create Table, Create Tablespace, Create Trigger, Create User, Create View, Delete, Execute, Grant, Insert, Lock Table, Noaudit, Rename, Select, Truncate Table, Update
37Built-In Factors
Additional factors can be defined
38Oracle Advanced Security Integration
- Realms work transparently with Transparent Data Encryption
- Data automatically encrypted through SQL
- Data automatically decrypted through SQL
- Sensitive data encrypted on backup files
- Transparent Data Encryption works with RMAN to encrypt backups written to disk
- Oracle Advanced Security with RMAN can encrypt backups sent to disk
[Diagram: realm-protected schemas inside the database, with TDE on disk and encrypted RMAN backups]
39Oracle Label Security Integration
[Diagram: the factors "Intranet Access" and "External" combine with the labels Highly Sensitive, Sensitive and Public]
Oracle Label Security restricts access to labeled data based on Database Vault factors
40Oracle Database Vault Realms and Rules
Realms can be easily applied to existing applications with minimal performance impact
41Oracle Database Vault Factors and Command Rules
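A realm, a factor-based rule set and a command rule of the kind slides 36, 37 and 40 describe, as an added example that is not from the deck. It uses the DVSYS.DBMS_MACADM API as the Database Vault owner; the realm and rule names, the APP schema and the IP range are assumptions for illustration.

```sql
-- Added example (not from the deck): a realm, a factor-based rule set and a
-- command rule, created through the DVSYS.DBMS_MACADM API as the Database
-- Vault owner. Realm, rule, schema and IP range are assumptions.

-- 1. Realm around the APP schema. A DBA holding SELECT ANY TABLE still gets
--    ORA-01031 on APP.* until authorised here; the privilege alone is no
--    longer enough.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Financials Realm',
    description   => 'Protects the APP schema from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- log every violation
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Financials Realm',
    object_owner => 'APP',
    object_name  => '%',          -- all objects ...
    object_type  => '%');         -- ... of every type
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Financials Realm',
    grantee       => 'APP',       -- only the application account
    rule_set_name => NULL,        -- unconditionally
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Rules on built-in factors: where the session comes from and when.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Corporate Subnet',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.1.%''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 8 AND 18');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted Admin Window',
    description     => 'Corporate network during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,    -- every rule must hold
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Not permitted from this location or at this time',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Trusted Admin Window', 'From Corporate Subnet');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Trusted Admin Window', 'Business Hours');
END;
/

-- 3. Command rule: ALTER USER on any account is allowed only inside that
--    window, whoever issues it.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER USER',
    rule_set_name => 'Trusted Admin Window',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- What a DBA now sees:
--   SQL> SELECT COUNT(*) FROM app.claims;
--   ORA-01031: insufficient privileges           (realm violation, audited)
--   SQL> ALTER USER app IDENTIFIED BY hijacked;   -- at 23:00 from 192.0.2.5
--   ORA-47400: Command Rule violation for ALTER USER on APP
```

The separation of duty the slide promises only holds if the Database Vault owner and account manager are accounts distinct from the DBAs they constrain. Realms govern SQL access; they do nothing against someone reading the datafiles from the operating system, which is the gap TDE covers.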
42Oracle Database Vault Reports
43Database Vault: Partner and ISV Strategy
- Product announcement: April 26, 2006, Collaborate 06
- Technology adoption strategy
- Target top 50 ISVs (technical ISVs)
- Target top compliance and risk management firms
44Oracle Audit Vault in beta
[Diagram: audit data flows from Oracle Application Server, Oracle RAC nodes and the Oracle Financials database, through firewalls, into Oracle Audit Vault; Oracle Identity Management provides audit activity identity resolution]
- Audit Vault Console
- Audit Policy Management
- Built-in Reports
- Business Intelligence
- Statistical Analysis
- Partition Management
- Graphs for Activity Visualization
- Archiving Policies
45Oracle Audit Vault
A Specialized Warehouse for Audit Data
- Consolidated audit solution
- Protected schema blocks the DBA from viewing audit data
- Separation of duty / defined roles
- Hardened configuration
- Support for multiple audit sources
- Common audit reports
- Audit policy / audit settings management
46Oracle Audit Vault
Protect, Consolidate, Detect, Monitor, Manage, Alert & Report
[Diagram (v1): Audit Collection, Audit Policy Mgmt, Audit Admin, Audit Archival Mgmt, Proactive Detection and Alerts, Audit Reports, Custom Reports, Audit Dashboard, Data Mining Analysis]
Collectors can be developed using the Audit Vault SDK
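What "proactive detection" over a consolidated audit store looks like in practice, as an added example that is not from the deck. The AUDIT_EVENTS table and its rows are constructed for illustration and are not Audit Vault's own schema; the column names follow DBA_AUDIT_TRAIL loosely.

```sql
-- Added example (not from the deck): detection queries over a consolidated
-- audit store. The table layout and the sample rows are constructed for
-- illustration and are not Audit Vault's own schema.
CREATE TABLE audit_events (
  event_time  TIMESTAMP,
  source_db   VARCHAR2(30),
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(30),
  client_host VARCHAR2(64),
  action_name VARCHAR2(30),
  obj_owner   VARCHAR2(30),
  obj_name    VARCHAR2(30),
  returncode  NUMBER          -- 0 = success; 1017 = invalid username/password
);

-- Constructed sample: normal app traffic, a late-night DBA session that reads
-- ledger data and then deletes from the audit trail, and a password-guessing run.
INSERT INTO audit_events VALUES (TIMESTAMP '2006-09-12 09:14:00', 'FINDB', 'APP',    'websvc', 'app01.corp',  'SELECT', 'APP', 'GL_LEDGER', 0);
INSERT INTO audit_events VALUES (TIMESTAMP '2006-09-12 23:41:00', 'FINDB', 'SYSTEM', 'jdoe',   'lap-17.corp', 'SELECT', 'APP', 'GL_LEDGER', 0);
INSERT INTO audit_events VALUES (TIMESTAMP '2006-09-12 23:42:00', 'FINDB', 'SYSTEM', 'jdoe',   'lap-17.corp', 'SELECT', 'SYS', 'AUD$',      0);
INSERT INTO audit_events VALUES (TIMESTAMP '2006-09-12 23:43:00', 'FINDB', 'SYSTEM', 'jdoe',   'lap-17.corp', 'DELETE', 'SYS', 'AUD$',      0);
INSERT INTO audit_events VALUES (TIMESTAMP '2006-09-13 02:00:00', 'HRDB',  'SCOTT',  'x',      '192.0.2.5',   'LOGON',  NULL,  NULL,     1017);
INSERT INTO audit_events VALUES (TIMESTAMP '2006-09-13 02:01:00', 'HRDB',  'SYSTEM', 'x',      '192.0.2.5',   'LOGON',  NULL,  NULL,     1017);
INSERT INTO audit_events VALUES (TIMESTAMP '2006-09-13 02:02:00', 'HRDB',  'HR',     'x',      '192.0.2.5',   'LOGON',  NULL,  NULL,     1017);
INSERT INTO audit_events VALUES (TIMESTAMP '2006-09-13 02:03:00', 'HRDB',  'OUTLN',  'x',      '192.0.2.5',   'LOGON',  NULL,  NULL,     1017);
INSERT INTO audit_events VALUES (TIMESTAMP '2006-09-13 02:04:00', 'HRDB',  'DBSNMP', 'x',      '192.0.2.5',   'LOGON',  NULL,  NULL,     1017);
COMMIT;

-- 1. Privileged accounts reading financial data outside the 07:00-19:00 window
SELECT event_time, source_db, db_user, os_user, client_host, obj_name
  FROM audit_events
 WHERE db_user IN ('SYS', 'SYSTEM')
   AND obj_owner = 'APP'
   AND TO_NUMBER(TO_CHAR(event_time, 'HH24')) NOT BETWEEN 7 AND 18;
-- -> the 23:41 SYSTEM read of GL_LEDGER from lap-17.corp

-- 2. Tampering with the audit trail itself: a DBA modifying SYS.AUD$ is the
--    event the protected Audit Vault schema exists to make impossible.
SELECT event_time, db_user, os_user, action_name
  FROM audit_events
 WHERE obj_owner = 'SYS' AND obj_name = 'AUD$'
   AND action_name IN ('DELETE', 'UPDATE', 'TRUNCATE');
-- -> the 23:43 DELETE

-- 3. Password guessing: five or more failed logons from one host within ten
--    minutes, across accounts (a per-user lockout threshold misses this).
SELECT client_host,
       COUNT(*)                AS failures,
       COUNT(DISTINCT db_user) AS accounts_tried,
       MIN(event_time)         AS first_seen,
       MAX(event_time)         AS last_seen
  FROM audit_events
 WHERE action_name = 'LOGON' AND returncode = 1017
 GROUP BY client_host
HAVING COUNT(*) >= 5
   AND MAX(event_time) - MIN(event_time) <= INTERVAL '10' MINUTE;
-- -> 192.0.2.5, 5 failures over 5 accounts
```

Queries 1 and 2 only have value if the DBA being watched cannot delete the rows they would match, which is the point of keeping the audit data in a store the DBA does not control.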
47Web Services Security Management
48Oracle Web Services Manager
- Provides a decentralized platform for deploying operating policies across apps and web services
- Layers best-practice security and management across all applications
- Does not require developers to modify applications or services
- Supports WS-* standards such as WS-Security, WS-Policy, etc.
- Tools for building and monitoring operating policies
- Agents and gateways for executing policies in real time
49Web Services Management
[Diagram: clients and SOA applications (on Oracle AS 10g, IBM, BEA, JBoss, MSFT .NET, custom and packaged apps, BPEL processes, legacy systems, databases) pass through the Web Services Management Gateway; the Management Console provides centralised monitoring and policy enforcement]
- Auditing
- Logging
- Tracing
- Security
- Billing
- Monitoring
- Performance Analysis
50Oracle WSM Components
- Policy Enforcement Points (PEP)
- Gateway
- Agent
- Server Components
- Policy Manager
- Monitor
- Console
[Diagram: the gateway and agents enforce policies distributed by the Policy Manager and report to the Monitor]
51Some Policy Steps
- WS-Security: Decrypt and Verify Signature, Sign Message, Sign Message and Encrypt, XML Decrypt, XML Encrypt
- Authorization: COREid Authorize, Active Directory Authorize, File Authorize, LDAP Authorize, SiteMinder Authorize
- Credential Management: Extract Credentials, Insert WSBASIC Credentials
- Transport-specific QoS: HTTP Messenger, MQ Messenger, JMS Messenger
- Authentication: Active Directory Authenticate, File Authenticate, LDAP Authenticate, LDAP Certificate Authenticate, COREid Authenticate, SiteMinder Authenticate, Verify Certificate, Verify Signature
- SAML: SAML Copy Token, SAML Insert Token, SAML Save Token, SAML Validate Token
- Others: Content-based routing, XML Transform, Logging, Data gathering (SLA, Metering)
52Oracle Enterprise Single Sign On
53Enterprise Sign-on Business Drivers
- Password Management
- Simplify the end user experience, reduce password-related help desk costs and enhance security by eliminating poor end user password management
- Identity Management
- Integrated enterprise sign-on is a key requirement, and often a first step, of a complete identity management solution
- Stronger Authentication
- Extending strong user authentication to enterprise applications is a key requirement of a strong authentication initiative
- Compliance
- Eliminate the hidden end user costs associated with compliance-driven initiatives
- Extend audit and reporting capabilities to include user sign-on data
54Oracle eSSO Suite
- Oracle eSSO Logon Manager
- Sign-on to any Windows, Web, host, mainframe or Java application
- No scripts, connectors or application modification
- Oracle eSSO Provisioning Gateway
- Provides an interface to Oracle Identity Manager to accept credentials and settings from the provisioning system
- User never knows or touches their application credentials
- Oracle eSSO Authentication Manager
- Supports multiple authenticators: smart card, biometric or token
- Adjusts SSO authorizations based on the grade of user authentication provided
- Oracle eSSO Kiosk Manager
- Monitors kiosk sessions and provides security controls for sessions left unattended
- Safe application termination and fast user switching
- Oracle eSSO Password Reset
- In-the-flow reset of the Windows password from the GINA prompt
- Confidence scoring allows errors instead of forcing a call to the helpdesk
55Oracle eSSO Suite Architecture
56Highlights of Functional Capabilities
- A suite of five products that
- Accepts user authentication from Windows logon with password, smart card, biometric, token or proximity device
- Users can reset their Windows password without calling the helpdesk
- Users can still access the system if they lose their smart card or token
- Responds to logon and password change events on all Windows, web, and mainframe/host applications with the correct credentials (id/password)
- No scripting, programming or integration
- Automatically shuts down inactive sessions and any open applications
- Credentials can be provisioned by end-user, administrator or provisioning system
- Automates and enforces compliance to policies
- password management and password selection
- account access and any associated strong authentication requirements
57Oracle eSSO Suite Pricing and Packaging
- Oracle is delivering 5 products in two product bundles
- Oracle eSSO Suite - 60 per user
- Oracle eSSO Logon Manager
- Oracle eSSO Password Reset
- Oracle eSSO Authentication Manager
- Oracle eSSO Provisioning Gateway
- Oracle eSSO Kiosk Manager
- Oracle eSSO Password Reset - 7 per user
- Sold separately to address the strong demand for desktop password reset
- Integrated with Oracle Identity Management, Oracle applications and other Oracle products
- OEM from Passlogix
- Leading vendor with over 2 million seats deployed
- Available in summer 2006
58Learn More
- Visit oracle.com/identity
- Webinars
- White Papers
- Buyers Guides
- Product Discussion Forums
- Software Downloads
- Identity Management Blogs
59Sample Customers
60Case Study: State of Minnesota HIPAA Compliance
- Business Challenge
- Minnesota's Department of Human Services (DHS): 30,000 medical providers and 80,000 users submit electronic claims. These must be secured to comply with federal HIPAA regulations. Management overhead of all users is tremendous as providers and users change regularly.
- Solution
- State of Minnesota selected Oracle COREid Access and Identity to secure access to the claims submission portal, using its audit and log capabilities
- Results
- Medical claims are secure and processed more quickly
- State of Minnesota is HIPAA compliant
61PCASSO Project uses OLS
Patient Centered Access to Secure Systems Online
- SAIC and UCSD: patients and health care providers access patients' complete medical records over the Internet
- 178,000 patients
- "In defining those levels, we needed to separately protect highly sensitive information that, by law, requires special protection. Label-based access control is ideal for this purpose" - Dixie Baker, corporate VP of technology and CTO for SAIC's healthcare practice
62Southwest Airlines and Boeing: Lower Document Access Costs
- Business Challenge
- Wanted to obtain engineering drawings, blueprints, color coding reports and other technical documents from the manufacturer via the Web
- Increase efficiency
- Reduce the business costs of transactions with the aircraft manufacturers
- Oracle solution
- Oracle COREid Access and Identity and COREid Federation
- 1st in the airline industry to implement SAML
- Results
- Oracle COREid solution saves Southwest 30/month per employee; with 40k users, a total of 1.2 million per month
- Also reduced equipment idle time, at 15,000 per hour
63General Motors: Lower Operational Costs
- Business Challenge
- Provide secure access to its supplier network: 53,000 external suppliers and 17,000 employees access inventory and production schedules, while reducing administrative burden. Solution must integrate with the existing access control system (Tivoli).
- Oracle Solution
- GM deployed Oracle COREid Access and Identity using delegated administration and group management features, delegating the administration of users to individual suppliers.
- Results
- Accelerated production schedules
- Secure supplier network
- Cost reduction through delegated administration
- Selected as the identity management standard at GM
64VPD/OLS Live Customers
- Ford (VPD)
- Vendor Managed Inventory for suppliers
- Schlumberger (OLS)
- National Data Repositories for Oil and Gas
- Data separation at Dept. levels
- Consolidation while maintaining security
- Lowered operating costs
- Oracle Sales Online / Oracle Hosting Manager
- Subscriber ID for hosting
- Saved on person-hours, hardware, DBAs
65A