Oracle Security Solutions Identity Management and Database Security 13, September 2006 Sofia, Bulgar

1
Oracle Security SolutionsIdentity Management and
Database Security 13, September 2006Sofia,
Bulgaria

• Patrick McLaughlin
• Director Security
• EMEA Technology Solutions
• patrick.mclaughlin_at_oracle.com

2
Agenda

• Oracle security solutions
• Identity and Access management solution
• Enterprise single sign on
• Database security solutions
• including 10g Release 2 security enhancements
• Oracle web services management solution
• Sample security solution customers
• QA

3
Oracle Security Solutions
4
(No Transcript)
5
Identity and Access Management

• Including Provisioning and Federation

6
Oracle Internet Directory

• Scalable
• Highly available
• Easily managed
• Secure
• Extensible

LDAP Clients
Oracle Internet Directory Server
Directory Admin Console
Oracle Database
7
Virtual Directory Drivers

• Applications need user profile information for
  personalization and authorization management
• Challenge
• Information about the same identity is
  distributed across a large number of stores
  LDAP, RDBMS, AD, etc.
• Applications dont have a uniform mechanism for
  accessing this information
• This creates a many-to-many relationship that is
  difficult to administer opening a security risk
• Virtual directories join different aspects of
  identity into a single object
• Single point of administration
• Multiple protocols in and out

8
Oracle Virtual Directory

• Oracle Virtual Directory
• Real-time consolidation
• Technology abstraction
• Complexity reduction

Customers
Partners
Protects Directory Investments Single Identity
View
9
Virtual Directory - Structure
Service Listener Protocols
WEB SERVICES
WEB GATEWAY
LDAP
WEB GATEWAY
Data Transformation,Mapping, Routing,Security,
Audit
VDE DIRECTORY ENGINE
JOIN VIEW
Custom Adapter
Local Store
Data Adapters
NT
LDAP
DB
10
Financial Services Firm

• Problem
• Existing SOA Provides Access to Aggregated ID
  Attributes - But Only Using Custom Web Service
• Solution
• Provide LDAP Access to Custom Service
• Benefit
• Create Unified Service
• Reduce Operational Cost
• Eliminate Retrofitting of Applications.

11
Access Manager

• Benefits
• Centralized and Consistent security across
  heterogeneous environments
• Reduced administration cost
• Improved end user experience
• Better compliance
• Features
• Common policy management
• Multi-level, multi-factor auth mgmt
• Self-service and password administration
• Delegated administration
• Workflow engine
• Web Services interfaces

Authentication
Authorization
Identity Admin
12

• Web Single Sign On and Access Control
• User, Group, and Organisation Management
• Workflow and User Provisioning
• Reporting and Auditing
• Password Management

13
Oracle Access Manager building blocks
14
Partnerships for Seamless Integrations
Portals
HTTP(s)
Single Sign-on to multiple resources
Packaged E-Business Applications
Web Server
Application Servers
COREid Access Server
Mainframe Systems
COREid Mainframe Security Connector for OS/390
RACF, ACF-2, TSS
LDAP
15
IDM

• Provisioning

16
Definition of Provisioning

• Managing user accounts and user profiles across
  the IT environment via a combination of user
  roles and business rules
• All account updates managed centrally
• Change requests are done via self-service, an
  administrator or an HR system update
• Adapters to manage accounts within enterprise
  systems such as CRM, ERP, e-mail, DB, OS, VPN,
  PBX, etc
• Centralizes tracking and auditing of who has
  access to what at any given time

17
The Identity Provisioning Problem

• It takes too long to get people access to the IT
  resources that they need.
• With people changing jobs so often, its hard to
  keep track of who has access to what.
• How do we know that when people leave the
  company, they cant still use our systems?
• It takes an enormous cost and effort to do what
  our auditors want on a continuous basis, and
  were not even sure that what were telling them
  is right!
• Our users cant keep track of all their IDs and
  passwords, and we cant either.
• Its getting worse

18
Business Drivers

• Security Risks
• Risk of role accumulation, and ghost or orphan
  accounts
• No systematic control of the identity management
  life-cycle
• No commonality across policies applied
  heterogeneous resource base
• No knowledge of who has what
• Costs Complexity
• Costly manual user administration as user
  resource base grows
• Poor IT service levels to end users
• Increasing application development maintenance
  costs
• Lost productivity due to inefficiency

• Compliance Requirements
• Regulatory (SOX, privacy regulations, 21 CFR Part
  11, GLB, HIPAA)
• Segregation of duties and other internal control
  policies
• CxO liability arising from non-compliance
• Massive, recurring cost to ensure nominal
  compliance

19
What Does Oracle Identity Management Do?
20
Functional Architecture
Key Features

• Reconciliation with multiple trusted sources
• Intelligent user profile definition
• Delegated administration
• Role rule-based determination of access
  privileges
• Supports workflow
• Ease of integration with Adapter Factory
• Extensive reporting, analysis and auditing
  capabilities

21
Provisioning AdaptorsCovering 30 key targets

• Directory Servers
• IBM, AD, Sun, OID, eDirectory, Open LDAP
• Database Servers
• Oracle, SQLServer, DB/2, MySQL, Sybase
• Presentation Servers
• Weblogic Portal
• Operating Systems
• AIX, Netware, Windows, Solaris, Linux

• Applications
• Peoplesoft, SAP, Siebel, Oracle Ebiz
• Email/Collaboration
• Domino, Exchange, Groupwise
• Security Managers
• Top Secret, RACF, Secure ACS, SecureID, ACF2,
  Control SA, Cleartrust

22
Competitive Differentiation

• Scalability
• Users 140,000 (Accenture)
• Resources 600 (Lehman Brothers)
• Complexity 43,000 Security Groups (Goldman
  Sachs)
• Time-to-Deployment Four Months (Nextel Phase I)
• Flexibility
• Workflow Abstraction (Approval vs. Provisioning)
• Process decomposed into discrete tasks
• Policy-based fine-grained provisioning,
  de-provisioning, and denial
• Fundamental design philosophy of Configure,
  dont Customize
• Manageability
• State Management
• ID Link (Identity Correlation Engine)
• Reconciliation Engine
• Deployment and Change Control tools

23
IDM

• Federation

24
Secure Federation

• Benefits
• Secure integration with partners
• Reduce administration cost
• Deliver improved end user experience
• Features
• Seamless SSO and Identity Sharing across business
  partners
• Multi-protocol gateway SAML, Liberty,
  WS-Federation
• Available as Service Provider (Hub) or Identity
  Provider (Spoke) packages
• Flexible deployment configurations
• Integrated with Oracle Identity
• Standalone for use with pre-existing web-access
  management solution
• Protocol SDK for custom applications

25
Federated Identity Principles

• Multiple authorities in a trust network
• Each owns their customers and employees
• Each owns their infrastructure
• Each issues their own credentials
• Each can decide whether to accept credentials
  from other authorities/domains
• Avoids duplicated management of identity
  information in multiple domains
• Keep responsibility in each owning domain
• Can scale up to any size of service oriented
  grid
• Open standards based

26
Existing Database Security options

• Virtual Private Database,
• Label Security
• and Oracle Advanced Security

27
Oracle Advanced Security

• Strong authentication with 3rd party industry
  leaders
• Kerberos, CyberSafe, DCE
• Smart cards, token cards (SecurID), biometrics
• Industry-standard RADIUS allows authentication
  vendors to integrate solution
• Smart cards, fingerprints, voice, etc.
• Strong authentication within a PKI
• X.509v3 certificates
• Can use Hardware Security Module at Server
• Encrypted traffic from DB to user or to app server

28
Transparent Data Encryption part of Oracle
Advanced Security 10gR2
Application

• Transparent Data Encryption
• Includes Key Management
• Transparent to applications
• Helps Address Privacy and Regulatory compliance
• Store Username and Password in Wallet
• Protect username and password on command line for
  batch jobs
• SmartCard integration for SSL
• Support existing certificates on smartcards

ASO Network Encryption
Data Written To Disk Encrypted
Data Decrypted Through SQL Interface
Data Encrypted On Backup Files
29
Centralized Identity Management Enterprise
User Security
Store users, passwords roles, and schema mappings
Oracle Internet Directory
Authentication
Authorizations
Proxy Authentication
9iAS Portal
30
Oracle Label Security

• Based on VPD, grew out of accredited consulting
  work and over seven years of MLS efforts
• Off-the-shelf label based RLS system
• GUI for administration
• No coding required

Row Label
Confidential Public Confidential High
Sens Confidential High Sens
Oncology Oncology Radiology Lab
Radiology X-ray
Patient PCP,SCP Research Patient
Admin PCP, ER
Data Rows
Levels
Groups
Compartments
31
Database Security

• Latest features (10g Release 2)

32
Oracle Secure Backup - new standalone product

• Oracle Secure Backup is ideal for customers
  seeking a low cost alternative to complex backup
  products
• Best integrated end-to-end backup of Oracle
  Databases
• Media manger for RMAN backup and recovery of
  Oracle9i and 10g databases to tape
• Fastest Database Backup on the market
• Backup Oracle Home, App Server and other file
  systems
• Oracle Secure Backup includes
• Centralized management of network backups
• Scalability to low 100s of servers, 10s of
  millions of files
• Easy management through Enterprise Manager
• Encryption of backed-up data

File Systems
Linux, Unix Windows, Filers
Databases
RMAN
Oracle Backup
Supports popular tape libraries drives
33
Customers Recognize Need

• This is the most innovative security capability
  Oracle has ever provided
  
• Large defense supplier
• This is exactly what we need for SOX compliance
  
• 
  Healthcare company
• We need this product now..it will helps us meet
  our separation of duty reqmt. for compliance
• 
  Retail customer
• This is a historical event in the intelligence
  world for information sharing..this eliminates
  many of the risks for information consolidation
• 
  Federal Intelligence Customer

34
Database VaultBusiness Problem

• Internal threats require enforcement of
  operational security policies - who, what, when
  and where can data be accessed?
• Database consolidation can result in Multiple All
  Powerful (DBA) users in the database
• Regulations Strong Internal Controls and
  Separation of Duty (such as Sarbanes-Oxley and
  Basel II etc)

35
Oracle Database Vault
Realms
Multi Factor Authorization
Reports
Command Rules
Separation of Duty
35
36
Command Rule Flexibility
Alter Database Alter Database Alter
Function Audit Alter Package Body Alter
Procedure Alter Profile Alter Session Alter
System Alter Synonym Alter Table Alter
Trigger Alter User Password Alter
Tablespace Alter View Change Password Connect Com
ment Create Function Create Index Create
Package Create Database Link Create
Procedure Create Role Create Package Body Create
User Create View Create Table Grant Insert Noa
udit Rename Lock Table Create
Tablespace Create Trigger Truncate
Table Update Insert Delete Execute Select
37
Built-In Factors
Additional factors can be defined
38
Oracle Advanced Security Integration

• Realms work transparently with Transparent Data
  Encryption

Data automatically encrypted through SQL
Data automatically decrypted through SQL
Realm
Realm
Realm
Sensitive Data Encrypted On Backup Files

• Transparent Data Encryption works with RMAN to
  encrypt backups written to disk

Oracle Advanced Security With RMAN Can
Encrypt Backups Sent to Disk
Realm
Realm
Realm
39
Oracle Label SecurityIntegration
Factor Intranet Access
FactorExternal
Headquarters
Highly Sensitive
Sensitive
Public
Oracle Label Security Restricts Access To Labeled
Data Based On Database Vault Factors
40
Oracle Database Vault Realms and Rules
Realms can be easily applied to existing
applications with minimal performance impact
40
41
Oracle Database Vault Factors and Command Rules
41
42
Oracle Database Vault Reports
43
Database VaultPartner and ISV Strategy

• Product Announcement April 26, 2006 Collaborate
  06
• Technology Adoption Strategy
• Target TOP 50 ISVs
• Target TOP Compliance and Risk Mgmt Firms

Compliance
Technical ISVs
44
Oracle Audit Vault in beta
Oracle Application Server
Oracle RAC Nodes
Firewall
Firewall
Oracle Financials Database

• Audit Vault Console
• Audit Policy Management
• Built-in Reports
• Business Intelligence
• Statistical Analysis
• Partition Management
• Graphs for Activity Visualization
• Archiving Policies

Firewall
Audit Data
Oracle Identity Management
(Audit Activity Identity Resolution)
Audit Data
Audit Data
Oracle Audit Vault
45
Oracle Audit Vault
A Specialized Warehouse for Audit Data

• Consolidated audit solution
• Protected schema blocks DBA from viewing audit
  data
• Separation of duty / defined roles
• Hardened configuration
• Support for multiple audit sources
• Common Audit reports
• Audit policy / Audit Settings management

46
Oracle Audit Vault
Protect, Consolidate, Detect, Monitor, Manage,
Alert Report
Audit Archival Mgmt
Proactive Detection and Alerts
Audit Reports
Audit Dashboard
Audit Collection
Audit Policy Mgmt
Data Mining Analysis
Audit Admin
Custom Reports
v1
Collectors can be developed using the Audit
Vault SDK
47
Web Services Security Management
48
Oracle Web Services Manager

• Provides a decentralized platform for deploying
  operating policies across apps and web services
• Layers best-practice security and management
  across all applications
• Does not require developers to modify
  applications or services
• Supports WS- standards such as WS-Security,
  WS-Policy, etc.
• Tools for building and monitoring operating
  policies
• Agents and gateways for executing policies in
  real time

49
Web Services Management
SOA App
Centralised Monitoring Policy Enforcement
Databases
Oracle AS 10g
Web Services Management Gateway
BPEL Processes
SOA App
Clients
IBM, BEA, JBOSS

• Auditing
• Logging
• Tracing
• Security
• Billing
• Monitoring
• PerformanceAnalysis

Legacy Systems
SOA App
MSFT.NET
Custom Apps
Management Console
Packaged Apps
50
Oracle WSM Components
Gateway

• Policy Enforcement Points (PEP)
• Gateway
• Agent
• Server Components
• Policy Manager
• Monitor
• Console

Agent
Agent
Policy Manager
Monitor
51
Some Policy Steps
WS-Security Decrypt and Verify Signature Sign
Message Sign Message and Encrypt XML Decrypt XML
Encrypt
Authorization COREid Authorize Active Directory
Authorize File Authorize LDAP Authorize SiteMinder
Authorize
Credential Management Extract Credentials Insert
WSBASIC Credentials
Transport-specific QoS HTTP Messenger MQ
Messenger JMS Messenger
Authentication Active Directory Authenticate File
Authenticate LDAP Authenticate LDAP Certificate
Authenticate COREid Authenticate SiteMinder
Authenticate Verify Certificate Verify Signature
SAML SAML Copy Token SAML Insert Token SAML Save
Token SAML Validate Token
Others Content-based routing XML
Transform Logging Data gathering (SLA, Metering)
52
Oracle Enterprise Single Sign On

• (Passlogix)

53
Enterprise Sign-on Business Drivers

• Password Management
• Simplify the end user experience, reduce password
  related help desk costs and enhance security by
  eliminating poor end user password management
• Identity Management
• Integrated enterprise sign-on is a key
  requirement, and often a first step, of a
  complete identity management solution
• Stronger Authentication
• Extending strong user authentication to
  enterprise applications is a key requirement of a
  strong authentication initiative
• Compliance
• Eliminate the hidden end user costs associated
  with compliance driven initiatives
• Extend audit and reporting capabilities to
  include user sign-on data

54
Oracle eSSO Suite

• Oracle eSSO Logon Manager
• Sign-on to any Windows, Web, host, mainframe or
  Java application
• No scripts, connectors or application
  modification
• Oracle eSSO Provisioning Gateway
• Provides interface to Oracle Identity Manager to
  accept credentials and settings from the
  provisioning system
• User never knows or touches their application
  credentials
• Oracle eSSO Authentication Manager
• Support multiple authenticators smart card,
  biometric or token
• Adjust SSO authorizations based on grade of
  provided user authentication
• Oracle eSSO Kiosk Manager
• Monitor kiosk sessions and provide security
  controls for sessions left unattended
• Safe application termination and fast user
  switching
• Oracle eSSO Password Reset
• In-the-flow reset for Windows password from GINA
  prompt
• Confidence scoring allows errors instead of
  forcing call to helpdesk

55
Oracle eSSO Suite Architecture
56
Highlights of Functional Capabilities

• A suite of five products that
• Accepts user authentication from Windows logon
  with password, smart card, biometric, token or
  proximity device
• Users can reset their Windows password without
  calling the helpdesk
• Users can still access system if they lose their
  smart card or token
• Responds to logon and password change events on
  all Windows, web, and mainframe/host applications
  with the correct credentials (id/password)
• No scripting, programming or integration
• Automatically shuts down inactive sessions and
  any open applications
• Credentials can be provisioned by end-user,
  administrator or provisioning system
• Automates and enforces compliance to policies
• password management and password selection
• account access and any associated strong
  authentication requirements

57
Oracle eSSO Suite Pricing and Packaging

• Oracle delivering 5 products in two product
  bundles
• Oracle eSSO Suite - 60 per user
• Oracle eSSO Logon Manager
• Oracle eSSO Password Reset
• Oracle eSSO Authentication Manager
• Oracle eSSO Provisioning Gateway
• Oracle eSSO Kiosk Manager
• Oracle eSSO Password Reset - 7 per user
• Sold separately to address the strong demand for
  desktop password reset
• Integrated with Oracle Identity Management,
  Oracle applications and other Oracle products
• OEM from Passlogix
• Leading vendor with over 2 million seats deployed
• Available in summer 2006

58
Learn More

• Visit oracle.com/identity
• Webinars
• White Papers
• Buyers Guides
• Product Discussion Forums
• Software Downloads
• Identity Management Blogs

59
Sample Customers
60
Case Study State of Minnesota HIPAA Compliance

• Business Challenge
• Minnesotas Department of Human Services (DHS)
  30,000 medical providers and 80,000 users submit
  electronic claims. These must be secured to
  comply with federal HIPAA regulations.
  Management overhead of all users is tremendous as
  providers and users change regularly
• Solution
• State of Minnesota selected Oracle COREid Access
  and Identity to secure access claims submission
  portal, using audit and log capabilities
• Results
• Medical claims are secure and processed more
  quickly
• State of Minnesota is HIPAA compliant

61
PCASSO Project uses OLS
Patient Centered Access to Secure Systems Online

• SAIC and UCSD Patient and health care providers
  access patients complete medical records over
  the Internet
• 178,000 patients
• In defining those levels, we needed to
  separately protect highly sensitive information
  that by law- requires special protection.
  Label-based access control is ideal for this
  purpose
• Dixie Baker, corporate VP of technology and CTO
  for SAICs healthcare practice

62
Southwest Airlines Boeing Lower Document Access
Costs

• Business Challenge
• Wanted to obtain engineering drawings,
  blueprints, color coding reports and other
  technical documents from the manufacturer via the
  Web
• Increase efficiency
• Reduce the business costs of transactions with
  the aircraft manufacturers
• Oracle solution
• Oracle COREid Access and Identity and COREid
  Federation
• 1st in airline industry to implement SAML
• Results
• Oracle COREid solution saves Southwest 30/month
  per employee 40k users for a total of 1.2
  million per month.
• Also reduced equipment idle time at 15,000 per
  hour

63
General MotorsLower Operational Costs

• Business Challenge
• Provide secure access to its supplier
  network53,000 external suppliers and 17,000
  employees to access inventory and production
  schedules while reducing administrative burden.
  Solution must integrate with the existing access
  control system (Tivoli).
• Oracle Solution
• GM deployed Oracle COREid Access and Identity
  using delegated administration and group
  management features, delegating the
  administration of users to individuals suppliers.
  
• Results
• Accelerated production schedules
• Secure supplier network
• Cost reduction through delegated administration
• Selected as the identity management standard at GM

64
VPD/OLS Live Customers

• Ford (VPD)
• Vendor Managed Inventory for suppliers
• Schlumberger (OLS)
• National Data Repositories for Oil and Gas
• Data separation at Dept. levels
• Consolidation while maintaining security
• Lowered operating costs
• Oracle Sales Online / Oracle Hosting Manager
• Subscriber ID for hosting
• Saved on person-hours, hardware, DBAs

65
A