
Oracle Security & Identity Management July 20, 2005


Presentation Transcript


  1. Oracle Security & Identity Management July 20, 2005 Gary Quarles Sr. Solutions Architect Columbus, OH 614-280-6500 gary.quarles@oracle.com Rafael Torres Sr. Solutions Architect Cincinnati, OH 513-768-6856 rafael.torres@oracle.com

  2. Agenda • 9am-10:15am • Identity Management • OID, User Provisioning, Directory Integration, Proxy Authentication • Virtual Private Database • Securing Data Access • Secure Application Roles • BREAK (15 mins)

  3. Agenda (cont'd) • 10:30am-11:45am • Label Security • Fine Grained Auditing • Stored Data Encryption • Detecting Security Breaches • Data Privacy Compliance • Network Encryption • User Security • Oblix Roadmap • 11:45am-1pm – Buffet Luncheon • 1pm-1:15pm – Raffle

  4. Security Legislation • Sarbanes-Oxley • Everyone • Financial statements contain no errors • Gramm-Leach-Bliley • Fin Services, Healthcare • Ensure privacy, security, confidentiality • California’s Breach Disclosure Law • Anyone with customers in California • Audit breach of PII, notify those affected • Safe Harbor • Anyone doing business in Europe • Reasonable steps to secure from unauthorized access

  5. Data Privacy Concerns • Customer information • protecting customer personally identifiable information (PII) • Employee information • majority of privacy regulations provide equal or greater rights of privacy to employees • Third Party information • protecting PII of third persons provided to you by customers or employees

  6. Data Privacy Compliance • 25% technical • 75% policy and procedures • www.oracle.com/consulting

  7. The Expert View “90% detected computer security breaches in the past year.” “80% acknowledged financial losses due to computer breaches.” - CSI/FBI Computer Crime and Security Survey

  8. “If you spend more on coffee than on IT security, then you will be hacked…what's more, you deserve to be hacked!” - Richard Clarke, Special Advisor to the President, Cyberspace Security

  9. State of Security – United States • 90% of respondents* detected computer security breaches within the last twelve months. • 80% of respondents acknowledged financial losses due to computer breaches. • $455,848,000 in quantifiable losses • $170,827,000 theft of proprietary information • $115,753,000 in financial fraud • 74% cited their Internet connection as a frequent point of attack • 33% cited internal systems as a frequent point of attack * Source: CSI/FBI Computer Crime and Security Survey

  10. Why Oracle for Security and Identity Management? • 25+ year history • First Oracle customer was a government customer • Information Assurance • 17 independent security evaluations over past decade • Substantial financial commitment to independent security evaluations • More evaluations than any other major database vendor • Culture of security at Oracle • Robust security features and Identity Management Infrastructure • Row level security • Fine Grained Auditing • Integrated database security and identity management • Web Single Sign-on, Oracle Internet Directory • Strong authentication

  11. Oracle Database = 25+ years of security leadership (timeline, 1977 to 2004) • 1977: first government customer • 1992: Trusted Oracle7 Multilevel Secure Database • 1993: first Orange Book B1 evaluation • Oracle Advanced Security introduced: Network Encryption, RADIUS Authentication, Support for PKI, Kerberos framework, Database Encryption API • Oracle Internet Directory, Enterprise User Security • 1998: Virtual Private Database • 2000: Oracle Label Security • Oracle9iAS Single Sign-On, Oracle9iAS JAAS • Common Criteria (EAL4) • Fine Grained Auditing • Identity Mgmt Release • Security Evaluation #17 • Column Security Policies • Label Security + ID Mgmt (2004)

  12. Oracle Application Server 10g

  13. Identity Management

  14. Identity Management • process by which the complete security lifecycle for users and other entities is managed for an organization or community of organizations. • management of an organization's application users, where steps in the security lifecycle include account creation, suspension, privilege modification, and account deletion.

  15. Identity Management Components

  16. The Identity Challenge [diagram: end users connect to four separate applications; each application has its own directory server or database holding user credentials for authentication and authorization, and its own administrators] • Redundant, silo'd application development • Non-uniform access policies • Orphan accounts • Audit/Log information fragmented

  17. Bring Order to Chaos with Identity [diagram: end users connect to the same four applications, which now share one store of user credentials for authentication and authorization and one set of administrators] • Centralized, policy-based management of access & authorization • Faster development and deployment • Centralized audit and logging

  18. Oracle ID Mgmt: Typical Deployments • Enterprise provisioning • Heterogeneous integration • Telco provisioning • Scalability & HA • Enterprise Portal • Single Sign-on, administrative delegation • Government R&D Organization, Corporate Conglomerates • Centralized Identities with autonomous administration of departmental applications • Multi-hosting with delegated subscriber admin • Multiple identity realms in one physical infrastructure + HA

  19. Platform Security Architecture [diagram, top to bottom] • Application Security: BPEL Process Manager, BI, Portal, ADF; E-Business Suite; Collaboration Suite; ISV & Custom Applications (annotated with responsibilities and roles; secure mail and interpersonal grants; authorization, privacy and audit; roles and privilege groups) • Oracle Platform Security: Oracle Application Server (JAAS, JACC, WS-Security, …) and Oracle Database (enterprise users, VPD, Label Security, encryption, audit) • Oracle Identity Management: Access Management (RBAC & Web Authorization, SSO & Identity Federation), Provisioning Services (Provisioning & Delegated Administration, Public Key Infrastructure), Directory Services (Oracle Internet Directory, Directory Integration) • External Security Services

  20. Internet Directory • Scalability • Millions of users • 1000's of simultaneous clients • High availability • Multimaster & Fan-out replication • Hot backup/recovery, RAC, etc. • Manageability • Grid Control multi-node monitoring • Security • Comprehensive password policies • Role & policy based access control • Auditability • Extensibility & Virtualization • Plug-in Framework • Attribute and namespace virtualization • External authentication • Custom password policies [diagram: LDAP clients and the Directory Admin Console talk to the OID server, which stores its data in an Oracle Database]

  21. Directory Integration [diagram: the Directory Integration Service connects Oracle Internet Directory, through connectors, to external directories and sources: SunONE, Active Directory, OpenLDAP, eDirectory, Oracle HR and other Oracle databases]

  22. Provisioning Integration [diagram: the Oracle Provisioning Integration Service, built on OID with an event notification engine and a policy & workflow engine, drives provisioning connectors to Portal, eMail, ERP/CRM and partner provisioning systems; inputs come from Corporate HR (employee enrollment), helpdesk admins, Portal and eMail admins, and end-user self-service for passwords and preferences]

  23. Single Sign-On [diagram: in an OracleAS-enabled environment, OracleAS Single Sign-On with OID fronts Portal, eMail and ERP/CRM; authentication options include PKI, password, Win2K native authentication, RSA SecurID and BioKey; partner SSO products (Netegrity, RSA, Oblix) and Federation/Liberty extend it to partner-SSO-enabled environments and the extranet] • Integrates Oracle and partner-SSO enabled apps • Transparent access to DB tier, 3rd party web apps • Multiple authentication options • Different auth modes to match application security levels

  24. Demonstration IdM: SSO

  25. SSO Benefits • 1) Tightly integrated with the Oracle product stack • 2) Easy to deploy, part of Oracle Identity Management • 3) Supports PKI authentication with industry standard X.509v3 certificates • 4) Accepts Microsoft Kerberos tokens for easy authentication in a Windows environment • 5) Integrated with Oracle Certificate Authority (OCA) for easy provisioning of X.509v3 certificates using OCA

  26. Oracle Internet Directory Certificate Authority • Solution for strong authentication / PKI • Easy provisioning of X.509v3 digital certificates for end users • Web based certificate management and administration • Seamless integration with Oracle Application Server Single Sign-On & OID [diagram: the user authenticates through Oracle Single Sign-On; the Oracle Certificate Authority and its metadata repository run in a secure IT facility]

  27. Future support • SAML (Security Assertion Markup Language) • facilitates interoperation and federation among security services. • SPML (Service Provisioning Markup Language) • XML standard that facilitates integration among provisioning environments by defining the protocol for interaction between provisioning service components and agents representing provisioned services. • DSML (Directory Services Markup Language) • XML standard for exchanging directory data as well as invoking directory operations over the Internet.

  28. Future support (con’t) • XKMS • XML Key Management Specification. It is intended to simplify deployment of PKI in a web services environment. • WS-Security • defines a set of SOAP extensions that can be used to provide message confidentiality, message integrity, and secure token propagation between Web Services and their clients • Liberty Alliance standards define the framework and protocol for network identity based interactions among users and services within a federated identity management environment.

  29. Delegated Administration Services • Admin console w/ role-based customization • User / group management • End-user vs Admin views • Admin delegation • End-user self-service • Self service provisioning • Set preferences, Org-chart • Password reset • Embeddable admin components • For integration with Apps • Extensively configurable • Accommodate new applications • Customize UI views

  30. Demonstration IdM: Delegated Admin Svs

  31. Delegated Admin Benefits • 1) Enables self service administration of passwords and password resets • 2) Enables administrative granularity of Identity Management components • 3) Centralized provisioning for web SSO and enterprise user database access • 4) Supports password or PKI based authentication • 5) Self service password management without the intervention of an administrator • 6) Allows delegated administrators, such as non-technical managers, to create and manage both users and groups • 7) Allows users to search parts of the directory to which they have access

  32. Grid Computing: End-to-End Security [diagram: the client authenticates to the application server (application grid); the application server authenticates the user against OID (identities, roles & authorizations), retrieves the user's authorizations, and securely proxies the user's identity to the RDBMS (data grid), connecting the user to the application schema]

  33. AS10g r2 New 3-tier features • Proxy authentication, including credential proxy of X.509 certificates or Distinguished Names (DN) to the Oracle Database • Support for Type 2 JDBC driver, connection pooling for ‘application users’ (Type 2 and Type 4 JDBC Drivers, OCI) • Integration with Oracle Identity Management for Enterprise Users (EUS).
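The proxy-authentication feature on this slide is the piece that lets a pooled middle-tier account act for a named end user without holding that user's password. The SQL below is an added example, not from the slides or from any Oracle sample; the account names APP_POOL, JSMITH and HR_READER and the pool password are assumptions.

```sql
-- Added example (not from the slides): proxy authentication so that the
-- application server's pool account acts on behalf of an end user while
-- the database still sees the real identity. APP_POOL, JSMITH, HR_READER
-- and the placeholder password are assumptions for illustration.

-- The pool account owns nothing and can only open sessions.
CREATE USER app_pool IDENTIFIED BY "pool_pw_change_me";
GRANT CREATE SESSION TO app_pool;

-- Allow APP_POOL to open a session AS jsmith, restricted to the
-- HR_READER role (not everything jsmith could otherwise enable).
ALTER USER jsmith GRANT CONNECT THROUGH app_pool WITH ROLE hr_reader;

-- Variants for the slide's "credential proxy of X.509 / DN": the middle
-- tier must hand over the user's certificate or DN, not just a name.
-- ALTER USER jsmith GRANT CONNECT THROUGH app_pool AUTHENTICATED USING CERTIFICATE;
-- ALTER USER jsmith GRANT CONNECT THROUGH app_pool AUTHENTICATED USING DISTINGUISHED NAME;

-- Inside a proxied session both identities are visible, which is what
-- lets VPD policies and auditing key on the end user rather than the pool.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS end_user,    -- JSMITH
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS middle_tier  -- APP_POOL
  FROM dual;

-- Periodic review of who may impersonate whom (run as a DBA).
SELECT proxy, client, authentication, authorization_constraint, role
  FROM dba_proxies
 ORDER BY proxy, client;

-- Record every SELECT the pool performs on behalf of any user.
AUDIT SELECT TABLE BY app_pool ON BEHALF OF ANY;
```

On the Java side the pooled OracleConnection opens the proxied session with openProxySession(OracleConnection.PROXYTYPE_USER_NAME, props) where props carries OracleConnection.PROXY_USER_NAME; the point to check in review is that the WITH ROLE clause is present, because without it the proxied session gets all of the end user's default roles.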

  34. Demonstration User Security

  35. User Security Benefits • 1) Enables centralized management of traditional application users in Oracle Identity Management • 2) Oracle Identity Management directory integration services can be used for bi-directional synchronization with existing Identity Management infrastructures (AD, SunOne/iPlanet, Netscape) • 3) Optionally map users to shared schemas or retain individual account mappings in the database for complete application transparency • 4) Optionally manage database roles in the Oracle Identity Management infrastructure • 5) Optionally can be used with Oracle Label Security to maintain security clearances in Oracle Identity Management

  36. Oracle IT: Before ID Mgmt [diagram: numerous IDs/passwords and sign-ons; every system keeps its own IDs, passwords, profiles and preferences: intranet web apps, HR, Oracle Files, E-Business Apps, My.oracle.com, Web Conferencing, Web Mail/Calendar, Global Mail and Calendar on the corporate network; Oracle Technology Network with self-registered TechNet users in the DMZ; partners/suppliers on the extranet]

  37. Oracle IT: After ID Mgmt [diagram: the same systems across the corporate network, DMZ and extranet now authenticate through one Oracle IdM infrastructure: a single ID/password & SSO for employees, self-registered TechNet users, and partners/suppliers]

  38. Oracle IdM Summary • Oracle Identity Management is a complete infrastructure providing • directory services • directory synchronization • user provisioning • delegated administration • web single sign-on • and an X.509v3 certificate authority. • Oracle Identity Management is designed to provide ready, out-of-the-box deployment for Oracle applications, as well as serve as a general-purpose identity management infrastructure for the enterprise and beyond.

  39. Break 15 minutes

  40. Privacy & Access Control

  41. Oracle9i/10g Secure Application Role • CREATE ROLE SAR identified using SCHEMA_USER.PACKAGE_NAME; [diagram: User A reaches the Oracle9i/10g database from the HR application, the Financials application and ad-hoc reports over JDBC / Net8 / ODBC] • Secure application role is a role enabled by security code • Application asks database to enable role (can be called transparently) • Security code performs desired validation before setting role (privileges)

  42. Secure Application Role Benefits • Security policy can check anything: time of day, day of week, IP address/domain, local or remote connection, whether the user connected through the application, X.509 data, etc. • Database controls whether privileges are enabled • Multiple applications can access database securely • Allows secure handshake between applications and database
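Slides 41 and 42 describe the mechanism without showing the gate package. The following is an added example of one, not from the slides or Oracle's documentation; the SEC_MGR schema, the HR_APP_ROLE role, the HR.EMPLOYEES table, the APP_USER account and the 10.1.5.x application-tier subnet are assumptions.

```sql
-- Added example (not from the slides): a secure application role that is
-- enabled only when the gate package's checks pass. SEC_MGR, HR_APP_ROLE,
-- HR.EMPLOYEES, APP_USER and the 10.1.5.% subnet are assumptions.

-- 1. The role holds the privileges and is bound to a package: it cannot
--    be enabled with SET ROLE from SQL*Plus, only from inside HR_ROLE_CTL.
CREATE ROLE hr_app_role IDENTIFIED USING sec_mgr.hr_role_ctl;
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;

-- 2. The package must be invoker's rights: DBMS_SESSION.SET_ROLE is not
--    allowed from a definer's-rights unit.
CREATE OR REPLACE PACKAGE sec_mgr.hr_role_ctl AUTHID CURRENT_USER AS
  PROCEDURE enable_hr_role;
END hr_role_ctl;
/

CREATE OR REPLACE PACKAGE BODY sec_mgr.hr_role_ctl AS
  PROCEDURE enable_hr_role IS
    v_proto VARCHAR2(32) := SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL');
    v_ip    VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    v_hour  PLS_INTEGER  := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
  BEGIN
    -- Check 1: a TCP connection from the application tier's subnet.
    -- IP_ADDRESS is NULL for local (bequeath) connections, so a sqlplus
    -- session on the database host fails this test by design.
    IF v_proto <> 'tcp' OR v_ip IS NULL OR v_ip NOT LIKE '10.1.5.%' THEN
      RAISE_APPLICATION_ERROR(-20001, 'HR role not available from this host');
    END IF;

    -- Check 2: a time-of-day window, one of the conditions slide 42 lists.
    IF v_hour < 7 OR v_hour >= 19 THEN
      RAISE_APPLICATION_ERROR(-20002, 'HR role not available outside 07:00-19:00');
    END IF;

    -- All checks passed: enable the role for this session only.
    DBMS_SESSION.SET_ROLE('HR_APP_ROLE');
  END enable_hr_role;
END hr_role_ctl;
/

-- 3. Application users get EXECUTE on the gate, not the role itself.
GRANT EXECUTE ON sec_mgr.hr_role_ctl TO app_user;

-- 4. What the application session sees:
--    SELECT role FROM session_roles;          -- HR_APP_ROLE absent
--    EXEC sec_mgr.hr_role_ctl.enable_hr_role; -- raises ORA-20001/20002 or succeeds
--    SELECT role FROM session_roles;          -- HR_APP_ROLE present
```

Two caveats a reviewer should raise on any gate package: DBMS_SESSION.SET_ROLE replaces the session's whole set of enabled roles, so any other role the application still needs must be named in the same call; and USERENV attributes the client sets itself (MODULE, CLIENT_INFO, CLIENT_IDENTIFIER) are not a security boundary, whereas IP_ADDRESS, NETWORK_PROTOCOL, AUTHENTICATION_TYPE and the X.509 fields are populated by the server from the connection.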

  43. Demonstration Secure Application Role

  44. Oracle Database 10g Virtual Private Database • Column Relevant Policies • Policy enforced only if specific columns are referenced • Increases row level security granularity [example table, Store ID / Revenue / Department: AX703 / 10200.34 / Finance; B789C / 18020.34 / Engineering; JFS845 / 12341.34 / Legal; SF78SD / 13243.34 / HR. "Select store_id, revenue…" references the sensitive column, so the policy is enforced and only the one permitted row is returned (OK)]

  45. Oracle Database 10g Virtual Private Database • Column Filtering • Optional VPD configuration to return all rows but filter out column values in rows which don't meet criteria [same example table; "Select revenue…" is enforced, all four rows are returned (OK OK OK OK), and the revenue value is blanked in the rows that fail the policy]
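Slides 44 and 45 show the two column-aware VPD behaviours on the same table. The SQL below is an added example that builds both, not code from the slides; the SALES and SEC_MGR schemas, the APP_CTX context with its USER_DEPT attribute, and the table rows (copied from the slide) are assumptions.

```sql
-- Added example (not from the slides): a column-relevant VPD policy on a
-- STORES table shaped like the one on slides 44/45, first as
-- "enforce only when REVENUE is referenced", then as column filtering.
-- SALES, SEC_MGR, APP_CTX and USER_DEPT are assumptions.

CREATE TABLE sales.stores (
  store_id   VARCHAR2(10) PRIMARY KEY,
  revenue    NUMBER(12,2),
  department VARCHAR2(30)
);
INSERT INTO sales.stores VALUES ('AX703',  10200.34, 'Finance');
INSERT INTO sales.stores VALUES ('B789C',  18020.34, 'Engineering');
INSERT INTO sales.stores VALUES ('JFS845', 12341.34, 'Legal');
INSERT INTO sales.stores VALUES ('SF78SD', 13243.34, 'HR');
COMMIT;

-- Application context carrying the caller's department. Binding it to one
-- package means only that package can set USER_DEPT; how the package
-- learns the department (e.g. an HR lookup in a logon trigger) is the
-- trust decision the whole policy rests on.
CREATE OR REPLACE CONTEXT app_ctx USING sec_mgr.app_ctx_pkg;
CREATE OR REPLACE PACKAGE sec_mgr.app_ctx_pkg AS
  PROCEDURE set_dept(p_dept IN VARCHAR2);
END app_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_mgr.app_ctx_pkg AS
  PROCEDURE set_dept(p_dept IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'USER_DEPT', p_dept);
  END set_dept;
END app_ctx_pkg;
/

-- Policy function: returns the predicate TEXT that VPD appends to the
-- statement. Referencing SYS_CONTEXT inside the predicate, instead of
-- concatenating the value in, keeps the text constant (no injection
-- surface, one cursor) and reads the value at execution time.
CREATE OR REPLACE FUNCTION sec_mgr.dept_revenue_pred (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN q'[department = SYS_CONTEXT('APP_CTX', 'USER_DEPT')]';
END dept_revenue_pred;
/

-- (a) Column-relevant policy (slide 44): enforced only when REVENUE is
-- referenced. With USER_DEPT = 'Finance':
--   SELECT store_id FROM sales.stores;           -- 4 rows
--   SELECT store_id, revenue FROM sales.stores;  -- 1 row (AX703)
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'SALES',
    object_name       => 'STORES',
    policy_name       => 'REVENUE_BY_DEPT',
    function_schema   => 'SEC_MGR',
    policy_function   => 'DEPT_REVENUE_PRED',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'REVENUE');
END;
/

-- (b) Column filtering (slide 45): same predicate, but all 4 rows come
-- back and REVENUE is NULL where the predicate is false. The option is
-- fixed at ADD_POLICY time, so drop and re-create.
BEGIN
  DBMS_RLS.DROP_POLICY('SALES', 'STORES', 'REVENUE_BY_DEPT');
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'SALES',
    object_name           => 'STORES',
    policy_name           => 'REVENUE_BY_DEPT',
    function_schema       => 'SEC_MGR',
    policy_function       => 'DEPT_REVENUE_PRED',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'REVENUE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Verify what is actually enforced on the table.
SELECT policy_name, sel, ins, upd, del, enable
  FROM dba_policies
 WHERE object_owner = 'SALES' AND object_name = 'STORES';
SELECT policy_name, sec_rel_column, column_option
  FROM dba_sec_relevant_cols
 WHERE object_owner = 'SALES' AND object_name = 'STORES';
```

Two things to keep in mind when choosing between (a) and (b): ALL_ROWS applies to SELECT only, and under column filtering an aggregate such as SUM(revenue) silently sums only the rows the caller may see, which is usually the intent but surprises report writers.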

  46. Demonstration Virtual Private Database

  47. Object Access Control [diagram: Org A and Org B each hold SELECT on the same data table]

  48. Oracle9i/10g Label Security • Out-of-the-box, customizable row level security • Design based on stringent commercial and government requirements for row level security [example table, Project / Location / Department / Sensitivity Label: AX703 / Chicago / Corporate Affairs / Public; B789C / Dallas / Engineering / Sensitive; JFS845 / Chicago / Legal / Highly Sensitive; SF78SD / Miami / Human Resource / Confidential : Europe]

  49. Components of Label Security Label Components are the encoding within data labels and user labels that determine access. • Levels • Sensitivity Level (e.g., “Top Secret, Secret, Unclassified”) • Compartments • (‘X’,’Y’,’Z’), User must possess all • Groups for “Need to Know” • Hierarchical • Supports Organization Infrastructure

  50. Oracle Label Security [diagram: a user whose Oracle9i OLS authorization is "Confidential : Partners" queries the application table Project / Location / Department / Sensitivity Label: AX703 / Boston / Finance / Public; B789C / Denver / Engineering / Confidential: Partners; JFS845 / Boston / Legal / Company Confidential; SF78SD / Miami / HR / Company Confidential. Only the rows labelled Public and Confidential: Partners are returned (OK OK)]
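Slide 49 lists the three label components and slide 50 shows the resulting access decision. The SQL below is an added example that builds that decision end to end, not code from the slides or from Oracle's documentation; the PROJ_POL policy, the APP schema, the PARTNER_ANALYST user, the component short names and the numeric component values are assumptions, and the table rows are taken from slide 50.

```sql
-- Added example (not from the slides): define levels, compartments and
-- groups (slide 49) in a policy, label a PROJECTS table like slide 50,
-- and authorise one user as "Confidential : Partners". PROJ_POL, APP,
-- PARTNER_ANALYST, the short names and numbers are assumptions.
-- Run the policy calls as a label administrator (LBAC_DBA / PROJ_POL_DBA).

CREATE TABLE app.projects (
  project    VARCHAR2(10) PRIMARY KEY,
  location   VARCHAR2(30),
  department VARCHAR2(30)
);
INSERT INTO app.projects VALUES ('AX703',  'Boston', 'Finance');
INSERT INTO app.projects VALUES ('B789C',  'Denver', 'Engineering');
INSERT INTO app.projects VALUES ('JFS845', 'Boston', 'Legal');
INSERT INTO app.projects VALUES ('SF78SD', 'Miami',  'HR');
COMMIT;

BEGIN
  -- 1. Policy: every table it is applied to gains a hidden PROJ_LABEL column.
  SA_SYSDBA.CREATE_POLICY(policy_name     => 'PROJ_POL',
                          column_name     => 'PROJ_LABEL',
                          default_options => 'READ_CONTROL,WRITE_CONTROL');

  -- 2. Levels: totally ordered; a user reads rows at or below their level.
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 1000, 'PUB',  'Public');
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 2000, 'CONF', 'Company Confidential');
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 3000, 'HS',   'Highly Sensitive');

  -- 3. Compartments: a reader must hold ALL compartments on the row.
  SA_COMPONENTS.CREATE_COMPARTMENT('PROJ_POL', 100, 'FIN', 'Financial data');
  SA_COMPONENTS.CREATE_COMPARTMENT('PROJ_POL', 200, 'LEG', 'Legal data');

  -- 4. Groups: hierarchical need-to-know; a reader needs the row's group
  --    or an ancestor of it (CORP readers see PART and EU rows, not vice versa).
  SA_COMPONENTS.CREATE_GROUP('PROJ_POL', 10, 'CORP', 'Corporate');
  SA_COMPONENTS.CREATE_GROUP('PROJ_POL', 20, 'PART', 'Partners', 'CORP');
  SA_COMPONENTS.CREATE_GROUP('PROJ_POL', 30, 'EU',   'Europe',   'CORP');

  -- 5. Data labels, written LEVEL:COMPARTMENTS:GROUPS using short names.
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 1, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 2, 'CONF::PART');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 3, 'CONF:FIN,LEG:CORP');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 4, 'HS:FIN:EU');

  -- 6. Enforce on the table; the owner gets FULL so it can label rows.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('PROJ_POL', 'APP', 'PROJECTS');
  SA_USER_ADMIN.SET_USER_PRIVS('PROJ_POL', 'APP', 'FULL');

  -- 7. One end user: clearance Confidential, compartment FIN, group Partners.
  SA_USER_ADMIN.SET_USER_LABELS(policy_name    => 'PROJ_POL',
                                user_name      => 'PARTNER_ANALYST',
                                max_read_label => 'CONF:FIN:PART');
END;
/

-- Label the rows (run as APP, which holds FULL on the policy).
UPDATE app.projects SET proj_label = CHAR_TO_LABEL('PROJ_POL', 'PUB')
 WHERE project = 'AX703';
UPDATE app.projects SET proj_label = CHAR_TO_LABEL('PROJ_POL', 'CONF::PART')
 WHERE project = 'B789C';
UPDATE app.projects SET proj_label = CHAR_TO_LABEL('PROJ_POL', 'CONF:FIN,LEG:CORP')
 WHERE project = 'JFS845';
UPDATE app.projects SET proj_label = CHAR_TO_LABEL('PROJ_POL', 'HS:FIN:EU')
 WHERE project = 'SF78SD';
COMMIT;

-- As PARTNER_ANALYST (who also needs SELECT on app.projects):
--   SELECT project, LABEL_TO_CHAR(proj_label) FROM app.projects;
-- returns AX703 (PUB) and B789C (CONF::PART) only, matching slide 50.
-- JFS845 is hidden by the missing LEG compartment and the CORP group;
-- SF78SD is hidden because level HS is above the user's CONF clearance.
```

The mediation rule to remember when reading the result: level is a dominance test, compartments are "must hold all of the row's", and groups are "must hold at least one of the row's, or a parent of it"; a row with a NULL label is invisible to everyone except users with FULL or READ privilege on the policy, which is why rows are labelled immediately after APPLY_TABLE_POLICY.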
