1 © 2011 Oracle Corporation
Creating Business Value and Improving Control with Oracle Enterprise Security
Agenda
IDM Evolution and Market Trends
Identity Management in Huawei
Case Studies
Don Draper goes to the Data Center: marketers are teaming up with the CIO. It’s the beginning of a beautiful relationship.
Age of Consumerization
Age of Deperimeterization
Increasing Importance of Mobile Devices
[Chart: growth of mobile search queries, 2008 to 2010, annotated with device launches: iPhone, iPhone 3G, Android G1, Blackberry Storm, Palm Pre, iPhone 3GS, Android Nexus One, Android myTouch, Moto Droid & Eris]
3,000%+ growth in 3 years
12% of all Google queries in Dec 2010 came from mobile devices
Mobile web adoption 8x faster than the desktop web
Source: Google Internal Data, based on a basket of 20,000 keywords
Increasing Importance of Mobile Devices
81% use a personal electronic device for work-related functions (Source: Harris poll 2011)
50% of companies surveyed that had not deployed transactional applications ranked security as one of their top three concerns
5.9B devices globally today, ~30% connect to the corporate network
Sources: Mobility Revolution Redux, Mar 2012; Ziff Davis in conjunction with The Strategy Group
Social Media
75% of online purchases don't complete because visitors abandon their shopping carts when simply required to register before making a purchase. The high abandonment rate results in millions of dollars in lost revenue.
40% of consumers prefer social logins over creating a new or guest account.
Cloud Computing
Private Cloud increased 28% from 2010 to 2011, and Public Cloud 50% in the same period
74% rate cloud security issues as very significant
[Chart: Private, Public and Hybrid cloud adoption]
Source: IDC
Source: IOUG ResearchWire member studies on Cloud Computing, conducted in Aug-Sept 2010 and Aug-Sept 2011
Cloud Security
[Build slide: “The Promise”, “The Reality”, “The Worst Case”]
WHAT IS HOLDING BACK THE TREND
Security Risk is a Strategic Concern: the number of external threats is increasing
$1 Trillion cyber crime cost globally
$7.2 Million cost of the average data breach
6M passwords stolen
12M credit cards stolen
1.3M online accounts
Sony, SEGA
Sources: Ponemon 2011; Security Week, Dec 15, 2011; Seven Significant Hacks of 2011, BetaNews, June 6, 2012; McAfee 2010
The Risk Threatens Your Business: brand, reputation, liability & shareholder value
97% avoidable through simple controls
Sony: 3x decline in brand value
RSA: $100M cost, banking alone
Societe Generale: $7Bn loss
UBS: $1Bn loss & CEO resigns
Sources: Verizon DBIR 2012; Security Week, Dec 15, 2011; Seven Significant Hacks of 2011; Bloomberg, June 8, 2011
Compliance & Governance Pressure Increasing: regulation & governance increase as perceived risk increases
Directive 95/46/EC, SOX, PIPEDA, PCI DSS, BASEL 2, HIPAA, GLBA, CMR 201, ISO 27001, SEC, FIPS, COSO, FISMA
Source: The Value of Corporate Secrets by Forrester Consulting (March 2010)
The Business Response Is Reactive: IT security has shifted attention away from the applications & data
“Most security organizations continue to focus inappropriate attention on network vulnerabilities and reactive network security tools rather than on proactive application security practices.”
The Reactive Approach Fails: increased IT spending & focused on the wrong risks
Security spending grew from 8.2% of IT budget (2007) to 14% of IT budget (2010)
[Chart: spending split across Endpoint Security, Vulnerability Management, Network Security, Email Security, Other Security]
94% against servers
66% of sensitive data in databases
96% PCI non-compliance
5% privilege misuse
32% of hacking involved stolen login credentials
Sources: The Evolution of IT Security 2010 to 2011; Verizon DBIR 2012 & IDC 2011; IDC 2011: Effective Data Leak Prevention Programs
The Root Causes are Inside: simple controls on the core systems could prevent most breaches
RSA: malware using employee access
Societe Generale: trader with excessive access
Sony: unencrypted credit cards
LinkedIn: passwords lightly encrypted
A trust relationship is expected. Unmanaged security risk destroys this relationship.
Agenda
IDM Evolution and Market Trends
Identity Management in Huawei
Case Studies
UNLOCK THE OPPORTUNITIES
PREVENT THE THREATS
MANAGE THE RISKS
Transform IT Security: cost-effectively reduce risk and improve results
SECURITY INSIDE-OUT
Start Inside: security at every layer & between systems
Security at Each Layer; Security Between Layers; Security Between Systems
Services & Consulting
Transform IT Security: three transformational solutions to start with
Fraud Detection
• Detect & prevent
• Monitor activity
• Report and analyze
• Detect anomalies
• Pattern detection
Data Security
• Secure databases
• Encrypt & mask
• Secure backup
• Encrypt storage
• Secure SOA
Compliance Reporting
• Authorize data access
• Review privileges
• Control transactions
• Control processes
• Reduce access
• Disable accounts
• Control passwords
Oracle Identity Management 11gR2: A Modern Platform
Identity Governance
• Access request and approval
• Role-based user provisioning
• Risk-based access certification
• Closed-loop remediation
• Role mining and management
• Privileged account management
Access Management
• Mobile access management
• Social identity access
• Single sign-on and federated sign-on
• Authentication
• Authorization and fine-grained authorization
• Web services security
Directory Services
• Flexible scalability
• Proxy-based search
• LDAP storage
• Virtual identity access
• LDAP synchronization
Platform Security Services: identity services used by developers
IDM Solution Framework
Acquisitions & mergers; New business initiatives; Organizational change
End users: Employees; Temporary staff; Vendors
Governance and control
Data classification: Top Secret … General Information
Information security: Access Control … Password Policies
IT service management: SLO, SLA … IT Process Service Improvement
IT governance: Business Objectives, Business Process … IT Controls …
Multiple access channels
IT applications and infrastructure: OS & Mainframe; Database; Custom App; Portal, CRM, ERP, SCM, Agile; OA & Domains; Cloud & Partners
Business activities
Identity Management
• User profile management
• Account lifecycle management
• Audit and reporting
• Self-service and entitlement management
Access Management
• Centralized authentication
• Single sign-on / mobile device single sign-on
• Risk-analysis-based access control
• Fine-grained application authorization
• Web Service security
Identity Management Bridges the Gap
Identity Management
Audit
Risk management
Authentication and authorization
Adaptive access
• Context/risk awareness
• Anomaly detection
• Fraud detection
Access
• Single sign-on
• Password policy
• Authorization policy
• Authorization
Scalable repository
• Identity synchronization
• Identity virtualization
• Reporting
Evolution: Tools; Single sign-on solution; Platform-based; Intelligent
Private internal cloud; Enterprise; Private hosted cloud; Public cloud
Administration
• Role management
• Provisioning
• Identity analytics
• Certification
Dimensions of Cloud Identity Management
Identity is the bridge to the cloud
Are you using cloud applications? Are you building cloud applications? Do you need IdM but don't want to maintain it?
Identity is the foundation of the cloud; identity hosted as a cloud service
Authentication and SSO across cloud applications
• Access anytime, anywhere, from any device
• Mobile authentication, SSO and access control
• Connect Internet and social identities to enterprise identities
• Seamless integration and control with the enterprise
• Mobile application access security
• Integrate native mobile apps and mobile web apps
• Access management, authorization and fraud detection
• Supports iOS and Android
• Mobile device security elements
• Device security: jailbreak detection at login
• Device lifecycle: whitelist / blacklist / lost device management
• Device fingerprinting
Mobility: mobile device access
Mobile Authentication: flexible choice of device, application and user
Mobile Single Sign-on; Mobility
Oracle Identity Management is “Cloud Ready”
SaaS applications; Desktop/mobile; On-premises applications; Social networks; Partners
Oracle Fusion Applications Powered by Oracle Fusion Middleware
• Oracle Fusion Applications are built from the ground up on Oracle Fusion Middleware
• Oracle Fusion Applications leverage the various foundation capabilities provided by Oracle Fusion Middleware
• Standards-based application development framework (Oracle ADF)
• Business intelligence
• Content management
• Enterprise performance management
• Business process management
• Security and identity management
Identity in Huawei
[Architecture diagram: the HRMS (HR system) feeds the Identity Store through a synchronization engine; a workflow layer handles approval and user self-service; business policies, workflows and policy roles drive a role rules engine with an SoD rules engine; application connectors push authorization to the target application systems (AD, PO, AP, ...); the actors are the Admin and the End Users (Huawei employees)]
Role and position information is centrally managed in the user profile
Rule-based mapping between users, roles and resources
Oracle Maximum Security Architecture
[Architecture diagram: Applications (Procurement, HR, Rebates) with Auditing, Authorization and Authentication controls over data classified as Sensitive, Confidential or Public; Oracle Audit Vault; Oracle Database Firewall; Oracle Database Vault (Multi-factor Authorization, DB Consolidation Security, Unauthorized DBA Activity); Oracle Advanced Security (Encrypted Database, Encrypted Traffic); Oracle Data Masking (Mask For Test and Dev); Enterprise Manager Grid Control (Secure Configuration Scanning, Patch Management)]
Oracle Solutions for GRC
GRC Application Controls: Transaction Monitoring; SoD & Access; Application Configuration; Reporting (KRI & Alerts, Dashboards)
GRC Reporting & Analytics
GRC Process Management: Audit Management; Assessment; Issue & Remediation; Event & Loss Mgmt
Custom or Legacy Applications
GRC Infrastructure Controls: Change Mgmt; Digital Rights; Data Security; Identity Mgmt; Records Mgmt
Pre-integrated with Oracle applications and technology, supports heterogeneous environments
Purpose-built business solutions for key industries and GRC initiatives
Best-in-class GRC core solutions to support all mandates and regulations
Agenda
IDM Evolution and Market Trends
Identity Management in Huawei
Case Studies: Learnings & Approach
The Workforce Lifecycle
“Day-1”: Employee joins the organization
“Day-2”: Employee starts being productive
“Change”: Employee changes role / organizational restructure
“Last Day”: Employee leaves the organization
Challenges in Accessing Applications & Systems
Lifecycle stages: “Day-1” (employee joins the organisation); “Day-2” (employee starts being productive); “Change” (employee changes role / organisational restructure); “Last Day” (employee leaves the organisation)
• Request-based access: not all required application accounts & access are in place for the new starter
• Access may not be timely or completely removed
• Organisational restructure may have an even larger-scale impact: losing or gaining too much access
• Employee may still retain a lot of previously granted access even after transferring internally
• Job transfers and changes may require new access; policy checks, temporary and proxy assignments further complicate the issue
• Re-establishing a new joiner who is a previous employee may inherit old application access even if it is no longer relevant
• Attestation and policy checks may not be complete and uniform across all apps
Challenges in Accessing Applications & Systems (continued)
Lifecycle stages: “Day-1” (employee joins the organisation); “Day-2” (employee starts being productive); “Change” (employee changes role / organisational restructure); “Last Day” (employee leaves the organisation)
• Request-based access: not all required application accounts & access are in place for the new starter
• Requests for access and the wait time impact productivity
• Organisational restructure may have an even larger-scale impact
• Employee may still retain a lot of previously granted access even after transferring internally
• Role change may require new access, impacting productivity again; temporary and proxy assignments further complicate the issue
• Re-establishing a new joiner who is a previous employee may break the current process
We simplified the diagram:
• Users may not know what access is required, or may take time to realize what is required
• Access may not be appropriate under certain conditions, and this may not be easily picked up
• Changing the policies can take a long time, and enforcing them consistently across all systems can be a big challenge
IAM Framework Benefits
[Diagram: End User, Policy Administrator and Security Auditor interact through the IAM Framework (Identity & Access; Roles & Governance) with Front-Office Applications, Back-Office Applications and Legacy Applications]
1. Business Enablement: faster application enablement and enforcement of policy changes, while improving overall security posture and auditability
2. Risk & Compliance: reduced business risk exposure & streamlined compliance efforts
3. Single Identity: one username and one password means an improved and consistent end-user experience
Case Study #1 Key IDM Issues
• Provisioning across multiple applications
• Large number of new employees in the last 2 years (20% increase), resulting in lots of manual provisioning
• Huge maintenance effort to manage the responsibilities and map them to the roles manually, with no automated workflow approvals
• Complex global employee definition and approvals across the globe
• Highly confidential nature of the business, resulting in strict procedures on access, roles and functions needing SoD validation and rules matrix definition
• Enormous solution footprint, resulting in large-scale manual responsibility maintenance
• Large compliance needs due to adherence to multiple reporting standards
Case Study #2 Key IDM Issues
Pain Points
• Different, complex identity management process in each system
• Manual provisioning
• Ghost accounts due to no de-provisioning
• Low user IT satisfaction due to no Single Sign-On
• Lack of audit trail for shared accounts
• Lots of credential memorizing due to periodic password change policy
• Repeated development cost for each new system's IAM requirements
Tasks
• Central management by IM system implementation
• Automatic provisioning process implementation
• Provide user self-service, UI consolidation
• Standardized approval workflow design & implementation
• “Who has access to what” reporting and monitoring
• Cost saving by standard reusable IAM module and central policy
• Single Sign-On implementation
Areas: Siloed User Info Management; Identity Management; SSO / Access Management; Audit / Report
IDM Deployment Application Lifecycle
[Diagram: maturity path from Manual Provisioning through Semi-Automated Provisioning to Automated Provisioning. Stage 1: Know Who Has Access, Validated Access (A), Systematic Access Removal (B). Stage 2, Rule Based Control: Rogue Access Controlled (A), Application Roles Engineered, Access By Account Request, Automated Provisioning On Request. Stage 3, Role Based Control: Rogue Access Controlled (B), Business Roles Engineered, Access By Role Request, Automated Role Grant, Automated RBAC]
Stage 1: Minimum Control
Know Who Has Access; Validated Access (A); Systematic Access Removal (B)
• Execution strategy:
– Reconcile application accounts & entitlements to a central repository
– Leverage existing provisioning process / system as-is
– Focus on process and data, not system integration/automation
– Validate and clean up access using attestation
– Drive de-provisioning based on HR events
• Benefits:
– Rapidly develop a central repository of “Who Had Access To What” with historical snapshots
– Rapidly close down security loopholes
Stage 2: Rule Based Control
Rogue Access Controlled (A); Application Roles Engineered; Access By Account Request; Automated Provisioning On Request
• Execution strategy:
– Access granted based on request and approval processes
– Request can be at entitlement or at application role level
– Use app. roles to ensure the process is more scalable & user friendly
– Leverage existing provisioning process / system as-is
– Automate provisioning only as needed
– Migrate to role based process when ready
• Benefits:
– Methodically deliver incremental control
– Approval workflow and rules can be easier to define than roles
– Complementary to role based control
Stage 3: Role Based Control
Rogue Access Controlled (B); Business Roles Engineered; Access By Role Request; Automated Role Grant; Automated RBAC
• Execution strategy:
– Access granted based on roles
– Phased approach for implementing RBAC
• Request for roles, then provision by role
• Automatically grant roles and provision by role
– Leverage existing provisioning process / system as-is
– Automate provisioning only as needed
• Benefits:
– Methodically achieve full RBAC
– Maximum automation and control, most compliant
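As an added example (not from the deck and not Oracle product code) of the Stage 1 and Stage 3 checks above, together with the SoD rules matrix that Case Study #1 and the Huawei rules engine call for: a Python reconciliation that builds the “who has access to what” view from application exports, flags accounts whose owner is terminated or unknown to HR for systematic removal, reports access not justified by the owner's assigned business roles, and checks SoD pairs. All employee ids, applications, roles, entitlements and rules are constructed sample data.

```python
# Added example: reconcile app accounts against the HR feed and a role model.
# All data below is constructed sample data, not taken from any real system.
from collections import defaultdict

# Authoritative source: HR status per employee id (Stage 1 trusted system).
HR = {"e100": "active", "e101": "active", "e102": "terminated"}

# Application exports: app -> account owner (employee id) -> entitlements.
APP_EXPORTS = {
    "ERP": {"e100": {"ap.invoice"}, "e101": {"ap.invoice", "ap.pay"}, "e102": {"ap.pay"}},
    "AD": {"e100": {"vpn"}, "e101": {"vpn"}, "e999": {"vpn"}},
}

# Business-role model: role -> entitlements it justifies; ASSIGNED is the HR role assignment.
ROLES = {"AP_CLERK": {"ap.invoice", "vpn"}, "AP_MANAGER": {"ap.invoice", "ap.pay", "vpn"}}
ASSIGNED = {"e100": {"AP_CLERK"}, "e101": {"AP_CLERK"}}

# SoD rules matrix: entitlement pairs that one person must not hold together.
SOD_RULES = [({"ap.invoice", "ap.pay"}, "create and pay invoices")]

def who_has_access(exports):
    """Stage 1: central 'who has access to what' view, user -> {(app, entitlement)}."""
    view = defaultdict(set)
    for app, accounts in exports.items():
        for user, ents in accounts.items():
            view[user].update((app, e) for e in ents)
    return dict(view)

def removal_candidates(view, hr):
    """Stage 1: de-provisioning driven by HR events: owner terminated or unknown to HR."""
    return {u: sorted(g) for u, g in view.items() if hr.get(u, "unknown") != "active"}

def rogue_access(view, assigned, roles, hr):
    """Stage 3: entitlements an active user holds beyond what their business roles justify."""
    rogue = {}
    for user, grants in view.items():
        if hr.get(user) != "active":
            continue  # inactive owners are already removal candidates
        justified = set().union(*(roles[r] for r in assigned.get(user, ())))
        extra = {e for _app, e in grants if e not in justified}
        if extra:
            rogue[user] = sorted(extra)
    return rogue

def sod_violations(view, rules):
    """Rules-engine check: users holding a conflicting entitlement pair, across any apps."""
    out = {}
    for user, grants in view.items():
        held = {e for _app, e in grants}
        hits = [name for pair, name in rules if pair <= held]
        if hits:
            out[user] = hits
    return out
```

In the sample, e102 (terminated) and e999 (not in HR at all) are the ghost accounts to remove, e101 holds ap.pay beyond the AP_CLERK role and that same extra grant is the SoD hit, which is the order Stage 1 then Stage 3 would surface them in.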
Potential Risks & Mitigation (Challenge: Mitigation)
Completeness of data: Not all data may be captured to drive policies and automation.
Quality of data: Choose the right authoritative sources, such as HR systems, and spend some time on data cleansing activities.
Big bang approach: Start small and grow slowly. Choose the most significant and easiest-to-implement trusted systems and target systems. Spread the project across multiple phases.
New or future systems with undefined requirements: The IAM framework needs to be open, flexible and standards-based. Strong governance and architectural standards and principles are to be enforced.
Workflows: Be conservative with the number of workflows to be implemented and their levels. Start with basic and well-documented ones.
Business policies: IdM is not only a tool implementation but also includes business process modifications, so it is important to understand the existing business processes and see how they can be changed.
Change management and communication: Make sure enough change management is part of the project to transition from the current state to the new IdM systems.
Skills and training: Make sure the right skills and adequate training are provided.
Approach & methodology: Use a proven methodology for the implementation, such as Oracle Consulting OUM.
Setting the right scope and requirements: Define a boundary with scopes and requirements. Align them to business objectives and priorities.
Underestimating non-functional requirements: Use best practices and benchmarks to put together the solution. Spend time in the project to understand them.
Best Practices
• Get executive sponsorship for the project
• Don’t try to become completely role based
• Utilize a knowledgeable implementation partner
• Use a phased approach to the implementation
• Define measurable milestones
• Implement an identity management program and not just a provisioning project