Creating Business Values and Improving Control with Oracle Enterprise Security

© 2011 Oracle Corporation


Agenda

IDM Evolution and Market Trends

Identity Management in Huawei

Case Studies


Don Draper goes to the Data Center: marketers are teaming up with the CIO. It’s the beginning of a beautiful relationship

Age of Consumerization

Age of Deperimeterization

Increasing Importance of Mobile Devices

[Chart: timeline 2008 to 2010 marked with device launches: iPhone, iPhone 3G, Android G1, Blackberry Storm, Palm Pre, iPhone 3GS, Android myTouch, Moto Droid & Eris, Android Nexus One. Source: Google Internal Data, based on a basket of 20,000 keywords]

• 3,000%+ growth in 3 years
• 12% of all Google queries in Dec 2010 came from mobile devices
• Mobile web adoption 8x faster than the desktop web


Increasing Importance of Mobile Devices

81% use a personal electronic device for work related functions

Source: Harris poll 2011

50% of companies surveyed that had not deployed transactional applications ranked security as one of their top three concerns

5.9B devices globally today, ~30% connect to corporate network

Source: Mobility Revolution Redux Mar 2012

Source: Ziff Davis in conjunction with The Strategy Group


Social Media

75% of online purchases don't occur because visitors abandon their shopping carts over the simple requirement to register before making a purchase. The high abandon rate results in millions of dollars in lost revenue

40% of consumers prefer social logins over creating a new or guest account


CLOUD COMPUTING

Private Cloud increased 28% from 2010 to 2011 and Public Cloud 50% in similar period

74% rate cloud security issues as very significant

Source: IDC

Source: IOUG ResearchWire member studies on Cloud Computing, conducted in Aug-Sept 2010 and Aug-Sept 2011

[Chart categories: Private, Public, Hybrid]


Cloud Security

“The Promise” “The Reality” “The Worst Case”


WHAT IS HOLDING BACK THE TREND

Security Risk is a Strategic Concern
The number of external threats is increasing

• $1 Trillion: cyber crime cost globally
• $7.2 Million: cost of average data breach
• 6M passwords stolen (Linkedin)
• 12M credit cards stolen (Sony)
• 1.3M on-line accounts (SEGA)

Sources: Ponemon 2011; Security Week Dec 15, 2011, Seven Significant Hacks of 2011; BetaNews June 6, 2012; McAfee 2010

The Risk Threatens Your Business
Brand, reputation, liability & shareholder value

• 97% avoidable through simple controls
• Sony: 3x decline in brand value
• RSA: $100M cost, banking alone
• Societe Generale: $7Bn loss
• UBS: $1Bn loss & CEO resigns

Sources: Verizon DBIR 2012; Security Week Dec 15, 2011, Seven Significant Hacks of 2011; Bloomberg June 8 2011

Compliance & Governance Pressure Increasing
Regulation & governance increase as perceived risk increases

Regulations and standards shown: Directive 95/46/EC, SOX, PIPEDA, PCI DSS, BASEL 2, HIPAA, GLBA, CMR 201, ISO27001, SEC, FIPS, COSO, FISMA

Source: The Value of Corporate Secrets by Forrester Consulting (March 2010)


“Most security organizations continue to focus inappropriate attention on network vulnerabilities and reactive network security tools rather than on proactive application security practices”.

The Business Response Is Reactive
IT security has shifted attention away from the applications & data

The Reactive Approach Fails
Increased IT spending & focused on the wrong risks

The Evolution of IT Security 2010 to 2011

• 8.2% IT budget (2007), 14% IT budget (2010)
• [Chart legend: Endpoint Security, Vulnerability Management, Network Security, Email Security, Other Security]
• 94% against servers
• 66% of sensitive data in databases
• 96% non-compliance PCI
• 5% privilege misuse
• 32% of hacking involved stolen login credentials

Sources: Verizon DBIR 2012 & IDC 2011; IDC 2011: Effective Data Leak Prevention Programs

The Root Causes are Inside
Simple controls on the core systems could prevent most breaches

• RSA: malware using employee access
• Societe Generale: trader with excessive access
• Sony: un-encrypted credit cards
• Linkedin: passwords lightly encrypted

A trust relationship is expected.

Unmanaged security risk destroys this relationship.


UNLOCK THE OPPORTUNITIES

PREVENT THE THREATS

MANAGE THE RISKS

Transform IT Security
Cost effectively reduce risk and improve results

SECURITY INSIDE-OUT

Oracle Confidential – Do Not Distribute

Start Inside
Security at every layer & between systems

• Security at Each Layer
• Security Between Layers
• Security Between Systems

Services & Consulting

Transform IT Security
Three transformational solutions to start with

Fraud Detection
• Detect & prevent
• Monitor activity
• Report and analyze
• Detect anomalies
• Pattern detection

Data Security
• Secure databases
• Encrypt & mask
• Secure backup
• Encrypt storage
• Secure SOA
• Authorize data access

Compliance Reporting
• Review privileges
• Control transactions
• Control processes
• Reduce access
• Disable accounts
• Control passwords

Oracle Identity Management 11gR2: A Modern Platform

Identity Governance
• Access request and approval
• Role-based user provisioning
• Risk-based access certification
• Closed-loop remediation
• Role mining and management
• Privileged account management

Access Management
• Mobile access management
• Social identity access
• Single sign-on and federated login
• Authentication
• Authorization and fine-grained authorization
• Web services security

Directory Services
• Flexible scalability
• Proxy-based search
• LDAP storage
• Virtual identity access
• LDAP synchronization

Platform Security Services: identity services for developers

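IDM Solution Framework

[Diagram labels]
• Business activities: mergers and acquisitions, new business initiatives, organizational change
• End users: employees, temporary staff, suppliers
• Governance and control:
  – Data classification: Top Secret … General Information
  – Information security: Access Control … Password Policies
  – IT service management: SLO, SLA … IT Process Service Improvement
  – IT governance: Business Objectives, Business Process … IT Controls…
• Multiple access channels
• IT applications and infrastructure: OS & Mainframe; Database; Custom App; Portal, CRM, ERP, SCM, Agile; OA & Domains
• Cloud & Partners
• Identity management: user profile management, account lifecycle management, audit and reporting, self-service and authorization management
• Access management: centralized authentication, single sign-on / mobile device single sign-on, access control based on risk analysis, fine-grained application authorization, Web Service security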

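Identity Management Bridges the Gap

[Diagram labels]
• Identity, administration, audit, risk management, authentication and authorization
• Adaptive access: context/risk awareness, anomaly detection, fraud detection
• Access: single sign-on, password policy, authorization policy, authorization
• Scalable repository: identity synchronization, identity virtualization, reporting
• Administration: role management, provisioning, identity analytics, certification
• Evolution: tools, single sign-on solutions, platform, intelligence
• Deployment: private internal cloud, enterprise, private hosted cloud, public cloud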

Cloud Identity Management Dimensions

• Are you using cloud applications?
• Are you building cloud applications?
• Do you need IdM but do not want to maintain it?

• Identity is the bridge to the cloud
• Identity is the foundation of the cloud
• Identity hosted as a cloud service

Authentication and SSO Across Cloud Applications

• Access from any device, anytime, anywhere
• Mobile authentication, SSO and access control
• Connect Internet and social identities to enterprise identities
• Seamless integration with, and control by, the enterprise

Mobility: Mobile Device Access

• Mobile application access security
  – Integrates native mobile apps and mobile web apps
  – Access management, authorization and fraud detection
  – Supports iOS and Android
• Mobile device security elements
  – Device security: jailbreak detection at login
  – Device lifecycle: whitelist / blacklist / lost-device management
  – Device fingerprint information

Mobile Authentication: flexible choice of devices, applications and users

Mobile Single Sign-on Mobility

Oracle Identity Management is “Cloud’s Ready”

[Diagram labels: SaaS applications; desktop/mobile; on-premises applications; social networks; partners]

Oracle Fusion Applications
Powered by Oracle Fusion Middleware

• Oracle Fusion Applications are built from the ground up on Oracle Fusion Middleware
• Oracle Fusion Applications leverage the various foundation capabilities provided by Oracle Fusion Middleware
  – Standards-based application development framework (Oracle ADF)
  – Business intelligence
  – Content management
  – Enterprise performance management
  – Business process management
  – Security and identity management

Identity in Huawei

[Architecture diagram labels]
• Identity Store
• Workflow
• Application connectors
• Approval
• User Self Service
• Business Policies, Workflows, Policy Roles
• Role Rules Engine
• AD\PO\AP\...: authorization in end application systems
• HRMS (HR system)
• Synchronization engine
• Admin (administrator)
• End User (Huawei employee)
• Rules (SoD Engine)

Role and job-position information is managed centrally in the user profile

Rule-based mapping between users, roles and resources

Oracle Maximum Security Architecture

[Architecture diagram; labels as extracted]
• Oracle Audit Vault
• Oracle Database Firewall
• Applications: Procurement, HR, Rebates
• Auditing, Authorization, Authentication
• Sensitive, Confidential, Public
• Multi-factor Authorization, DB Consolidation Security, Unauthorized DBA Activity
• Oracle Database Vault
• Encrypted Database, Encrypted Traffic
• Oracle Advanced Security
• Oracle Data Masking: Mask For Test and Dev
• Enterprise Manager Grid Control: Secure Configuration Scanning, Patch Management

Oracle Solutions for GRC

• GRC Application Controls: Transaction Monitoring, SoD & Access, Application Configuration
• GRC Reporting & Analytics: Reporting, KRI & Alerts, Dashboards
• GRC Process Management: Audit Management, Assessment, Issue & Remediation, Event & Loss Mgmt
• GRC Infrastructure Controls: Change Mgmt, Digital Rights, Data Security, Identity Mgmt, Records Mgmt
• Custom or Legacy Applications

• Pre-integrated with Oracle applications and technology, supports heterogeneous environments
• Purpose-built business solutions for key industries and GRC initiatives
• Best-in-class GRC core solutions to support all mandates and regulations

Agenda

IDM Evolution and Market Trends

Identity Management in Huawei

Case Studies: Learnings & Approach

The Workforce Lifecycle

• “Day-1”: Employee Joins The Organization
• “Day-2”: Employee Starts Being Productive
• “Change”: Employee Changes Role / Organizational Restructure
• “Last Day”: Employee Leaves Organization

Challenges in Accessing Applications & Systems

Lifecycle stages: “Day-1”: Employee Joins The Organisation; “Day-2”: Employee Starts Being Productive; “Change”: Employee Changes Role / Organisational Restructure; “Last Day”: Employee Leaves Organisation

• Request-based access: not all required application accounts & access are in place for a new starter
• Access may not be removed in a timely or complete manner
• Organisational restructure may have an even larger-scale impact: losing or gaining too much access
• Employee may still retain a lot of previously granted access even though they have transferred internally
• Job transfers and changes may require new access. Policy checks, temporary and proxy assignments further complicate the issue
• A re-established new joiner who is a previous employee may inherit old app access even if it is not relevant
• Attestation and policy checks may not be complete and uniform across all apps

Challenges in Accessing Applications & Systems

Lifecycle stages: “Day-1”: Employee Joins The Organisation; “Day-2”: Employee Starts Being Productive; “Change”: Employee Changes Role / Organisational Restructure; “Last Day”: Employee Leaves Organisation

• Request-based access: not all required application accounts & access are in place for a new starter
• Requests for access and wait time impact productivity
• Organisational restructure may have an even larger-scale impact
• Employee may still retain a lot of previously granted access even though they have transferred internally
• Role change may require new access, which impacts productivity again. Temporary and proxy assignments further complicate the issue
• Re-establishing a new joiner who is a previous employee may break the current process

We Simplified The Diagram:

• Users may not know what access is required or may take time to realize what is required
• Access may not be appropriate under certain conditions and this may not be easily picked up
• Changing the policies can take a long time and it can be a big challenge to enforce them consistently across all systems

IAM Framework Benefits

[Diagram labels: End User; Policy Administrator; Security Auditor; IAM Framework (Identity & Access, Roles & Governance); Front-Office Applications; Back-Office Applications; Legacy Applications]

1. Business Enablement: Faster application enablement and enforcement of policy changes, while improving overall security posture and auditability
2. Risk & Compliance: Reduced Business Risk Exposure & Streamline Compliance Efforts
3. Single Identity: One username and one password means improved and consistent end-user experience

Case Study #1 Key IDM Issues

• Provisioning across multiple applications
• Large number of new employees in the last 2 years (20% increase) resulting in lots of manual provisioning
• Huge maintenance effort to manage the responsibilities and map them to the roles manually with no automated workflow approvals
• Complex global employee definition and approvals across the globe
• Highly confidential nature of the business resulting in strict procedures on access, roles, functions needing SoD validation and rules matrix definition
• Enormous solution footprint resulting in large scale manual responsibility maintenance
• Large compliance needs due to multiple reporting standards adherence

Case Study #2 Key IDM Issues

Pain Points
• Different, complex identity management process in each system
• Manual provisioning
• Ghost accounts due to no de-provisioning
• Low user IT satisfaction due to no Single Sign On
• Lack of audit trail for shared accounts
• Lots of credential memorizing due to periodic password change policy
• Repeatable development cost for new system IAM requirement

Tasks
• Central management by IM system implementation
• Automatic provisioning process implementation
• Provide User Self-Service, UI consolidation
• Standardized approval workflow design & implementation
• Who has access to what reporting and monitoring
• Cost saving by standard reusable IAM module and central policy
• Single Sign On implementation

[Diagram labels: Siloed User Info Management; Identity Management; SSO / Access Management; Audit / Report]

IDM Deployment Application Lifecycle

[Diagram labels: Manual Provisioning; Semi-Automated Provisioning; Automated Provisioning; Know Who Has Access; Validated Access; Systematic Access Removal; Rogue Access Controlled; Application Roles Engineered; Access By Account Request; Automated Provisioning On Request; Business Roles Engineered; Access By Role Request; Automated Role Grant; Automated RBAC; Rule Based Control; Role Based Control; connectors A and B]

Stage 1: Minimum Control

[Diagram labels: Know Who Has Access; Validated Access (A); Systematic Access Removal (B)]

• Execution strategy:

– Reconcile application accounts & entitlements to a central repository

– Leverage existing provisioning process / system as-is

– Focus on process and data, not system integration/automation

– Validate and clean up access using attestation

– Drive de-provisioning based on HR events

• Benefits

– Rapidly develop a central repository of “Who Had Access To What” with historical snapshots

– Rapidly close down security loopholes
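
The Stage 1 steps above (reconcile accounts to a central repository, validate by attestation, de-provision on HR events) can be sketched as follows. This is an added example, not part of the original slides or of any Oracle product; the HR records, application names, account names and entitlement names are constructed sample data, and the function names are hypothetical.

```python
from datetime import date

# Constructed sample data: HR is the authoritative source, keyed by employee id.
HR_RECORDS = {
    "E1001": {"name": "A. Chen", "status": "active", "end_date": None},
    "E1002": {"name": "B. Kumar", "status": "terminated", "end_date": date(2011, 3, 31)},
    "E1003": {"name": "C. Lopez", "status": "active", "end_date": None},
}

# Constructed account exports from two target systems (hypothetical names).
APP_ACCOUNTS = [
    {"app": "ERP", "account": "achen", "employee_id": "E1001", "entitlements": ["AP_CLERK"]},
    {"app": "ERP", "account": "bkumar", "employee_id": "E1002", "entitlements": ["PO_APPROVER"]},
    {"app": "CRM", "account": "clopez", "employee_id": "E1003", "entitlements": ["SALES_USER"]},
    {"app": "CRM", "account": "batch01", "employee_id": None, "entitlements": ["ADMIN"]},
    {"app": "CRM", "account": "dwong", "employee_id": "E1999", "entitlements": ["SALES_USER"]},
]


def reconcile(hr, accounts, as_of):
    """Build a dated 'who has access to what' snapshot and classify each account.

    linked: owner is known to HR and still employed on as_of
    ghost:  owner left on or before as_of but the account still exists
    orphan: no owner recorded, or the recorded owner is unknown to HR
    """
    snapshot = []
    for acct in accounts:
        emp = hr.get(acct["employee_id"])
        if emp is None:
            state = "orphan"
        elif emp["status"] == "terminated" and emp["end_date"] <= as_of:
            state = "ghost"
        else:
            state = "linked"
        snapshot.append({**acct, "state": state, "as_of": as_of})
    return snapshot


def deprovision_queue(snapshot):
    """Accounts to disable because of an HR leaver event."""
    return sorted((r["app"], r["account"]) for r in snapshot if r["state"] == "ghost")


def attestation_items(snapshot):
    """Review items: orphans need an owner decision, linked access needs certifying."""
    items = []
    for r in snapshot:
        if r["state"] == "orphan":
            items.append((r["app"], r["account"], "assign owner or remove"))
        elif r["state"] == "linked":
            for ent in r["entitlements"]:
                items.append((r["app"], r["account"], f"certify {ent}"))
    return sorted(items)


if __name__ == "__main__":
    snap = reconcile(HR_RECORDS, APP_ACCOUNTS, date(2011, 6, 1))
    print("de-provision:", deprovision_queue(snap))
    for item in attestation_items(snap):
        print("attest:", item)
```

Keeping each dated snapshot gives the historical view of who had access to what, and the target systems only need to supply account exports, so no provisioning integration is required at this stage.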


Stage 2: Rule Based Control

• Execution strategy:

– Access granted based on request and approval processes

– Request can be at entitlement or at application role level

– Use app. roles to ensure process is more scalable & user friendly

– Leverage existing provisioning process / system as-is

– Automate provisioning only as needed

– Migrate to role based process when ready

• Benefits

– Methodically deliver incremental control

– Approval workflow and rules can be easier to define than roles

– Complementary to role based control

[Diagram labels: Rogue Access Controlled (A); Application Roles Engineered; Access By Account Request; Automated Provisioning On Request]

Stage 3: Role Based Control

• Execution strategy:

– Access granted based on roles

– Phased approach for implementing RBAC

• Request for roles then provision by role

• Automatically grant roles and provision by role

– Leverage existing provisioning process / system as-is

– Automate provisioning only as needed

• Benefits

– Methodically achieve full RBAC

– Maximum automation and control, most compliant

[Diagram labels: Rogue Access Controlled (B); Business Roles Engineered; Access By Role Request; Automated Role Grant; Automated RBAC]

Potential Risks & Mitigation

Challenge: Mitigation

• Completeness of data: Not all data may be captured to drive policies and automation.
• Quality of data: Choose the right authoritative sources, such as HR systems, and spend some time on data cleansing activities.
• Big bang approach: Consider starting small and growing slowly. Choose the most significant and easy-to-implement trusted systems and target systems. Spread the project over multiple phases.
• New or future systems having undefined requirements: The IAM framework needs to be open, flexible and standards based. Strong governance and architectural standards and principles need to be enforced.
• Workflows: Be conservative with the number of workflows to be implemented and their levels. Start with basic and well-documented ones.
• Business policies: IdM is not only a tool implementation but also includes business process modifications, so it is important to understand the existing business processes and see how they can be changed.
• Change management and communication: Make sure enough change management is part of the project to transition from the current state to the new IdM systems.
• Skills and training: Make sure the right skills and adequate training are provided.
• Approach & methodology: Use a proven methodology for the implementation. Oracle Consulting OUM.
• Setting right scope and requirements: Define a boundary with scopes and requirements. Align them to business objectives and priorities.
• Underestimating non-functional requirements: Use best practices and benchmarks to put together the solution. Spend time in the project to understand them.

Best Practices

• Get executive sponsorship for project

• Don’t try to become completely role based

• Utilize a knowledgeable implementation partner

• Use a phased approach to the implementation

• Define measurable milestones

• Implement an identity management program and not just a provisioning project