Oracle Security & Identity Management
July 20, 2005
Rafael Torres, Sr. Solutions Architect, Cincinnati, [email protected]
Gary Quarles, Sr. Solutions Architect, Columbus, [email protected]
Agenda 9am-10:15am
– Identity Management: OID, User Provisioning, Directory Integration, Proxy Authentication
– Virtual Private Database
– Securing Data Access
– Secure Application Roles
BREAK (15 mins)
Agenda (con't) 10:30am-11:45am
– Label Security
– Fine Grained Auditing
– Stored Data Encryption
– Detecting Security Breaches
– Data Privacy Compliance
– Network Encryption
– User Security
– Oblix Roadmap
11:45am-1pm – Buffet Luncheon
1pm-1:15pm – Raffle
Security Legislation
Sarbanes-Oxley
– Everyone
– Financial statements contain no errors
Gramm-Leach-Bliley
– Financial services (healthcare privacy is governed by HIPAA)
– Ensure privacy, security, confidentiality
California's Breach Disclosure Law
– Anyone with customers in California
– Audit breach of PII, notify those affected
Safe Harbor
– Anyone doing business in Europe
– Reasonable steps to secure from unauthorized access
Data Privacy Concerns
Customer information
– protecting customer personally identifiable information (PII)
Employee information
– the majority of privacy regulations provide equal or greater rights of privacy to employees
Third party information
– protecting PII of third persons provided to you by customers or employees
25% technical / 75% policy and procedures
Data Privacy Compliance
www.oracle.com/consulting
The Expert View
"90% detected computer security breaches in the past year."
"80% acknowledged financial losses due to computer breaches."
- CSI/FBI Computer Crime and Security Survey
"If you spend more on coffee than on IT security, then you will be hacked…what's more, you deserve to be hacked!"
- Richard Clarke, Special Advisor to the President, Cyberspace Security
State of Security – United States
90% of respondents* detected computer security breaches within the last twelve months.
80% of respondents acknowledged financial losses due to computer breaches.
– $455,848,000 in quantifiable losses
– $170,827,000 theft of proprietary information
– $115,753,000 in financial fraud
74% cited their Internet connection as a frequent point of attack
33% cited internal systems as a frequent point of attack
* Source: CSI/FBI Computer Crime and Security Survey
Why Oracle for Security and Identity Management?
25+ year history
– First Oracle customer was a government customer
Information Assurance
– 17 independent security evaluations over the past decade
– Substantial financial commitment to independent security evaluations
– More evaluations than any other major database vendor
– Culture of security at Oracle
Robust security features and Identity Management infrastructure
– Row level security
– Fine Grained Auditing
– Integrated database security and identity management: Web Single Sign-On, Oracle Internet Directory
– Strong authentication
Oracle Database = 25+ years of security leadership
[Timeline, 1977 to 2004: Oracle Database security milestones, earliest first]
– 1977: first customer is a government customer
– 1992: Trusted Oracle7 Multilevel Secure Database
– 1993: first Orange Book B1 evaluation
– Oracle Advanced Security introduced: network encryption, RADIUS authentication, support for PKI, Kerberos framework, database encryption API
– Oracle Internet Directory; Enterprise User Security
– 1998: Virtual Private Database
– 2000: Oracle Label Security
– Oracle9iAS Single Sign-On; Oracle9iAS JAAS
– Common Criteria (EAL4) evaluation
– Fine Grained Auditing; Identity Management release; security evaluation number 17
– Column security policies; Label Security + Identity Management
– 2004: Oracle Application Server 10g Identity Management
Identity Management
– the process by which the complete security lifecycle for users and other entities is managed for an organization or community of organizations.
– the management of an organization's application users, where steps in the security lifecycle include account creation, suspension, privilege modification, and account deletion.
Identity Management Components
The Identity Challenge
[Diagram: four applications, each with its own store of user credentials for authentication and authorization (a directory server or database) and its own administrators, all serving the same end users]
– Redundant, silo'd application development
– Non-uniform access policies
– Orphan accounts
– Audit/log information fragmented
Bring Order to Chaos with Identity
[Diagram: the same applications sharing one store of user credentials for authentication and authorization, one set of administrators and one set of end users]
– Centralized, policy-based management of access & authorization
– Faster development and deployment
– Centralized audit and logging
Oracle ID Mgmt: Typical Deployments
– Enterprise provisioning – heterogeneous integration
– Telco provisioning – scalability & HA
– Enterprise Portal – single sign-on, administrative delegation
– Government R&D organization, corporate conglomerates – centralized identities with autonomous administration of departmental applications
– Multi-hosting with delegated subscriber admin – multiple identity realms in one physical infrastructure + HA
Platform Security Architecture
[Diagram: layered stack]
– External Security Services: Public Key Infrastructure, Directory Integration, RBAC & Web Authorization, Provisioning & Delegated Administration
– Oracle Identity Management: Oracle Internet Directory, Access Management, Directory Services, Provisioning Services, SSO & Identity Federation
– Oracle Platform Security: Oracle Database (enterprise users, VPD, Label Security, encryption, audit) and Oracle Application Server (JAAS, JACC, WS-Security, …)
– Application Security: E-Business Suite (responsibilities, roles, …), Collaboration Suite (secure mail, interpersonal grants, …), ISV & custom applications (authorization, privacy, audit, …), BPEL Process Manager, BI, Portal, ADF (roles, privilege groups, …)
Internet Directory
Scalability
– Millions of users
– 1000's of simultaneous clients
High availability
– Multimaster & fan-out replication
– Hot backup/recovery, RAC, etc.
Manageability
– Grid Control multi-node monitoring
Security
– Comprehensive password policies
– Role & policy based access control
– Auditability
Extensibility & Virtualization
– Plug-in framework
– Attribute and namespace virtualization
– External authentication
– Custom password policies
[Diagram: LDAP clients and the Directory Admin Console talk to the OID server, which stores the directory in an Oracle Database]
Directory Integration
[Diagram: the Directory Integration Service links Oracle Internet Directory through connectors to external directories and sources: SunONE, Active Directory, Oracle HR, Oracle DB, OpenLDAP, eDirectory]
Provisioning Integration
[Diagram: the Oracle Provisioning Integration Service (Event Notification Engine, Policy & Workflow Engine) sits between OID and the provisioned targets (ERP, CRM, …, eMail, Portal, a partner provisioning system), reached through provisioning connectors. Sources of change: self-service (passwords, preferences), corporate HR (employee enrollment), helpdesk admin, eMail admin, Portal admin]
OracleAS Single Sign-On
[Diagram: an OracleAS-enabled environment (ERP, CRM, …, Portal) and a partner-SSO-enabled environment (Netegrity, RSA, Oblix) both authenticate against OID; extranet access goes through federation / Liberty; authentication options include PKI, password, Win2K native authentication, SecurID, Biokey, …]
– Integrates Oracle and partner-SSO enabled apps
– Transparent access to DB tier, 3rd party web apps
– Multiple AuthN options: different auth modes to match application security levels
Demonstration: IdM: SSO
SSO Benefits
1) Tightly integrated with the Oracle product stack
2) Easy to deploy, part of Oracle Identity Management
3) Supports PKI authentication with industry standard X.509v3 certificates
4) Accepts Microsoft Kerberos tokens for easy authentication in a Windows environment
5) Integrated with Oracle Certificate Authority (OCA) for easy provisioning of X.509v3 certificates
Certificate Authority
– Solution for strong authentication / PKI
– Easy provisioning of X.509v3 digital certificates for end users
– Web based certificate management and administration
– Seamless integration with Oracle Application Server Single Sign-On & OID
[Diagram: the user obtains a certificate from Oracle Certificate Authority, whose metadata repository lives in a secure IT facility; OCA integrates with Oracle Single Sign-On and Oracle Internet Directory]
Future support
– SAML (Security Assertion Markup Language) – facilitates interoperation and federation among security services.
– SPML (Service Provisioning Markup Language) – XML standard that facilitates integration among provisioning environments by defining the protocol for interaction between provisioning service components and agents representing provisioned services.
– DSML (Directory Services Markup Language) – XML standard for exchanging directory data as well as invoking directory operations over the Internet.
Future support (con't)
– XKMS (XML Key Management Specification) – intended to simplify deployment of PKI in a web services environment.
– WS-Security – defines a set of SOAP extensions that can be used to provide message confidentiality, message integrity, and secure token propagation between Web Services and their clients.
– Liberty Alliance standards – define the framework and protocol for network identity based interactions among users and services within a federated identity management environment.
Delegated Administration Services
Admin console with role-based customization
– User / group management
– End-user vs admin views
– Admin delegation
End-user self-service
– Self service provisioning
– Set preferences, org-chart
– Password reset
Embeddable admin components
– For integration with apps
Extensively configurable
– Accommodate new applications
– Customize UI views
Demonstration: IdM: Delegated Admin Svs
Delegated Admin Benefits
1) Enables self service administration of passwords and password resets
2) Enables administrative granularity of Identity Management components
3) Centralized provisioning for web SSO and enterprise user database access
4) Supports password or PKI based authentication
5) Self service password management without the intervention of an administrator
6) Allows delegated administrators, such as non-technical managers, to create and manage both users and groups
7) Allows users to search the parts of the directory to which they have access
Grid Computing: End-to-End Security
[Diagram: Application Grid and Data Grid]
– Client authenticates to the app server
– App server authenticates the user, retrieves the user's authorizations from OID (identities, roles & authorizations) and connects the user to the application schema
– App server securely proxies the user identity to the RDBMS
AS10g R2 new 3-tier features
– Proxy authentication, including credential proxy of X.509 certificates or Distinguished Names (DN) to the Oracle Database
– Support for the Type 2 JDBC driver; connection pooling for 'application users' (Type 2 and Type 4 JDBC drivers, OCI)
– Integration with Oracle Identity Management for Enterprise Users (EUS)
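The database side of the proxy authentication described above, as an added example that is not part of the deck: a pool account that may only open sessions on behalf of named end users, the X.509/DN variant, and the session values a policy can key on. APPSRV, JSMITH, HR_CLERK_ROLE, the HR.EMPLOYEES table and the passwords are placeholders (Oracle 9i/10g syntax).

```sql
-- Added example: proxy authentication from a middle tier.
-- APPSRV, JSMITH, HR_CLERK_ROLE, HR.EMPLOYEES and the passwords are placeholders.

-- 1. The account the application server connects as. It holds nothing
--    beyond CREATE SESSION, so compromising the pool password alone
--    yields no data.
CREATE USER appsrv IDENTIFIED BY "ChangeMe_AppSrv1";
GRANT CREATE SESSION TO appsrv;

-- 2. A real end user and the role the application needs on that user's behalf.
CREATE ROLE hr_clerk_role;
GRANT SELECT ON hr.employees TO hr_clerk_role;
CREATE USER jsmith IDENTIFIED BY "ChangeMe_JSmith1";
GRANT CREATE SESSION, hr_clerk_role TO jsmith;

-- 3. Let APPSRV open sessions as JSMITH, restricted to that one role.
--    The middle tier never learns JSMITH's password: it authenticates
--    itself, then asserts the end-user name (JDBC: openProxySession).
ALTER USER jsmith GRANT CONNECT THROUGH appsrv WITH ROLE hr_clerk_role;

-- Variant from the slide: the middle tier forwards the user's certificate
-- or DN and the database checks it, instead of trusting a bare name.
-- ALTER USER jsmith GRANT CONNECT THROUGH appsrv AUTHENTICATED USING DISTINGUISHED NAME;
-- ALTER USER jsmith GRANT CONNECT THROUGH appsrv AUTHENTICATED USING CERTIFICATE;

-- Variant for Enterprise User Security: one shared schema, the real
-- identity comes from OID and shows up as EXTERNAL_NAME in the session.
-- CREATE USER eus_shared IDENTIFIED GLOBALLY AS '';
-- GRANT CREATE SESSION TO eus_shared;

-- 4. Audit what APPSRV does on behalf of anyone, separately from its own work.
AUDIT CREATE SESSION BY appsrv ON BEHALF OF ANY;
AUDIT SELECT TABLE BY appsrv ON BEHALF OF ANY;

-- 5. Inside a proxied session both identities remain visible, so a VPD
--    policy or secure application role can key on them.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')    AS proxy_user,     -- the pool account
       SYS_CONTEXT('USERENV', 'SESSION_USER')  AS session_user,   -- the end user
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') AS external_name   -- DN for EUS users
FROM   dual;
```

Without the WITH ROLE clause the proxied session gets all of JSMITH's default roles; naming the role keeps the middle tier from reaching privileges the application was never meant to use.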
Demonstration: User Security
User Security Benefits
1) Enables centralized management of traditional application users in Oracle Identity Management
2) Oracle Identity Management directory integration services can be used for bi-directional synchronization with existing Identity Management infrastructures (AD, SunONE/iPlanet, Netscape)
3) Optionally map users to shared schemas, or retain individual account mappings in the database for complete application transparency
4) Optionally manage database roles in the Oracle Identity Management infrastructure
5) Optionally can be used with Oracle Label Security to maintain security clearances in Oracle Identity Management
Oracle IT: Before ID Mgmt
[Diagram: numerous IDs / passwords & sign-ons. Extranet DMZ: my.oracle.com (employees, self-registered TechNet users), Oracle Technology Network, Oracle Files, Global Mail, Calendar, Web Mail / Calendar, each with its own IDs, passwords, profiles, prefs. Corporate network (employees, partners / suppliers): HR, Web Conferencing, intranet web apps, E-Business Apps, each with its own IDs, passwords, profiles, prefs]
Oracle IT: After ID Mgmt
[Diagram: the same extranet DMZ and corporate network applications (my.oracle.com, Oracle Technology Network, Oracle Files, Global Mail, Calendar, Web Mail / Calendar, HR, Web Conferencing, intranet web apps, E-Business Apps) all backed by the Oracle IdM Infrastructure: a single ID/password & SSO for employees, self-registered TechNet users and partners / suppliers]
Oracle IdM Summary
Oracle Identity Management is a complete infrastructure providing
– directory services
– directory synchronization
– user provisioning
– delegated administration
– web single sign-on
– and an X.509v3 certificate authority.
Oracle Identity Management is designed to provide ready, out-of-the-box deployment for Oracle applications, as well as serve as a general-purpose identity management infrastructure for the enterprise and beyond.
Break (15 minutes)
Privacy & Access Control
Oracle9i/10g Secure Application Role
• Secure application role is a role enabled by security code
• Application asks database to enable role (can be called transparently)
• Security code performs desired validation before setting role (privileges)
CREATE ROLE SAR IDENTIFIED USING SCHEMA_USER.PACKAGE_NAME;
[Diagram: User A reaches the same Oracle9i/10g database through the HR application, the Financials application and ad-hoc reports over JDBC / Net8 / ODBC; the database decides per connection whether the role is enabled]
Secure Application Role Benefits
Security policy can check anything:
– time of day
– day of week
– IP address/domain
– local or remote connection
– user connected through application
– X.509 data, etc.
Database controls whether privileges are enabled
Multiple applications can access database securely
Allows secure handshake between applications and database
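The checks listed above, as an added example of a secure application role (not code from the deck): the role can only be enabled by a package that verifies client address, proxy account, and business hours. SEC_MGR, HR_CLERK_ROLE, APPSRV, APP_USER, HR.EMPLOYEES and the 10.1.5.x address range are placeholders.

```sql
-- Added example: a secure application role gated by PL/SQL checks.
-- SEC_MGR, HR_CLERK_ROLE, APPSRV, APP_USER, HR.EMPLOYEES and the
-- address range are placeholders.

-- The role can be enabled only through SEC_MGR.HR_ROLE_PKG;
-- a plain SET ROLE from SQL*Plus fails.
CREATE ROLE hr_clerk_role IDENTIFIED USING sec_mgr.hr_role_pkg;
GRANT SELECT, UPDATE ON hr.employees TO hr_clerk_role;

-- The package must be invoker's rights (AUTHID CURRENT_USER) so that
-- DBMS_SESSION.SET_ROLE acts on the calling user's session.
CREATE OR REPLACE PACKAGE sec_mgr.hr_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_hr_role;
END hr_role_pkg;
/

CREATE OR REPLACE PACKAGE BODY sec_mgr.hr_role_pkg AS
  PROCEDURE enable_hr_role IS
    v_ip    VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    v_proxy VARCHAR2(128) := SYS_CONTEXT('USERENV', 'PROXY_USER');
    v_hour  PLS_INTEGER   := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
    v_day   VARCHAR2(3)   := TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH');
  BEGIN
    -- Client address range: local (bequeath) connections have no IP
    -- address and are rejected along with everything outside the range.
    IF v_ip IS NULL OR v_ip NOT LIKE '10.1.5.%' THEN
      RAISE_APPLICATION_ERROR(-20001, 'HR_CLERK_ROLE: client address not allowed');
    -- Only sessions proxied through the application server's account.
    ELSIF v_proxy IS NULL OR v_proxy <> 'APPSRV' THEN
      RAISE_APPLICATION_ERROR(-20002, 'HR_CLERK_ROLE: must connect through the application');
    -- Business hours on working days.
    ELSIF v_hour < 8 OR v_hour >= 18 OR v_day IN ('SAT', 'SUN') THEN
      RAISE_APPLICATION_ERROR(-20003, 'HR_CLERK_ROLE: outside business hours');
    END IF;
    -- All checks passed. SET_ROLE replaces the session's active role set,
    -- so list any other roles that must stay enabled here as well.
    DBMS_SESSION.SET_ROLE('HR_CLERK_ROLE');
  END enable_hr_role;
END hr_role_pkg;
/

-- Grant the role, but keep it out of the user's default roles: a default
-- role is enabled at logon without the package ever running.
GRANT hr_clerk_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT hr_clerk_role;
GRANT EXECUTE ON sec_mgr.hr_role_pkg TO app_user;

-- The application's first statement after connecting (the "handshake"),
-- followed by a check of what is now enabled in this session.
BEGIN
  sec_mgr.hr_role_pkg.enable_hr_role;
END;
/
SELECT role FROM session_roles;
```

The package raises a distinct error for each failed check so that the application log tells the operator why the handshake failed without exposing which other checks remain.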
Demonstration: Secure Application Role
Oracle Database 10g Virtual Private Database
Column Relevant Policies
– Policy enforced only if specific columns are referenced
– Increases row level security granularity
[Table: Store ID / Revenue / Department: AX703 10200.34 Finance; B789C 18020.34 Engineering; JFS845 12341.34 Legal; SF78SD 13243.34 HR. "Select store_id, revenue…" references the sensitive column, so the policy is enforced and only the row the policy permits is returned (one OK)]
Oracle Database 10g Virtual Private Database
Column Filtering
– Optional VPD configuration to return all rows but filter out column values in rows which don't meet the criteria
[Same table; "Select revenue…" enforces the policy, but all four rows are returned (OK, OK, OK, OK) with the revenue value blanked in the rows that fail the predicate]
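Both behaviours from the two slides above, as an added example built on DBMS_RLS (not code from the deck): the same policy function first as a column-relevant policy, then as a column-filtering (masking) policy. The SALES and SEC_MGR schemas, the STORE_REVENUE and USER_DEPTS tables and the FIN_ANALYST user are placeholders; the rows are the slide's sample data.

```sql
-- Added example: column-relevant VPD policy vs column filtering.
-- SALES, SEC_MGR, FIN_ANALYST and the tables are placeholders.
CREATE TABLE sales.store_revenue (
  store_id   VARCHAR2(10),
  revenue    NUMBER(12,2),
  department VARCHAR2(30));
INSERT INTO sales.store_revenue VALUES ('AX703',  10200.34, 'Finance');
INSERT INTO sales.store_revenue VALUES ('B789C',  18020.34, 'Engineering');
INSERT INTO sales.store_revenue VALUES ('JFS845', 12341.34, 'Legal');
INSERT INTO sales.store_revenue VALUES ('SF78SD', 13243.34, 'HR');

-- Which departments each database user may see revenue for (constructed).
CREATE TABLE sec_mgr.user_depts (username VARCHAR2(30), department VARCHAR2(30));
INSERT INTO sec_mgr.user_depts VALUES ('FIN_ANALYST', 'Finance');
COMMIT;

-- Policy function: VPD calls it with (schema, object) and ANDs the returned
-- predicate into the user's statement. Returning NULL means no restriction.
CREATE OR REPLACE FUNCTION sec_mgr.revenue_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SALES' THEN
    RETURN NULL;   -- the owner sees everything
  END IF;
  RETURN 'department IN (SELECT d.department FROM sec_mgr.user_depts d ' ||
         'WHERE d.username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END revenue_policy;
/

-- Column-relevant policy (first slide): the predicate applies only when
-- REVENUE is referenced. "SELECT store_id, department" is not filtered;
-- "SELECT store_id, revenue" returns only the caller's department rows.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'SALES',
    object_name       => 'STORE_REVENUE',
    policy_name       => 'REVENUE_ROWS',
    function_schema   => 'SEC_MGR',
    policy_function   => 'REVENUE_POLICY',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'REVENUE');
END;
/

-- Column filtering (second slide): same predicate, but rows that fail it
-- are still returned with REVENUE set to NULL instead of being dropped.
-- Replace the first policy rather than stacking both: multiple policies
-- on one object are ANDed, which would drop the rows again.
BEGIN
  DBMS_RLS.DROP_POLICY('SALES', 'STORE_REVENUE', 'REVENUE_ROWS');
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'SALES',
    object_name           => 'STORE_REVENUE',
    policy_name           => 'REVENUE_MASK',
    function_schema       => 'SEC_MGR',
    policy_function       => 'REVENUE_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'REVENUE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Check what is in force on the table.
SELECT policy_name, function, sel, enable
FROM   dba_policies
WHERE  object_owner = 'SALES' AND object_name = 'STORE_REVENUE';
```

The policy function runs with SEC_MGR's rights, so the lookup table that maps users to departments never needs to be readable by the application users themselves. Note that with ALL_ROWS the row count still leaks how many stores exist; use the row-dropping form when that count is itself sensitive.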
Demonstration: Virtual Private Database
Object Access Control
[Diagram: Org A and Org B each hold SELECT on the same data table; object privileges alone cannot separate their rows]
Oracle9i/10g Label Security
– Out-of-the-box, customizable row level security
– Design based on stringent commercial and government requirements for row level security
[Table: Sensitivity Label / Project / Location / Department: Public AX703 Chicago Corporate Affairs; Sensitive B789C Dallas Engineering; Highly Sensitive JFS845 Chicago Legal; Confidential : Europe SF78SD Miami Human Resource]
Components of Label Security
Levels
– Sensitivity level (e.g., "Top Secret, Secret, Unclassified")
– Hierarchical: a higher level dominates a lower one
Compartments
– e.g. ('X','Y','Z'); non-hierarchical
– The user must possess all compartments in a row's label ("need to know")
Groups
– Hierarchical
– Supports organization infrastructure
Label components are the encoding within data labels and user labels that determine access.
Oracle Label Security
[Application table with its Oracle Label Security authorizations. Sensitivity Label / Project / Location / Department: Public AX703 Boston Finance; Confidential: Partners B789C Denver Engineering; Company Confidential JFS845 Boston Legal; Company Confidential SF78SD Miami HR. A user authorized for "Confidential : Partners" gets the Public and Confidential: Partners rows (OK, OK); the Company Confidential rows are withheld (Oracle9i OLS)]
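The label structure from the two slides above, as an added example using the Oracle Label Security administration packages (not code from the deck). It builds levels, a compartment and a group, labels the slide's rows, and authorizes a user whose label dominates exactly the two rows marked OK. PROJ_POL, APP.PROJECTS, PARTNER_MGR and the numeric tags are placeholders; it assumes OLS is installed and is run by a user holding LBAC_DBA (and, after step 1, the PROJ_POL_DBA role the policy creates).

```sql
-- Added example: Oracle Label Security policy for the slide's table.
-- PROJ_POL, APP.PROJECTS, PARTNER_MGR and all numeric tags are placeholders.

-- 1. The policy; PROJ_LABEL is the hidden label column it adds to tables.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'PROJ_POL',
    column_name     => 'PROJ_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');
END;
/

-- 2. Components. Levels are ordered (a higher number dominates a lower one);
--    compartments are unordered and a user must hold ALL of a row's
--    compartments; groups model the organization and may be nested.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 1000, 'PUB',   'Public');
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 2000, 'CONF',  'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 3000, 'CCONF', 'Company Confidential');
  SA_COMPONENTS.CREATE_COMPARTMENT('PROJ_POL', 10, 'PRT', 'Partners');
  SA_COMPONENTS.CREATE_GROUP('PROJ_POL', 100, 'CORP', 'Corporate');
  SA_COMPONENTS.CREATE_GROUP('PROJ_POL', 110, 'EUR',  'Europe', parent_name => 'CORP');
END;
/

-- 3. Labels, written LEVEL:COMPARTMENTS:GROUPS. Every label used for data
--    or for a user authorization is created explicitly here.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 10, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 20, 'CONF:PRT');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 30, 'CONF::EUR');     -- the first slide's "Confidential : Europe"
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 40, 'CCONF');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 50, 'CCONF:PRT:EUR'); -- loader's maximum label
END;
/

-- 4. Protect the application table (rows constructed from the slide).
CREATE TABLE app.projects (
  project VARCHAR2(10), location VARCHAR2(20), department VARCHAR2(30));
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('PROJ_POL', 'APP', 'PROJECTS');
  -- The loading account needs a write label that dominates every row label.
  SA_USER_ADMIN.SET_USER_LABELS('PROJ_POL', 'APP', max_read_label => 'CCONF:PRT:EUR');
  -- The slide's user: Confidential level, Partners compartment.
  SA_USER_ADMIN.SET_USER_LABELS('PROJ_POL', 'PARTNER_MGR', max_read_label => 'CONF:PRT');
END;
/
GRANT SELECT ON app.projects TO partner_mgr;

-- Run as APP. CHAR_TO_LABEL turns the string into the policy's label tag.
INSERT INTO app.projects (project, location, department, proj_label)
  VALUES ('AX703',  'Boston', 'Finance',     CHAR_TO_LABEL('PROJ_POL', 'PUB'));
INSERT INTO app.projects (project, location, department, proj_label)
  VALUES ('B789C',  'Denver', 'Engineering', CHAR_TO_LABEL('PROJ_POL', 'CONF:PRT'));
INSERT INTO app.projects (project, location, department, proj_label)
  VALUES ('JFS845', 'Boston', 'Legal',       CHAR_TO_LABEL('PROJ_POL', 'CCONF'));
INSERT INTO app.projects (project, location, department, proj_label)
  VALUES ('SF78SD', 'Miami',  'HR',          CHAR_TO_LABEL('PROJ_POL', 'CCONF'));
COMMIT;

-- Run as PARTNER_MGR: rows whose label the user's label does not dominate
-- (the two CCONF rows) simply do not exist for this session, with no error.
SELECT project, location, department, LABEL_TO_CHAR(proj_label) AS label
FROM   app.projects;
```

Dominance is the whole access rule: the user's level must be at least the row's level, the user's compartments must include all of the row's compartments, and where the row names groups the user must hold at least one of them. That is why the PUB row (lower level, no compartments) and the CONF:PRT row are readable while the CCONF rows, with a higher level, are not.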
Demonstration: Oracle Label Security
Fine-grained Auditing
[Diagram: a user queries "Select name, salary from emp where…"; the database enforces an audit policy on the Employee table with condition "…where salary > 500000" and AUDIT COLUMN = salary; the audit record shows "Select name, salary from emp where name = 'KING'", <timestamp>, <username>]
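The policy behind the diagram above, as an added example with DBMS_FGA (not code from the deck), including an event handler of the kind tip 11 in the Security Tips slides at the end of this deck asks for. HR.EMP, the SEC_MGR schema, the FGA_ALERTS table and the FGA_ALERT procedure are placeholders; the handler's three-argument signature is the one DBMS_FGA requires.

```sql
-- Added example: fine-grained auditing of high-salary reads with an alert handler.
-- HR.EMP, SEC_MGR, FGA_ALERTS and FGA_ALERT are placeholders.

CREATE TABLE sec_mgr.fga_alerts (
  alert_time TIMESTAMP, db_user VARCHAR2(30), os_user VARCHAR2(128),
  client_ip VARCHAR2(64), policy VARCHAR2(30), sql_text VARCHAR2(4000));

-- Handler: called by the database in the user's session once per audited
-- statement, with (schema, object, policy). It must be short and fail-safe;
-- an exception here makes the user's own statement fail. Autonomous so
-- the alert is kept even if the user's transaction rolls back.
CREATE OR REPLACE PROCEDURE sec_mgr.fga_alert (
  object_schema IN VARCHAR2, object_name IN VARCHAR2, policy_name IN VARCHAR2) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_mgr.fga_alerts (alert_time, db_user, os_user, client_ip, policy, sql_text)
  VALUES (SYSTIMESTAMP,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'OS_USER'),
          SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
          policy_name,
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));   -- statement that fired the policy
  COMMIT;
  -- A real handler would also page the security administrator
  -- (UTL_MAIL / UTL_SMTP); left out so this runs without a mail server.
END fga_alert;
/

-- Audit only SELECTs that read SALARY from a row where salary > 500000.
-- A query that never touches such a row, or never references SALARY,
-- writes nothing, which keeps the trail small and meaningful.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'HIGH_SALARY_READS',
    audit_condition => 'SALARY > 500000',
    audit_column    => 'SALARY',
    handler_schema  => 'SEC_MGR',
    handler_module  => 'FGA_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB_EXTENDED);   -- keep SQL text and bind values
END;
/

-- The slide's "audit record", read back from the data dictionary.
SELECT timestamp, db_user, os_user, userhost, sql_text, sql_bind
FROM   dba_fga_audit_trail
WHERE  policy_name = 'HIGH_SALARY_READS'
ORDER  BY timestamp;
```

DB_EXTENDED matters for the slide's claim that the record shows the exact statement: with plain DB the SQL text and binds are not captured, so "where name = 'KING'" would be lost.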
The Expert View
"…Companies that properly maintain the security of their systems will eliminate 90 percent of all potential exploits. Companies that fail to take these precautions should prepare for breaches at an increasing rate."
- Giga Information
Stored Data Encryption
– DBMS_OBFUSCATION_TOOLKIT (9i)
– DBMS_CRYPTO (10g)
[Table in an Oracle9i database: First / Last / Store Id / Credit Card: Diana Roberts 100 (ciphertext); Paul Nelson 200 (ciphertext); Julia Patterson 100 (ciphertext); Steven Drake 300 (ciphertext)]
Supported algorithms
– AES (128, 192 and 256 bit keys)
– RC4 (40, 56, 128, 256 bit keys)
– 3DES (2 key and 3 key)
– Hash functions: MD5, SHA1
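Column encryption of the slide's credit-card field with DBMS_CRYPTO, as an added example that is not code from the deck. Of the algorithms listed above it uses only AES-256 (RC4, 3DES and MD5 should not be chosen for new work today), and it shows the check a practitioner wants: a keyed lookup value instead of a bare SHA1/MD5 of the card number. SEC_MGR.CARD_CRYPTO, APP.CUSTOMERS and the two key constants are placeholders; the keys are constructed demo values and the card number is the standard test PAN.

```sql
-- Added example: column encryption with DBMS_CRYPTO (10g).
-- SEC_MGR needs EXECUTE on DBMS_CRYPTO. Package, table and keys are placeholders.
CREATE OR REPLACE PACKAGE sec_mgr.card_crypto AS
  FUNCTION encrypt_pan    (p_pan  IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_pan    (p_blob IN RAW)      RETURN VARCHAR2;
  FUNCTION pan_lookup_key (p_pan  IN VARCHAR2) RETURN RAW;
END card_crypto;
/
CREATE OR REPLACE PACKAGE BODY sec_mgr.card_crypto AS
  -- AES-256, CBC mode, PKCS#5 padding, fresh random IV per value so that
  -- two customers with the same card number get different ciphertext.
  c_cipher CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                 + DBMS_CRYPTO.CHAIN_CBC
                                 + DBMS_CRYPTO.PAD_PKCS5;
  c_iv_len CONSTANT PLS_INTEGER := 16;

  -- Assumption: in production both keys come from a wallet, an HSM, or a
  -- schema the data owner cannot read. Constructed demo values only;
  -- a key that lives in the package source protects nothing.
  FUNCTION data_key RETURN RAW IS
  BEGIN
    RETURN HEXTORAW('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F');
  END data_key;
  FUNCTION lookup_key RETURN RAW IS
  BEGIN
    RETURN HEXTORAW('F0E1D2C3B4A5968778695A4B3C2D1E0F0F1E2D3C4B5A69788796A5B4C3D2E1F0');
  END lookup_key;

  FUNCTION encrypt_pan (p_pan IN VARCHAR2) RETURN RAW IS
    v_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(c_iv_len);
  BEGIN
    -- Stored layout: IV || ciphertext.
    RETURN UTL_RAW.CONCAT(v_iv,
             DBMS_CRYPTO.ENCRYPT(src => UTL_I18N.STRING_TO_RAW(p_pan, 'AL32UTF8'),
                                 typ => c_cipher, key => data_key, iv => v_iv));
  END encrypt_pan;

  FUNCTION decrypt_pan (p_blob IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => UTL_RAW.SUBSTR(p_blob, c_iv_len + 1),
                                 typ => c_cipher, key => data_key,
                                 iv  => UTL_RAW.SUBSTR(p_blob, 1, c_iv_len)),
             'AL32UTF8');
  END decrypt_pan;

  -- Equality lookup ("find this card") without decrypting every row.
  -- A keyed HMAC, not plain SHA1/MD5: card numbers have so little entropy
  -- that an unkeyed hash can be inverted by enumerating candidates.
  FUNCTION pan_lookup_key (p_pan IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.MAC(src => UTL_I18N.STRING_TO_RAW(p_pan, 'AL32UTF8'),
                           typ => DBMS_CRYPTO.HMAC_SH1, key => lookup_key);
  END pan_lookup_key;
END card_crypto;
/

-- The slide's table, with the card number held only in encrypted form
-- plus its HMAC for lookups. 16 IV bytes + 32 bytes of padded ciphertext.
CREATE TABLE app.customers (
  first_name VARCHAR2(30), last_name VARCHAR2(30), store_id NUMBER,
  card_enc RAW(64), card_hmac RAW(20));
INSERT INTO app.customers VALUES ('Diana', 'Roberts', 100,
  sec_mgr.card_crypto.encrypt_pan('4111111111111111'),       -- constructed test PAN
  sec_mgr.card_crypto.pan_lookup_key('4111111111111111'));
COMMIT;
SELECT first_name, last_name, sec_mgr.card_crypto.decrypt_pan(card_enc) AS card
FROM   app.customers
WHERE  card_hmac = sec_mgr.card_crypto.pan_lookup_key('4111111111111111');
```

Keep the decrypt function out of the application's grant list wherever only the lookup is needed; the whole value of column encryption is lost once every session that can read the table can also call decrypt.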
Demonstration: Data Encryption
Advanced Security Option
Encryption for data in motion
– RSA RC4 (symmetric stream cipher) encryption
– 40, 56 and 128 bit key lengths
– Support for the Data Encryption Standard (DES) algorithm
– Support for the Message Digest 5 (MD5) checksumming algorithm
Authentication device support
– RADIUS
– Token cards (SecurID for example)
– Biometric devices
Secure Sockets Layer
– With X.509v3 certificate support
Support for the Open Software Foundation's Distributed Computing Environment (DCE)
Threats to Networks and the Internet
1. Data theft – eavesdroppers can see all data
2. Data modification or replay – $500 becomes $50,000
3. Data disruption – packets can be stolen; data never arrives
Demonstration: Network Encryption
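How to verify, from inside a session, that the Advanced Security network encryption described above was actually negotiated, as an added example that is not from the deck. It assumes a 10g server whose sqlnet.ora sets SQLNET.ENCRYPTION_SERVER = REQUIRED, SQLNET.ENCRYPTION_TYPES_SERVER = (AES256), SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED and SQLNET.CRYPTO_CHECKSUM_TYPES_S ERVER = (SHA1); 10g ASO negotiates AES as well as the RC4/DES listed on the slide, and REQUIRED (rather than ACCEPTED or REQUESTED) is what stops an unconfigured client from silently falling back to clear text. SEC_MGR, the function and the trigger are placeholders, and the banner wording the function matches on is an assumption about how 9i/10g Net services print it.

```sql
-- Added example: confirm a session is encrypted and integrity-checked.
-- Assumed server sqlnet.ora (constructed for this example):
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

-- V$SESSION_CONNECT_INFO has one row per banner line for each session; the
-- lines name the adapters that were negotiated. SEC_MGR needs a direct
-- GRANT SELECT ON v_$session_connect_info for the function to compile.
CREATE OR REPLACE FUNCTION sec_mgr.session_protection RETURN VARCHAR2 AS
  v_enc PLS_INTEGER;
  v_int PLS_INTEGER;
BEGIN
  -- Assumption: banner text contains these phrases when the service is active.
  SELECT COUNT(*) INTO v_enc
  FROM   v$session_connect_info
  WHERE  sid = SYS_CONTEXT('USERENV', 'SID')
  AND    network_service_banner LIKE '%Encryption service adapter%';
  SELECT COUNT(*) INTO v_int
  FROM   v$session_connect_info
  WHERE  sid = SYS_CONTEXT('USERENV', 'SID')
  AND    network_service_banner LIKE '%Crypto-checksumming service adapter%';
  RETURN CASE
           WHEN v_enc > 0 AND v_int > 0 THEN 'ENCRYPTED+INTEGRITY'
           WHEN v_enc > 0               THEN 'ENCRYPTED'
           ELSE                              'CLEAR'
         END;
END session_protection;
/

-- Spot check for the current session, and the raw banners behind it.
SELECT sec_mgr.session_protection() AS protection FROM dual;
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');

-- Defense in depth: refuse TCP sessions that arrive in clear text even if
-- someone later loosens sqlnet.ora. Local bequeath/IPC sessions carry no
-- network adapter banner and are let through.
CREATE OR REPLACE TRIGGER sec_mgr.require_net_encryption
AFTER LOGON ON DATABASE
BEGIN
  IF UPPER(SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL')) = 'TCP'
     AND sec_mgr.session_protection() = 'CLEAR' THEN
    RAISE_APPLICATION_ERROR(-20010, 'Unencrypted network sessions are not permitted');
  END IF;
END;
/
```

Two cautions before enabling the trigger: a logon trigger that raises an error blocks every user except those holding ADMINISTER DATABASE TRIGGER (SYS included), so test the function's banner match on your release first; and the trigger is a backstop for detection and policy, not a substitute for REQUIRED in sqlnet.ora, because the clear-text handshake has already happened by the time it fires.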
Oblix: Brief Overview and Roadmap
Oblix: Pure-Play Product Leader
– Gartner: "Leader" in Access Management
– Loosely Coupled: "Leader" in Web Services Management
[Gartner Magic Quadrant graphic (axis shown: Ability to Execute). Source: Gartner Research (June 2004)]
Oblix COREid
COREid Access
– Web Single Sign-On
– Flexible authentication methods
– Policy-based authorization
COREid Provisioning
– Template-based workflow
– Agent and agentless account provisioning
– Metadirectory synchronization
– Password synchronization
– Cross-platform connectivity
COREid Reporting
– Centralized auditing
– Pre-built identity and security reports
– Global view of user access
– Robust logging framework
COREid Integration
– Pre-built connectors to leading application servers, web servers, portal servers, and directory servers
– "Data Anywhere" configuration
Benefits
Increased Security
– Integrated solution
– Define and enforce security, administrative, and access control policies consistently across enterprise applications
Increased Compliance
– Audit events across the entire enterprise
– Who has access to which applications
– Access control managed per attribute
– Meet Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley compliance
Increased Governance
– Centralized policy definition with localized enforcement
COREid Identity
– User, group, and organization management
– Delegated administration
– Self service and self registration
– Unified workflow
– Identity web services controls
– Password management
Oracle / Oblix IdM Integration Roadmap
[Diagram, current portfolios: Oracle Identity Management 10g / 10.1.3 (Delegated Admin Service, Meta Directory (DIP), Directory (OID), Certificate Authority / PKI (OCA), OracleAS SSO, Provisioning Integration (DIP), Federation (Liberty / SAML 2.0), Web Authorization, Virtual Directory, Provisioning connectors, Identity Grid Control) alongside Oblix (COREid Access, COREid Provisioning, COREid Identity, COREsv Web Services Management, SHAREid Identity Federation)]
[Diagram, integrated portfolio: Access Control, Directory (OID), Identity Provisioning, Meta-Directory, Certificate Authority, SSO, WS Management Gateway, Virtual Directory, ID Grid Control, Auditing & Reporting, delivered as Oracle Identity Management plus an OracleAS Option]
[Diagram, immediate availability: Oracle Identity Management (Directory (OID), Delegated Admin Service, Provisioning Integration, Certificate Authority, Oracle AS SSO) and Oracle-Oblix IdM as an OracleAS Option (COREid Identity & Access, COREid Provisioning, COREid Federation, WS Management (COREsv))]
IdM – What does Oracle offer today?
[Capability matrix: Identity Integration (Yes), Directory, Virtual Directory, Meta-Directory, Identity & Access Mgmt, PKI Certificate Services, Password Management, Web Authorizations, Identity Federation, Security Monitoring & Audit Services, Privacy & Compliance Management, SSO, Delegated Admin, Policy Based Access Ctrl, Role Based Access Ctrl, Non-web & 3rd party SSO, Enterprise Provisioning Automation; each rated Oracle - Full Functionality, Oracle - Limited Functionality, Planned Functionality, or Partner Offering. The per-capability ratings were graphical and are not recoverable from the text]
Current offering with Oblix today
[The same capability matrix, re-rated with the Oblix products included; ratings not recoverable from the text]
Thursday, August 11, 2005, 8:00 am - 11:00 am (Breakfast & Registration at 8:00am)
Oracle Office - Cincinnati, 312 Elm Street, Suite 1525, Cincinnati, OH 45202
• Oracle COREid Access & Identity
• Oracle COREid Federation
• Oracle COREid Provisioning
• Oracle Single Sign On / Oracle Internet Directory
• Oracle Application Server, Enterprise Edition
• Oracle Web Services Manager
http://www.oracle.com/webapps/events/EventsDetail.jsp?p_eventId=42000&src=3830746&src=3830746&Act=41
Questions & Answers
Additional Slides
Security Tips 101
"Oracle Security Step-by-step" – by Pete Finnigan – SANS Press
Keep up with security patches!
– Security alerts from the Oracle Technology Network site
– Security Issues website
Check your file system privileges
– If on Windows, use NTFS, not FAT or FAT32
– Prevent seeing passwords with the UNIX "ps" command – Note 136480.1 or 1009091.6
– Check privileges on export files in the OS
– If a full export is done to populate a test database, immediately change all passwords
No database user except SYS should have:
– ALTER SYSTEM
– ALTER SESSION
Change default passwords:
– List of default users and passwords
– Where to get this list
– SYS should not be "CHANGE_ON_INSTALL"!!!! SYSTEM should not be "MANAGER"!!!!
– Check scripts in the file system that have embedded passwords!
Make sure REMOTE_OS_AUTHENT = FALSE – (TRUE lets a remote client log in as an OS-authenticated user without a password)
REMOTE_OS_ROLES = FALSE also
Check for all users with the DBA role
Check for users or roles with an "ANY" privilege
– UPDATE ANY TABLE
– DROP ANY TABLE
Revoke the RESOURCE role from normal users
No users or roles should have access to:
– dba_users
– sys.link$
– sys.user$
– sys.user_history$
These hold password hashes, and sys.link$ (in 9i and 10g Release 1) holds database-link passwords in clear text!
Make sure your listener has a password
Use "current user" database links if possible – "CONNECT TO CURRENT_USER"
Check database links from Test, Dev and QA instances. Remove any that are not absolutely necessary
Avoid plain text passwords in batch files. Use an encryption utility
Avoid external accounts for batch processes
Use the Oracle Security Checklists:
– 9i R2 Security Checklist
– 9iAS Security Checklist
Or use third party utilities to check your security; Oracle Enterprise Manager 10g includes security checking
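The checks from the Security Tips slides above, as an added script that is not from the deck or from the SANS booklet, runnable as SYS or a user with SELECT ANY DICTIONARY on 9i/10g (where DBA_USERS still exposes the password hash). The list of Oracle-supplied accounts and roles excluded from the findings is a starting point, not a complete one; the two hashes are the well-known values for SYS/CHANGE_ON_INSTALL and SYSTEM/MANAGER.

```sql
-- Added example: the Security Tips checks as queries. Run as SYS on 9i/10g.
-- Every query returns only findings, so an empty result is the goal.

-- Default passwords still set on SYS and SYSTEM (hashes for the two defaults).
SELECT username, 'DEFAULT PASSWORD' AS finding
FROM   dba_users
WHERE  (username = 'SYS'    AND password = 'D4C5016086B2DC6A')    -- CHANGE_ON_INSTALL
OR     (username = 'SYSTEM' AND password = 'D4DF7931AB130E37');   -- MANAGER

-- Remote OS authentication / roles must be FALSE.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'remote_os_roles', 'o7_dictionary_accessibility')
AND    UPPER(value) <> 'FALSE';

-- Holders of the DBA role, of any "... ANY ..." privilege, and of
-- ALTER SYSTEM / ALTER SESSION. Exclusion list is an assumption to extend.
SELECT grantee, granted_role AS privilege
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  (privilege LIKE '% ANY %' OR privilege IN ('ALTER SYSTEM', 'ALTER SESSION'))
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE',
                       'OEM_MONITOR', 'OLAP_DBA', 'WMSYS', 'MDSYS', 'CTXSYS', 'DBSNMP',
                       'OUTLN', 'SCHEDULER_ADMIN', 'SELECT_CATALOG_ROLE');

-- RESOURCE granted to ordinary users (it carries UNLIMITED TABLESPACE).
SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'RESOURCE'
AND    grantee NOT IN ('SYS', 'SYSTEM');

-- Direct grants on the objects that hold password material.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('USER$', 'LINK$', 'USER_HISTORY$', 'DBA_USERS')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'SELECT_CATALOG_ROLE');

-- Fixed-user database links (stored credentials). CURRENT_USER links
-- show a NULL username and are the preferred form.
SELECT owner, db_link, username, host
FROM   dba_db_links
WHERE  username IS NOT NULL;

-- Externally (OS) authenticated accounts, which batch jobs should not use.
SELECT username, account_status
FROM   dba_users
WHERE  password = 'EXTERNAL';
```

Schedule it and diff the output against the previous run; a new row in any of these result sets is the kind of change the "detecting security breaches" agenda item is about.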
1. Only two highly trusted DBAs have SYS privileges
2. All other DBAs log in using unique user IDs, and those IDs are granted ONLY the privileges needed to do their job
3. Partition responsibilities as much as possible between the DBAs
4. Security administration, not the DBAs, has the ability to grant or change access privileges
5. Employ strong password policies
6. Audit ALL activities the DBAs do
7. Audit ALL activities the two trusted DBAs do, both in their regular login and when connected as SYS (9iR2 and higher)
8. Audit logs are locked out of the DBAs' reach and are monitored and reviewed by security administration, possibly stored on a separate system
9. Replicate the logs to help identify if a log has been tampered with
10. Audit ALL DML on the audit logs
11. Set up fine grained auditing alerts on key information when there is attempted access by unauthorized persons. These alerts are sent to the security administrator.
12. If offshore DBA services are employed, track everything they do very closely and restrict what they can see or do
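The auditing side of tips 6 to 10 above, as an added example of the statements a security administrator would run (not from the deck). DBA_ALICE and DBA_BOB stand for the two trusted DBAs, SECADMIN for security administration, and the off-box archive link is an assumption.

```sql
-- Added example: standard auditing for the DBA controls in tips 6-10.
-- DBA_ALICE, DBA_BOB, SECADMIN, AUDIT_READER and SECLOG are placeholders.

-- Tip 7: record what anyone connected AS SYSDBA does. These records go to
-- the OS audit trail (AUDIT_FILE_DEST), not to SYS.AUD$, so a DBA cannot
-- delete them from inside the database. Both settings need a restart.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- Tip 6: everything the DBAs do in their ordinary sessions, one record per
-- statement (BY ACCESS) rather than one per session.
AUDIT ALL BY dba_alice, dba_bob BY ACCESS;
AUDIT ALL PRIVILEGES BY dba_alice, dba_bob BY ACCESS;

-- Tip 10: DML against the audit trail itself.
AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;

-- Tip 8: security administration reads the trail through the DBA_ views;
-- nobody but SYS gets direct DML on SYS.AUD$.
CREATE ROLE audit_reader;
GRANT SELECT ON sys.dba_audit_trail     TO audit_reader;
GRANT SELECT ON sys.dba_fga_audit_trail TO audit_reader;
GRANT audit_reader TO secadmin;

-- Tip 9: copy records off-box so that tampering with SYS.AUD$ shows up as
-- a gap. Assumption: AUDIT_ARCHIVE@SECLOG is a table on a separate system
-- that this account can only INSERT into.
-- INSERT INTO audit_archive@seclog
--   SELECT * FROM sys.dba_audit_trail WHERE timestamp > :last_copied;

-- What SECADMIN reviews: privilege and account changes by anyone other
-- than the two trusted DBAs (tip 4), newest first.
SELECT timestamp, username, os_username, userhost, action_name, obj_name, returncode
FROM   sys.dba_audit_trail
WHERE  username NOT IN ('DBA_ALICE', 'DBA_BOB')
AND    action_name IN ('SYSTEM GRANT', 'GRANT ROLE', 'GRANT OBJECT',
                       'CREATE USER', 'ALTER USER', 'DROP USER', 'ALTER SYSTEM')
ORDER  BY timestamp DESC;
```

RETURNCODE is worth keeping in the review query: a non-zero value is a failed attempt, and a run of failures against CREATE USER or GRANT from an account that should never issue them is exactly the signal tip 11 wants raised as an alert.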