Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Oracle Security Inside Out: Identity & Access Management Overview
Maurice Luizink ([email protected]), Principal Solution Architect IDM

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Accelerated Pace of Change: Rapidly Evolving Opportunities in Business and Society
• 80% of user access will be mobile by 2020
• 44% of organizations plan to social-enable applications
• Cloud computing will become the bulk of new IT spend by 2016
• There will be 26 billion connected devices by 2020

Accelerated Application Proliferation: Unique Identity Requirements for Each Platform
• Mobile Apps
• Cloud Apps
• Enterprise Apps

Challenges of the New Digital Economy
Enabling Users and Maintaining Access Controls – Identity Governance
• More applications to onboard and manage
• Outdated Request & Fulfillment processes
• Limited visibility across Enterprise, Mobile & Cloud applications
• Manual access certification processes
• Delays revoking unauthorized access

Requirements for the New Digital Economy
Unified Identity Governance
• Business Friendly Access Request & Approval Interfaces
• Scalable & Flexible Access Certification
• Automated Provisioning & Closed Loop Remediation
• Management of standard and privileged user accounts
• Common Connector Framework

Securing Access to Apps & Data
[Portfolio diagram]
• Identity Management: Mobile Security, Identity Governance, Directory Services, Access Management
• Database Security: Encryption & Redaction, Privileged User Control, Key Management, Activity Monitoring, Configuration Management, Database Firewall

Oracle Identity Management
• Mobile Security
  – Mobile Application Management
  – Mobile Device Management
  – Mobile Access Management
  – API Security
  – Mobile Authenticator
• Identity Governance
  – Access Request
  – Access Governance
  – Automated Provisioning
  – Privileged Account Management
• Access Management
  – Authentication
  – Authorization
  – Audit
  – Federation
• Directory Services
  – Enterprise Directory
  – Cloud/Mobile App Directory
  – Virtual Directory

Oracle Identity Management 11gR2 PS3 – Highlights
• Mobile Security
  – Supports corporate-owned devices using Mobile Device Management (MDM)
  – Integrates with existing Identity Management solutions for simplified operations and tighter security
• Identity Governance
  – Converged role management, SoD, and closed-loop remediation
  – Windows session recording for privileged accounts
  – Simplified and intelligent self-service and access request
• Other Key Improvements
  – Continued suite simplification via automated patching and upgrades
  – Mobile Authenticator enhanced to allow PIN-less 2-factor authentication
  – Convergence of virtualization into Oracle Unified Directory (OUD)

Oracle Mobile Security: Secure Corp Data. Optimize User Experience
• Mobile App Management
• Strong authentication
• Security for native apps
• Integrated authentication and access
• BYOD with corporate policies

Oracle's Mobile Security Strategy: Comprehensive Enterprise Mobility Management
• Secure Device & Data: Secure Container, Application Management, Device Management, Content Management
• Simplify User Experience: Web and Native App SSO, Enterprise App Store, Productivity Apps, Unified Self-Service Console
• Restore Control: Governance & Compliance, Strong Authentication, API Security, Unified Delegated Admin Console

Unified Mobile Security Features
• Manage corporate data, not devices
• MDM is not a pre-requisite for BYOD
• Secure Communication Channel obviates VPN
• Re-use & extend corporate Identity, users, roles, policies
• ISV friendly, no recoding and redeployment of apps
• Higher security, no cached credentials

Oracle Mobile Security Suite: Secure Corp Data. Optimize User Experience
• Mobile Identity
• App Isolation
• App Management
• Secure Access
• MDM
• Containerized apps

Oracle Mobile Security Suite 11gR2 PS3 – New Features
• Mobile Device Management
• Integrated Administration & Self-Service with OAM & OIM
• Risk Based Step-up authentication
• Support for Android 5 incl. secure storage using NDK API
• Support for kiosk mode
• Support for additional LDAP directories

Oracle Secure Mobility: Secure BOTH consumer and containerized apps
[Architecture diagram: Corporate DMZ and Corporate Network]
• Protocols from mobile apps: HTTP/REST/SOAP/OAUTH
• SOAP/REST and Legacy Web Services
• Oracle Mobile Access Server
• Oracle API Gateway
• Corporate Resources
• Oracle IDM Stack: Oracle Mobile Security Manager, Oracle Identity Governance, Oracle Access Management, Unified Registry

API Management and Security: Secure mobile access to corporate information
• Extend Access Management to REST APIs
• Context aware
• Authentication
• Authorization
• Fraud detection
• Security tokens
• Data redaction
• Audit
[Diagram: Oracle Access Management with API Gateway capabilities]
• Transformation
• API Control & Governance
• API Management & Monitoring
• Threat Protection
• Secure REST APIs
• OAuth 2.0 Client & Server
• Client Throttling
• Native JSON & XML Processing (<XML>, {"JSON"})
• API Key Management

Fine grained authorization for Mobile Apps Exposing Secure APIs
Customer Service REST API:
  /customer/get
  /customer/update
  /customer/delete

Request from the mobile app:
  "User": Bob Doe
  "Org": Acme Corp
  "Grade": Marketing Manager
  "Customer":
    "ID": 12345

Authorization check: the API Gateway acts as Policy Enforcement Point (PEP) and asks the Entitlements Server (the Policy Decision Point, PDP):
  isAuthorized(user = Bob Doe, userOrg = Acme Corp, userRole = Marketing Manager, resource = Customer Service, action = /customer/get, customerID = 12345)

The same check for a different customer record:
  isAuthorized(user = Bob Doe, userOrg = Acme Corp, userRole = Marketing Manager, resource = Customer Service, action = /customer/get, customerID = 99999)

Response from the Customer Service REST API (unredacted):
  "Customer":
    "ID": 99999
    "Name": Sally Smith
    "Phone": 01323 232125
    "NI": AB 12 34 56 B
    "CreditCard": 1122 3344 5566
    "Purchase History": …

Response after the API Gateway (PEP) applies the Entitlements Server (PDP) decision for customerID = 99999, with sensitive fields redacted:
  "Customer":
    "ID": 99999
    "Name": Sally Smith
    "Phone": 01323 232125
    "NI": @^*%&@$#%!
    "CreditCard": **** **** 5566
    "Purchase History": …
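
The PEP/PDP exchange on these slides, worked through as an added example that is not Oracle's code and not part of the original deck: an API-gateway style enforcement point in front of the Customer Service REST API delegates every decision to an attribute-based decision point and then applies the decision's redaction obligations to the backend response. The rule set (including the extra "Customer Service Agent" rule), the sample record, the "[REDACTED]" marker and all function names (`is_authorized`, `enforce`, `apply_obligations`) are constructed for this illustration; modelling "redact NI, mask the card number" as obligations attached to a Permit is one common way to express what the slides show, not the product's own mechanism.

```python
"""Added illustration, not Oracle's code: an API-gateway style policy enforcement
point (PEP) for the Customer Service REST API, delegating every decision to an
attribute-based policy decision point (PDP) and applying the PDP's redaction
obligations to the backend response. Rules, sample data and names are constructed."""
from copy import deepcopy
from dataclasses import dataclass, field

# Constructed backend data, standing in for the Customer Service REST API.
CUSTOMERS = {
    99999: {
        "ID": 99999,
        "Name": "Sally Smith",
        "Phone": "01323 232125",
        "NI": "AB 12 34 56 B",
        "CreditCard": "1122 3344 5566",
        "Purchase History": ["..."],
    },
}

REDACTED = "[REDACTED]"  # constructed marker for a blanked-out attribute


@dataclass(frozen=True)
class Decision:
    """PDP answer: Permit/Deny plus the obligations the PEP must honour on Permit."""
    permit: bool
    redact: frozenset = field(default_factory=frozenset)  # attributes to blank out
    mask: frozenset = field(default_factory=frozenset)    # attributes to partially mask


def is_authorized(user, user_org, user_role, resource, action, customer_id):
    """Hypothetical PDP: attribute-based rules evaluated in order, default Deny.

    customer_id is carried so that record-level rules (for example an
    account-owner restriction) can be expressed; the constructed rules below do not need it.
    """
    if resource != "Customer Service" or user_org != "Acme Corp":
        return Decision(False)
    # Rule 1: a Marketing Manager may read any record, but only with the national
    # insurance number removed and the card number masked (the behaviour the slides show).
    if user_role == "Marketing Manager" and action == "/customer/get":
        return Decision(True, redact=frozenset({"NI"}), mask=frozenset({"CreditCard"}))
    # Rule 2 (constructed): a Customer Service Agent may read and update, unredacted.
    if user_role == "Customer Service Agent" and action in ("/customer/get", "/customer/update"):
        return Decision(True)
    # No rule matched (this includes /customer/delete for both roles): Deny.
    return Decision(False)


def mask_all_but_last_group(value):
    """'1122 3344 5566' -> '**** **** 5566'; a value without spaces keeps only its last 4 chars."""
    groups = value.split()
    if len(groups) == 1:
        return "*" * max(len(value) - 4, 0) + value[-4:]
    return " ".join(["*" * len(g) for g in groups[:-1]] + groups[-1:])


def apply_obligations(record, decision):
    """Return a copy of the record with the PDP's redaction and masking obligations applied."""
    out = deepcopy(record)
    for attr in decision.redact:
        if attr in out:
            out[attr] = REDACTED
    for attr in decision.mask:
        if attr in out:
            out[attr] = mask_all_but_last_group(out[attr])
    return out


def enforce(user, user_org, user_role, action, customer_id, payload=None):
    """PEP: consult the PDP before touching the backend, then filter the response.

    Returns an (HTTP status, body) pair. On Deny the backend is never called, so a
    denied caller does not even learn whether the customer ID exists.
    """
    decision = is_authorized(user, user_org, user_role, "Customer Service", action, customer_id)
    if not decision.permit:
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, {"error": "not found"}
    if action == "/customer/delete":
        del CUSTOMERS[customer_id]
        return 204, {}
    if action == "/customer/update":
        record.update(payload or {})
    # /customer/get, or the updated record echoed back: obligations apply to every response body
    return 200, {"Customer": apply_obligations(record, decision)}


if __name__ == "__main__":
    # Bob Doe, Marketing Manager at Acme Corp, reads customer 99999 (the slides' request).
    print(enforce("Bob Doe", "Acme Corp", "Marketing Manager", "/customer/get", 99999))
    print(enforce("Bob Doe", "Acme Corp", "Marketing Manager", "/customer/delete", 99999))
```

The point to notice is where the decision is made versus enforced: the PDP only answers Permit/Deny with obligations, and the gateway is the single place that both blocks the call before the backend is reached and rewrites the response afterwards, so the backend service itself never has to know who the caller is.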

Oracle Identity Governance: Unified Approach to Complete Identity Governance
• Identity Administration
• Access Provisioning
• Role Life Cycle Management
• Access Request Management
• Access Certification
• Identity Audit / SoD
• Audit and Reporting
• Connector Framework
• Privileged Account Management

Oracle Identity Governance: Translating Business Needs to Repeatable Processes
• Business-Friendly Request Catalog
• Streamlined Business Process for Approvals
• Intelligent and Flexible Certification
• Scalable and Rapid Fulfillment
• Modular and Pluggable Architecture
• Privileged Access and Audit

Key focus areas for PS3: Simplified Identity Governance
• Clean UI with a Cloud look and feel, with faster performance
• End-users get easy access to business functions without requiring customization
• Collaborative certification process
• Intelligent Access Catalog

Oracle Identity Governance 11gR2 PS3 – New Features
• Business Friendly Interfaces & Intelligent Catalog
• Comprehensive Role Management & Continuous Compliance
• SoD Detection & Closed Loop Remediation
• Identity Services for Mobile & Extranet (REST API – SCIM 2.0)
• Enhanced Privileged Access
• Enhanced Auditing (synchronous)
• Temporal grants for new and existing access

Identity Administration (Oracle Solution)
• Self Service
  – Self Registration, Self profile management
  – Self Password management – Reset/Forgot Password, Challenge Questions
• User Management
  – User Life Cycle Management, Delegated Administration, Proxy User
  – Configurable policies for User Name and Password generation
• Password Policy
  – Global
  – Organization Scoped
• Support for REST, SPML and Remote APIs
• Orchestration engine for extensibility – Plug-in and Event Handlers

Access Provisioning (Oracle Solution)
• Provisioning framework and data model for modeling target applications
• Role Based Access Controls
• Identity Connectors
• Reconciliation
• Disconnected Application Framework

Access Provisioning: Identity Connectors
• Common Connectors for all Governance needs
• Supports multiple target versions and multiple instances of a target simultaneously
• Flexible deployment options – local and remote deployment
• Extensible – Administrators can extend the capabilities without coding
• Connector for Web Services
[Diagram: Identity Connector Framework]
• Provisioning Engine, driven by Access Request, Access Certification, Privileged Access and SoD Evaluation
• Identity Connectors to Cloud Applications, Enterprise Applications, Directories, Databases, Custom Applications and Mainframes

Role Life Cycle Management (Oracle Solution)
• Control and provide information for activities, such as:
  – Creation of roles
  – Modification of role attributes
  – Modification of role members
  – Deletion of roles
• Business users can request creation of new roles and changes to existing ones
• Role requests can leverage the same request and approval framework available for Access Requests and Certification
• Role owners can see comprehensive auditing and prior versions

Role Life Cycle Management: Comprehensive management functionality
• Comprehensive role analytics allow business users to see the impact of new roles and changes to existing ones
• Role owners can reduce role explosion by reviewing the effectiveness of the roles and consolidating new roles with existing ones
• Business users can create roles using "model users"

Access Request Management: Intelligent Access Catalog
• Access Catalog provides the ability to browse and search
• Smart search forms allow users to navigate the Catalog in a guided manner
• Catalog search results indicate relevance
• Access Catalog can recommend access based on pre-defined and user-defined criteria
• Support for Start/End Dates for Access Grants
• Preventative SoD Analysis

Access Request Management: Simplified yet granular security
• Administrators can define custom security roles to control who can do what at an attribute level
• Users can be assigned security roles via rules, reducing administration burden
• User actions and the context that they used to perform the action are audited
• SOA based approval workflow

Access Certification (Oracle Solution)
• Configurable risk definition and periodic risk aggregation
• Four Types of Identity Certification (User, Role, App Instance, Entitlement)
• Schedule, monitor, delegate and audit certifications
• Online and offline user certification
• Multi Phased Review
• Closed-loop remediation
• Generate user/application certifications
• Generate certification reports
[Screenshot: Access Certification – JDOE, Accounts Payable; JDOE, Accounts Receivable]

Identity Audit / Segregation of Duties (Oracle Solution)
• SoD Rule and Policy Definition
  – Define rules across users, applications, roles and entitlements
• Detective SoD Analysis
  – Detective Policy Enforcement – Closed Loop Remediation
• Access History to audit all violations and decisions
• Review High Risk policy violations in Certifications
• Preventative SoD Analysis
  – Enforce SoD policies during access requests
  – Review policy violations during approvals and launch exception workflows

Audit and Reporting (Identity Audit / Segregation of Duties)
[Diagram: Oracle Identity Manager conducts Identity Management while saving/auditing information to its Database (Metadata, Audit/Compliance); BI Publisher reads the Oracle Identity Manager database to provide Identity Management reports]
– Embedded BIP, no separate BIP infrastructure required
– New Lightweight Audit Engine
– Supports new entities and processes

Reports and Dashboards (Identity Audit / Segregation of Duties)
• Actionable dashboards for risk analysis and compliance
• 80+ OOTB reports providing a 360 deg. view of users' access
• Flexible deployment options, including the ability to schedule report runs
• Publicly available schema

Oracle Privileged Account Management: Control access to high privileged accounts
• Managed targets
  – Unix/Linux
  – Windows Local Account
  – HyperVisor and Network Devices
  – SAP
  – Scripted Connector (SSH) to speed up integration with network devices
• Session Management control policies
• Windows (DVR-like) session recording

Oracle Access Management: Unified Approach to Complete Authentication, Authorization and Audit
• Web Access Management
• Federated & Social SSO
• Mobile Access Management
• Cloud Access Management
• Authorization Management
• Fraud Prevention
• Strong Authentication

Unified Access Management: Key Solution Requirements
• Seamless Multi-Channel Access
• Access Any Application, From Any Device, Anywhere
• Scalable for today's Internet Needs
• Standards Based Modular Architecture
• Integrated Risk, Fraud & Strong Authentication
• Increase Agility with External Security Policies

Oracle Access Manager: Simplified, Converged, Complete Access Solution
• Single platform to secure on-premise, Cloud, and mobile access
• Support seamless multi-channel access with modern user experience
• Fully Converged Federation Solution
• Intelligent Context Aware Authentication
  – Native OTP via: SMS, Email, Mobile
  – Step Up based on post-auth rule or auth level
• Seamlessly integrate with Oracle and third-party enterprise applications

Oracle Access Manager: Cloud Access Portal
• Deliver User Single Sign-on To Cloud Apps From Launchpad Portal
• Provide Seamless Access From Smart Phone, Tablet and PC
• Support For Federated and Unfederated Apps
• Swiftly Remove Unauthorized Access

Oracle Access Manager: Oracle Mobile Authenticator
• Push notification and one-button verification
• Support for multiple account registration
• Custom Branding (modify the app name, font, icons, etc.)
• Integrated into Access Management
• Client app downloaded from corporate app store

Oracle Access Manager: Integrated Support for OAuth
• Enable User To Authorize 3rd Party Apps to Access and Leverage User Data
• Avoid storing identity data in unnecessary locations
• Provide support for both server and client, 2- and 3-legged, profile services
• Connect support with enterprise identity management systems

Oracle Directory Services: Scalable, Secure and Performant
• Identity Repository
• Naming Services
• Host Access Control
• Virtual Directory

Unified Directory Services: Oracle Differentiators
• Published performance benchmarks
• Optimized for Cloud and Mobile
• Integrated virtualization
• Support for antiquated Identity stores
• Identity Isolation from transactional data
• Internet Scale for billion Identities

OUD – The All in One Directory
[Diagram: OUD provides Storage, Virtualization and Synchronization; it serves Cloud Apps, Enterprise Apps, Mobile Apps, Databases and Servers; back-end sources include HR DB, DSEE and Active Directory]
• Storage, virtualization and Sync
• High performance
• Extreme scalability
• REST support

Licensing Identity & Access Management Solutions
• Models
  – Employee and Non-Employee
  – CPU and NUP
• Identity & Access Management Licensing Guide
  – http://docs.oracle.com/cd/E55108_01/doc.1213/e56762/toc.htm
• Products and Suites
  – API Gateway
  – Entitlements Server Security Module
  – Identity Manager Connectors

Licensing Identity & Access Management Solutions
• Suites
  – Identity & Access Management Suite Plus
    • Identity Manager, Access Manager, Identity Federation, and Directory Services Suite Plus
  – Identity Governance Suite
    • Identity Manager, Privileged Account Management, Identity Analytics, and various Connectors
  – Access Management Suite Plus
    • Access Manager, Adaptive Access Manager, Entitlements Server, Identity Federation
  – Directory Services Suite Plus
    • Internet Directory, Unified Directory, Virtual Directory

Licensing Identity & Access Management Solutions
• Suites
  – Mobile Security Suite
  – Enterprise Single Sign On Suite Plus
  – Enterprise Identity Services Suite
    • Directory Services Suite Plus, Identity Governance Suite, Access Management Suite, and Mobile Security Suite

Join the Community
Twitter: twitter.com/OracleIDM
Facebook: facebook.com/OracleIDM
Oracle Blogs: Blogs.oracle.com/OracleIDM
Oracle IdM Website: oracle.com/Identity