Oracle Security Inside Out: Identity & Access Management Overview
Maurice Luizink ([email protected]), Principal Solution Architect IDM
Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Overview of Oracle Identity Management, presented at the AMIS Simplified Security seminar


Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Oracle Market Trends

Accelerated Pace of Change: Rapidly Evolving Opportunities in Business and Society
• 80% of user access will be mobile by 2020
• 44% of organizations plan to social-enable applications
• Cloud computing will become the bulk of new IT spend by 2016
• There will be 26 billion connected devices by 2020

Accelerated Application Proliferation: Unique Identity Requirements for Each Platform
• Mobile Apps
• Cloud Apps
• Enterprise Apps

Challenges of the New Digital Economy
Enabling Users and Maintaining Access Controls: Identity Governance
• More applications to onboard and manage
• Outdated request & fulfillment processes
• Limited visibility across Enterprise, Mobile & Cloud applications
• Manual access certification processes
• Delays revoking unauthorized access

Requirements for the New Digital Economy
Unified Identity Governance
• Business-friendly access request & approval interfaces
• Scalable & flexible access certification
• Automated provisioning & closed-loop remediation
• Management of standard and privileged user accounts
• Common connector framework

Oracle IAM portfolio
(Diagram: Securing access to apps & data)
Identity Management: Mobile Security, Identity Governance, Directory Services, Access Management
Database Security: Encryption & Redaction, Privileged User Control, Key Management, Activity Monitoring, Configuration Management, Database Firewall

Oracle Identity Management
• Mobile Security: Mobile Application Management, Mobile Device Management, Mobile Access Management, API Security, Mobile Authenticator
• Identity Governance: Access Request, Access Governance, Automated Provisioning, Privileged Account Management
• Access Management: Authentication, Authorization, Audit, Federation
• Directory Services: Enterprise Directory, Cloud/Mobile App Directory, Virtual Directory

Oracle Identity Management 11gR2 PS3: Highlights
• Mobile Security
  – Supports corporate-owned devices using Mobile Device Management (MDM)
  – Integrates with existing Identity Management solutions for simplified operations and tighter security
• Identity Governance
  – Converged role management, SoD, and closed-loop remediation
  – Windows session recording for privileged accounts
  – Simplified and intelligent self-service and access request
• Other Key Improvements
  – Continued suite simplification via automated patching and upgrades
  – Mobile Authenticator enhanced to allow PIN-less 2-factor authentication
  – Convergence of virtualization into Oracle Unified Directory (OUD)

Oracle Mobile Security: Secure Corporate Data, Optimize User Experience
• Mobile App Management
• Strong authentication
• Security for native apps
• Integrated authentication and access
• BYOD with corporate policies

Oracle's Mobile Security Strategy: Comprehensive Enterprise Mobility Management
Secure Device & Data: Secure Container, Application Management, Device Management, Content Management
Simplify User Experience: Web and Native App SSO, Enterprise App Store, Productivity Apps, Unified Self-Service Console
Restore Control: Governance & Compliance, Strong Authentication, API Security, Unified Delegated Admin Console

Unified Mobile Security Features
• Manage corporate data, not devices
• MDM is not a prerequisite for BYOD
• Secure communication channel obviates VPN
• Re-use & extend corporate identity, users, roles, policies
• ISV friendly: no recoding and redeployment of apps
• Higher security: no cached credentials

Oracle Mobile Security Suite: Secure Corporate Data, Optimize User Experience
• Mobile Identity
• App Isolation
• App Management
• Secure Access
• MDM
• Containerized apps

Oracle Mobile Security Suite 11gR2 PS3: New Features
• Mobile Device Management
• Integrated Administration & Self-Service with OAM & OIM
• Risk-based step-up authentication
• Support for Android 5, incl. secure storage using the NDK API
• Support for kiosk mode
• Support for additional LDAP directories

Oracle Secure Mobility: Secure BOTH consumer and containerized apps
(Architecture diagram) Mobile apps reach the Corporate DMZ over HTTP/REST/SOAP/OAuth.
Corporate DMZ: Oracle Mobile Access Server, Oracle API Gateway
Corporate Network: Corporate Resources (SOAP/REST and Legacy Web Services); Oracle IDM Stack (Oracle Mobile Security Manager, Oracle Identity Governance, Oracle Access Management, Unified Registry)

API Management and Security: Secure mobile access to corporate information
• Extend Access Management to REST APIs
• Context aware
• Authentication
• Authorization
• Fraud detection
• Security tokens
• Data redaction
• Audit
(Diagram: Oracle API Gateway capabilities, backed by Oracle Access Management) Transformation, API Control & Governance, API Management & Monitoring, Threat Protection, Secure REST APIs, OAuth 2.0 Client & Server, Client Throttling, Native JSON & XML Processing, API Key Management

Fine-grained authorization for Mobile Apps Exposing Secure APIs

Customer Service REST API: /customer/get, /customer/update, /customer/delete

Request:
"User": Bob Doe
"Org": Acme Corp
"Grade": Marketing Manager
"Customer": "ID": 12345

The API Gateway acts as Policy Enforcement Point (PEP) and asks the Entitlements Server, the Policy Decision Point (PDP):
isAuthorized(user = Bob Doe, userOrg = Acme Corp, userRole = Marketing Manager, resource = Customer Service, action = /customer/get, customerID = 12345)

The same user then requests a different customer record (ID 99999):
isAuthorized(user = Bob Doe, userOrg = Acme Corp, userRole = Marketing Manager, resource = Customer Service, action = /customer/get, customerID = 99999)

Response from the Customer Service REST API:
"Customer": "ID": 99999, "Name": Sally Smith, "Phone": 01323 232125, "NI": AB 12 34 56 B, "CreditCard": 1122 3344 5566, "Purchase History": …

Response after the API Gateway (PEP) applies the Entitlements Server's decision to the payload, so the sensitive fields are redacted or masked before the data reaches the mobile app:
"Customer": "ID": 99999, "Name": Sally Smith, "Phone": 01323 232125, "NI": @^*%&@$#%!, "CreditCard": **** **** 5566, "Purchase History": …
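The PEP/PDP split shown in the slides above, and the "data redaction" and "audit" capabilities listed on the API Management slide, as an added example. This is not Oracle's code and not the Entitlements Server API: it is a small deny-by-default attribute-based PDP behind an `is_authorized(...)` call with the same parameters the slides use, plus a gateway function that enforces the decision's obligations on the backend response. The customer records, the `ACCOUNT_MANAGER` mapping, the policy rules and the `[REDACTED]` marker are constructed for illustration.

```python
from dataclasses import dataclass

# ---- constructed sample data (not from the slides) --------------------------
# Records behind the Customer Service REST API.
CUSTOMERS = {
    12345: {"ID": 12345, "Name": "Tom Brown", "Phone": "01323 111111",
            "NI": "CD 98 76 54 A", "CreditCard": "9988 7766 5544",
            "Purchase History": ["order-1"]},
    99999: {"ID": 99999, "Name": "Sally Smith", "Phone": "01323 232125",
            "NI": "AB 12 34 56 B", "CreditCard": "1122 3344 5566",
            "Purchase History": ["order-7", "order-9"]},
}
# Assumed attribute the PDP can resolve: who manages which customer account.
ACCOUNT_MANAGER = {12345: "Bob Doe", 99999: "Alice Ray"}
KNOWN_ACTIONS = {"/customer/get", "/customer/update", "/customer/delete"}
AUDIT_LOG = []   # every decision is recorded here, permit or deny


@dataclass
class Decision:
    permit: bool
    reason: str
    redact: frozenset = frozenset()   # obligation: drop these fields entirely
    mask: frozenset = frozenset()     # obligation: mask all but the last group


def is_authorized(user, userOrg, userRole, resource, action, customerID) -> Decision:
    """PDP: deny by default; rules are evaluated top to bottom."""
    if resource != "Customer Service" or action not in KNOWN_ACTIONS \
            or customerID not in CUSTOMERS:
        return Decision(False, "unknown resource, action or customer")
    if userOrg != "Acme Corp":
        return Decision(False, "organisation not entitled to this API")
    if action == "/customer/delete":
        # Delete is reserved for the admin role; account managers cannot delete.
        if userRole == "Customer Service Admin":
            return Decision(True, "admin delete")
        return Decision(False, "delete requires Customer Service Admin")
    if ACCOUNT_MANAGER.get(customerID) == user:
        return Decision(True, "account manager: full record")
    if userRole == "Marketing Manager" and action == "/customer/get":
        # Permitted, but only with obligations the PEP must apply to the response.
        return Decision(True, "marketing read with redaction",
                        redact=frozenset({"NI"}), mask=frozenset({"CreditCard"}))
    return Decision(False, "no matching rule")


def mask_all_but_last_group(value: str) -> str:
    """'1122 3344 5566' -> '**** **** 5566'."""
    groups = value.split()
    return " ".join(["*" * len(g) for g in groups[:-1]] + groups[-1:])


def apply_obligations(record: dict, decision: Decision) -> dict:
    """PEP-side filtering of the backend payload according to the decision."""
    out = {}
    for key, val in record.items():
        if key in decision.redact:
            out[key] = "[REDACTED]"
        elif key in decision.mask:
            out[key] = mask_all_but_last_group(val)
        else:
            out[key] = val
    return out


def gateway_handle(user, userOrg, userRole, action, customerID):
    """PEP: decide, audit, then fetch and filter. Returns (status, body)."""
    decision = is_authorized(user, userOrg, userRole, "Customer Service",
                             action, customerID)
    AUDIT_LOG.append({"user": user, "action": action, "customerID": customerID,
                      "permit": decision.permit, "reason": decision.reason})
    if not decision.permit:
        # Generic error to the client; the reason lives only in the audit trail.
        return 403, {"error": "forbidden"}
    if action == "/customer/get":
        return 200, apply_obligations(CUSTOMERS[customerID], decision)
    return 200, {"status": "accepted", "action": action, "ID": customerID}


if __name__ == "__main__":
    print(gateway_handle("Bob Doe", "Acme Corp", "Marketing Manager", "/customer/get", 12345))
    print(gateway_handle("Bob Doe", "Acme Corp", "Marketing Manager", "/customer/get", 99999))
    print(gateway_handle("Bob Doe", "Acme Corp", "Marketing Manager", "/customer/delete", 99999))
    print(AUDIT_LOG)
```

Two points the slides only imply: the backend still returns the full record, so the redaction is only as strong as the gateway's guarantee that every response path goes through `apply_obligations`; and the audit entry is written before the 403/200 is chosen, so denied attempts are logged with the same fidelity as permitted ones.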

Oracle Identity Governance: Unified Approach to Complete Identity Governance
• Identity Administration
• Access Provisioning
• Role Life Cycle Management
• Access Request Management
• Access Certification
• Identity Audit / SoD
• Audit and Reporting
• Connector Framework
• Privileged Account Management

Oracle Identity Governance: Translating Business Needs to Repeatable Processes
• Business-Friendly Request Catalog
• Streamlined Business Process for Approvals
• Intelligent and Flexible Certification
• Scalable and Rapid Fulfillment
• Modular and Pluggable Architecture
• Privileged Access and Audit

Key focus areas for PS3: Simplified Identity Governance
• Clean UI with a Cloud look and feel, with faster performance
• End-users get easy access to business functions without requiring customization
• Collaborative certification process
• Intelligent Access Catalog

Oracle Identity Governance 11gR2 PS3: New Features
• Business-Friendly Interfaces & Intelligent Catalog
• Comprehensive Role Management & Continuous Compliance
• SoD Detection & Closed-Loop Remediation
• Identity Services for Mobile & Extranet (REST API, SCIM 2.0)
• Enhanced Privileged Access
• Enhanced Auditing (synchronous)
• Temporal grants for new and existing access

Identity Administration (Oracle Solution)
• Self Service
  – Self registration, self profile management
  – Self password management: reset/forgot password, challenge questions
• User Management
  – User life cycle management, delegated administration, proxy user
  – Configurable policies for user name and password generation
• Password Policy
  – Global
  – Organization scoped
• Support for REST, SPML and Remote APIs
• Orchestration engine for extensibility: plug-ins and event handlers

Access Provisioning (Oracle Solution)
• Provisioning framework and data model for modeling target applications
• Role-based access controls
• Identity connectors
• Reconciliation
• Disconnected application framework

Access Provisioning: Identity Connectors
• Common connectors for all governance needs
• Supports multiple target versions and multiple instances of a target simultaneously
• Flexible deployment options: local and remote deployment
• Extensible: administrators can extend the capabilities without coding
• Connector for Web Services
(Diagram) Access Request, Access Certification, Privileged Access and SoD Evaluation feed the Provisioning Engine, which drives Identity Connectors through the Identity Connector Framework to Cloud Applications, Enterprise Applications, Directories, Databases, and Custom Applications and Mainframes.

Role Life Cycle Management (Oracle Solution)
• Control and provide information for activities such as:
  – Creation of roles
  – Modification of role attributes
  – Modification of role members
  – Deletion of roles
• Business users can request creation of new roles and changes to existing ones
• Role requests can leverage the same request and approval framework available for access requests and certification
• Role owners can see comprehensive auditing and prior versions

Role Life Cycle Management: Comprehensive management functionality
• Comprehensive role analytics allow business users to see the impact of new roles and changes to existing ones
• Role owners can reduce role explosion by reviewing the effectiveness of roles and consolidating new roles with existing ones
• Business users can create roles using "model users"

Access Request Management: Intelligent Access Catalog
• Access Catalog provides the ability to browse and search
• Smart search forms allow users to navigate the Catalog in a guided manner
• Catalog search results indicate relevance
• Access Catalog can recommend access based on pre-defined and user-defined criteria
• Support for start/end dates for access grants
• Preventative SoD analysis

Access Request Management: Simplified yet granular security
• Administrators can define custom security roles to control who can do what at an attribute level
• Users can be assigned security roles via rules, reducing the administration burden
• User actions and the context in which they were performed are audited
• SOA-based approval workflow

Access Certification (Oracle Solution)
• Configurable risk definition and periodic risk aggregation
• Four types of identity certification (User, Role, Application Instance, Entitlement)
• Schedule, monitor, delegate and audit certifications
• Online and offline user certification
• Multi-phased review
• Closed-loop remediation
• Generate user/application certifications
• Generate certification reports
(Screenshot: an Access Certification for user JDOE listing the Accounts Payable and Accounts Receivable entitlements)

Identity Audit / Segregation of Duties (Oracle Solution)
• SoD rule and policy definition
  – Define rules across users, applications, roles and entitlements
• Detective SoD analysis
  – Detective policy enforcement: closed-loop remediation
  – Access history to audit all violations and decisions
  – Review high-risk policy violations in certifications
• Preventative SoD analysis
  – Enforce SoD policies during access requests
  – Review policy violations during approvals and launch exception workflows
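The detective and preventative SoD analysis described on this slide and the JDOE Accounts Payable / Accounts Receivable conflict from the certification screenshot, as an added example. This is not Oracle's code: the policy model, the users, the entitlements, the risk levels and the routing rule (High risk blocks the request, lower risk goes to an exception approval) are constructed for illustration. Grants carry an optional end date so the temporal grants mentioned for PS3 are honoured when computing what a user currently holds.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    end_date: Optional[date] = None   # temporal grant; None means no expiry


@dataclass(frozen=True)
class SodPolicy:
    """Holding anything in `left` together with anything in `right` is a conflict."""
    name: str
    left: FrozenSet[str]
    right: FrozenSet[str]
    risk: str   # "High" or "Medium" (constructed risk scale)


# ---- constructed sample policies and grants (not from the slides) ----------
POLICIES = [
    SodPolicy("AP-AR", frozenset({"Accounts Payable"}),
              frozenset({"Accounts Receivable"}), "High"),
    SodPolicy("Vendor-Pay", frozenset({"Vendor Create"}),
              frozenset({"Payment Release"}), "High"),
    SodPolicy("PO-Create-Approve", frozenset({"Purchase Order Create"}),
              frozenset({"Purchase Order Approve"}), "Medium"),
]
GRANTS = [
    Grant("JDOE", "Accounts Payable"),
    Grant("JDOE", "Accounts Receivable"),
    Grant("ASMITH", "Vendor Create"),
    Grant("ASMITH", "Payment Release", end_date=date(2014, 12, 31)),
    Grant("BLEE", "Accounts Payable"),
    Grant("BLEE", "Purchase Order Create"),
]

Violation = Tuple[str, str, List[str]]   # (policy name, risk, conflicting entitlements)


def active_entitlements(grants: List[Grant], user: str, today: date) -> set:
    """What the user holds today; expired temporal grants do not count."""
    return {g.entitlement for g in grants
            if g.user == user and (g.end_date is None or g.end_date >= today)}


def violations_for(entitlements: set, policies: List[SodPolicy]) -> List[Violation]:
    found = []
    for p in policies:
        left, right = entitlements & p.left, entitlements & p.right
        if left and right:
            found.append((p.name, p.risk, sorted(left | right)))
    return found


def detective_scan(grants: List[Grant], policies: List[SodPolicy],
                   today: date) -> Dict[str, List[Violation]]:
    """Detective analysis: users whose current access already violates a policy."""
    report = {}
    for user in sorted({g.user for g in grants}):
        found = violations_for(active_entitlements(grants, user, today), policies)
        if found:
            report[user] = found
    return report


def preventive_check(grants: List[Grant], policies: List[SodPolicy], user: str,
                     requested: str, today: date) -> Tuple[str, List[Violation]]:
    """Preventative analysis at request time, before anything is provisioned.
    Returns a route: 'fulfill', 'exception-approval' or 'blocked'."""
    would_hold = active_entitlements(grants, user, today) | {requested}
    found = violations_for(would_hold, policies)
    if not found:
        return "fulfill", found
    if any(risk == "High" for _, risk, _ in found):
        return "blocked", found
    return "exception-approval", found


def revoke(grants: List[Grant], user: str, entitlement: str) -> List[Grant]:
    """Closed-loop remediation step: the reviewer's revoke decision is fulfilled
    by removing the grant; the caller re-runs detective_scan to confirm."""
    return [g for g in grants if not (g.user == user and g.entitlement == entitlement)]


if __name__ == "__main__":
    today = date(2015, 3, 1)
    print(detective_scan(GRANTS, POLICIES, today))
    print(preventive_check(GRANTS, POLICIES, "BLEE", "Accounts Receivable", today))
    remediated = revoke(GRANTS, "JDOE", "Accounts Receivable")
    print(detective_scan(remediated, POLICIES, today))
```

The scan on 1 March 2015 reports only JDOE, because ASMITH's Payment Release grant expired at the end of 2014; the same scan dated mid-2014 reports both, which is why a detective scan must evaluate grants against a date rather than the raw grant list.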

Identity Audit / Segregation of Duties: Audit and Reporting
(Diagram) Oracle Identity Manager conducts identity management while saving/auditing information to its database (metadata and audit/compliance data); BI Publisher reads the Oracle Identity Manager database to provide Identity Management reports.
– Embedded BIP: no separate BIP infrastructure required
– New lightweight audit engine
– Supports new entities and processes

Identity Audit / Segregation of Duties: Reports and Dashboards
• Actionable dashboards for risk analysis and compliance
• 80+ out-of-the-box reports providing a 360-degree view of users' access
• Flexible deployment options, including the ability to schedule report runs
• Publicly available schema

Oracle Privileged Account Management: Control access to highly privileged accounts
• Managed targets
  – Unix/Linux
  – Windows local account
  – Hypervisor and network devices
  – SAP
  – Scripted connector (SSH) to speed up integration with network devices
• Session management control policies
• Windows (DVR-like) session recording

Oracle Access Management: Unified Approach to Complete Authentication, Authorization and Audit
• Web Access Management
• Federated & Social SSO
• Mobile Access Management
• Cloud Access Management
• Authorization Management
• Fraud Prevention
• Strong Authentication

Unified Access Management: Key Solution Requirements
• Seamless multi-channel access
• Access any application, from any device, anywhere
• Scalable for today's Internet needs
• Standards-based modular architecture
• Integrated risk, fraud & strong authentication
• Increase agility with external security policies

Oracle Access Manager: Simplified, Converged, Complete Access Solution
• Single platform to secure on-premise, Cloud, and mobile access
• Support seamless multi-channel access with modern user experience
• Fully converged federation solution
• Intelligent context-aware authentication
  – Native OTP via SMS, Email, Mobile
  – Step-up based on post-auth rule or auth level
• Seamlessly integrate with Oracle and third-party enterprise applications
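The "step-up based on post-auth rule or auth level" bullet above, and the risk-based step-up listed for the Mobile Security Suite, as an added example. This is not Oracle Access Manager code: it is a self-contained model in which each protected path declares a minimum authentication level, a session records the level it has reached, and a request below that level is answered with a step-up challenge completed by a one-time code sent out of band. The level table, the resource table, the `risky_context` flag standing in for a post-auth rule, the OTP lifetime and the attempt limit are all constructed for illustration; the `send` callback stands in for the SMS/e-mail/push channel.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed tables: what each factor is worth and what each path requires.
# Level 1 = password only, level 2 = password + one-time code.
LEVEL_PASSWORD = 1
LEVEL_OTP = 2
RESOURCE_LEVEL = {"/portal/home": 1, "/hr/payroll": 2, "/admin/keys": 2}

OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 3


@dataclass
class Session:
    user: str
    auth_level: int = 0            # highest level reached in this session
    pending_otp: Optional[str] = None
    otp_expires_at: float = 0.0
    otp_attempts: int = 0


def login_with_password(session: Session, password_ok: bool) -> None:
    """Primary authentication; never lowers a level that is already higher."""
    if password_ok:
        session.auth_level = max(session.auth_level, LEVEL_PASSWORD)


def required_level(path: str, risky_context: bool) -> Optional[int]:
    """Auth-level rule plus a post-auth rule: a risky context (unknown device,
    new location, ...) forces the second factor whatever the path asks for."""
    base = RESOURCE_LEVEL.get(path)
    if base is None:
        return None
    return max(base, LEVEL_OTP) if risky_context else base


def check_access(session: Session, path: str, risky_context: bool = False) -> str:
    """Returns 'allow', 'login', 'step-up' or 'deny' (unknown resource)."""
    need = required_level(path, risky_context)
    if need is None:
        return "deny"
    if session.auth_level >= need:
        return "allow"
    return "login" if session.auth_level == 0 else "step-up"


def issue_otp(session: Session, send: Callable[[str], None],
              now: Optional[float] = None) -> None:
    """Generate a 6-digit code from a CSPRNG and hand it to the out-of-band
    channel. A new code always replaces any earlier pending one."""
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending_otp = code
    session.otp_expires_at = (time.time() if now is None else now) + OTP_TTL_SECONDS
    session.otp_attempts = 0
    send(code)


def verify_otp(session: Session, submitted: str, now: Optional[float] = None) -> bool:
    """Constant-time compare, lifetime and attempt limit; success raises the level."""
    now = time.time() if now is None else now
    if session.pending_otp is None or now > session.otp_expires_at:
        session.pending_otp = None
        return False
    session.otp_attempts += 1
    if hmac.compare_digest(session.pending_otp, submitted):
        session.pending_otp = None
        session.auth_level = max(session.auth_level, LEVEL_OTP)
        return True
    if session.otp_attempts >= OTP_MAX_ATTEMPTS:
        session.pending_otp = None   # burn the code after too many failures
    return False


if __name__ == "__main__":
    s = Session("bob")
    login_with_password(s, True)
    print(check_access(s, "/portal/home"))      # allow
    print(check_access(s, "/hr/payroll"))       # step-up
    issue_otp(s, lambda code: print("out-of-band code:", code))
```

The decision and the challenge are deliberately separate: `check_access` only reports that a step-up is needed, and the level is raised solely by a successful `verify_otp`, so a client cannot skip the challenge by calling the protected path again.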

Oracle Access Manager: Cloud Access Portal
• Deliver user single sign-on to Cloud apps from a launchpad portal
• Provide seamless access from smartphone, tablet and PC
• Support for federated and unfederated apps
• Swiftly remove unauthorized access

Oracle Access Manager: Oracle Mobile Authenticator
• Push notification and one-button verification
• Support for multiple account registration
• Custom branding (modify the app name, font, icons, etc.)
• Integrated into Access Management
• Client app downloaded from corporate app store

Oracle Access Manager: Integrated Support for OAuth
• Enable users to authorize 3rd-party apps to access and leverage user data
• Avoid storing identity data in unnecessary locations
• Provide support for both server and client, 2- and 3-legged flows, profile services
• Connects with enterprise identity management systems

Oracle Directory Services: Scalable, Secure and Performant
• Identity Repository
• Naming Services
• Host Access Control
• Virtual Directory

Unified Directory Services: Oracle Differentiators
• Published performance benchmarks
• Optimized for Cloud and Mobile
• Integrated virtualization
• Support for antiquated identity stores
• Identity isolation from transactional data
• Internet scale for a billion identities

OUD: The All-in-One Directory
(Diagram) OUD provides Storage, Virtualization and Synchronization for Cloud Apps, Enterprise Apps, Mobile Apps, Databases and Servers, over backends such as an HR DB, DSEE and Active Directory.
• Storage, virtualization and sync
• High performance
• Extreme scalability
• REST support

Licensing Identity & Access Management Solutions
• Models
  – Employee and Non-Employee
  – CPU and NUP
• Identity & Access Management Licensing Guide
  – http://docs.oracle.com/cd/E55108_01/doc.1213/e56762/toc.htm
• Products and Suites
  – API Gateway
  – Entitlements Server Security Module
  – Identity Manager Connectors

Licensing Identity & Access Management Solutions: Suites
– Identity & Access Management Suite Plus
  • Identity Manager, Access Manager, Identity Federation, and Directory Services Suite Plus
– Identity Governance Suite
  • Identity Manager, Privileged Account Management, Identity Analytics, and various Connectors
– Access Management Suite Plus
  • Access Manager, Adaptive Access Manager, Entitlements Server, Identity Federation
– Directory Services Suite Plus
  • Internet Directory, Unified Directory, Virtual Directory

Licensing Identity & Access Management Solutions: Suites (continued)
– Mobile Security Suite
– Enterprise Single Sign-On Suite Plus
– Enterprise Identity Services Suite
  • Directory Services Suite Plus, Identity Governance Suite, Access Management Suite, and Mobile Security Suite

Join the Community
Twitter: twitter.com/OracleIDM
Facebook: facebook.com/OracleIDM
Oracle Blogs: Blogs.oracle.com/OracleIDM
Oracle IdM Website: oracle.com/Identity

Questions