Oracle Privileged Account Manager 11gR2. Karsten Müller-Corbach

Transcription

1 R2 Oracle Privileged Account Manager 11gR2 Karsten Müller-Corbach

2 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 2

3 Agenda Introduction Oracle Privileged Account Manager 11gR2 OPAM and Oracle s Governance Platform OPAM and Oracle Security Solutions 3

4 Introduction 4

5 With Great Power Comes Great Risks Root Access Databases Directory Servers Unix Servers Privileged accounts are a key entry point for fraud Difficult to monitor shared accounts across multiple administrators Excessive access privileges is the number one attack vector against databases 5

6 IDM Overcome Threats and Regulations to Unlock Opportunities Threats Increased Online Threat Costly Insider Fraud Compliance Tougher Regulations Greater Focus on Risk Stronger Governance Opportunities 76% Data Stolen From Servers 86% Hacking Involve Stolen Credentials 48% Caused by Insiders 17% Involved Privilege Misuse Social Media Cloud Computing Mobile Access 2011 Data Breach Investigations Report Copyright 2011, Oracle and/or its affiliates. All right 6

7 Privileged Accounts Most Powerful but Most Unprotected Unlimited power Shared Passwords Never Changed Access not audited or certified Unix/ Linux, Windows, databases, applications, routers, firewalls etc Each and every IT asset in the enterprise 7

8 Managing Privilege Access Is Not Well Defined SCALE Manual solutions don t scale (like managing privileged access via spreadsheets) RISK Using default system passwords is prone to risk COST Deploying point solutions can increase integration costs 8

9 Two Big Management Problems IDENTIFYING PRIVILEGED ACCOUNTS TRACKING PRIVILEGED ACCOUNTS 9

10 The Right Approach is Self-Reinforcing Reporting & Certification Access Request Self-Reinforcing Auto- Provisioning VISIBILITY ACROSS COMPLETE USER ACCESS IS KEY Remediation 10

11 Privileged Account Management A Platform Approach Shared Connectors Centralized Policies Workflow Integration Reduce Risk Improve Compliance Common Reporting Copyright 2012, Oracle and/or its affiliates. All rights Reserved 11

12 Oracle Offers Security at Every Layer Security inside each later and across layers Infrastructure Security Governance & Compliance Identity&Access Management Database Security Cloud Services 12

13 Governance Password Reset Privileged Accounts Access Request Roles Based Provisioning Role Mining Attestation Separation of Duties Access Web Single Sign-on Federation Mobile, Social & Cloud External Authorization SOA Security Integrated ESSO Token Services Fraud Detection Directory LDAP Storage Virtual Directory Meta Directory Platform Security Services 13 Copyright 2013, Oracle and/or its affiliates. All rights reserved.

14 Oracle Privileged Account Manager 11gR2 Copyright 2012, Oracle and/or its affiliates. All rights Reserved 14

15 Introducing Oracle Privileged Account Manager Secure vault to centrally manage passwords for privileged and shared accounts Targets include Databases, Operating Systems and LDAP Directories, Oracle FMW applications Multiple access points for OPAM users and administrator Automatic password change using Identity Connector Framework Policy based password check-out and check-in Flexible usage policies Customizable audit reports through BI Publisher and real time status Extension to Identity Governance OIM and OIA integration for complete governance Copyright 2012, Oracle and/or its affiliates. All rights Reserved 15

16 OPAM Architecture Copyright 2011, Oracle and/or its affiliates. All right 16

17 A Typical Use Case User logs in as DBA Adds Table to DB System out of space Return DBA password HR Application Database Set DBA password for HR App Database based on password policy for HR App Database Request DBA password Return unix password Request unix password Verify OPAM User in HR DBA Role User checks in passwords DBA Oracle Privileged Account Manager LDAP Server User logs in as superuser Adds disk space Unix Server Copyright 2011, Oracle and/or its affiliates. All right 17

18 User Check-Out Password Screen Copyright 2011, Oracle and/or its affiliates. All right 18

19 Supported Clients / Targets Generic UNIX Systems Generic Database Servers Generic LDAP Directories UNIX 19

20 Default Supported Targets OPAM will support all OIM ICF connectors Will ship with following connectors Generic UNIX Any UNIX/LINUX server with SSH Generic Database Oracle 9i, 10g, 11g Any Generic LDAP Copyright 2012, Oracle and/or its affiliates. All rights Reserved 20

21 OPAM Benefits Enforce internal security policies and eliminate potential security threats from privileged users Cost-effectively enforce and attest to regulatory requirements Reduce IT costs through efficient self service and common security infrastructure Real time usage reports Customizable audit reports through BI Publisher Copyright 2012, Oracle and/or its affiliates. All rights Reserved 21

22 OPAM and Oracle Access Management OAM provides access control to OPAM service console Centralized, policy-driven services for web applications authentication Web single sign-on Session control OAAM for layered access control to OPAM service console Real-time fraud prevention Software-based multifactor authentication Copyright 2012, Oracle and/or its affiliates. All rights Reserved 22

23 OPAM and Oracle s Governance Platform Copyright 2012, Oracle and/or its affiliates. All rights Reserved 23

24 Supports Oracle Identity Manager Enterprise Roles Request access De-provision access Reuse connectors Works with request catalog 24

25 OPAM OIM and OIA a Complete Governance Platform Use case 1 OIM to provision users to OPAM directory Leverage OIM policy/role based provisioning, a system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access Workflow and approval will be followed as defined Use case 2 Request for Privileged Account Access Through OIM OIM to publish privileged account entitlements in request catalog An admin user uses access request self service, search the catalog, pick the privileged accounts he needs and submit for approval The request kicks off workflow and approval as defined The user is provisioned with group membership after approval The user can access OPAM for privileged password checkout and checkin Copyright 2012, Oracle and/or its affiliates. All rights Reserved 25

26 OPAM OIM and OIA a Complete Governance Platform Use case 3 Break glass access request through OIM Ability for admins to request emergency access to certain privileged account(s) s/he normally is not entitled to. E.g., a critical server is down but the designated server admin is not available. The admin goes through the OIM request process as defined earlier, but indicates this is break glass emergency request Submission of the request will kick off break glass workflow with minimal or auto approval (per customer process) The admin is presented with privileged password for emergency use Special alert is generated for the event and sent to security administrators The access is automatically de-provisioned afterward (e.g., after some time) Copyright 2012, Oracle and/or its affiliates. All rights Reserved 26

27 OPAM OIM and OIA a Complete Governance Platform Use case 4 delegated access Example Bob is on vacation for 3 weeks, Joe is authorized to access the accounts Bob has access to. Joe s access is revoked after Bob returns. Use case 5 Risk based certification and close-loop remediation with OIA Through existing OIM OIA integration and OIM OPAM integration, privileged access info is made available to OIA for certification. Risk can be calculated based on its privilege status and other data such as provisioning method etc If access violation is found, it can be revoked based on OIM OIA close-loop remediation Copyright 2012, Oracle and/or its affiliates. All rights Reserved 27

28 OPAM, OIM and OIA a Complete Governance Platform Central governance of regular and privileged users Complete auditing, reporting and certification of user s individual and shared accounts More secure and more compliant Copyright 2012, Oracle and/or its affiliates. All rights Reserved 28

29 OPAM and Oracle Security Solutions Copyright 2012, Oracle and/or its affiliates. All rights Reserved 29

30 OPAM and Database Security Enterprise User Security allows non-privileged users to use their enterprise LDAP/AD password to connect to the database Database Vault provides stronger separation of duties for databases OPAM manages passwords for privileged users including SYS, SYSTEM and application accounts A complete Database Security solution from Oracle Copyright 2012, Oracle and/or its affiliates. All rights Reserved 30

31 Database User Management Complete Solution Service Description Use Existing Enterprise LDAP Passwords for End-User Passwords Supported by EUS Map Database Roles to Enterprise Roles Manage SYS/SYSTEM Passwords EUS OPAM Manage Application Passwords OPAM Manage non-oracle database passwords OPAM Copyright 2011, Oracle and/or its affiliates. All right 31

32 Database Vault Integration Complete Solution Service Description Privileged user access control to limit access to application data Supported by DB Vault Multi-factor authorization for enforcing enterprise security policies DB Vault Secure application consolidation DB Vault Manage DB Vault Privileged Accounts Passwords like user_manager, sec_admin Manage SYS/SYSTEM and other DB Privileged Accounts Passwords OPAM OPAM Copyright 2011, Oracle and/or its affiliates. All right 32

33 OPAM and UNIX/LINUX User Management Oracle Authentication Services For Operating Systems (OAS4OS) enables non-privileged UNIX/LINUX users to authenticate to LDAP OAS4OS simplifies migration from NIS to LDAP OPAM provides password management for user accounts such as root and other privileged application accounts on the server Copyright 2012, Oracle and/or its affiliates. All rights Reserved 33

34 UNIX/LINUX User Management Complete Solution Service Description Use Existing Enterprise LDAP for End-User Passwords Supported by OAS4OS Map UNIX Groups & NIS Maps to LDAP OAS4OS Manage ROOT Passwords OPAM Manage superuser Application Account Manage Windows passwords OPAM OPAM Copyright 2011, Oracle and/or its affiliates. All right 34

35 Improve Security Of Oracle Middleware and Database Application passwords are often privileged and unmanaged OPAM can automatically manage application passwords for software that uses Oracle Fusion Middleware or connects to Oracle database This includes: Oracle Credential Security Framework (CSF) Oracle Wallet (planned post R2) Copyright 2012, Oracle and/or its affiliates. All rights Reserved 35

36 Summary Copyright 2012, Oracle and/or its affiliates. All rights Reserved 36

37 Summary Improves compliance and auditing of privileged account activities Can be deployed standalone or as part of complete Oracle Identity Governance platform A key components of Oracle Identity Governance Together with OIM and OIA Central governance of regular and privileged users Complete auditing, reporting and certification of user s individual and shared accounts Copyright 2012, Oracle and/or its affiliates. All rights Reserved 37

38 blogs.oracle.com/oracleidm 38

39 39

40 40