Identity and Access Management

Transcription

1 <Insert Picture Here> Apresentação de solução da Oracle para autorização de usuários em aplicativos/sistemas Identity and Access Management Alexandre Freire Principal Sales Solution Security Specialist Identity and Access Management GRC Technology Oracle Latin America Strategic Accounts

2 <Insert Picture Here> Oracle Entitlements Server Introdução

3 Oracle Identity and Access Management Commitment to Leadership & Innovation Innovate Lead Id. Assurance Partner Alliance Oracle Access Management Suite Acquisition of BEA OES Acquisition of Bharosa OAAM Acquisition of Bridgestream ORM Identity Governance Framework Market Leader in Forrester s IAM Wave Oracle IdM Eco-system Oracle esso Leader in Gartner s UP & WAM Magic Quadrant Oracle Identity and Access Management Suite Identity Audit and Compliance offering Build Acquisition of OctetString OVD Acquisition of Thor OIM Acquisition of Oblix OAM, OIF & OWSM Acquisition of Phaos Federation and WS technologies Oracle Internet Directory

4 Leader in Magic Quadrants Oracle assumes the No. 1 position - Earl Perkins, Perry Carpenter, Aug (Research G ) User Provisioning, H Web Access Management, H Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

5 Comentários do Gartnet sobre Entitlements Oracle WAM Market - Strengths Trends for 2008 Oracle Market now segmentation sells OAM as (access part of management integrated suites of vs. access management commodity WAM components, vs. consumer including extranets): Oracle Identity The strategic Federation, Oracle direction Entitlements for WAM tools Server is diverging and Oracle as the Adaptive market Access matures. Manager, Larger, enterprise-focused providing improved vendors authorization (IBM, CA, functionality Sun, Novell, beyond Web Oracle, applications, Evidian and as Siemens) well as fraud are detection developing capabilities. access The wide range management of access suites, management which include functions WAM, platform in the suite access puts Oracle control, on fine-grained an excellent entitlement footing with management, broad suite offerings identity from IBM federation and CA. and, often, Web services security tools, combined with unified administration and audit facilities. Smaller vendors (for example, Cafesoft and P2 Security) are focused on low-cost, low-complexity SMB offerings. A few vendors (including EMC/RSA Security and Entrust) are focused specifically on the consumer extranet. Source:

6 Market Leader According To Oracle has established itself as Leader. - The Forrester Wave: Identity And Access Management, Q Oracle reached the top of our evaluation through a combination of the breadth, depth, interoperability, and packaging of its IAM features alongside the strategy and current state of market execution on its application-centric identity vision. - The Forrester Wave: Identity And Access Management, Q1 2008

7 Oracle s Identity Management Suite Identity Admin. Role Manager Identity Manager Access Management Identity Management 2.0 Adaptive Access Manager Entitlements Server Web Services Manager Core Platform Access Manager Identity Federation Enterprise Single Sign-On Directory Services Virtual Directory Internet Directory Authentication Service for OS Audit & Compliance Identity Management Suite Manageability Enterprise Manager IdM Pack

8 <Insert Picture Here> Oracle Entitlements Server Arquitetura Funcional

9 Oracle Entitlement Server O que é? É um Sistema de Controle de Privilégios que possibilta uma definição centralizada de privilégios de complexas aplicações e a execução runtime dos controles destes privilégios. Permite externalizar o controle de privilégios Separa as decisões de segurança, da lógica de negócio das aplicações; Centraliza a gestão das políticas de acesso para vários ambientes de aplicações.

10 Oracle Entitlement Server O que é? Modelo de Políticas suporta a hierarquica natural dos objetos de negócio, roles e direitos de acesso. Protege tanto os componetes de software (ex. URLs, EJBs, etc.) quanto os objetos de negócio (ex. Contas, registros de pacientes, etc.). Prove uma implantação flexível e de fácil integração com os sistemas de segurança e identidades existentes.

11 Entitlements Server Gerenciamento de direitos Presentation Tier Business Logic Tier Data Access Tier Databases Policy Decision Point Entitlements Management Policy Decision Point Policy Decision Point Policy Decision Point Repositório de políticas centralizado Aproveita e potencializa os investimentos existentes em segurança e Identity Management Enforcement da Política de Segurança da corporação Tira a responsabilidade da criação e manutenção das políticias da mão dos desenvolvedores Controle quem pode fazer, ou ver algo, quando e como.

12 Oracle Entitlements Server Architecture Policy Decision Point (PDP) (Standalone) Browser Policy Administration Point (PAP) Admin Server SSM ATN ATZ RM AD CM Admin Server Policies XACML 2.0 Policy Policy Decision Point (PDP/PEP) (Embedded) App Server Entitlements Server SSM ATN ATZ RM AD CM Client Plan Old Java Object (POJO).Net Client Generic SOAP Client Policy Information Point (PIP) Entitlements Entitlements LDAP Relational DB Service Data Objects Attribute Retriever API Embedded Entitlements SSM ATN ATZ RM AD CM User or application directories or database that contain information that is required to make an access decision. Entitlements Server Such information includes user, group, and resource attributes. Oracle Confidential For Internal Use Only

13 OES Administration Server (PAP) Web Browser OES Admin Server (J2EE) Admin UI Application Entitlements API SSM Mgmt Tools Management API ATN ATZ RM AD CM Policy Loader/Exporter Policy Store Policy Files Policy Distributor Admin Scripts To SSMs Runs on WebLogic, Tomcat, WebSphere Web-based Admin Console Policy Reporting Management Tools Management API via Java and Web Services Transactional policy distribution to SSMs Oracle Confidential For Internal Use Only

14 Security Service Module (PDP) Security Service Module Framework API Authentication Authorization Role Mapping Auditing Cred Mapping Identity Directories Entitlements Entitlements Secure Audit Logs External Application Integrate with LDAP, RDBMS, Custom Identity Stores Leverage multiple stores simultaneously Assert identity from SSO or custom tokens Establishes JAAS Subject Provide Grant/Deny decisions based upon policies Integrate external entitlement attribute data from LDAP, RDBMS, SDO Dynamically map users to Roles based upon policy Log messages generated by framework events Write to everything from log4j to secured filesystems Describe custom handlers for various events Translate credentials into custom formats Helps propagate identity across disparate systems Oracle Confidential For Internal Use Only

15 SSM Configurations Standalone Server (PDP) Entitlements Server SSM ATN ATZ RM AD CM J2EE/JVM (PDP/PEP) Embedded Entitlements SSM ATN ATZ RM AD CM Java API.Net API SOAP API XACML 2.0 Oracle DB (with VPD) SharePoint WebLogic Server, Tomcat, Websphere Plain Old Java Object (POJO) Oracle Service Bus Documentum Client/Content Server* SSMs are kept synchronized with central policy store Handle push from Admin Server Retrieve policy upon startup SSMs maintain local persistent caches of relevant policy SSMs maintain local caches of attribute and policy decisions Oracle Confidential For Internal Use Only

16 OES Access Policy OES Access policy is used to grant or deny privileges to resources in the application to specific users, groups, or roles Authorization Request Authorization Response Grant (view, /app/sales/revenuereport, /role/manager) if region = East ; Effect Grant Deny Delegate Action Read Write View Resources Subjects Constraint Boolean Attributes Eval Functions Maps to Application Objects Based on Identity Store(s) Read from External Data Oracle Confidential For Internal Use Only

17 OES Role Policy OES role policy is used to dynamically determine role membership Authorization Request Authorization Response Grant (/role/executive, /app/sales/, /sgrp/manager) if level > 5; Effect Grant Deny Delegate Roles Based on Resources Maps to Subjects Constraint Boolean Attributes Eval Functions Application Based on Read from Objects Identity Store(s) External Data Oracle Confidential For Internal Use Only

18 Entitlements Management Gerenciamento centralizado Gerenciamento dos Entitlements User Roles Application Resources Authorization Policies Role Membership Policies Create Separation of Duties Rules Distribute Entitlements to SSMs Administração das Identidades User Identity Directories User Attributes Auditoria Run Policy Reports Oracle Confidential For Internal Use Only

19 Entitlements Lifecycle Enforcement das Policies sem alterar as aplicações Operations and Compliance Staff Business Owner Developer Developer Oracle Entitlements Server Security Administrator

20 <Insert Picture Here> Oracle Entitlements Server Arquitetura Técnica

21 OAM-OAAM-OES Arquitetura OAM Admin OVD Oracle Access Server Access Manager Partners Web Server 1 (Web Gate) Oracle Internet Directory Load-balancer OAAM Server (OASA) Application Server 1 (SSM) Vendors Web Server 2 (Web Gate) Oracle XE Database Policy Store OAAM Sever (OARM) OES Admin Application Server 2 (SSM) Entitlement Server

22 OES Arquitetura Plataformas (PAP) Table 1 Core Components Component Platforms Operating Systems Admin Console Browser MS IE 6.0, 7.0 Windows 2000 SP4, 2003 R2, XP SP2 E-UI Browser MS IE 6.0, 7.0 Firefox 2.0.x Windows 2000 SP4, 2003 R2, XP SP2 Admin Server Platform WebLogic Server MP2 WebLogic Server 10.0 MP1 WebLogic Server 10gR3 (10.3) 2 WebSphere Application Server Tomcat Sun Solaris 8, 9, 10 (32-bit) Windows 2000 SP4, 2003 R2, XP SP2, Red Hat Adv. Server 3.0, 4.0 Suse Linux & 10.0 AIX OES Policy Store Oracle , , , Sybase , 15 MS-SQL 2000 & 2005 PointBase 5.1 DB2 Universal DB Enterprise Server 9.1 User Directory Oracle Identity Directory Microsoft Active Directory 2000 & Microsoft ADAM SunONE Directory Server v5.2 Novell edirectory v Open LDAP v Oracle , , , 11g Sybase , 15 DB2 Enterprise Server Edition 9.1 MS-SQL 2000 & 2005

23 OES Arquitetura Plataformas (SSM) Table 2 Security Modules Category Platform Version(s) Windows 1 Solaris RHAS 2 Suse 3 9.2, 10.0 AIX , 9, , 4.0 Web Services / RMI MS.NET 1.1 & WL Workshop 9.0, 10.0 Studio 3.0 Yes Yes Yes Yes No Oracle WebLogic Products WebLogic Server , 8.1.6, 9.2.2, 10.0 MP1, WebLogic Portal 8.1.5, 8.1.6, 9.2.2, , 10.2 WebLogic Integration Yes Yes Yes Yes No Other Oracle Products ODSI (formerly ALDSP) 2.5, 3.0, OSB (formerly ALSB) 2.6, OBPM (formerly ALBPM) 6.0 Yes Yes Yes Yes No IBM WebSphere WebSphere 6.1 Yes Yes Yes Yes Yes Java Sun JVM 1.4.2, 5.0, 6.0 JRockit 1.4.2, 5.0, 6.0 IBM JDK 1.4.2, Yes Yes Yes Yes No Web Servers Apache Yes Yes Yes Yes No MS IIS Other Applications Oracle Database 10g Documentum Content Server v5 Microsoft Office SharePoint Server 2007 Yes Yes Yes No Yes N/A No Yes N/A No Yes N/A No Yes N/A

24 High Availability - Runtime Security Module/PDP continues to provide security services even if external components it relies on (such as authentication database, for example) become unavailable. Failover for authentication sources Failover for entitlement sources (attribute retrievers) Failover for Credential Mapper sources For data replication between data sources we recommend to use vendor specific approach or use solutions like Oracle RAC Runtime independence of SM/PDP from Admin Server Application Environment Security Framework Security Service Module Authentication Providers Auditing Providers Role Providers Authorization Providers Credential Providers Source specific replication Primary Authentication Source Back-up Authentication Source Primary Entitlements Source Source specific replication Back-up Entitlements Source Oracle Confidential For Internal Use Only

25 High Availability Management Time New York Tokyo London Application Environment Application Environment Application Environment SSM SSM SSM Primary Admin Server Secondary Admin Server Primary OES DB RDBMS specific replication Secondary OES DB OES Administrator OES Administrator OES Administrator Oracle Confidential For Internal Use Only

26 High Availability Management Time New York Tokyo London Application Environment Application Environment Application Environment SSM SSM SSM Primary Admin Server Secondary Admin Server Primary ALES DB Secondary ALES DB ALES Administrator ALES Administrator ALES Administrator Oracle Confidential For Internal Use Only

27 D E M O N S T R A T I O N Oracle Entitlements Server Live demonstration on a Vmware environment

28