Oracle Identity Management Securing The New Digital Experience

Transcription

1 Oracle Identity Management Securing The New Digital Experience Security: User Single Sign-On, Certifying User Access, and Masking Sensitive Data Henry Anzarouth Principal Sales Consultant, Security and Identity Management

2 This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. Copyright 2011, Oracle and/or its affiliates. All right 2

3 Agenda User Single Sign-On with Oracle Access Manager Certifying User Access with Oracle Identity Analytics Masking Sensitive Data with Oracle Enterprise Manager and EBS Accelerator (Masking Template) 3 Copyright 2012, Oracle and/or its affiliates. All rights reserved.

4 The New Identity Platform Complete and Converged Identity Governance Access Management Lifecycle Management & 360 visibility Regular & Privileged identities Complete access control & SSO Fraud Detection Converged Policy Administration & Control Directory Services LDAP, Virtualization Fraud & Meta-directory Detection Unified Administration & Management Copyright 2012, Oracle and/or its affiliates. All right 4

5 Identity Management Portfolio 11gR2 Modern, Innovative & Integrated Governance Password Reset Privileged Accounts Access Request Roles Based Provisioning Role Mining Attestation Separation of Duties Access Web Single Sign-on Federation Mobile, Social & Cloud External Authorization SOA Security Integrated ESSO Token Services Fraud Detection Directory LDAP Storage Virtual Directory Meta Directory Platform Security Services Copyright 2012, Oracle and/or its affiliates. All right 5

15 Oracle Identity Business Today 30K Customers in 45 Countries INDUSTRY LEADERSHIP These graphics were published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any of warranties of merchantability or fitness for a particular purpose. User Provisioning Identity Governance Web Access Management Copyright 2012, Oracle and/or its affiliates. All right 15

17 Oracle Identity Governance Governance Platform Connectors Provision Grant User Access De-Provision Monitor User Access Access Request Privileged Account Request Role Lifecycle Management Check-in/ Checkout Identity Certifications IT Audit Monitoring Rogue Detection & Reconciliation Reporting & Privileged Access Monitoring Roles Entitlements Access Catalog IT Ownership Accounts Glossaries Business Attributes 17

18 Oracle Identity Governance Suite Governance Platform Oracle Identity Manager Provisioning Reconciliation Identity Administration Access Request Oracle Identity Analytics ERP, DB and Mainframes Fusion Applications Oracle Privileged Account Manager Role Mgmt. Monitoring Dashboards Segregation of Duties Access Certification Cloud Applications Policy Management Password Check-in/ Check-out 18

20 Attestation Sign-Off 1 Set Up Periodic Review 2 Reviewer Is Notified Goes to Self Service Reviewer Selections 3 Automated Action is taken based on Periodic Review 4 Report Built And Results Stored in DB What Is Reviewed? Who Reviews It? Start When? How Often? Certify Reject Decline Delegate Comments Result to User Automatically Terminate User Notify the Process Owner Notify Delegated Reviewer Audit Attested Data Attestation Actions Delegation & Revocation Paths 20 Copyright 2009, Oracle. All rights reserved

21 Scenario s Actors Certification & Closed Loop Remediation Manager Administrator Complete user access certification Create and track certification progress 21 Copyright 2012, Oracle and/or its affiliates. All rights reserved.

29 View details of this entitlement 29 Copyright 2012, Oracle and/or its affiliates. All rights reserved. Last certification action (e.g.: Revoked, Certified) Provisioning Method (e.g.: access request with OIM, Reconciliation)

35 Remedition Tracking 35 Copyright 2012, Oracle and/or its affiliates. All rights reserved. The last certification requires the revocation of an entitlement. OIM is instructed to remove the entitlement.

37 37 Copyright 2012, Oracle and/or its affiliates. All rights reserved. The only user impacted was Elliot Ness The entitlement has been removed by OIM. This closes the remediation loop (Closed-loop remediation)

38 Maximum Security with Oracle Database Security 12c Henry Anzarouth Principal Sales Consultant, Security and Identity Management Oracle

39 Billions of Database Records Breached Globally 97% of Breaches Were Avoidable with Basic Controls 98% records stolen from databases 84% records breached using stolen credentials 71% fell within minutes 92% discovered by third party 39

40 Oracle Database Security Solutions Defense-in-Depth for Maximum Security PREVENTIVE DETECTIVE ADMINISTRATIVE Encryption Activity Monitoring Privilege Analysis Redaction and Masking Database Firewall Sensitive Data Discovery Privileged User Controls Auditing and Reporting Configuration Management 40

42 Encryption is the Foundation Preventive Control for Oracle Databases Oracle Advanced Security Transparent data encryption Prevents access to data at rest Requires no application changes Built-in two-tier key management Near Zero overhead with hardware Integrations with Oracle technologies e.g. Exadata, Advanced Compression, ASM, Golden Gate, DataPump, etc. Applications Disk Backups Exports Off-Site Facilities 42

43 Masking Data for Non-Production Use Preventive Control for Oracle Databases Oracle Data Masking Replace sensitive application data Extensible template library and formats Application templates available Referential integrity detected/preserved At source masking and sub-setting* Support for masking data in non-oracle databases LAST_NAME SSN SALARY AGUILAR ,000 BENSON ,000 Production Non-Production Test Dev LAST_NAME SSN SALARY ANSKEKSL ,000 *Requires use of Oracle Test Data Management Production BKJHHEIEDK ,000 43

44 Test Data Management Solutions Sensitive Data Identification Data Subsetting Data Relationship Modeling Test System Setup Data Masking 44 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

45 Data Discovery and Modeling Application Data Models Scans application schemas to model relationships between tables and columns Extract data relationships from Oracle Applications meta-data Oracle ebusiness Suite Oracle Fusion Applications Store referential relationships stored in repository Enables test data operations such as data subsetting, masking Data Relationship Modeling Sensitive Data Identification Test System Setup Data Subsetting Data Masking 45 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

46 Data Discovery and Modeling Sensitive Data Identification Sensitive data discovery Pattern-based database scanning Import from pre-built mask templates Data Masking Templates for Oracle Applications E-Business Suite Fusion Applications Data Relationship Modeling Sensitive Data Identification Test System Setup Data Subsetting Data Masking 46 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

47 Oracle Data Masking Comprehensive and Extensible Mask Library Mask formats for common sensitive data Accelerates solution deployment of masking Extensible mask routines Enables customization of business rules Define once, apply everywhere Ensures consistent enforcement of policies 47 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

48 Oracle Data Masking Sophisticated Masking Techniques Conditionbased Masking Compound Masking Compound Mask Sets of related columns masked together e.g. Address, City, State, Zip, Phone Condition-based Masking Specify separate mask format for each condition, e.g. driver s license format for each state SQL-expression based masking Use SQL functions, e.g. UPPER, SUBSTR, TO_CHAR, to generate mask values, e.g. SUBSTR(%ORIG_VALUE%,1,3) Copyright 2011, Oracle and/or its affiliates. All rights reserved.

49 E-Business Suite Data Masking E-Business Suite Masking Template Metadata for the EM Masking tool Columns, Relationships, and Masking rules for PII and Sensitive attributes for E-Business Suite products Instructions for wiping credentials after cloning (Support Note ) 950 Columns / 1900 rules 65% HCM - Payroll, Employment Details, Personal Info Also TCA, ATG, Financials, Projects Not split out by product or family De-identification needs to be done across the DB 49 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

50 Goals in Application Masking De-Identify the data Scramble identifiers of individuals (PII) Name, account, address, location, drivers license Mask sensitive data Mask the data that, if associated with PII, would cause privacy concerns Compensation Health Employment Information Maintain Data Validity 50 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

51 PersonaIIy Identifiable Information Categories Name Business Location Business Phone Business ID Accounts (Bank, debit, credit) Location External ID (drivers license) National ID (social security number) Web Site Phone 51 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

52 Personally Identifiable Information 50 Attributes Person Name Web Site Pension ID Number Maiden Name National Identifier Article Number Business Address Passport Number Civil Identifier Number Business Telephone Number Drivers License Number Hafiza Number Business Address Personal Address Social Security Number Custom Name Personal Telephone Number Trade Union Membership Number Employee Number Personal Address Pension Registration Number User Global Identifier Visa Number or Work Permit National Insurance Number Customer Number Bank Account Number Health Insurance Number Account Name Card Number (credit or debit) Personal Public Service Number Mail Stop Tax Registration Number or National Taxpayer Identifier Electronic Taxpayer Identification Number GPS Location Person Identification Number Biometrics Data Student Examination Hall Ticket Number Welfare Pension Insurance Number Digital ID Club Membership ID Unemployment Insurance Number Citizenship Number Library Card Number Government Affiliation ID Voter Identification Number Identity Card Number Military Service ID Residency Number (Green Card) Instant Messaging Address Social Insurance Number 52 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

53 Sensitive Data Compensation Employment details Nationality / Citizenship Health Information Personal information Mother's maiden name Passwords Encryption keys Audit information Session information 53 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

54 Privileged User Controls Preventive Control for Oracle Databases Database Vault Limit DBA access to application data Multi-factor SQL command rules Realms create protective zones Enforce enterprise data governance, least privilege, segregation of duties Out of the box application policies Applications Procurement HR Finance select * from finance.customers Security DBA DBA Applicatio n DBA 54

56 Database Activity Monitoring and Firewall Detective Control for Oracle and non-oracle Databases Oracle Audit Vault and Database Firewall Monitors network traffic, detect and block unauthorized activity Highly accurate SQL grammar analysis Can detect/stop SQL injection attacks Whitelist approach to enforce activity Users Apps Allow Log Alert Substitute Block Blacklists for managing high risk activity Scalable secure software appliance SQL Analysis Whitelist Blacklist Policy Factors 56

57 Audit, Report, and Alert in Real-Time Detective Control for Oracle and non-oracle Databases Oracle Audit Vault and Database Firewall Centralized secure repository delivered as secure, scalable software appliance Powerful alerting - thresholds, groupby Out-of-the box and custom reports Consolidated multi-source reporting Audit Data & Event Logs Oracle Database Firewall OS & Storage Directories Databases! Alerts Built-in Reports Custom Reports Policies SOC Auditor Built-in fine grain segregation of duties Custom Security Analyst 57

58 Oracle Audit Vault and Database Firewall New Solution for Oracle and Non-Oracle Databases Users Applications Database Firewall Allow Log Alert Substitute Block Firewall Events SOC Alerts! Auditor Security Analyst Built-in Reports Custom Reports Policies Audit Vault Audit Data OS, Directory, File System & Custom Audit Logs 58

60 Oracle Database Security Solutions Customer Benefits Enterprise ready Security and compliance Simple and flexible Speed and scale Customers Worldwide Rely on Oracle oracle.com/goto/database/security-customers 60

61 Oracle Database Security Solutions Key Benefits Enterprise Ready Security and Compliance Simple and Flexible Speed and Scale 61

62 Q&A 62

63 63