OracleAS Identity Management: Solving Real World Problems
Web applications are great...
  - Inexpensive development
  - Rapid deployment
  - Access from anywhere
  BUT they can be an administrative and usability nightmare!
Business Problem
  - Many more users of your business system
    - Anyone with a PC has potential access
    - Not all users are employees or students: partners, suppliers and hackers
  - Managing users is more complicated
    - Authorized users need to access multiple applications
    - Proliferation of accounts, passwords, privileges
  - Critical business applications and data are online
    - Real risk is greater; awareness of risk is also greater
    - Legal mandates for protection of certain data
IT operational challenges
  - New employee or student enrollment
    - Create identity and credentials for the user
    - Create accounts for all applications he/she needs
    - Define authorizations
  - User's organizational role changes (or user terminated)
    - Automate privilege changes in applications
    - Revoke accounts and authorizations for all applications he/she had access to
    - Disable user's identity and credentials
IT operational challenges, contd.
  - Manage user authentication securely
    - Enforce password complexity
    - Detect and prevent password attacks
    - Implement efficient procedures for password resets
  - Deploy a new application
    - Integrate the application with the corporate Portal
    - Delegate administration
    - Leverage an existing authentication service
    - Automate account provisioning for the application
    - Maintain synch among existing directories such as AD
IT operational challenges, contd.
  - Support complex deployment scenarios
    - Deploy many applications and servers securely, with least privilege
    - Decentralized IT administration
    - High availability
    - Support load balancers, firewalls, HW accelerators
Oracle's Solution
  - Security platform enabled by Oracle Identity Management
  - Platform components with high assurance
What is Identity Management?
  Identity management is the process by which the complete security lifecycle for users and other entities is managed and controlled for an organization or community of organizations.
Identity Management Infrastructure
  - An enterprise directory - Oracle Internet Directory (OID)
    - Directory of users, groups, applications, roles & policies
  - Meta-directory platform and connectors - Directory Synchronization Service (DSS)
  - Access management services
    - Single Sign-on (SSO)
    - Centralized authorization repository (OID)
  - Provisioning platform - Provisioning Integration Service (PIS)
    - Provisioning policy and account management tools
    - Provisioning integration platform
      - Provisioning event propagation, workflow automation
      - Provisioning connectors
Identity Management Infrastructure
  - Delegated Administration Services (DAS)
    - End user self-service tools
    - Enterprise user, group and role management tools
    - Application administration delegation tools
  - Public Key Infrastructure Services
    - Oracle Certificate Authority (OCA)
    - Certificate / key archives
    - Online certificate status
  - Auditing and security monitoring services
    - Enterprise audit policy management tools
    - Central audit log archive and mining tools
Identity Management Benefits
  - Saves money
    - Centralized user management reduces admin cost
    - Easier to automate and less error prone
  - Improves security
    - By preventing fragmented security
  - Enhances user experience
    - Single password and Single Sign-on
    - Personalization
    - Delegated Administration and Self-service
Oracle Identity Management in Oracle Security Architecture
  [Architecture diagram] Identity management layer: Oracle Internet Directory, OracleAS SSO, Delegated Administration Services, Oracle Certificate Authority, Provisioning Service, Directory Integration Services; integrates with a 3rd Party Authentication Service and a 3rd Party Directory Service.
  Consumers and their access-control models: OracleAS 10g (JAAS Roles, Component access controls, Java2 Permissions, Enterprise Roles); Oracle 10g RDBMS (VPD, Label Security, ...); Oracle E-Business Suite (E-Biz Responsibility); Oracle Collaboration Suite (File privileges, Secure Mail, Interpersonal Rights granting); OracleAS (9i or 10g).
Oracle Identity Management Value Proposition
  - An enterprise infrastructure that leverages Oracle's unbreakable technology
    - Reliability, scalability, security, performance
  - Enables deployment of all Oracle products out of the box
    - AS, DB, OCS, E-Business Suite
  - A single point of integration for customers' existing identity management solutions
    - Transparent 3rd party integration for OIM-enabled products
  - An open, standards-based infrastructure that accommodates a wide variety of partner solutions and customer deployments
Specific Problems and Solutions
New Student Enrollment
  - Create user in OID - creates user in the enterprise
    - Oracle products recognize the identity
    - Third party (e.g., AD) provisioning via PIS
  - Improved provisioning support through OIM
    - Single user in OID
    - Student System-based provisioning through PIS
    - Windows (and other third party) integration via DSS
    - Automated certificate provisioning with OCA
User's organizational role changes
  - Change role and/or remove user from OID
    - Directly via DAS or indirectly via PIS
  - Immediately changes the user in OIM-aware applications
  - Other applications can be synchronized via DSS, PIS
  - Dynamic group support in OID
Manage User Authentication Securely
  - Single Sign-On
    - OracleAS SSO for web single sign-on
    - Enterprise User Security for client-server SSO to database
  - Multilevel authentication in OracleAS SSO 10g
  - Windows Native Authentication
  - Proxy authentication for multi-tier database access
  - Advanced password management policies in OID
    - Password history, password hints and reset upon expiry
    - IP address based lockout policies
    - Centralizes password management for OIM-based applications
Manage User Authentication Securely, cont.
  - External authentication plug-ins for 3rd party LDAP
  - DAS management of account lockout status
  - DAS Self Service password hint and password reset
  - Standalone database continues to support customizable password management
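The two slides above list the password controls the directory enforces (complexity, history, IP address based lockout) and the administrative lockout reset DAS exposes. The following is an added example, not Oracle's code and not how OID implements these policies internally: a small in-memory policy engine that applies complexity rules, keeps a salted-hash history so old passwords cannot be reused, and counts failed attempts per account and per source address. The thresholds, window length and rule set are assumptions chosen for the example.

```python
"""Password policy and lockout checks (added illustration, not Oracle's code).
Complexity rules, a per-user history of salted PBKDF2 digests (clear text is
never stored) and failed-attempt lockout keyed by account and by client IP.
All thresholds below are assumptions for the example."""
import hashlib
import os
import re
import time
from collections import defaultdict, deque

MIN_LENGTH = 10
HISTORY_SIZE = 5          # assumed: previous passwords a user may not reuse
USER_LOCK_THRESHOLD = 5   # assumed: failures before the account locks
IP_LOCK_THRESHOLD = 20    # assumed: failures from one address before it is blocked
LOCK_WINDOW = 600         # assumed: seconds a failure stays counted


def complexity_violations(password):
    """Return the list of complexity rules the candidate password breaks."""
    checks = {
        f"at least {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
        "an upper-case letter": re.search(r"[A-Z]", password) is not None,
        "a lower-case letter": re.search(r"[a-z]", password) is not None,
        "a digit": re.search(r"[0-9]", password) is not None,
        "a non-alphanumeric character": re.search(r"[^A-Za-z0-9]", password) is not None,
    }
    return [rule for rule, ok in checks.items() if not ok]


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-entry salt; only digests are retained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordStore:
    """Current credential per user plus a bounded history of old digests."""

    def __init__(self):
        self.current = {}                                   # user -> (salt, digest)
        self.history = defaultdict(lambda: deque(maxlen=HISTORY_SIZE))

    def reused(self, user, password):
        return any(_hash(password, salt) == digest for salt, digest in self.history[user])

    def set_password(self, user, password):
        """Apply complexity and history rules; return violations (empty on success)."""
        problems = complexity_violations(password)
        if self.reused(user, password):
            problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        entry = (salt, _hash(password, salt))
        self.current[user] = entry
        self.history[user].append(entry)    # the current password is part of the history
        return []

    def verify(self, user, password):
        if user not in self.current:
            return False
        salt, digest = self.current[user]
        return _hash(password, salt) == digest


class LockoutPolicy:
    """Failed-attempt timestamps keyed by ("user", name) and ("ip", address)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)

    def _recent(self, key):
        cutoff = self.clock() - LOCK_WINDOW
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def is_locked(self, user, ip):
        return (self._recent(("user", user)) >= USER_LOCK_THRESHOLD
                or self._recent(("ip", ip)) >= IP_LOCK_THRESHOLD)

    def record_failure(self, user, ip):
        now = self.clock()
        self.failures[("user", user)].append(now)
        self.failures[("ip", ip)].append(now)

    def unlock(self, user):
        """Administrative reset of the account counter (the DAS lockout-status function)."""
        self.failures[("user", user)].clear()


def authenticate(store, lockout, user, password, ip):
    """Return 'ok', 'locked' or 'denied'; a locked account or address is refused first."""
    if lockout.is_locked(user, ip):
        return "locked"
    if store.verify(user, password):
        return "ok"
    lockout.record_failure(user, ip)   # unknown users count too, so enumeration is no cheaper
    return "denied"
```

The address counter has a higher threshold than the account counter because one address can legitimately serve many users (a proxy or a lab), while the account counter is what stops a guessing run against a single login; both windows expire so a lockout is temporary unless an administrator intervenes.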
Deploy New Application
  - OID/SSO provide authentication and authorization services which are shared across the enterprise
  - Many hooks to leverage OID/SSO
    - mod_osso
    - JAZN
    - Partner application toolkit
    - Enterprise users (for database applications)
  - PIS provides automated account provisioning
  - DSS, PIS support synch with existing directories
Deploy New Application, cont.
  - Direct JAAS integration with a 3rd party directory via the LoginModule API
  - DAS supports a delegated administrative model
    - Can delegate admin authority to components of the overall directory tree
    - Can delegate admin authority down to the attribute level
  - New install/admin model in OracleAS ensures least privilege for instance administration
Windows Integration
  - Windows Directory Connector for Oracle Internet Directory
    - Pre-packaged solution for Windows directories
    - Built on Oracle Directory Integration Platform
  - Windows Native Authentication
    - Automatic logon to AS based on Windows logon
    - Improves Windows user experience
  - Windows Authentication and Password Plug-ins
    - Referral of authentication to Windows O/S; password synchronization not required
    - Update of Windows passwords from Oracle administration tools
User Provisioning from Windows
  [Flow diagram] Components shown: Windows Environment, Microsoft ADS, Oracle Internet Directory, Delegated Administration Console, Oracle9iAS Single Sign-On, Oracle Portal, Oracle E-Business Suite Release 11i.
  1 - Add user (Windows Environment)
  2 - User created in ADS
  3 - User synchronized with OID
  4 - User provisioned in Oracle environment
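The four-step flow above, together with the earlier role-change slide (change or remove the user in OID, propagate to OIM-aware applications, synchronize the rest via DSS/PIS, dynamic groups), describes one synchronization-and-provisioning loop. The following is an added example, not Oracle's code and not the DSS/PIS implementation: a snapshot of an AD-like source directory is compared with an OID-like target, the difference becomes create / modify / disable events, and registered application connectors act on each event. The attribute names, the "department drives group membership" dynamic-group rule, and the decision to disable rather than delete departed users are assumptions of the example.

```python
"""Directory synchronization with provisioning fan-out (added illustration,
not Oracle's code). Source records flow into a single target identity; each
change is emitted as an event that application connectors consume. Attribute
names and the dynamic-group rule are assumptions for the example."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    uid: str
    cn: str
    department: str
    enabled: bool = True
    groups: set = field(default_factory=set)


# Dynamic group rule (assumed): membership is derived from the department attribute,
# so a role change in the source changes group membership without manual edits.
DYNAMIC_GROUPS = {"finance": "cn=finance-users", "registrar": "cn=registrar-users"}


def dynamic_groups(entry):
    g = DYNAMIC_GROUPS.get(entry.department)
    return {g} if g and entry.enabled else set()


class Connector:
    """Application-side account store that reacts to provisioning events."""

    def __init__(self, name):
        self.name = name
        self.accounts = {}                  # uid -> {"active": bool, "roles": set}

    def on_event(self, kind, entry):
        if kind == "create":
            self.accounts[entry.uid] = {"active": True, "roles": set(entry.groups)}
        elif kind == "modify":
            acct = self.accounts.setdefault(entry.uid, {"active": True, "roles": set()})
            acct["roles"] = set(entry.groups)       # roles no longer held are revoked
        elif kind == "disable":
            # Disable rather than delete so ownership and the audit trail survive.
            if entry.uid in self.accounts:
                self.accounts[entry.uid].update(active=False, roles=set())


class Directory:
    """OID-like target: one identity record per user plus event fan-out."""

    def __init__(self):
        self.entries = {}
        self.connectors = []

    def synchronize(self, source):
        """Apply one source snapshot; return the (kind, uid) events emitted."""
        events = []
        seen = set()
        for src in source:
            seen.add(src.uid)
            desired = Entry(src.uid, src.cn, src.department, src.enabled)
            desired.groups = dynamic_groups(desired)
            cur = self.entries.get(src.uid)
            if cur is None:
                kind = "create"
            elif cur.enabled and not desired.enabled:
                kind = "disable"
            elif desired != cur:
                kind = "modify"
            else:
                continue                          # nothing changed for this user
            self.entries[src.uid] = desired
            events.append((kind, src.uid))
            for c in self.connectors:
                c.on_event(kind, desired)
        # A user that vanished from the source is treated as terminated.
        for uid, cur in self.entries.items():
            if uid not in seen and cur.enabled:
                cur.enabled, cur.groups = False, set()
                events.append(("disable", uid))
                for c in self.connectors:
                    c.on_event("disable", cur)
        return events
```

The comparison is against the whole desired record, so a department change becomes a "modify" that both updates the directory entry and rewrites the connector's role set, which is how a role change revokes the old application privileges rather than accumulating them.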
Improved Admin Privilege Model
  - Least privilege for install/admin
  - Separation of install and runtime admin privileges
  - Privilege to administer one 9iAS instance doesn't imply privilege to administer every instance
  - Allows multiple 9iAS instances to share an infrastructure securely
  - Greatly improves security for real world deployments
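This slide and the earlier "Deploy New Application, cont." slide describe two scoped-privilege checks: delegated administration limited to a directory subtree and, optionally, to named attributes; and instance administration that is separate from install rights and from every other instance. The following is an added example, not Oracle's code and not how DAS or OracleAS store their access control: a DN-suffix subtree test, an attribute-level grant table, and a separate instance-admin table. The DNs, attribute names, administrator names and instance names are constructed for the example.

```python
"""Delegated-administration and instance-admin checks (added illustration,
not Oracle's code). Grants are scoped to a directory subtree and optionally
to attributes; install and per-instance admin rights are kept apart.
All DNs, attributes and names below are constructed for the example."""
from dataclasses import dataclass


def dn_parts(dn):
    """Split an LDAP DN into RDNs, most specific first, normalized for comparison."""
    return [p.strip().lower() for p in dn.split(",")]


def within_subtree(target_dn, scope_dn):
    """True when target_dn equals scope_dn or lies beneath it (component-wise suffix
    match, so ou=students2 is never mistaken for a child of ou=students)."""
    t, s = dn_parts(target_dn), dn_parts(scope_dn)
    return len(t) >= len(s) and t[len(t) - len(s):] == s


@dataclass(frozen=True)
class Grant:
    admin: str                              # DN of the delegated administrator
    scope: str                              # subtree the grant covers
    attributes: frozenset = frozenset()     # empty means any attribute in the subtree


class DelegationPolicy:
    """Attribute-level delegation: a grant must cover both the entry and the attribute."""

    def __init__(self, grants):
        self.grants = list(grants)

    def may_modify(self, admin, target_dn, attribute):
        for g in self.grants:
            if g.admin.lower() != admin.lower():
                continue
            if not within_subtree(target_dn, g.scope):
                continue
            if g.attributes and attribute.lower() not in g.attributes:
                continue
            return True
        return False                        # default deny: no matching grant


class InstanceAdminModel:
    """Install privilege and per-instance runtime administration are separate rights."""

    def __init__(self):
        self.installers = set()
        self.instance_admins = {}           # instance -> set of admins

    def grant_install(self, admin):
        self.installers.add(admin)

    def grant_instance(self, instance, admin):
        self.instance_admins.setdefault(instance, set()).add(admin)

    def may_install(self, admin):
        return admin in self.installers

    def may_administer(self, admin, instance):
        # Rights on one instance never imply rights on another, and installing
        # the software does not imply administering any running instance.
        return admin in self.instance_admins.get(instance, set())
```

Attribute names are lower-cased before comparison because LDAP attribute types are case-insensitive; a grant written as "userpassword" must match a request for "userPassword". The instance table is keyed by instance first so that a lookup for an unknown instance yields an empty set and therefore a denial.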
Case Study: Golden Gate University's Legacy Environment
  - Operating systems: Solaris, Windows, MPE/ix, Netware, Mac OS, Digital Unix
  - Hardware platforms: SUN (Sparc), Dell (Intel), HP 3000, Macintosh, DEC Alpha
  - Databases: Oracle, SQL Server, Access, FoxPro, HP Image
  - Development: ColdFusion, HTML, JavaScript, UniBasic
  - No common code, data, OS, management process, customer experience
GGU's new Web Architecture
  [Architecture diagram, tiers top to bottom]
  - Application Layer: JSP Pages / XML / HTML; Portal; Human Resources, Financials, Student Data Mining / Reporting; migrated legacy apps / File / Print / Messaging
  - Application Server / Business Tier: Oracle Text Search, Oracle Collaboration Suite
  - Enterprise Database (Physical Data Layer): Oracle 9i Enterprise Edition DBMS; LDAP - Oracle OID
  - Server Tier: Linux / Solaris on IBM servers
  - Storage Tier: Storage Area Network
Summary
  - Key Business Problem
    - Address security threats
    - Manage users efficiently, intelligently
  - Key Solution Features
    - Complete security for real world deployments
    - Pervasive high assurance, common across Oracle components
    - Supports a wide range of deployment options
  - Identity Management Suite
    - Integrated solution for Oracle products
    - Enterprise scalability, reliability, performance
Summary, cont.
  - Key Oracle Differentiators
    - Reputation for reliability, scalability, availability, assurance
    - Oracle offers nearly all the enterprise pieces: App Server, database, apps, collab suite
    - Security and Identity Management is pervasive, integrated