Enabling Effective Security in an Insecure World:
Data Protection, Identity/Access Management and Governance, Risk and Compliance
Agenda
• Business Drivers and Pain Points
• Oracle Solution: Oracle Advanced Security, Oracle Label Security, Oracle Audit Vault, Oracle Data Vault, Oracle Identity Management, Oracle Identity Federation, Oracle Internet Directory, Oracle Virtual Directory, Oracle Access Manager, Oracle Enterprise Single Sign-On
• Summary/Contact Info
Breaches Common Front Page News
Publicly Available = Public Exposure
Regulatory Compliance Challenges: Costly and Complex
• More global data privacy regulations: 90% of companies fail compliance
• Costly breach disclosure laws: $239/record, up to $35M/breach
• Complex IT requirements: separation of duties, proof of compliance, constant self-assessment, on-the-spot audit reporting
Regulations in scope: SOX, K-SOX, GLBA, PCI, HIPAA, EU Directives, Basel II, PIPEDA, J-SOX, SAS70, 21 CFR Part 11
Enterprise Security Strategy Goals: Mitigate Risk and Cost
• Provisioning: streamline onboarding and offboarding; automate user account add/modify/delete to the Content Server
• Simplify and secure access to all content: SSO, unified Web access control and Web Services security
• Secure stored data: securely store data in motion, data at rest and data in hibernation
• Role Management: holistic view of business users, job functions and entitlements
• Information Rights Management (IRM): protect sensitive/confidential information, audit usage, control actions; ensure destruction of obsolete/remote content based on business rules
IT Landscape
Users: Employees, Customers, Partners
Presentation Tier: Web Servers, Web Services (External)
Logic (Business) Tier: Packaged Apps (PSFT, EBS, Hyperion, Siebel, SAP), BI and Content Management, Portal and App Servers, Email / File Servers, Mainframe, Web Services (Internal)
Data Tier: Databases, Directories, Data Warehouses, Unstructured Content
Presentation Tier
This includes Web Servers, Fat Clients and externally exposed web services.
Presentation Tier Solutions
• Risk-Based Authentication: deploy online fraud detection; use stronger forms of authentication than a password, such as software authenticators
• Self Service: deploy web-based, self-help tools for password reset, registration and account administration
• Centralize Authorization: centralize the protection of your Web Applications AND Web Services
• Single Sign On: simplify user access with SSO for:
  1. Web-based Apps
  2. Client / Server-based Apps
  3. Partners with Federation
Logic (Business) Tier
This includes Packaged Applications, Application Servers, Mainframes, Email Servers and File Servers, as well as internal web services.
Logic (Business) Tier Solutions
• Identity Management: automate on-boarding, off-boarding and user changes based on HR data
• Enterprise-Level Role Management: mine, create and manage roles at an "Enterprise Level" spanning many applications
• Password Management: reduce the number of passwords by synchronizing them across systems
• Identity Audit/Governance: use an integrated, web-based system to:
  • Quickly tell you "Who has (and had) access to what?"
  • Schedule and delegate attestation of user entitlements
  • Notify you about rogue accounts
Data Tier
This includes Oracle and non-Oracle databases, directories, file shares, etc.
Data Tier Solutions
• Encryption: secure your data with integrated, tested and proven database options
• Database User Management: externalize and centralize users and passwords for database users in existing directories (like AD)
• Access Control: lock down access to ANY Oracle Database data (credit cards, employee data) from unauthorized access... even the DBA
• Lots of data stores, need a common view: create a single "virtual" LDAP view of heterogeneous data stores (directories, database tables, web services)
Data Defense in Depth
• Users: authenticate, access control
• Network: privacy and integrity of communications
• Data: privacy and integrity of data, comprehensive auditing
(Diagram: sample employee rows partitioned into Org 10, Org 20 and Org 30, with an Admin role.)
Data Privacy and Regulatory Compliance: Database Security Focus Areas
• Protecting Access to Application Data
• Data Classification
• Database Monitoring
• De-Identifying Information for Sharing
• Protecting Data-at-Rest
Protecting Data Access: Oracle Database Vault
• Prevent privileged users from accessing data outside their authorization
• Eliminate security risks from database consolidation
• Enforce separation of duties, least privilege, and other policies
• No changes to existing applications required
(Diagram: an HR Realm around the HR schema and a FIN Realm around the FIN schema; a generic DBA and the FIN App DBA issuing SELECT * FROM HR.EMP are stopped by the HR Realm, while the HR App DBA and FIN App DBA work inside their own realms.)
Oracle Database Vault: Real-Time Multi-Factor Authorization
• Command rules consider multiple factors (for example business hours and an unexpected IP address)
• Enforce two-admin rules and other security policies
• Prevent application by-pass and ad-hoc access
• Out-of-the-box policies for Oracle applications
(Diagram: an HR Application User and a FIN Application DBA issuing CONNECT ... and CREATE ... against HR and FIN, each evaluated against factors such as business hours and an unexpected IP address.)
Protecting Data-At-Rest: Oracle Advanced Security
• Protect sensitive application data by transparently encrypting: specific columns (credit cards), entire application tables, the new SecureFile type (images, documents)
• Automated built-in key management: two-tier scheme for separation of duties; Hardware Security Modules (HSM) integration
• No changes to applications required
• Network encryption
Data Classification: Oracle Label Security
• Classify data with labels
• Assign clearances to users
• Use the classification label to enforce "need to know" security policies
• Labels can be "factors" in Oracle Database Vault policies
(Diagram: rows labelled Confidential, Sensitive and Highly Sensitive; a user's label authorizations of Sensitive and Highly Sensitive determine which rows that user can see.)
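The following is an added example, not Oracle's code or the deck's, that works through the realm and command-rule decisions from the two Database Vault slides above and folds in the Label Security clearance check as a row-level factor, as the last bullet of the Label Security slide suggests. The account names, the 10.20.0.0/16 trusted subnet, the 08:00-17:59 business hours and the Confidential < Sensitive < Highly Sensitive ordering are assumptions.

```python
import ipaddress
import re

# Constructed policy mirroring the slides: realms fence the HR and FIN schemas off
# from everyone (a generic DBA included) except the listed accounts, command rules
# add context factors, and Label Security clearances gate individual rows.
REALMS = {  # realm -> (protected schemas, accounts authorized inside it)
    "HR Realm": ({"HR"}, {"HR_APP_DBA", "HR_APP_USER"}),
    "FIN Realm": ({"FIN"}, {"FIN_APP_DBA"}),
}
TRUSTED_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed corporate subnet
BUSINESS_HOURS = range(8, 18)                        # assumed 08:00-17:59 local
RULED_COMMANDS = {"CONNECT", "CREATE"}               # commands carrying a command rule
LEVELS = {"Confidential": 1, "Sensitive": 2, "Highly Sensitive": 3}  # assumed order
CLEARANCE = {"HR_APP_USER": "Sensitive", "HR_APP_DBA": "Highly Sensitive"}  # assumed

def parse(statement):
    """Return (command, schema) from SQL such as 'SELECT * FROM HR.EMP'."""
    words = statement.split()
    command = words[0].upper() if words else ""
    m = re.search(r"\b([A-Za-z_]\w*)\.[A-Za-z_]\w*", statement)
    return command, (m.group(1).upper() if m else None)

def realm_for(schema):
    return next((n for n, (s, _) in REALMS.items() if schema in s), None)

def realm_allows(user, schema):
    """Realm check: objects in a realm are reachable only by its authorized accounts."""
    realm = realm_for(schema)
    return realm is None or user.upper() in REALMS[realm][1]

def factors_allow(command, client_ip, hour):
    """Command rule: ruled commands only in business hours and from the trusted subnet."""
    if command not in RULED_COMMANDS:
        return True, "no command rule"
    if hour not in BUSINESS_HOURS:
        return False, "outside business hours"
    if ipaddress.ip_address(client_ip) not in TRUSTED_NET:
        return False, "unexpected IP address"
    return True, "factors satisfied"

def label_allows(user, row_label):
    """Label Security: a user sees a row only when cleared to at least its level."""
    return LEVELS[CLEARANCE.get(user.upper(), "Confidential")] >= LEVELS[row_label]

def authorize(user, statement, client_ip, hour, row_label=None):
    """Decide one statement as the slides' diagrams do; returns (allowed, reason)."""
    command, schema = parse(statement)
    if not realm_allows(user, schema):
        return False, f"{realm_for(schema)} blocks {user.upper()}"
    allowed, reason = factors_allow(command, client_ip, hour)
    if allowed and row_label and not label_allows(user, row_label):
        return False, f"not cleared for {row_label} rows"
    return allowed, reason
```

Note that the realm check runs before any factor: a generic DBA is refused on HR.EMP regardless of time of day or client address, which is the "even the DBA" point from the Data Tier Solutions slide.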
De-Identifying Shared Information: Enterprise Manager Data Masking Pack
• Turn sensitive information into non-sensitive information for sharing
• Consistent masking via extensible format library
• Maintains referential integrity for applications
• Automated data masking for databases enterprise-wide

Production Database:
LAST_NAME   CREDIT_CARD       AMT
AGUILAR     4408041254369873  80.00
BENSON      4417123456789112  60.00

Cloned Database (after Mask):
LAST_NAME   CREDIT_CARD       AMT
ANSKEKSL    4111111111111111  80.00
BKJHHEIEDK  4408041234567890  60.00
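To make the masking slide concrete, here is an added example (not the Data Masking Pack's own code) of consistent, format-preserving masking applied to the slide's two rows: a keyed PRF maps each surname and card number to the same pseudonym wherever it occurs, so a child table that references CREDIT_CARD still joins after masking, and masked card numbers keep 16 digits with a valid Luhn check digit. The masking key, the PAYMENTS child table and the exact output formats are assumptions.

```python
import hashlib
import hmac
import string

MASK_KEY = b"constructed-demo-key"  # assumed; a real deployment keeps it out of the masked copy

def _prf(value, salt):
    """Keyed PRF: equal inputs always mask to equal outputs, so masked values stay consistent."""
    return hmac.new(MASK_KEY, f"{salt}:{value}".encode(), hashlib.sha256).digest()

def luhn_check_digit(payload):
    """Digit that makes payload + digit pass the Luhn test used by card-number validators."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(pan):
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]

def mask_name(name):
    """Same-length pseudonym of uppercase letters, like ANSKEKSL on the slide."""
    return "".join(string.ascii_uppercase[b % 26] for b in _prf(name.upper(), "name")[:len(name)])

def mask_card(pan):
    """Keep the leading brand digit, replace the rest, recompute the Luhn digit (format preserved)."""
    body = "".join(str(b % 10) for b in _prf(pan, "card")[:len(pan) - 2])
    payload = pan[0] + body
    return payload + luhn_check_digit(payload)

MASKERS = {"LAST_NAME": mask_name, "CREDIT_CARD": mask_card}  # the "format library"; AMT untouched

def mask_rows(rows):
    """Apply the format library to every sensitive column present in each row."""
    return [{col: MASKERS.get(col, lambda v: v)(val) for col, val in row.items()} for row in rows]

def join_count(parents, children, key):
    """How many child rows still find their parent on `key` (referential integrity check)."""
    keys = {p[key] for p in parents}
    return sum(1 for c in children if c[key] in keys)

# Constructed production data: the slide's two rows plus a child table referencing them.
CUSTOMERS = [
    {"LAST_NAME": "AGUILAR", "CREDIT_CARD": "4408041254369873", "AMT": "80.00"},
    {"LAST_NAME": "BENSON", "CREDIT_CARD": "4417123456789112", "AMT": "60.00"},
]
PAYMENTS = [
    {"CREDIT_CARD": "4408041254369873", "AMT": "12.50"},
    {"CREDIT_CARD": "4417123456789112", "AMT": "7.25"},
    {"CREDIT_CARD": "4408041254369873", "AMT": "3.00"},
]
```

Because the mapping is keyed rather than random, masking CUSTOMERS and PAYMENTS in separate runs still yields matching keys; a random substitution would break the join unless both tables were masked from one shared lookup.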
Monitoring Database Activity: Oracle Audit Vault
• Manage audit data: secure consolidation of audit data from all Oracle databases; centrally manage all Oracle database audit settings
• Detect suspicious activities: monitor all database users, especially privileged users; alert on unauthorized activities
• Simplify compliance reporting: built-in compliance reports; define custom reports
(Diagram: audit data flows from Oracle Databases, and in future from other sources, into Oracle Audit Vault.)
Audit Vault Reports: Out-of-the-box Audit Assessments and Reports
• Out-of-the-box reports: privileged user activity, role grants, DDL activity
• User-defined reports: What did privileged users do on the financial database? What did user 'A' do across multiple databases? Who accessed sensitive data?
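The reports and the alert the two Audit Vault slides list, run over a constructed audit trail consolidated from two source databases; this is an added example, not Audit Vault's own report logic. The record layout, the privileged-account and sensitive-object lists and the business-hours alert rule are assumptions.

```python
from collections import defaultdict

# Constructed audit trail as Audit Vault would hold it after consolidating the HRDB
# and FINDB source databases; "hour" is the local hour at which the event occurred.
FIELDS = ("db", "user", "action", "object", "hour")
RAW = [
    ("FINDB", "FIN_APP_DBA", "SELECT", "FIN.LEDGER", 9),
    ("FINDB", "SYS", "GRANT", "DBA TO A", 23),
    ("FINDB", "SYS", "DROP", "FIN.AUDIT_COPY", 23),
    ("HRDB", "A", "SELECT", "HR.EMP", 10),
    ("FINDB", "A", "SELECT", "FIN.LEDGER", 11),
    ("HRDB", "HR_APP_USER", "UPDATE", "HR.EMP", 14),
    ("HRDB", "HR_APP_DBA", "CREATE", "HR.BONUS", 15),
]
AUDIT = [dict(zip(FIELDS, r)) for r in RAW]

PRIVILEGED = {"SYS", "SYSTEM", "FIN_APP_DBA", "HR_APP_DBA"}  # assumed privileged accounts
SENSITIVE_OBJECTS = {"HR.EMP", "FIN.LEDGER"}                 # assumed sensitive tables
DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
BUSINESS_HOURS = range(8, 18)                                # assumed 08:00-17:59

def privileged_activity(records, db=None):
    """Out-of-the-box report: what privileged users did, optionally on one database."""
    return [r for r in records if r["user"] in PRIVILEGED and (db is None or r["db"] == db)]

def role_grants(records):
    """Out-of-the-box report: role grants."""
    return [r for r in records if r["action"] == "GRANT"]

def ddl_activity(records):
    """Out-of-the-box report: DDL activity."""
    return [r for r in records if r["action"] in DDL]

def user_activity(records, user):
    """User-defined report: what one user did across every consolidated database."""
    by_db = defaultdict(list)
    for r in records:
        if r["user"] == user:
            by_db[r["db"]].append((r["action"], r["object"]))
    return dict(by_db)

def sensitive_access(records):
    """User-defined report: who accessed sensitive data, and which objects."""
    return sorted({(r["user"], r["object"]) for r in records if r["object"] in SENSITIVE_OBJECTS})

def alerts(records):
    """Alert rule: privileged DDL or role grants outside business hours are unauthorized."""
    return [r for r in records
            if r["user"] in PRIVILEGED and r["action"] in DDL | {"GRANT"}
            and r["hour"] not in BUSINESS_HOURS]
```

The cross-database view is what makes the second user-defined report possible: user A's SELECTs on HRDB and FINDB only line up once both trails sit in one store.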
Identity Management – Key Areas
• Access Control: Single Sign-On, Identity Federation, Web Access Control, Web Services Security*
• Identity Administration: User and Role Management, User Provisioning
• Identity Infrastructure: Virtual Directory, Directory
*Oracle Web Services Manager is licensed separately from the Identity and Access Management Suite
Enterprise Identity Management
(Diagram: the Identity Management Service sits between the users it serves and the systems and repositories it manages, with Auditing and Reporting, Policy and Workflow, and Monitoring and Management spanning the whole service.)
Internal users: Employees, IT Staff, Delegated Admin, SOA Applications
External users: Partners, Customers, SOA Applications
Systems and repositories: NOS/Directories, OS (Unix), Applications (ERP, CRM, HR, Mainframe)
Identity Management Service:
• Access Management: Authentication & SSO, Authorization & RBAC, Identity Federation
• Identity Administration: Delegated Administration, Self-Registration & Self-Service, User & Group Management
• Directory Services: LDAP Directory, Meta-Directory, Virtual Directory
• Identity Provisioning: Agent-based, Agentless, Password Synchronization
Oracle Identity Manager
Features: automated user provisioning and de-provisioning; rich, flexible connector framework; user-friendly request and policy wizards; sophisticated workflow and reconciliation engines; unique compliance automation and reporting
Benefits: reduced administration cost; improved end user experience; critical for regulatory compliance; improved security
Differentiators: enables compliance via comprehensive audit history and periodic attestation framework; powers the largest global provisioning implementation by number of targets; Adapter Factory significantly lowers the TCO of customers' solutions over time
(Diagram, "Application Driven Identity": a user created or removed in the HRMS triggers a workflow in the identity system that assigns or revokes roles and privileges and provisions accounts and access rights in the business applications.)
Oracle Identity Federation
Features: identity and trust sharing across business partners, both as Service Provider (Hub) or Identity Provider (Spoke); lightweight, multi-protocol gateway (SAML, Liberty, WS-Federation); integrates with leading Identity Management platforms
Benefits: reduced cost of interaction between business partners; reduced administration cost; improved end user experience
Differentiators: self-contained, easy to deploy solution; flexible deployment configurations; rich, 100% web-based configuration interfaces for improved administrator and end user experience; proven scalability with large production deployments
Oracle Internet Directory
Features: full-featured LDAP server with an RDBMS data store; industry-leading scalability and HA capabilities; strong Oracle platform integration; VSLDAP certified and EAL4 compliant
Benefits: reduced operational cost with Oracle Grid support; seamless integration with Oracle Applications and Products
Differentiators: RDBMS backend provides proven scalability and performance; rich, built-in auditing of all events and operations; flexible data replication and redundancy features; ships with built-in directory integration functionality
Oracle Virtual Directory
Features: virtualization, proxy, join and routing capabilities; modern Java and Web Services technology; superior extensibility; scalable multi-site administration; direct data access
Benefits: perform real-time directory integration; accelerate application deployment; lower development costs
Differentiators: lightweight and flexible architecture; supports true virtualization without a local cache, enabling stringent policy or privacy requirements; modular architecture supports the addition of connectors to a wide array of identity stores
(Diagram: LDAP and Web Services clients reach the VDE directory engine through a web gateway; a join view spans a local store and LDAP, DB, NT and custom back-ends.)
Oracle Access Manager
Features: multi-level, multi-factor authentication; Web and App server level authorization; workflow-driven self-service and delegated administration; services-based architecture eases integration with existing IT infrastructure
Benefits: policy-based access management; centralized and consistent security across heterogeneous environments; reduced administration cost; increased IT governance and compliance readiness
Differentiators: administrative scalability via workflow and delegation; access control leverages up-to-date identity information; comprehensive auditing to a common database
(Diagram: Authentication, Authorization, Identity Admin)
Oracle Enterprise Single Sign-on (ESSO) Suite
• Oracle ESSO Logon Manager is an event-driven single sign-on solution that eliminates the need for end users to remember and manage their sign-on credentials
• Oracle ESSO Password Reset enables end users to reset their Windows password from a locked workstation (note: also available stand-alone)
• Oracle ESSO Authentication Manager enables end users to authenticate with forms of strong authentication and grant specific levels of access based on the form of authentication
• Oracle ESSO Provisioning Gateway enables OIM to add, edit and delete credentials within an end user's Oracle ESSO credential store
• Oracle ESSO Kiosk Manager provides fast user switching and sign-on/sign-off support for kiosk users
Oracle Enterprise Security Solutions: Addresses Top 3 Security Focus Areas
Focus areas: IT Governance, IT Risk Management, IT Compliance
Products mapped across these areas: Oracle Access Manager, Oracle eSSO Suite, Advanced Security Option, Oracle Secure Backup, Oracle Identity Federation, Oracle Virtual Directory, Oracle Identity Manager, Oracle Internet Directory, Oracle App Server SSO, Database Vault, Oracle Label Security, Oracle Audit Vault, Contents DB/Records DB, Oracle Web Services Manager, Oracle IRM (sensitive documents), Oracle OAACG (Application Control)
Strongest Vendor According To
"Oracle is currently the IdM vendor to beat" - VantagePoint 2007: Identity and Privacy Trends in Enterprise IT
"Oracle continues to increase in mindshare while broadening its IdM portfolio." - VantagePoint 2008: Identity and Privacy Trends in Enterprise IT
Market Leader According To
"Oracle has established itself as Leader." - The Forrester Wave: Identity And Access Management, Q1 2008
"Oracle reached the top of our evaluation through a combination of the breadth, depth, interoperability, and packaging of its IAM features alongside the strategy and current state of market execution on its application-centric identity vision." - The Forrester Wave: Identity And Access Management, Q1 2008
TUSC – Trusted Oracle Expertise Across Technology and Applications
Information Age Applications:
• Oracle E-Business Suite
• PeopleSoft Enterprise
• Siebel CRM
• JD Edwards EnterpriseOne
• JD Edwards World
• Oracle Retail
• i-flex
• Communications Billing
• ProfitLogic
• G-Log
Fusion Middleware:
• Application Server
• Integration / SOA
• Hot-Pluggable
• Business Intelligence
• Identity Management
• Data Hubs
• Collaboration Services
• Process Orchestration
• Java Development Tools
Database and Grid Computing:
• Database
• Real Application Clusters (RAC)
• Enterprise Manager
• Partitioning
• OLAP
• Security
• Lite
• Times Ten
Contact Us
West: Brian Decker, [email protected], (626) 836-9574
South/Central: Lisa DiNitto, [email protected], (770) 325-2191
East/Central: Mike Margulies, [email protected], (203) 293-4422
For additional information and consultation: Oracle Investment Value Analysis™
• Review of existing Oracle topology and architecture, including deployment growth and capacity analysis
• Review of existing Oracle license ownership and license surplus/exposure analysis
• License optimization recommendations, including leveraging maximum available discounts and financing options
• Solutions Requirements Assessments: Security/Identity/Compliance healthcheck and other delivery options