icam oracle-webcast-2012-10-10

Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

Upload: oracleidm

Post on 16-Jan-2015

Slides from an Oracle ICAM webcast on 10/10/2012

Page 1: Icam oracle-webcast-2012-10-10


Page 2: Icam oracle-webcast-2012-10-10

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 3: Icam oracle-webcast-2012-10-10

ICAM Framework for Enabling Agile, Flexible Service Delivery

Derrick Harcey, P.E., CISSP, Enterprise Security Architect

Darin Pendergraft, Principal Product Marketing Director

Page 4: Icam oracle-webcast-2012-10-10

Agenda

• ICAM Overview

• Oracle Identity Platform

• Deployment Recommendations

• Questions

Page 5: Icam oracle-webcast-2012-10-10

ICAM Overview

Page 6: Icam oracle-webcast-2012-10-10

Identity Management Evolution

[Timeline figure. Axis: 1990s, 2000s, 2010, Current. Labels: Password Mgmt; Audit; Single Sign-on; Automation; Governance; WAM; IDM; Analytics.]

Page 7: Icam oracle-webcast-2012-10-10

Government Security Momentum

[Timeline figure. Axis: 1990s, 2000s, 2010, Current.]

• HIPAA - 1996

• e-authentication

• Federal PKI – 2002

• FISMA

• PIV, PIV-I, HSPD-12

• NIEM 1.0

• Federal Identity, Credentialing and Access Management (FICAM)

• NIEM 2.0

• HITECH

• OMB 11-11

• ARRA mandates State HIE compliance by 2014; HIX

• SICAM Roadmap released

• National Strategy for Trusted Identities in Cyberspace (NSTIC)

Page 8: Icam oracle-webcast-2012-10-10

Identify Security Controls: Model for Classification and Trust (NIST 800-37 / FISMA)

[Process figure with three columns: Step, Process Standards, Outcome.]

Steps:

Step 1: Categorize Information System

Step 2: Select Security Controls

Step 3: Implement Security Controls

Step 4: Assess Security Controls

Step 5: Authorize Information System

Step 6: Monitor Security Controls

Process standards cited in the figure: NIST 800-53, NIST 800-30; NIST 800-63, NIST 800-37, FIPS 199; NIST 800-63, NIST 800-53; NIST 800-63; NIST 800-53, NIST 800-53A; NIST 800-37, NIST 800-53, NIST 800-53A

Outcomes cited in the figure: Data Classification; Impact Assessments and Authentication Levels; Authentication and Identity Proofing requirements; Identity Management Controls Implemented; Initial Security Certification and Accreditation; Annual Certification and Accreditation

Overall process standards: NIST SP 800-37, NIST SP 800-18, NIST SP 800-60, NIST SP 800-53

Page 9: Icam oracle-webcast-2012-10-10

NIST 800-63 Authentication Assurance Levels

Assurance Level – High Level Requirements

Level 1 – Secure pseudonym without ID proofing - password

Level 2 – Secure pseudonym with ID proofing - password

Level 3 – Two factor authentication with ID proofing

Level 4 – Hard crypto with ID proofing

Source: NIST 800-63, National Institute of Standards and Technology: http://www.nist.gov

Page 10: Icam oracle-webcast-2012-10-10

Federal Identity, Credential and Access Management (FICAM)

"The purpose of the Roadmap is to outline a common framework for ICAM within the Federal Government and to provide supporting implementation guidance for agencies as they plan and execute their architecture for ICAM programs."

- Federal Chief Information Officer (CIO) Council - ICAM Roadmap

Page 11: Icam oracle-webcast-2012-10-10

State Identity, Credential and Access Management (SICAM)

"The implementation of SICAM initiatives will facilitate the creation of government services that are more accessible, efficient, and easy to use."

- NASCIO SICAM Roadmap and Implementation Guidelines

Page 12: Icam oracle-webcast-2012-10-10

ICAM Architecture

• Centralized Services

• Standards Based Enterprise Architecture

• Foundation for Trust and Interoperability

[Diagram: FICAM Services, SICAM Services, SUNY]

Page 13: Icam oracle-webcast-2012-10-10

Requirement / Oracle Product Mapping

Oracle ICAM components mapped to the NIST 800-63 model:

• Token

• Identity Proofing

• Authentication

• Assertion

Page 14: Icam oracle-webcast-2012-10-10


FICAM – Service Framework

Page 15: Icam oracle-webcast-2012-10-10

Identity and Access Management: Modern, Innovative & Integrated ICAM Foundation

Identity Governance

• Access Request & Approval

• Roles based User Provisioning

• Risk-based Access Certification

• Closed Loop Remediation

• Role Mining & Management

• Privileged Account Management

Access Management

• Mobile Access Management

• Social Identity Access

• Single Sign-On & Federation

• Authentication + Credentials

• Authorization & Entitlements

• Web Services Security

Directory Services

• Elastic Scalability

• Proxy-based Search

• LDAP Storage

• Virtualized Identity Access

• LDAP Synchronization

Platform Security Services

Page 16: Icam oracle-webcast-2012-10-10


Oracle Identity Platform

Page 17: Icam oracle-webcast-2012-10-10

Identity and Access Management Platform

Governance

• Password Reset

• Privileged Accounts

• Access Request

• Roles Based Provisioning

• Role Mining

• Attestation

• Separation of Duties

Access

• Web Single Sign-on

• Federation

• Mobile, Social & Cloud

• External Authorization

• SOA Security

• Integrated ESSO

• Token Services

Directory

• LDAP Storage

• Virtual Directory

• Meta Directory

Platform Security Services

Page 18: Icam oracle-webcast-2012-10-10

Oracle IDM – Themes and Drivers: Simplify and Innovate

• Simplified Experience

• Cloud, Mobile and Social

• Extreme Scale

• Clear Upgrade Path

• Faster Deployment

• Lower TCO

• Modernized Platform

Page 19: Icam oracle-webcast-2012-10-10

Oracle Identity Governance: Provisioning, Certification, Role Governance, SoD

• Self Service

• Actionable compliance dashboards (80+ OOTB)

• 360 deg. view of user access

• Role Governance

– Role Mining

– Role Consolidation

– Role Versioning

Page 20: Icam oracle-webcast-2012-10-10

End-User friendly User Interface: Browser-based customizable UI

Page 21: Icam oracle-webcast-2012-10-10

Access Request: Shopping Cart Simplicity

[Figure with the steps: Browse; Search & Select; Track Receipt / Confirmation]

Page 22: Icam oracle-webcast-2012-10-10

Access Certification: Making Certification sustainable

• Spreadsheet approach

• Risk Analytics

• Business – IT collaboration

Page 23: Icam oracle-webcast-2012-10-10

WORK IS SOCIAL

44% plan to social enable applications in the near future (Source: Enterprise Strategy Group 2012)

82% of the world reached by social media sites (Source: comScore Data Mine, Jan 2012)

Page 24: Icam oracle-webcast-2012-10-10

New Access Management: Cloud, Mobile, Social

Sign-on

• Social Trust

• REST Sign-on

• Fraud Detection

• Mobile Sign-on

• Device Attributes

• Location Data

Page 25: Icam oracle-webcast-2012-10-10

Context Aware Access Management Example

Get Citizen Information: John, Doe; 99343 Anywhere Street, Waterson Street, MD 20147; 555-223-2233; 444-33-2222

Request time: Tuesday April 10th, 2:15 am PDT

Behavioral Patterns

• Has he had accesses between 00:00 – 03:00 in the last two months?

• Has he used this device more than 20% in the last three months?

• Does the subject live in the same residence as the requestor?

• Does he usually perform citizen lookups?

Valid credentials given from inside the network, but already logged in from outside the network. Which session is really who we think it is?

Page 26: Icam oracle-webcast-2012-10-10

PII Protection & Data Redaction

[Diagram: HTTP / REST / SOAP / OAuth clients → Request → Oracle Enterprise Gateway → Oracle Entitlements Server → User Service → Response (JSON)]

User Service operations:

- getUserDetail

- updateUser

- deleteUser…

Authorization check made for the request:

isAuthorized(user = Bob Doe, Acme Corp; Device = iOS 5.0, non-registered; Location = 37.53043790,-122.26648800; userId = 99999; action = getUserDetail)

Oracle Entitlements Server

• Context Aware Authorization of Transactions

• Authorization for REST APIs

• Selective Data Redaction of the response payload

• Authorization Service can also be exposed directly to any client, even mobile

Oracle Enterprise Gateway

• Threat Detection & Protection

• API Security & Management

• Secure Cloud Connectivity

• Mobile Access Gateway

Redacted JSON response returned to the client:

    {
      "UserDetailResponse": {
        "userID": "99999",
        "name": "Sally Smith",
        "phone": "555-1234567",
        "SSN": "***********",
        "creditCardNo": "@^*%&@$#%!",
        "purchaseHistory": "..."
      }
    }
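To make the PDP/PEP flow on this slide and the previous one concrete, here is an added Python example that is not Oracle Entitlements Server or Enterprise Gateway code and does not come from the webcast: a constructed risk policy scores the contextual signals from the two slides (device registration and usage share, off-hours access history, whether the user usually performs the action, a concurrent session from outside the network), turns the score into a decision, and selectively redacts the sensitive fields of the UserDetailResponse payload. The point weights, thresholds, field names and sample values are assumptions.

```python
"""Context-aware authorization followed by selective response redaction.
Added example, not Oracle code; weights, thresholds, fields and sample data are constructed."""
from dataclasses import dataclass

@dataclass
class RequestContext:
    user: str
    action: str
    request_hour: int                  # local hour of the request, 0-23
    device_registered: bool            # device enrolled for this user?
    device_usage_share_90d: float      # share of logins from this device, last 3 months
    off_hours_accesses_60d: int        # accesses between 00:00 and 03:00, last 2 months
    usually_performs_action: bool      # does this user normally run this action?
    concurrent_external_session: bool  # same credential already active outside the network

# Payload fields a partially trusted requester must not see in clear (constructed policy).
SENSITIVE_FIELDS = ("SSN", "creditCardNo")

# Constructed sample User Service response (fake test values).
SAMPLE_RESPONSE = {
    "userID": "99999", "name": "Sally Smith", "phone": "555-1234567",
    "SSN": "123-45-6789", "creditCardNo": "4111111111111111", "purchaseHistory": "...",
}

def risk_score(ctx):
    """Add constructed risk points for each contextual signal that looks anomalous."""
    score = 0
    if not ctx.device_registered:
        score += 2
    if ctx.device_usage_share_90d < 0.20:  # device seen less than 20% of the time
        score += 1
    if ctx.request_hour < 3 and ctx.off_hours_accesses_60d == 0:  # first 00:00-03:00 access
        score += 1
    if not ctx.usually_performs_action:
        score += 1
    if ctx.concurrent_external_session:  # which session is really the user?
        score += 2
    return score

def is_authorized(ctx):
    """Policy decision point: map the risk score to a decision (constructed thresholds)."""
    score = risk_score(ctx)
    if score >= 5:
        return "DENY"
    if score >= 3:
        return "STEP_UP"          # challenge for additional identity verification
    if score >= 1:
        return "PERMIT_REDACTED"  # allow, but mask sensitive fields in the response
    return "PERMIT"

def enforce(decision, payload):
    """Policy enforcement point: release, redact, or withhold the response payload."""
    if decision == "PERMIT":
        return dict(payload)
    if decision == "PERMIT_REDACTED":
        return {k: ("*" * len(v) if k in SENSITIVE_FIELDS else v) for k, v in payload.items()}
    return {"error": decision}  # STEP_UP and DENY: no user data leaves the service
```

The slide's request (unregistered iOS device, otherwise normal behaviour) scores 2 under this policy and therefore gets the redacted response shown above rather than an outright denial.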

Page 27: Icam oracle-webcast-2012-10-10

Oracle Unified Directory: Extreme Scale, Next Generation, Integrated and Interoperable

Features

• Scale to tens of billions

• Convergence of directories

• Integrated with Enterprise Manager

• Interoperable with all certified ODSEE ISV software

• Integrated with ODS+

Page 28: Icam oracle-webcast-2012-10-10

Optimized System: Directory Server

3X Performance, 1/3 Cost

Hardware/Software Synergy

Page 29: Icam oracle-webcast-2012-10-10

Sun2Oracle Upgrade Program: Partner for Success, Focusing on Action

• Upgrade to a more cost effective and feature rich solution

• Leverage experienced SI partners

• Make use of available tools

• Coexistence strategy or replatform?

Page 30: Icam oracle-webcast-2012-10-10


Platform Architectural Benefits

Shared Connectors Less Customization Faster Implementation

Centralized Policies Standardize Access Reduced Risk

Workflow Integration Automated Process Improved Compliance

Common Data Model Standard Reporting Fewer Data Stores

Page 31: Icam oracle-webcast-2012-10-10

Platform Approach Reduces Cost

Benefit | Oracle IDM Platform | Advantage

Increased End-User Productivity | Emergency Access | 11% faster

Increased End-User Productivity | End-user Self Service | 30% faster

Reduced Risk | Suspend/revoke/de-provision end user access | 46% faster

Enhanced Agility | Integrate a new app faster with the IAM infrastructure | 64% faster

Enhanced Agility | Integrate a new end user role faster into the solution | 73% faster

Enhanced Security and Compliance | Reduces unauthorized access | 14% fewer

Enhanced Security and Compliance | Reduces audit deficiencies | 35% fewer

Reduced Total Cost | Reduces total cost of IAM initiatives | 48% lower

Highlights: 48% cost savings; 14% fewer instances of unauthorized access; 35% fewer audit deficiencies

Source: Aberdeen “Analyzing Point Solutions vs. Platform” 2011

Page 32: Icam oracle-webcast-2012-10-10

Oracle Identity Management

• Operationally Scalable

• Satisfied Users

• Easy Adoption

• Architecture Simplicity

• Business Friendly

• Suite Consolidation

Page 33: Icam oracle-webcast-2012-10-10


Deployment Recommendations

Page 34: Icam oracle-webcast-2012-10-10

Federal ICAM Recommendations

• Expand and Modernize FICAM Architecture

• Application Integration

• Application Request Lifecycle

• Risk Management

• Application Access Control (M 11-11)

• Align with Agency External Services

Page 35: Icam oracle-webcast-2012-10-10

State Government Recommendations

• Define State Strategy for SICAM

• Implement Governance Process

• Implement Shared Services – Identity Providers

• Integrate Key Relying Parties

Page 36: Icam oracle-webcast-2012-10-10

FICAM AAES* – Oracle Alignment

AAES 1: Provides aggregation of identity attributes. (OVD)

AAES 2: Supports deployment of connectors and service interfaces to retrieve identity attributes from distributed sources. (OVD, OIM)

AAES 3: Utilizes a unique person identifier to distinguish between identities. (OIM, OVD)

AAES 4: Provides transformation of identity attributes from the authoritative source data storage format to a standardized format to present data externally. (OVD)

AAES 5: Provides correlation of identity attributes from distributed sources of identity information. (OIM, OVD)

AAES 6: Provides the capability to reconcile differences between different sources of identity attributes. (OIM)

AAES 7: Provides an interface to request identity attributes over common protocols such as LDAP/s, DSML, SAML, and SPML. (OEG, OIM, OIF)

AAES 8: Provides security to protect data against unauthorized access and logging to facilitate audits. (OES, OEG, OVD)

AAES 9: Provides various views of identity attributes and displays them only to users or systems that are authorized to view those attributes. (OVD)

AAES 10: Provides the ability to request identity data based on a variety of methods (name, globally unique identifier, email, DOB). (OVD)

AAES 11: Provides reports of identity attributes. (OBIEE)

AAES 12: Provides the capability to push or pull identity attributes, including the ability to distribute new identities and updates to existing identity attributes. (OIM)

AAES 13: Provides the capability to protect data at rest. (OUD, DB Sec)

AAES 14: Provides the capability to sign attribute assertions. (OIF, STS, OEG)

* Authoritative Attribute Exchange Service

Page 37: Icam oracle-webcast-2012-10-10

Oracle Solution Advantages: Federated Trust, but Verify

[Diagram: Identity Provider → Credential (John Smith) → Service Provider Security Layers (Device Tracking, Location Profile, Verify ID, User Profile) → Protected Resources]

• User authenticated by an Identity Provider (out of SP control) with ICAM Scheme*

• SP can trust the assertion but assess risk of access request

• Challenge users for additional identity verification based on risk

*idmanagement.gov

Page 38: Icam oracle-webcast-2012-10-10

Oracle ICAM Identity Platform

[Architecture diagram. Tiers: Extranet DMZ, Intranet App Tier, Intranet Data Tier.]

Clients: Mobile Clients; Web Applications; .Net Web Apps; Java EE Web Apps; Web Services; .Net Web Srvcs; Java EE Web Srvcs; MQ, JMS

Protocols: HTTP GET/POST, REST, XML, SOAP, JMS

Enforcement components: Enterprise Gateway; Entitlement Server PEP/PDP; Web Gates; OWSM Agents; DB Firewall; ESSO

Access Services (REST): OAM, OAAM, OIC, OIF, OES

Directory Services: OVD, OUD

Identity Governance Services: OIM/OIA

Third-party Stores: Database/Directories

Page 39: Icam oracle-webcast-2012-10-10

Oracle’s ICAM Resources

Oracle Secure Government Resource Center

– ICAM Resources

Oracle Security

– Identity and Access Management

– Database Security

Oracle Secure Government Blog: http://blogs.oracle.com/securegov/

ICAM Engagements: ICAM Assessment Workshop

Page 40: Icam oracle-webcast-2012-10-10

Government Security Summary

1 Standards based Enterprise Architecture

2 Standard Processes for Security Controls

3 Data Security

4 Web Services Secure Services

5 Comprehensive ICAM Solution

Page 41: Icam oracle-webcast-2012-10-10

Oracle Product Information

Oracle Identity Management Overview: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html

Oracle Identity Management 11g Whitepaper: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oracle-idm-wp-11gr2-1708738.pdf

Oracle Reference Architecture for Security: http://www.oracle.com/technetwork/topics/entarch/oracle-ra-security-r3-0-176702.pdf

Oracle Identity Management 11.1.2 - Enterprise Deployment Blueprint: http://www.oracle.com/technetwork/database/availability/maa-deployment-blueprint-1735105.pdf

Oracle Real Application Clusters Administration and Deployment Guide: http://download.oracle.com/docs/cd/E11882_01/rac.112/e16795/toc.htm

Oracle Internet Directory 11g in the Facebook Age: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oid11g-500m-socialmedia-benchmark-349887.pdf

Two Billion Entry Directory Benchmark – Oracle: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/peg-oid-benchmark-131118.pdf

Oracle Identity Federation: http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/b25355/deployinstall.htm#BABHIJGJ

Page 42: Icam oracle-webcast-2012-10-10

Upcoming Secure Government Activities

Safeguarding Government Cyberspace: November 28, 2012, 2:00 p.m. ET, http://events.oracle.com

Oracle Federal Forum, Secure Government Track: November 14, 2012, 8:00 a.m. – 5:00 p.m. ET, www.oracle.com/goto/OracleFedForum

Page 43: Icam oracle-webcast-2012-10-10

Secure Government Resource Center

Access Link: http://www.oracle.com/go/?&Src=7618005&Act=32&pcode=WWMK12041319MPP022

Helping Organizations Achieve Security Throughout the Enterprise: Cloud Security; Cyber Security; Data Security; Identity, Credential and Access Management (ICAM) Security Framework

Page 44: Icam oracle-webcast-2012-10-10


Questions

Page 45: Icam oracle-webcast-2012-10-10


Page 46: Icam oracle-webcast-2012-10-10
