icam oracle-webcast-2012-10-10
Slides from an Oracle ICAM webcast on 10/10/2012
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
ICAM Framework for Enabling Agile, Flexible Service Delivery
Derrick Harcey, P.E., CISSP, Enterprise Security Architect
Darin Pendergraft, Principal Product Marketing Director
Agenda
• ICAM Overview
• Oracle Identity Platform
• Deployment Recommendations
• Questions

ICAM Overview
Identity Management Evolution (timeline figure: 1990s, 2000s, 2010, Current): Password Mgmt, Audit, Single Sign-on, Automation, Governance; product categories IDM, WAM, Analytics.
Government Security Momentum (timeline figure: 1990s, 2000s, 2010, Current)
• HIPAA - 1996
• e-authentication
• Federal PKI – 2002
• FISMA
• PIV, PIV-I, HSPD-12
• NIEM 1.0
• Federal Identity, Credentialing and Access Management (FICAM)
• NIEM 2.0
• HITECH
• OMB 11-11
• ARRA mandates State HIE compliance by 2014, HIX
• SICAM Roadmap released
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
Identify Security Controls: Model for Classification and Trust (NIST 800-37 / FISMA)

Process:
Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls

Outcomes:
• Data Classification
• Impact Assessments and Authentication Levels
• Authentication and Identity Proofing requirements
• Identity Management Controls Implemented
• Initial Security Certification and Accreditation
• Annual Certification and Accreditation

Standards cited on the slide: NIST 800-53, NIST 800-30; NIST 800-63, NIST 800-37, FIPS 199; NIST 800-63, NIST 800-53; NIST 800-63; NIST 800-53, NIST 800-53A; NIST 800-37, NIST 800-53, NIST 800-53A.
Process Standards: NIST SP 800-37, NIST SP 800-18, NIST SP 800-60, NIST SP 800-53
NIST 800-63 Authentication Assurance Levels

Assurance Level | High Level Requirements
1 | Secure pseudonym without ID proofing - password
2 | Secure pseudonym with ID proofing - password
3 | Two factor authentication with ID proofing
4 | Hard crypto with ID proofing

National Institute of Standards and Technology: http://www.nist.gov
Federal Identity, Credential and Access Management (FICAM)
"The purpose of the Roadmap is to outline a common framework for ICAM within the Federal Government and to provide supporting implementation guidance for agencies as they plan and execute their architecture for ICAM programs."
- Federal Chief Information Officer (CIO) Council - ICAM Roadmap
State Identity, Credential and Access Management (SICAM)
"The implementation of SICAM initiatives will facilitate the creation of government services that are more accessible, efficient, and easy to use."
- NASCIO SICAM Roadmap and Implementation Guidelines
ICAM Architecture (SUNY)
• Centralized Services
• Standards Based Enterprise Architecture
• Foundation for Trust and Interoperability
FICAM Services / SICAM Services
Oracle ICAM components: NIST 800-63 mapping (figure: Requirement to Oracle Product Mapping)
Requirements: Token, Identity Proofing, Authentication, Assertion
FICAM – Service Framework
Identity and Access Management: Modern, Innovative & Integrated ICAM Foundation
Identity Governance
• Access Request & Approval
• Roles based User Provisioning
• Risk-based Access Certification
• Closed Loop Remediation
• Role Mining & Management
• Privileged Account Management
Access Management
• Mobile Access Management
• Social Identity Access
• Single Sign-On & Federation
• Authentication + Credentials
• Authorization & Entitlements
• Web Services Security
Directory Services
• Elastic Scalability
• Proxy-based Search
• LDAP Storage
• Virtualized Identity Access
• LDAP Synchronization
Platform Security Services
Oracle Identity Platform
Governance
Password Reset
Privileged Accounts
Access Request
Roles Based Provisioning
Role Mining
Attestation
Separation of Duties
Access
Web Single Sign-on
Federation
Mobile, Social & Cloud
External Authorization
SOA Security
Integrated ESSO
Token Services
Directory
LDAP Storage
Virtual Directory
Meta Directory
Platform Security Services
Identity and Access Management Platform
Oracle IDM – Themes and Drivers: Simplify and Innovate
• Simplified Experience
• Cloud, Mobile and Social
• Extreme Scale
• Clear Upgrade Path
• Faster Deployment
• Lower TCO
• Modernized Platform
Oracle Identity Governance: Provisioning, Certification, Role Governance, SoD
• Self Service
• Actionable compliance dashboards
• 80+ OOTB
• 360 deg. view of user access
• Role Governance: Role Mining, Role Consolidation, Role Versioning
End-User friendly User Interface: Browser-based customizable UI
Access Request: Shopping Cart Simplicity (Browse, Search & Select, Track Receipt, Confirmation)
Access Certification: Making Certification sustainable (Spreadsheet approach, Risk Analytics, Business–IT collaboration)
Work Is Social
• 44% plan to social enable applications in the near future (Source: Enterprise Strategy Group 2012)
• 82% of the world reached by social media sites (ComScore Datamine Jan 2012)
New Access Management: Cloud, Mobile, Social Sign-on
• Social Trust
• REST Sign-on
• Fraud Detection
• Mobile Sign-on
• Device Attributes
• Location Data
Context Aware Access Management Example

Request: Get Citizen Information: John Doe, 99343 Anywhere Street, Waterson Street, MD 20147, 555-223-2233, 444-33-2222; Tuesday April 10th, 2:15 am PDT

Behavioral Patterns:
• Has he had accesses between 00:00 and 03:00 in the last two months?
• Has he used this device more than 20% of the time in the last three months?
• Does the subject live in the same residence as the requestor?
• Does he usually perform citizen lookups?

Valid credentials were given from inside the network, but the user is already logged in from outside the network. Which session is really who we think it is?
PII Protection & Data Redaction (Oracle Entitlements Server with Oracle Enterprise Gateway)

Clients (HTTP / REST / SOAP / OAuth) call the User Service (getUserDetail, updateUser, deleteUser, ...) through the gateway.

Request (authorization check sent to Oracle Entitlements Server):
isAuthorized(user = Bob Doe, Acme Corp; Device = iOS 5.0, non-registered; Location = 37.53043790,-122.26648800; userId = 99999; action = getUserDetail)

Response (JSON, with sensitive fields redacted):
{
  "UserDetailResponse": {
    "userID": "99999",
    "name": "Sally Smith",
    "phone": "555-1234567",
    "SSN": "***********",
    "creditCardNo": "@^*%&@$#%!",
    "purchaseHistory": "..."
  }
}

Oracle Entitlements Server:
• Context Aware Authorization of Transactions
• Authorization for REST APIs
• Selective Data Redaction of the response payload
• Authorization Service can also be exposed directly to any client, even mobile

Oracle Enterprise Gateway:
• Threat Detection & Protection
• API Security & Management
• Secure Cloud Connectivity
• Mobile Access Gateway
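The two slides above (the context-aware access questions and the isAuthorized / redacted-response exchange) describe a decision without showing one. The following is an added illustration written for this page; it is not Oracle code and does not call the OES or OEG API. It models the same flow: score the request context (unregistered device, share of sessions on that device, 00:00 to 03:00 access with no night history, unusual action, distance from the usual location), return allow, step_up (challenge for additional verification) or deny, and mask sensitive fields of the user record according to the caller's entitlements. The function names, weights, thresholds, entitlement names and the sample record are all constructed assumptions, not values from the slides.

```python
"""Context-aware authorization with selective response redaction.
Illustrative example only (not Oracle code, not the OES/OEG API).
Names, weights, thresholds and sample data are constructed."""
import math
from dataclasses import dataclass
from datetime import datetime

# Hypothetical field policy: the entitlement that unlocks each sensitive field.
# Fields not listed here are returned unchanged.
FIELD_POLICY = {
    "SSN": "pii.ssn.read",
    "creditCardNo": "payment.card.read",
    "purchaseHistory": "purchase.history.read",
}


@dataclass(frozen=True)
class RequestContext:
    user: str
    action: str
    device_registered: bool
    device_share: float       # share of the user's recent sessions from this device
    lat: float
    lon: float
    when: datetime
    night_access_count: int   # accesses between 00:00 and 03:00 in the last two months
    usual_actions: frozenset  # actions this user normally performs


@dataclass(frozen=True)
class Decision:
    outcome: str              # "allow", "step_up" or "deny"
    risk: int
    reasons: tuple


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score_risk(ctx, home_lat, home_lon):
    """Add up the context signals the slides list; the weights are constructed."""
    risk, reasons = 0, []
    if not ctx.device_registered:
        risk += 30
        reasons.append("unregistered device")
    if ctx.device_share < 0.20:
        risk += 15
        reasons.append("device used in under 20% of recent sessions")
    if ctx.when.hour < 3 and ctx.night_access_count == 0:
        risk += 20
        reasons.append("first access in the 00:00-03:00 window")
    if ctx.action not in ctx.usual_actions:
        risk += 15
        reasons.append("action is unusual for this user")
    if haversine_km(ctx.lat, ctx.lon, home_lat, home_lon) > 500:
        risk += 20
        reasons.append("far from the user's usual location")
    outcome = "deny" if risk >= 70 else "step_up" if risk >= 30 else "allow"
    return Decision(outcome, risk, tuple(reasons))


def redact(payload, entitlements):
    """Copy of payload with each policed field masked unless the caller holds
    the entitlement that unlocks it (the original dict is not modified)."""
    masked = {}
    for key, value in payload.items():
        needed = FIELD_POLICY.get(key)
        masked[key] = value if needed is None or needed in entitlements else "*" * len(str(value))
    return masked


def is_authorized(ctx, entitlements, payload, home_lat, home_lon):
    """Policy decision point: returns (Decision, redacted payload or None).
    step_up and deny both withhold the record; step_up expects the caller to
    challenge the user for additional verification before retrying."""
    decision = score_risk(ctx, home_lat, home_lon)
    if decision.outcome != "allow":
        return decision, None
    return decision, redact(payload, entitlements)


# Constructed sample record, shaped like the slide's UserDetailResponse.
SAMPLE_RECORD = {
    "userID": "99999", "name": "Sally Smith", "phone": "555-1234567",
    "SSN": "123-45-6789", "creditCardNo": "4111111111111111", "purchaseHistory": "...",
}
HOME = (37.5304379, -122.266488)   # constructed usual location for Bob Doe
USUAL = frozenset({"getUserDetail"})
# The slide's scenario: unregistered iOS device, 2:15 am, no night-time history.
RISKY = RequestContext("Bob Doe", "getUserDetail", False, 0.05, *HOME,
                       datetime(2012, 4, 10, 2, 15), 0, USUAL)
# Same user at 10:15 am from a registered device he uses most of the time.
NORMAL = RequestContext("Bob Doe", "getUserDetail", True, 0.80, *HOME,
                        datetime(2012, 4, 10, 10, 15), 0, USUAL)
# Unregistered device, unusual action, and a location far from HOME.
FAR = RequestContext("Bob Doe", "deleteUser", False, 0.0, 51.5074, -0.1278,
                     datetime(2012, 4, 10, 2, 15), 0, USUAL)

if __name__ == "__main__":
    for ctx in (RISKY, NORMAL, FAR):
        decision, response = is_authorized(ctx, {"pii.ssn.read"}, SAMPLE_RECORD, *HOME)
        print(ctx.when.time(), decision.outcome, decision.risk, decision.reasons, response)
```

Running the block prints step_up (risk 65) for the slide's scenario, allow (risk 0) with the SSN unmasked and the card number masked for the daytime request, and deny (risk 100) for the distant request. The point of separating score_risk from redact is the one the slides make: the risk decision gates whether a response is returned at all, while redaction is driven by the caller's entitlements, so a low-risk caller without the right entitlement still never sees the SSN in the payload.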
Oracle Unified Directory: Next Generation, Extreme Scale, Integrated and Interoperable
Features:
• Scale to 10's of Billions
• Convergence of directories
• Integrated with Enterprise Manager
• Interoperable with all certified ODSEE ISV software
• Integrated with ODS+
Optimized System: Directory Server (Hardware/Software Synergy): 3X performance, 1/3 cost
Sun2Oracle Upgrade Program: Focusing on Action
• Partner for Success
• Upgrade to a more cost effective and feature rich solution
• Leverage experienced SI partners
• Make use of available tools
• Coexistence strategy or replatform?
Platform Architectural Benefits
Shared Connectors | Less Customization | Faster Implementation
Centralized Policies | Standardize Access | Reduced Risk
Workflow Integration | Automated Process | Improved Compliance
Common Data Model | Standard Reporting | Fewer Data Stores
Platform Approach Reduces Cost

Benefit | Oracle IDM Platform Advantage
Increased End-User Productivity | Emergency Access: 11% faster; End-user Self Service: 30% faster
Reduced Risk | Suspend/revoke/de-provision end user access: 46% faster
Enhanced Agility | Integrate a new app faster with the IAM infrastructure: 64% faster; Integrate a new end user role faster into the solution: 73% faster
Enhanced Security and Compliance | Reduces unauthorized access: 14% fewer; Reduces audit deficiencies: 35% fewer
Reduced Total Cost | Reduces total cost of IAM initiatives: 48% lower

Highlights: 48% cost savings; 14% fewer instances of unauthorized access; 35% fewer audit deficiencies.
Source: Aberdeen "Analyzing Point Solutions vs. Platform" 2011
Oracle Identity Management
• Operationally Scalable
• Satisfied Users
• Easy Adoption
• Architecture Simplicity
• Business Friendly
• Suite Consolidation
Deployment Recommendations
Federal ICAM Recommendations
• Expand and Modernize FICAM Architecture
• Application Integration
• Application Request Lifecycle
• Risk Management
• Application Access Control (M 11-11)
• Align with Agency External Services
State Government Recommendations
• Define State Strategy for SICAM
• Implement Governance Process
• Implement Shared Services – Identity Providers
• Integrate Key Relying Parties
FICAM AAES* – Oracle Alignment

ID | Service description | Oracle products
AAES 1 | Provides aggregation of identity attributes. | OVD
AAES 2 | Supports deployment of connectors and service interfaces to retrieve identity attributes for distributed sources. | OVD, OIM
AAES 3 | Utilizes a unique person identifier to distinguish between identities. | OIM, OVD
AAES 4 | Provides transformation of identity attributes from authoritative source data storage format to a standardized format to present data externally. | OVD
AAES 5 | Provides correlation of identity attributes from distributed sources of identity information. | OIM, OVD
AAES 6 | Provides the capability to reconcile differences between different sources of identity attributes. | OIM
AAES 7 | Provides an interface to request identity attributes over common protocols such as LDAP/s, DSML, SAML, and SPML. | OEG, OIM, OIF
AAES 8 | Provides security to protect data against unauthorized access and logging to facilitate audits. | OES, OEG, OVD
AAES 9 | Provides various views of identity attributes and displays them only to users or systems that are authorized to view those attributes. | OVD
AAES 10 | Provides the ability to request identity data based on a variety of methods (name, globally unique identifier, email, DOB). | OVD
AAES 11 | Provides reports of identity attributes. | OBIEE
AAES 12 | Provides the capability to push or pull identity attributes, including the ability to distribute new identities and updates to existing identity attributes. | OIM
AAES 13 | Provides the capability to protect data at rest. | OUD, DB Sec
AAES 14 | Provides the capability to sign attribute assertions. | OIF, STS, OEG

* Authoritative Attribute Exchange Service
Oracle Solution Advantages: Federated Trust, but Verify
• User authenticated by an Identity Provider (out of SP control) with ICAM Scheme*
• SP can trust the assertion but assess risk of access request
• Challenge users for additional identity verification based on risk
Figure elements: Identity Provider; Credential (John Smith); Service Provider Security Layers (Device Tracking, Location Profile, Verify ID, User Profile); Protected Resources
*idmanagement.gov
Oracle ICAM Identity Platform (architecture diagram)
Tiers: Extranet, DMZ, Intranet App Tier, Intranet Data Tier
Clients: Web Applications, Mobile Clients, .Net Web Apps, Java EE Web Apps, .Net Web Srvcs, Java EE Web Srvcs, Web Services
Protocols: HTTP GET/POST, REST, XML, SOAP, JMS, MQ
Components: Enterprise Gateway; Entitlement Server PEP/PDP; WebGates; OWSM Agents; ESSO; DB Firewall
Access Services (REST): OAM, OAAM, OIC, OIF, OES
Directory Services: OVD, OUD
Identity Governance Services: OIM/OIA
Third-party Stores: Database/Directories
Oracle's ICAM Resources
• Oracle Secure Government Resource Center – ICAM Resources
• Oracle Security – Identity and Access Management; Database Security
• Oracle Secure Government Blog: http://blogs.oracle.com/securegov/
• ICAM Engagements: ICAM Assessment Workshop
Government Security Summary
1 Standards based Enterprise Architecture
2 Standard Processes for Security Controls
3 Data Security
4 Web Services Secure Services
5 Comprehensive ICAM Solution
Oracle Product Information
• Oracle Identity Management Overview: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html
• Oracle Identity Management 11g Whitepaper: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oracle-idm-wp-11gr2-1708738.pdf
• Oracle Reference Architecture for Security: http://www.oracle.com/technetwork/topics/entarch/oracle-ra-security-r3-0-176702.pdf
• Oracle Identity Management 11.1.2 - Enterprise Deployment Blueprint: http://www.oracle.com/technetwork/database/availability/maa-deployment-blueprint-1735105.pdf
• Oracle Real Application Clusters Administration and Deployment Guide: http://download.oracle.com/docs/cd/E11882_01/rac.112/e16795/toc.htm
• Oracle Internet Directory 11g in the Facebook Age: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oid11g-500m-socialmedia-benchmark-349887.pdf
• Two Billion Entry Directory Benchmark – Oracle: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/peg-oid-benchmark-131118.pdf
• Oracle Identity Federation: http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/b25355/deployinstall.htm#BABHIJGJ
Upcoming Secure Government Activities
• Safeguarding Government Cyberspace: November 28, 2012, 2:00 p.m. ET, http://events.oracle.com
• Oracle Federal Forum: Secure Government Track: November 14, 2012, 8:00 a.m. – 5:00 p.m. ET, www.oracle.com/goto/OracleFedForum
Secure Government Resource Center
Access Link: http://www.oracle.com/go/?&Src=7618005&Act=32&pcode=WWMK12041319MPP022
Helping Organizations Achieve Security Throughout the Enterprise: Cloud Security, Cyber Security, Data Security, Identity, Credential and Access Management (ICAM) Security Framework
Questions