Oracle Privileged Account Manager 11gR2
![Page 2: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/2.jpg)
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
![Page 3: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/3.jpg)
Agenda
• Introduction
• Oracle Privileged Account Manager 11gR2
• OPAM and Oracle’s Governance Platform
• OPAM and Oracle Security Solutions
• Summary
• Q & A
![Page 4: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/4.jpg)
Introduction
![Page 5: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/5.jpg)
With Great Power Comes Great Risks
(Diagram: root access to Databases, Directory Servers and Unix Servers)
• Privileged accounts are a key entry point for fraud
• Difficult to monitor shared accounts across multiple administrators
• Excessive access privileges are the number one attack vector against databases
![Page 6: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/6.jpg)
IDM – Overcome Threats and Regulations to Unlock Opportunities
From the 2011 Data Breach Investigations Report:
• 76% of data stolen from servers
• 86% of hacking involved stolen credentials
• 48% caused by insiders
• 17% involved privilege misuse
Threats
• Increased Online Threat
• Costly Insider Fraud
Compliance
• Tougher Regulations
• Greater Focus on Risk
• Stronger Governance
Opportunities
• Social Media
• Cloud Computing
• Mobile Access
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
![Page 7: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/7.jpg)
Privileged Accounts – Most Powerful but Most Unprotected
• Unlimited power
• Shared passwords
• Never changed
• Access not audited or certified
• Unix/Linux, Windows, databases, applications, routers, firewalls etc.
• Each and every IT asset in the enterprise
![Page 8: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/8.jpg)
Managing Privileged Access Is Not Well Defined
• COST: Deploying point solutions can increase integration costs
• SCALE: Manual solutions don’t scale (like managing privileged access via spreadsheets)
• RISK: Using default system passwords is prone to risk
![Page 9: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/9.jpg)
Two Big Management Problems
• Identifying privileged accounts
• Tracking privileged accounts
![Page 10: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/10.jpg)
The Right Approach is Self-Reinforcing
(Cycle diagram, self-reinforcing: Access Request, Auto-Provisioning, Reporting & Certification, Remediation)
Visibility across complete user access is key
![Page 11: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/11.jpg)
Privileged Account Management – A Platform Approach
• Shared Connectors
• Centralized Policies
• Workflow Integration
• Common Reporting
Outcomes: Reduce Risk, Improve Compliance
![Page 12: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/12.jpg)
Oracle Offers Security at Every Layer – Security inside each layer and across layers
• Infrastructure Security
• Identity & Access Management
• Database Security
• Cloud Services
• Governance & Compliance
![Page 13: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/13.jpg)
Governance
• Password Reset
• Privileged Accounts
• Access Request
• Roles Based Provisioning
• Role Mining
• Attestation
• Separation of Duties
Access
• Web Single Sign-on
• Federation
• Mobile, Social & Cloud
• External Authorization
• SOA Security
• Integrated ESSO
• Token Services
• Fraud Detection
Directory
• LDAP Storage
• Virtual Directory
• Meta Directory
Platform Security Services
![Page 14: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/14.jpg)
Oracle Privileged Account Manager 11gR2
![Page 15: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/15.jpg)
Introducing Oracle Privileged Account Manager
• Secure vault to centrally manage passwords for privileged and shared accounts
• Targets include Databases, Operating Systems, LDAP Directories and Oracle FMW applications
• Multiple access points for OPAM users and administrators
• Automatic password change using the Identity Connector Framework
• Policy based password check-out and check-in
• Flexible usage policies
• Customizable audit reports through BI Publisher and real time status
• Extension to Identity Governance – OIM and OIA integration for complete governance
![Page 16: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/16.jpg)
OPAM Architecture
(Architecture diagram; not captured in the transcript)
![Page 17: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/17.jpg)
A Typical Use Case
Actors in the diagram: the user, Oracle Privileged Account Manager, an LDAP server holding the DBA role, the HR Application Database and a Unix server.
• User requests the DBA password from OPAM
• OPAM verifies that the OPAM user is in the HR DBA role (LDAP server)
• OPAM returns the DBA password
• User logs in as DBA and adds a table to the DB; the system runs out of space
• User requests the unix password
• OPAM returns the unix password
• User logs in as superuser on the Unix server and adds disk space
• User checks in the passwords
• OPAM sets the DBA password for the HR App Database based on the password policy for the HR App Database
![Page 18: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/18.jpg)
User Check-Out Password Screen
(Screenshot; not captured in the transcript)
![Page 19: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/19.jpg)
Supported Clients / Targets
• Generic Database Servers
• Generic LDAP Directories
• Generic UNIX Systems
![Page 20: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/20.jpg)
Default Supported Targets
• OPAM will support all OIM ICF connectors
• Will ship with the following connectors
  • Generic UNIX
    • Any UNIX/LINUX server with SSH
  • Generic Database
    • Oracle 9i, 10g, 11g
    • Any
  • Generic LDAP
![Page 21: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/21.jpg)
OPAM Benefits
• Enforce internal security policies and eliminate potential security threats from privileged users
• Cost-effectively enforce and attest to regulatory requirements
• Reduce IT costs through efficient self service and common security infrastructure
• Real time usage reports
• Customizable audit reports through BI Publisher
![Page 22: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/22.jpg)
OPAM and Oracle Access Management
• OAM provides access control to the OPAM service console
  • Centralized, policy-driven services for web application authentication
  • Web single sign-on
  • Session control
• OAAM for layered access control to the OPAM service console
  • Real-time fraud prevention
  • Software-based multifactor authentication
![Page 23: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/23.jpg)
OPAM and Oracle’s Governance Platform
![Page 24: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/24.jpg)
Supports Oracle Identity Manager
• Enterprise Roles
• Request access
• De-provision access
• Reuse connectors
• Works with request catalog
![Page 25: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/25.jpg)
OPAM, OIM and OIA – a Complete Governance Platform
• Use case 1 – OIM provisions users to the OPAM directory
  • Leveraging OIM policy/role based provisioning, a system admin may be provisioned to the specific LDAP groups that OPAM uses for privileged account access
  • Workflow and approval are followed as defined
• Use case 2 – Request for privileged account access through OIM
  • OIM publishes privileged account entitlements in the request catalog
  • An admin user uses access request self service, searches the catalog, picks the privileged accounts he needs and submits them for approval
  • The request kicks off workflow and approval as defined
  • The user is provisioned with group membership after approval
  • The user can access OPAM for privileged password checkout and checkin
![Page 26: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/26.jpg)
OPAM, OIM and OIA – a Complete Governance Platform
• Use case 3 – Break glass access request through OIM
  • Ability for admins to request emergency access to certain privileged account(s) s/he normally is not entitled to. E.g., a critical server is down but the designated server admin is not available.
  • The admin goes through the OIM request process as defined earlier, but indicates this is a break glass emergency request
  • Submission of the request kicks off the break glass workflow with minimal or auto approval (per customer process)
  • The admin is presented with the privileged password for emergency use
  • A special alert is generated for the event and sent to security administrators
  • The access is automatically de-provisioned afterward (e.g., after some time)
![Page 27: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/27.jpg)
OPAM, OIM and OIA – a Complete Governance Platform
• Use case 4 – Delegated access
  • Example: Bob is on vacation for 3 weeks, so Joe is authorized to access the accounts Bob has access to. Joe’s access is revoked after Bob returns.
• Use case 5 – Risk based certification and closed-loop remediation with OIA
  • Through the existing OIM–OIA integration and the OIM–OPAM integration, privileged access information is made available to OIA for certification
  • Risk can be calculated based on the account’s privilege status and other data such as provisioning method
  • If an access violation is found, it can be revoked through OIM–OIA closed-loop remediation
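The check-out/check-in flow from the Typical Use Case slide and use cases 1 to 4 above (entitlement through directory group membership, exclusive check-out, password rotation on check-in, break glass with an alert and automatic de-provisioning, time-bounded delegation) modelled in Python as an added example. This is not Oracle’s or OPAM’s code; the account names, group names, break-glass TTL and timestamps are constructed for the illustration.

```python
"""OPAM-style check-out / check-in vault model. Added illustration, not Oracle's
or OPAM's code; group names, policy values and timestamps are constructed."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def generate_password(length: int) -> str:
    """Random password meeting a simple policy: length plus lower, upper and digit."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


@dataclass
class Account:
    target: str                  # e.g. "hr-db" (constructed)
    name: str                    # e.g. "SYS"
    required_group: str          # directory group that entitles check-out
    password_length: int = 16    # per-target password policy
    password: str = field(default="", repr=False)
    checked_out_by: Optional[str] = None

    def __post_init__(self) -> None:
        self.password = self.password or generate_password(self.password_length)


@dataclass
class Vault:
    accounts: dict                     # "target/name" -> Account
    group_members: dict                # directory group -> set of user names
    break_glass_ttl: float = 3600.0    # seconds until emergency access is removed
    grants: list = field(default_factory=list)   # temporary entitlements
    audit: list = field(default_factory=list)
    alerts: list = field(default_factory=list)   # for the security administrators

    def entitled(self, user: str, account_id: str, now: float) -> bool:
        """The role check: directory group membership or a live temporary grant."""
        acct = self.accounts[account_id]
        if user in self.group_members.get(acct.required_group, set()):
            return True
        return any(g["user"] == user and g["account"] == account_id
                   and g["expires"] > now for g in self.grants)

    def checkout(self, user: str, account_id: str, now: float,
                 break_glass: bool = False) -> str:
        acct = self.accounts[account_id]
        if break_glass and not self.entitled(user, account_id, now):
            # Emergency path: time-bounded grant plus an alert; expire_grants()
            # removes the access again once the TTL has elapsed.
            self.grants.append({"user": user, "account": account_id,
                                "expires": now + self.break_glass_ttl,
                                "kind": "break-glass"})
            self.alerts.append((now, user, account_id, "break-glass check-out"))
        if not self.entitled(user, account_id, now):
            self.audit.append((now, user, "checkout", account_id, "denied"))
            raise PermissionError(f"{user} is not entitled to {account_id}")
        if acct.checked_out_by not in (None, user):
            raise RuntimeError(f"{account_id} is checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        self.audit.append((now, user, "checkout", account_id, "ok"))
        return acct.password

    def checkin(self, user: str, account_id: str, now: float) -> None:
        acct = self.accounts[account_id]
        if acct.checked_out_by != user:
            raise RuntimeError(f"{account_id} is not checked out by {user}")
        acct.checked_out_by = None
        # Rotate on check-in so the password the user saw stops working.
        acct.password = generate_password(acct.password_length)
        self.audit.append((now, user, "checkin", account_id, "rotated"))

    def delegate(self, owner: str, delegate: str, account_id: str,
                 now: float, seconds: float) -> None:
        """Owner lends access for a fixed window (the vacation use case)."""
        if not self.entitled(owner, account_id, now):
            raise PermissionError(f"{owner} cannot delegate {account_id}")
        self.grants.append({"user": delegate, "account": account_id,
                            "expires": now + seconds, "kind": "delegation"})
        self.audit.append((now, owner, "delegate", account_id, delegate))

    def expire_grants(self, now: float) -> int:
        """Auto-deprovision expired break-glass and delegated access."""
        expired = [g for g in self.grants if g["expires"] <= now]
        for g in expired:
            self.audit.append((now, g["user"], "deprovision", g["account"], g["kind"]))
        self.grants = [g for g in self.grants if g["expires"] > now]
        return len(expired)


def demo_vault() -> Vault:
    """Constructed directory groups and targets for a walk-through."""
    accounts = [Account("hr-db", "SYS", "hr-dba"), Account("unix-01", "root", "unix-admins")]
    return Vault(accounts={f"{a.target}/{a.name}": a for a in accounts},
                 group_members={"hr-dba": {"alice"}, "unix-admins": {"alice"}})
```

Calling `demo_vault()` and then `checkout("alice", "hr-db/SYS", 0.0)` succeeds because alice is in the `hr-dba` group, while the same call for bob raises `PermissionError` unless `break_glass=True` is passed, in which case an alert is recorded and `expire_grants()` removes the access once the TTL has passed. Every decision lands in `audit`, which is the data a certification or close-loop remediation step would consume.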
![Page 28: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/28.jpg)
OPAM, OIM and OIA – a Complete Governance Platform
• Central governance of regular and privileged users
• Complete auditing, reporting and certification of users’ individual and shared accounts
• More secure and more compliant
![Page 29: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/29.jpg)
OPAM and Oracle Security Solutions
![Page 30: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/30.jpg)
OPAM and Database Security
• Enterprise User Security allows non-privileged users to use their enterprise LDAP/AD password to connect to the database
• Database Vault provides stronger separation of duties for databases
• OPAM manages passwords for privileged users including SYS, SYSTEM and application accounts
• A complete Database Security solution from Oracle
![Page 31: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/31.jpg)
Database User Management – Complete Solution

| Service Description | Supported by |
|---|---|
| Use Existing Enterprise LDAP Passwords for End-User Passwords | EUS |
| Map Database Roles to Enterprise Roles | EUS |
| Manage SYS/SYSTEM Passwords | OPAM |
| Manage Application Passwords | OPAM |
| Manage non-Oracle database passwords | OPAM |
![Page 32: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/32.jpg)
Database Vault Integration – Complete Solution

| Service Description | Supported by |
|---|---|
| Privileged user access control to limit access to application data | DB Vault |
| Multi-factor authorization for enforcing enterprise security policies | DB Vault |
| Secure application consolidation | DB Vault |
| Manage DB Vault Privileged Accounts Passwords like user_manager, sec_admin | OPAM |
| Manage SYS/SYSTEM and other DB Privileged Accounts Passwords | OPAM |
![Page 33: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/33.jpg)
OPAM and UNIX/LINUX User Management
• Oracle Authentication Services For Operating Systems (OAS4OS) enables non-privileged UNIX/LINUX users to authenticate to LDAP
• OAS4OS simplifies migration from NIS to LDAP
• OPAM provides password management for user accounts such as root and other privileged application accounts on the server
![Page 34: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/34.jpg)
UNIX/LINUX User Management – Complete Solution

| Service Description | Supported by |
|---|---|
| Use Existing Enterprise LDAP for End-User Passwords | OAS4OS |
| Map UNIX Groups & NIS Maps to LDAP | OAS4OS |
| Manage ROOT Passwords | OPAM |
| Manage superuser Application Account | OPAM |
| Manage Windows passwords | OPAM |
![Page 35: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/35.jpg)
Improve Security Of Oracle Middleware and Database
• Application passwords are often privileged and unmanaged
• OPAM can automatically manage application passwords for software that uses Oracle Fusion Middleware or connects to Oracle database
• This includes:
  • Oracle Credential Security Framework (CSF)
  • Oracle Wallet (planned post R2)
![Page 36: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/36.jpg)
Summary
![Page 37: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/37.jpg)
Summary
• Improves compliance and auditing of privileged account activities
• Can be deployed standalone or as part of the complete Oracle Identity Governance platform
• A key component of Oracle Identity Governance
• Together with OIM and OIA
  • Central governance of regular and privileged users
  • Complete auditing, reporting and certification of users’ individual and shared accounts
![Page 38: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/38.jpg)
www.oracle.com/Identity
www.facebook.com/OracleIDM
www.twitter.com/OracleIDM
blogs.oracle.com/OracleIDM
![Page 39: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/39.jpg)
![Page 40: Oracle Privileged Account Manager 11gR2](https://reader031.vdocuments.mx/reader031/viewer/2022013101/61d21d8848debe26a46e6a9f/html5/thumbnails/40.jpg)