Jerry Held - PowerPoint PPT Presentation

Slides: 42
Provided by: Analy7
Transcript and Presenter's Notes

Title: Jerry Held


1
(No Transcript)
2
Sudha Iyer, Principal Product Manager, Oracle
Corporation
3
Identity Management for Database Applications
(40128)
4
Reminder: please complete the OracleWorld
online session survey. Thank you.
5
Agenda
  • Business Drivers for Security
  • Identity and Security: related?
  • Key Benefits of Identity Management
  • Strategies for deployed applications
  • Oracle Database 10g
  • Questions

6
Business Drivers for Security
  • Why security?

7
Business Environment
  • Increased threat to business continuity
    • Internal threats
    • External threats
  • Government Regulations (US and Foreign)
  • Security Policy
  • Security Products
  • Manageability and High Availability with Security

8
Measuring ROI in Security
  • Opportunity Cost
    • What do lost business, delayed payments and
      customer retention mean to your business?
  • Lower Administrative Costs
    • Patch Management
    • User Provisioning
    • Eliminate Password Management woes

9
Security and Identity Management
  • Where do they meet?

10
Critical aspects of Security
  • Privacy
    • Consumers vs. Businesses
    • Staying anonymous is expensive
  • Authentication
    • Critical to establish trust
  • Integrity
  • Non-repudiation
  • Audit

11
Identity and Security
  • Identity
    • Username, Certificate DN, Global UID
  • Authenticate
    • Password (what you know)
    • Stronger alternatives (smart card, Certificate,
      TGT)
  • Trust
    • Secure the channel
    • Evaluate Access Control
    • Assist in non-repudiation

12
Identity Management in Oracle 10g
  • Oracle Internet Directory: LDAP standard
    repository for identity information
  • Directory Synchronization: Integration with other
    directories (e.g. ADS, iPlanet)
  • Provisioning Integration: Automatic provisioning
    of users in the Oracle environment
  • Delegated Administration: Self-service
    administration tools for managing identity
    information across the enterprise
  • AS 10g Single Sign-On: Single sign-on to web
    applications
  • Oracle Certificate Authority: Issue and manage
    X.509v3 compliant certificates to secure email
    and network connections
13
Oracle Security Architecture
[Layered architecture diagram]
  • Applications: Oracle E-Business Suite, Oracle
    Collaboration Suite, OracleAS Portal / Wireless
  • Application Component Security: Responsibilities
    and Roles; Secure Mail and Interpersonal Rights;
    Roles and Privilege Groups
  • Oracle 10g Platform Security Bindings
    • OracleAS 10g: JAAS, WS Security, Java2
      Permissions
    • Oracle 10g Database: Enterprise users, VPD,
      Encryption, Label Security
  • External Security Services: Access Management
  • Oracle Identity Management (Enterprise Security
    Infrastructure)
    • OracleAS Certificate Authority
    • Directory Integration and Provisioning
    • OracleAS Single Sign-on
    • Delegated Administration Services
    • Directory Services: Oracle Internet Directory
    • Provisioning Services
14
Benefits of Identity Management
  • Valuable with over capacity in technology

15
Where is the pain?
  • User Administration
    • Scalability
      • Too many accounts for additions, deletions,
        role changes across 100s of databases
      • Solution: Directory Integration for
        Centralized User/Privilege Management
    • Ease of Use and Flexibility
      • Too many passwords to remember/administer
      • Solution: Single Sign-On with digital
        certificates, and Single Password

16
Oracle Identity Management
  • Improve ROI on administration
    • One network identity for a user
    • Eliminates maintaining users across databases
  • Enable self service for user management
    • Lost passwords retrieved by end users
  • Security with Usability
    • SSL and Kerberos with ease of administration

17
Database Security for Directory Users
Users, Label Security policies and user
privileges are managed in OID.
  • Apps may rely on
    • Database Roles alone
    • Enterprise Roles in the directory
  • Single Sign-On users and Enterprise users are
    unified in OID

Applications can enforce VPD policies, Label
Security and audit records for directory users.
[Diagram: directory users Jane (Surgeon) and a
Nurse mapped to the shared Apps_User schema across
Oracle Databases]
18
Ongoing User Administration
[Diagram: define a group in OID, then list group
access]
19
Directory Users for Legacy Apps
  • Strategies to get more for less

20
Where to begin?
  • Understand application user model
  • Understand access control model
  • Understand security policies
  • Decide on new user model
  • Strategy
    • Centralize users first
    • Centralize roles second

21
Application User Model - 1
  • Every application user is a database user
  • Application uses the database's authentication
    and authorization capability
  • Every user has an exclusive schema
  • Where are the application objects?

22
Best Practice - 1
  • Usually, app objects are in an app schema
  • Move the database users to the directory
  • Map the user to a shared schema
  • Consider using Enterprise Roles
    • If app relies entirely on database roles

23
Application User Model - 2
  • Application user is a database user, but some
    objects are shared and others are owned by
    each user
  • Application relies on database roles for access
    control enforcement

24
Best Practice - 2
  • Move the database users to the directory
  • Each user has an exclusive schema
  • Consider using Virtual Private Database
    • Eliminate exclusive schemas; use a shared
      schema

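Best Practice 2 and slide 17 both rest on one mechanism: once directory users share a schema, row-level access has to key on the directory identity rather than the database account. The following is an added example, not code from the presentation, showing a Virtual Private Database policy on a constructed PATIENT_CARE table; it assumes Enterprise User Security is configured, that APP_SCHEMA is the shared schema, and that SURGEON_ROLE is a global role mapped to an enterprise role in OID.

```sql
-- Added example (not from the slides). Assumes APP_SCHEMA is the shared
-- schema for enterprise users and SURGEON_ROLE is a global role held by
-- surgeons via an enterprise role in OID. Table/column names are constructed.
CREATE TABLE app_schema.patient_care (
  patient_id   NUMBER PRIMARY KEY,
  attending_dn VARCHAR2(256),   -- DN of the directory user who owns the record
  notes        VARCHAR2(4000)
);

-- Policy function: returns the predicate Oracle appends to every statement.
-- In a shared schema SESSION_USER is APP_SCHEMA for everyone; EXTERNAL_NAME
-- still carries the DN of the authenticated enterprise user.
CREATE OR REPLACE FUNCTION app_schema.patient_care_pred (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  -- Surgeons (membership granted in the directory, not per database) see all.
  IF DBMS_SESSION.IS_ROLE_ENABLED('SURGEON_ROLE') THEN
    RETURN NULL;   -- no predicate, no restriction
  END IF;
  -- Everyone else sees only records they attend. A session with no directory
  -- identity has EXTERNAL_NAME = NULL, so the comparison matches no rows:
  -- the policy fails closed instead of exposing the table.
  RETURN 'attending_dn = SYS_CONTEXT(''USERENV'',''EXTERNAL_NAME'')';
END;
/

-- Attach the policy; update_check makes INSERT/UPDATE obey the same predicate
-- so a nurse cannot write a record she would not be allowed to read.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_SCHEMA',
    object_name     => 'PATIENT_CARE',
    policy_name     => 'PATIENT_CARE_BY_DN',
    function_schema => 'APP_SCHEMA',
    policy_function => 'PATIENT_CARE_PRED',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/
```

Audit records written for such sessions carry the same EXTERNAL_NAME value, which is what lets the accountability chain survive the move from exclusive schemas to a shared one.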
25
User Management for Models 1 and 2
  • Database users are transformed into Enterprise
    users
    • mapped to a shared schema, or
    • have an exclusive schema
  • Apps may rely on
    • Database Roles
    • Enterprise Roles
  • Client/Server app: Jane logs into the database;
    one database connection is established

[Diagram: Jane connects to an Oracle DB holding
Guest_Schema and APP_SCHEMA; the database looks up
the user's credentials and gets all enterprise
roles assigned]
26
Application User Model - 3
  • Every application user is a database user
  • Application has its own access control module
  • Application may use a pre-seeded App User
  • Home-grown audit module
  • Direct access to database objects restricted by
    PUP (Product User Profile)

27
Best Practice - 3
  • Cost effective to map users to a shared schema
  • Consider replacing the home-grown admin module
    using enterprise roles/database global roles

28
User Management - 3
Database users are transformed into Enterprise
users, mapped to a shared schema (APP_SCHEMA).
Apps_User proxies directory users.
[Diagram: Jane and Jill reach APP_SCHEMA in the
Oracle DB through the Apps_User proxy account]
29
Application User Model - 4
  • Application has robust user management module
  • Application uses application context to track
    users
  • How can these users leverage an Enterprise
    Directory?

30
Best Practice - 4
  • Integrate with AS Single Sign-On
    • Provisioning of users handled automatically by
      HR
    • Password management policies of Oracle
      Internet Directory enforced
    • Eases integration with other applications in
      the enterprise
  • Second stage: delegate access control to DB/OID

31
Oracle 10g
32
Kerberized Enterprise Users
  • Directory users
    • Use Kerberos credentials to authenticate to
      the Oracle Database
  • Benefits
    • End-to-end security with desktop sign-on
    • Virtually no administrative cost
    • Centralized administration in a heterogeneous
      environment

33
Integrated Enterprise User Security
  • Identity Management infrastructure
    • Unified user model (one password)
    • Simplified configuration
    • Provide an alternate secure channel for
      Database-Directory communication
  • Benefits
    • Easy, low cost administration of users
    • Identity flows end-to-end, aiding accountability
    • Database security for web application users
    • Rapid prototyping

34
Security and Identity Management for GRID
  • Central provisioning of users for database
    services
  • Apply database security features for GRID users
  • Central administration of security policies for
    GRID users

35
Security with Usability: a scenario
[Diagram: a new employee is provisioned in
Microsoft ADS (AD) and synchronized into Oracle
Internet Directory through the AD Connector; the
user obtains a Kerberos TGT from the KDC (MIT v5 or
MS KDC) on Unix or Windows and, as a Surgeon,
reaches the Patient Profile and Patient Care
applications]
36
Oracle Label Security, OID Integration
  • Centrally administer
    • Oracle Label Security policies
    • sensitivity labels
    • user label authorizations
  • Benefit
    • Label authorizations enforced for directory
      users
    • Enforce uniform policies centrally
    • Aids GRID computing
    • Eases administration

37
Summary: Increase Returns on Investment
  • Lower administrative costs
  • Simplify user experience
    • Password resets, single password
  • Strong authentication alternatives
    • SSL, Kerberos
  • Assist Audit Compliance
  • Integrate with Database Security
    • Oracle Label Security, Virtual Private Database

38
A
39
Next Steps
  • Recommended sessions
    • Securing J2EE Applications with Oracle
      Identity Management
    • Planning your Identity Management Deployment
      (40207)
    • Oracle and Thor Identity Management
      Provisioning (40017)
  • Recommended demos and/or hands-on labs
    • Security and Identity Management Demo Pods
    • Oracle Security Command Center - Booth 1736
  • See Your Business in Our Software
    • Visit the DEMOgrounds for a customized
      architectural review, see a customized demo
      with Solutions Factory, or receive a
      personalized proposal.

41
(No Transcript)