Oracle Security & Identity Management
July 20, 2005

Gary Quarles, Sr. Solutions Architect, Columbus, OH, 614-280-6500, [email protected]
Rafael Torres, Sr. Solutions Architect, Cincinnati, OH, 513-768-6856, [email protected]
Agenda 9am-10:15am
– Identity Management: OID, User Provisioning, Directory Integration, Proxy Authentication
– Virtual Private Database
– Securing Data Access
– Secure Application Roles
BREAK (15 mins)

Agenda (con’t) 10:30am-11:45am
– Label Security
– Fine Grained Auditing
– Stored Data Encryption
– Detecting Security Breaches
– Data Privacy Compliance
– Network Encryption
– User Security
– Oblix Roadmap
11:45am-1pm – Buffet Luncheon
1pm-1:15pm – Raffle
Security Legislation
Sarbanes-Oxley
– Everyone
– Financial statements contain no errors
Gramm-Leach-Bliley
– Financial Services, Healthcare
– Ensure privacy, security, confidentiality
California’s Breach Disclosure Law
– Anyone with customers in California
– Audit breach of PII, notify those affected
Safe Harbor
– Anyone doing business in Europe
– Reasonable steps to secure from unauthorized access
Data Privacy Concerns
Customer information
– protecting customer personally identifiable information (PII)
Employee information
– the majority of privacy regulations provide equal or greater rights of privacy to employees
Third Party information
– protecting PII of third persons provided to you by customers or employees
25% technical, 75% policy and procedures
Data Privacy Compliance
www.oracle.com/consulting

The Expert View
“90% detected computer security breaches in the past year.”
“80% acknowledged financial losses due to computer breaches.”
– CSI/FBI Computer Crime and Security Survey
“If you spend more on coffee than on IT security, then you will be hacked…what's more, you deserve to be hacked!”
– Richard Clarke, Special Advisor to the President, Cyberspace Security
State of Security – United States
90% of respondents* detected computer security breaches within the last twelve months.
80% of respondents acknowledged financial losses due to computer breaches.
– $455,848,000 in quantifiable losses
– $170,827,000 theft of proprietary information
– $115,753,000 in financial fraud
74% cited their Internet connection as a frequent point of attack
33% cited internal systems as a frequent point of attack
* Source: CSI/FBI Computer Crime and Security Survey
Why Oracle for Security and Identity Management?
25+ year history
– First Oracle customer was a government customer
Information Assurance
– 17 independent security evaluations over the past decade
– Substantial financial commitment to independent security evaluations
– More evaluations than any other major database vendor
– Culture of security at Oracle
Robust security features and Identity Management Infrastructure
– Row level security
– Fine Grained Auditing
– Integrated database security and identity management
– Web Single Sign-on, Oracle Internet Directory
– Strong authentication
Oracle Database = 25+ years of security leadership
Timeline from 1977 to 2004 (earliest first):
– Government customer
– Trusted Oracle7 Multilevel Secure Database (1992)
– First Orange Book B1 evaluation (1993)
– Oracle Advanced Security introduced
– Network Encryption
– Radius Authentication
– Support for PKI
– Kerberos framework
– Database Encryption API
– Oracle Internet Directory
– Enterprise User Security
– Virtual Private Database (1998)
– Oracle Label Security (2000)
– Oracle9iAS Single Sign-On
– Oracle9iAS JAAS
– Common Criteria (EAL4)
– Fine Grained Auditing
– Identity Mgmt Release
– Security Evaluation 17
– Column Sec Policies
– Label Sec + ID Mgmt
Oracle Application Server 10g
Identity Management

Identity Management is the process by which the complete security lifecycle for users and other entities is managed for an organization or community of organizations. In practice it means the management of an organization's application users, where the steps in the security lifecycle include account creation, suspension, privilege modification, and account deletion.
Identity Management Components

The Identity Challenge (diagram): each application keeps its own user credentials for authentication and authorization in its own directory server or database, with its own administrators, in front of the same end users. The result:
– Redundant, silo’d application development
– Non-uniform access policies
– Orphan accounts
– Audit/log information fragmented

Bring Order to Chaos with Identity (diagram): the applications share one set of user credentials for authentication and authorization, managed by one group of administrators. The result:
– Centralized, policy-based management of access & authorization
– Faster development and deployment
– Centralized audit and logging
Oracle ID Mgmt: Typical Deployments
– Enterprise provisioning: heterogeneous integration
– Telco provisioning: scalability & HA
– Enterprise Portal: single sign-on, administrative delegation
– Government R&D organization, corporate conglomerates: centralized identities with autonomous administration of departmental applications
– Multi-hosting with delegated subscriber admin: multiple identity realms in one physical infrastructure + HA
Platform Security Architecture (diagram)
Oracle Platform Security sits between external security services (Oracle Internet Directory, Public Key Infrastructure) and application security:
– Application security: E-Business Suite (responsibilities, roles …), Collaboration Suite (secure mail, interpersonal grants …), ISV & custom applications (authorization, privacy, audit …), BPEL Process Manager, BI, Portal, ADF (roles, privilege groups …)
– Oracle Identity Management: directory integration, RBAC & web authorization, provisioning & delegated administration, access management, directory services, provisioning services, SSO & identity federation
– Oracle Database: enterprise users, VPD, Label Security, encryption, audit
– Oracle Application Server: JAAS, JACC, WS Security, …
Internet Directory
Scalability
– Millions of users
– 1000’s of simultaneous clients
High availability
– Multimaster & fan-out replication
– Hot backup/recovery, RAC, etc.
Manageability
– Grid Control multi-node monitoring
Security
– Comprehensive password policies
– Role & policy based access control
– Auditability
Extensibility & Virtualization
– Plug-in framework
– Attribute and namespace virtualization
– External authentication
– Custom password policies
OID architecture (diagram): LDAP clients and the Directory Admin Console talk to the OID Server, which stores the directory in an Oracle Database.

Directory Integration (diagram): the Directory Integration Service uses connectors to synchronize Oracle Internet Directory with external directories: SunOne, Active Directory, Oracle HR, Oracle DB, OpenLDAP, eDirectory.
Provisioning Integration (diagram): the Oracle Provisioning Integration Service, built on OID with an event notification engine and a policy & workflow engine, receives identity changes from self-service (passwords, preferences), corporate HR (employee enrollment), helpdesk admin, eMail admin and Portal admin, and pushes them through provisioning connectors to ERP, CRM, eMail, Portal and partner provisioning systems.
OracleAS Single Sign-On (diagram): Single Sign-On, backed by OID, accepts PKI, passwords, Win2K native authentication, SecurID, Biokey and other methods, and fronts ERP, CRM, Portal and other OracleAS-enabled applications; partner SSO (Netegrity, RSA, Oblix) environments and extranet users are joined through federation / Liberty.
– Integrates Oracle and partner-SSO enabled apps
– Transparent access to DB tier, 3rd party web apps
– Multiple AuthN options: different auth modes to match application security levels
Demonstration: IdM SSO

SSO Benefits
1) Tightly integrated with the Oracle product stack
2) Easy to deploy, part of Oracle Identity Management
3) Supports PKI authentication with industry standard X.509v3 certificates
4) Accepts Microsoft Kerberos tokens for easy authentication in a Windows environment
5) Integrated with Oracle Certificate Authority (OCA) for easy provisioning of X.509v3 certificates using OCA
Certificate Authority
– Solution for strong authentication / PKI
– Easy provisioning of X.509v3 digital certificates for end users
– Web based certificate management and administration
– Seamless integration with Oracle Application Server Single Sign-On & OID
(Diagram: the user obtains a certificate from Oracle Certificate Authority, which runs in a secure IT facility alongside the metadata repository, Oracle Single Sign-On and Oracle Internet Directory.)
Future support
SAML (Security Assertions Meta Language)
– facilitates interoperation and federation among security services.
SPML (Service Provisioning Meta Language)
– XML standard that facilitates integration among provisioning environments by defining the protocol for interaction between provisioning service components and agents representing provisioned services.
DSML
– XML standard for exchanging directory data as well as invoking directory operations over the Internet.

Future support (con’t)
XKMS
– XML Key Management Specification. It is intended to simplify deployment of PKI in a web services environment.
WS-Security
– defines a set of SOAP extensions that can be used to provide message confidentiality, message integrity, and secure token propagation between Web Services and their clients.
Liberty Alliance
– standards that define the framework and protocol for network identity based interactions among users and services within a federated identity management environment.
Delegated Administration Services
Admin console w/ role-based customization
– User / group management
– End-user vs admin views
– Admin delegation
End-user self-service
– Self service provisioning
– Set preferences, org-chart
– Password reset
Embeddable admin components
– For integration with apps
Extensively configurable
– Accommodate new applications
– Customize UI views

Demonstration: IdM Delegated Admin Services

Delegated Admin Benefits
1) Enables self service administration of passwords and password resets
2) Enables administrative granularity of Identity Management components
3) Centralized provisioning for web SSO and enterprise user database access
4) Supports password or PKI based authentication
5) Self service password management without the intervention of an administrator
6) Delegated administrators, such as non-technical managers, can create and manage both users and groups
7) Allows users to search parts of the directory to which they have access
Grid Computing End-to-End Security (diagram)
– Client authenticates to the application server
– Application server securely proxies the user identity to the RDBMS
– OID holds identities, roles & authorizations
– Application grid: authenticate user, retrieve authorizations for users
– Data grid: connect users to the application schema

AS10g R2 new 3-tier features
– Proxy authentication, including credential proxy of X.509 certificates or Distinguished Names (DN) to the Oracle Database
– Support for Type 2 JDBC driver, connection pooling for ‘application users’ (Type 2 and Type 4 JDBC drivers, OCI)
– Integration with Oracle Identity Management for Enterprise Users (EUS)
Demonstration: User Security

User Security Benefits
1) Enables centralized management of traditional application users in Oracle Identity Management
2) Oracle Identity Management directory integration services can be used for bi-directional synchronization with existing Identity Management infrastructures (AD, SunOne/iPlanet, Netscape)
3) Optionally map users to shared schemas or retain individual account mappings in the database for complete application transparency
4) Optionally manage database roles in the Oracle Identity Management infrastructure
5) Optionally can be used with Oracle Label Security to maintain security clearances in Oracle Identity Management
Oracle IT: Before ID Mgmt (diagram)
Numerous IDs / passwords & sign-ons. Every application kept its own IDs, passwords, profiles and prefs:
– Extranet DMZ: My.oracle.com (employees), Oracle Technology Network (self-registered TechNet users), Oracle Files, Global Mail, Calendar, Web Mail / Calendar; partners / suppliers come in here
– Corporate network: HR, Web Conferencing, Intranet Web Apps, E-Business Apps (employees)

Oracle IT: After ID Mgmt (diagram)
Single ID/password & SSO. The same applications, employees, partners / suppliers, extranet DMZ and corporate network now authenticate through one Oracle IdM Infrastructure.
Oracle IdM Summary
Oracle Identity Management is a complete infrastructure providing
– directory services
– directory synchronization
– user provisioning
– delegated administration
– web single sign-on
– and an X.509v3 certificate authority.
Oracle Identity Management is designed to provide ready, out-of-the-box deployment for Oracle applications, as well as serve as a general-purpose identity management infrastructure for the enterprise and beyond.
Break
15 minutes
Privacy & Access Control

Oracle9i/10g Secure Application Role
• A secure application role is a role enabled by security code
• The application asks the database to enable the role (can be called transparently)
• The security code performs the desired validation before setting the role (privileges)

CREATE ROLE SAR IDENTIFIED USING SCHEMA_USER.PACKAGE_NAME;

(Diagram: User A connects over JDBC / Net8 / ODBC as the HR Application, the Financials Application or Ad-Hoc Reports to an Oracle9i/10g database.)
Secure Application Role Benefits
Security policy can check anything:
– time of day
– day of week
– IP address/domain
– local or remote connection
– user connected through application
– X.509 data, etc.
Database controls whether privileges are enabled
Multiple applications can access the database securely
Allows a secure handshake between applications and database
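A worked version of the role, package and checks described above; this is an added example, not code from the slides or from Oracle. The schema HR, role HR_APP_ROLE, package HR_SEC, table HR.EMPLOYEES, user APP_USER, the application-tier subnet and the MODULE string are all assumed for the illustration.

```sql
-- 1. The role can only be enabled by code in the named package; a plain
--    SET ROLE hr_app_role from SQL*Plus is rejected by the database.
CREATE ROLE hr_app_role IDENTIFIED USING hr.hr_sec;
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;

-- 2. The enabling package must be invoker's rights (AUTHID CURRENT_USER) so
--    that the role is set in the calling session, not the package owner's.
CREATE OR REPLACE PACKAGE hr.hr_sec AUTHID CURRENT_USER AS
  PROCEDURE enable_app_role;
END hr_sec;
/
CREATE OR REPLACE PACKAGE BODY hr.hr_sec AS
  PROCEDURE enable_app_role IS
    v_ip     VARCHAR2(64);
    v_module VARCHAR2(64);
    v_hour   NUMBER;
  BEGIN
    -- Session attributes the database itself knows about.
    v_ip     := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    v_module := SYS_CONTEXT('USERENV', 'MODULE');
    v_hour   := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));

    -- Time of day: no privileges outside business hours.
    IF v_hour < 7 OR v_hour >= 19 THEN
      RAISE_APPLICATION_ERROR(-20001, 'HR role not available outside business hours');
    END IF;

    -- IP address: only connections from the application tier (assumed /24).
    -- A local bequeath connection has no IP address and is rejected too.
    IF v_ip IS NULL OR v_ip NOT LIKE '10.1.5.%' THEN
      RAISE_APPLICATION_ERROR(-20002, 'HR role only available from the application tier');
    END IF;

    -- "User connected through application": the application tags its sessions
    -- with a MODULE name. MODULE is client-supplied, so treat it as a hint that
    -- filters ad-hoc tools, not as authentication; the IP check above is the
    -- stronger control.
    IF v_module IS NULL OR v_module <> 'HR_PAYROLL' THEN
      RAISE_APPLICATION_ERROR(-20003, 'HR role only available to the HR application');
    END IF;

    -- All checks passed: enable the role for this session only.
    DBMS_SESSION.SET_ROLE('hr_app_role');
  END enable_app_role;
END hr_sec;
/

-- 3. The application's database account only needs EXECUTE on the package;
--    the privileges arrive through the role once the checks succeed.
GRANT EXECUTE ON hr.hr_sec TO app_user;

-- In the application's session, after connecting:
EXEC hr.hr_sec.enable_app_role;
```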
Demonstration: Secure Application Role
Oracle Database 10g Virtual Private Database
Column Relevant Policies
– Policy enforced only if specific columns are referenced
– Increases row level security granularity

Sample table (from the slide):
Store ID | Revenue  | Department
AX703    | 10200.34 | Finance
B789C    | 18020.34 | Engineering
JFS845   | 12341.34 | Legal
SF78SD   | 13243.34 | HR

SELECT store_id, revenue … references the relevant column, so the policy is enforced and only the row the user is allowed to see (marked OK on the slide) is returned.

Oracle Database 10g Virtual Private Database Column Filtering
– Optional VPD configuration to return all rows but filter out column values in rows which don’t meet criteria

SELECT revenue … against the same table returns all four rows (every row marked OK on the slide), with the revenue value blanked out in the rows that do not meet the policy criteria.
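The two VPD modes above on the slide's sales table, as an added example that is not from the slides or from Oracle. The schema SALES_APP, table STORE_SALES, policy function DEPT_FILTER and an application context SALES_CTX (assumed to be created with CREATE CONTEXT and populated with the caller's DEPARTMENT by a trusted login procedure) are assumptions.

```sql
-- Sample data in the shape of the slide table (constructed).
CREATE TABLE sales_app.store_sales (
  store_id   VARCHAR2(10),
  revenue    NUMBER(12,2),
  department VARCHAR2(30)
);
INSERT INTO sales_app.store_sales VALUES ('AX703',  10200.34, 'Finance');
INSERT INTO sales_app.store_sales VALUES ('B789C',  18020.34, 'Engineering');
INSERT INTO sales_app.store_sales VALUES ('JFS845', 12341.34, 'Legal');
INSERT INTO sales_app.store_sales VALUES ('SF78SD', 13243.34, 'HR');
COMMIT;

-- Policy function with the signature DBMS_RLS requires. It returns a
-- predicate restricting rows to the caller's department. The predicate
-- references SYS_CONTEXT directly rather than concatenating the context
-- value into the string, so a hostile value cannot rewrite the predicate.
-- A session with no department gets 1=0 (nothing), never an empty
-- predicate (everything).
CREATE OR REPLACE FUNCTION sales_app.dept_filter (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('SALES_CTX', 'DEPARTMENT') IS NULL THEN
    RETURN '1=0';
  END IF;
  RETURN 'department = SYS_CONTEXT(''SALES_CTX'',''DEPARTMENT'')';
END dept_filter;
/

-- Mode 1: column-relevant policy. The predicate is applied only when
-- REVENUE is referenced; SELECT store_id, department is unrestricted.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'SALES_APP',
    object_name       => 'STORE_SALES',
    policy_name       => 'REVENUE_BY_DEPT',
    function_schema   => 'SALES_APP',
    policy_function   => 'DEPT_FILTER',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'REVENUE');
END;
/

-- Mode 2: column masking. Same function and relevant column, but with
-- ALL_ROWS every row is returned and REVENUE is NULL in rows that fail
-- the predicate. Masking is only available for SELECT.
BEGIN
  DBMS_RLS.DROP_POLICY('SALES_APP', 'STORE_SALES', 'REVENUE_BY_DEPT');
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'SALES_APP',
    object_name           => 'STORE_SALES',
    policy_name           => 'REVENUE_MASK_BY_DEPT',
    function_schema       => 'SALES_APP',
    policy_function       => 'DEPT_FILTER',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'REVENUE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

For a session whose SALES_CTX.DEPARTMENT is Finance, mode 1 returns only the AX703 row from SELECT store_id, revenue, while mode 2 returns all four rows with a revenue value for AX703 and NULL for the other three.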
Demonstration: Virtual Private Database

Object Access Control (diagram): Org A and Org B both hold SELECT on the same data table.
Oracle9i/10g Label Security
– Out-of-the-box, customizable row level security
– Design based on stringent commercial and government requirements for row level security

Sample labeled table (from the slide):
Sensitivity Label     | Project | Location | Department
Public                | AX703   | Chicago  | Corporate Affairs
Sensitive             | B789C   | Dallas   | Engineering
Highly Sensitive      | JFS845  | Chicago  | Legal
Confidential : Europe | SF78SD  | Miami    | Human Resource
Components of Label Security
Levels
– Sensitivity level (e.g., “Top Secret, Secret, Unclassified”)
Compartments
– (‘X’,’Y’,’Z’); the user must possess all of a row’s compartments (“Need to Know”)
Groups
– Hierarchical
– Supports organization infrastructure
Label components are the encoding within data labels and user labels that determine access.
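The three components above assembled into a working OLS policy, as an added example that is not from the slides or from Oracle. The policy name PROJ_POL, table PROJ_APP.PROJECTS, user ENG_ANALYST and every level, compartment, group and label value are assumed; the statements run as LBACSYS or a user holding the policy's administrative role.

```sql
-- 1. Policy: adds a hidden label column PROJ_LABEL to protected tables and
--    enforces read and write control on it.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'PROJ_POL',
    column_name     => 'PROJ_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- 2. Components.
BEGIN
  -- Levels: ordered sensitivity; a higher number is more sensitive.
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 1000, 'U',  'Unclassified');
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 2000, 'S',  'Secret');
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 3000, 'TS', 'Top Secret');
  -- Compartments: need to know. A reader must hold EVERY compartment
  -- that appears in the row label.
  SA_COMPONENTS.CREATE_COMPARTMENT('PROJ_POL', 10, 'X', 'Project X');
  SA_COMPONENTS.CREATE_COMPARTMENT('PROJ_POL', 20, 'Y', 'Project Y');
  -- Groups: hierarchical. A reader needs at least one group in the row
  -- label, and holding a parent group (CORP) covers its children.
  SA_COMPONENTS.CREATE_GROUP('PROJ_POL', 100, 'CORP', 'Corporate');
  SA_COMPONENTS.CREATE_GROUP('PROJ_POL', 110, 'ENG',  'Engineering', 'CORP');
  SA_COMPONENTS.CREATE_GROUP('PROJ_POL', 120, 'LEG',  'Legal',       'CORP');
END;
/

-- 3. Data labels rows may carry, written LEVEL:COMPARTMENTS:GROUPS.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 1100, 'U');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 2100, 'S:X:ENG');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 3100, 'TS:X,Y:CORP');
END;
/

-- 4. Apply the policy to the application table.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'PROJ_POL',
    schema_name => 'PROJ_APP',
    table_name  => 'PROJECTS');
END;
/

-- 5. User clearance. With a maximum read label of S:X:ENG this user sees
--    rows labelled U and S:X:ENG, but not TS:X,Y:CORP: the level is too
--    high and compartment Y is missing, so the row is simply absent from
--    every query result.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name    => 'PROJ_POL',
    user_name      => 'ENG_ANALYST',
    max_read_label => 'S:X:ENG');
END;
/
```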
Oracle Label Security (diagram)
Application table under Oracle9i OLS; the user’s authorization is Confidential : Partners, and OK marks the rows returned to that user.
Sensitivity Label      | Project | Location | Department  | Access
Public                 | AX703   | Boston   | Finance     | OK
Confidential: Partners | B789C   | Denver   | Engineering | OK
Company Confidential   | JFS845  | Boston   | Legal       |
Company Confidential   | SF78SD  | Miami    | HR          |

Demonstration: Oracle Label Security
Fine-grained Auditing (diagram)
– User queries: SELECT name, salary FROM emp WHERE …
– Audit policy enforced in the database on the Employee table: … WHERE salary > 500000, AUDIT COLUMN = salary
– Audit record shows: SELECT name, salary FROM emp WHERE name = ‘KING’, <timestamp>, <username>
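The policy in the diagram expressed with DBMS_FGA, plus the two queries a security administrator runs against it; an added example, not from the slides or from Oracle. The schema HR, table EMP, policy name SALARY_WATCH and the threshold are assumed.

```sql
-- Audit only statements that reference SALARY AND return at least one row
-- with salary > 500000. A query on the same table that does not touch
-- SALARY, or that only returns rows below the threshold, leaves no record,
-- which keeps the trail small enough to actually be read.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'SALARY_WATCH',
    audit_condition => 'SALARY > 500000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT');   -- 10g also accepts INSERT, UPDATE, DELETE
END;
/

-- What the record shows after a user runs
--   SELECT name, salary FROM hr.emp WHERE name = 'KING'
-- and KING's salary is above the threshold: who, when, from which host,
-- and the exact statement text (SQL_BIND carries bind values when the
-- policy's audit trail includes the extended option).
SELECT timestamp,
       db_user,
       os_user,
       userhost,
       sql_text,
       sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'SALARY_WATCH'
 ORDER BY timestamp DESC;

-- A disabled policy audits nothing, so the state of the policy itself is
-- worth checking on a schedule alongside the trail.
SELECT object_schema, object_name, policy_name, policy_column, enabled
  FROM dba_audit_policies
 WHERE policy_name = 'SALARY_WATCH';
```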
The Expert View
“… Companies that properly maintain the security of their systems will eliminate 90 percent of all potential exploits. Companies that fail to take these precautions should prepare for breaches at an increasing rate.”
– Giga Information
Stored Data Encryption
DBMS_OBFUSCATION (9i), DBMS_CRYPTO (10g)

Sample Oracle9i database table with an encrypted column (from the slide):
Credit Card     | First  | Last      | Store Id
!3Asjfk234      | Diana  | Roberts   | 100
#k230d23*       | Paul   | Nelson    | 200
[email protected] | Julia  | Patterson | 100
#dkal3j49I3!    | Steven | Drake     | 300

Supported Encryption Standards
– AES (128, 192 and 256 bit keys)
– RC4 (40, 56, 128, 256 bit keys)
– 3DES (2 key and 3 key)
– MD5
– SHA1
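Encrypting the credit card column from the table above with DBMS_CRYPTO (10g), as an added example that is not from the slides or from Oracle. It uses AES-256 in CBC mode with PKCS#5 padding and a fresh random IV per row; the package name CARD_CRYPTO, the table CUSTOMERS and the key-retrieval package KEY_STORE are assumptions, and the key itself must live outside the table (wallet, HSM or a separate restricted schema), never next to the ciphertext.

```sql
-- EXECUTE on DBMS_CRYPTO is granted by SYS and should go only to this package's owner.
CREATE OR REPLACE PACKAGE card_crypto AS
  FUNCTION encrypt_card(p_card IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_card(p_blob IN RAW) RETURN VARCHAR2;
END card_crypto;
/
CREATE OR REPLACE PACKAGE BODY card_crypto AS
  c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                               + DBMS_CRYPTO.CHAIN_CBC
                               + DBMS_CRYPTO.PAD_PKCS5;

  -- Assumed: KEY_STORE is an external, restricted package returning the
  -- 32-byte data key by name. Hard-coding the key here would put it in
  -- DBA_SOURCE for anyone who can read the package body.
  FUNCTION data_key RETURN RAW IS
  BEGIN
    RETURN key_store.get_key('CARD_KEY_V1');
  END data_key;

  -- Stored layout: 16-byte IV || ciphertext, so each row has its own IV and
  -- two customers with the same card number do not share a ciphertext.
  FUNCTION encrypt_card(p_card IN VARCHAR2) RETURN RAW IS
    v_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
    v_enc RAW(2000);
  BEGIN
    v_enc := DBMS_CRYPTO.ENCRYPT(
               src => UTL_I18N.STRING_TO_RAW(p_card, 'AL32UTF8'),
               typ => c_mode,
               key => data_key,
               iv  => v_iv);
    RETURN UTL_RAW.CONCAT(v_iv, v_enc);
  END encrypt_card;

  FUNCTION decrypt_card(p_blob IN RAW) RETURN VARCHAR2 IS
    v_iv  RAW(16)   := UTL_RAW.SUBSTR(p_blob, 1, 16);
    v_enc RAW(2000) := UTL_RAW.SUBSTR(p_blob, 17);
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => v_enc, typ => c_mode,
                                 key => data_key, iv => v_iv),
             'AL32UTF8');
  END decrypt_card;
END card_crypto;
/

-- The column is RAW, so the application schema never holds plaintext; only
-- sessions granted EXECUTE on card_crypto can turn it back into a number.
CREATE TABLE customers (
  first_name VARCHAR2(40),
  last_name  VARCHAR2(40),
  store_id   NUMBER,
  card_enc   RAW(2000)
);
-- Constructed row using a well-known test card number.
INSERT INTO customers
  VALUES ('Diana', 'Roberts', 100, card_crypto.encrypt_card('4111111111111111'));
COMMIT;
```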
Demonstration: Data Encryption
Advanced Security Option
Encryption for data in motion
– RSA RC4 Public Key Encryption
– 40, 56 and 128 bit key lengths
– Support for the Data Encryption Standard (DES) algorithm
– Support for the Message Digest 5 (MD5) checksumming algorithm

Advanced Security Option
Authentication device support
– RADIUS device
– Token cards (SecurID for example)
– Biometric devices
Secure Socket Layer
– With X.509 v3 certificate support
Support for Open Software Foundation’s Distributed Computing Environment (DCE)
Threats to Networks and Internet
1. Data Theft – eavesdroppers can see all data
2. Data Modification or Replay – $500 becomes $50,000
3. Data Disruption – packets can be stolen; data never arrives

Demonstration: Network Encryption
Oblix: Brief Overview and Roadmap

Oblix: Pure-Play Product Leader
– Gartner: “Leader” in Access Management
– Loosely Coupled: “Leader” in Web Services Management
(Magic Quadrant figure, ability to execute axis; source: Gartner Research, June 2004)
Oblix COREid
COREid Access
– Web single sign-on
– Flexible authentication methods
– Policy-based authorization
COREid Provisioning
– Template-based workflow
– Agent and agentless account provisioning
– Metadirectory synchronization
– Password synchronization
– Cross-platform connectivity
COREid Reporting
– Centralized auditing
– Pre-built identity and security reports
– Global view of user access
– Robust logging framework
COREid Integration
– Pre-built connectors to leading application servers, web servers, portal servers, and directory servers
– “Data Anywhere” configuration
Benefits
Increased Security
– Integrated solution
– Define and enforce security, administrative, and access control policies consistently across enterprise applications
Increased Compliance
– Audit events across the entire enterprise
– Who has access to which applications
– Access control managed per attribute
– Meet Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley compliance
Increased Governance
– Centralized policy definition with localized enforcement

COREid Identity
– User, group, and organization management
– Delegated administration
– Self service and self registration
– Unified workflow
– Identity web services controls
– Password management

Current Portfolios (diagram)
– Oracle 10g / 10.1.3: Delegated Admin Service, Meta Directory (DIP), Directory (OID), Cert. Authority / PKI (OCA), OracleAS SSO, Provisioning Integration (DIP)
– Oblix: COREid Access, COREid Provisioning, COREid Identity, COREsv Web Services Management
– Also shown: Federation (Liberty / SAML-2.0), Web Authorization, Virtual Directory, Provisioning connectors, Identity Grid Control

Oracle / Oblix IdM Integration Roadmap (diagram)
– Integrated portfolio: SHAREid Identity Federation, Access Control, Directory (OID), Identity Provisioning, Meta-Directory, Certificate Authority, SSO, WS Management Gateway, Virtual Directory, ID Grid Control, Auditing & Reporting
– Oracle Identity Mgmt and OracleAS Option, immediate availability: Directory (OID), Delegated Admin Service, Provisioning Integration, Certificate Authority, Oracle AS SSO
– Oracle-Oblix IdM: COREid Provisioning, COREid Identity & Access, COREid Federation, WS Management (COREsv)
IdM – What does Oracle offer today? / Current offering with Oblix today
Two slides colour-code the same capability list against this legend: Oracle - Full Functionality, Oracle - Limited Functionality, Planned Functionality, Partner Offering.
Capabilities shown:
– Identity Integration: Directory, Virtual Directory, Meta-Directory
– Identity & Access Mgmt: PKI Certificate Services, Password Management, Web Authorizations, Identity Federation
– Security Monitoring & Audit Services
– Privacy & Compliance Management
– SSO, Delegated Admin, Policy Based Access Ctrl, Role Based Access Ctrl, Non-web & 3rd party SSO
– Enterprise Provisioning Automation
Thursday, August 11, 2005, 8:00 am - 11:00 am (breakfast & registration at 8:00 am)
Oracle Office - Cincinnati, 312 Elm Street, Suite 1525, Cincinnati, OH 45202
• Oracle COREid Access & Identity
• Oracle COREid Federation
• Oracle COREid Provisioning
• Oracle Single Sign On / Oracle Internet Directory
• Oracle Application Server, Enterprise Edition
• Oracle Web Services Manager
http://www.oracle.com/webapps/events/EventsDetail.jsp?p_eventId=42000&src=3830746&src=3830746&Act=41

Q & A
Additional Slides

Security Tips 101
“Oracle Security Step-by-step”
– By Pete Finnigan
– SANS Press

Security Tips 101
Keep up with security patches!
– Security alerts from the Oracle Technology Network site
– Security Issues website

Security Tips 101
– Check your file system privileges
– If on Windows, use NTFS, not FAT or FAT32
– Prevent seeing passwords with the UNIX “ps” command (Note 136480.1 or 1009091.6)
– Check privileges on export files in the OS

Security Tips 101
– If a full export is done to populate a test database, immediately change all passwords
– No database user except SYS must have: ALTER SYSTEM, ALTER SESSION

Security Tips 101
Change default passwords:
– List of default users and passwords
– Where to get this list
SYS should not be “CHANGE_ON_INSTALL”!!!! SYSTEM should not be “MANAGER”!!!!
Security Tips 101
– Check scripts in the file system that have embedded passwords!
– Make sure REMOTE_OS_AUTHENT = FALSE (allows login without a password)
– REMOTE_OS_ROLES = FALSE also
– Check for all users with the DBA role
– Check for users or roles with an “ANY” privilege: UPDATE ANY TABLE, DROP ANY TABLE

Security Tips 101
– Revoke the RESOURCE role from normal users
– No users or roles should have access to: dba_users, sys.link$, sys.user$, sys.user_history$. These have clear text passwords!

Security Tips 101
– Make sure your listener has a password
– Use “current user” database links if possible (“CONNECT TO CURRENT_USER”)
– Check database links from Test, Dev and QA instances. Remove any that are not absolutely necessary
– Avoid plain text passwords in batch files. Use an encryption utility
– Avoid external accounts for batch processes
Security Tips 101
Use the Oracle Security Checklists:
– 9i R2 Security Checklist
– 9iAS Security Checklist
Or third party utilities to check your security; Oracle Enterprise Manager 10g includes security checking
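The checks from the tips above (REMOTE_OS_AUTHENT and REMOTE_OS_ROLES, the DBA role, ANY and ALTER privileges, RESOURCE, the password-bearing dictionary tables, database links and external accounts) as one read-only SQL audit script for a DBA to run on 9i/10g; this is an added example, not from the slides, the SANS book or Oracle, and the accounts exempted from each finding are assumptions to adjust per site.

```sql
-- 1. Both parameters must be FALSE; any row returned here is a finding.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'remote_os_roles')
   AND UPPER(value) <> 'FALSE';

-- 2. Everyone holding the DBA role directly (SYS and SYSTEM are expected).
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM');

-- 3. ANY privileges and ALTER SYSTEM / ALTER SESSION held by anyone but
--    SYS, SYSTEM and the DBA role itself. Roles appear as grantees too, so
--    a privilege hidden inside a custom role still shows up.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '% ANY %'
        OR privilege IN ('ALTER SYSTEM', 'ALTER SESSION'))
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- 4. Ordinary users still holding RESOURCE.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'RESOURCE'
   AND grantee NOT IN ('SYS', 'SYSTEM');

-- 5. Object privileges on the tables and views that expose password data.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('USER$', 'LINK$', 'USER_HISTORY$', 'DBA_USERS');

-- 6. Fixed-user database links: each one keeps a password in sys.link$.
--    Current-user and connected-user links carry no stored password.
SELECT owner, db_link, username, host
  FROM dba_db_links
 WHERE username IS NOT NULL
   AND username <> 'CURRENT_USER';

-- 7. Externally identified (OS-authenticated) accounts, the kind the tips
--    say to avoid for batch processes; with REMOTE_OS_AUTHENT = TRUE any
--    client machine could claim one of these names.
SELECT username, account_status, created
  FROM dba_users
 WHERE password = 'EXTERNAL';
```

Empty result sets on checks 1, 5, 6 and 7 are the target; the others need a documented owner for every row they return.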
Security Tips 101
1. Only two highly trusted DBAs have SYS privileges
2. All other DBAs log in using unique user IDs, and those IDs are granted ONLY the privileges needed to do their job
3. Partition responsibilities as much as possible between the DBAs
4. Security administration, not DBAs, has the ability to grant or change access privileges
5. Employ strong password policies
6. Audit ALL activities the DBAs do
7. Audit ALL activities the two trusted DBAs do, both in their regular login and when connected as SYS (9iR2 and higher)

Security Tips 101
8. Audit logs are locked out of the DBAs’ reach and monitored and reviewed by security administration, possibly stored on a separate system
9. Replicate the logs to help identify if a log has been tampered with
10. Audit ALL DML on the audit logs
11. Set up fine grained auditing alerts on key information when there is attempted access by unauthorized persons. These alerts are sent to the security administrator.
12. If offshore DBA services are employed, track everything they do very closely and restrict what they can see or do.