Securing Privileged Accounts with an Integrated IDM Solution
- Olaf Stullich, Product Manager, Oracle (Olaf.Stullich@oracle.com)
- Mike Laramie, Oracle Cloud for Industry Architecture Team
- Buddhika Kottahachchi, OPAM Architect

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Program Agenda
- Introduction
- What is Oracle Privileged Account Manager?
- OPAM Integration with Oracle Identity Governance and Database Security
- Use Case: Oracle Cloud for Industry and OPAM
- Demo

Introduction

What do these two have in common?
- Privileged account access
- Excessive access privileges
- Difficult to monitor shared accounts across multiple administrators

IDM: Overcome Threats and Regulations to Unlock Opportunities
- Threats: increased online threat; costly insider fraud
- Compliance: tougher regulations; greater focus on risk; stronger governance
- Opportunities: social media; cloud computing; mobile access
- Figures from the 2011 Data Breach Investigations Report: 76% of data stolen from servers; 86% of hacking involved stolen credentials; 48% caused by insiders; 17% involved privilege misuse

Managing Privileged Access Is Not Well Defined
- SCALE: manual solutions don't scale (like managing privileged access via spreadsheets)
- RISK: using default system passwords is prone to risk
- COST: deploying point solutions can increase integration costs

Two Big Management Problems
- Identifying privileged accounts
- Tracking privileged accounts

The Right Approach is Self-Reinforcing
- A self-reinforcing cycle: Access Request, Auto-Provisioning, Reporting & Certification, Remediation
- Visibility across complete user access is key

Privileged Account Management: A Platform Approach
- Shared connectors
- Centralized policies
- Workflow integration
- Common reporting
- Outcome: reduce risk, improve compliance

What is Oracle Privileged Account Manager?

Oracle Fusion Middleware: Business Innovation Platform for the Enterprise and Cloud
- Layers: Web, Social, Mobile; User Engagement; Business Process Management; Service Integration; Content Management; Identity Management; Business Intelligence; Data Integration; Development Tools; Cloud Application Foundation; Enterprise Management
- Complete and integrated; best-in-class; open standards; on-premise and cloud
- Foundation for Oracle Fusion Applications and Oracle Cloud

Identity Management: Securing the Social Enterprise
- Simplified Identity Governance
  - Access Request Portal with catalog and shopping-cart UI
  - In-product, durable customization of UIs, forms and workflows
  - Privileged Account Management leverages identity connectors, workflows and audit
- Complete Access Management
  - Integrated SSO, Federation, API Management, Token Management, Granular Authorization
  - Mobile application security with SSO, device fingerprinting and step-up authentication
  - Social identity log-in from popular social media sites
  - REST, OAuth, XACML
- Directories that Scale
  - OUD optimized on T4 hardware, delivering a 3x performance gain and 15% of the set-up time

Privileged Account Manager: Definition of Terms
- Privileged Account: a human-accessible account with elevated permissions (root for UNIX/Linux, SYS for DB)
- Service Account: most customers use the term "service account" when they refer to Privileged Accounts; some customers use it when they refer to Application Accounts. OPAM uses "service accounts" in the connector configuration.
- End User: an administrator who accesses OPAM to check out an account
- Administrator: the OPAM server administrator
- Application Accounts: accounts used by an application (stored in the application) to access, e.g., a database
- Target: OPAM manages account access on Targets

Privileged Account Manager: Overview of Product Capabilities
- Secure password vault to centrally manage passwords for privileged accounts
  - OPAM uses an Oracle DB EE instance with TDE to encrypt passwords
- Session Management and Auditing
  - Session control without revealing a privileged account password
  - Session history and searchable session recording
- Extensible Framework: Java-based, for customized solutions
- Audit Reporting
  - Customizable audit reports through BI Publisher
  - Real-time status available via the OPAM dashboard (charts, tables, etc.)

Privileged Account Manager: Overview of Product Capabilities (continued)
- Integrated with the Identity Governance Platform
  - Shared connectors and workflow integration with OIM
  - Centralized policy management via OIM and OIA
- Using out-of-the-box connectors, OPAM Targets can be configured for databases, operating systems, LDAP directories, and Oracle FMW applications
- Policy-based access to privileged accounts via grants
  - Grants control whether and when a given administrator has access to a privileged account
  - Grants are represented as OPAM Usage Policies
  - Grants are typically assigned through LDAP group membership in the identity store
- Flexible password policies that mirror corporate password standards

Supported Clients / Targets
- Generic UNIX systems
- Generic database servers
- Generic LDAP directories
- UNIX, MS SQL Server, Sybase 15

Typical OPAM Use Case
Actors: Database and Unix Admin (Joe), Oracle Privileged Account Manager, LDAP Server, HR Application Database, Unix Server.
1. Joe requests the SYSTEM password for the HR Application Database.
2. OPAM verifies against the LDAP Server that the OPAM user Joe is in the HR DBA role, then returns the SYSTEM password.
3. Joe logs in as SYSTEM and adds a table to the DB; the system runs out of space.
4. Joe requests the root password for the Unix Server; OPAM returns it.
5. Joe logs in as root and adds disk space.
6. Joe checks in both passwords.
7. OPAM sets a new SYSTEM password for the HR App Database, based on the password policy for the HR App Database, and a new root password for the Unix Server, based on the password policy for the Unix Server.
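The flow above, worked through as an added example that is not OPAM code: a small Python model in which a central vault releases a shared account's password only to members of the granting LDAP group, records who checked it out (so a shared account still yields an individual audit trail), and sets a fresh policy-compliant password on check-in so the revealed value stops working. The Vault, Target and PasswordPolicy names, the exclusive check-out rule and the in-memory group table standing in for the LDAP server are all assumptions made for illustration.

```python
"""Model of the check-out / check-in flow shown on the slide above.

Added example, not OPAM code: the Vault, Target and PasswordPolicy names and
the exclusive check-out rule are assumptions made for illustration; the group
table below is a constructed stand-in for the LDAP server.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed stand-in for the LDAP server: group -> members.
LDAP_GROUPS: Dict[str, Set[str]] = {
    "HR DBA": {"joe"},
    "Unix Admin": {"joe", "ann"},
}


@dataclass(frozen=True)
class PasswordPolicy:
    """Per-target password rules ("based on the password policy for <target>")."""
    length: int = 16
    require_upper: bool = True
    require_digit: bool = True
    require_symbol: bool = True

    def satisfied_by(self, pw: str) -> bool:
        return (len(pw) >= self.length
                and (not self.require_upper or any(c.isupper() for c in pw))
                and (not self.require_digit or any(c.isdigit() for c in pw))
                and (not self.require_symbol or any(c in string.punctuation for c in pw)))

    def generate(self) -> str:
        """Draw from a CSPRNG until a candidate meets the policy."""
        alphabet = string.ascii_letters + string.digits + string.punctuation
        while True:
            candidate = "".join(secrets.choice(alphabet) for _ in range(self.length))
            if self.satisfied_by(candidate):
                return candidate


@dataclass
class Target:
    name: str            # e.g. "HR App Database"
    account: str         # e.g. "SYSTEM"
    granted_group: str   # LDAP group whose members hold the grant for this account
    policy: PasswordPolicy
    password: str = ""
    checked_out_by: Optional[str] = None


class Vault:
    """Central vault: releases a password only to grant holders and rotates it on check-in."""

    def __init__(self, targets: List[Target]):
        self.targets = {(t.name, t.account): t for t in targets}
        self.audit: List[dict] = []
        for t in targets:            # initial passwords are never human-chosen
            t.password = t.policy.generate()

    def _log(self, user: str, action: str, t: Target, outcome: str) -> None:
        self.audit.append({"user": user, "action": action,
                           "account": f"{t.account}@{t.name}", "outcome": outcome})

    def checkout(self, user: str, target: str, account: str) -> str:
        t = self.targets[(target, account)]
        if user not in LDAP_GROUPS.get(t.granted_group, set()):
            self._log(user, "checkout", t, "denied")
            raise PermissionError(f"{user} is not in group {t.granted_group!r}")
        if t.checked_out_by is not None:          # exclusive check-out assumed
            self._log(user, "checkout", t, "denied-in-use")
            raise RuntimeError(f"{account}@{target} is checked out by {t.checked_out_by}")
        t.checked_out_by = user
        self._log(user, "checkout", t, "granted")
        return t.password

    def checkin(self, user: str, target: str, account: str) -> None:
        t = self.targets[(target, account)]
        if t.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {account}@{target}")
        t.password = t.policy.generate()          # the revealed password is now useless
        t.checked_out_by = None
        self._log(user, "checkin", t, "rotated")


def build_demo_vault() -> Vault:
    """The two targets from the slide, each with its own policy."""
    return Vault([
        Target("HR App Database", "SYSTEM", "HR DBA", PasswordPolicy(length=20)),
        Target("Unix Server", "root", "Unix Admin", PasswordPolicy(length=16)),
    ])


def run_joe_scenario() -> List[dict]:
    """Joe's two check-outs from the slide; returns the audit trail."""
    vault = build_demo_vault()
    vault.checkout("joe", "HR App Database", "SYSTEM")   # adds the table
    vault.checkout("joe", "Unix Server", "root")         # adds disk space
    vault.checkin("joe", "Unix Server", "root")
    vault.checkin("joe", "HR App Database", "SYSTEM")
    return vault.audit


if __name__ == "__main__":
    for event in run_joe_scenario():
        print(event)
```

Run stand-alone, the script prints four audit events (two grants, two rotations) attributed to Joe; a user outside the granting group is refused and the refusal is logged, which is the record a reviewer would later certify against.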

OPAM Integration with Oracle Identity Governance and Database Security

OPAM and OIM: a Complete Governance Platform
- Request for privileged account access
  - Leverage OIM policy/role-based provisioning
  - A system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access
  - Workflow and approval will be followed as defined

OPAM and OIM: a Complete Governance Platform (continued)
- Request for privileged account access
  - OIM publishes privileged account entitlements in the request catalog
  - An admin user uses access request self-service, searches the catalog, picks the privileged accounts he needs and submits them for approval
  - The request kicks off workflow and approval as defined
  - The user is provisioned with group membership after approval
  - The user can then access OPAM for privileged password check-out and check-in

OPAM and OIM: a Complete Governance Platform (continued)
- Risk-based certification
  - Through the existing OIM-OPAM integration, privileged access information is made available for certification
  - Risk can be calculated from the account's privilege status and other data such as the provisioning method
  - If an access violation is found, the access can be revoked through OIM closed-loop remediation

OPAM and Database Security
- Enterprise User Security allows non-privileged users to use their enterprise LDAP/AD password to connect to the database
- Database Vault provides stronger separation of duties for databases
- OPAM manages DB passwords for privileged users, including SYS, SYSTEM and application accounts
- Together: a complete Database Security solution from Oracle

Database User Management: Complete Solution

  Service Description                                              Supported by
  Use existing enterprise LDAP passwords for end-user passwords    EUS
  Map database roles to enterprise roles                           EUS
  Manage SYS/SYSTEM passwords                                      OPAM
  Manage application passwords                                     OPAM
  Manage non-Oracle database passwords                             OPAM

Database Vault Integration: Complete Solution

  Service Description                                                           Supported by
  Privileged user access control to limit access to application data           DB Vault
  Multi-factor authorization to enforce enterprise security policies           DB Vault
  Secure application consolidation                                             DB Vault
  Manage DB Vault privileged account passwords (e.g. user_manager, sec_admin)  OPAM
  Manage SYS/SYSTEM and other DB privileged account passwords                  OPAM

Use Case: Oracle Cloud for Industry and OPAM

Oracle Cloud for Industry: Overview
- What is OCI? An internal provider of cloud-based IaaS and PaaS services available to Oracle Global Business Units (GBUs) for the packaging of Oracle Industry Solutions to end customers, e.g. Financial Services, Healthcare, Retail
- http://www.oracle.com/us/industries/index.html

Oracle Cloud for Industry: Operational Roles
- Different operational roles require different levels of access: server admins, network admins, DB admins
- Some groups may require access to multiple resources

Oracle Cloud for Industry: Problems
- Disparate privileged account practices between multiple operational roles: password vault utilities, spreadsheets
- Minimal auditing/reporting on privileged account usage
- Difficulty of access: which vault is that stored in?
- Additional requirements driven by regulatory compliance: PCI, HIPAA/HITECH

Oracle Cloud for Industry: Solution
- Implement a password solution that is easy to use, supports privileged accounts from multiple teams with differing requirements, and is reliable, secure and auditable
- Meets or exceeds regulatory compliance
- Solution: OPAM

Oracle Cloud for Industry: OCI & OPAM
How did OPAM help?
- Role-based access to privileged accounts: LDAP group membership determines which privileged accounts users can access
- Convenient, accessible BUI
- Automated reporting of privileged account access and usage
- Centralized, secure repository
- Automated password management: unique passwords for each system

Oracle Cloud for Industry: OCI Use Cases
- Unix targets: guest VM/hypervisor privileged accounts
- Database targets: SYS/SYSTEM/application accounts
- LDAP targets: service accounts
- Lockbox targets: storage appliances, application passwords, network devices

Oracle Cloud for Industry: PCI & OPAM
How did OPAM help with PCI compliance? Addressed PCI DSS 2.0 requirements:
- 2.1: Always change vendor-supplied passwords before installing a system
- 8.5.8: Do not use group, shared, or generic accounts and passwords
- 8.5.9: Change user passwords at least every 90 days

Oracle Cloud for Industry: OPAM Flexibility
- Customized scripts for password-aging reporting (required for 8.5.9)
  - Wrote a custom script to retrieve data from OPAM and e-mail admins as necessary
  - RFE submitted to include this functionality in a future release's BUI
- Daily reports of check-in/check-out activity
  - Currently done through BI Publisher, e-mailed to the security team nightly
  - On-demand reporting will be in a future release
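The password-aging check described above, as an added example rather than the presenters' script: it measures each vaulted account's password age against the 90-day bound of requirement 8.5.9, flags accounts that are over or approaching it, groups the findings by responsible administrator and builds one e-mail per administrator. The account export format, the two-week warning window, the fixed report date and the sample records are constructed for the example; OPAM's own reporting interfaces are not used, and handing the messages to smtplib is left to the caller.

```python
"""Password-aging report for PCI DSS 8.5.9 (change passwords at least every 90 days).

Added example, not the presenters' script. The export format, the warning
window, the fixed report date and the sample records below are constructed;
OPAM's own interfaces are not used.
"""
from datetime import datetime, timezone
from email.message import EmailMessage
from typing import Dict, List, Tuple

MAX_AGE_DAYS = 90        # the 8.5.9 bound
WARN_BEFORE_DAYS = 14    # assumption: warn two weeks before the bound is hit

# Constructed sample export: one record per vaulted account, UTC timestamps.
ACCOUNTS = [
    {"target": "hrdb01", "account": "SYSTEM", "admin": "dba-team@example.com",
     "last_changed": "2013-06-01T10:00:00Z"},
    {"target": "app01", "account": "root", "admin": "unix-team@example.com",
     "last_changed": "2013-09-10T08:30:00Z"},
    {"target": "ldap01", "account": "cn=svc-sync", "admin": "dir-team@example.com",
     "last_changed": "2013-07-01T00:00:00Z"},
    {"target": "sw01", "account": "admin", "admin": "net-team@example.com",
     "last_changed": "2013-09-20T12:00:00Z"},
]

# Fixed report date so the output is reproducible; a nightly run would use datetime.now(timezone.utc).
NOW = datetime(2013, 9, 25, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse the export's 'Z'-suffixed UTC timestamps into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(record: dict, now: datetime = NOW) -> Tuple[str, int]:
    """Return (status, age_in_days); EXPIRED means the 90-day bound is already exceeded."""
    age = (now - parse_ts(record["last_changed"])).days
    if age > MAX_AGE_DAYS:
        return "EXPIRED", age
    if age > MAX_AGE_DAYS - WARN_BEFORE_DAYS:
        return "EXPIRING", age
    return "OK", age


def build_report(records: List[dict], now: datetime = NOW) -> Dict[str, List[str]]:
    """Group the accounts needing attention by responsible administrator."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        status, age = classify(rec, now)
        if status == "OK":
            continue
        line = f"{status:8} {rec['account']}@{rec['target']}: last changed {age} days ago"
        report.setdefault(rec["admin"], []).append(line)
    return report


def compose_messages(report: Dict[str, List[str]],
                     sender: str = "opam-reports@example.com") -> List[EmailMessage]:
    """One message per administrator, sorted by address; sending is left to the caller."""
    messages = []
    for admin, lines in sorted(report.items()):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = admin
        msg["Subject"] = f"[OPAM] {len(lines)} privileged account(s) need a password change"
        msg.set_content("\n".join(lines) + "\n")
        messages.append(msg)
    return messages


if __name__ == "__main__":
    for msg in compose_messages(build_report(ACCOUNTS)):
        print(msg)
```

With the constructed data the report flags SYSTEM@hrdb01 as already past the bound and cn=svc-sync@ldap01 as approaching it, and produces two messages; the two accounts changed within the last month generate nothing, which keeps the nightly mail actionable.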

Case Study Overview: Solution
- Securely stores local privileged account information in a central location
- Access to accounts is limited by LDAP group membership (RBAC)
- Reportable audit trail on account usage

Oracle Privileged Account Manager in Action

Oracle Privileged Account Manager in Action: Demo Overview
- How the OPAM lockbox is used by Oracle Cloud for Industry
- How OPAM Session Management and Auditing enhance the lockbox concept to provide additional compliance data
- How to extend OPAM operations to enable emergency access

How We Did It

Requesting Privileged Access
- Components: demo laptop, demo server, Oracle Identity Governance, Session Manager
- Request privileged access to the Avitek Retail host
- Approval workflow; approval via smartphone

Executing Commands
- Commands sent from the demo laptop are executed on the demo server
- Each command is recorded in the Session Log

Reviewing the Privileged Access
- Access the check-out history report
- Session logs / transcripts

Looking Forward: A Physical Security Demo
- Lockitron: Internet-connected lock; exposes REST interfaces; protected by an access token
- OPAM: protect the access token in a Lockbox; an OPAM plug-in unlocks/locks as part of check-out/check-in (using the access token)

Summary

OPAM Benefits
- Enforce internal security policies and eliminate potential security threats from privileged users
- Session Management and Auditing: user activities (who did what, when)
- Cost-effectively enforce and attest to regulatory requirements
- Reduce IT costs through efficient self-service and a common security infrastructure
- Extensible Java-based framework

Sessions not to miss
- CON8823 (Wednesday 09/25, 5:00PM, Moscone West, Room 2018): Access Management for the Internet of Things. Kanishk Mahajan, Oracle
- CON8826 (Thursday 09/26, 3:30PM, Moscone West, Room 2018): Zero Capital Investment by leveraging Identity Management as a Service. Mike Neuenschwander, Oracle
- CON8902 (Thursday 09/26, 2:00PM, Marriott Marquis, Golden Gate C3): Developing Secure Mobile Applications. Mark Wilcox, Oracle
- CON8836 (Thursday 09/26, 11:00AM, Moscone West, Room 2018): Leveraging the Cloud to simplify your Identity Management implementation. Guru Shashikumar, Oracle
- CON4342 (Thursday 09/26, 12:30PM, Moscone West, Room 2018): Identity Services in the New GMIT. GM
- CON9024 (Thursday 09/26, 2:00PM, Moscone West, Room 2018): Next Generation Optimized Directory - Oracle Unified Directory. Etienne Remillon, Oracle

Join the Oracle Community
- Twitter: twitter.com/oracleidm
- Facebook: facebook.com/oracleidm
- Oracle Blogs: Blogs.oracle.com/OracleIDM
- Oracle.com/Identity

Further Information
- Oracle Privileged Account Manager: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/opamhomepage-1697430.html
- Documentation: Oracle Fusion Middleware 11gR2 Release (11.1.2.1.0)
- Software: http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/index.html