Copyright 2013, Oracle and/or its affiliates. All rights reserved.


Securing Privileged Accounts with an Integrated IDM Solution
Olaf.Stullich@oracle.com, Product Manager, Oracle
Mike Laramie, Oracle Cloud for Industry Architecture Team
Buddhika Kottahachchi, OPAM Architect

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Program Agenda
- Introduction
- What is Oracle Privileged Account Manager?
- OPAM integration with Oracle Identity Governance and Database Security
- Use case: Oracle Cloud for Industry and OPAM
- Demo

Introduction

What do these two have in common?
- Privileged account access
- Excessive access privileges
- Difficult to monitor shared accounts across multiple administrators

IDM: Overcome Threats and Regulations to Unlock Opportunities
- Threats: increased online threat; costly insider fraud
- Compliance: tougher regulations; greater focus on risk; stronger governance
- Opportunities: social media; cloud computing; mobile access
Figures cited from the 2011 Data Breach Investigations Report: 76% of data stolen from servers; 86% of hacking involved stolen credentials; 48% caused by insiders; 17% involved privilege misuse

Managing Privileged Access Is Not Well Defined
- SCALE: manual solutions don't scale (like managing privileged access via spreadsheets)
- RISK: using default system passwords is prone to risk
- COST: deploying point solutions can increase integration costs

Two Big Management Problems
- Identifying privileged accounts
- Tracking privileged accounts

The Right Approach Is Self-Reinforcing
A self-reinforcing cycle: Access Request, Auto-Provisioning, Reporting & Certification, Remediation
Visibility across complete user access is key

Privileged Account Management: A Platform Approach
- Shared connectors
- Centralized policies
- Workflow integration
- Common reporting
Outcome: reduce risk, improve compliance

What Is Oracle Privileged Account Manager?

Oracle Fusion Middleware: Business Innovation Platform for the Enterprise and Cloud
- Layers: Web, Social, Mobile; User Engagement; Business Process Management; Service Integration; Content Management; Identity Management; Business Intelligence; Data Integration; Development Tools; Cloud Application Foundation; Enterprise Management
- Complete and integrated; best-in-class; open standards; on-premise and cloud
- Foundation for Oracle Fusion Applications and Oracle Cloud

Identity Management: Securing the Social Enterprise
Simplified Identity Governance
- Access request portal with catalog and shopping-cart UI
- In-product, durable customization of UIs, forms and workflows
- Privileged Account Management leveraging identity connectors, workflows and audit
Complete Access Management
- Integrated SSO, federation, API management, token management, granular authorization
- Mobile application security with SSO, device fingerprinting and step-up authentication
- Social identity log-in from popular social media sites
- REST, OAuth, XACML
Directories that Scale
- OUD optimized on T4 hardware, delivering a 3x performance gain and 15% of the set-up time

Privileged Account Manager: Definition of Terms
- Privileged Account: a human-accessible account with elevated permissions (root for UNIX/Linux, SYS for a database)
- Service Account: most customers use the term "service account" when they mean a privileged account; some use it when they mean an application account. OPAM uses "service account" in the connector configuration.
- End User: an administrator who accesses OPAM to check out an account
- Administrator: the OPAM server administrator (distinct from an administrator who accesses OPAM to check out an account, who is an End User in OPAM terms)
- Application Accounts: accounts used by applications (and stored in them) to access, e.g., a database
- Target: a system on which OPAM manages account access

Privileged Account Manager: Overview of Product Capabilities
- Secure password vault to centrally manage passwords for privileged accounts; OPAM uses an Oracle DB EE instance with TDE to encrypt passwords
- Session management and auditing: session control without revealing a privileged account password; session history and searchable session recording
- Extensible, Java-based framework for customized solutions
- Audit reporting: customizable audit reports through BI Publisher; real-time status via the OPAM dashboard (charts, tables, etc.)

Privileged Account Manager: Overview of Product Capabilities (continued)
- Integrated with the Identity Governance Platform: shared connectors and workflow integration with OIM; centralized policy management via OIM and OIA
- Using out-of-the-box connectors, OPAM targets can be configured for databases, operating systems, LDAP directories and Oracle FMW applications
- Policy-based access to privileged accounts via grants: grants control if and when a given administrator has access to a privileged account; grants are represented as OPAM Usage Policies and are typically assigned through LDAP group membership in the identity store
- Flexible password policies that mirror corporate password standards

Supported Clients / Targets
- Generic UNIX systems
- Generic database servers
- Generic LDAP directories
Examples shown: UNIX, MS SQL Server, Sybase 15

Typical OPAM Use-Case
Actors: Database and Unix Admin (Joe), Oracle Privileged Account Manager, LDAP Server, HR Application Database, Unix Server
1. Joe requests the SYSTEM password for the HR Application Database
2. OPAM verifies against the LDAP Server that the OPAM user Joe is in the HR DBA role
3. OPAM returns the SYSTEM password; Joe logs in as SYSTEM and adds a table to the DB
4. The system runs out of space, so Joe requests the root password for the Unix Server
5. OPAM returns the root password; Joe logs in as root and adds disk space
6. Joe checks in both passwords
7. OPAM sets the SYSTEM password for the HR App Database based on the password policy for the HR App Database, and sets the root password for the Unix Server based on the password policy for the Unix Server

OPAM Integration with Oracle Identity Governance and Database Security

OPAM and OIM: A Complete Governance Platform
Request for privileged account access
- Leverage OIM policy/role-based provisioning
- A system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access
- Workflow and approval are followed as defined

OPAM and OIM: A Complete Governance Platform
Request for privileged account access
- OIM publishes privileged account entitlements in the request catalog
- An admin user uses access request self-service: searches the catalog, picks the privileged accounts he needs and submits them for approval
- The request kicks off workflow and approval as defined
- The user is provisioned with group membership after approval
- The user can then access OPAM for privileged password check-out and check-in

OPAM and OIM: A Complete Governance Platform
Risk-based certification
- Through the existing OIM-OPAM integration, privileged access information is made available for certification
- Risk can be calculated based on privilege status and other data such as provisioning method
- If an access violation is found, it can be revoked through OIM closed-loop remediation

OPAM and Database Security
- Enterprise User Security allows non-privileged users to use their enterprise LDAP/AD password to connect to the database
- Database Vault provides stronger separation of duties for databases
- OPAM manages DB passwords for privileged users, including SYS, SYSTEM and application accounts
A complete database security solution from Oracle

Database User Management: Complete Solution
Service description / supported by:
- Use existing enterprise LDAP passwords for end-user passwords: EUS
- Map database roles to enterprise roles: EUS
- Manage SYS/SYSTEM passwords: OPAM
- Manage application passwords: OPAM
- Manage non-Oracle database passwords: OPAM

Database Vault Integration: Complete Solution
Service description / supported by:
- Privileged user access control to limit access to application data: DB Vault
- Multi-factor authorization to enforce enterprise security policies: DB Vault
- Secure application consolidation: DB Vault
- Manage DB Vault privileged account passwords such as user_manager and sec_admin: OPAM
- Manage SYS/SYSTEM and other DB privileged account passwords: OPAM

Use Case: Oracle Cloud for Industry and OPAM

Oracle Cloud for Industry: Overview
What is OCI? An internal provider of cloud-based IaaS and PaaS services available to Oracle Global Business Units (GBUs) for the packaging of Oracle Industry Solutions to end customers, e.g. Financial Services, Healthcare, Retail (http://www.oracle.com/us/industries/index.html)

Oracle Cloud for Industry: Operational Roles
Different operational roles require different levels of access: server admins, network admins, DB admins. Some groups may require access to multiple resources.

Oracle Cloud for Industry: Problems
- Disparate privileged account practices between multiple operational roles (password vault utilities, spreadsheets)
- Minimal auditing/reporting on privileged account usage
- Difficulty of access: which vault is that stored in?
- Additional requirements driven by regulatory compliance (PCI, HIPAA/HITECH)

Oracle Cloud for Industry: Solution
Implement a password solution that is:
- Easy to use
- Able to support privileged accounts from multiple teams with differing requirements
- Reliable
- Secure
- Auditable
- Meeting or exceeding regulatory compliance
Solution: OPAM

Oracle Cloud for Industry: OCI & OPAM
How did OPAM help?
- Role-based access to privileged accounts: LDAP group membership determines which privileged accounts users can access
- Convenient, accessible BUI
- Automated reporting of privileged account access and usage
- Centralized, secure repository
- Automated password management: unique passwords for each system

Oracle Cloud for Industry: OCI Use Cases
- Unix targets: guest VM/hypervisor privileged accounts
- Database targets: SYS/SYSTEM/application accounts
- LDAP targets: service accounts
- Lockbox targets: storage appliances, application passwords, network devices

Oracle Cloud for Industry: PCI & OPAM
How did OPAM help with PCI compliance? It addressed these PCI DSS 2.0 requirements:
- 2.1: always change vendor-supplied passwords before installing a system
- 8.5.8: do not use group, shared, or generic accounts and passwords
- 8.5.9: change user passwords at least every 90 days

Oracle Cloud for Industry: OPAM Flexibility
- Customized scripts for password-aging reporting, required for 8.5.9: wrote a custom script to retrieve data from OPAM and email admins as necessary; RFE submitted to include the functionality in a future release's BUI
- Daily reports of check-in/check-out activity: currently done through BI Publisher and emailed to the security team nightly; on-demand reporting will be in a future release
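The check-out / check-in flow of the "Typical OPAM Use-Case" slide and the password-aging report the OCI team wrote for requirement 8.5.9, as an added illustration that is not OPAM's or Oracle's code: an in-memory vault in which a grant is an LDAP group, check-out is refused (and logged) without membership, check-in rotates the password under the account's policy, every decision lands in an audit trail, and the aging report lists passwords older than the 90-day maximum. The target names, the "HR DBA" and "Unix Admin" groups, the users, the policy values and the dates are constructed for the example.

```python
"""Added example (not Oracle/OPAM code): an in-memory model of the check-out /
check-in flow and of a password-aging report for the 90-day rule. Targets, groups
("HR DBA", "Unix Admin"), users (joe, ann), policy values and dates are constructed."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class PasswordPolicy:
    length: int = 16
    max_age_days: int = 90  # PCI DSS 2.0 req. 8.5.9: change passwords at least every 90 days
    alphabet: str = string.ascii_letters + string.digits + "!#%*-_"


@dataclass
class Account:
    target: str
    name: str
    policy: PasswordPolicy
    secret: str
    last_rotated: datetime
    checked_out_by: Optional[str] = None


def generate_password(policy: PasswordPolicy) -> str:
    # CSPRNG-backed, one unique value per target: no vendor defaults (PCI DSS 2.1)
    return "".join(secrets.choice(policy.alphabet) for _ in range(policy.length))


class Vault:
    """Stands in for the vault (a real one encrypts at rest; OPAM uses TDE)."""

    def __init__(self, now: datetime) -> None:
        self.now = now       # injectable clock, so ages in the example are deterministic
        self.accounts = {}   # (target, account name) -> Account
        self.grants = {}     # (target, account name) -> LDAP group allowed to check it out
        self.groups = {}     # user -> set of LDAP groups (stands in for the identity store)
        self.audit = []      # who did what, when, with which outcome

    def add_account(self, target, name, policy, group):
        key = (target, name)
        self.accounts[key] = Account(target, name, policy, generate_password(policy), self.now)
        self.grants[key] = group

    def _log(self, user, action, key, outcome):
        self.audit.append({"time": self.now.isoformat(), "user": user, "action": action,
                           "target": key[0], "account": key[1], "outcome": outcome})

    def checkout(self, user, target, name):
        """Reveal the password only if the user's group membership satisfies the grant."""
        key = (target, name)
        acct, required = self.accounts[key], self.grants[key]
        if required not in self.groups.get(user, set()):
            self._log(user, "checkout", key, f"denied: not in {required}")
            raise PermissionError(f"{user} is not in group {required!r}")
        if acct.checked_out_by not in (None, user):
            self._log(user, "checkout", key, f"denied: held by {acct.checked_out_by}")
            raise PermissionError(f"{name}@{target} is held by {acct.checked_out_by}")
        acct.checked_out_by = user
        self._log(user, "checkout", key, "granted")
        return acct.secret

    def checkin(self, user, target, name):
        """Return the account and rotate its password, so the revealed value stops working."""
        key = (target, name)
        acct = self.accounts[key]
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {name}@{target}")
        acct.secret = generate_password(acct.policy)
        acct.last_rotated = self.now
        acct.checked_out_by = None
        self._log(user, "checkin", key, "password rotated")

    def aging_report(self):
        """(target, account, age in days) for every password older than its policy allows."""
        return [(a.target, a.name, (self.now - a.last_rotated).days)
                for a in self.accounts.values()
                if (self.now - a.last_rotated).days > a.policy.max_age_days]


def demo():
    vault = Vault(datetime(2013, 9, 1, tzinfo=timezone.utc))
    vault.groups["joe"] = {"HR DBA", "Unix Admin"}  # Joe, the DB and Unix admin from the slide
    vault.groups["ann"] = {"Network Admin"}
    vault.add_account("hr-app-db", "SYSTEM", PasswordPolicy(), "HR DBA")
    vault.add_account("unix-server", "root", PasswordPolicy(), "Unix Admin")
    denied = False
    try:
        vault.checkout("ann", "hr-app-db", "SYSTEM")  # no grant: refused and logged
    except PermissionError:
        denied = True
    before = vault.accounts[("hr-app-db", "SYSTEM")].secret
    vault.checkout("joe", "hr-app-db", "SYSTEM")
    vault.now += timedelta(days=30)
    vault.checkin("joe", "hr-app-db", "SYSTEM")  # rotation happens at check-in
    after = vault.accounts[("hr-app-db", "SYSTEM")].secret
    vault.now += timedelta(days=61)  # root is now 91 days old, SYSTEM only 61
    return {"denied": denied, "rotated": before != after, "stale": vault.aging_report(),
            "audit_outcomes": [e["outcome"] for e in vault.audit]}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real vault: rotation is tied to check-in rather than to a calendar, so a revealed password has the shortest possible life, and the audit entry is written on denial as well as on success, which is what makes the check-in/check-out report useful for the 8.5.8 shared-account review.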

Case Study Overview
Solution:
- Securely stores local privileged account information in a central location
- Access to accounts is limited by LDAP group membership (RBAC)
- Reportable audit trail on account usage

Oracle Privileged Account Manager in Action

Oracle Privileged Account Manager in Action: Demo Overview
- How the OPAM lockbox is used by Oracle Cloud for Industry
- How OPAM session management and auditing enhance the lockbox concept to provide additional compliance data
- How to extend OPAM operations to enable emergency access

How We Did It

Requesting Privileged Access
- From the demo laptop, request privileged access to the Avitek Retail host through Oracle Identity Governance
- The approval workflow runs; approval is given via smartphone
- Access to the demo server is brokered by the Session Manager

Executing Commands
- Commands are sent from the demo laptop through the Session Manager and executed on the demo server
- Each command is recorded in the session log in Oracle Identity Governance

Reviewing the Privileged Access
- From the demo laptop, access the checkout history report in Oracle Identity Governance
- Review the session logs/transcripts captured by the Session Manager

Looking Forward: A Physical Security Demo
- Lockitron: an Internet-connected lock that exposes REST interfaces protected by an access token
- OPAM: protect the access token in a lockbox
- OPAM plug-in: unlock/lock as part of check-out/check-in (using the access token)

Summary

OPAM Benefits
- Enforce internal security policies and eliminate potential security threats from privileged users
- Session management and auditing of user activities (who did what, when)
- Cost-effectively enforce and attest to regulatory requirements
- Reduce IT costs through efficient self-service and common security infrastructure
- Extensible Java-based framework

Sessions Not to Miss
- CON8823, Wednesday 09/25, 5:00PM, Moscone West, Room 2018: Access Management for the Internet of Things (Kanishk Mahajan, Oracle)
- CON8826, Thursday 09/26, 3:30PM, Moscone West, Room 2018: Zero Capital Investment by Leveraging Identity Management as a Service (Mike Neuenschwander, Oracle)
- CON8902, Thursday 09/26, 2:00PM, Marriott Marquis, Golden Gate C3: Developing Secure Mobile Applications (Mark Wilcox, Oracle)
- CON8836, Thursday 09/26, 11:00AM, Moscone West, Room 2018: Leveraging the Cloud to Simplify Your Identity Management Implementation (Guru Shashikumar, Oracle)
- CON4342, Thursday 09/26, 12:30PM, Moscone West, Room 2018: Identity Services in the New GMIT (GM)
- CON9024, Thursday 09/26, 2:00PM, Moscone West, Room 2018: Next Generation Optimized Directory - Oracle Unified Directory (Etienne Remillon, Oracle)

Join the Oracle Community
- Twitter: twitter.com/oracleidm
- Facebook: facebook.com/oracleidm
- Oracle Blogs: Blogs.oracle.com/OracleIDM
- Oracle.com/Identity

Further Information
- Oracle Privileged Account Manager: http://www.oracle.com/technetwork/middleware/id-mgmt/overview/opamhomepage-1697430.html
- Documentation: Oracle Fusion Middleware 11gR2 Release (11.1.2.1.0)
- Software: http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/index.html
