Centralized Database User Management Using Active Directory (CON6574)
Alan Williams, Product Management, Oracle Database Security
October 2017
Presented with Epsilon
Copyright 2017, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Centrally Managed Users: Agenda
1. Customer Requirements by Epsilon
2. Oracle Database Authentication and Authorization
3. Enterprise User Security (EUS) and Directory Services
4. New Centrally Managed Users (CMU)
5. Comparison Between EUS and CMU
Oracle Database Integration with Active Directory: Requirements
Keith Wilcox, Vice President Database Administration, Epsilon

We are marketing pioneers helping our clients grow.
Copyright 2017 Epsilon Data Management, LLC. All rights reserved.

We fuse data, technology, creative and media to connect with your customers in the moments that matter and get the results our clients need.

We deliver personalized connections, build loyalty and drive business for brands around the world.
- Data: Know each of your customers on a meaningful level with Agility Audience, our premier solution offering unrivaled customer information, data resources and tools.
- Loyalty: Create a one-of-a-kind loyalty program and grow long-lasting customer relationships with Agility Loyalty and our full suite of loyalty capabilities and services.
- Digital Messaging: Orchestrate personalized conversations, taking your marketing where it needs to go with Agility Harmony, the first platform built to be omnichannel from the ground up.
- Media Reach: Optimize your media mix with the customer data, marketing technology and channels expertise that Epsilon and Conversant provide.
We deliver personalized content that gets results.

Delivering globally with a local focus
- 8,000 associates globally
- 70+ offices
- 4,000+ marketing databases managed
- 1.5B individual records
- 278M+ device IDs
- 53B+ email messages per year
- 50B+ bid requests per day
- 600M+ memberships managed
Password Authenticated Users
- Works well with few databases
- Starts getting more complicated as more databases are added
(Diagram: Client A Prod, Client A UAT, Client A Test, Client A Dev databases)

Password Authenticated Users
When multiple clients are added, password management can really become burdensome ("Hmm, password for Client B UAT?").
(Diagram: Client A Prod/UAT/Test/Dev and Client B Prod/UAT/Test/Dev databases)

Password Authenticated Users: some challenges with password authentication
- Passwords potentially different across databases: user confusion, requests to the DBA/Security team for password resets
- Need to have a process for terminated users (terminated users could potentially still log in to the database notwithstanding other network measures)
- Effort of changing passwords (200 users * 2000 databases * 4x yearly = 1.6 million potential password change events yearly)
- Audit challenges: ensure the password validation function is in place across all databases; profile settings consistent and enforced on all databases

Conclusion
We need centralized password management included as part of the database, and Active Directory is the corporate standard!!!
Need for Active Directory Integration (diagram)
Microsoft Active Directory users (Corp/kwilcox, Corp/bsa1) and AD groups (DBAGroup, ClientA_DBA, ClientB_DBA, ClientA_BSA, ClientB_BSA, ClientC_BSA) on one side; the Oracle database "Client A" with database roles DBA_Role and BSA_Role on the other. Goal: centralized authentication and centralized authorization.

Observation
Once you connect to Active Directory, why not take advantage of additional information (groups) and map those to roles in the database to provide centralized management of roles?
Centrally Managed Users
Alan Williams, Oracle Database Security Product Management

Centrally Managed Users (diagram)
Today, EUS connects the Oracle Database to Active Directory through Oracle Directory Services (password / Kerberos / PKI). Future: CMU connects the Oracle Database directly to Active Directory.
Oracle Database Authentication and Authorization

Method | Authentication | Authorization
Password | Password verifier | Database Built-In (privileges and roles)
Kerberos | Kerberos ticket | Database Built-In
PKI certificate | PKI certificate | Database Built-In
Operating system | Operating system | OS groups, Database Built-In
RADIUS | RADIUS | RADIUS, Database Built-In
Enterprise User Security (directory services) | Password, Kerberos, certificate | Directory sub-tree, enterprise roles, Database Built-In
Current Active Directory Services Integration Using EUS (diagram)
Oracle Database -> EUS -> Oracle Directory Services -> Microsoft Active Directory

Enterprise User Security (EUS)
- Authentication: password, Kerberos, PKI certificates; enforce centralized directory account policies
- Authorization: map DB user to directory user; map shared DB schema to directory sub-tree; support administrative users; Enterprise Domains; Enterprise Roles
- Current User trusted DB link
- Integrated with Oracle Label Security and XDB
- Consolidated reporting and management of data access

Current Integration Challenges with Active Directory
- Extra architecture elements to design and implement
- Multiple components to configure and maintain
- Complexity and cost deter customers from integrating with AD
Future: Centrally Managed Users Concept
Oracle Database Release 18c Enterprise Edition. Diagram: Oracle Database connects directly to Microsoft Active Directory.

Future: Centrally Managed Users Authentication
Password, Kerberos, PKI certificate (Oracle Database <-> Microsoft Active Directory)

Centrally Managed Users Authentication (Future)
- Kerberos: Active Directory includes the Kerberos Key Distribution Center (KDC)
- PKI certificates: AD verifies the client DN and may act as the Certificate Authority (CA)
- Password: AD stores the users' database password verifiers

Centrally Managed Users: Oracle Password Filter (Future)
- An Oracle tool installs the Oracle database password filter in Microsoft Active Directory and extends the AD schema
- The Oracle database password filter generates database user verifiers when a user changes their AD password
- AD groups dictate which type of database user verifiers are generated

Future: Supports Active Directory Account Policies
Password policy, Kerberos policy, lockout policy (Oracle Database <-> Microsoft Active Directory)
Future: Centrally Managed Users - Authorization
Oracle Database users and groups mapped to Active Directory users and groups:
- Exclusive User Mapping
- Shared Schema Mapping
- Role Mapping
- Administrative Users

Exclusive User Mapping: 1:1 exclusive mapping of a database user to an Active Directory user.

Shared Schema Mapping: a shared schema mapped to an Active Directory group (shared schema:group).

Role Mapping: a global role mapped to an Active Directory group (role:group mapping).

Administrative Users: an exclusive global user mapped to an Active Directory user, or a shared schema mapped to an Active Directory group, with the database administrator privilege granted (e.g. SYSOPER).
Authorization using Active Directory Groups and DB Roles (Future)
Database: global user HR_RUNTIME, global role HR_MGR.
Map: global user HR_RUNTIME to AD group hr-rep; global role HR_MGR to AD group hr-mgr.
Directory domain (dc=examplecorp,dc=com), cn=Users:
- Users: Susan, Diana, Jennifer
- Groups: hr-rep {Susan, Diana, Jennifer}; hr-mgr {Susan}

CREATE USER HR_RUNTIME IDENTIFIED GLOBALLY AS 'cn=hr-rep,ou=hr,dc=examplecorp,dc=com';
CREATE ROLE HR_MGR IDENTIFIED GLOBALLY AS 'cn=hr-mgr,ou=hr,dc=examplecorp,dc=com';
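The following added example (not from the deck or from Oracle's implementation) models how the three mappings above resolve an Active Directory login into a database identity and its global roles, using the slide's hr-rep / hr-mgr directory contents. The precedence of exclusive over shared-schema mapping, the rejection of a user whose groups map to two shared schemas, and the constructed user Alan are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class CmuMapping:
    """The three CMU mapping types described on the slides."""
    exclusive: dict = field(default_factory=dict)  # AD user DN  -> exclusive DB global user
    shared: dict = field(default_factory=dict)     # AD group DN -> shared DB schema
    roles: dict = field(default_factory=dict)      # AD group DN -> DB global role


def resolve_login(mapping, user_dn, member_of):
    """Return (database user, set of granted global roles) for an authenticated AD user.

    Assumption (not stated on the slides): an exclusive 1:1 mapping takes precedence
    over a shared-schema group mapping, and membership in groups that map to two
    different shared schemas is ambiguous and refused.
    """
    granted = {role for grp, role in mapping.roles.items() if grp in member_of}
    if user_dn in mapping.exclusive:
        return mapping.exclusive[user_dn], granted
    schemas = {schema for grp, schema in mapping.shared.items() if grp in member_of}
    if len(schemas) > 1:
        raise ValueError(f"ambiguous shared schema mapping for {user_dn}: {sorted(schemas)}")
    if not schemas:
        raise PermissionError(f"no database mapping for {user_dn}")
    return schemas.pop(), granted


# Constructed directory content mirroring the slide's example (dc=examplecorp,dc=com).
USERS_BASE = "cn=Users,dc=examplecorp,dc=com"
HR_REP = "cn=hr-rep,ou=hr,dc=examplecorp,dc=com"
HR_MGR = "cn=hr-mgr,ou=hr,dc=examplecorp,dc=com"
GROUPS = {HR_REP: {"Susan", "Diana", "Jennifer"}, HR_MGR: {"Susan"}}

MAPPING = CmuMapping(
    exclusive={f"cn=Alan,{USERS_BASE}": "ALAN"},  # constructed exclusively mapped admin user
    shared={HR_REP: "HR_RUNTIME"},                # CREATE USER HR_RUNTIME IDENTIFIED GLOBALLY AS ...
    roles={HR_MGR: "HR_MGR"},                     # CREATE ROLE HR_MGR IDENTIFIED GLOBALLY AS ...
)


def groups_of(name):
    """Groups an AD user belongs to (constructed stand-in for an AD group lookup)."""
    return {grp for grp, members in GROUPS.items() if name in members}


def resolve_name(name):
    return resolve_login(MAPPING, f"cn={name},{USERS_BASE}", groups_of(name))


def login_allowed(name):
    try:
        resolve_name(name)
        return True
    except (PermissionError, ValueError):
        return False
```

Susan resolves to the shared schema HR_RUNTIME with the HR_MGR role, Diana to HR_RUNTIME with no roles, and an AD user in neither a mapped group nor an exclusive mapping is refused.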
Screenshot: DB Authentication and Authorization using AD (Future)
Example of Susan's login: log in as Susan with password.
Future: Connecting Oracle Database to Active Directory (diagram)
Net Naming Services and Centrally Managed Users both connect the Oracle Database to the Active Directory forest; the second build of the slide adds Oracle Directory Services alongside them.
Future: Choosing between EUS and CMU
Features compared for EUS versus CMU:
- Simplified implementation
- Authentication: password, Kerberos, PKI certificates
- Enforce directory account policies
- Authorization: role authorization; administrative users; shared DB schema mapping; exclusive user mapping
- Enterprise Domains
- Current User trusted DB link
- Integrated with Oracle Label Security, XDB
- Consolidated reporting and management of data access

Future: Centrally Managed Users - Summary
- Simplified centralized directory services integration with less cost and complexity
- Authentication in Active Directory for password, Kerberos and PKI
- Map Active Directory groups to shared database accounts and roles
- Map a database user to an exclusive Active Directory user
- Support Active Directory account policies
- No client update required: supports all Oracle Database clients 10g and onwards
- EUS and Oracle Directory Services authentication and authorization work as before
Database Security at Oracle Open World 2017

Session | Title | Speaker | Location | Date & Time
CON6571 | Cybersecurity and Compliance in 2017: Database Security Is Business-Critical | Vipin Samar, SVP, Oracle | Moscone West - Room 3011 | Mon., 1:15-2:00 PM
CON6574 | NEW FEATURE! Centralized Database User Management Using Active Directory | Alan Williams, Oracle; Keith Wilcox, Epsilon | Moscone West - Room 3011 | Mon., 3:15-4:00 PM
CON6575 | NEW! Database Security Assessment Tool Discovers Top Security Risks | Pedro Lopes, Oracle | Moscone West - Room 3011 | Mon., 5:45-6:30 PM
CON6573 | Data Management and Security in the GDPR Era | Russ Lowenthal, Oracle; Franck Hourdin, Oracle; Mike Turner, Capgemini | Moscone West - Room 3011 | Tues., 3:45-4:30 PM
CON6580 | Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault | Saikat Saha, Oracle; Hamid Habet, Allianz | Moscone West - Room 3011 | Tues., 4:45-5:30 PM
CON6576 | Accelerate Your Compliance Program with Oracle Audit Vault and Database Firewall | Ram Subramanian, Symantec; Rohit Muttepawar, Symantec; George Csaba, Oracle | Moscone West - Room 3011 | Tues., 5:45-6:30 PM
CON6572 | Inside the Head of a Database Hacker | Mark Fallon, Oracle | Moscone West - Room 3014 | Wed., 11:00-11:45 AM
CON6618 | Sneak Preview: Oracle Data Security Cloud Service | Vikram Pesati, Oracle; Michael Mesaros, Oracle | Moscone West - Room 3011 | Wed., 2:00-2:45 PM
Visit Us in the Oracle Database Security Demo Grounds

Demo Booth Title | Featured Solutions
Authentication & Authorization | Centrally Managed Users, Database Vault, Real Application Security, Label Security
Encryption & Key Management | Transparent Data Encryption, Key Vault, Data Redaction
Auditing and Activity Monitoring | Database Auditing, Audit Vault and Database Firewall, Data Security Cloud Service - Auditing
Database Security for Application Developers | Database Security Assessment Tool, Data Masking and Subsetting, Data Discovery and Data Security Cloud Service - Masking
Connect With Us
- /OracleDatabase, /OracleSecurity
- blogs.oracle.com/SecurityInsideOut
- Oracle Database Insider
- /Oracle Database Security, /Oracle Cloud
- http://oracle.com/database/security
- http://oracle.com/technetwork/database/security