CON8813: Securing Privileged Accounts with an Integrated IDM Solution
Olaf Stullich & Mike Laramie's OOW2013 presentation
  • This is our Safe Harbor statement…Please take a moment to review it…
  • With Great Power Comes Great Risk. Organizations are trying to drive greater productivity out of administrators; in optimal cases today an organization can reach a ratio of 1K to 2K users per administrator, and increasing that ratio is important. Most organizations have hundreds of service accounts that execute software on servers and web servers. If hijacked, these accounts are a key entry point for fraud. Excessive access is also the number one attack vector at the database level (March 28, 2012, http://educationinfree.wordpress.com/2012/03/28/top-10-database-attacks/). These accounts are shared across multiple administrators, and it becomes difficult to monitor who is doing what. Analogous to this is the privilege elevation problem: someone uses a privileged account to elevate the privileges of another account, then logs in to the other account and performs malicious activity. That is very difficult to track.
  • In most cases the exploits we are seeing exploit identity and access weaknesses. When hackers break in they go after password weaknesses and orphaned and dormant accounts, they use means like phishing, and they use accounts that have excessive access in the organization. Most of the data stolen comes from servers, not from lost laptops or stolen phones, so this is something well within our control. 17% are simply misuse of privileges (good people gone bad). 86% of hacking involves lost or stolen credentials, so instituting good behavior on password reset and access review can reduce that number. 48% are caused by insiders. What's more important is that the hackers are going after our applications and our data: they want to perform transactions that are impactful or financially beneficial (give yourself a raise, trade beyond the controls of the organization), and they are going after customer information and financial information. It is really all about access. Despite all the money we have spent on firewalls and network security we have left the applications vulnerable, and we can get better results for our spending if we refocus. Forrester Insights 2011 noted that companies have spent an inordinate amount of time on perimeter security and have left the applications and data vulnerable; hence the 48% caused by insiders is not being addressed adequately. Takeaway: it's about your applications and data, and it's about access, both internal and external. The Oracle focus is that if we focus on controls that impact the 48% and focus on the data and apps, we can reduce approximately 48% of the problem. Apps and data are our strength: we have one of the strongest identity management platforms and we have been securing data for a very long time.
  • Today managing privileged access is not well defined. Organizations have a difficult time managing privileged access because the people who hold these accounts are the people we rely on to keep the business safe. Organizations take a few approaches: ignore the issue; have help desks handle administrative requests; deploy point solutions for specific systems. Largely the problem is ignored, and administrative and service accounts are a huge vulnerability. The help desk approach hampers productivity: administrators have to wait to get access, and removing the excess access afterwards is a pain to do. The impact is reduced productivity and an approach that does not scale beyond a department level, because each request is manual and takes a long time to complete. There is no visibility across all privileged access, no way to monitor and report on access, and no way to centralize policy control across departments or multiple systems.
  • Two Big Management Problems. Managing privileged accounts presents two big problems which point solutions don't address well. 1. Identifying the accounts: they are not just root and sysadmin accounts; they include any account where privileges are elevated, including service accounts and accounts from apps to databases to operating systems to firewalls. 2. Tracking privileged accounts: we have to have the notion of identity, because these accounts are not tied to one person. They can be tied to multiple people, and that creates the risk.
  • The Right Approach is Self-Reinforcing. By combining the ability to control accounts on multiple platforms with workflow automation that can span systems, we get a self-reinforcing and intelligent approach to privileged account management; we call this a platform approach. We can tie multiple identities to a privileged account. We can automate the remediation and removal of excessive access. We can automate access requests for privileged accounts so there is no lost productivity waiting. We can track when privileges are increased, because the platform approach includes the ability to automate provisioning and change control. We get consolidated auditing, and we get visibility across the complete user access, which is key. We can serve multiple systems because the platform has a breadth of target system support.
  • Oracle provides a platform approach to privileged account management: connector reuse (build on your existing deployment and reduce overall TCO), centralized policy control, and interoperability with the other components, including OIM and OIA. What we are providing here is a password checkout system for shared OS, application and database accounts. Today these accounts are the most impactful, and because they are shared they increase the risk of fraud. With Privileged Account Manager we can lease an account to a user for a period of time and remove the access when the time period has expired. It takes a platform approach, leveraging the connectors, workflows, certification and closed-loop remediation of OIA and OIM. It provides emergency access and removes that access within a given timeframe. With service accounts we can control the time of day the account is used, etc.
  • With Fusion Middleware, you can extend and maximize your existing technology investment with the same technologies used in Fusion Applications, including embedded analytics and social collaboration, and mobile and cloud computing. Oracle’s complete SOA platform lets your IT organization rapidly design, assemble, deploy, and manage adaptable business applications and—with Oracle’s business process management tools—even bring the task of modeling business processes directly to the business analysts. Oracle Business Intelligence foundation brings together all your enterprise data sources in a single, easy-to-use solution, delivering consistent insights whether it’s through ad hoc queries and analysis, interactive dashboards, scorecards, OLAP, or reporting. And, your existing enterprise applications can leverage the rich social networking capabilities and content sharing that users have come to expect in consumer software. Oracle Fusion Middleware is based on 100 percent open standards, so you aren’t locked into one deployment model when your business requirements change.
  • We’ll spend just a few minutes reviewing some common terms relevant to OPAM.A privileged account is….A service account is…really a privileged account, sometimes referred.From an OPAM perspective…An end user is…An administrator is…And finally…Application Accounts are…
  • The next four slides provide a high-level introduction to OPAM. OPAM provides a password vault capability for privileged, service and application accounts. OPAM integrates with DB Security in that it leverages Oracle DB EE as its password vault and uses the Transparent Data Encryption (TDE) capability of Advanced Security Option (ASO) to encrypt passwords in the Oracle DB (securing data at rest). To support customer requirements, OPAM allows declaring a privileged account as exclusive or shared. When the account is "shared", multiple administrators can check out the account credentials at the same time, e.g. if multiple administrators need to apply patches or run backup jobs; the drawback is that it is difficult to know who was using the privileged account when reviewing audit logs. When an account is "exclusive" (not shared), only one user can check out the password at any point in time; this provides clarity into who did what with a privileged account by matching the check-out/check-in activity against the native system audit logs. With the next upcoming patchset (11g R2 PS2) we'll address some of these potential limitations.
  • In addition to storing the privileged account passwords, OPAM provides controls for managing user access to these passwords. Password access is available via a "grant": it controls which privileged accounts any given person can access via OPAM, and it optionally controls when and how a privileged account is accessed by this person. Grants are managed within OPAM as Usage Policies. Grants can be directly assigned or indirectly assigned via LDAP group membership. It is a recommended best practice to avoid dual paths from a user to a privileged account, since this can lead to non-deterministic behavior. Indirect grants via group membership provide a familiar and scalable role-based access control model for OPAM. The other type of policy within OPAM is the Password Policy, which determines the composition of the managed password. Only one Password Policy is defined for any given privileged account, but a Password Policy can be used by multiple accounts. The Password Policy must be at least as strong as the one on the native system (database, directory, operating system). Multiple password policies can be created to mimic corporate policies; at this time OPAM cannot simply import existing corporate policies, an OPAM administrator has to create them. The OPAM policies and configuration also determine when a privileged account password is changed: on check-out, on check-in, or both. Each check-out of a shared account receives the same password; once the last outstanding check-out of that shared account is checked in, the password is reset.
  • OPAM supports a wide range of account types, including: Generic UNIX (any UNIX/Linux server with SSH); Generic Database (Oracle 9-11, Any); Generic LDAP (any LDAP).
  • Here is an example of how OPAM is interoperable with OIM: request access, de-provision access. Connector reuse means that OPAM can use all existing OIM integrations. It works with the OIM request catalog for easy searching and self-service requests for passwords.
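The check-out model described in the notes above (grants by direct assignment or LDAP group membership, exclusive versus shared accounts, the password reset when the last holder checks in, and matching check-out windows against native audit logs) and in the "Typical OPAM Use-Case" slide below, as an added example. This is a toy Python model written for this page, not OPAM's code or API; the users, groups, targets, account names and the simplified password policy are all constructed. It makes the attribution difference between exclusive and shared accounts visible, and flags the dual-path grants the notes recommend avoiding.

```python
"""Toy model of OPAM-style privileged-account check-out. Added example, not
Oracle code; users, groups, targets and account names are constructed."""
import secrets
import string
from dataclasses import dataclass, field


class VaultError(Exception):
    """Raised when a check-out or check-in is not permitted."""


@dataclass
class PasswordPolicy:
    """Composition rules for a managed password (simplified stand-in)."""
    min_length: int = 16
    min_classes: int = 3  # how many of upper/lower/digit/symbol must appear

    @staticmethod
    def classes(pw: str) -> int:
        return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                    any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])

    def generate(self) -> str:
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
        while True:  # rejection-sample until the composition rule is met
            pw = "".join(secrets.choice(alphabet) for _ in range(self.min_length))
            if self.classes(pw) >= self.min_classes:
                return pw

    def at_least_as_strong_as(self, native: "PasswordPolicy") -> bool:
        # A vault policy weaker than the target's native one would generate
        # rotated passwords the target rejects, so require it to be no weaker.
        return self.min_length >= native.min_length and self.min_classes >= native.min_classes


@dataclass
class Account:
    target: str
    name: str
    policy: PasswordPolicy
    shared: bool = False                             # exclusive unless declared shared
    direct_grants: set = field(default_factory=set)  # user ids granted directly
    group_grants: set = field(default_factory=set)   # LDAP group names granted
    password: str = ""
    holders: set = field(default_factory=set)        # users with an open check-out


class Vault:
    def __init__(self, ldap_groups: dict):
        self.ldap_groups = ldap_groups  # user -> set of LDAP groups (constructed directory)
        self.accounts, self.audit, self.seq = {}, [], 0  # audit rows: (seq, event, user, target, acct, path)

    def add_account(self, acct: Account) -> None:
        acct.password = acct.policy.generate()  # the vault owns the password from the start
        self.accounts[(acct.target, acct.name)] = acct

    def grant_paths(self, user: str, acct: Account) -> list:
        paths = ["direct"] if user in acct.direct_grants else []
        return paths + sorted(f"group:{g}" for g in acct.group_grants & self.ldap_groups.get(user, set()))

    def checkout(self, user: str, target: str, name: str) -> str:
        acct = self.accounts[(target, name)]
        paths = self.grant_paths(user, acct)
        if not paths:
            raise VaultError(f"{user} has no grant for {name}@{target}")
        if not acct.shared and acct.holders:
            raise VaultError(f"{name}@{target} is exclusive and already checked out")
        acct.holders.add(user)
        self.seq += 1
        self.audit.append((self.seq, "checkout", user, target, name, paths[0]))
        return acct.password

    def checkin(self, user: str, target: str, name: str) -> None:
        acct = self.accounts[(target, name)]
        if user not in acct.holders:
            raise VaultError(f"{user} does not hold {name}@{target}")
        acct.holders.discard(user)
        self.seq += 1
        self.audit.append((self.seq, "checkin", user, target, name, ""))
        if not acct.holders:  # a shared account rotates only after its last check-in
            acct.password = acct.policy.generate()

    def holders_at(self, target: str, name: str, seq: int) -> set:
        # Users holding the account at audit sequence `seq`: this is what lets an
        # entry in the target's native log be attributed to a person (one name if exclusive).
        held = set()
        for s, event, user, tgt, acc, _ in self.audit:
            if s <= seq and (tgt, acc) == (target, name):
                held.add(user) if event == "checkout" else held.discard(user)
        return held

    def dual_path_users(self) -> list:
        """(user, target, account) triples reachable by more than one grant path."""
        return [(u, t, n) for (t, n), a in self.accounts.items()
                for u in sorted(a.direct_grants | set(self.ldap_groups))
                if len(self.grant_paths(u, a)) > 1]


def build_demo_vault() -> Vault:
    """Constructed directory and targets mirroring the use-case slide (Joe in 'HR DBA')."""
    groups = {"joe": {"HR DBA", "Unix Admins"}, "ann": {"HR DBA"}, "bob": set()}
    vault = Vault(groups)
    policy = PasswordPolicy(16, 3)
    vault.add_account(Account("HR App Database", "SYSTEM", policy, group_grants={"HR DBA"}))
    vault.add_account(Account("Unix Server", "root", policy, direct_grants={"joe"}, group_grants={"Unix Admins"}))
    vault.add_account(Account("Backup Server", "backup", policy, shared=True, group_grants={"HR DBA"}))
    return vault
```

Running `build_demo_vault()` and walking Joe through a SYSTEM check-out shows the point of the exclusive setting: `holders_at` returns exactly one name for any sequence number inside his window, so a native database audit entry in that window maps to Joe; for the shared backup account both Joe and Ann are returned for the same window, which is the ambiguity the notes warn about. `dual_path_users()` reports Joe's root grant, which is reachable both directly and via the "Unix Admins" group.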

Con8813 securing privileged accounts with an integrated idm solution - final Presentation Transcript

  • 1. 1 Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
  • 2. Securing Privileged Accounts with an Integrated IDM Solution Olaf Stullich Product Manager, Oracle Mike Laramie Oracle Cloud for Industry Architecture Team
  • 3. Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  • 4. Program Agenda: Introduction; What is Oracle Privileged Account Manager?; OPAM Integration with Oracle Identity Governance and Database Security; Use Case: Oracle Cloud for Industry and OPAM; Demo
  • 5. Introduction
  • 6. What do these two have in common? • Privileged account access • Excessive access privileges • Difficult to monitor shared accounts across multiple administrators
  • 7. IDM – Overcome Threats and Regulations to Unlock Opportunities. Threats: Increased Online Threat; Costly Insider Fraud. Compliance: Tougher Regulations; Greater Focus on Risk; Stronger Governance. Opportunities: Social Media; Cloud Computing; Mobile Access. Figures from the 2011 Data Breach Investigations Report: 76% Data Stolen From Servers; 86% of Hacking Involves Stolen Credentials; 48% Caused by Insiders; 17% Involved Privilege Misuse.
  • 8. Managing Privilege Access Is Not Well Defined. SCALE: Manual solutions don't scale (like managing privileged access via spreadsheets). RISK: Using default system passwords is prone to risk. COST: Deploying point solutions can increase integration costs.
  • 9. Two Big Management Problems: Identifying Privileged Accounts; Tracking Privileged Accounts
  • 10. The Right Approach is Self-Reinforcing: Access Request, Auto-Provisioning, Reporting & Certification and Remediation form a self-reinforcing cycle. Visibility across complete user access is key.
  • 11. Privileged Account Management, A Platform Approach: Shared Connectors; Centralized Policies; Workflow Integration; Common Reporting. Reduce Risk; Improve Compliance.
  • 12. What is Oracle Privileged Account Manager
  • 13. Oracle Fusion Middleware: Business Innovation Platform for the Enterprise and Cloud. Complete and Integrated; Best-in-class; Open standards; On-premise and Cloud; Foundation for Oracle Fusion Applications and Oracle Cloud. Components: Web, Social, Mobile; User Engagement; Business Process Management; Content Management; Service Integration; Business Intelligence; Data Integration; Identity Management; Development Tools; Cloud Application Foundation; Enterprise Management.
  • 14. Identity Management: Securing the Social Enterprise. Simplified Identity Governance – Access Request Portal with Catalog and Shopping cart UI – In-product, durable customization of UIs, forms and workflows – Privileged Account Management: leverage identity connectors, workflows, audit. Complete Access Management – Integrated SSO, Federation, API Management, Token Management, Granular Authorization – Mobile application security with SSO, device fingerprinting and step-up authentication – Social identity log-in from popular social media sites – REST, OAuth, XACML. Directories that Scale – OUD optimized on T4 hardware delivering 3x performance gain and 15% of set-up time.
  • 15. Privileged Account Manager, Definition of Terms. Privileged Account – A "human" accessible account with elevated permissions (root for UNIX, Linux, or SYS for DB). Service Account – Some customers use the term "service accounts" when they refer to Application Accounts – Most customers use the term "service accounts" when they refer to Privileged Accounts – OPAM uses "service accounts" in the connector configuration. End User – An administrator who is accessing OPAM to check out an account. Administrator – The OPAM server Administrator – An Administrator who is accessing OPAM to check out an account. Application Accounts – Accounts that are used by applications (stored in applications) to access e.g. a database. Target – OPAM manages account access on "Targets".
  • 16. Privileged Account Manager, Overview of Product Capabilities. Secure password vault to centrally manage passwords for privileged accounts – OPAM uses an Oracle DB EE instance with a limited-use license for TDE to encrypt passwords. Session Management and Auditing – Session control without revealing a privileged account password – Session History and searchable Session Recording. Extensible Framework – Java based for customized solutions. Audit Reporting – Customizable audit reports through BI Publisher – Real-time status available via the OPAM dashboard (charts, tables, etc.).
  • 17. Privileged Account Manager, Overview of Product Capabilities. Integrated with Identity Governance Platform – Shared Connectors and Workflow integration with OIM – Centralized Policies Management via OIM and OIA. Using out-of-the-box connectors, OPAM Targets can be configured for – Databases, Operating Systems, LDAP Directories, and Oracle FMW applications. Policy-based access to privileged accounts via "grants" – Grants are represented as OPAM Usage Policies – Grants control if and when a given administrator has access to a privileged account – Grants are typically assigned through LDAP Group Membership in the identity store. Flexible Password Policies – Mirror corporate password standards.
  • 18. Supported Clients / Targets: Generic UNIX Systems (UNIX); Generic Database Servers (MS SQL Server, Sybase 15); Generic LDAP Directories.
  • 19. Typical OPAM Use-Case (actors: Database and Unix Admin "Joe", Oracle Privileged Account Manager, LDAP Server, HR App Database, Unix Server). 1. Joe requests the SYSTEM password for the HR App Database. 2. OPAM verifies against the LDAP Server that the OPAM user Joe is in the "HR DBA" role and returns the SYSTEM password. 3. Joe logs in as SYSTEM and adds a table to the DB; the system runs out of space. 4. Joe requests the root password for the Unix Server and OPAM returns it. 5. Joe logs in as root and adds disk space. 6. Joe checks in both passwords. 7. OPAM sets a new SYSTEM password for the HR App Database, based on the password policy for HR App Database, and a new root password for the Unix Server, based on the password policy for Unix Server.
  • 20. OPAM Integration with Oracle Identity Governance and Database Security
  • 21. OPAM and OIM - a Complete Governance Platform. Request for Privileged Account Access: Leverage OIM policy/role-based provisioning; A system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access; Workflow and approval will be followed as defined
  • 22. OPAM and OIM - a Complete Governance Platform. Request for Privileged Account Access: OIM publishes privileged account entitlements in the request catalog; An admin user uses access request self-service, searches the catalog, picks the privileged accounts he needs and submits for approval; The request kicks off workflow and approval as defined; The user is provisioned with group membership after approval; The user can access OPAM for privileged password check-out and check-in
  • 23. OPAM and OIM - a Complete Governance Platform. Risk-based certification: Through the existing OIM-OIA integration and the OIM-OPAM integration, privileged access info is made available to OIA for certification; Risk can be calculated based on privilege status and other data such as provisioning method; If an access violation is found, it can be revoked through OIM-OIA closed-loop remediation
  • 24. Use Case: Oracle Cloud for Industry and OPAM
  • 25. Oracle Cloud for Industry Overview. What is OCI? – An internal provider of cloud-based IaaS and PaaS services available to Oracle Global Business Units (GBUs) for the packaging of Oracle Industry Solutions to end customers, e.g. Financial Services, Healthcare, Retail – http://www.oracle.com/us/industries/index.html
  • 26. Oracle Cloud for Industry Problems: Disparate privileged account practices between multiple operational roles – Password vault utilities – Spreadsheets. Minimal auditing/reporting on privileged account usage. Difficulty of access – "Which vault is that stored in?" Additional requirements driven by regulatory compliance – PCI – HIPAA/HITECH
  • 27. Oracle Cloud for Industry Solution: Implement a password solution that is – Easy to use – Supports privileged accounts from multiple teams with differing requirements – Reliable – Secure – Auditable – Meets or exceeds regulatory compliance. Solution – OPAM
  • 28. Oracle Cloud for Industry, OCI & OPAM. How did OPAM help? – Role-based access to privileged accounts: LDAP group membership determines which privileged accounts users can access – Convenient, accessible BUI – Automated reporting of privileged account access and usage – Centralized, secure repository – Automated password management – Unique passwords for each system
  • 29. Oracle Cloud for Industry, PCI & OPAM. How did OPAM help with PCI Compliance? Addressed PCI DSS 2.0 Requirements: – 2.1 "Always change vendor supplied passwords before installing a system…" – 8.5.8 "Do not use group, shared, or generic accounts and passwords…" – 8.5.9 "Change user passwords at least every 90 days."
  • 30. Oracle Cloud for Industry, OPAM Flexibility. Customized scripts for password aging reporting – Required for 8.5.9 – Wrote a custom script to retrieve data from OPAM and email admins as necessary – RFE submitted to include the functionality in a future release's BUI. Daily reports of check-in/check-out activity – Currently done through BI Publisher, emailed to the security team nightly – On-demand reporting will be in a future release
  • 31. Case Study Overview, Solution: Securely stores local privileged account information in a central location; Access to accounts is limited by LDAP group membership (RBAC); Reportable audit trail on account usage
  • 32. OPAM: Privileged Account Manager in Action
  • 33. Oracle Privileged Account Manager in Action, Demo Overview: How the OPAM "lockbox" is used by Oracle Cloud for Industry; How OPAM Session Management and Auditing enhances the "lockbox" concept to provide additional compliance data; How to extend OPAM operations to enable emergency access; How emergency access can be integrated with physical access security using the Lockitron lock
  • 34. Summary
  • 35. OPAM Benefits: Enforce internal security policies and eliminate potential security threats from privileged users; Cost-effectively enforce and attest to regulatory requirements; Reduce IT costs through efficient self-service and a common security infrastructure; Real-time usage reports; Customizable audit reports with BI Publisher
  • 36. Demo Pods (all in Moscone South): Oracle Identity Governance Suite: Managing Privileged Accounts from Your Identity Platform; Oracle Identity Governance Suite: Complete Identity Lifecycle Management; Identity Management Monitoring with Oracle Enterprise Manager
  • 37. Sessions not to miss: CON8823, Wednesday 09/25, 5:00PM, Moscone West, Room 2018: Access Management for the Internet of Things, Kanishk Mahajan, Oracle. CON8826, Thursday 09/26, 3:30PM, Moscone West, Room 2018: Zero Capital Investment by leveraging Identity Management as a Service, Mike Neuenschwander, Oracle. CON8902, Thursday 09/26, 2:00PM, Marriott Marquis, Golden Gate C3: Developing Secure Mobile Applications, Mark Wilcox, Oracle. CON8836, Thursday 09/26, 11:00AM, Moscone West, Room 2018: Leveraging the Cloud to simplify your Identity Management implementation, Guru Shashikumar, Oracle. CON4342, Thursday 09/26, 12:30PM, Moscone West, Room 2018: Identity Services in the New GM IT, GM. CON9024, Thursday 09/26, 2:00PM, Moscone West, Room 2018: Next Generation Optimized Directory, Oracle Unified Directory, Etienne Remillon, Oracle.
  • 38. Join the Oracle Community: Twitter twitter.com/OracleIDM; Facebook facebook.com/OracleIDM; Oracle Blogs blogs.oracle.com/OracleIDM; Oracle.com/Identity
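The two reports the Oracle Cloud for Industry slides say the team built around OPAM (a password-aging check for PCI DSS 2.0 requirement 8.5.9, with email to the responsible admins, and a daily check-in/check-out activity report for the security team), as an added example. This is not the OCI team's script, which is not on the page; it assumes a constructed CSV export of managed accounts and a constructed audit log in a simple whitespace-separated format, because OPAM's real export format and API are not described here. Real use would feed it the data pulled from OPAM and hand the message bodies to an SMTP client.

```python
"""Password-aging (PCI DSS 8.5.9) and daily check-out activity report.
Added example, not the OCI team's script. The CSV export and audit log
formats below are constructed assumptions, not OPAM's real formats."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # PCI DSS 2.0 req. 8.5.9: change passwords at least every 90 days
REPORT_TIME = "2013-09-25T00:00:00Z"  # constructed "now" for the report

# Constructed export: one managed account per row with its last rotation time.
ACCOUNTS_CSV = """target,account,last_password_change,owner_email
hrdb01,SYSTEM,2013-06-01T10:00:00Z,dba-team@example.com
unix07,root,2013-09-10T08:30:00Z,unix-team@example.com
ldap02,cn=Directory Manager,2013-05-15T00:00:00Z,iam-team@example.com
"""

# Constructed audit log, chronological: "<timestamp> <event> <user> <target> <account>".
AUDIT_LOG = """2013-09-24T09:12:03Z checkout joe hrdb01 SYSTEM
2013-09-24T09:40:11Z checkin joe hrdb01 SYSTEM
2013-09-24T13:02:45Z checkout ann unix07 root
2013-09-25T07:15:00Z checkout joe ldap02 cn=Directory Manager
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_passwords(csv_text: str, now: str, max_age_days: int = MAX_AGE_DAYS) -> list:
    """(target, account, age_days, owner) for every password older than max_age_days at `now`."""
    now_dt = parse_ts(now)
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        age = (now_dt - parse_ts(row["last_password_change"])).days
        if age > max_age_days:
            stale.append((row["target"], row["account"], age, row["owner_email"]))
    return stale


def notifications(stale: list) -> dict:
    """One message body per owner address, listing that owner's overdue accounts."""
    by_owner = defaultdict(list)
    for target, account, age, owner in stale:
        by_owner[owner].append(f"{account}@{target}: password is {age} days old")
    return {owner: "\n".join(lines) for owner, lines in by_owner.items()}


def daily_activity(log_text: str, day: str) -> dict:
    """Events on `day` (YYYY-MM-DD) plus the check-outs still open at the end of
    that day, which is the first thing a security reviewer asks about."""
    events, open_checkouts = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, target, account = line.split(" ", 4)  # account names may contain spaces
        if ts[:10] > day:
            break  # chronological log: nothing later belongs to this day
        key = (user, target, account)
        if event == "checkout":
            open_checkouts[key] = ts
        elif event == "checkin":
            open_checkouts.pop(key, None)
        if ts[:10] == day:
            events.append((ts, event, user, target, account))
    return {"events": events, "open_at_end_of_day": sorted(open_checkouts)}


if __name__ == "__main__":
    for owner, body in notifications(stale_passwords(ACCOUNTS_CSV, REPORT_TIME)).items():
        print(f"To: {owner}\n{body}\n")  # a real script would hand this to an SMTP client
    print(daily_activity(AUDIT_LOG, "2013-09-24"))
```

With the constructed data, two of the three accounts are past 90 days and are grouped by owner address, and the 24 September report lists three events and one check-out (ann on root@unix07) still open overnight. The age comparison uses `>` rather than `>=` so that a password rotated exactly 90 days ago is still compliant with "at least every 90 days"; tighten it if your assessor reads the requirement differently.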