CON8819: Context and Risk Aware Access Control – Any Device Any Where (final)

Svetlana Kolomeyskaya & Ashish Kolli's OOW2013 presentation
  • Market trends:
    – Securing access to systems from mobile phones and tablets
    – Securing access and managing risk/compliance across enterprise and cloud applications
    – Identifying web site visitors via consumer social identities
    – Proliferation of APIs
  • Customers are:
    – Shunning the current complex customizations
    – Seeking to accelerate deployment and simplify maintenance
    – Avoiding multi-vendor gaps, performance issues, integration challenges, upgrade cycle timing
    – Reducing high TCO
  • Balances security vs user experience: adjust the authentication level based on application security requirements; adapt security based on context; pass identity context through the entire stack. End-to-end security including desktop, mobile, cloud and web services. This requires an intelligent access platform that understands context and risk: identity context, device context, resource context, transaction context, etc; weighted risk based on real-time context; actions taken based on context and risk.
    – Complete: identify, authenticate, federate and authorize; real-time authorization and data redaction based on contextual authentication techniques to reduce fraud; multi-user type, multi-platform, multi-channel and multi-device security; secure and manage APIs; lower TCO due to a common policy store for all access events; support for Oracle, 3rd party and custom applications.
    – Simplified: converged services (Authentication and SSO (OAM), Federated SSO (OIF), Mobile & Social, Security Token Service) on a common infrastructure (session management, Identity Context, policy store, lifecycle management, install & configuration).
    – Innovative: mobile security, social identity, REST services, end-to-end Identity Context.
  • Username and password; social logon; step-up authentication and OTP, which can be applied:
    – the first time with this device (device registration)
    – for a sensitive application
    – for a high risk score
    – for a user with a high level of access to the application
  • Selective Data Redaction: We work with a large number of customers in Financial Services, Healthcare, Public Sector / Government Agencies, Telecom, Insurance etc that are looking at exposing information and corporate systems for access from / by mobile devices, business partners, customers, and/or the cloud. Many of these organizations internally expose web services and/or have corporate systems for accessing information about customers, patients, or citizens, among other things. These web services and systems were probably built a long time ago, and often return any and all information about the customer or patient to the requester, including sensitive information such as social security numbers, credit card numbers, or medical and health records. With the combination of Oracle Entitlements Server and Oracle Enterprise Gateway we can, as discussed, expose REST based APIs (or other types of web services) to our clients, and define XACML based authorization policies that determine what information should actually be allowed to leave the network and what needs to be redacted. For example: we can control what information Bob (some user) can access about a given customer or patient (Bart Simpson above) from a given client device, location and network, based on Bob's relationship with the customer/patient (account manager, doctor, something else, or none), and have any other information be automatically redacted.
    In the example here we've determined that the current user should not be allowed to see Bart's social security number or date of birth, whereas if Bob were to query a different customer/patient record he might be able to see all the information (perhaps because of his relationship with the customer, or because we've determined that it is safe to do so as he is accessing the system through a secure network, or because the risk score is within acceptable limits).
    Business Transactions: As in the data redaction example, we can also control what business transactions a given set of users are allowed to perform under various conditions. This is not only whether the user is authorized to make salary changes in general, as in the example above, but for what set of employees, the actual dollar amount being changed, and other factors. Another example could be whether you're allowed to submit orders over a certain amount based on identity and device context. The really cool part is that in both these examples we can impose rules and authorization policies on what data can be accessed and whether a given business transaction can be submitted without any coding or code changes to the backend systems. This is because OEG, OES, and our Mobile Access integrations sit in front of the backend systems, and we can inspect and control what messages and message content are allowed to go in either direction (request or response). An additional benefit is full insight: our components provide a full audit trail, and we can even monitor the transactions and information flow in real time (or at a time interval) with alerts and notifications if we see anomalies in access patterns and suspicious behavior. Our solution is fully standards based and supports XACML, Role Based Access Control (RBAC), REST, SOAP, JSON, XML, JWT, etc.
  • Turns social integration into an administrator action; provides out-of-the-box support for leading social providers; provides increased levels of assurance as the user progresses to more secure services; simplifies registration and single sign-on from multiple providers; mobile or web based; can plug in to existing OAM deployments. Will you let a customer use a Facebook identity for online banking transactions? For buying products from your online stores? For accessing company intellectual property (IP)? Higher risk transactions demand a higher level of trust and security.
  • OAAM evaluates the full context of an access request to determine the level of risk. There are three complementary types of evaluation OAAM performs, depending on the specific situation at hand:
    – Static – known indicators of risk can easily be defined as rules.
    – Patterns – user behavioral profiling is very valuable for detecting insider fraud/abuse and stolen/compromised credentials.
    – Predictive – detecting fraud that has not been seen before is best accomplished with statistical models used to make predictions.
  • Identity Context roles:
    – 1) Publisher – collects and publishes information to Identity Context: OAM – session data; OAAM – risk data; OESSO – device health data; OIF – federated partner data.
    – 2) Evaluator – evaluates security policies based on Identity Context data: OAM – web perimeter policy; OES – app-specific policy.
    – 3) Propagator – automatically propagates Identity Context between Publisher and Evaluator: OPSS – JEE container; OWSM – Web Services Manager.
    We have enhanced Oracle Access Manager to provide mobile and social sign-on. Today within the enterprise we have a high degree of trust, but now it's a bring-your-own-device culture. Each user has multiple devices and they are connecting them to the network. We are trying to re-establish the level of trust with mobile devices. If you look at a typical user's phone they have 20+ applications. As organizations deploy more apps to mobile devices they can't keep up with the support cost or the risk inherent in multiple passwords across applications. Mobile users and devices need access to information in the corporate network, often from legacy systems that have little or no security. How do you make this information accessible in a secure manner? How do you control and monitor what sensitive data leaves your network? We are enabling single sign-on, RESTful sign-on, authorized access to data, and securing your REST APIs. We are helping to rebalance risk and trust. We also support Android and iOS. So basically the case is: organizations that want to connect with their external subscribers. To make it simple and avoid the work of managing all of the registrations, we can simply trust the social networking site for authentication and dynamically provision the user without the user having to re-register again. We also have a customer who is looking at this as part of their deployment.
  • With Fusion Middleware, you can extend and maximize your existing technology investment with the same technologies used in Fusion Applications, including embedded analytics and social collaboration, and mobile and cloud computing. Oracle’s complete SOA platform lets your IT organization rapidly design, assemble, deploy, and manage adaptable business applications and—with Oracle’s business process management tools—even bring the task of modeling business processes directly to the business analysts. Oracle Business Intelligence foundation brings together all your enterprise data sources in a single, easy-to-use solution, delivering consistent insights whether it’s through ad hoc queries and analysis, interactive dashboards, scorecards, OLAP, or reporting. And, your existing enterprise applications can leverage the rich social networking capabilities and content sharing that users have come to expect in consumer software. Oracle Fusion Middleware is based on 100 percent open standards, so you aren’t locked into one deployment model when your business requirements change.
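A worked illustration of the selective data redaction and business-transaction checks described in the notes above, added here as example code that is not Oracle's and not OES/OEG code: a small policy-enforcement function that redacts fields of a backend response based on assumed Identity Context attributes (relationship, network, device trust, risk score), and a transaction check that limits who may submit a salary change and for how much. The attribute names, thresholds and the customer record are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Context:
    """Assumed Identity Context attributes a gateway / policy decision point receives."""
    relationship: str      # e.g. "account_manager", "doctor", "none"
    network: str           # "corporate" or "public"
    device_trusted: bool   # device registered and trusted
    risk_score: int        # 0..100, lower is safer


# Constructed sample record, as a legacy backend service might return it in full.
CUSTOMER_RECORD = {"name": "Bart Simpson", "ssn": "000-00-0000",
                   "dob": "1980-01-01", "account_status": "active"}

# Field-level policy: each sensitive field is released only if its rule returns True.
# (Assumed rules; a real deployment would express these as XACML policies.)
FIELD_POLICY = {
    "ssn": lambda c: c.relationship in ("account_manager", "doctor")
                     and c.network == "corporate" and c.risk_score < 30,
    "dob": lambda c: c.relationship != "none" and c.risk_score < 50,
}


def redact_response(record, ctx, policy=FIELD_POLICY):
    """Return a copy of `record` with every field the policy does not permit redacted.

    The original record is not modified, so the backend stays untouched."""
    out = dict(record)
    for name, permitted in policy.items():
        if name in out and not permitted(ctx):
            out[name] = "[REDACTED]"
    return out


def authorize_salary_change(ctx, actor_manages_employee, amount, limit=10000):
    """Transaction-level check: who may change a salary, for whom, and how much.

    Returns (allowed, reason). Limits and the untrusted-device rule are assumed."""
    if not actor_manages_employee:
        return False, "not the employee's manager"
    if amount > limit:
        return False, "amount over limit"
    if not ctx.device_trusted and amount > limit / 10:
        return False, "untrusted device"
    if ctx.risk_score >= 50:
        return False, "risk score too high"
    return True, "permitted"
```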

Transcript

  • 1. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
  • 2. CON8819: Context and Risk Aware Access Control – Any Device Any Where. Svetlana Kolomeyskaya, Group Product Manager, Oracle; Ashish Kolli, Software Development Senior Director, Oracle
  • 3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  • 4. Program Agenda
    – Market Trends
    – Oracle Access Management 11gR2 – Context and Risk Aware Access Control
    – Customer panel discussion
    – Q&A
  • 5. Market Trends
  • 6. Market Trend: New Mobile and Cloud Opportunities – The Digital Experience (Mobile, Cloud)
  • 7. Market Trend: Avoiding System Fragmentation & Reducing Cost
    – Accelerate deployment and simplify maintenance
    – Avoid multi-vendor gaps, performance issues, integration challenges, upgrade cycle timing
    – Reduce high TCO
  • 8. Market Trend: Secure Access Anywhere, Anytime
    – Security for different user identities – work, social, mobile, etc
    – Access anytime, anywhere, any device
    – Balance security vs user experience
    (diagram labels: APIs, Mobile, Cloud, Web Based, Desktop, Management)
  • 9. Oracle Access Management 11gR2 – Context and Risk Aware Access Control
  • 10. Oracle Access Management 11gR2 – Complete, Simplified, Innovative, Scalable
    – Web Single Sign-on
    – Federation
    – Mobile and Social
    – Authorization
    – API Security
    – Desktop application access
    – Token Services
    – Fraud Detection
    Context Driven. Risk Aware.
  • 11. Oracle Access Management 11gR2 – Simplified and Innovative
    – Converged Services: Authentication and SSO; Federated SSO; Mobile & Social; Security Token Service
    – Innovation: Mobile Security; Social Identity; REST Services; Identity Context
  • 12. Oracle Access Management 11gR2 – Flexible Policy Model
    – Adjusts authentication level based on application security requirements
    – Adapts security based on context
  • 13. Mobile Authentication – Flexible Options for Devices, Applications and Users
  • 14. Device Based Security
    – Mobile Device Information (OS, Carrier, Jailbroken, IP/MAC)
    – Device Registration / Fingerprint
    – Blacklist / Whitelist
    – Stronger Authentication (KBA, OTP, etc)
  • 15. Context Aware Authorization: Selective Data Redaction; Business Transactions; Context Aware; Standards Based; Full Audit Trail; No Code Changes Required
  • 16. Oracle Access Management – Social Identity: Social Sign On (Select, Login, Authorize)
  • 17. Behavior and Context Matter. John Smith → Password → Device Tracking → Location → Profile → Transaction Risk → Verify ID → Protected Resources. The authentication credential is valid, but is this really John Smith? Is anything suspicious about John's behavior or the situation? Can John answer a challenge if the risk is elevated?
  • 18. Risk-Based Authentication – Improve Usability and Security
    – If the risk is very high: deny access and alert the security team
    – If the risk is high: send a one-time password to the user's mobile phone
    – If the risk is medium: ask a challenge question
    – If the risk is low: do nothing
    (diagram: risk levels HIGH, MED-HIGH, MED-LOW, LOW; response from DENY to ALLOW)
  • 19. Context-Aware Risk Analysis: analyzes risk in real time; profiles behaviors; recognizes patterns; detects anomalies; takes preventative actions
    – Static Scenarios: specific scenarios that always equate to risk. If a device appears to be traveling faster than jet speed between logins, the risk is increased.
    – Pattern Profiling: dynamic behavioral profiling in real time. In the last month, has Joe used this device for less than 3% of his access requests? In the last three months, have less than 1% of all users accessed from this country?
    – Predictive Analysis: indicates the probability that a situation would occur. Is the probability less than 5% that an access request would have this combination of data values?
  • 20. Oracle Access Management 11gR2 – Context aware security
    – Security policies need access to contextual information about identity
    – Identity context is available from different sources – it can be static (ID Store profile) or dynamic (the user's risk score)
    – Too much dynamic information for applications to handle – managing "Identity Context" should be built into the security infrastructure
  • 21. Requirements for Identity Context
    – Identity Context 1.0: User Profile (Attributes, Groups); Application and Enterprise roles
    – Identity Context 2.0: User Profile (Attributes, Groups); Application and Enterprise roles; Authentication Level of Assurance (Weak, Strong); Device State (Known, Managed, Trusted); Presence (Location, Historical Patterns); Business Partner Data (Federation Claims); Risk Assessment Data (Pattern Analysis)
  • 22. Oracle Access Management 11gR2 – Sample Context Attributes (Category / Component / Attributes (Sample))
    – Client / Enterprise SSO; Mobile and Social / Is Firewall Enabled; Is Anti Virus Enabled; Device Fingerprint; Location
    – Risk / Risk analysis and Fraud Detection / Is Known Device; Is Trusted Device; Risk Score
    – Federation / Federation / Partner ID; Partner Attributes
    – Session / Web SSO / Session ID; Any attribute in the current session
    – Identity / Web SSO; Directory Virtualization / Any attribute in the user's ID Store profile; True/False result of a search
  • 23. Oracle Access Management 11gR2 – Context and Risk Aware: real-time context collection and propagation for risk analysis, authentication and authorization. 1. Collect attributes at the device tier (Smartphone, Laptop, Tablet). 2. Publish, propagate & evaluate attributes across Oracle's Fusion Middleware stack: DMZ & Web tier, Application tier and Service tier (diagram components: Web SSO, Federation, Risk / Adaptive Authentication, Portal, EJBs, Application Server, SOA, Service Bus, Web Services, Databases, APIs, Directories, and Authorization at each tier).
  • 24. Oracle Access Management 11gR2 – Summary
    – An intelligent access platform that understands context and risk
    – Enhances security & improves user experience – intelligent flexible trust model
    – Lowers Total Cost of Ownership (TCO)
  • 25. Customer Panel Discussion
  • 26. Customer Panel
    – Cisco Systems – Ranjan Jain, Enterprise IT Architect
    – MITRE – Manish Gulati, Department Head – ERP Deployment & Maintenance
  • 27. Q&A
  • 28. Demo Pods (Moscone South): Complete and Scalable Access Management; Federation and Leveraging Social Identities; Mobile Access Management
  • 29. Sessions not to miss
    – Tuesday 10:15am – 11:15am: CON9437: Mobile Access Management, Moscone West, Room 3022
    – Tuesday 11:45am – 12:45pm: CON9491: Enhancing End User Experience with Oracle Identity Governance, Moscone West, Room 3008
    – Tuesday 1:15pm – 2:15pm: CON9447: Enabling Access for Hundreds of Millions of Users, Moscone West, Room 3008
    – Tuesday 5:00pm – 6:00pm: CON9465: Next Generation Directory – Oracle Unified Directory, Moscone West, Room 3008
    – Wednesday 10:15am – 11:15am: CON9458: Eliminate end-user managed passwords while increasing security with Oracle ESSO, Moscone West, Room 3008
    – Wednesday 11:45am – 12:45pm: CON9494: Sun2Oracle: Identity Management platform transformation, Moscone West, Room 3008
    – Wednesday 1:15pm – 2:15pm: CON9493: Identity Management and the Cloud, Moscone West, Room 3008
    – Wednesday 3:30pm – 4:30pm: CON9625: Real-time External Authorization for Middleware, Applications and Databases, Moscone West, Room 3008
  • 30. Join the Oracle Community: Twitter twitter.com/OracleIDM; Facebook facebook.com/OracleIDM; Oracle Blogs blogs.oracle.com/OracleIDM; oracle.com/Identity
  • 31. Oracle Fusion Middleware – Business Innovation Platform for the Enterprise and Cloud
    – Complete and Integrated
    – Best-in-class
    – Open standards
    – On-premise and Cloud
    – Foundation for Oracle Fusion Applications and Oracle Cloud
    (diagram layers: Web, Social, Mobile; User Engagement, Business Process Management, Content Management, Service Integration, Business Intelligence, Data Integration, Identity Management, Development Tools; Cloud Application Foundation; Enterprise Management)
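The risk-based authentication responses of slide 18 and the static and pattern rules of slide 19, as an added Python example that is not part of the presentation and not OAAM code: it scores one access request against a constructed login history using the impossible-travel rule, the rare-device rule (device used for less than 3% of the user's requests in the last month) and the rare-country rule (less than 1% of all users' requests in the last three months), then maps the score onto deny-and-alert / OTP / challenge question / allow. The rule weights, response thresholds, JET_SPEED_KMH and the history are assumptions; the predictive (statistical) evaluation is not modelled.

```python
import math
from datetime import datetime, timedelta

# Constructed history (not real data): "joe" logs in daily from San Francisco on
# device "d1"; "ann" and "bob" log in daily from New York on their own devices.
HISTORY = [{"user": "joe", "device": "d1", "country": "US", "lat": 37.77,
            "lon": -122.42, "t": datetime(2013, 9, 1, 9) + timedelta(days=i)}
           for i in range(40)]
HISTORY += [{"user": u, "device": u + "-dev", "country": "US", "lat": 40.71,
             "lon": -74.0, "t": datetime(2013, 9, 1, 10) + timedelta(days=i)}
            for u in ("ann", "bob") for i in range(40)]
JET_SPEED_KMH = 1000.0  # assumed threshold for "faster than jet speed"

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def static_impossible_travel(history, req):
    """Static scenario: the user moved faster than jet speed since the last login."""
    prior = [h for h in history if h["user"] == req["user"] and h["t"] < req["t"]]
    if not prior:
        return False
    last = max(prior, key=lambda h: h["t"])
    hours = (req["t"] - last["t"]).total_seconds() / 3600
    dist = haversine_km(last["lat"], last["lon"], req["lat"], req["lon"])
    return hours > 0 and dist / hours > JET_SPEED_KMH

def device_fraction(history, req, days=30):
    """Pattern: share of this user's requests in the last `days` from this device."""
    since = req["t"] - timedelta(days=days)
    mine = [h for h in history if h["user"] == req["user"] and since <= h["t"] < req["t"]]
    return sum(h["device"] == req["device"] for h in mine) / len(mine) if mine else 0.0

def country_fraction(history, req, days=90):
    """Pattern: share of all users' requests in the last `days` from this country."""
    since = req["t"] - timedelta(days=days)
    recent = [h for h in history if since <= h["t"] < req["t"]]
    return sum(h["country"] == req["country"] for h in recent) / len(recent) if recent else 0.0

def score_request(history, req):
    """Weighted score 0..100 plus the rules that fired (weights are assumed)."""
    score, reasons = 0, []
    if static_impossible_travel(history, req): score += 60; reasons.append("impossible_travel")
    if device_fraction(history, req) < 0.03: score += 25; reasons.append("rare_device")
    if country_fraction(history, req) < 0.01: score += 25; reasons.append("rare_country")
    return min(score, 100), reasons

def respond(score):
    """Map the score onto the slide's four responses (thresholds are assumed)."""
    if score >= 80: return "deny_and_alert"
    if score >= 50: return "otp_to_phone"
    if score >= 25: return "challenge_question"
    return "allow"

def evaluate(user, device, country, lat, lon, when_iso, history=HISTORY):
    """Evaluate one access request; `when_iso` is an ISO-8601 timestamp."""
    req = {"user": user, "device": device, "country": country,
           "lat": lat, "lon": lon, "t": datetime.fromisoformat(when_iso)}
    score, reasons = score_request(history, req)
    return score, reasons, respond(score)
```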