SANS Institute Product Review: Oracle Entitlements Server

Webcast covering SANS Institute's Product Review of Oracle Entitlements Server

  • There has been a dramatic shift in the requirements for providing secure access to applications, web services and databases. Even though many organizations have centralized their web access management infrastructure, many authorization decisions are still hard-wired into the application business logic itself. That business logic is not centrally managed, governed or controlled by a security team, and runtime access control decisions are rarely audited. The result is a fragmented policy framework that is difficult to control and manage. External Authorization solutions overcome this problem by externalizing granular access privileges from applications and centralizing their administration; they can enforce policies based on a combination of roles, attributes, context and runtime conditions. External Authorization does for authorization what Single Sign-On did for authentication: with SSO we externalized user names, passwords and logins to a centralized enterprise-wide system, and with External Authorization we can now externalize the policies that were previously hard-coded into applications. The benefit is that the business can adapt quickly as market conditions and compliance mandates require the enforcement of newer and more complex policies, and centralized policy management allows for consistent enforcement, improving security and governance across the enterprise.
  • Three primary business drivers are fueling the need to externalize authorization from applications. First, regulatory requirements are getting more stringent and complex, and meeting them often requires enforcement of granular access privileges at application runtime. Second, with role based access control now predominant, many organizations face role explosion: redundant role definitions make it difficult to secure transactions and data on the basis of roles alone. Third, many homegrown applications have authorization policies built into their business logic, which makes it hard to change policies in response to evolving security and regulatory mandates. This has led to the growth of External Authorization solutions, which make it easy to externalize and centralize authorization policy definitions. Solutions like Oracle Entitlements Server allow very rich policy definitions to be set up on the basis of context, attributes, roles or runtime conditions.
  • External Authorization can be applied to several kinds of real-world problems: securing content, securing collaboration, and protecting the privacy and confidentiality of data. Recent healthcare regulations and privacy laws have placed stricter requirements on access to applications and on auditing of that access, and meeting these compliance mandates often requires fine-grained access control policies. Without a central infrastructure to manage and enforce granular security policies, organizations find themselves constantly retooling applications to keep pace with changing regulatory demands. Controls such as segregation of duties and Chinese walls (information barriers between business units) are much easier to enforce once authorization is externalized. External authorization solutions also keep track of entitlement activity in the enterprise: every time an authorization policy decision is made, an audit record can be created for later analysis or reporting.
  • With External Authorization, organizations can enforce granular security throughout the stack; applications, web services, portals and databases can all be secured by externalizing authorization policies. SOA: External Authorization can simplify and secure connectivity to SOA environments. Data: existing security tools do not address the fundamental need of protecting the data itself based on the context of the access. Either they provide excessively coarse-grained control over the data source, an all-or-nothing proposition that does not work in most cases, or they require changes in every application that can access the data, where developers must write custom code to filter database tables and present only the subset of the data appropriate to the context of the application, process and user making the request. External authorization can instead return only the subset of data pertinent to the context of the access request. Applications: applications of many flavors, including homegrown, packaged and cloud applications, can be secured, and organizations can decouple the evolution of authorization policies from business logic by externalizing access privileges from applications.
  • The architecture for the use case review consisted of the following OES components. Administration Console: a Web-based UI for policy authoring and management, which can also distribute policy updates to applications. Policy Store: the central persistent store for authorization policies, which enables centralized management of security; applications can get policies directly from the central policy store. Policy Decision Point (PDP): the runtime component that includes the core authorization engine, also known as the Security Module (SM). When the SM receives an authorization request from a user or application, it evaluates the request against all relevant policies and returns a final authorization result. As part of policy evaluation, the SM can look up information from external data sources such as LDAP directories, databases and Web Services (the Policy Information Points, or PIPs, shown in the architecture diagram). An SM also includes Policy Enforcement Points (PEPs), which automatically enforce OES authorization decisions in environments such as WebLogic and SharePoint, among others.
  • Oracle Entitlements Server (OES) can be used to secure applications of all flavors: homegrown, mainframe, packaged and cloud. It provides authorization for a broad set of ecosystems including Java EE, Java SE, .NET, content management systems and databases. OES provides a rich hierarchical policy model based on the Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC) standards. OES allows both static and dynamic assignment of Application Roles based on policy. In dynamic role mapping, roles are assigned on an as-needed basis depending on the action initiated by the user; for example, the role of Fund Manager should be granted to a person only on certain funds. Such roles come into existence when an authorization request is made and are destroyed once a decision has been computed, and OES provides facilities to accurately control these role assignments based on the context of the request. Business roles are often structured hierarchically, with employees in higher positions automatically granted the privileges of the people in their reporting hierarchy; to model these real-world relationships OES supports role inheritance. OES can also enforce Separation of Duties (SoD) checks. There may be a need to ensure that certain users cannot perform tasks that would establish a conflict of interest (for example, a Financial Analyst making trades in the company they are covering), and to ensure that certain tasks can be given only to certain users (for example, delegated administration). These policies are intended to make sure that only the correct user is doing the correct thing. OES can also enforce policies based on context or runtime conditions: for example, you may want to change what an application allows a user to do based on the time of day or on business conditions, and there may be policies that dictate how an application carries out an activity (more than just a grant/deny decision for a piece of functionality). Finally, OES integrates easily with LDAP-based directories for sourcing identity attributes.
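The PDP/PEP/PIP architecture and the policy model described in the two notes above, as an added example written for this page (it is not OES code): a small deny-overrides PDP in Python whose policy store mixes role, attribute, separation-of-duties and time-of-day rules, with dynamic role mapping for the Fund Manager case, role inheritance, a PEP decorator that guards the business method, and one audit record per runtime decision. The directory entries, role names, policy names and business methods are constructed for illustration.

```python
"""Added example: a minimal external-authorization PDP/PEP in the style the
architecture above describes. Names and sample data are hypothetical; not OES code."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Set

# PIP: identity attributes, sourced from LDAP in a real deployment. Constructed sample data.
DIRECTORY: Dict[str, dict] = {
    "alice": {"roles": [], "funds": ["FUND-1"], "clearance": 4, "covers": []},
    "bob":   {"roles": ["Trader"], "funds": [], "clearance": 2, "covers": ["ACME"]},
    "carol": {"roles": ["Head of Trading"], "funds": [], "clearance": 5, "covers": []},
}
# Role inheritance: a senior role inherits the privileges of the roles beneath it.
ROLE_PARENTS: Dict[str, List[str]] = {"Head of Trading": ["Trader"]}

def effective_roles(static: List[str], attrs: dict, resource: dict) -> Set[str]:
    """Static roles expanded through inheritance, plus request-scoped dynamic roles."""
    roles: Set[str] = set()
    stack = list(static)
    while stack:
        r = stack.pop()
        if r not in roles:
            roles.add(r)
            stack.extend(ROLE_PARENTS.get(r, []))
    # Dynamic role mapping: 'Fund Manager' exists only for a fund the subject is
    # assigned to, and only for the lifetime of this authorization request.
    fund = resource.get("fund")
    if fund in attrs.get("funds", []):
        roles.add(f"FundManager@{fund}")
    return roles

@dataclass
class Request:
    subject: str
    action: str
    resource: dict
    now: datetime

@dataclass
class Policy:
    name: str
    effect: str                      # "permit" or "deny"
    action: str
    condition: Callable[[Request, dict, Set[str]], bool]

# Policy store: role, attribute, SoD and runtime-context rules (constructed for the example).
POLICIES: List[Policy] = [
    Policy("trader-may-trade", "permit", "trade",
           lambda rq, a, roles: "Trader" in roles),
    Policy("fund-manager-own-fund", "permit", "trade",
           lambda rq, a, roles: f"FundManager@{rq.resource.get('fund')}" in roles),
    # SoD: an analyst may not trade a company they cover (conflict of interest).
    Policy("sod-no-trading-covered-issuer", "deny", "trade",
           lambda rq, a, roles: rq.resource.get("issuer") in a.get("covers", [])),
    # Runtime context: trading is only allowed during the business day.
    Policy("trading-hours", "deny", "trade",
           lambda rq, a, roles: not (8 <= rq.now.hour < 17)),
    # Attribute constraint: confidential documents need clearance level 4 or higher.
    Policy("clearance-for-confidential", "permit", "view",
           lambda rq, a, roles: rq.resource.get("classification") != "confidential"
                                or a.get("clearance", 0) >= 4),
]

AUDIT: List[dict] = []   # one record per runtime decision, for later reporting

def decide(rq: Request) -> bool:
    """Deny-overrides evaluation: any matching deny wins, else any permit, else deny."""
    attrs = DIRECTORY.get(rq.subject, {})
    roles = effective_roles(attrs.get("roles", []), attrs, rq.resource)
    matched = [p for p in POLICIES if p.action == rq.action and p.condition(rq, attrs, roles)]
    denies = [p.name for p in matched if p.effect == "deny"]
    permits = [p.name for p in matched if p.effect == "permit"]
    permitted = not denies and bool(permits)
    AUDIT.append({"subject": rq.subject, "action": rq.action, "resource": rq.resource,
                  "roles": sorted(roles), "matched": denies + permits, "permit": permitted})
    return permitted

def pep(action: str):
    """PEP decorator: the business method never runs for a request the PDP denied."""
    def wrap(fn):
        def guarded(subject: str, resource: dict, now: datetime = None, **kw):
            if not decide(Request(subject, action, resource, now or datetime.now())):
                raise PermissionError(f"{subject} may not {action} {resource}")
            return fn(subject, resource, **kw)
        return guarded
    return wrap

@pep("trade")
def place_trade(subject: str, resource: dict, qty: int = 1) -> str:
    return f"{subject} traded {qty} {resource['issuer']} in {resource['fund']}"

@pep("view")
def open_document(subject: str, resource: dict) -> str:
    return f"{subject} opened {resource['name']}"
```

The default outcome when no policy matches is deny, and the PEP passes the whole resource description to the PDP rather than a pre-computed role, so the dynamic Fund Manager role is derived per request from the fund being traded instead of being stored as a permanent assignment.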
  • In enterprises, most data originates in a database, flows through various service tiers and is finally rendered by the UI. Securing data at the source ensures that information does not leak along the way. OES supports data redaction filters in the data tier as well as in the business tier. Sometimes information stored in a database is extremely sensitive and must be checked irrespective of the application; credit card numbers and passwords, for example, should be shared only on a need-to-know basis. In these situations it may be desirable to enforce restrictions from within the database itself. OES can be used to do row- and column-level filtering based on standards-based authorization policies. Because the filtering is done within the database, security policies are enforced regardless of which application issues the query, which also makes this approach useful with legacy applications that cannot externalize authorization. OES integrates with the major databases, including Oracle, DB2, Sybase and MySQL.
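Row- and column-level filtering enforced inside the database, as an added example (this is not OES's database integration): sqlite3 stands in for the RDBMS, the policy becomes a per-role view that masks or drops columns and binds a row predicate to a session-context table, and the application is only ever pointed at the view, so every query it writes is filtered the same way. The customer table, role names, card numbers and column policy are constructed for the example.

```python
"""Added example: policy-driven row and column filtering enforced inside the
database (sqlite3 stands in for the RDBMS). Table, roles and policy are
hypothetical; this is not OES code."""
import sqlite3
from typing import Dict, List

# Constructed sample data: customer records that include a card number.
ROWS = [(1, "Ann", "EMEA", "4111111111111111"),
        (2, "Bo", "APAC", "5500000000000004"),
        (3, "Cy", "EMEA", "340000000000009")]
COLUMNS = ["id", "name", "region", "card"]   # fixed schema identifiers, never request input

# Column policy per application role: see in clear, see masked, or not at all.
COLUMN_POLICY: Dict[str, Dict[str, str]] = {
    "fraud_analyst": {"id": "clear", "name": "clear", "region": "clear", "card": "clear"},
    "support":       {"id": "clear", "name": "clear", "region": "clear", "card": "mask"},
    "marketing":     {"id": "clear", "name": "clear", "region": "clear", "card": "drop"},
}

def column_expr(col: str, treatment: str) -> str:
    """SQL projection for one column under its policy treatment."""
    if treatment == "clear":
        return col
    if treatment == "mask":            # last four digits only, as on a receipt
        return f"'****' || substr({col}, -4) AS {col}"
    raise ValueError(f"unknown treatment {treatment!r}")

def view_sql(role: str) -> str:
    """Per-role view: column redaction plus a row predicate bound to the session's region.
    Role and column names come from the policy tables above, not from the request,
    so interpolating them into the DDL cannot introduce SQL injection."""
    policy = COLUMN_POLICY[role]
    select = ", ".join(column_expr(c, policy[c]) for c in COLUMNS if policy[c] != "drop")
    return (f"CREATE TEMP VIEW customers_{role} AS SELECT {select} FROM customers "
            f"WHERE region = (SELECT region FROM session_context)")

def connect(role: str, subject_region: str) -> sqlite3.Connection:
    """Open a session, bind the caller's context, and expose only the policy view."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, name TEXT, region TEXT, card TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", ROWS)
    # The row predicate reads the session context; the enforcement layer sets it once,
    # the application query never does.
    db.execute("CREATE TEMP TABLE session_context (region TEXT)")
    db.execute("INSERT INTO session_context VALUES (?)", (subject_region,))
    db.execute(view_sql(role))
    return db

def customers_visible_to(role: str, subject_region: str) -> List[tuple]:
    """What an application running as `role` for a subject in `subject_region` gets back."""
    db = connect(role, subject_region)
    try:
        return db.execute(f"SELECT * FROM customers_{role} ORDER BY id").fetchall()
    finally:
        db.close()
```

In a real RDBMS the base table would be revoked from the application account and only the view granted; the sqlite3 stand-in has no privilege model, so the separation here rests on the application being handed the view name rather than the table name.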
  • Content Management Servers such as SharePoint provide excellent facilities for storing, retrieving and sharing documents, and usually come with basic facilities for securing them. OES can extend these simple security models with sophisticated RBAC- and ABAC-based models; for example, a policy such as "Only employees with clearance level 4 can view confidential documents" can be implemented directly as an OES policy constraint. SharePoint serves as both a portal and a document repository, and OES provides out-of-the-box Policy Enforcement Points (PEPs) for securing SharePoint sites, URLs, pages, portlets, Web Parts, page contents and documents: an OES HTTP module secures Web pages and the OES Web Control secures Web Parts. In addition, OES provides an authorization tag library that allows conditional execution of code and custom UI rendering. This lets you gain control over the prolific use of SharePoint in your organization and lock down information hosted in SharePoint to a very granular level: Web Parts, pages, list items, any user information that can be rendered can be protected with OES. It is well integrated with Active Directory and can reuse the information already stored in AD.
  • OES integrates easily with XML gateways to help simplify and secure connectivity to SOA environments. OES is natively integrated with Oracle Enterprise Gateway (OEG), the recently launched Oracle XML Gateway product: OES Security Modules are embedded within OEG, which allows granular security to be enforced for SOA environments. For instance, you can enforce security policies for web services based on the content of SOAP headers and on attribute information, which makes it easier to enforce policies based on time of day, client IP and similar context. Policies can also be set up to redact confidential information from web service responses. OES supports the common web services message formats and transports, including XML/SOAP, REST and JMS.
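Gateway-style enforcement for a SOAP service, as an added example (not OES or Oracle Enterprise Gateway code): the policy is evaluated on a SOAP header attribute, the client IP and the time of day, and confidential elements are removed from the response before it leaves the gateway, so the backend service needs no knowledge of the rule. The envelopes, the urn:example:accounts namespace, the 10.0.0.0/8 internal network and the role names are all assumptions made for the example.

```python
"""Added example: SOAP gateway enforcement with header-based policy and
response redaction. Envelopes, namespace, roles and network are hypothetical;
this is not OES or Oracle Enterprise Gateway code."""
import ipaddress
import xml.etree.ElementTree as ET   # production: parse untrusted XML with defusedxml
from datetime import datetime
from typing import Callable

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "acct": "urn:example:accounts"}                      # hypothetical service namespace
for prefix, uri in NS.items():                             # keep prefixes on serialization
    ET.register_namespace(prefix, uri)

# Constructed sample traffic, as the gateway sees it.
REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:acct="urn:example:accounts">
  <soap:Header><acct:Caller role="teller" branch="0042"/></soap:Header>
  <soap:Body><acct:GetAccount number="12345678"/></soap:Body>
</soap:Envelope>"""
RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:acct="urn:example:accounts">
  <soap:Body><acct:Account number="12345678" branch="0042">
    <acct:Balance>1020.50</acct:Balance>
    <acct:SSN>123-45-6789</acct:SSN>
    <acct:Card>4111111111111111</acct:Card>
  </acct:Account></soap:Body>
</soap:Envelope>"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")              # hypothetical branch network
# Response redaction policy: elements each caller role must not receive.
REDACT = {"teller": ["acct:SSN", "acct:Card"], "fraud": []}
STRICT = ["acct:SSN", "acct:Card", "acct:Balance"]        # unknown role: redact everything sensitive

def caller_role(envelope: str) -> str:
    caller = ET.fromstring(envelope).find("soap:Header/acct:Caller", NS)
    return caller.get("role", "") if caller is not None else ""

def authorize(envelope: str, client_ip: str, now: datetime) -> bool:
    """Permit GetAccount only for tellers, from the internal network, in business hours."""
    root = ET.fromstring(envelope)
    op = root.find("soap:Body/*", NS)
    if op is None or op.tag != f"{{{NS['acct']}}}GetAccount":
        return False                     # unknown operation: default deny
    on_network = ipaddress.ip_address(client_ip) in INTERNAL
    return caller_role(envelope) == "teller" and on_network and 8 <= now.hour < 18

def redact(response: str, role: str) -> str:
    """Strip elements the role may not see before the response leaves the gateway."""
    root = ET.fromstring(response)
    for path in REDACT.get(role, STRICT):
        for parent in list(root.iter()):            # snapshot: the tree is mutated while walking
            for child in parent.findall(path, NS):
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")

def process(request: str, client_ip: str, now: datetime,
            backend: Callable[[str], str]) -> str:
    """Gateway flow: authorize on header and context, call the service, redact the reply."""
    if not authorize(request, client_ip, now):
        raise PermissionError("denied by gateway policy")
    return redact(backend(request), caller_role(request))
```

The decision is keyed on the whole operation element, not just the header, so a request that carries a teller header but names a different operation falls through to the default deny; the redaction list for an unrecognised role is the strict one for the same reason.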
  • Oracle is proud to sponsor the Platform Approach seminar series. In this multi-city event series, Derek Brink (research analyst from Aberdeen Group) will discuss how organizations can build a business case for a comprehensive identity and access program. In addition, attendees will learn how to build a roadmap that optimizes the results of large scale Identity Management. Oracle experts and architects will also provide information on how to unlock the potential of the Oracle Identity Platform. Register today at
  • You also have a unique online opportunity to learn from, and get questions answered by, Oracle customers. These are live webcasts but they will also be available on demand. Agilent Technologies discusses how they moved from multiple point solutions to consolidate their deployment on Oracle. Cisco discusses their unique approach to consolidating their identity program into a platform. On April 11th, ING Bank will discuss how a platform with integrated administration and governance reduced cost and improved compliance. On May 30th, Toyota Motors will discuss how they leveraged a platform to build a social network for cars.
  • Join the Oracle community for regular updates on content and hear about upcoming events and news.

    1. Demystifying External Authorization: Oracle Entitlements Server Product Review. Tanya Baccam, Senior Instructor and Courseware Author, SANS; Roger Wigenstam, Sr. Director of Product Management, Oracle. © 2012 The SANS™ Institute
    2. Speakers: Tanya Baccam, Senior Instructor, SANS; Roger Wigenstam, Sr. Director, Product Management, Oracle
    3. Agenda • External Authorization Overview • Oracle Entitlements Server • Product Review • Q&A
    4. Defining External Authorization: "Managing granular access permissions for applications, middleware and databases by externalizing and centralizing standards-based authorization policies." Data: data redaction and filtering for data at rest and data in motion. Applications: fine-grained access to applications based on roles, entitlements, attributes and runtime context. Web Services: data filtering for standards-based web services. Portals: access control for sensitive documents stored in portals and content management systems, based on roles and identity attributes. Context-Aware Access Control.
    5. Why Is It Important? Regulatory Considerations: regulations are getting complex and often demand enforcement of granular access privileges. Role Explosion: role explosion makes it difficult to secure transactions and data based on roles. Fragmented Security: authorization policies are often hardwired into application business logic.
    6. Applying External Authorization: Content, Collaboration, Privacy, Confidentiality, Regulation, Audit
    7. Common Use Cases • Web Services (SOA) Security • Web Access Control • Application Transactions • Relational Database Information • Portals (SharePoint, etc.)
    8. Entitlements Server Product Overview. Roger Wigenstam, Sr. Director of Product Management, Oracle. ©2012 Oracle Corporation
    9. Oracle Entitlements Server (OES) • Unified External Authorization for Applications, Web Services, Portals and Databases • Standards-based Policy Enforcement at Run-time • Declarative Security Model Simplifies Application Lifecycle
    10. Real-Time Authorization: Sub-millisecond Authorization Response Time • Massively scalable External Authorization Management • Scales easily to large number of protected resources • Hundreds of millions of users • Thousands of roles • From small workgroups to mission-critical deployments • Authorization checks enforced with real-time latency
    11. Comprehensive Standards Support • Attribute Based Access Control • XACML • OpenAZ • NIST Role Based Access Control • Enterprise RBAC • Java2 / JAAS • Code Based Access Control • JSR 115 / JACC* • Data Security
    12. Native & Custom Integrations: Identity Management, Application Servers, Portals & Content Mgmt, Development FWK's, SOA, Policy Store, Data Sources, XML Gateways
    13. Oracle Entitlements Server Product Review. Tanya Baccam, SANS
    14. Use Cases: Application Access Control, Data Security, SharePoint Security, Web Services Security
    15. Architecture (diagram): an OES Admin Server backed by an Identity Store and a Policy Store; several Security Modules, each a PDP with its own PEP, Id Store and PIPs
    16. Application Access Control • Web Access Control (URL-based and fine-grained) • Attribute based Access Control (ABAC/XACML) • Static and Dynamic Role Mapping • Role Inheritance • Separation of Duties Checks • Runtime Constraint and Context-aware Policy Enforcement • Integration with LDAP-based directories. * Oracle Entitlements Server can be used to enforce multiple compliance requirements.
    17. Data Security • Selective Data Redaction/Filtering: row-level security, columnar security • Centralized Authorization Policy Administration for Databases • Integration with major databases (Oracle, DB2, Sybase, MySQL). * OES enables management of access policies based on business need.
    18. SharePoint Security • Document Access Control (based on document tags, attributes, location, user, role, etc.) • Custom Page Content (FGA checks for ASP.NET pages) • Integration with Active Directory and LDAP-based directories. * OES provides a variety of authorization decisions for different types of applications and users.
    19. Web Services Security • Integration with XML Gateways • Selective Data Redaction/Filtering for SOA web services • Support for a variety of message standards (XML/SOAP/REST/JMS). * Policies can be set up to secure connectivity to SOA and cloud environments.
    20. Aberdeen Group Event Series featuring Derek Brink: Chicago, April 10th; New York, April 12th; Toronto, April 17th; Boston, April 19th; San Francisco, May 22nd. Register at:
    21. Platform Webcast Series: Oracle customers discussing results of the platform approach. Platform Best Practices, Agilent Technologies (available on-demand); Cisco's Platform Approach, Cisco Systems (available on-demand); Platform for Compliance, ING Bank, April 11th 2012; Platform Business Enabler, Toyota Motors, May 30th 2012. Register at:
    22. Securing Oracle
    24. Questions