Identity Management for Database Applications (session 40128)
Sudha Iyer, Principal Product Manager, Oracle Corporation
Reminder: please complete the OracleWorld online session survey. Thank you.
Speaker notes

Benefits: EUS (Enterprise User Security) is the key component that glues the Identity Management platform to the database. Users can authenticate using passwords or certificates. EUS extends the life of your client-server apps from the 70s and 80s by allowing you to manage their users centrally in the directory, so web-based apps and client-server apps share one single user administration location. EUS users and SSO users are unified, and this is a key differentiator for Oracle's Identity Management solution. It lowers TCO because there is a single point for password and privilege management. It supports n-tier (proxy) authentication: the middle tier uses proxy authentication to proxy the user's X.509 certificate or DN to the database; the database recognizes the user as an enterprise user and gets the user's roles from the directory.

A scenario to walk through for the advanced audience. Shared schema: APP_SCHEMA has the CREATE SESSION privilege and nothing else. Jane and Jill may be mapped to this schema (APP_SCHEMA is the shared schema); to the database, APP_SCHEMA is just another user. N-tier with EUS: let us say that the application always logs in as Apps_User. In order to track user activity across all tiers, Apps_User can be made to proxy for either APP_SCHEMA or the individual user, i.e. Jane if she is using an exclusive schema.
Agenda
- Business drivers for security
- Identity and security: related?
- Key benefits of Identity Management
- Strategies for deployed applications
- Oracle Database 10g
- Questions

Business Drivers for Security: Why security?

Business Environment …
- Increased threat to business continuity
  - Internal threats
  - External threats
- Government regulations (US and foreign)
  - Security policy
  - Security products
- Manageability and high availability with security

Measuring ROI in Security
- Opportunity cost
  - What do lost business, delayed payments and customer retention mean to your business?
- Lower administrative costs
  - Patch management
  - User provisioning
  - Eliminate password management woes

Security & Identity Management: Where do they meet?

Critical aspects of Security
- Privacy
  - Consumers vs. businesses
  - Staying anonymous is expensive
- Authentication
  - Critical to establish trust
- Integrity
  - Non-repudiation
- Audit

Identity and Security
- Identity
  - Username, certificate DN, global UID
- Authenticate
  - Password (what you know)
  - Stronger alternatives (smart card, certificate, Kerberos TGT)
- Trust
  - Secure the channel
  - Evaluate access control
  - Assist in non-repudiation

Identity Management in Oracle 10g (components and their roles)
- Oracle Internet Directory: LDAP standard repository for identity information
- Directory Synchronization: integration with other directories (e.g. ADS, iPlanet)
- Provisioning Integration: automatic provisioning of users in the Oracle environment
- Delegated Administration: self-service administration tools for managing identity information across the enterprise
- AS 10g Single Sign-On: single sign-on to web applications
- Oracle Certificate Authority: issue and manage X.509v3 compliant certificates to secure email and network connections

Oracle Security Architecture (diagram slide)
- Oracle Identity Management: Oracle Internet Directory, OracleAS Certificate Authority, Directory Integration & Provisioning, OracleAS Single Sign-On, Delegated Administration Services
- Service layers: Access Management, Directory Services, Provisioning Services, External Security Services
- Oracle 10g Platform Security Bindings / Application Component Security:
  - OracleAS 10g: JAAS, WS Security, Java2 Permissions
  - Oracle 10g Database: enterprise users, VPD, encryption, Label Security
  - Oracle E-Business Suite: responsibilities, roles
  - Oracle Collaboration Suite: secure mail, interpersonal rights
  - OracleAS Portal & Wireless: roles, privilege groups
- Enterprise Security Infrastructure

Benefits of Identity Management: Valuable with over capacity in technology

Where is the pain?
- User administration
  - Scalability
    - Too many accounts for additions, deletions and role changes across 100s of databases
    - Solution: directory integration for centralized user/privilege management
- Ease of use and flexibility
  - Too many passwords to remember/administer
    - Solution: Single Sign-On with digital certificates, and a single password

Oracle Identity Management…
- Improve ROI on administration
  - One network identity for a user
  - Eliminates maintaining users across databases
- Enable self-service for user management
  - Lost passwords retrieved by end users
- Security with usability
  - SSL and Kerberos with ease of administration

Database Security for Directory Users (diagram slide)
- Apps may rely on database roles alone, or on enterprise roles in the directory
- Single Sign-On users and enterprise users are unified in OID
- Applications can enforce VPD policies and Label Security
- Audit records are kept for directory users
- Diagram: Jane (Surgeon), Nurse and Apps_User connect to Oracle databases; users, Label Security policies and user privileges are managed in OID

Ongoing User Administration (diagram slide): define a group in OID, list group access, add user to group

Directory Users for Legacy Apps: Strategies to get more for less

Where to begin?
- Understand the application user model
- Understand the access control model
- Understand the security policies
- Decide on the new user model
- Strategy
  - Centralize users first
  - Centralize roles second

Application User Model - 1
- Every application user is a database user
- Application uses the database's authentication and authorization capability
- Every user has an "exclusive" schema
- Where are the application objects?

Best Practice - 1
- Usually, app objects are in an app schema
  - Move the database users to the directory
  - Map the users to a shared schema
- Consider using enterprise roles
  - If the app relies entirely on database roles

Application User Model - 2
- Application user is a database user, but
  - Some objects are shared and others are owned by each user
- Application relies on database roles for access control enforcement

Best Practice - 2
- Move the database users to the directory
  - Each user has an exclusive schema
- Consider using Virtual Private Database
  - Eliminate exclusive schemas; use a shared schema

User Management for Models 1 & 2 (diagram slide)
- Client-server app: Jane logs into the database; one database connection is established
- Apps may rely on database roles or enterprise roles
- Database users are transformed into enterprise users, either mapped to a shared schema or keeping an exclusive schema (the diagram shows APP_SCHEMA and Guest_Schema in the Oracle DB)
- The database looks up the user's credentials in OID and gets all enterprise roles assigned to the user
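The database side of Best Practices 1 and 2, as an added example that is not part of the presentation: a shared schema for directory users, an exclusive schema tied to one directory entry, global roles that enterprise roles map onto, and a VPD policy that lets a shared schema replace per-user exclusive schemas. Assumed names are APP_OWNER (the schema holding the application objects), APP_SCHEMA, JANE, the roles CLERK and AUDITOR, and the directory suffix dc=example,dc=com. The enterprise users, the user-to-schema mappings and the enterprise roles themselves are administered in Oracle Internet Directory, not in SQL.

```sql
-- Added example (not the presentation's own code). Assumes APP_OWNER exists
-- and owns the application objects; all directory names are placeholders.

-- Best Practice 1: one shared schema for every directory user of the app.
-- IDENTIFIED GLOBALLY AS '' (empty DN) marks the schema as shared; the
-- mapping in OID decides which enterprise users land in it. It needs nothing
-- beyond CREATE SESSION, because object privileges arrive through roles.
CREATE USER app_schema IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO app_schema;

-- Best Practice 2 (some objects are per-user): an exclusive schema is bound
-- to exactly one directory entry, the user's DN.
CREATE USER jane IDENTIFIED GLOBALLY AS 'cn=jane,cn=users,dc=example,dc=com';
GRANT CREATE SESSION TO jane;

-- Global roles replace locally granted database roles. The database cannot
-- grant them to users directly; an enterprise role in the directory is mapped
-- to them and the database enables them at logon for that user.
CREATE ROLE clerk   IDENTIFIED GLOBALLY;
CREATE ROLE auditor IDENTIFIED GLOBALLY;
GRANT SELECT, INSERT, UPDATE ON app_owner.orders TO clerk;
GRANT SELECT ON app_owner.orders TO auditor;

-- Best Practice 2 alternative: keep everyone in the shared schema and let VPD
-- hand each user only their own rows. In a shared schema SESSION_USER is
-- APP_SCHEMA for everybody, so ownership is keyed on EXTERNAL_NAME, which
-- carries the enterprise user's directory DN.
CREATE TABLE app_owner.notes (
  owner_dn VARCHAR2(256) DEFAULT SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') NOT NULL,
  note     VARCHAR2(4000)
);

-- Policy function: returns the predicate VPD appends to every statement
-- against NOTES (the two arguments are required by DBMS_RLS, unused here).
CREATE OR REPLACE FUNCTION app_owner.notes_owner_policy (
  schema_name IN VARCHAR2, object_name IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  RETURN 'owner_dn = SYS_CONTEXT(''USERENV'', ''EXTERNAL_NAME'')';
END;
/

-- Attach the policy; update_check => TRUE also stops a user from inserting or
-- updating a row into somebody else's ownership.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'NOTES',
    policy_name     => 'NOTES_OWNER',
    function_schema => 'APP_OWNER',
    policy_function => 'NOTES_OWNER_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/
```

A quick check after deployment is to connect as two different directory users mapped to APP_SCHEMA, insert a row as each, and confirm that `SELECT * FROM app_owner.notes` returns only the caller's row while `SYS_CONTEXT('USERENV', 'SESSION_USER')` reports APP_SCHEMA for both.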
Application User Model - 3
- Every application user is a database user
- Application has its own access control module
  - Application may use a pre-seeded "App User"
  - Home-grown audit module
  - Direct access to database objects restricted by PUP (Product User Profile)

Best Practice - 3
- Cost-effective to map users to a shared schema
- Consider replacing the home-grown admin module using enterprise roles / database global roles

User Management - 3 (diagram slide)
- Database users are transformed into enterprise users, mapped to the shared schema APP_SCHEMA
- Apps_User proxies directory users: Jane and Jill connect through Apps_User, and OID holds the users and their roles
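The proxy arrangement from the User Management - 3 picture and the speaker notes, as an added example that is not part of the presentation. Assumed names: APPS_USER is the account the middle tier always connects as, APP_SCHEMA is the shared schema that directory users are mapped to in OID, JANE is a directory user with an exclusive schema, and APP_OWNER.PATIENT is the sensitive table. The example also shows the session attributes and audit-trail columns that keep the real user visible behind the proxy, which is the accountability point the "Integrated Enterprise User Security" slide makes.

```sql
-- Added example (not the presentation's own code). APP_SCHEMA and JANE are
-- assumed to exist as enterprise users; the password is a placeholder.

-- The middle-tier account holds no application privileges of its own.
CREATE USER apps_user IDENTIFIED BY "placeholder-change-me";
GRANT CREATE SESSION TO apps_user;

-- Allow APPS_USER to open proxy sessions for the shared schema and for
-- Jane's exclusive schema. A proxy session runs with the target user's
-- privileges and, for enterprise users, the roles fetched from OID at logon,
-- never with APPS_USER's own privileges.
ALTER USER app_schema GRANT CONNECT THROUGH apps_user;
ALTER USER jane       GRANT CONNECT THROUGH apps_user;

-- Statement auditing scoped to proxy sessions: record table reads and
-- updates that APPS_USER performs on behalf of any user, one record per
-- statement (BY ACCESS) so individual actions stay attributable.
AUDIT SELECT TABLE, UPDATE TABLE BY apps_user ON BEHALF OF ANY BY ACCESS;

-- Inside a proxy session the application (or a VPD/OLS policy) can see all
-- three identities: who connected (PROXY_USER), which database user the
-- session runs as (SESSION_USER), and the enterprise user's directory
-- identity (EXTERNAL_NAME holds the DN, GLOBAL_UID the OID global UID).
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')    AS proxy_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER')  AS sess_user,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') AS enterprise_user_dn,
       SYS_CONTEXT('USERENV', 'GLOBAL_UID')    AS global_uid
  FROM dual;

-- Review: audit records written from proxy sessions carry the proxy's
-- session id and the enterprise user's global UID, so the chain
-- "APPS_USER acting for this directory user" can be reconstructed.
SELECT timestamp, username, proxy_sessionid, global_uid, action_name, obj_name
  FROM dba_audit_trail
 WHERE proxy_sessionid IS NOT NULL
 ORDER BY timestamp;
```

The middle tier opens the proxy session itself (for example via `OracleConnection.openProxySession` in Oracle JDBC, passing the target user name, DN or certificate); only the grants above have to be in place in the database. Revoking `CONNECT THROUGH` for a schema is the single switch that stops the application from acting for that user.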
Application User Model - 4
- Application has a robust user management module
- Application uses application context to track users
- How can these users leverage an enterprise directory?

Best Practice - 4
- Integrate with AS Single Sign-On
  - Provisioning of users handled automatically by HR
  - Password management policies of Oracle Internet Directory enforced
  - Eases integration with other applications in the enterprise
- Second stage: delegate access control to DB/OID

Oracle 10g

Kerberized Enterprise Users
- Directory users
  - Use Kerberos credentials to authenticate to the Oracle Database
- Benefits
  - End-to-end security with desktop sign-on
  - Virtually no administrative cost
  - Centralized administration in a heterogeneous environment

Integrated Enterprise User Security
- Identity Management infrastructure
  - Unified user model (one password)
- Simplified configuration
  - Provides an alternate secure channel for database-to-directory communication
- Benefits
  - Easy, low-cost administration of users
  - Identity flows end-to-end, aiding accountability
  - Database security for web application users
  - Rapid prototyping

Security and Identity Management for GRID
- Central provisioning of users for database services
- Apply database security features for GRID users
- Central administration of security policies for GRID users

Security with Usability … a scenario (diagram slide)
- A new employee is provisioned in Microsoft Active Directory (ADS); the AD connector synchronizes the entry into Oracle Internet Directory
- The employee signs on to a Unix or Windows desktop and obtains a Kerberos TGT from the KDC (MIT Kerberos v5 or the Microsoft KDC)
- The Surgeon uses that sign-on to reach the Patient Care and Patient Profile applications

Oracle Label Security, OID Integration
- Centrally administer
  - Oracle Label Security policies
  - Sensitivity labels
  - User label authorizations
- Benefit
  - Label authorizations enforced for directory users
  - Enforce uniform policies centrally
    - Aids GRID computing
  - Eases administration

Summary: Increase Returns on Investment
- Lower administrative costs
- Simplify the user experience
  - Password resets, single password
- Strong authentication alternatives
  - SSL, Kerberos
- Assist audit compliance
- Integrate with database security
  - Oracle Label Security, Virtual Private Database

Q & A: Questions and Answers

Next Steps…
- Recommended sessions
  - Securing J2EE Applications with Oracle Identity Management
  - Planning your Identity Management Deployment (40207)
  - Oracle and Thor: Identity Management Provisioning (40017)
- Recommended demos and/or hands-on labs
  - Security and Identity Management Demo Pods
  - Oracle Security Command Center - Booth 1736
- See Your Business in Our Software
  - Visit the DEMOgrounds for a customized architectural review, see a customized demo with Solutions Factory, or receive a personalized proposal.