CON8813: Securing Privileged Accounts with an Integrated IDM Solution (final)


Olaf Stullich & Mike Laramie's OOW2013 presentation


  1. Title slide. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
  2. Securing Privileged Accounts with an Integrated IDM Solution. Olaf Stullich, Product Manager, Oracle; Mike Laramie, Oracle Cloud for Industry Architecture Team.
  3. Safe Harbor Statement. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  4. Program Agenda: Introduction; What is Oracle Privileged Account Manager?; OPAM integration with Oracle Identity Governance and Database Security; Use case: Oracle Cloud for Industry and OPAM; Demo.
  5. Introduction.
  6. What do these two have in common? Privileged account access; excessive access privileges; shared accounts that are difficult to monitor across multiple administrators.
  7. IDM: Overcome Threats and Regulations to Unlock Opportunities. Threats: increased online threat; costly insider fraud. Compliance: tougher regulations; greater focus on risk; stronger governance. Opportunities: social media; cloud computing; mobile access. Figures cited from the 2011 Data Breach Investigations Report: 76% of data stolen from servers; 86% of hacking involved stolen credentials; 48% caused by insiders; 17% involved privilege misuse.
  8. Managing Privileged Access Is Not Well Defined. Scale: manual solutions don't scale (like managing privileged access via spreadsheets). Risk: using default system passwords is prone to risk. Cost: deploying point solutions can increase integration costs.
  9. Two Big Management Problems: identifying privileged accounts; tracking privileged accounts.
  10. The Right Approach Is Self-Reinforcing: a cycle of Access Request, Auto-Provisioning, Reporting & Certification, and Remediation. Visibility across complete user access is key.
  11. Privileged Account Management, a Platform Approach: shared connectors; centralized policies; workflow integration; common reporting. Goals: reduce risk, improve compliance.
  12. What is Oracle Privileged Account Manager?
  13. Oracle Fusion Middleware, Business Innovation Platform for the Enterprise and Cloud: complete and integrated; best-in-class; open standards; on-premise and cloud; foundation for Oracle Fusion Applications and Oracle Cloud. Areas: Web, Social, Mobile; User Engagement; Business Process Management; Content Management; Service Integration; Business Intelligence; Data Integration; Identity Management; Development Tools; Cloud Application Foundation; Enterprise Management.
  14. Identity Management, Securing the Social Enterprise. Simplified Identity Governance: access request portal with catalog and shopping-cart UI; in-product, durable customization of UIs, forms and workflows; privileged account management that leverages identity connectors, workflows and audit. Complete Access Management: integrated SSO, federation, API management, token management, granular authorization; mobile application security with SSO, device fingerprinting and step-up authentication; social identity login from popular social media sites; REST, OAuth, XACML. Directories that Scale: OUD optimized on T4 hardware, delivering a 3x performance gain and 15% of set-up time.
  15. Privileged Account Manager: Definition of Terms.
      Privileged Account: a "human"-accessible account with elevated permissions (root for UNIX or Linux, SYS for a database).
      Service Account: some customers use the term for application accounts; most use it for privileged accounts. OPAM uses "service accounts" in the connector configuration.
      End User: an administrator who accesses OPAM to check out an account.
      Administrator: the OPAM server administrator.
      Application Accounts: accounts used by applications (and stored in those applications) to access, e.g., a database.
      Target: a system on which OPAM manages account access.
  16. Privileged Account Manager, Overview of Product Capabilities. Secure password vault to centrally manage passwords for privileged accounts: OPAM stores the vault in an Oracle Database EE instance (limited-use license) and uses Transparent Data Encryption (TDE) to encrypt the passwords. Session Management and Auditing: session control without revealing a privileged account password; session history and searchable session recording. Extensible Framework: Java-based, for customized solutions. Audit Reporting: customizable audit reports through BI Publisher; real-time status via the OPAM dashboard (charts, tables, etc.).
  17. Privileged Account Manager, Overview of Product Capabilities (continued). Integrated with the Identity Governance Platform: shared connectors and workflow integration with OIM; centralized policy management via OIM and OIA. Using out-of-the-box connectors, OPAM targets can be configured for databases, operating systems, LDAP directories, and Oracle FMW applications. Policy-based access to privileged accounts via "grants": grants are represented as OPAM Usage Policies; a grant controls if and when a given administrator has access to a privileged account; grants are typically assigned through LDAP group membership in the identity store. Flexible password policies that mirror corporate password standards.
  18. Supported Clients / Targets: generic UNIX systems; generic database servers (the slide shows MS SQL Server and Sybase 15); generic LDAP directories.
  19. Typical OPAM Use-Case. Joe, a database and Unix admin, requests the SYSTEM password for the HR App Database from OPAM. OPAM verifies against the LDAP server that Joe is in the "HR DBA" role and returns the SYSTEM password. Joe logs in as SYSTEM and adds a table; the system runs out of space. Joe requests the root password for the Unix server, OPAM returns it, and Joe logs in as root and adds disk space. Joe then checks both passwords back in: OPAM sets a new SYSTEM password for the HR App Database according to that database's password policy, and a new root password for the Unix server according to that server's password policy.
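The check-out / check-in cycle on the use-case slide and the "grant" model from the capabilities slide (access decided by LDAP group membership, a new password set on check-in) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Oracle's OPAM code and does not use the OPAM API. The target names, the "HR DBA" and "Unix Admins" groups, the users, the password policy (reduced to a length) and the in-memory LDAP group table are all constructed for the example.

```python
"""Added example (not Oracle's OPAM code): a minimal model of the check-out /
check-in cycle on the use-case slide and of 'grants' as LDAP-group-based usage
policies. Target names, groups, policy values and the in-memory LDAP data are
constructed for the example."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Target:
    name: str
    account: str              # privileged account on the target, e.g. SYSTEM or root
    password_length: int      # per-target password policy, reduced to a length here
    password: Optional[str] = None
    last_rotated: Optional[datetime] = None


@dataclass
class UsagePolicy:
    """A grant: the LDAP group whose members may check out a target's account."""
    target: str
    required_group: str


class PrivilegedVault:
    def __init__(self, targets: List[Target], policies: List[UsagePolicy],
                 ldap_groups: Dict[str, Set[str]]) -> None:
        self.targets = {t.name: t for t in targets}
        self.policies = {p.target: p for p in policies}
        self.ldap_groups = ldap_groups             # user -> groups (stand-in for the identity store)
        self.checked_out: Dict[str, str] = {}      # target -> user currently holding it
        self.audit: List[dict] = []
        # Replace every initial (vendor-supplied) password on enrolment so each
        # target gets its own unique value.
        for t in self.targets.values():
            self._rotate(t)

    def _log(self, action: str, user: str, target: str, **extra) -> None:
        self.audit.append({"when": datetime.now(timezone.utc).isoformat(),
                           "action": action, "user": user, "target": target, **extra})

    def _rotate(self, target: Target) -> None:
        alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
        target.password = "".join(secrets.choice(alphabet) for _ in range(target.password_length))
        target.last_rotated = datetime.now(timezone.utc)
        self._log("rotate", "opam", target.name)

    def has_grant(self, user: str, target_name: str) -> bool:
        policy = self.policies.get(target_name)
        return policy is not None and policy.required_group in self.ldap_groups.get(user, set())

    def checkout(self, user: str, target_name: str) -> str:
        if target_name not in self.targets:
            raise KeyError(f"unknown target {target_name}")
        if not self.has_grant(user, target_name):
            self._log("checkout-denied", user, target_name, reason="no grant")
            raise PermissionError(f"{user} has no grant for {target_name}")
        holder = self.checked_out.get(target_name)
        if holder is not None:
            self._log("checkout-denied", user, target_name, reason=f"held by {holder}")
            raise RuntimeError(f"{target_name} is already checked out by {holder}")
        self.checked_out[target_name] = user
        self._log("checkout", user, target_name)
        return self.targets[target_name].password

    def checkin(self, user: str, target_name: str) -> None:
        if self.checked_out.get(target_name) != user:
            raise RuntimeError(f"{target_name} is not checked out by {user}")
        del self.checked_out[target_name]
        self._log("checkin", user, target_name)
        # Rotate on check-in so the value the admin saw stops working immediately.
        self._rotate(self.targets[target_name])


def build_demo_vault() -> PrivilegedVault:
    targets = [Target("hr-app-db", "SYSTEM", 16), Target("unix-server-1", "root", 20)]
    policies = [UsagePolicy("hr-app-db", "HR DBA"), UsagePolicy("unix-server-1", "Unix Admins")]
    ldap = {"joe": {"HR DBA", "Unix Admins"}, "alice": {"HR Analysts"}}   # constructed
    return PrivilegedVault(targets, policies, ldap)


def run_joe_scenario() -> dict:
    """Replays the slide: Joe checks out SYSTEM and root, works, then checks both in."""
    vault = build_demo_vault()
    system_pw = vault.checkout("joe", "hr-app-db")      # adds the table, runs out of space
    root_pw = vault.checkout("joe", "unix-server-1")    # adds disk space
    vault.checkin("joe", "hr-app-db")
    vault.checkin("joe", "unix-server-1")
    return {"system_rotated": vault.targets["hr-app-db"].password != system_pw,
            "root_rotated": vault.targets["unix-server-1"].password != root_pw,
            "actions": [e["action"] for e in vault.audit]}


if __name__ == "__main__":
    print(run_joe_scenario())
```

Two points the model makes concrete: the grant check is a pure function of the identity store (so provisioning a user into or out of the LDAP group is what grants or revokes access, matching the OIM integration described later in the deck), and every denied or successful check-out and every rotation lands in the audit list, which is what the reporting on the later slides is built from.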
  20. OPAM Integration with Oracle Identity Governance and Database Security.
  21. OPAM and OIM, a Complete Governance Platform: Request for Privileged Account Access. Leverage OIM policy/role-based provisioning; a system admin may be provisioned into specific LDAP groups that OPAM uses for privileged account access; workflow and approval are followed as defined.
  22. OPAM and OIM, a Complete Governance Platform: Request for Privileged Account Access (continued). OIM publishes privileged account entitlements in the request catalog; an admin user uses access-request self-service, searches the catalog, picks the privileged accounts he needs and submits the request for approval; the request kicks off workflow and approval as defined; after approval the user is provisioned with the group membership; the user can then access OPAM for privileged password check-out and check-in.
  23. OPAM and OIM, a Complete Governance Platform: Risk-Based Certification. Through the existing OIM-OIA integration and the OIM-OPAM integration, privileged access information is made available to OIA for certification; risk can be calculated from the privilege status and other data such as the provisioning method; if an access violation is found, it can be revoked through OIM-OIA closed-loop remediation.
  24. Use Case: Oracle Cloud for Industry and OPAM.
  25. Oracle Cloud for Industry Overview. What is OCI? An internal provider of cloud-based IaaS and PaaS services available to Oracle Global Business Units (GBUs) for packaging Oracle Industry Solutions for end customers, e.g., Financial Services, Healthcare, Retail (http://www.oracle.com/us/industries/index.html).
  26. Oracle Cloud for Industry Problems. Disparate privileged account practices between multiple operational roles (password vault utilities, spreadsheets); minimal auditing/reporting on privileged account usage; difficulty of access ("Which vault is that stored in?"); additional requirements driven by regulatory compliance (PCI, HIPAA/HITECH).
  27. Oracle Cloud for Industry Solution. Implement a password solution that is easy to use, supports privileged accounts from multiple teams with differing requirements, and is reliable, secure, auditable, and meets or exceeds regulatory compliance. Solution: OPAM.
  28. Oracle Cloud for Industry, OCI & OPAM. How did OPAM help? Role-based access to privileged accounts (LDAP group membership determines which privileged accounts users can access); convenient, accessible BUI; automated reporting of privileged account access and usage; centralized, secure repository; automated password management; unique passwords for each system.
  29. Oracle Cloud for Industry, PCI & OPAM. How did OPAM help with PCI compliance? Addressed PCI DSS 2.0 requirements: 2.1, "Always change vendor supplied passwords before installing a system…"; 8.5.8, "Do not use group, shared, or generic accounts and passwords…"; 8.5.9, "Change user passwords at least every 90 days."
  30. Oracle Cloud for Industry, OPAM Flexibility. Customized scripts for password-aging reporting, required for 8.5.9: wrote a custom script to retrieve data from OPAM and email admins as necessary; an RFE was submitted to include the functionality in a future release's BUI. Daily reports of check-in/check-out activity, currently done through BI Publisher and emailed to the security team nightly; on-demand reporting will be in a future release.
  31. Case Study Overview, Solution. Securely stores local privileged account information in a central location; access to accounts is limited by LDAP group membership (RBAC); reportable audit trail on account usage.
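The password-aging report the OCI team describes on the "OPAM Flexibility" slide (retrieve the data, flag accounts approaching or past the 90-day ceiling of PCI DSS 8.5.9, email the admins) is the kind of check that can be written against any export of last-rotation timestamps. The block below is an added example for this page, not the team's script and not an OPAM API call: the account records are constructed, the 10-day warning window is an assumed policy, and the message is composed but not sent so the example runs offline.

```python
"""Added example (not the OCI team's script): a password-aging check for
PCI DSS 2.0 requirement 8.5.9 (rotate at least every 90 days) over records of
when a vault last set each privileged password. The records, addresses and
the warning window are constructed/assumed for the example."""
from datetime import datetime, timezone
from email.message import EmailMessage
from typing import Dict, List, Optional

MAX_AGE_DAYS = 90        # PCI DSS 8.5.9 ceiling
WARN_BEFORE_DAYS = 10    # assumed local policy: warn this many days before the ceiling

# Constructed sample of vault records: target, account, when the password was last set.
SAMPLE_ACCOUNTS = [
    {"target": "hr-app-db", "account": "SYSTEM", "last_rotated": "2013-09-20T10:00:00+00:00"},
    {"target": "unix-server-1", "account": "root", "last_rotated": "2013-06-15T08:30:00+00:00"},
    {"target": "ldap-1", "account": "cn=Directory Manager", "last_rotated": "2013-07-05T12:00:00+00:00"},
    {"target": "legacy-db", "account": "sa", "last_rotated": None},   # never rotated by the vault
]


def classify(records: List[dict], now: datetime) -> Dict[str, List[dict]]:
    """Bucket accounts into ok / warning / overdue by the age of the last rotation.
    A missing timestamp is treated as overdue: an unknown age cannot satisfy 8.5.9."""
    report: Dict[str, List[dict]] = {"ok": [], "warning": [], "overdue": []}
    for rec in records:
        stamp = rec["last_rotated"]
        age: Optional[int] = None if stamp is None else (now - datetime.fromisoformat(stamp)).days
        entry = {**rec, "age_days": age}
        if age is None or age >= MAX_AGE_DAYS:
            report["overdue"].append(entry)
        elif age >= MAX_AGE_DAYS - WARN_BEFORE_DAYS:
            report["warning"].append(entry)
        else:
            report["ok"].append(entry)
    return report


def build_notice(report: Dict[str, List[dict]], sender: str, recipients: List[str]) -> EmailMessage:
    """Compose (but do not send) the notification mail to the admins."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = (f"OPAM password aging: {len(report['overdue'])} overdue, "
                      f"{len(report['warning'])} due soon")
    lines = []
    for bucket in ("overdue", "warning"):
        for e in report[bucket]:
            age = "never rotated" if e["age_days"] is None else f"{e['age_days']} days"
            lines.append(f"[{bucket.upper()}] {e['account']}@{e['target']}: {age}")
    msg.set_content("\n".join(lines) or "All privileged passwords are within policy.")
    return msg


def run_report(as_of: Optional[str] = None):
    """Classify SAMPLE_ACCOUNTS as of an ISO-8601 instant (default: now) and build the mail."""
    now = datetime.fromisoformat(as_of) if as_of else datetime.now(timezone.utc)
    report = classify(SAMPLE_ACCOUNTS, now)
    return report, build_notice(report, "opam@example.com", ["security-team@example.com"])


if __name__ == "__main__":
    _, notice = run_report("2013-09-25T00:00:00+00:00")
    print(notice)
```

Run nightly from a scheduler, the same classify/notice pair gives the "email admins as necessary" behaviour the slide describes; the only piece to replace is SAMPLE_ACCOUNTS with the real export.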
  32. Oracle Privileged Account Manager in Action.
  33. Oracle Privileged Account Manager in Action, Demo Overview. How the OPAM "lockbox" is used by Oracle Cloud for Industry; how OPAM Session Management and Auditing enhances the "lockbox" concept to provide additional compliance data; how to extend OPAM operations to enable emergency access; how emergency access can be integrated with physical access security using the Lockitron lock.
  34. Summary.
  35. OPAM Benefits. Enforce internal security policies and eliminate potential security threats from privileged users; cost-effectively enforce and attest to regulatory requirements; reduce IT costs through efficient self-service and a common security infrastructure; real-time usage reports; customizable audit reports with BI Publisher.
  36. Demo Pods (Moscone South): Oracle Identity Governance Suite: Managing Privileged Accounts from Your Identity Platform; Oracle Identity Governance Suite: Complete Identity Lifecycle Management; Identity Management Monitoring with Oracle Enterprise Manager.
  37. Sessions not to miss (session; title and speaker; time; room):
      CON8823: Access Management for the Internet of Things, Kanishk Mahajan, Oracle; Wednesday 09/25, 5:00PM; Moscone West, Room 2018
      CON8826: Zero Capital Investment by leveraging Identity Management as a Service, Mike Neuenschwander, Oracle; Thursday 09/26, 3:30PM; Moscone West, Room 2018
      CON8902: Developing Secure Mobile Applications, Mark Wilcox, Oracle; Thursday 09/26, 2:00PM; Marriott Marquis, Golden Gate C3
      CON8836: Leveraging the Cloud to simplify your Identity Management implementation, Guru Shashikumar, Oracle; Thursday 09/26, 11:00AM; Moscone West, Room 2018
      CON4342: Identity Services in the New GM IT, GM; Thursday 09/26, 12:30PM; Moscone West, Room 2018
      CON9024: Next Generation Optimized Directory: Oracle Unified Directory, Etienne Remillon, Oracle; Thursday 09/26, 2:00PM; Moscone West, Room 2018
  38. Join the Oracle Community: Twitter twitter.com/OracleIDM; Facebook facebook.com/OracleIDM; Oracle Blogs blogs.oracle.com/OracleIDM; Oracle.com/Identity
