Centralized Database User Management Using Active Directory (RainFocus slide transcript, 54 pages)

Posted 08-Jun-2020

TRANSCRIPT

Page 1

Page 2

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Centralized Database User Management Using Active Directory (CON6574)

Alan Williams, Product Management, Oracle Database Security, October 2017

Presented with

Page 3

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4

Centrally Managed Users – Agenda

1. Customer Requirements by Epsilon
2. Oracle Database Authentication and Authorization
3. Enterprise User Security (EUS) and Directory Services
4. New – Centrally Managed Users (CMU)
5. Comparison Between EUS and CMU

Page 5

Oracle Database Integration with Active Directory Requirements

• Keith Wilcox – Vice President Database Administration, Epsilon

Page 6

Copyright © 2017 Epsilon Data Management, LLC. All rights reserved.

We are marketing pioneers helping our clients grow

Page 7

We fuse data, technology, creative and media to connect with your customers in the moments that matter and get the results our clients need

Page 8

We deliver personalized connections, build loyalty and drive business for brands around the world

Data: Know each of your customers on a meaningful level with Agility Audience, our premier solution offering unrivaled customer information, data resources and tools.

Loyalty: Create a one-of-a-kind loyalty program and grow long-lasting customer relationships with Agility Loyalty® and our full suite of loyalty capabilities and services.

Digital Messaging: Orchestrate personalized conversations, taking your marketing where it needs to go with Agility Harmony®, the first platform built to be omnichannel from the ground up.

Media Reach: Optimize your media mix with the customer data, marketing technology and channels expertise that Epsilon and Conversant provide. We deliver personalized content that gets results.

Page 9

Delivering globally with a local focus

• 8,000 associates globally
• 70+ offices
• 4,000+ marketing databases managed
• 1.5B individual records
• 278M+ device IDs
• 53B+ email messages per year
• 50B+ bid requests per day
• 600M+ memberships managed

Page 10

Password Authenticated Users

Works well with few databases.

Diagram: Client A Prod, Client A UAT, Client A Test and Client A Dev databases.

Starts getting more complicated as more databases are added.

Page 11

Password Authenticated Users

When multiple clients are added, password management can really become burdensome.

Diagram: Client A and Client B each with Prod, UAT, Test and Dev databases; the user's thought bubble reads "Hmm, password for Client B UAT?"

Page 12

Password Authenticated Users

Some challenges with password authentication:

• Passwords potentially different across databases
• User confusion
• Requests to the DBA/Security team for password resets
• Need to have a process for terminated users (terminated users could potentially still log in to the database, notwithstanding other network measures)
• Effort of changing passwords (200 users × 2000 databases × 4 times yearly = 1.6 million potential password change events yearly)
• Audit challenges
• Ensure the password validate function is in place across all databases
• Profile settings consistent and enforced on all databases

Page 13

Conclusion

We need centralized password management included as part of the database, and Active Directory is the corporate standard!!!

Page 14

Need For Active Directory Integration

Centralized authentication & centralized authorization

Diagram: Microsoft Active Directory user Corp/kwilcox, a member of groups DBAGroup, ClientA_DBA and ClientB_DBA, maps to database role DBA_Role in the Client A Oracle database; AD user Corp/bsa1, a member of ClientA_BSA, ClientB_BSA and ClientC_BSA, maps to BSA_Role.

Page 15

Observation

Once you connect to Active Directory, why not take advantage of the additional information it holds (groups) and map those to roles in the database, providing centralized management of roles?

Page 16

Centrally Managed Users

• Alan Williams – Oracle Database Security – Product Management

Page 17

Centrally Managed Users

Diagram: Oracle Database authenticates users with Password / Kerberos / PKI; CMU connects the database to Active Directory, while EUS connects it to Oracle Directory Services.

Future

Page 18

Centrally Managed Users – Agenda (as on page 4)

Page 19

Oracle Database Authentication and Authorization

Method | Authentication | Authorization
Password | Password verifier | Database Built-In (privileges and roles)
Kerberos | Kerberos ticket | Database Built-In
PKI Certificate | PKI certificate | Database Built-In
Operating system | Operating system | OS Groups, Database Built-In
RADIUS | RADIUS | RADIUS, Database Built-In
Enterprise User Security – directory services | Password, Kerberos, certificate | Directory sub-tree, enterprise roles, Database Built-In

Page 20

Oracle Database Authentication and Authorization (same table as page 19)

Page 21

Current Active Directory Services Integration Using EUS

Diagram: Oracle Database connects through EUS to Oracle Directory Services, which in turn is integrated with Microsoft Active Directory.

Page 22

Enterprise User Security (EUS)

• Authentication
  – Password, Kerberos, PKI certificates
  – Enforce centralized directory account policies
• Authorization
  – Map DB user to directory user
  – Map shared DB schema to directory sub-tree
  – Support administrative users
• Enterprise Domains
  – Enterprise Roles
  – Current User trusted DB link
  – Integrated with Oracle Label Security and XDB
  – Consolidated reporting and management of data access

Page 23

Current Integration Challenges with Active Directory

• Extra architecture elements to design and implement
• Multiple components to configure and maintain
• Complexity and cost deter customers from integrating with AD

Page 24

Centrally Managed Users – Agenda (as on page 4)

Page 25

Centrally Managed Users Concept

Diagram: Oracle Database Release 18c Enterprise Edition connected directly to Microsoft Active Directory.

Future

Page 26

Centrally Managed Users – Authentication

Diagram: Oracle Database authenticates users against Microsoft Active Directory with Password, Kerberos or PKI Certificate.

Future

Page 27

Centrally Managed Users – Authentication

• Kerberos
  – AD includes a Kerberos Key Distribution Center (KDC)
• PKI certificates
  – AD verifies the client DN
  – May act as Certificate Authority (CA)
• Password
  – AD stores user database password verifiers

Future

Page 28

Centrally Managed Users – Oracle Password Filter

Diagram: the Oracle database password filter installed in Microsoft Active Directory generates database verifiers.

• Oracle tool
  – Installs Oracle database password filter
  – Extends AD schema
• Oracle database password filter
  – Generates database user verifiers when user changes AD password
  – AD groups dictate which type of database user verifiers are generated

Future

Page 29

Supports Active Directory Account Policies

Diagram: Oracle Database honours the Microsoft Active Directory account policies.

• Password Policy
• Kerberos Policy
• Lockout Policy

Future

Page 30

Centrally Managed Users – Authorization

Diagram: Oracle Database users and groups mapped to Active Directory users and groups.

• Exclusive User Mapping
• Shared Schema Mapping
• Role Mapping
• Administrative Users

Future

Page 31

Centrally Managed Users – Authorization: 1:1 Exclusive Mapping

Diagram (Exclusive User Mapping): one Oracle database user maps to one Active Directory user.

Future

Page 32

Centrally Managed Users – Authorization: Shared Schema:Group

Diagram (Shared Schema Mapping): an Oracle database shared schema maps to an Active Directory group.

Future

Page 33

Centrally Managed Users – Authorization: Role:Group Mapping

Diagram (Role Mapping): an Oracle database global role maps to an Active Directory group.

Future

Page 34

Centrally Managed Users – Authorization: Administrative Users

Diagram: a database administrator with a granted privilege (e.g. SYSOPER) is either an exclusive global user mapped to an Active Directory user or a shared schema mapped to an Active Directory group.

Future

Page 35

Authorization using Active Directory Groups and DB Roles

Directory – Domain (dc=examplecorp, dc=com), cn=Users:
  Users: Susan, Diana, Jennifer
  Groups: hr-rep {Susan, Diana, Jennifer}, hr-mgr {Susan}

Database:
  Global user HR_RUNTIME, mapped to AD group hr-rep:

CREATE USER HR_RUNTIME IDENTIFIED GLOBALLY AS 'cn=hr-rep,ou=hr,dc=examplecorp,dc=com';

  Global role HR_MGR, mapped to AD group hr-mgr:

CREATE ROLE HR_MGR IDENTIFIED GLOBALLY AS 'cn=hr-mgr,ou=hr,dc=examplecorp,dc=com';

Future
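The mappings on this slide carried through as an added SQL example (not the deck's own code): the hr-rep shared schema and hr-mgr global role from the slide, plus the exclusive 1:1 mapping and the administrative grant described on the preceding authorization slides, followed by the checks a DBA would run afterwards. The DN for Susan, the SUSAN_X and HR.EMPLOYEES names and the verification queries are assumptions; the database is assumed to be already configured for Centrally Managed Users against Active Directory.

```sql
-- Added example, not from the deck. Assumes Oracle Database 18c already
-- configured for Centrally Managed Users against Active Directory, and a
-- session holding CREATE USER, CREATE ROLE and GRANT privileges.

-- 1. Shared schema mapping: every member of AD group hr-rep (Susan, Diana and
--    Jennifer on the slide) logs in to the single database account HR_RUNTIME.
--    No database password exists for it; authentication happens in AD.
CREATE USER hr_runtime IDENTIFIED GLOBALLY AS
  'cn=hr-rep,ou=hr,dc=examplecorp,dc=com';
GRANT CREATE SESSION TO hr_runtime;

-- 2. Role mapping: global role HR_MGR is enabled only in sessions whose AD
--    identity belongs to hr-mgr (only Susan on the slide). The database keeps
--    no membership list of its own; group membership is evaluated at login.
CREATE ROLE hr_mgr IDENTIFIED GLOBALLY AS
  'cn=hr-mgr,ou=hr,dc=examplecorp,dc=com';
GRANT SELECT, UPDATE ON hr.employees TO hr_mgr;  -- hr.employees: assumed table

-- 3. Exclusive (1:1) user mapping: a dedicated schema for a single AD user.
--    The user DN below is an assumption; the slide does not show it.
CREATE USER susan_x IDENTIFIED GLOBALLY AS
  'cn=Susan,cn=Users,dc=examplecorp,dc=com';
GRANT CREATE SESSION TO susan_x;

-- 4. Administrative user: the administrative privilege named on the previous
--    slide (SYSOPER) granted to a globally identified user, so DBA access is
--    governed by the AD account and its password/lockout policies as well.
GRANT SYSOPER TO susan_x;

-- Checks afterwards.
-- Which accounts are directory-mapped, and to which AD entry:
SELECT username, authentication_type, external_name
  FROM dba_users
 WHERE authentication_type = 'GLOBAL';

-- Which roles are directory-mapped:
SELECT role, authentication_type
  FROM dba_roles
 WHERE authentication_type = 'GLOBAL';

-- Inside Susan's session through the shared schema: the schema is HR_RUNTIME,
-- the identity the audit trail should record is her AD DN, and HR_MGR is
-- among the enabled roles because she is a member of hr-mgr.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')        AS db_user,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') AS ad_identity
  FROM dual;
SELECT role FROM session_roles;
```

Diana and Jennifer get the same HR_RUNTIME schema but no HR_MGR role, which is the point of the role:group mapping: removing Susan from hr-mgr in AD revokes her manager access at her next login without touching any database.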

Page 36

Screenshot: DB Authentication and Authorization using AD – Example of Susan's Login (login as Susan with password)

Future

Pages 37–41 repeat the same screenshot.

Page 42

Connecting Oracle Database to Active Directory

Diagram: Oracle Database connects to the Active Directory Forest for Centrally Managed Users and for Net Naming Services.

Future

Page 43

Connecting Oracle Database to Active Directory

Diagram: as on page 42, with Oracle Directory Services added.

Future

Page 44

Centrally Managed Users – Agenda (as on page 4)

Page 45

Choosing between EUS and CMU

Features compared (columns EUS and CMU):

• Simplified Implementation
• Authentication: Password, Kerberos, PKI certificates; Enforce directory account policies
• Authorization: Role authorization; Administrative users; Shared DB schema mapping; Exclusive user mapping
• Enterprise Domains: Current User trusted DB link; Integrated with Oracle Label Security, XDB; Consolidated reporting and management of data access

Future

Page 46

Centrally Managed Users – Summary

• Simplified centralized directory services integration with less cost and complexity
  – Authentication in Active Directory for password, Kerberos and PKI
  – Map Active Directory Groups to shared database accounts and roles
  – Map database user to exclusive Active Directory user
  – Support Active Directory account policies
• No client update required
• Support all Oracle Database clients 10g and onwards
• EUS and Oracle Directory Services authentication and authorization work as before

Future

Page 47

Database Security at Oracle Open World 2017

Session | Title | Speaker | Location | Date & Time
CON6571 | Cybersecurity and Compliance in 2017: Database Security Is Business-Critical | Vipin Samar, SVP, Oracle | Moscone West - Room 3011 | Mon., 1:15-2:00 PM
CON6574 | NEW FEATURE! Centralized Database User Management Using Active Directory | Alan Williams, Oracle; Keith Wilcox, Epsilon | Moscone West - Room 3011 | Mon., 3:15-4:00 PM
CON6575 | NEW! Database Security Assessment Tool Discovers Top Security Risks | Pedro Lopes, Oracle | Moscone West - Room 3011 | Mon., 5:45-6:30 PM
CON6573 | Data Management and Security in the GDPR Era | Russ Lowenthal, Oracle; Franck Hourdin, Oracle; Mike Turner, Capgemini | Moscone West - Room 3011 | Tues., 3:45-4:30 PM
CON6580 | Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault | Saikat Saha, Oracle; Hamid Habet, Allianz | Moscone West - Room 3011 | Tues., 4:45-5:30 PM
CON6576 | Accelerate Your Compliance Program with Oracle Audit Vault and Database Firewall | Ram Subramanian, Symantec; Rohit Muttepawar, Symantec; George Csaba, Oracle | Moscone West - Room 3011 | Tues., 5:45-6:30 PM
CON6572 | Inside the Head of a Database Hacker | Mark Fallon, Oracle | Moscone West - Room 3014 | Wed., 11:00-11:45 AM
CON6618 | Sneak Preview: Oracle Data Security Cloud Service | Vikram Pesati, Oracle; Michael Mesaros, Oracle | Moscone West - Room 3011 | Wed., 2:00-2:45 PM

Page 48

Moscone West

Page 49

Visit Us in the Oracle Database Security Demo Grounds

Demo Booth Title | Featured Solutions
Authentication & Authorization | Centrally Managed Users, Database Vault, Real Application Security, Label Security
Encryption & Key Management | Transparent Data Encryption, Key Vault, Data Redaction
Auditing and Activity Monitoring | Database Auditing, Audit Vault and Database Firewall, Data Security Cloud Service - Auditing
Database Security for Application Developers | Database Security Assessment Tool, Data Masking and Subsetting, Data Discovery and Data Security Cloud Service - Masking

Page 50

Page 51

Connect With Us

http://oracle.com/database/security
http://oracle.com/technetwork/database/security
/OracleDatabase /OracleSecurity
blogs.oracle.com/SecurityInsideOut
Oracle Database Insider / Oracle Database Security
/Oracle Cloud

Page 52

Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 53

Page 54