Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
Centralized Database User Management Using Active Directory (CON6574)
Alan Williams, Product Management, Oracle Database Security, October 2017
Presented with
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Centrally Managed Users – Agenda
1. Customer Requirements by Epsilon
2. Oracle Database Authentication and Authorization
3. Enterprise User Security (EUS) and Directory Services
4. New – Centrally Managed Users (CMU)
5. Comparison Between EUS and CMU
• Keith Wilcox – Vice President Database Administration, Epsilon
Oracle Database Integration with Active Directory Requirements
Copyright © Epsilon 2017 Epsilon Data Management, LLC. All rights reserved.
We are marketing pioneers helping our clients grow
We fuse data, technology, creative and media to connect with your customers in the moments that matter and get the results our clients need
We deliver personalized connections, build loyalty and drive business for brands around the world
Data: Know each of your customers on a meaningful level with Agility Audience, our premier solution offering unrivaled customer information, data resources and tools.
Loyalty: Create a one-of-a-kind loyalty program and grow long-lasting customer relationships with Agility Loyalty® and our full suite of loyalty capabilities and services.
Digital Messaging: Orchestrate personalized conversations, taking your marketing where it needs to go with Agility Harmony®, the first platform built to be omnichannel from the ground up.
Media Reach: Optimize your media mix with the customer data, marketing technology and channels expertise that Epsilon and Conversant provide. We deliver personalized content that gets results.
Delivering globally with a local focus
8,000 associates globally
70+ offices
4,000+ marketing databases managed
1.5B individual records
278M+ device IDs
53B+ email messages per year
50B+ bid requests per day
600M+ memberships managed
Password Authenticated Users
Works well with few databases (diagram: Client A Prod, Client A UAT, Client A Test, Client A Dev).
Starts getting more complicated as more databases are added.
Password Authenticated Users
When multiple clients are added, the password management can really become burdensome (diagram: Client A Prod/UAT/Test/Dev and Client B Prod/UAT/Test/Dev, with the user wondering "Hmm, password for Client B UAT?").
Password Authenticated Users
Some challenges with password authentication
• Passwords potentially different across databases
• User confusion
• Requests to DBA/Security team for password resets
• Need to have a process for terminated users (terminated users could potentially still log in to the database notwithstanding other network measures)
• Effort of changing passwords (200 users * 2000 databases * 4x yearly = 1.6 million potential password change events yearly)
• Audit challenges
• Ensure the password validate function is in place across all databases
• Profile settings consistent and enforced on all databases
Conclusion
We need centralized password management included as part of the database, and Active Directory is the corporate standard!!!
Need For Active Directory Integration
Centralized authentication & centralized authorization
Diagram: Microsoft Active Directory user Corp/kwilcox, a member of the DBA Group (ClientA_DBA, ClientB_DBA), maps to the Oracle database role DBA_Role for Client A; user Corp/bsa1, a member of ClientA_BSA, ClientB_BSA and ClientC_BSA, maps to BSA_Role.
Observation
Once you connect to Active Directory, why not take advantage of additional information (groups) and map those to roles in the database to provide centralized management of roles?
• Alan Williams – Oracle Database Security – Product Management
Centrally Managed Users
Centrally Managed Users
Diagram (marked Future): the Oracle Database connects to Active Directory through CMU using password, Kerberos or PKI authentication, and to Oracle Directory Services through EUS.
Oracle Database Authentication and Authorization

Method                                        | Authentication                  | Authorization
Password                                      | Password verifier               | Database built-in (privileges and roles)
Kerberos                                      | Kerberos ticket                 | Database built-in
PKI certificate                               | PKI certificate                 | Database built-in
Operating system                              | Operating system                | OS groups, database built-in
RADIUS                                        | RADIUS                          | RADIUS, database built-in
Enterprise User Security – directory services | Password, Kerberos, certificate | Directory sub-tree, enterprise roles, database built-in
Current Active Directory Services Integration Using EUS
Diagram: Oracle Database – EUS – Oracle Directory Services – Microsoft Active Directory
Enterprise User Security (EUS)
• Authentication
– Password, Kerberos, PKI certificates
– Enforce centralized directory account policies
• Authorization
– Map DB user to directory user
– Map shared DB schema to directory sub-tree
– Support administrative users
• Enterprise Domains
– Enterprise Roles
– Current User trusted DB link
– Integrated with Oracle Label Security and XDB
– Consolidated reporting and management of data access
Current Integration Challenges with Active Directory
• Extra architecture elements to design and implement
• Multiple components to configure and maintain
• Complexity and cost deters customers from integrating with AD
Centrally Managed Users Concept
Diagram (marked Future): Oracle Database Release 18c Enterprise Edition connecting directly to Microsoft Active Directory.
Centrally Managed Users – Authentication
Diagram: Oracle Database authenticating against Microsoft Active Directory by password, Kerberos or PKI certificate.
Centrally Managed Users – Authentication
• Kerberos: AD includes the Kerberos Key Distribution Center (KDC)
• PKI certificates: AD verifies the client DN; AD may act as Certificate Authority (CA)
• Password: AD stores the users' database password verifiers
Centrally Managed Users – Oracle Password Filter
Diagram: the Oracle database password filter, installed in Microsoft Active Directory, generates database verifiers.
• Oracle tool
– Installs the Oracle database password filter
– Extends the AD schema
• Oracle database password filter
– Generates database user verifiers when the user changes the AD password
– AD groups dictate which type of database user verifiers are generated
Supports Active Directory Account Policies
Diagram: Oracle Database – Microsoft Active Directory
• Password Policy
• Kerberos Policy
• Lockout Policy
Centrally Managed Users – Authorization
Diagram: Oracle Database users and groups mapped to Active Directory users and groups.
• Exclusive User Mapping
• Shared Schema Mapping
• Role Mapping
• Administrative Users
Centrally Managed Users – Authorization: 1:1 Exclusive Mapping
Diagram: Exclusive User Mapping – one database user mapped to one Active Directory user.
Centrally Managed Users – Authorization: Shared Schema to Group
Diagram: Shared Schema Mapping – an Active Directory group mapped to a shared schema.
Centrally Managed Users – Authorization: Role to Group Mapping
Diagram: Role Mapping – an Active Directory group mapped to a global role.
Centrally Managed Users – Authorization: Administrative Users
Diagram: a database administrator with a granted privilege (e.g. SYSOPER) is mapped either as an exclusive global user to an Active Directory user, or through an Active Directory group to a shared schema.
Authorization using Active Directory Groups and DB Roles
Directory: domain (dc=examplecorp,dc=com); cn=Users contains Susan, Diana, Jennifer. Groups: hr-rep {Susan, Diana, Jennifer}, hr-mgr {Susan}.
Database:
CREATE USER HR_RUNTIME IDENTIFIED GLOBALLY AS 'cn=hr-rep,ou=hr,dc=examplecorp,dc=com';
Map: global user HR_RUNTIME to AD group hr-rep
CREATE ROLE HR_MGR IDENTIFIED GLOBALLY AS 'cn=hr-mgr,ou=hr,dc=examplecorp,dc=com';
Map: global role HR_MGR to AD group hr-mgr
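The HR scenario on this slide written out as the DDL a DBA would run, followed by two verification queries; this is an added example, not code from the slides. The hr-rep and hr-mgr group DNs are the slide's; the DN for Susan, the hr.employees table and the specific grants are assumptions.

```sql
-- Added example, not from the slides: the HR scenario above as the DDL run in
-- the database. The hr-rep and hr-mgr group DNs are the slide's; the Susan DN,
-- the hr.employees table and the grants below are assumed.

-- Shared schema mapping: any AD user who is a member of hr-rep (Susan, Diana,
-- Jennifer) connects as the single database account HR_RUNTIME.
CREATE USER hr_runtime IDENTIFIED GLOBALLY AS 'cn=hr-rep,ou=hr,dc=examplecorp,dc=com';
GRANT CREATE SESSION TO hr_runtime;            -- assumed baseline privilege

-- Role mapping: members of hr-mgr (only Susan) additionally hold HR_MGR.
-- A global role cannot be handed out with GRANT ... TO user; it is held only
-- through the directory mapping, so membership is reviewed in AD, not per DB.
CREATE ROLE hr_mgr IDENTIFIED GLOBALLY AS 'cn=hr-mgr,ou=hr,dc=examplecorp,dc=com';
GRANT SELECT ON hr.employees TO hr_mgr;        -- assumed privilege carried by the role

-- Exclusive (1:1) mapping: one database user bound to exactly one AD user,
-- used here for an administrative user as on the slides (DN assumed).
CREATE USER susan_dba IDENTIFIED GLOBALLY AS 'cn=Susan,cn=Users,dc=examplecorp,dc=com';
GRANT SYSOPER TO susan_dba;

-- Check 1: list the global accounts and roles and the directory DNs they map to.
SELECT username, external_name
  FROM dba_users
 WHERE authentication_type = 'GLOBAL';
SELECT role, authentication_type
  FROM dba_roles
 WHERE authentication_type = 'GLOBAL';

-- Check 2 (from a session opened through the shared schema): the database
-- user is HR_RUNTIME, but the directory identity is the actual AD user, which
-- is what audit trails and access reviews should key on.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')        AS db_user,
       SYS_CONTEXT('USERENV', 'ENTERPRISE_IDENTITY') AS ad_user
  FROM dual;
```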
Screenshot: DB Authentication and Authorization using AD
Example of Susan's login: login as Susan with password
Connecting Oracle Database to Active Directory
Diagram: Active Directory Forest, with Centrally Managed Users and Net Naming Services connecting the Oracle Database to it.
Diagram (second build): the same, with Oracle Directory Services shown alongside Net Naming Services.
Choosing between EUS and CMU
Capability rows compared across the EUS and CMU columns:
Simplified Implementation
Authentication: Password, Kerberos, PKI certificates; Enforce directory account policies
Authorization: Role authorization; Administrative users; Shared DB schema mapping; Exclusive user mapping
Enterprise Domains: Current User trusted DB link; Integrated with Oracle Label Security, XDB; Consolidated reporting and management of data access
Centrally Managed Users – Summary
• Simplified centralized directory services integration with less cost and complexity
– Authentication in Active Directory for password, Kerberos and PKI
– Map Active Directory groups to shared database accounts and roles
– Map database user to exclusive Active Directory user
– Support Active Directory account policies
• No client update required
• Supports all Oracle Database clients 10g and onwards
• EUS and Oracle Directory Services authentication and authorization work as before
Database Security at Oracle Open World 2017

Session | Title | Speaker | Location | Date & Time
CON6571 | Cybersecurity and Compliance in 2017: Database Security Is Business-Critical | Vipin Samar, SVP, Oracle | Moscone West - Room 3011 | Mon., 1:15-2:00 PM
CON6574 | NEW FEATURE! Centralized Database User Management Using Active Directory | Alan Williams, Oracle; Keith Wilcox, Epsilon | Moscone West - Room 3011 | Mon., 3:15-4:00 PM
CON6575 | NEW! Database Security Assessment Tool Discovers Top Security Risks | Pedro Lopes, Oracle | Moscone West - Room 3011 | Mon., 5:45-6:30 PM
CON6573 | Data Management and Security in the GDPR Era | Russ Lowenthal, Oracle; Franck Hourdin, Oracle; Mike Turner, Capgemini | Moscone West - Room 3011 | Tues., 3:45-4:30 PM
CON6580 | Encrypt Your Crown Jewels and Manage Keys Efficiently with Oracle Key Vault | Saikat Saha, Oracle; Hamid Habet, Allianz | Moscone West - Room 3011 | Tues., 4:45-5:30 PM
CON6576 | Accelerate Your Compliance Program with Oracle Audit Vault and Database Firewall | Ram Subramanian, Symantec; Rohit Muttepawar, Symantec; George Csaba, Oracle | Moscone West - Room 3011 | Tues., 5:45-6:30 PM
CON6572 | Inside the Head of a Database Hacker | Mark Fallon, Oracle | Moscone West - Room 3014 | Wed., 11:00-11:45 AM
CON6618 | Sneak Preview: Oracle Data Security Cloud Service | Vikram Pesati, Oracle; Michael Mesaros, Oracle | Moscone West - Room 3011 | Wed., 2:00-2:45 PM
Visit Us in the Oracle Database Security Demo Grounds

Demo Booth Title | Featured Solutions
Authentication & Authorization | Centrally Managed Users, Database Vault, Real Application Security, Label Security
Encryption & Key Management | Transparent Data Encryption, Key Vault, Data Redaction
Auditing and Activity Monitoring | Database Auditing, Audit Vault and Database Firewall, Data Security Cloud Service - Auditing
Database Security for Application Developers | Database Security Assessment Tool, Data Masking and Subsetting, Data Discovery and Data Security Cloud Service - Masking
Connect With Us
http://oracle.com/database/security
http://oracle.com/technetwork/database/security
/OracleDatabase
/OracleSecurity
blogs.oracle.com/SecurityInsideOut
Oracle Database Insider
/Oracle Database Security
/Oracle Cloud
Safe Harbor Statement
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.