CON8813 Securing Privileged Accounts with an Integrated IDM Solution - Final
DESCRIPTION: Olaf Stullich & Mike Laramie's OOW2013 presentation
TRANSCRIPT
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
Securing Privileged Accounts with an Integrated IDM Solution
Olaf Stullich, Product Manager, Oracle
Mike Laramie, Oracle Cloud for Industry Architecture Team
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
• Introduction
• What is Oracle Privileged Account Manager?
• OPAM Integration with Oracle Identity Governance and Database Security
• Use Case: Oracle Cloud for Industry and OPAM
• Demo
Introduction
What do these two have in Common?
• Privileged account access
• Excessive access privileges
• Difficult to monitor shared accounts across multiple administrators
IDM – Overcome Threats and Regulations to Unlock Opportunities
2011 Data Breach Investigations Report:
• 76% Data Stolen From Servers
• 86% Hacking Involved Stolen Credentials
• 48% Caused by Insiders
• 17% Involved Privilege Misuse
Threats: Increased Online Threat, Costly Insider Fraud
Compliance: Tougher Regulations, Greater Focus on Risk, Stronger Governance
Opportunities: Social Media, Cloud Computing, Mobile Access
Managing Privileged Access Is Not Well Defined
COST – Deploying point solutions can increase integration costs
SCALE – Manual solutions don’t scale (like managing privileged access via spreadsheets)
RISK – Using default system passwords is prone to risk
Two Big Management Problems
• IDENTIFYING PRIVILEGED ACCOUNTS
• TRACKING PRIVILEGED ACCOUNTS
The Right Approach is Self-Reinforcing
Self-Reinforcing cycle:
• Reporting & Certification
• Access Request
• Auto-Provisioning
• Remediation
VISIBILITY ACROSS COMPLETE USER ACCESS IS KEY
Privileged Account Management: A Platform Approach
• Shared Connectors
• Centralized Policies
• Workflow Integration
• Common Reporting
Outcomes: Reduce Risk, Improve Compliance
What is Oracle Privileged Account Manager?
Oracle Fusion Middleware: Business Innovation Platform for the Enterprise and Cloud
• Complete and Integrated
• Best-in-class
• Open standards
• On-premise and Cloud
Foundation for Oracle Fusion Applications and Oracle Cloud
Components:
– User Engagement (Web, Social, Mobile)
– Identity Management
– Business Process Management
– Content Management
– Business Intelligence
– Service Integration
– Data Integration
– Development Tools
– Cloud Application Foundation
– Enterprise Management
Identity Management: Securing the Social Enterprise
Simplified Identity Governance
– Access Request Portal with Catalog and Shopping cart UI
– In product, durable customization of UIs, forms and work flows
– Privileged Account Management – leverage Identity connectors, workflows, audit
Complete Access Management
– Integrated SSO, Federation, API Management, Token Management, Granular Authorization
– Mobile application security with SSO, device finger printing and step up authentication
– Social identity log-in from popular social media sites
– REST, OAuth, XACML
Directories that Scale
– OUD optimized on T4 hardware delivering 3x performance gain and 15% of set up time
Privileged Account Manager: Definition of Terms
Privileged Account
– A “human”-accessible account with elevated permissions (root for UNIX or Linux, SYS for DB)
Service Account
– Most customers use the term “service accounts” when they refer to Privileged Accounts
– Some customers use the term “service accounts” when they refer to Application Accounts
– OPAM uses “services accounts” in the connector configuration
End User
– An administrator who is accessing OPAM to check out an account
Administrator
– The OPAM server Administrator
– An Administrator who is accessing OPAM to check out an account
Application Accounts
– Accounts that are used by an application (stored in the application) to access, e.g., a database
Target
– OPAM manages account access on “Targets”
Privileged Account Manager: Overview of Product Capabilities
Secure password vault to centrally manage passwords for privileged accounts
– OPAM uses an Oracle DB EE instance (limited-use license) with TDE to encrypt passwords
Session Management and Auditing
– Session control without revealing a privileged account password
– Session History and searchable Session Recording
Extensible Framework
– Java-based, for customized solutions
Audit Reporting
– Customizable audit reports through BI Publisher
– Real-time status available via the OPAM dashboard (charts, tables, etc.)
Privileged Account Manager: Overview of Product Capabilities (continued)
Integrated with Identity Governance Platform
– Shared Connectors and Workflow integration with OIM
– Centralized Policies Management via OIM and OIA
Using out-of-the-box connectors, OPAM Targets can be configured for
– Databases, Operating Systems and LDAP Directories, and Oracle FMW applications
Policy-based access to privileged accounts via “grants”
– Grants control if and when a given administrator has access to a privileged account
– Grants are represented as OPAM Usage Policies
– Grants are typically assigned through LDAP Group Membership in the identity store
Flexible Password Policies
– Mirror corporate password standards
Supported Clients / Targets
• Generic Database Servers
• Generic LDAP Directories
• Generic UNIX Systems
• UNIX
• MS SQL Server
• Sybase 15
Typical OPAM Use-Case
Actors: LDAP Server; Database and Unix Admin (Joe); HR Application Database; Unix Server; Oracle Privileged Account Manager.
• Joe requests the SYSTEM password for the HR App Database from OPAM.
• OPAM verifies against the LDAP Server that the OPAM user, Joe, is in the “HR DBA” Role.
• OPAM returns the SYSTEM password.
• Joe logs in as SYSTEM and adds a table to the DB; the system runs out of space.
• Joe requests the root password for the Unix Server; OPAM returns the root password.
• Joe logs in as root and adds disk space.
• Joe checks in the passwords.
• OPAM sets the SYSTEM password for the HR App Database, based on the password policy for the HR App Database.
• OPAM sets the root password for the Unix Server, based on the password policy for the Unix Server.
OPAM Integration with Oracle Identity Governance and Database Security
OPAM and OIM - a Complete Governance Platform: Request for Privileged Account Access
• Leverage OIM policy/role based provisioning
• A system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access
• Workflow and approval will be followed as defined
OPAM and OIM - a Complete Governance Platform: Request for Privileged Account Access (continued)
• OIM publishes privileged account entitlements in the request catalog
• An admin user uses access request self service, searches the catalog, picks the privileged accounts he needs and submits them for approval
• The request kicks off workflow and approval as defined
• The user is provisioned with group membership after approval
• The user can access OPAM for privileged password checkout and checkin
OPAM and OIM - a Complete Governance Platform: Risk-based certification
• Through the existing OIM–OIA integration and the OIM–OPAM integration, privileged access information is made available to OIA for certification
• Risk can be calculated based on its privilege status and other data, such as the provisioning method
• If an access violation is found, it can be revoked through OIM–OIA closed-loop remediation
Use Case: Oracle Cloud for Industry and OPAM
Oracle Cloud for Industry: Overview
What is OCI?
– An internal provider of cloud-based IaaS and PaaS services available to Oracle Global Business Units (GBUs) for the packaging of Oracle Industry Solutions to end customers, e.g. Financial Services, Healthcare, Retail
– http://www.oracle.com/us/industries/index.html
Oracle Cloud for Industry: Problems
Disparate privileged account practices between multiple operational roles
– Password vault utilities
– Spreadsheets
Minimal auditing/reporting on privileged account usage
Difficulty of access
– “Which vault is that stored in?”
Additional requirements driven by regulatory compliance
– PCI
– HIPAA/HITECH
Oracle Cloud for Industry: Solution
Implement a password solution that is
– Easy to use
– Able to support privileged accounts from multiple teams with differing requirements
– Reliable
– Secure
– Auditable
– Meeting or exceeding regulatory compliance
Solution
– OPAM
Oracle Cloud for Industry: OCI & OPAM
How did OPAM help?
– Role based access to privileged accounts: LDAP group membership determines which privileged accounts users can access
– Convenient, accessible BUI
– Automated reporting of privileged account access and usage
– Centralized, secure repository
– Automated password management
– Unique passwords for each system
Oracle Cloud for Industry: PCI & OPAM
How did OPAM help with PCI Compliance? Addressed PCI DSS 2.0 Requirements:
– 2.1 » “Always change vendor supplied passwords before installing a system…”
– 8.5.8 » “Do not use group, shared, or generic accounts and passwords…”
– 8.5.9 » “Change user passwords at least every 90 days.”
Oracle Cloud for Industry: OPAM Flexibility
Customized scripts for password aging reporting
– Required for 8.5.9
– Wrote custom script to retrieve data from OPAM and email admins as necessary
– RFE submitted to include functionality in a future release’s BUI
Daily reports of check-in/check-out activity
– Currently done through BI Publisher, emailed to security team nightly
– On-Demand reporting will be in a future release
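The check-out/check-in flow from the Typical OPAM Use-Case slide (grant verified via LDAP group membership, password reset on check-in per the target's policy, audit trail) and the custom password-aging report described above, modelled together in one added Python example. This is illustrative code written for this transcript, not Oracle's OPAM code or API; the Vault, Account and Policy classes, the LDAP-group dictionary and the target names are constructed assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Policy:                    # per-target password policy (assumed shape)
    length: int = 16
    max_age_days: int = 90       # PCI DSS 2.0 req. 8.5.9 cited on the slides

@dataclass
class Account:                   # one privileged account on one target
    target: str
    user: str
    grant_group: str             # LDAP group whose members hold the grant
    policy: Policy
    password: str = ""
    set_at: datetime = None
def new_password(policy):        # reset value generated per the target's policy
    return secrets.token_urlsafe(policy.length)[:policy.length]

class Vault:                     # minimal stand-in for the OPAM server (assumed)
    def __init__(self, ldap_groups):
        self.groups = ldap_groups    # {user: {group, ...}} models the identity store
        self.accounts, self.audit = {}, []
    def add(self, acct, now):
        acct.password, acct.set_at = new_password(acct.policy), now
        self.accounts[(acct.target, acct.user)] = acct
    def checkout(self, who, target, user, now):   # None when the caller holds no grant
        acct = self.accounts[(target, user)]
        granted = acct.grant_group in self.groups.get(who, set())
        self.audit.append((now, who, target, user, "CHECKOUT" if granted else "DENIED"))
        return acct.password if granted else None
    def checkin(self, who, target, user, now):    # check-in triggers a policy-based reset
        acct = self.accounts[(target, user)]
        acct.password, acct.set_at = new_password(acct.policy), now
        self.audit.append((now, who, target, user, "CHECKIN"))
    def aging_report(self, now):   # accounts whose password is older than policy allows
        return [f"{a.user}@{a.target}" for a in self.accounts.values()
                if now - a.set_at > timedelta(days=a.policy.max_age_days)]

def demo():   # Joe (in "HR DBA") checks SYSTEM out and in; Ann holds no grant; constructed data
    now = datetime(2013, 9, 25, tzinfo=timezone.utc)
    v = Vault({"joe": {"HR DBA", "Unix Admins"}, "ann": set()})
    v.add(Account("hrapp-db", "SYSTEM", "HR DBA", Policy(length=20)), now)
    v.add(Account("unix01", "root", "Unix Admins", Policy()), now - timedelta(days=100))
    first = v.checkout("joe", "hrapp-db", "SYSTEM", now)
    v.checkin("joe", "hrapp-db", "SYSTEM", now)
    denied = v.checkout("ann", "hrapp-db", "SYSTEM", now) is None
    return {"rotated": first != v.accounts[("hrapp-db", "SYSTEM")].password, "denied": denied,
            "events": [e[4] for e in v.audit], "stale": v.aging_report(now)}
```

The denied request is still written to the audit trail, and the root account set 100 days ago is the one the aging report flags under the 90-day policy.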
Case Study Overview: Solution
• Securely stores local privileged account information in a central location
• Access to accounts is limited by LDAP group membership (RBAC)
• Reportable audit trail on account usage
OPAM Privileged Account Manager in Action
Oracle Privileged Account Manager in Action: Demo Overview
• How the OPAM “lockbox” is used by Oracle Cloud for Industry
• How OPAM Session Management and Auditing enhance the “lockbox” concept to provide additional compliance data
• How to extend OPAM operations to enable emergency access
• How emergency access can be integrated with physical access security using the Lockitron lock
Summary
OPAM Benefits
• Enforce internal security policies and eliminate potential security threats from privileged users
• Cost-effectively enforce and attest to regulatory requirements
• Reduce IT costs through efficient self service and common security infrastructure
• Real-time usage reports
• Customizable audit reports with BI Publisher
Demo Pods (Moscone South)
• Oracle Identity Governance Suite: Managing Privileged Accounts from Your Identity Platform
• Identity Management Monitoring with Oracle Enterprise Manager
• Oracle Identity Governance Suite: Complete Identity Lifecycle Management
Sessions not to miss
• CON8823 – Wednesday 09/25, 5:00PM, Moscone West, Room 2018: Access Management for the Internet of Things – Kanishk Mahajan, Oracle
• CON8826 – Thursday 09/26, 3:30PM, Moscone West, Room 2018: Zero Capital Investment by leveraging Identity Management as a Service – Mike Neuenschwander, Oracle
• CON8902 – Thursday 09/26, 2:00PM, Marriott Marquis, Golden Gate C3: Developing Secure Mobile Applications – Mark Wilcox, Oracle
• CON8836 – Thursday 09/26, 11:00AM, Moscone West, Room 2018: Leveraging the Cloud to simplify your Identity Management implementation – Guru Shashikumar, Oracle
• CON4342 – Thursday 09/26, 12:30PM, Moscone West, Room 2018: Identity Services in the New GM IT – GM
• CON9024 – Thursday 09/26, 2:00PM, Moscone West, Room 2018: Next Generation Optimized Directory - Oracle Unified Directory – Etienne Remillon, Oracle
Join the Oracle Community
• Oracle.com/Identity
• Twitter: twitter.com/OracleIDM
• Facebook: facebook.com/OracleIDM
• Oracle Blogs: Blogs.oracle.com/OracleIDM