Oracle’s Platform Approach to Security Services
This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Agenda
• Security Threats and Trends
• End-to-End Application Security Development Lifecycle
• Oracle Platform Security Services
  – Overview & Strategy
  – Design Pattern & Deployment Examples
  – Security Platform for Fusion Applications
Security Threats & Trends
What Keeps You Awake?
Threats
• Attacks
• Improper Access
• Infrastructure Scaling
Compliance
• Tougher Regulations
• Intrusive Audits
• Costly Burdensome Reporting
Opportunities
• Mobile Access
• Social Identity
• Cloud Computing
The Trend is Set to Continue: The Root Cause Of All Breaches Is Poor Access Control
[Chart: total number of records compromised by breaches, 1990 to 2011, with the eras labelled "Hacking for Fun" and "Hacking for Fame"; data labels < 1M, 4 M and 361 M, with 2004, 2009 and 2011 marked]
• Social Engineering Attacks (11% of all breaches)
• Hacking (up 10% from 2010)
• Privilege Abuse (17% of all breaches)
Source: Verizon Data Breach Report 2011
Current Approach is Fragmented: Hurts Transparency & Business Agility
• Disconnected Security Policy
• Poor Correlation for Forensics
• Fragmented View of User
• Costly Integration
Fragmentation causes Latency
• Removing separated users
• Detecting user job role change
• Restricting data access quickly
Source: The Value of Corporate Secrets by Forrester Consulting (March 2010)
E2E Application Lifecycle
[Lifecycle diagram: Design, Develop, Package, Deploy, Administer & Monitor, Migrate & Patch]
E2E Application Lifecycle Problem Statement
• Insufficient and non-standard security libraries
• Poor tooling & IDE integration
• Results in brittle, hardcoded solutions
E2E Application Lifecycle Problem Statement
• Manual & error-prone deployment and migration process
• Ad hoc security configuration & integration
• Affects application delivery and downtime
E2E Application Lifecycle Problem Statement
• Lack of centralized policy management & monitoring
• Insufficient visibility across key enterprise security metrics
• Impacts corporate compliance and ongoing business agility
Today We Are Reactive
We react...
• Harden Perimeter
• Secure End-Point
• Invest in Monitoring
But criminals get wiser
• Social Engineering Attacks
• Attacks on Servers
• Privileged Account Abuse
Most traditional security solutions get breached eventually
We Need to Change Our Thinking
Security should be proactive just like the body’s immune system prevents diseases
Oracle Platform Security Services Overview & Strategy
Oracle Identity Management 11g Service-Oriented Security
• Introducing Oracle Platform Security Services
• Library of security services including authentication, authorization, ID profile, encryption, common auditing and logging, etc.
• Integrated with JDeveloper for design time security development
• Services exposed through pluggable abstraction layers
• Decouple and externalize security from applications
• The security platform for Oracle’s Fusion Middleware and packaged Applications
• Available to the Java development community, ISVs, and customers
Oracle Platform Security Services: Security Platform for Applications, Middleware & Data
[Architecture diagram] Consumers: Fusion Applications, Vertical Applications, ISV Applications, Customer Apps; Fusion Middleware components: SOA, WebCenter, ECM, EPM, BI, RDBMS, IDM. OPSS services: AuthN, AuthZ, IdM Integration, Creds & Keys, Audit, ID Profile, Trust, XML Security, Crypto/SSL. Backing products: OAM, OES, OAAM*, OID, OVD, ODSEE, STS, OIM*, OWSM. Security Service Providers: Identity, Policy and Credential Store Providers backed by LDAP, Database or File.
Platform Reduces Cost vs. Point Solutions
46% Cost Savings (Source: Aberdeen “Analyzing point solutions vs. platform” 2011)
Benefits and Oracle IAM Suite Advantage:
• Increased End-User Productivity: Emergency Access (11% faster); End-user Self Service (30% faster)
• Reduced Risk: Suspend/revoke/de-provision end user access (46% faster)
• Enhanced Agility: Integrate a new app with the IAM infrastructure (64% faster); Integrate a new end user role into the solution (73% faster)
• Enhanced Security and Compliance: Reduces unauthorized access (14% fewer); Reduces audit deficiencies (35% fewer)
• Reduced Total Cost: Reduces total cost of IAM initiatives (48% lower)
Callouts: 48% More Responsive; 35% Fewer Audit Deficiencies
Oracle Platform Security Services Design Pattern & Deployment Examples
E2E Application Lifecycle: OPSS & Oracle Entitlements Server solution
(Lifecycle phases: Design, Develop, Package, Deploy, Enforce, Monitor)
• Rich set of standards based security services, enabling declarative development
• Pre-integrated with enterprise IDM systems and IDE tools
• Support for each phase of the application lifecycle
• Decouples and externalizes security from applications
Oracle Platform Security Services Example: Authentication, Authorization, Identity Profiles
[Diagram: the same application at design time and in production]
Design Time (Develop: JDeveloper; Test: Integrated WLS)
• ID Store: WLS Embedded LDAP
• Authentication: Form Based Authn
• Policy Store: File based
• Declarative Development, Security Wizards, Policies packaged w. App
Production (Deploy & Config: EM; Runtime: WLS, WAS, JBoss)
• ID Store: Oracle or 3rd Party LDAP
• Authentication: OAM or 3rd Party SSO
• Policy Store: Oracle or 3rd Party DB
• Deploy & Config Wizards, Runtime Monitoring & Audit, Automatic Policy Migration
The application calls the same OPSS API in both environments:
• login()
• logout()
• getUserProfile()
• getUserGroups()
• isAuthorized()
• etc...
OPSS & OES E2E Application Lifecycle
JDeveloper IDE
• Declarative Security Development
• Integrated Security Wizards
• Authz policies packaged w. the App
Java Application Example
• Create a JAAS subject (in the real world you actually need to authenticate the user)
• The resource the user is trying to access: it is just a string!
• The action the user is trying to perform
Anatomy of a Java SM Application
• The actual authorization request
• The authorization result

    // Imports added to the slide snippet; package names follow the OES 11g OpenAZ PEP API
    import java.security.Principal;
    import javax.security.auth.Subject;
    import weblogic.security.principal.WLSUserImpl;
    import oracle.security.jps.openaz.pep.PepRequestFactoryImpl;
    import org.openliberty.openaz.azapi.pep.PepResponse;

    // Create a JAAS subject; in a real application the Subject comes from authentication
    Principal p = new WLSUserImpl("weblogic");
    Subject user = new Subject();
    user.getPrincipals().add(p);
    // The resource the user is trying to access: it is just a string
    String resourceString = "HelloOESworld/MyResourceType/MyResource";
    // The action the user is trying to perform
    String action = "write";
    // The actual authorization request, sent to the OES security module
    PepResponse response = PepRequestFactoryImpl.getPepRequestFactory()
        .newPepRequest(user, action, resourceString, null).decide();
    // The authorization result
    boolean allowed = response.allowed();
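As an added example (not code from this deck or from Oracle), a fail-closed wrapper around the same PEP call: it refuses to decide for a Subject that carries no authenticated principal, builds the application/type/resource string so caller-supplied names cannot reshape the path the policy is matched against, and treats any PEP error as a denial. The OpenAZ package names and the PepException type are assumptions based on the OES 11g API.

```java
import javax.security.auth.Subject;
import org.openliberty.openaz.azapi.pep.PepException;
import org.openliberty.openaz.azapi.pep.PepRequestFactory;
import org.openliberty.openaz.azapi.pep.PepResponse;
import oracle.security.jps.openaz.pep.PepRequestFactoryImpl;

/** Fail-closed policy enforcement point wrapper (added example; API package names assumed). */
public final class FailClosedPep {
    private final PepRequestFactory factory;

    public FailClosedPep() {
        // The factory is configured by the OES security module bootstrap of the deployment
        this.factory = PepRequestFactoryImpl.getPepRequestFactory();
    }

    /**
     * Builds the "application/resourceType/resourceName" string that OES policies are keyed on.
     * Each component is validated so that a caller-supplied name containing '/' cannot
     * turn "MyResource" into a different resource path.
     */
    public static String resourceString(String app, String type, String name) {
        for (String part : new String[] {app, type, name}) {
            if (part == null || part.isEmpty() || part.indexOf('/') >= 0) {
                throw new IllegalArgumentException("invalid resource component: " + part);
            }
        }
        return app + "/" + type + "/" + name;
    }

    /** Returns true only when OES explicitly permits the action; every other outcome is a deny. */
    public boolean isAllowed(Subject subject, String action, String resource) {
        // An absent or empty Subject means nobody authenticated: deny without asking the PDP.
        // In a container the Subject must come from the container's authentication, not be
        // constructed by hand as in the slide snippet.
        if (subject == null || subject.getPrincipals().isEmpty() || action == null) {
            return false;
        }
        try {
            PepResponse response = factory.newPepRequest(subject, action, resource, null).decide();
            return response.allowed();
        } catch (PepException e) {
            // Policy store unreachable, malformed request, etc.: fail closed, never open
            return false;
        } catch (RuntimeException e) {
            return false;
        }
    }
}
```

Usage: `new FailClosedPep().isAllowed(subject, "write", FailClosedPep.resourceString("HelloOESworld", "MyResourceType", "MyResource"))` returns the OES decision, or false when no decision could be obtained.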
OPSS & OES E2E Application Lifecycle
Enterprise Manager
• Deploy, Configure, Migrate
• Runtime Monitoring & Audit
• Automatic Policy Migration
OES Admin Server
• Centralized Policy Management
• Drag & Drop Policy Authoring
• Resource Catalog
• Role Catalog & Mapping
• Delegated Administration
• Advanced Lifecycle Management
• Policy Patching: 3-way diff / merge
OPSS & OES Policy Example
[Policy example screenshots]
Externalizing Authorization from Apps: Distributed Fine-Grained Security Enforcement for Applications
[Diagram: Fine-Grained Authorization Policy Enforcement] Portal Users access applications running on an Oracle WebLogic Suite-based Application Grid (Oracle SOA Suite, Oracle BPM Suite, Oracle WebCenter, Shared Services Apps). Oracle Platform Security Services provides the User Provisioning Service, Role Mgmt Service, Directory Service, Authentication Service, Authorization Service and Federation Service, with Policies held centrally.
App Owner
• Build application
• Externalize Authorization Controls from App into XACML policies using OPSS API
• Deploy Application
IT / Security
• Modify Policies in response to evolving security mandates without any code changes
• Centralize Enforcement of Policies across all Apps with Centralized Admin UI
Oracle Platform Security Services: Security Platform for Fusion Applications
Fusion Applications OOTB Security Architecture
[Diagram] Fusion Applications (ADF, SOA, BI, WebCenter, etc) run on WebLogic with OPSS as the security platform. Access Manager provides Single Sign-On; Entitlements Server provides Fine Grained Authorization; Identity Manager provides Identity & Enterprise Role Mgmt; Web Services Mgr provides Web Service Security. Stores: OES Policy Store and OID ID Store, on the Oracle RDBMS.
Oracle Platform Security Services Summary
• Portable across development frameworks and J2EE containers
• Supports the full application life cycle: Development, Packaging, Deployment, Runtime, Administration
• Consistent experience for developers and administrators through JDeveloper, Enterprise Manager, Authorization Policy Manager
• Scale up from lightweight development environments to heterogeneous enterprise IDM deployments
• Proven technology, used by a very large number of Oracle products
Questions
For More Information
oracle.com/identity
search.oracle.com
or
Oracle Platform Security Services
BACKUP SLIDES
• If Required, To Get More Background Information
Oracle Platform Security Services Authentication
• JAAS / JSR 196 based framework to authenticate against various identity stores & SSO systems
• OOTB integration with Oracle Access Manager (OAM) for Single Sign On
• Supports many 3rd party SSO solutions
• Oracle provided login modules include:
  • LDAP Server authentication, RDBMS Login Module, SAML token authentication, SPNEGO/Kerberos authentication, X.509 certificates
• Custom authentication plug-in support
• Also supports “anonymous” user/role and “authenticated” roles
• Logged in user and their Enterprise & Application roles set in the “JAAS Subject”
Oracle Platform Security Services ID Profile
• Enterprise Users and Roles are stored in central Identity Stores such as corporate LDAP servers and RDBMS systems
• Shared across many applications
• OPSS certified with Oracle Internet Directory, Oracle Virtual Directory, Oracle Directory Server Enterprise Edition, MS Active Directory, Tivoli Directory Server, Novell eDirectory, OpenLDAP
• ArisID - Identity Governance Framework
• Abstraction layer for applications to query identity and enterprise roles from various identity stores
• Developers declare what attributes they are interested in through metadata, then generate and leverage simple Java objects for CRUD operations
• Applications get user and role profiles in an implementation/deployment neutral format, independent of what Identity Store is used
• Ability to plug in custom providers
• Includes LibOVD for virtualization & mapping capabilities
Oracle Platform Security Services Authorization
• Abstraction and integration layer for fine grained Authorization
• Supports Java2 / JAAS permissions, OpenAZ, JSR 115
• Registers with the container as a Java2 security provider for code based security
  • What resources (ex: files on local host and network ports) does a given set of code have access to?
• OES 11g is the authorization provider, provides backend implementation
• Automated Lifecycle management
  • Complete application lifecycle tooling support for security policies (design, development, deployment, patching, and administration)
43 Copyright © 2010, Oracle. All rights reserved Oracle Confidential
Oracle Platform Security Services User Provisioning
• Enterprise Users & Roles are often administered through Oracle Identity Manager or similar products
• Can provision and reconcile users & roles to/from any number of target systems based on provisioning policies
• OIM provides multiple integration options
• Users and Enterprise Roles externalized to LDAP (recommended approach, used by Fusion Apps)
  • Use SPML interfaces for provisioning users and enterprise roles
  • OIM directly manages the users and roles in the Identity Store, notifies application of changes (if required)
• Users and Enterprise Roles externalized to LDAP, application integrated through connectors
  • Application registered as a Target System in OIM
  • Use the OIM LDAP connector to provision users and roles/groups in LDAP
• Shadow copy of Users and Roles in a proprietary applications repository
  • Application registered as a Target System in OIM
  • Develop a connector to provision users and roles in the application’s proprietary repository
• IGF SPML adapter planned to further simplify integration
Oracle Platform Security Services Key Store Service
• Secure storage of keys, credentials, and certificates
• Provider model with support for Wallet, LDAP, RDBMS, JKS, and commercial key management servers / hardware security modules
• Used to store certificates, DB schema passwords, LDAP server access credentials, bootstrap credentials, store secure connection information etc.
• Central UI for keystore import/export, backup across the domain
• Centralized trust management and policy enforcement (on key strength/size etc.)
• Alerts on expiring certificates
• Audit of key usage
• FIPS compliant storage of Keys & Credentials
Oracle Platform Security Services Audit
• Extensible framework for applications to record audit events
• Centralized audit across multiple applications
• Audit events & context registered through metadata
  • Metadata packaged in application archive, automatically registered at time of deployment
• Provides audit data correlation for user activities across all layers through the Execution Context ID (ECID)
• OOTB BI Publisher based audit reports for:
  • Authentication, authorization policy changes, credential access, web services policy mgmt changes, etc.
Oracle Platform Security Services Trust Service
• Trust brokering and ID propagation for end-to-end security enforcement
• Centralized trust policy framework to manage and control ID propagation
• Consistent and comprehensive bindings (API and protocol) for token acquisition, token propagation and validation
• Supports standard & custom tokens
• SAML, Kerberos, etc
• Bindings to integrate existing platforms with the framework
• APIs for integrating existing platforms
• Integrates with Oracle & 3rd party Security Token Services
• Embedded token generation, validation capabilities for simple use cases
Oracle Platform Security Services Oracle Security Developers Toolkit
• Libraries to handle SSL, PKI, digital signatures, encryption, XML security, SAML, OAuth, WS-Security, SwA, S/MIME, Liberty, etc.
• Based on many industry standards, including but not limited to
  • JCE, JCA, JSSE
  • PKCS #11, #12, #7, XKMS, OCSP, CMS, CMP/CRMF, TSP
  • and more
• Also includes C based Crypto, SSL, SASL, GSSAPI/Kerberos toolkits
• FIPS 140-2 compliant with support for Hardware Security Modules