Enterprise Security Architecture: From access to audit

Upload: bob-rhubart

Post on 04-Nov-2014

DESCRIPTION

Paul Andres' presentation from OTN Architect Day in Pasadena, July 9, 2009. Find an OTN Architect Day event near you: http://www.oracle.com/technology/architect/archday.html Interact with Architect Day presenters and participants on Oracle Mix: https://mix.oracle.com/groups/15511

TRANSCRIPT

Page 1: Enterprise Security Architecture: From access to audit
Page 2:

Enterprise Security Architecture: From access to audit

Paul Andres

Director, Enterprise Architecture

Page 3:

Why Security?

Page 4:

Changing Business Climate: Challenges Our Customers Face…

"In a time of accelerating turbulence, the valuation of a company will be strongly affected by how it executes change."

Page 5:

Today’s IT Challenges

More Agile Business
• More accessibility for employees, customers and partners
• Higher level of B2B integrations
• Faster reaction to changing requirements

More Secure Business
• Organized crime
• Identity theft
• Intellectual property theft
• Constant global threats

More Compliant Business
• Increasing regulatory demands
• Increasing privacy concerns
• Business viability concerns

Page 6:

IT Governance

Today’s “New Normal”: Users, Systems, Globalization and Compliance Forced Complexity

Governance concerns: Supply Chain Traceability; Service Level Compliance; Financial Reporting Compliance; Compliance & Ethics Programs; Audit Management; Data Privacy; Records Retention; Legal Discovery; Anti-Money Laundering

Systems: Apps Server; Data Warehouse; Database; Mainframes; Mobile Devices; Enterprise Applications

Users: Legal; Finance; HR; Sales; Suppliers; Customers; R&D; Mfg

Mandates: SOX; JSOX; FDA; Basel II; EU Directives; HIPAA; GLBA; PCI…; Patriot Act; SB1386

Page 7:

The Business Platform

Oracle Applications: HCM; Finance; CRM; End-to-End Industry Processes; Unified User Experience; Actionable Analytics

Existing Tools & Infrastructure: Non-Oracle; 3rd Party; Custom

The Right Information to the Right People in the Right Format at the Right Time!

Oracle Platform: Agile Process Orchestration; Consistent + Scalable Data; Comprehensive Security; Centralized Development; Pervasive Business Intelligence; Content Management

Page 8:

Oracle is ‘Information Driven’

• Manage It…

• Use It…

• Share It…

• Protect It…

Page 9:

Security for Apps, Middleware, Data and Infrastructure: Comprehensive ‘Defense in Depth’ Approach

Layers: Database and Infrastructure; Fusion Middleware; Applications; Monitoring and Configuration; Enterprise Visibility

Outcomes: Automated Controls; Access to Business Services; Lower Cost of User Lifecycle; Data Protection and Privacy; Unbreakable Linux

Copyright © 2008, Oracle and/or its affiliates. All rights reserved.

Page 10:

Industry Frameworks

Page 11:

Oracle Enterprise Architecture Framework, Version 2 (Draft)

Business Architecture: Methodology, Governance, Motivation, Function, Organization; Drivers, Goals, Objectives; Models, Strategy; Products, Services, Processes; Mission, Roles, People; Finance

Applications Architecture: Reference Architectures, Functional Services; Components, Cost; Products; Strategy, Principles

Information Architecture: Reference Architectures, Entities, Structures; Strategy, Principles, Standards; Components, Models, Structures

Technology Architecture: Reference Architectures, Platform Services, Products; Strategy, Principles, Standards; Components, Cost

Cross-cutting: Reference Architectures; Strategy, Principles, Standards; Capabilities (Standards, Requirements, Design, Development, Test, Production); General Industry

EA Governance: Performance; Risk, Security, Policy, Integrity, Business Continuity; Compliance; Portfolio Management; Data Quality; SLAs

Reference domains: SOA/EDA; General Services; Data Management; Security; Infrastructure; Development; Management

Page 12:

Security Domains

Enterprise Architecture Security Model: Assess Business Objectives; Define Risks & Threats; Risk Analysis (Quantitative & Qualitative Risk Assessment, Data Classification); Protection Requirements; Safeguards, Counter Measures; Cost Effective Solutions; Policy & Procedures; Security Awareness; System Reliability; Legal Liabilities; Data Integrity, Confidentiality, Security Assurance; Functionality Evaluation; Penetration Testing, Vulnerability Assessment

CISSP security domains*

• Access Control Systems & Methodology
• Telecommunications & Network Security
• Security Management Practices
• App and Systems Development Security
• Cryptography
• Security Architecture & Models
• Operations Security
• Business Continuity & Disaster Recovery
• Laws, Investigations, & Ethics
• Physical Security

* CISSP, Shon Harris

Page 13:

TOGAF to Oracle Security Mapping

GRC, Security Policy; Data Protection & Privacy; Access Control; Security Management

Page 14:

TOGAF 9

Page 15:

TOGAF 9

Page 16:

TOGAF 9 Capability Framework

Page 17:

Burton Group Security Framework

Page 18:

Oracle Security Solutions

Page 19:

Enterprise Security Reference Architecture

Page 20:

Oracle Security Components

Identity and Access Management: Access Manager; Identity Manager; Directory Services; Identity Federation; Web Service Manager

Data Security: Advanced Security Option; Audit Vault; Database Vault; Label Security; Information Rights Management

Applications: E-Business Suite, PeopleSoft, Siebel, Hyperion, JDE, SAP, Custom, Legacy

Enterprise Manager

Page 21:

GRC Manager

Oracle’s “Top to Bottom” GRC Strategy: Define Your Policy… Connect to IT Controls… Analyze Your Results!

Policy: Map Risks-Policy-Controls; Test & Gather Evidence; Track Issues + Remediate; Track by Standard, by Cycle, by Application, by Process

Controls (Connect Policies to Controls): Embedded App Controls; Embedded and Enterprise-Wide Controls; Oracle and Non-Oracle; Set Control Rules; Handle Exceptions; Low-Level Detail; Access Management, Information Rights Mgmt, Identity Management, Database Controls, Configuration Management

Analytics (Analyze Policy and Controls): Real-time visibility; Pre-Made reports and dashboards; Leveraged Output and Compliance Visibility

Page 22:

Oracle Identity Management Components

Basic Authentication / Coarse-Grained Authorization / Audit / User Administration

Components: Oracle Role Manager; Oracle Access Manager - Identity; Oracle Identity Manager; Oracle Internet (Meta) Directory; Oracle Virtual Directory

Enterprise Applications: Business Apps; Portals; Email; Custom Apps; Helpdesk

Data and User Stores: Directories; Operating Systems; Databases

Users: Employees; Customers; Suppliers

Page 23:

A Typical Environment…

Presentation Tier / Logic (Business) Tier / Data Tier

Page 24:

Identity and Access Challenges

Problems
• No Ability to Establish User Roles
• Manual User Administration (Int + Ext)
• No knowledge of “Who has access to what?”
• Multiple Sign-Ons + Forgotten Passwords
• No Self Service or Password Management
• Unstructured Content is not controlled
• Access to sensitive DB data is not controlled
• Difficult to Manage Environment

Page 25:

Solution: Centralize and Simplify Access

SSO Enabled Applications

Page 26:

Solution: Simplify Access to Multiple Datastores…

Page 27:

Solution: Simplify Employee to Business Partner Login

SSO + Federation-Enabled Apps

Page 28:

Oracle IAM Suite with Identity Services Framework

Enterprise Identity Management Infrastructure: Identity Provider; Provisioning; Authentication; Virtualization & User Store; Audit; Federation & Trust; Policy & Orchestration; Legacy Integration Interface (Connectors, Agents)

Service Interfaces: WS-*, SPML, SAML, XACML, CARML

Identity Services (FMW Security as a Service): User Management; Authentication; Authorization; Federation; Administration; Role Provider

Consumers (Business Functions): Oracle Fusion Applications & Middleware; 3rd Party ISF Aware Applications; Custom Developed ISF Aware Applications; Legacy Applications

Page 29:

Fusion Security Architecture

Enterprise Identity Store (LDAP); Operational Interaction using JDBC; Account + Role Provisioning & Reconciliation

Authentication: OAM; Federation Services (OIF); Single Sign-On

Fusion Applications: RDBMS; OC4J; Extensible Security (XS); ADF; JAAS+; ATG Security

FIDM: Identity Provisioning; Identity Administration; Account Provisioning; Account Administration; Enterprise Role Mgmt; Identity Provisioning & Reconciliation; LUS (Extensible Security); FIDM Operational Store

Page 30:

Policy-Driven Security & Identity Management

Front Office: Legacy; CRM; portal; Customers; Trading Partners; B2B Exchanges

Integration Services / Back Office: J2EE logic; .NET logic; CICS wrap; TIBX logic; App logic; B2Bi logic

WSM PEP (Web Services Manager policy enforcement point) at each service boundary; Oracle WSM Policy Manager; Oracle WSM Monitor; Oracle Identity Services

Roles: Architects; Security; Operations

Page 31:

Expose, Secure and Manage Web Services…

Users: Customers; Partners, Vendors; Employees; Business Users; Auditor; IT Admin; Security

Endpoints: AD / Exchange; IIS/ASP Apps; Portals; Portals using Web Services; Apps w/ Web Service; Partner Portal (Outsourced Provider); Mainframe (RACF/ACF2/TS Environment); PeopleSoft HR; Packaged Applications using Sun or Apache; Unix, Linux

Components: Web Services Manager; Access Manager (Web SSO & Web IdMgt); Virtual Directory

Page 32:

Oracle Database Security Components

• Securely Backup Data To Tape with Secure Backup
• Protect Data in Motion with Network Encryption using Advanced Security Option
• Protect User and Sensitive Data at Rest by Encrypting Database Columns using Advanced Security Option (Select SALARY from USERS;)
• Protect Data from View and Alteration as well as Insider Threat using Database Vault: the Operational DBA (Alter system / Alter table) and the Data DBA / Manager (Select SALARY from users;) are separated, and each role’s out-of-scope statements are blocked (X). * Example roles and privs
• Consolidate Audit Data & Show Reports using Audit Vault

Example data shown on the slide:

LNAME  SSN          SALARY
SMITH  345-67-8912  $53,700
SCOTT  987-65-4321  $229,500
KING   123-45-6789  $125,000

LNAME  CREDIT_CARD     EXP_DATE
SMITH  9876-5432-1987  01-2011
SCOTT  2345-6789-4321  09-2012
KING   1234-5678-9123  04-2010

Enterprise Applications: Business Apps; Portals; Email; Custom Apps; Helpdesk

Page 33:

Securing the Database…

• Protect Data at Rest: Transparently Encrypt Database Columns with Advanced Security Option (Select ssn from cust;)
• Encrypt Backup of Database and Flat Files to Tape with
• Consolidate & Report on Audit Data with Audit Vault (Audit Data Warehouse)
• Separation of Duties with Database Vault Protects Against Insider Threats: the Operational DBA’s “Select SSN from cust;” is blocked (X) while “Alter system..” / “Alter table ….” stay with that role; the Data DBA / Manager reads the data. * Example roles and privs
• Protect Data in Motion with Network Encryption, Advanced Security Option
• Manage Database Identities / Roles with

Roles shown: Operational DBA; IT Admin; IT Security; DBA Manager

Example data shown on the slide: SMITH 17170; SCOTT 14220; KING 18031; KING, 18031, $1,800
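The two database slides describe a pattern rather than show it: encrypt the sensitive column, put a Database Vault realm around the table so the operational DBA keeps ALTER SYSTEM / ALTER TABLE but loses SELECT on customer data, and audit the table so Audit Vault has something to report. The SQL below is an added example and is not code from the presentation. It assumes Oracle Database 11g with Advanced Security Option and Database Vault, a table HR.CUST with an SSN column, two accounts OPS_DBA and DATA_DBA, a realm name and a placeholder wallet password; all of those are invented for illustration. DBMS_MACADM and DBMS_MACUTL are the 11g Database Vault administration packages; check the parameter lists against the Database Vault guide for your release, since 12c changed some signatures.

```sql
-- Added example, not from the presentation. Assumed objects: HR.CUST(lname, ssn, salary),
-- users OPS_DBA (operational DBA, holds SELECT ANY TABLE) and DATA_DBA (data owner),
-- Oracle Database 11g with Advanced Security Option and Database Vault installed.

-- 1. Data at rest: Transparent Data Encryption on the sensitive column (Advanced Security Option).
--    Requires ENCRYPTION_WALLET_LOCATION in sqlnet.ora; the password is a placeholder.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-password-placeholder";
ALTER TABLE hr.cust MODIFY (ssn ENCRYPT USING 'AES256');
-- TDE protects datafiles, redo and backups. It does NOT stop a connected account that holds
-- SELECT ANY TABLE: the database decrypts transparently for anyone allowed to query.

-- 2. Data in motion: native network encryption is set in sqlnet.ora on the server, not in SQL:
--      SQLNET.ENCRYPTION_SERVER = REQUIRED
--      SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
--      SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
--      SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

-- 3. Separation of duties: a Database Vault realm around HR.CUST. Realm checks run after
--    ordinary privilege checks, so SELECT ANY TABLE no longer reaches the protected table;
--    only accounts authorized in the realm (DATA_DBA) can read it.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Customer Data',                       -- assumed name
    description   => 'Customer PII: block privileged reads by operational DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);           -- record every blocked attempt

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Customer Data',
    object_owner => 'HR',
    object_name  => 'CUST',
    object_type  => 'TABLE');

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Customer Data',
    grantee       => 'DATA_DBA',
    rule_set_name => NULL,                                      -- unconditional authorization
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 4. Standard auditing on the protected table, so reads are evidence for Audit Vault / DBA_AUDIT_TRAIL.
AUDIT SELECT, UPDATE, DELETE ON hr.cust BY ACCESS;

-- Expected behaviour once the realm is enabled:
--   As OPS_DBA:
--     SELECT ssn FROM hr.cust;   -- ORA-01031: insufficient privileges (realm violation)
--     ALTER SYSTEM ...;          -- not affected by the realm; Database Vault command rules govern this
--   As DATA_DBA:
--     SELECT ssn FROM hr.cust;   -- succeeds and is written to the audit trail

-- 5. Review the evidence. Successful and failed statements on HR.CUST appear here; realm
--    violations are also written to the Database Vault audit trail (DVSYS.AUDIT_TRAIL$).
SELECT username, obj_name, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'CUST'
 ORDER BY timestamp DESC;
```

The point worth checking in your own environment is the first comment: column encryption alone does not implement the "Operational DBA gets X on Select SSN" picture on the slide, because TDE is transparent to any session that passes the privilege check. The realm is what turns a DBA privilege into an insider-threat control, and the audit is what lets Audit Vault show that it fired.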

Page 34:

Other Supporting Slides

Page 35:

Oracle Enterprise Security

Identity And Access Management: User Management; Access Management; Directory Management; Identity Audit; Authentication Service

Data Security: Multi-level Access Control; Encryption; Monitoring & Alert; DBA Security

Application Security; Platform Security; Operating System Security

Governance Risk Compliance: Policy & Process Management; Enterprise Control; Compliance Analysis & Reporting; Audit Automation

Information Rights