Transcript Document
Oracle Identity Management
[email protected]
Senior Technical Sales Consultant
NCAR/UCAR 20 June 2005
Agenda
• Security/IdM business drivers
• Oracle Identity Management
  – Oblix
• Demonstration of IdM
• Oracle Database 10g
• Where to go for more information
Security and Identity Management Business Drivers
State of Security – United States
• 90% of respondents* detected computer security breaches within the last twelve months.
• 80% of respondents acknowledged financial losses due to computer breaches.
  – $455,848,000 in quantifiable losses
  – $170,827,000 theft of proprietary information
  – $115,753,000 in financial fraud
• 74% cited their Internet connection as a frequent point of attack
• 33% cited internal systems as a frequent point of attack
* Source: 2002 CSI/FBI Computer Crime and Security Survey
10x: Cost for compliance by taking a one-off versus integrated approach to compliance projects
15-30%: Percentage of support calls relating to forgotten passwords
20%: Percentage of active accounts belonging to employees or contractors that no longer work for the organization
16 min: Time per day, on average, signing into systems and being authenticated. This equals 2,666 employee hours in a typical 10,000 employee organization
“If you spend more on coffee than on IT security, then you will be hacked … what's more, you deserve to be hacked!”
Richard Clarke, 2002, Special Advisor to the President, Cyberspace Security
Security Drivers
• Government Regulations
  – Compliance Drivers
• Shortened Supply-Chain
  – Everything is Online, Everybody is Online
• Business Continuity
  – 24x7 availability
• Risk Mitigation
  – Assess what is at risk
Ask your analysts to do a security TCO!
Oracle’s Response
• Product and Process Security
  – Secure Installation & Configuration
  – Independent Evaluations
  – Secure Product Development Life Cycle
• Oracle Platform Security
  – Oracle Database Security
  – Oracle Application Server Security: J2EE Security, Best practices for deployment
  – Oracle Identity Management: LDAP Server, Single Sign On, Provisioning Solutions and Certificate Authority, Federation

Oracle Identity Management
LDAP and OID
• LDAP
  – Data model, Naming model, functional model, security model
  – LDAP protocol itself (connection oriented protocol)
  – API for developing directory enabled applications
  – LDIF – standard interchange format for directory data
  – HTTP (lock step) vs. LDAP (in flight)
  – LDAP standards define the wire protocol and the data model, but do not specify implementation considerations – many details are left up to directory vendors.
• Oracle Identity Management
  – Includes LDAP v3 Directory
  – Includes other pieces: Provisioning framework, Single-Sign on, Directory Integration, Certificate Authority, Oblix components
Where does it all fit?
(Diagram slides: Oracle Application Server 10g; Identity Management; Identity Management Components)
Oracle Internet Directory
• Scalability
  – Millions of users
  – 1000’s of simultaneous clients
• High availability
  – Multimaster replication
  – Hot backup/recovery, RAC, etc.
• Manageability
  – Multi-node monitoring
• Security
  – Comprehensive password policy
  – Role / policy based access control
  – Audit
• Extensibility (Plug-in framework)
  – Virtual attributes
  – External authentication
  – Custom password policies
(Diagram: LDAP Clients and the Directory Admin Console talk to the OID Server, which stores its data in the Oracle Database)
Directory Integration Service
(Diagram: Oracle Internet Directory is linked through the Directory Integration Service and its connectors to external directories – Sun1 (iPlanet), Active Directory, OpenLDAP, eDirectory – and to Oracle HR and Oracle DB)
Provisioning Integration Service
(Diagram: Corporate HR, ERP, CRM, … feed the Oracle Provisioning Integration Service through Provisioning Connectors (Employee Enrollment); its Event Notification Engine and Policy & Workflow Engine, working against OID, drive the Helpdesk Admin, Portal Admin, eMail Admin and a Partner Provisioning System (eMail, Portal); the Delegated Admin Service handles passwords and preferences)
Delegated Administration Services
• Admin console w/ role-based customization
  – User / group management
  – End-user vs Admin views
  – Admin delegation
• End-user self-service
  – Self service provisioning
  – Set preferences, Org-chart
  – Pswd reset
• Embeddable admin components
  – For integration with Apps
• Extensively configurable
  – Accommodate new applications
  – Customize UI views
OracleAS Single Sign-On
(Diagram: OracleAS Single Sign-On, backed by OID, accepts PKI, passwords, Win2K Native Auth, SecureID and Biokey, and works with partner SSO products (Netegrity, RSA, Oblix); it integrates Oracle and partner-SSO enabled apps across the OracleAS enabled environment (ERP, CRM, …, eMail, Portal) and the partner SSO enabled environment, with Federation / Liberty reaching the extranet)
OracleAS Certificate Authority
• Allows Oracle customers to secure their deployments
• Out-of-the-box PKI solution
• Easy provisioning of X.509v3 digital certificates for end users
• Web Based certificate management and administration
• Seamless integration with Oracle Application Server Single Sign-On & OID
(Diagram: User, Oracle Single Sign-On, Oracle Internet Directory and Oracle Certificate Authority within the Secure IT Facility Infrastructure, in front of the Database)
Oracle and Oblix
• COREid Access
  – Web Single Sign-On
  – Flexible Authentication Methods
  – Policy-based Authorization
• COREid Provisioning
  – Template-based workflow
  – Agent and Agentless account provisioning
  – Metadirectory synchronization
  – Password synchronization
  – Cross-platform connectivity
• COREid Identity
  – User, Group, and Organization Management
  – Delegated Administration
  – Self Service and Self Registration
  – Unified Workflow
  – Identity Web Services Controls
  – Password Management
• COREid Reporting
  – Centralized auditing
  – Pre-built identity and security reports
  – Global View user access
  – Robust logging framework
• COREid Integration
  – Pre-built Connectors – to leading application servers, web servers, portal servers, and directory servers
  – “Data Anywhere” Configuration
  – Centralized policy definition with localized enforcement
Benefits
• Increased Security
  – Integrated solution
  – Define and enforce security, administrative, and access control policies consistently across enterprise applications
• Increased Compliance
  – Audit events across entire enterprise
  – Who has access to which applications
  – Access control managed per attribute
  – Meet Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley compliance
• Increased Governance
Demonstration

Oracle Database 10gR2
Grid Computing Components
• Storage
• Database Servers
• Application Servers
• Provisioning and Management Tools
Grid Roadmap
(Chart: ROI & TCO, from Low ROI to High ROI, plotted against infrastructure maturity – Reactive, Managed, Agile / Adaptable Infrastructure. Axes are for illustrative purposes only.)
• Leverage Grid: Grid Control, Services
• Many application servers: many servers, many app server vendors, many app server versions
• Leverage Clustering: RAC, OC4J clusters, ASM
• Consolidate schemas: Customer data hub, Oracle Fusion, Streams
• Upgrade to 9i/10g: leverage TAF/FAN
• All Oracle: standardize, choose Grid platform servers
• Many databases: many servers, many database vendors, many database versions
Oracle 10g Real Application Clusters
• Many small servers act as one
• Capacity on demand
  – Add/remove servers online
  – Auto server allocation on failure
• Mission critical QoS on standard, low cost servers
• Scalable AND highly available
• Start small, grow incrementally
• Proven technology
  – Thousands of customers
  – Supported by leading ISVs
  – Runs on all platforms
Oracle 10g Real Application Clusters
• Automatic Storage Management
  – Database file system providing clustered volume management
  – Integrated into the Oracle kernel
• Workload Management
  – Dynamic load balancing to meet service level policies
• Integrated clusterware stack
  – Easy to install and manage
  – Lower cost, single vendor support
  – Common features on all platforms, improved single system image
  – Open to 3rd party clusterware
  – Clusterware API
Oracle Label Security
• Pre-enabled row level security
  – Built on Virtual Private Database
  – Label Based Access Control (LBAC) framework
  – Based on stringent government and commercial requirements for row level security
  – Data access is based on sensitivity labels and customizable enforcement options
• Leverages Identity Management for …
  – Labels
  – Identities and roles
  – Policy information
Other Oracle 10gR2 new features
• DBMS_Crypto package
• Upgrade Improvements DBUA
• Auditing Improvements
• Multiple EM improvements
• Database Backup to tape option
• Flashback Improvements:
  – Flashback Recovery Area (space quota) / RMAN
  – Database, Table and Row level
• Online Transportable Tablespace
  – Enables a DBA to copy or move a tablespace of data using the transportable tablespaces feature without making the tablespace read-only in the source database.
Oracle - Delivering Better Security Technology for > 25 years
(Timeline from 1977, “Paranoid Customer”, to 2003, “Commercial”; newest first:)
• Identity Management
• On going Security Evaluations
• Fine Grained Auditing
• Oracle9iAS JAAS
• Oracle9iAS Single Sign-On
• Common Criteria (EAL4)
• Advanced Security FIPS 140
• Oracle Label Security (2000)
• Virtual Private Database (1998)
• Enterprise User Security
• Oracle Internet Directory
• Database Encryption API
• Kerberos framework
• Support for PKI
• Radius Authentication
• Network Encryption
• Oracle Advanced Security introduced
• First Orange Book B1 evaluation (1993)
• Trusted Oracle7 Multilevel Secure Database (1992)
• Stored procedures and database roles (1992)
Need help? More Information?
• [email protected] 303.334.6684
• http://www.oracle.com/technology/products/id_mgmt/index.html
• Oracle by Example Series: Oracle Application Server 10g (9.0.4): http://www.oracle.com/technology/obe/obe_as_10g/im/index.html
• Deploying Oracle Identity Management with Multi-Master Replication (white paper)
Supporting Slides
Platform Security Architecture
(Diagram: 3rd Party Applications (Authorization, Privacy, audit, …), E-Business Suite (Responsibilities, Roles …), Collaboration Suite (S-MIME, Interpersonal Rights …) and OracleAS Portal/Wireless (Roles, Privilege Groups …) sit on Oracle Application Server (JAAS, JACC, WS Security, …) and Oracle Database (Enterprise users, VPD, Label Security, Encryption, DB Audit). Oracle Identity Management supplies External Security Services, Access Management, Directory Services and Provisioning Services through OracleAS Certificate Authority, Delegated Administration Services, OracleAS Single Sign-on, Directory Integration & Provisioning and Oracle Internet Directory; together these make up Oracle Platform Security and Application Security.)
Oracle E-Business / IdM Integration
(Diagram: User Enrollment in (Oracle) HR flows through Account Provisioning Integration and the Oracle HR Sync Agent into OID & DIP; Oracle E-Business Suite Release 11i Instances, OracleAS Portal and a Partner Web App. authenticate the User Browser through OracleAS SSO; Delegated Admin. administers OID)
Identity Federation
• Enabling identities to be shared and propagated between different systems
• Allows individuals to “log-in” once to access resources on networks of different enterprises
• No need for central storage of personal information
• Organization authenticates its respective users and vouches for their access to third party organization’s services
Federation Standards - Liberty Alliance
• Consortium of 150+ organizations developing open standards for federated network identity
  – includes technology, business guidelines, and best practices
• Oracle is a Sponsor Member of Liberty Alliance
• Liberty protocol defines two key functions
  – Identity Provider (IDP): an entity that receives security-related requests and generates security assertions
  – Service Provider (SP): an entity that generates security-related requests and consumes security assertions (that provides useful content to its clients)
Federation Usage Scenario
• Financial services company
  – Retirement funds management
  – 1,000+ partner companies
  – Millions of end-user accounts
• Need to be able to keep up with employment status changes in real time with partner companies
• Want to provide users with transparent access to financial services through company portal
Way it is Done Today
(Diagram: step 2, Click on Partner 401K link; the Company HR Database sends data to the Partner Account Database by batch mode data transfer)

Implementation Using Federated Identity Standards
(Diagram: step 2, Click on Partner 401K link; step 4, Federation Protocol Between Oracle SSO & Partner Web Site. Partner website: explicit login; provision and manage customer employee account)
Oracle Consulting Services
• Identity management specialists
  – Field sales
  – Consulting services
• Benefits assessments
• Architectural assessments
• Implementation services
Grid computing model
(Diagram: Topology Manager, Policy Manager, Workload & QOS Manager and Resource Manager with Cross-Tier Routing over a Blade Farm (Local Grid) of dynamically provisioned & registered blades on a high speed interconnect, all resting on the Identity Management Infrastructure)
Oracle Security Platform
• Key component of Oracle’s overall security strategy
• Provides an integrated identity management infrastructure built upon Oracle’s “unbreakable” technology
• Centralizes security management of Oracle applications across the enterprise
• Provides a robust, standards-based platform for security services to the entire enterprise
Oracle Database Advanced Security Option
• Privacy Solutions
  – Data Protection over the wire: Client to Server, Mid tier to Server, Dataguard (Primary to Standby)
  – JDBC (thick and thin), OCI
• Strong Authentication
  – Strong alternatives to passwords
  – Industry Standard Solutions: PKI, Kerberos, RADIUS
How Customers are Leveraging the Oracle Security Platform
Customer Case Study – Wireless Carrier
• Problem
  – Subscriber directory for 25M cellular phone customers and phone number entries worldwide
  – Plans to scale to 100M numbers
  – Continuous availability required during frequent bulk updates
• Solution
  – Two Oracle Internet Directory instances with multi-master replication
• Why they chose Oracle
  – Reliable, multi-master replication
  – Continuous service availability during bulk provisioning operations
Customer Case Study – Government Lab
• Problem
  – Proliferation of web applications without any centralized management of security and identities
  – Lots of Oracle Forms and Reports applications
  – Semi-independent departments without any central IT organization
  – Local privilege groups not to be visible outside department
• Solution
  – Unified authentication for 5000 users across all web applications
  – Centralized user enrollment
  – Autonomous administration for department application security
  – Local Identity Management instances for fail-over
• Why did they choose Oracle?
  – Support for autonomous fan-out Identity Management instances
  – Identity Management enablement for existing applications
Customer Case Study – Large Insurance Company
• Problem
  – Over 80,000 employees, multi-million customers
  – A mixed environment: MS desktops, BEA, Oracle & in-house
  – Require single password for desktop as well as other apps
  – Availability is critical
• Solution
  – Oracle Internet Directory as directory hub
  – AD integration, Transparent BEA based apps and custom apps
• Why did they choose Oracle?
  – Support for heterogeneous environment
  – Scalability, high availability solutions
  – Deployment on Linux
Oracle Database 10g Virtual Private Database
• Column Relevant Policies
  – Policy enforced only if specific columns are referenced
  – Increases row level security granularity
Example: Select store_id, revenue… references a relevant column, so the policy is enforced (OK) on the rows:

Store ID | Revenue  | Inventory($M)
AX703    | 10200.34 | 100
B789C    | 18020.34 | 150
JFS845   | 12341.34 | 200
SF78SD   | 13243.34 | 88
Oracle Database 10g Virtual Private Database
• Column Filtering
  – Optional VPD configuration to return all rows but filter out column values in rows which don’t meet criteria
Example: Select revenue….. (enforce) returns every row (OK) and filters only the column value:

Store ID | Revenue  | Inventory($M) | Row
AX703    | 10200.34 | 100           | OK
B789C    | 18020.34 | 150           | OK
JFS845   | 12341.34 | 200           | OK
SF78SD   | 13243.34 | 88            | OK
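The two VPD slides above describe the behaviour without showing the configuration. The following is an added example, not from the deck: it builds a constructed STORES table matching the slides and attaches both kinds of policy with DBMS_RLS.ADD_POLICY. Table, column, user and policy names are assumed, and the session needs EXECUTE on DBMS_RLS.

```sql
-- Added example (not from the slides). Constructed table: each store row is
-- owned by a MANAGER; the policy lets a session see REVENUE only for its own stores.
CREATE TABLE stores (
  store_id    VARCHAR2(10) PRIMARY KEY,
  revenue     NUMBER(12,2),
  inventory_m NUMBER,
  manager     VARCHAR2(30)          -- assumed column, holds a database user name
);
INSERT INTO stores VALUES ('AX703',  10200.34, 100, 'ALICE');
INSERT INTO stores VALUES ('B789C',  18020.34, 150, 'BOB');
INSERT INTO stores VALUES ('JFS845', 12341.34, 200, 'ALICE');
INSERT INTO stores VALUES ('SF78SD', 13243.34,  88, 'CAROL');
COMMIT;

-- Policy function: VPD calls it with (schema, object) and appends the returned
-- predicate to the statement. SESSION_USER is the standard USERENV attribute.
CREATE OR REPLACE FUNCTION store_revenue_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'manager = SYS_CONTEXT(''USERENV'',''SESSION_USER'')';
END;
/

-- 1) Column-relevant policy ("Column Relevant Policies" slide): the predicate
--    is applied only when REVENUE is referenced. SELECT store_id, inventory_m
--    still returns all four rows; SELECT store_id, revenue returns only the
--    caller's own rows, because rows, not columns, are filtered.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => USER,
    object_name       => 'STORES',
    policy_name       => 'STORES_REVENUE_ROWS',
    function_schema   => USER,
    policy_function   => 'STORE_REVENUE_POLICY',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'REVENUE');
END;
/

-- 2) Column masking ("Column Filtering" slide): same predicate, but with
--    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS every row is returned and
--    REVENUE comes back NULL in rows that fail the predicate. The first policy
--    is dropped so the two do not stack on the same SELECT.
BEGIN
  DBMS_RLS.DROP_POLICY(USER, 'STORES', 'STORES_REVENUE_ROWS');
  DBMS_RLS.ADD_POLICY(
    object_schema         => USER,
    object_name           => 'STORES',
    policy_name           => 'STORES_REVENUE_MASK',
    function_schema       => USER,
    policy_function       => 'STORE_REVENUE_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'REVENUE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Check what is actually enforced on the table (USER_POLICIES is the catalog view).
SELECT policy_name, sel, enable FROM user_policies WHERE object_name = 'STORES';
```

Verify from an ordinary application account: SYS and any user holding EXEMPT ACCESS POLICY bypass VPD, so a check run as a DBA says nothing about what application users see.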
Oracle 10g Automatic Storage Management
• Dynamically allocates Database storage
  – Load balances database files across disks; rebalanced when storage configuration changes (with an optional WAIT)
• Capacity on demand
  – Add/remove storage online
  – Automatic I/O load balancing
• Enhanced data provisioning
  – Support transportable tablespaces
  – Eliminates storage fragmentation
• Fault tolerant, high performance
  – Automatically mirrors and stripes
• Low cost
  – Less DBA work: no I/O tuning to do
  – No volume manager or file system
  – Better disk utilization
  – Solved a lot of CW and 9i RAC issues
ASM – How it Works
• No volumes: just a pool of storage
  – Simplifies layout of datafiles, control files, redo log files and flash recovery area
  – Single instance and RAC
• Partitions total disk space into uniform sized megabyte units
• Efficient, online add/remove of disk with automatic rebalancing
  – ASM Wait on Rebalance
  – Eliminates Storage Fragmentation
(Diagram: Automatic Storage Management)
More on ASM
• ASM provides (platform independent):
  – Services of a Filesystem
  – Services of a Logical Volume Manager (LVM)
  – Integrated into the Oracle kernel
  – Provides software RAID in a platform-independent manner
• ASM can stripe and mirror your disks with a choice of redundancy
• Allows disks to be added or removed while the database is under load
• Automatically balances I/O to remove "hot spots"
• Supports direct and asynchronous I/O
• Uses the Oracle Data Manager API (simplified I/O system call interface) introduced in Oracle9i
More on ASM
• ASM can ONLY be used for:
  – Oracle Data Files
  – Redo Logs
  – Control Files
  – Flash Recovery Area
• Files in ASM can be created and named automatically by the database or manually by the DBA.
• Files in ASM are not accessible to the O/S; the only way to perform backup and recovery on databases that use ASM files is through Recovery Manager (RMAN).
• Memory requirements for ASM are light: only 64 MB for most systems.
• Support for multiple Oracle database versions
• In RAC environments, an ASM instance must be running on each cluster node.
• Choice of Redundancy:
  – HIGH – when files are mirrored ASM makes 2 copies instead of the usual 1 copy.
  – NORMAL – ASM provides an additional 1 copy of each file (conventional mirroring)
  – EXTERNAL – we rely on external storage to provide any redundancy
Automatic Workload Management
• Application workloads can be defined as Services
  – Individually managed and controlled
  – Assigned to instances during normal startup
  – On instance failure, automatic re-assignment
  – Service performance individually tracked
  – Fine grained control with Resource Manager
  – Rules can be defined dynamically
Integrated Clusterware (CRS)
• Complete Oracle cluster software solution
  – Services Framework
  – Cluster Control/Recovery
  – Messaging and Locking
  – Connectivity
• Single-vendor support
• Low Cost
  – No need to purchase additional software
  – Easy to install, manage
• Single Instance or RAC installs
  – CRS CD
• Common event and management API’s
• Support for third-party clusterware
• CRS requires two files to be shared among all of the hosts in the cluster:
  – Oracle Cluster Registry (100 MB)
  – CRS Voting Disk (20 MB)
Oracle Database Backup – Low Cost Tape Backup
(Diagram: Oracle Backup takes ASM, Database Files, Recovery Areas and OS Files to performant, low cost tape backup)
• Low cost alternative to complex backup products
• Best integrated end-to-end backup of Oracle Databases
• Scalable to low 100’s of servers, 10’s of millions of files
• Easy to manage – EM 10g and RMAN
• Bundled with Oracle Database - Single vendor support
• Block Change Tracking – incremental backups
Flashback Database
• Accessible via RMAN & SQL*Plus
    SQL> FLASHBACK DATABASE to '2:05 PM'
• Flash Recovery Area
  – Holds old block contents
  – Unified storage location for recovery related files: Flashback Database logs, Redo Archive logs, RMAN backups
• Restores just changed blocks
• “Rewind” button for the Database
(Diagram: on a disk write the new block version goes to the Data Files while the old block version is kept in the Flash Recovery Area)
Flashback Time Navigation
• Flashback Query – see data at a point in time
    Select * from Emp AS OF '2:00 P.M.' where …
• Flashback Transaction Query – see all changes made by a transaction
    Select * from DBA_TRANSACTION_QUERY where xid = '000200030000002D';
• Flashback Row Versions - see all versions of a row between two times, and the transactions that changed the row
    Select * from Emp VERSIONS BETWEEN '2:00 PM' and '3:00 PM' where …
(Diagram: transactions Tx 1, Tx 2, Tx 3 along a timeline)
Enterprise Manager Grid Control
• Monitor and manage
  – Grid-wide view
  – End-to-end
  – Top-to-bottom
• Manage from a Browser, from anywhere … or a PDA (EM2Go)
Manage Groups as One
• Single-view management and monitoring across components
• Standardize policies
  – Configuration
  – Performance
  – Security
• Automate processes
  – Automated patch management
(Diagram: Applications; Sets of Systems)
Managing the Software Life Cycle
(Diagram: Enterprise Manager Grid Control keeps the Oracle Inventory of software and hardware configurations – View/Search, Compare/Diff, Change Tracking, Reference Configurations – and drives Install/Clone, Configure, Patch and Secure, pulling Product Updates and Patches from Oracle.com)
• Over 20% of downtime attributable to human configuration errors
Service Level Management
(Diagram: Monitor End-user Experience – availability and performance across the external and internal network; Monitor Application – Click-to-EJB, J2EE activity, app content, app server; Monitor Database – Click-to-SQL drilldowns)
Self-Managing Database 10g
• Built-in intelligent infrastructure
  – Self-aware performance analysis
  – Proactive server alerts
  – Automatic tasks
• Automatic Database Diagnostic Monitor
  – Expert engine in the database
• Automatic SQL tuning
  – Optimize packaged and custom applications
(Diagram: ASM, Alerts & Advisories, Automatic Tasks, Workload Repository)
Self-Optimizing SQL
(Diagram, built up over four slides: Packaged & Custom Applications and Customizable Applications send High-load SQL through the Proven Cost-Based Optimizer; Auto SQL Tuning yields a SQL Profile -> Improved Plan, Auto SQL Analysis yields SQL Advice -> Better SQL, and the Access Advisor yields Suggested Indexes & MVs; the result is Better Performance)
Flashback Error Correction
• Database Level
  – Flashback Database restores the whole database to time
  – Uses Flashback Logs
• Table Level
  – Flashback Table restores rows in a set of tables to time
  – Uses UNDO_RETENTION
  – Maintains data integrity and constraints
  – Flashback Drop restores a dropped table or an index
  – Recycle bin for DROPs
• Row Level
  – Flashback Rows restores rows to time
  – Uses Flashback Query
    Select * from Emp AS OF '2:00 P.M.' where …
(Diagram: Database with Customer and Order tables)
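The Flashback Time Navigation slide and the Flashback Error Correction slide above give the syntax in outline. The following is an added example, not from the deck, that runs the three query forms against a constructed EMP table to find who changed a row and then rewinds the table; it uses FLASHBACK_TRANSACTION_QUERY, the view name as I know it (the slide writes DBA_TRANSACTION_QUERY). Assumed: SQL*Plus, EXECUTE on DBMS_FLASHBACK, SELECT ANY TRANSACTION, and supplemental logging enabled so UNDO_SQL is populated.

```sql
-- Added example (not from the slides). Constructed table and rows.
CREATE TABLE emp (empno NUMBER PRIMARY KEY, ename VARCHAR2(20), sal NUMBER);
INSERT INTO emp VALUES (7369, 'SMITH', 800);
INSERT INTO emp VALUES (7499, 'ALLEN', 1600);
COMMIT;

-- Record the SCN of the known-good state (in a real incident this comes from
-- the time the problem was reported or from a backup record).
VARIABLE before_scn NUMBER
EXEC :before_scn := DBMS_FLASHBACK.GET_SYSTEM_CHANGE_NUMBER;

-- Simulated unexpected change, committed by some session.
UPDATE emp SET sal = 99000 WHERE empno = 7369;
COMMIT;

-- 1) Flashback Query: the row as it stood at the known-good SCN.
SELECT empno, sal FROM emp AS OF SCN :before_scn WHERE empno = 7369;

-- 2) Flashback Row Versions: every version of the row since that SCN; the
--    VERSIONS_* pseudo-columns give the operation and the transaction id.
SELECT versions_startscn, versions_operation, versions_xid, sal
  FROM emp VERSIONS BETWEEN SCN :before_scn AND MAXVALUE
 WHERE empno = 7369
 ORDER BY versions_startscn NULLS FIRST;

-- 3) Flashback Transaction Query: who committed the transaction found in
--    step 2 and the SQL that reverses it. XID is RAW, so it is matched
--    directly against VERSIONS_XID instead of a typed-in literal.
SELECT logon_user, start_timestamp, commit_timestamp, operation, undo_sql
  FROM flashback_transaction_query
 WHERE xid IN (SELECT versions_xid
                 FROM emp VERSIONS BETWEEN SCN :before_scn AND MAXVALUE
                WHERE empno = 7369 AND versions_xid IS NOT NULL);

-- 4) Flashback Table rewinds the rows from undo (bounded by UNDO_RETENTION)
--    while keeping constraints. It is DDL, so the bind variable cannot be
--    used in the statement directly; row movement must be enabled first.
ALTER TABLE emp ENABLE ROW MOVEMENT;
BEGIN
  EXECUTE IMMEDIATE 'FLASHBACK TABLE emp TO SCN ' || :before_scn;
END;
/
SELECT empno, sal FROM emp WHERE empno = 7369;
```

Step 3 is the forensic record worth keeping (LOGON_USER and the timestamps) before step 4 overwrites the current row; the flashback itself does not remove the audit trail in undo or the redo logs.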