Transcript Document
Oracle Identity Management [email protected] Senior Technical Sales Consultant NCAR/UCAR 20 June 2005 Agenda Security/IdM business drivers Oracle Identity Management – Oblix Demonstration of IdM Oracle Database 10g Where to go for more information 3 NCAR/UCAR 20 June 2005 Security and Identity Management Business Drivers 4 NCAR/UCAR 20 June 2005 State of Security – United States 90% of respondents* detected computer security breaches within the last twelve months. 80% of respondents acknowledged financial losses due to computer breaches. – – – $455,848,000 in quantifiable losses $170,827,000 theft of proprietary information $115,753,000 in financial fraud 74% cited their Internet connection as a frequent point of attack 33% cited internal systems as a frequent point of attack * Source: 2002 CSI/FBI Computer Crime and Security Survey 6 NCAR/UCAR 20 June 2005 10 x Cost for compliance by taking one-off versus integrated approach to compliance projects 7 NCAR/UCAR 20 June 2005 15-30% Percentage of support calls relating to forgotten passwords 8 NCAR/UCAR 20 June 2005 20% Percentage of active accounts belonging to employees or contractors that no longer work for the organization 9 NCAR/UCAR 20 June 2005 16 min Time per day, on average, signing into systems and being authenticated. This equals 2,666 employee hours in a typical 10,000 employee organization 10 NCAR/UCAR 20 June 2005 “If you spend more on coffee than on IT security, then you will be hacked …what's more, you deserve to be hacked!” Richard Clarke, 2002 Special Advisor to the President Cyberspace Security 11 NCAR/UCAR 20 June 2005 Security Drivers Government Regulations – Compliance Drivers Shortened Supply-Chain – Everything is Online, Everybody is Online Business Continuity – 24x7 availability Risk Mitigation – Assess what is at risk Ask your analysts to do a security TCO! 12 NCAR/UCAR 20 June 2005 Oracle’s Response Product and Process Security – – – Secure Installation & Configuration Independent Evaluations Secure Product Development Life Cycle Oracle Platform Security – – Oracle Database Security Oracle Application Server Security J2EE Security, Best practices for deployment – Oracle Identity Management LDAP Server, Single Sign On, Provisioning Solutions and Certificate Authority, Federation Oracle Identity Management 15 NCAR/UCAR 20 June 2005 LDAP and OID LDAP Data model, Naming model, functional model, security model LDAP protocol itself (connection oriented protocol) API for developing directory enabled applications LDIF – standard interchange format for directory data HTTP (lock step) vs. LDAP (in flight) LDAP standards define the wire protocol and the data model, but do not specify implementations considerations – many details are left up to directory vendors. Oracle Identity Management Includes LDAP v3 Directory Includes other pieces: Provisioning framework, Single-Sign on, Directory Integration, Certificate Authority, Oblix components 16 NCAR/UCAR 20 June 2005 Where does it all fit? 17 NCAR/UCAR 20 June 2005 Oracle Application Server 10g NCAR/UCAR 20 June 2005 Identity Management NCAR/UCAR 20 June 2005 Identity Management Components NCAR/UCAR 20 June 2005 Oracle Internet Directory Scalability – – Millions of users 1000’s of simultaneous clients High availability – – LDAP Clients Multimaster replication Hot backup/recovery, RAC, etc. OID Server Manageability – Multi-node monitoring Security – – – Comprehensive password policy Role / policy based access control Audit Extensibility (Plug-in framework) – – – Directory Admin Console Oracle Database Virtual attributes External authentication Custom password policies 21 NCAR/UCAR 20 June 2005 Directory Integration Service External Directories Sun1(iPlanet) Active Directory Oracle Internet Directory Directory Integration Service Oracle HR Oracle DB OpenLDAP eDirectory Connectors NCAR/UCAR 20 June 2005 Provisioning Integration Service Corporate HR ERP,CRM,… OID Helpdesk Admin Event Notification Engine Policy & Workflow Engine Portal Admin eMail Admin Provisioning Connectors (Employee Enrollment) Oracle Provisioning Integration Service Delegated Admin Service (Pswds, preferences) NCAR/UCAR 20 June 2005 Partner Provisioning System eMail Porta l Delegated Administration Services Admin console w/ role-based customization – – – User / group management End-user vs Admin views Admin delegation End-user self-service – – – Self service provisioning Set preferences, Org-chart Pswd reset Embeddable admin components – For integration with Apps Extensively configurable – – Accommodate new applications Customize UI views NCAR/UCAR 20 June 2005 OracleAS Single Sign-On OracleAS Enabled Environment ERP, CRM, … eMail Portal PKI, pwd, Win2K Native Auth… OracleAS Single Sign-on Partner SSO (Netegrity, RSA, Oblix) SecureID, Biokey Integrates Oracle and partner-SSO enabled apps Federation / Liberty Extranet OID NCAR/UCAR 20 June 2005 Partner SSO Enabled Environment OracleAS Certificate Authority Allows Oracle customers to secure their deployments Out-of-the-box PKI solution Easy provisioning of X.509v3 digital certificates for end users Web Based certificate management and administration Seamless integration with Oracle Application Server Single Sign-On & OID NCAR/UCAR 20 June 2005 User Oracle Single Sign-On Oracle Internet Directory Oracle Certificate Authority Secure IT Facility Infrastructure Database Oracle and Oblix COREid Access COREid Provisioning Web Single Sign-On Template-based workflow Flexible Authentication Methods Policy-based Authorization Agent and Agentless account provisioning Metadirectory synchronization Password synchronization Cross-platform connectivity COREid Identity User, Group, and Organization Management Delegated Administration Self Service and Self Registration Unified Workflow Identity Web Services Controls Password Management Benefits Increased Security Integrated solution Define and enforce security, administrative, and access control policies consistently across enterprise applications Increased Compliance Audit events across entire enterprise Who has access to which applications Access control managed per attribute Meet Sarbanes-Oxley, HIPAA, and GrammLeach-Bliley compliance COREid Reporting Increased Governance COREid Integration Pre-built Connectors – to leading application servers, web servers, portal servers, and directory servers “Data Anywhere” Configuration NCAR/UCAR 20 June 2005 Centralized auditing Pre-built identity and security reports Global View user access Robust logging framework Centralized policy definition with localized enforcement 27 Demonstration 28 NCAR/UCAR 20 June 2005 Oracle Database 10gR2 29 NCAR/UCAR 20 June 2005 Grid Computing Components Storage Database Servers Application Servers Provisioning and Management Tools 30 NCAR/UCAR 20 June 2005 Grid Roadmap Leverage Grid •Grid Control •Services ROI & TCO High ROI Low ROI Many application servers • Many servers • Many app server vendors • Many app server versions Leverage Clustering • RAC • OC4J clusters • ASM Consolidate schemas • Customer data hub • Oracle Fusion • Streams Upgrade to 9i/10g • Leverage TAF/FAN All Oracle • Standardize • Choose Grid platform servers Many databases • Many servers • Many database vendors • Many database versions Adaptable Infrastructure Reactive Managed Agile 31 Axes are for illustrative purposes only NCAR/UCAR 20 June 2005 Oracle 10g Real Application Clusters Many small servers act as one Capacity on demand – – Add/remove servers online Auto server allocation on failure Mission critical QoS on standard, low cost servers Scalable AND highly available Start small, grow incrementally Proven technology – – – Thousands of customers Supported by leading ISVs Runs on all platforms 32 NCAR/UCAR 20 June 2005 Oracle 10g Real Application Clusters Automatic Storage Management – – Database file system providing clustered volume management Integrated into the Oracle kernel Workload Management – Dynamic load balancing to meet service level policies Integrated clusterware stack – – – – – Easy to install and manage Lower cost, single vendor support Common features on all platforms, improved single system image Open to 3rd party clusterware Clusterware API 33 NCAR/UCAR 20 June 2005 Oracle Label Security Pre-enabled row level security – – – – Built on Virtual Private Database Label Based Access Control (LBAC) framework Based on stringent government and commercial requirements for row level security Data access is based on sensitivity labels and customizable enforcement options Leverages Identity Management for … – – – Labels Identities and roles Policy information 34 Other Oracle 10gR2 new features DBMS_Crypto package Upgrade Improvements DBUA Auditing Improvements Multiple EM improvements Database Backup to tape option Flashback Improvements: – Flashback Recovery Area (space quota) / RMAN – Database, Table and Row level Online Transportable Tablespace – Enables a DBA to copy or move a tablespace of data using the transportable tablespaces feature without making the tablespace read-only in the source database. 35 Oracle - Delivering Better Security Technology for > 25 years Identity Management On going Security Evaluations Fine Grained Auditing Oracle9iAS JAAS Oracle9iAS Single Sign-On Common Criteria (EAL4) Advanced Security FIPS 140 Oracle Label Security (2000) Virtual Private Database (1998) Enterprise User Security Oracle Internet Directory Database Encryption API Kerberos framework Support for PKI Radius Authentication Network Encryption Oracle Advanced Security introduced First Orange Book B1 evaluation (1993) Trusted Oracle7 Multilevel Secure Database (1992) Stored procedures and database roles (1992) Paranoid Customer 1977 NCAR/UCAR 20 June 2005 Commercial 2003 Need help? More Information? [email protected] 303.334.6684 http://www.oracle.com/technology/products/id _mgmt/index.html Oracle by Example Series: Oracle Application Server 10g (9.0.4): http://www.oracle.com/technology/obe/obe_as _10g/im/index.html Deploying Oracle Identity Management with Multi-Master Replication (white paper) 37 NCAR/UCAR 20 June 2005 38 NCAR/UCAR 20 June 2005 Supporting Slides NCAR/UCAR 20 June 2005 Platform Security Architecture 3rd Party Applications E-Business Suite Collaboration Suite OracleAS Portal /Wireless Authorization, Privacy, audit, …. Responsibilities, Roles …. S-MIME, Interpersonal Rights … Roles, Privilege Groups … Oracle Application Server External Security Services Access Management Directory Services Provisioning Services NCAR/UCAR 20 June 2005 JAAS, JACC, WS Security, … Oracle Database Enterprise users, VPD, Label Security Encryption, DB Audit Oracle Identity Management OracleAS Certificate Authority Delegated Administration Services Application Security OracleAS Single Sign-on Directory Integration & Provisioning Oracle Internet Directory Oracle Platform Security Oracle E-Business / IdM Integration Oracle E-Business Suite Release 11i Instances User Enrollment (Oracle) HR Account Provisioning Integration Oracle HR Sync Agent OracleAS Portal Partner Web App. User Browser OracleAS SSO OID & DIP Delegated Admin. NCAR/UCAR 20 June 2005 Identity Federation Enabling identities to be shared and propagated between different systems Allows individuals to “log-in” once to access resources on networks of different enterprises No need for central storage of personal information Organization authenticates its respective users and vouches for their access to third party organization’s services 43 NCAR/UCAR 20 June 2005 Federation Standards - Liberty Alliance Consortium of 150+ organizations developing open standards for federated network identity – includes technology, business guidelines, and best practices Oracle is a Sponsor Member of Liberty Alliance Liberty protocol defines two key functions – – Identity Provider(IDP): an entity that receives security-related requests and generates security assertions Service Provider(SP): an entity that generates security-related requests and consumes security assertions (that provides useful content to its clients) 44 NCAR/UCAR 20 June 2005 Federation Usage Scenario Financial services company – – – Retirement funds management 1,000+ partner companies Millions of end-user accounts Need to be able to keep up with employment status changes in real time with partner companies Want to provide users with transparent access to financial services through company portal 45 NCAR/UCAR 20 June 2005 Way it is Done Today 2. Click on Partner 401K link Company HR Database Batch Mode Data Transfer Partner Account Database 46 NCAR/UCAR 20 June 2005 Implementation Using Federated Identity Standards 2. Click on Partner 401K link 4. Federation Protocol Between Oracle SSO & Partner Web Site Partner website • Explicit login • Provision and manage customer employee account 47 NCAR/UCAR 20 June 2005 Oracle Consulting Services Identity management specialists – – Field sales Consulting services Benefits assessments Architectural assessments Implementation services 48 NCAR/UCAR 20 June 2005 Grid computing model Topology Manager Policy Manager Workload & QOS Manager Resource Manager Cross-Tier Routing BLADE FARM (Local Grid) High Speed Interconnect Dynamically Provisioned & Registered BLADES Identity Management Infrastructure NCAR/UCAR 20 June 2005 Oracle Security Platform Key component of Oracle’s overall security strategy Provides an integrated identity management infrastructure built upon Oracle’s “unbreakable” technology Centralizes security management of Oracle applications across the enterprise Provides a robust, standards-based platform for security services to the entire enterprise NCAR/UCAR 20 June 2005 Oracle Database Advanced Security Option Privacy Solutions – Data Protection over the wire Client to Server Mid tier to Server Dataguard (Primary to Standby) – JDBC (thick and thin), OCI Strong Authentication – – Strong alternatives to passwords Industry Standard Solutions PKI, Kerberos, RADIUS 51 NCAR/UCAR 20 June 2005 How Customers are Leveraging the Oracle Security Platform 52 NCAR/UCAR 20 June 2005 Customer Case Study Wireless Carrier Problem – – Subscriber directory for 25M cellular phone customers and phone number entries worldwide Plans to scale to 100M numbers Continuous availability required during frequent bulk updates Solution – Two Oracle Internet Directory instances with multi-master replication Why they chose Oracle – – Reliable, multi-master replication Continuous service availability during bulk provisioning operations 53 NCAR/UCAR 20 June 2005 Customer Case Study Government Lab Problem – – – Proliferation of web applications without any centralized management of security and identities Lots of Oracle Forms and Reports applications Semi-independent departments without any central IT organization Local privilege groups not to be visible outside department Solution – – – – Unified authentication for 5000 users across all web applications Centralized user enrollment Autonomous administration for department application security Local Identity Management instances for fail-over Why did they choose Oracle? – – Support for autonomous fan-out Identity Management instances Identity Management enablement for existing applications NCAR/UCAR 20 June 2005 54 Customer Case Study – Large Insurance Company Problem – – – – Over 80,000 employees, multi-million customers A mixed environment: MS desktops, BEA, Oracle & in-house Require single password for desktop as well as other apps Availability is critical Solution – – Oracle Internet Directory as directory hub AD integration, Transparent BEA based apps and custom apps Why did they choose Oracle? – – – Support for heterogeneous environment Scalability, high availability solutions Deployment on Linux 55 NCAR/UCAR 20 June 2005 Oracle Database 10g Virtual Private Database Column Relevant Policies – – Policy enforced only if specific columns are referenced Increases row level security granularity Select store_id, revenue… (enforce) NCAR/UCAR 20 June 2005 Store ID Revenue Inventory($M) AX703 10200.34 100 B789C 18020.34 150 JFS845 12341.34 200 SF78SD 13243.34 88 OK 56 Oracle Database 10g Virtual Private Database Column Filtering – Optional VPD configuration to return all rows but filter out column values in rows which don’t meet criteria Select revenue…..(enforce) NCAR/UCAR 20 June 2005 Store ID Revenue Inventory($M) AX703 10200.34 100 OK B789C 18020.34 150 OK JFS845 12341.34 200 OK SF78SD 13243.34 88 OK57 Oracle 10g Automatic Storage Management Dynamically allocates Database storage – Load balances database files across disks Rebalanced when storage configuration changes (with an optional WAIT) Capacity on demand – – Add/remove storage online Automatic i/o load balancing Enhanced data provisioning – – Support transportable tablespaces Eliminates storage fragmentation Fault tolerant, high performance – Automatically mirrors and stripes Low cost – – – – Less DBA work: no i/o tuning to do No volume manager or file system Better disk utilization Solved a lot of CW and 9i RAC issues 58 NCAR/UCAR 20 June 2005 ASM – How it Works No volumes: just a pool of storage – – Simplifies layout of datafiles, control files, redo log files and flash recovery area Single instance and RAC Partitions total disk space into uniform sized megabyte units Automatic Storage Management 59 NCAR/UCAR 20 June 2005 ASM – How it Works No volumes: just a pool of storage Partitions total disk space into uniform sized megabyte units Efficient, online add/remove of disk with automatic rebalancing – – ASM Wait on Rebalance Eliminates Storage Fragmentation Automatic Storage Management 60 NCAR/UCAR 20 June 2005 More on ASM ASM provides (platform independent): – – – – Services of a Filesystem Services of a Logical Volume Manager (LVM) Integrated into the Oracle kernel Provides software RAID in a platform-independent manner ASM can stripe and mirror your disks with a choice of redundancy Allows disks to be added or removed while the database is under load Automatically balances I/O to remove "hot spots“ Supports direct and asynchronous I/O Uses the Oracle Data Manager API (simplified I/O system call interface) introduced in Oracle9i 61 NCAR/UCAR 20 June 2005 More on ASM ASM can ONLY be used only for: – – – – Oracle Data Files Redo Logs Control Files Flash Recovery Area Files in ASM can be created and named automatically by the database or manually by the DBA. Files in ASM are not accessible to the O/S; Only way to perform backup and recovery on databases that use ASM files is through Recovery Manager (RMAN). Memory requirements for ASM are light: only 64 MB for most systems. Support for multiple Oracle database versions In RAC environments, an ASM instance must be running on each cluster node. Choice of Redundancy: – – – HIGH – when files are mirrored ASM makes 2 copies instead of the usual 1 copy. NORMAL – ASM provides an additional 1 copy of each file (conventional mirroring) EXTERNAL – we rely on external storage to provide any redundancy 62 NCAR/UCAR 20 June 2005 Automatic Workload Management Application workloads can be defined as Services – – – – – – Individually managed and controlled Assigned to instances during normal startup On instance failure, automatic re-assignment Service performance individually tracked Fine grained control with Resource Manager Rules can be defined dynamically 63 NCAR/UCAR 20 June 2005 Integrated Clusterware (CRS) Complete Oracle cluster software solution Single-vendor support Low Cost – – No need to purchase additional software Easy to install, manage Single Instance or RAC installs – CRS CD Common event and management API’s Support for third-party clusterware CRS requires two files to be shared among all of the hosts in the cluster: – – Services Framework Cluster Control/Recovery Messaging and Locking Connectivity Oracle Cluster Registry (100 MB) CRS Voting Disk (20 MB) 64 NCAR/UCAR 20 June 2005 Oracle Database Backup – Low Cost Tape Backup Oracle Backup ASM, Database Files, Recovery Areas and OS Files Performant, Low Cost Tape Backup NCAR/UCAR 20 June 2005 Low cost alternative to complex backup products Best integrated end-to-end backup of Oracle Databases Scalable to low 100’s of servers, 10’s of millions of files Easy to manage – EM 10g and RMAN Bundled with Oracle Database - Single vendor support Block Change Tracking – incremental backups 65 Flashback Database Accessible via RMAN & SQL*Plus SQL> FLASHBACK DATABASE to ‘2:05 PM’ Disk Write Flash Recovery Area – New Block Version Old Block Version Data Files Flash Recovery Holds old block contents Unified storage location for recovery related files Flashback Database logs Redo Archive logs RMAN backups Restores just changed blocks “Rewind” button for the Database 66 NCAR/UCAR 20 June 2005 Flashback Time Navigation Flashback Query – see data at a point in time Select * from Emp AS OF ‘2:00 P.M.’ where … Flashback Transaction Query – see all changes made by a transaction Tx 3 Select * from DBA_TRANSACTION_QUERY where xid = ‘000200030000002D’; Tx 2 Tx 1 Flashback Row Versions - see all versions of a row between two times, and the transactions that changed the row Select * from Emp VERSIONS BETWEEN ‘2:00 PM’ and ‘3:00 PM’ where … 67 NCAR/UCAR 20 June 2005 Enterprise Manager Grid Control Monitor and manage Grid-wide view End-to-end Top-to-bottom Manage from a Browser EM2Go From anywhere … or a PDA 68 NCAR/UCAR 20 June 2005 Manage Groups as One Single-view management and monitoring across components Standardize policies Applications – Configuration – Performance – Security Automate processes Sets of Systems Automated patch management 69 NCAR/UCAR 20 June 2005 Managing the Software Life Cycle Oracle Inventory Software Configurations View/Search Enterprise Manager Grid Control Hardware Configurations Compare/Diff Change Tracking Reference Configurations Install/Clone Oracle.com Configure Product Updates Patch Secure Over 20% of downtime attributable to human configuration errors Patches Product Configuration 70 NCAR/UCAR 20 June 2005 Service Level Management Monitor End-user Experience Availability Performance External Network Internal Network Monitor Application Click-to-EJB J2EE Activity App Content App Server Monitor Database Click-to-SQL Drilldowns Database 71 NCAR/UCAR 20 June 2005 Self-Managing Database 10g ASM Alerts & Advisories Automatic Tasks Built-in intelligent infrastructure – – – Workload Repository Self-aware performance analysis Proactive server alerts Automatic tasks Automatic Database Diagnostic Monitor – Expert engine in the database Automatic SQL tuning – Optimize packaged and custom applications 72 NCAR/UCAR 20 June 2005 Self-Optimizing SQL Packaged & Custom Applications Customizable Applications Proven Cost-Based Optimizer Self-Optimizing SQL Packaged & Custom Applications Customizable Applications High-load SQL Proven Cost-Based Optimizer Access Advisor Suggested Indexes & MVs Better Performance Self-Optimizing SQL Packaged & Custom Applications Customizable Applications High-load SQL Proven Cost-Based Optimizer Auto SQL Analysis SQL Advice -> Better SQL Access Advisor Suggested Indexes & MVs Better Performance Self-Optimizing SQL Packaged & Custom Applications Customizable Applications High-load SQL Proven Cost-Based Optimizer Auto SQL Tuning SQL Profile -> Improved Plan Auto SQL Analysis SQL Advice -> Better SQL Access Advisor Suggested Indexes & MVs Better Performance Flashback Error Correction Database Customer Database Level – Flashback Database restores the whole database to time Uses Flashback Logs Table Level – – Order Flashback Table restores rows in a set of tables to time UNDO_RETENTION Maintains data integrity and constraints Flashback Drop restores a dropped table or a index Recycle bin for DROPs Row Level – Flashback Rows restores rows to time Uses Flashback Query Select * from Emp AS OF ‘2:00 P.M.’ where … 77 NCAR/UCAR 20 June 2005