7/17/2019 WRC07028.pps
http://slidepdf.com/reader/full/wrc07028pps 1/30
Securing Universities from Internal and External Threats:
An Introduction to Oracle Identity Management
Kwesi Edwards, Principal Security Architect, Oracle Higher Education
Raanan Dagan, Senior Solution Architect, Identity Management and Security Products
Educause West 2007
Disclaimer
• This work is the intellectual property of Oracle Corp. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Oracle Corp. To disseminate otherwise or to republish requires written permission from the author.
Agenda
• University Challenges
• Identity Management Defined
• Oracle solutions
• Q&A
Why is Security and Compliance important in Higher Education today?
1. Educause says it is: #1 issue in Current Issues 2006 survey
2. US Government says it is: (FERPA, HIPAA, GLB, Patriot Act, California SB 1386)
3. The Student Lifecycle - On-boarding, provisioning, alumni
   • Research
   • "Spirit of Sharing Information"
4. Hackers make it so
Higher Education Identity Breach Statistics: Feb 2005 - July 2006

2005 Examples
Name                Type          ID's Impacted
UC Berkeley         Stolen asset  98,400
Boston College      Hacking       120,000
Northwestern        Hacking       21,000
U of Utah           Hacking       100,000
Cal State           Hacking       59,000
U of Colorado       Hacking       49,000
Univ of Chicago     Insider       Unknown
Tufts Univ          Hacking       106,000
Carnegie Mellon     Hacking       19,000
Georgia Southern    Hacking       10,000s
OSU                 Stolen asset  37,000
Kent State          Hacking       100,000
U of Iowa           Hacking       30,000
U of Hawaii         Insider       150,000

2006 Examples
Name                Type          ID's Impacted
Georgetown          Hacking       41,000
Vermont State       Hacking       14,000
U of Alaska         Hacking       39,000
U of Texas          Hacking       197,000
Ohio University     Hacking       300,000
Ohio University     Hacking       60,000
Western Ill Univ    Hacking       180,000
U of Penn           Hacking       36,000
Northwestern        Hacking       17,000
UCLA                Hacking       800,000
Georgetown Hosp     Hacking       30,000

2007 Examples
Name                Type          ID's Impacted
UC San Francisco    Hacking       46,000

Plus an additional
• 31 schools in 2005 and
• 30 schools in 2006
Number of Incidents: [figure illegible]
Several CIOs "re-assigned"
Number of Identities: [figure illegible]
Source: Privacy Rights Clearing House, August 5, 2006
Campus Computing 2005 IT Survey
• One-Third of Universities report Network and data security as the #1 most important IT issue (30.4% in 2005, 21.2% in 2004)
• Highest concern for public four year colleges, where 44.1% identify IT security as #1 issue
• Over half of Universities report Network Hacks or attacks: 50.7% experienced hacks or attacks on campus in 2005
• One fifth of schools [percentage illegible] report major security incidents involving identity management.
• Two-Thirds [percentage illegible] of Universities report gains in IT security budgets (up from 59.5% in 2004).
Source: Campus Computing 2005 National Survey of Information Technology in US Higher Education
ECAR Significant Findings
"We found that, despite challenges involving resources... responding institutions are deeply engaged in IdM activities... and nearly all said they were at least considering implementing... at the same time we found fully operational IdM technologies was relatively rare."
"...in every case, capability to deliver rated lower..."
"Existence of this capability gap... because the political or financial costs of optimizing are too high"
Identity Management in Higher Education: A Baseline Study, Ronald Yanosky with Gail Salaway
Higher Education Challenges: Common Control Deficiencies
1. Delays in terminating access
2. Built up privileges over time
3. Difficulty managing groups and roles
4. Managing access authorization is oftentimes manual (paper based or email)
5. Password policies not enforced across all systems
Identity Management Solution
Oracle's Security Strategy
• Complete, unified security solution
• No point product integration required
• Common security across applications and data
• Protecting business processes and web services (SOA)
• Protecting data in transit and at rest
• Internal and external threats
• Hot-pluggable
• Standards-based
• Works across leading applications, web servers, application servers, portals, databases, and other IT systems
Access Control Products
• Authentication & Authorization: Oracle Access Manager (Web)
• Single-Sign-On: Oracle eSSO Suite (Desktop/Legacy)
• Federation: Oracle Identity Federation
• Web Services Security: Oracle Web Services Manager
Oracle Access Manager
• Features
  • Multi-level, multi-factor authentication
  • Web and App server level authorization
  • Workflow driven Self-service & Delegated administration
  • Services-based architecture eases integration with existing IT infrastructure
• Benefits
  • Policy-based access management
  • Centralized and consistent security across heterogeneous environments
  • Reduced administration cost
  • Increased IT governance and compliance readiness
Diagram labels: Authentication, Authorization, Identity Admin
Oracle Identity Federation
• Features
  • Identity and trust sharing across business partners, both as Service Provider (Hub) or Identity Provider (Spoke)
  • Lightweight, multi-protocol gateway: SAML, Liberty, WS-Federation
  • Integrates with leading Identity Management platforms
• Benefits
  • Reduced cost of interaction between business partners
  • Reduce administration cost
  • Deliver improved end user experience
Oracle Enterprise Single Sign-On (eSSO)
• Features
  • Identifies users when they need to access a network or system
  • Separately, authorizes their access to individual applications
  • Sits between users and everything they want to access
• Benefits
  • Eliminates forgotten passwords for both Windows desktop and all of your applications
  • Improves security while improving user experience
  • Meet regulatory compliance
  • Extends strong authentication to every application
Oracle Web Services Manager
• Features
  • Rich library of pre-built policies
  • Centralized policy management with local enforcement
  • Standards support: JAAS, JACC, WS-Security
  • Supports .Net & J2EE Web Services
• Benefits
  • Improved visibility and policy administration at lower cost
  • Cross-platform monitoring and service level (SLA) enforcement
  • Reduced Compliance Risk
Identity Administration Product
Oracle Identity Manager
• Lifecycle Administration
• Role & Membership Administration
• Provisioning & Reconciliation
• Compliance Automation
Oracle Identity Manager
• Features
  • Automated user provisioning and de-provisioning
  • Rich, flexible connector framework
  • User-friendly request & policy wizards
  • Sophisticated workflow & reconciliation engines
  • Unique compliance automation & reporting
• Benefits
  • Reduced administration cost
  • Improved end user experience
  • Critical for regulatory compliance
  • Improved security
Diagram (Application Driven Identity System): HRMS: user created or removed in HR system -> Workflow: assign or revoke roles, privileges -> Business Applications: provision accounts and access rights
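The HR-driven flow in the diagram above, and the control deficiencies listed earlier (delayed termination, privileges built up over time), reduce to one reconciliation question: does what each target system actually holds match what the person's HR status and role policy say it should? The following is an added example written for this page; it is not Oracle Identity Manager code or one of its connectors. The role names, system names, person IDs and the `ROLE_POLICY` table are constructed for illustration. It emits the provisioning actions a workflow engine would carry out (grant, revoke, disable) and attaches the reason, including how long a terminated user's account has lingered.

```python
"""Added reconciliation example; not Oracle Identity Manager code.
Role names, system names and person IDs below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Role policy: the entitlements each HR role should hold in each target system.
# Hypothetical roles and systems.
ROLE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "student":  {"sis": {"student"}, "email": {"mailbox"}},
    "faculty":  {"sis": {"grades_write"}, "email": {"mailbox"}, "ldap": {"cn=faculty"}},
    "hr_staff": {"hrms": {"hr_user"}, "email": {"mailbox"}, "ldap": {"cn=staff"}},
}


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    role: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Action:
    kind: str                        # "disable", "grant" or "revoke"
    person_id: str
    system: str
    entitlement: str = ""
    reason: str = ""


def reconcile(hr_feed: List[HrRecord], accounts: Dict[str, Dict[str, Set[str]]],
              today: date) -> List[Action]:
    """Compare HR (the authoritative source) with accounts observed in target systems.

    accounts maps system -> person_id -> entitlements currently held.
    """
    hr = {r.person_id: r for r in hr_feed}
    actions: List[Action] = []

    # Deficiency 1: accounts whose owner is terminated or unknown to HR (orphans).
    for system, holders in accounts.items():
        for pid in holders:
            rec = hr.get(pid)
            if rec is None:
                actions.append(Action("disable", pid, system, reason="no HR record"))
            elif rec.status == "terminated":
                days = (today - rec.termination_date).days if rec.termination_date else None
                reason = f"terminated {days} days ago" if days is not None else "terminated"
                actions.append(Action("disable", pid, system, reason=reason))

    # Active users: missing entitlements (grant) and entitlements the current role
    # no longer justifies (deficiency 2, privilege accumulation -> revoke).
    for pid, rec in hr.items():
        if rec.status != "active":
            continue
        target = ROLE_POLICY.get(rec.role, {})
        for system, should_have in target.items():
            held = accounts.get(system, {}).get(pid, set())
            for ent in sorted(should_have - held):
                actions.append(Action("grant", pid, system, ent, f"required by role {rec.role}"))
        for system, holders in accounts.items():
            held = holders.get(pid, set())
            for ent in sorted(held - target.get(system, set())):
                actions.append(Action("revoke", pid, system, ent, f"not justified by role {rec.role}"))

    return sorted(actions, key=lambda a: (a.person_id, a.system, a.kind, a.entitlement))


# Constructed sample input: an HR feed and the accounts seen in three systems.
SAMPLE_HR = [
    HrRecord("p100", "faculty", "active"),
    HrRecord("p200", "student", "active"),
    HrRecord("p300", "hr_staff", "terminated", date(2007, 1, 15)),
    HrRecord("p400", "student", "active"),          # new arrival, nothing provisioned yet
]
SAMPLE_ACCOUNTS = {
    "sis":   {"p100": {"grades_write"}, "p200": {"student", "grades_write"}},
    "email": {"p100": {"mailbox"}, "p200": {"mailbox"}, "p300": {"mailbox"}},
    "ldap":  {"p100": {"cn=faculty", "cn=staff"}, "p300": {"cn=staff"}, "p999": {"cn=admin"}},
}


def sample_actions() -> List[Action]:
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, today=date(2007, 3, 1))


if __name__ == "__main__":
    for a in sample_actions():
        print(f"{a.kind:8} {a.person_id} {a.system:6} {a.entitlement:14} {a.reason}")
```

Run against the sample, the script disables the two accounts still open 45 days after p300's termination and the `p999` account nobody in HR owns, revokes the `grades_write` a student picked up and the `cn=staff` group a faculty member kept, and grants the new student's baseline access. The same loop run on every HR feed is what turns deficiencies 1 and 2 from an audit finding into a daily job.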
Oracle Identity Manager Overview (diagram)
Oracle Identity Manager at the center, connected to: PSFT HR / SIS Banner; Oracle, MS SQL; Linux, Unix, HP; Access Management Systems; LDAP; Famis, BlackBoard
Oracle Identity Manager: Enterprise Provisioning solution optimized for Identity Management
Directory Services Products
• Virtualization: Oracle Virtual Directory
• Synchronization: Oracle Directory Integration Platform
• Storage: Oracle Internet Directory
Oracle Internet Directory
• Features
  • Full feature LDAP server with a RDBMS data-store
  • Industry leading scalability and HA capabilities
  • Strong Oracle Platform integration
  • VSLDAP certified and EAL4 compliant
• Benefits
  • Reduced operational cost with Oracle Grid support
  • Seamless integration with Oracle Applications and Products
Oracle Virtual Directory
• Features
  • Virtualization, Proxy, Join & Routing capabilities
  • Modern Java & Web Services technology
  • Superior extensibility
  • Scalable multi-site administration
  • Direct data access
• Benefits
  • Perform Real-time directory integration
  • Accelerate application deployment
  • Lower development costs
Virtual Directory Product Architecture (diagram): clients reach the VDE Directory Engine over LDAP, Web Services or the Web Gateway; a Join View combines the back-end sources: Local Store, LDAP, DB, NT, Custom
Enterprise Identity Management (diagram)
Users: Internal (Employees, IT Staff, SOA Applications); External (Partners, Customers, SOA Applications); Delegated Admin
Identity Management Service:
• Access Management: Authentication & SSO; Authorization & AC; Identity Federation
• Identity Administration: Delegated Administration; Self-Registration & Self-Service; User & Group Management
• Directory Services: LDAP Directory; Meta-Directory; Virtual Directory
• Identity Provisioning: Agent-based; Agentless; Password Synchronization
Cross-cutting: Auditing and Reporting; Policy and Workflow; Monitoring and Management
Systems & Repositories / Applications: ERP, CRM, HR, Mainframe, NOS, Directories, OS (Unix)
Audit and Compliance Throughout
• Features
  • Who has/had what, when, how and why
  • Periodic attestation of user privileges
  • Leverages Oracle's core data management and reporting competencies
  • Pre-built Reports
• Benefits
  • Reduced cost of compliance
  • Improved process visibility
  • Better exception monitoring and management
Attestation Process Framework (diagram)
• Scheduled or on-demand request generation
• Build data snapshot at request time (query operational data)
• Archive data to be attested to
• Notify reviewer of attestation request
• Reviewer reviews data and takes actions: Certify, Reject, Decline, Delegate
• Delegate: archive delegation path; notify delegated reviewer
• Configurable workflows based on reviewer action; exception handling workflows; notify process owner
• Archive attestation actions
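The framework above is a small state machine: a request freezes a snapshot of who holds what, opens one task per reviewer, and each reviewer decision (certify, reject, decline, delegate) drives a different follow-up while every action is archived. The following is an added example written for this page, not Oracle Identity Manager's attestation engine; the user, reviewer and entitlement names are constructed for illustration. Two details worth seeing in code: the snapshot is taken by copy, so an entitlement granted after the request does not show up in the campaign, and the action is archived before state changes, so the record is complete even if a downstream workflow fails.

```python
"""Added attestation-workflow example; not Oracle Identity Manager's attestation engine.
User, reviewer and entitlement names are constructed for illustration."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AttestationTask:
    task_id: int
    user: str
    entitlement: str
    reviewer: str                               # current reviewer (changes on delegation)
    delegation_path: List[str] = field(default_factory=list)
    state: str = "pending"                      # pending | certified | rejected | declined


class AttestationRun:
    """One attestation request: snapshot, tasks, reviewer actions, archive."""

    DECISIONS = ("certify", "reject", "decline", "delegate")

    def __init__(self, operational_data: Dict[str, Set[str]],
                 owner_of: Dict[str, str], process_owner: str):
        # Snapshot at request time: later grants/revokes in the live data must not
        # change what the reviewer is asked to attest to.
        self.snapshot = copy.deepcopy(operational_data)
        self.owner_of = owner_of
        self.process_owner = process_owner
        self.tasks: Dict[int, AttestationTask] = {}
        self.archive: List[dict] = []                 # append-only record of every action
        self.notifications: List[Tuple[str, str]] = []
        self.exceptions: List[Tuple[str, str]] = []   # rejected (user, entitlement) pairs

    def generate_requests(self) -> None:
        """Scheduled or on-demand generation: one task per (user, entitlement)."""
        for user in sorted(self.snapshot):
            reviewer = self.owner_of[user]
            for ent in sorted(self.snapshot[user]):
                tid = len(self.tasks) + 1
                self.tasks[tid] = AttestationTask(tid, user, ent, reviewer)
                self.notifications.append((reviewer, f"attest task {tid}: {user} holds {ent}"))

    def open_tasks(self, reviewer: str) -> List[int]:
        return [t.task_id for t in self.tasks.values()
                if t.state == "pending" and t.reviewer == reviewer]

    def act(self, task_id: int, actor: str, decision: str,
            delegate_to: Optional[str] = None, comment: str = "") -> AttestationTask:
        task = self.tasks[task_id]
        if task.state != "pending":
            raise ValueError(f"task {task_id} is already {task.state}")
        if actor != task.reviewer:
            raise PermissionError(f"{actor} is not the reviewer of task {task_id}")
        if decision not in self.DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        # Archive first, so the record is complete even if a follow-up workflow fails.
        self.archive.append({"task": task_id, "actor": actor,
                             "decision": decision, "comment": comment})
        if decision == "delegate":
            if not delegate_to:
                raise ValueError("delegate requires a delegate_to reviewer")
            task.delegation_path.append(actor)            # archive the delegation path
            task.reviewer = delegate_to
            self.notifications.append((delegate_to, f"delegated attestation task {task_id}"))
        elif decision == "certify":
            task.state = "certified"
        elif decision == "reject":
            task.state = "rejected"
            self.exceptions.append((task.user, task.entitlement))   # exception workflow input
        else:  # decline: reviewer refuses to attest, so the process owner must step in
            task.state = "declined"
            self.notifications.append((self.process_owner, f"task {task_id} declined by {actor}"))
        return task


def sample_run() -> AttestationRun:
    # Constructed operational data at request time and the manager of each user.
    live = {"alice": {"sis:grades_write", "ldap:cn=staff"}, "bob": {"hrms:hr_user"}}
    run = AttestationRun(live, owner_of={"alice": "dean", "bob": "hr_director"},
                         process_owner="compliance")
    run.generate_requests()
    live["bob"].add("sis:student")          # granted after the snapshot: not in this campaign
    run.act(1, "dean", "certify")
    run.act(2, "dean", "delegate", delegate_to="registrar")
    run.act(2, "registrar", "reject", comment="no longer teaching")
    run.act(3, "hr_director", "decline")
    return run
```

After `sample_run()`, the rejected pair (`alice`, `sis:grades_write`) sits in `run.exceptions` for a revocation workflow, the declined task has generated a notification to the process owner, and the archive holds four entries including the delegation, which is how "who attested to what, and who they passed it to" is answered later.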
Protecting our most sensitive data: PII Vault (SSN security) (diagram)
Databases / Applications holding Employee and Student data: Student, HR, Financial, Alumni, Dept. E-Mail, Legacy, Portal, Guest / Visitor, State & Federal Agencies
Identity Management Web Service: Authenticate; SSL; Entry Form; SSN Encryption; Unique Alt-SSN; Reporting
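The vault pattern in the diagram has three moving parts: every consumer authenticates to the web service, the SSN is encrypted at rest inside the vault, and consumers are handed a unique alternate identifier (the "Alt-SSN") so campus applications never need to store the real number; only a few consumers, such as state and federal reporting, may map an Alt-SSN back. The following is an added example written for this page, not Oracle's PII Vault web service. Consumer names, credentials and the sample SSNs are constructed, and the HMAC-based sealing routine is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM, used here only so the example runs without third-party packages.

```python
"""Added PII vault example; not Oracle's PII Vault web service.
Consumer names, credentials and the sample SSNs are constructed for illustration.
_seal/_open are a standard-library stand-in for a vetted authenticated cipher
such as AES-GCM; use a real cryptographic library in production."""
import hashlib
import hmac
import os
import re
import secrets
from typing import Dict, List, Tuple


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive independent keys for indexing, encryption and integrity from one master key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("stored SSN record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PiiVault:
    """Holds SSNs; hands out unique alternate IDs; reveals SSNs only to authorized consumers."""

    SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

    def __init__(self, master_key: bytes):
        self._index_key = _subkey(master_key, b"blind-index")
        self._enc_key = _subkey(master_key, b"ssn-encrypt")
        self._mac_key = _subkey(master_key, b"ssn-mac")
        self._alt_by_index: Dict[bytes, str] = {}   # HMAC(SSN) -> alt id, no plaintext index
        self._sealed: Dict[str, bytes] = {}         # alt id -> sealed SSN
        self._consumers: Dict[str, Tuple[bytes, bool]] = {}
        self.audit: List[Tuple[str, str, object]] = []

    def register_consumer(self, name: str, credential: str, may_reveal: bool = False) -> None:
        self._consumers[name] = (hashlib.sha256(credential.encode()).digest(), may_reveal)

    def _authenticate(self, name: str, credential: str) -> bool:
        entry = self._consumers.get(name)
        presented = hashlib.sha256(credential.encode()).digest()
        ok = entry is not None and hmac.compare_digest(entry[0], presented)
        self.audit.append((name, "authenticate", ok))
        if not ok:
            raise PermissionError(f"consumer {name!r} failed authentication")
        return entry[1]                               # may_reveal

    def tokenize(self, name: str, credential: str, ssn: str) -> str:
        """Return the unique alt-SSN for this SSN, creating it on first sight."""
        self._authenticate(name, credential)
        if not self.SSN_RE.match(ssn):
            raise ValueError("malformed SSN")
        digits = ssn.replace("-", "")
        index = hmac.new(self._index_key, digits.encode(), hashlib.sha256).digest()
        alt = self._alt_by_index.get(index)
        if alt is None:
            # Random, so nothing about the real SSN is derivable; the letter prefix
            # keeps it from ever being mistaken for (or validated as) a real SSN.
            alt = "A" + str(secrets.randbelow(10**8)).zfill(8)
            while alt in self._sealed:
                alt = "A" + str(secrets.randbelow(10**8)).zfill(8)
            self._alt_by_index[index] = alt
            self._sealed[alt] = _seal(self._enc_key, self._mac_key, digits.encode())
        self.audit.append((name, "tokenize", alt))
        return alt

    def reveal(self, name: str, credential: str, alt: str) -> str:
        """Map an alt-SSN back to the SSN; only for consumers registered with may_reveal."""
        if not self._authenticate(name, credential):
            self.audit.append((name, "reveal-denied", alt))
            raise PermissionError(f"consumer {name!r} may not reveal SSNs")
        digits = _open(self._enc_key, self._mac_key, self._sealed[alt]).decode()
        self.audit.append((name, "reveal", alt))
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def demo() -> Tuple[PiiVault, str, str]:
    vault = PiiVault(os.urandom(32))                  # master key held only by the vault
    vault.register_consumer("portal", "portal-secret")                      # may not reveal
    vault.register_consumer("state_reporting", "report-secret", may_reveal=True)
    first = vault.tokenize("portal", "portal-secret", "123-45-6789")
    again = vault.tokenize("portal", "portal-secret", "123456789")          # same SSN, same alt
    return vault, first, again
```

The lookup by SSN goes through a keyed HMAC rather than the plaintext, so a dump of the vault's index does not leak SSNs, and the alt-SSN is random rather than derived, so a consumer holding thousands of them learns nothing about the underlying numbers. The `audit` list records every authentication, tokenization, denied reveal and reveal, which is the "Reporting" box in the diagram.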
Most Comprehensive, Best-In-Class Suite
Area                       Oracle Offering
Web Access                 Oracle Access Manager
Provisioning               Oracle Identity Manager
Federation                 Oracle Identity Federation
Delegated Administration   Oracle Access Manager
Password Synchronization   Oracle Identity Manager
Virtual Directory          Oracle Virtual Directory
Meta-Directory             Directory Integration Platform
Directory                  Oracle Internet Directory
Authentication/PKI         Oracle Certificate Authority
Web Services               Oracle Web Services Manager
Enterprise SSO             Oracle Enterprise Single Sign On
For More Information
http://search.oracle.com
or
http://www.oracle.com/
Oracle Identity Management
Contact information
• Kwesi Edwards
• Kwesi.edwards@oracle.com