
WRC07028.pps


7/17/2019 WRC07028.pps

http://slidepdf.com/reader/full/wrc07028pps 1/30


Securing Universities from Internal and External Threats:
An Introduction to Oracle Identity Management

Kwesi Edwards, Principal Security Architect, Oracle Higher Education
Raanan Dagan, Senior Solution Architect, Identity Management and Security Products

Educause West 2007


Disclaimer

• This work is the intellectual property of Oracle Corp. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Oracle Corp. To disseminate otherwise or to republish requires written permission from the author.


Agenda

• University Challenges
• Identity Management Defined
• Oracle solutions
• Q&A

Why is Security and Compliance important in Higher Education today?

1. Educause says it is: #1 issue in Current Issues 2006 survey
2. US Government says it is: (FERPA, HIPAA, GLB, Patriot Act, California SB 1386)
3. The Student Lifecycle - On-boarding, provisioning, alumni
   • Research
   • "Spirit of Sharing Information"
4. Hackers make it so


Higher Education Identity Breach Statistics: Feb 2005 - July 2006

Number of Incidents: 12
Number of Identities: #617767%.
Several CIOs "re-assigned"

2005 Examples

Name              Type          ID's Impacted
UC Berkeley       Stolen asset  98,400
Boston College    Hacking       120,000
Northwestern      Hacking       21,000
U of Utah         Hacking       100,000
Cal State         Hacking       59,000
U of Colorado     Hacking       49,000
Univ of Chicago   Insider       Unknown
Tufts Univ        Hacking       106,000
Carnegie Mellon   Hacking       19,000
Georgia Southern  Hacking       10,000s
OSU               Stolen asset  37,000
Kent State        Hacking       100,000
U of Iowa         Hacking       30,000
U of Hawaii       Insider       150,000

2006 Examples

Name              Type          ID's Impacted
Georgetown        Hacking       41,000
Vermont State     Hacking       14,000
U of Alaska       Hacking       39,000
U of Texas        Hacking       197,000
Ohio University   Hacking       300,000
Ohio University   Hacking       60,000
Western Ill Univ  Hacking       180,000
U of Tenn         Hacking       36,000
Northwestern      Hacking       17,000
UCLA              Hacking       800,000
Georgetown Hosp   Hacking       30,000

2007 Examples

Name              Type          ID's Impacted
UC San Francisco  Hacking       46,000

Plus an additional
• 31 schools in 2005 and
• 30 schools in 2006

Source: Privacy Rights Clearing House August 5, 2006


Campus Computing 2005 IT Survey

One-Third of Universities report Network and data security as the #1 most important IT issue (30.4% in 2005, 21.2% in 2004)

Highest concern for public four year colleges, where 44.1% identify IT security as #1 issue

Over half of Universities report Network Hacks or attacks: 50.7% experienced hacks or attacks on campus in 2005

One fifth of schools 829(/; report major security incidents involving identity management.

Two-Thirds 8/7(/; of Universities report gains in IT security budgets (up from 59.5% in 2004).

Source: Campus Computing 2005 National Survey of Information Technology on US Higher Education


ECAR Significant Findings

"We found that, despite challenges involving resources ... responding institutions are deeply engaged in IdM activities ... and nearly all said they were at least considering implementing ... at the same time we found fully operational IdM technologies was relatively rare.

in every case, capability to deliver rated lower

Existence of this capability gap ... because the political or financial costs of optimizing are too high"

Identity Management in Higher Education: A Baseline Study, Ronald Yanosky, with Gail Salaway


Higher Education Challenges:
Common Control Deficiencies

1. Delays in terminating access
2. Built up privileges over time
3. Difficulty managing groups and roles
4. Managing access authorization is oftentimes manual (paper based or email)
5. Password policies not enforced across all systems



Identity Management Solution


Oracle's Security Strategy

• Complete, unified security solution
• No point product integration required
• Common security across applications and data
• Protecting business processes and web services (SOA)
• Protecting data in transit and at rest
• Internal and external threats
• Hot-pluggable
• Standards-based
• Works across leading applications, web servers, application servers, portals, databases, and other IT systems


Access Control Products

• Authentication & Authorization: Oracle Access Manager (Web)
• Single-Sign-On: Oracle eSSO Suite (Desktop/Legacy)
• Federation: Oracle Identity Federation
• Web Services Security: Oracle Web Services Manager


Oracle Access Manager

• Features
  • Multi-level, multi-factor authentication
  • Web and App server level authorization
  • Workflow driven Self-service & Delegated administration
  • Services-based architecture eases integration with existing IT infrastructure
• Benefits
  • Policy-based access management
  • Centralized and consistent security across heterogeneous environments
  • Reduced administration cost
  • Increased IT governance and compliance readiness

Diagram labels: Authentication; Authorization; Identity Admin


Oracle Identity Federation

• Features
  • Identity and trust sharing across business partners, both as Service Provider (Hub) or Identity Provider (Spoke)
  • Lightweight, multi-protocol gateway: SAML, Liberty, WS-Federation
  • Integrates with leading Identity Management platforms
• Benefits
  • Reduced cost of interaction between business partners
  • Reduce administration cost
  • Deliver improved end user experience


Oracle Enterprise Single Sign-On

• Features
  • Identifies users when they need to access a network or system
  • Separately, authorizes their access to individual applications
  • Sits between users and everything they want to access
• Benefits
  • Eliminates forgotten passwords for both Windows desktop and all of your applications
  • Improves security while improving user experience
  • Meet regulatory compliance
  • Extends strong authentication to every application

Diagram label: Oracle eSSO


Oracle Web Services Manager

• Features
  • Rich library of pre-built policies
  • Centralized policy management with local enforcement
  • Standards support: JAAS, JACC, WS-Security
  • Supports .Net & J2EE Web Services
• Benefits
  • Improved visibility and policy administration at lower cost
  • Cross-platform monitoring and service level (SLA) enforcement
  • Reduced Compliance Risk


Identity Administration Product

Oracle Identity Manager
• Lifecycle Administration
• Role & Membership Administration
• Provisioning & Reconciliation
• Compliance Automation


Oracle Identity Manager

• Features
  • Automated user provisioning and de-provisioning
  • Rich, flexible connector framework
  • User-friendly request & policy wizards
  • Sophisticated workflow & reconciliation engines
  • Unique compliance automation & reporting
• Benefits
  • Reduced administration cost
  • Improved end user experience
  • Critical for regulatory compliance
  • Improved security

Diagram labels: HRMS; User created or removed in HR system; Business Applications; Workflow; Assign or revoke roles, privileges; Application Driven Identity System; Provision accounts and access rights


Oracle Identity Manager Overview

Diagram labels: Oracle Identity Manager; PSFT HR / SIS; Banner; Oracle, MSQL; Linux, Unix, HP; Access Management Systems; LDAP; Famis; Blackboard

Oracle Identity Manager: Enterprise Provisioning solution optimized for Identity Management


Directory Services Products

• Virtualization: Oracle Virtual Directory
• Synchronization: Oracle Directory Integration Platform
• Storage: Oracle Internet Directory


Oracle Internet Directory

• Features
  • Full feature LDAP server with a RDBMS data-store
  • Industry leading scalability and HA capabilities
  • Strong Oracle Platform integration
  • VSLDAP certified and EAL4 compliant
• Benefits
  • Reduced operational cost with Oracle Grid support
  • Seamless integration with Oracle Applications and Products


Oracle Virtual Directory

• Features
  • Virtualization, Proxy, Join & Routing capabilities
  • Modern Java & Web Services technology
  • Superior extensibility
  • Scalable multi-site administration
  • Direct data access
• Benefits
  • Perform Real-time directory integration
  • Accelerate application deployment
  • Lower development costs

Virtual Directory Product Architecture (diagram labels): LDAP; VDE DIRECTORY ENGINE; WEB GATEWAY; WEB SERVICES; WEB GATEWAY; JOIN VIEW; Local Store; LDAP; DB; NT; Custom


Enterprise Identity Management

Identity Management Service
• Access Management: Authentication & SSO; Authorization & RBAC; Identity Federation
• Identity Administration: Delegated Administration; Self-Registration & Self-Service; User & Group Management
• Directory Services: LDAP Directory; Meta-Directory; Virtual Directory
• Identity Provisioning: Agent-based; Agentless; Password Synchronization

Other diagram labels: NOS/Directories; OS (Unix); Systems & Repositories; Applications; ERP; CRM; HR; Mainframe; Auditing and Reporting; Policy and Workflow; Employees; IT Staff; SOA Applications; Partners; External; Delegated Admin; SOA Applications; Customers; Internal; Monitoring and Management


Audit and Compliance Throughout

• Features
  • Who has/had what, when, how and why
  • Periodic attestation of user privileges
  • Leverages Oracle's core data management and reporting competencies
  • Pre-built Reports
• Benefits
  • Reduced cost of compliance
  • Improved process visibility
  • Better exception monitoring and management


Attestation Process Framework

Diagram labels: Delegate; Reviewer reviews data and takes actions; Scheduled or on-demand request generation; Build data snapshot at request time; Configurable workflows based on reviewer action; Notify reviewer of attestation request; Archive attestation actions; Archive data to be attested to; Reject; Certify; Decline; Notify process owner; Exception handling workflows; Query operational data; Reviewer actions; Archive delegation path; Notify delegated reviewer


Protecting our most sensitive data: PII Vault SSN security

Diagram labels: Employee; Databases; Applications; Student; HR; Financial; Alumni; Dept.; E-Mail; Legacy; Portal; Student; Guest / Visitor; State & Federal Agencies; Identity Management; Web Service; SSN Encryption; Authenticate; Entry Form; SSL; Unique Alt-SSN; Reporting


Most Comprehensive, Best-In-Class Suite

Area                      Oracle Offering
Web Access                Oracle Access Manager
Provisioning              Oracle Identity Manager
Federation                Oracle Identity Federation
Delegated Administration  Oracle Access Manager
Password Synchronization  Oracle Identity Manager
Virtual Directory         Oracle Virtual Directory
Meta-Directory            Directory Integration Platform
Directory                 Oracle Internet Directory
Authentication/PKI        Oracle Certificate Authority
Web Services              Oracle Web Services Manager
Enterprise SSO            Oracle Enterprise Single Sign On


For More Information

http://search.oracle.com

or

http://www.oracle.com/

Oracle Identity Management


Q&A


Contact information

• Kwesi Edwards
• Kwesi.edwards@oracle.com
