CON8813: Securing Privileged Accounts with an Integrated IDM Solution (final)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.


DESCRIPTION

Olaf Stullich & Mike Laramie's OOW2013 presentation


Page 2: Securing Privileged Accounts with an Integrated IDM Solution

Olaf Stullich, Product Manager, Oracle

Mike Laramie, Oracle Cloud for Industry Architecture Team

Page 3: Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4: Program Agenda

Introduction

What is Oracle Privileged Account Manager?

OPAM Integration with Oracle Identity Governance and Database Security

Use Case: Oracle Cloud for Industry and OPAM

Demo

Page 5: Introduction

Page 6: What do these two have in common?

• Privileged account access

• Excessive access privileges

• Difficult to monitor shared accounts across multiple administrators

Page 7: IDM – Overcome Threats and Regulations to Unlock Opportunities

2011 Data Breach Investigations Report:

• 76% of data stolen from servers

• 86% of hacking involved stolen credentials

• 48% caused by insiders

• 17% involved privilege misuse

Threats: increased online threat; costly insider fraud

Compliance: tougher regulations; greater focus on risk; stronger governance

Opportunities: social media; cloud computing; mobile access

Page 8: Managing Privileged Access Is Not Well Defined

COST: Deploying point solutions can increase integration costs

SCALE: Manual solutions don’t scale (like managing privileged access via spreadsheets)

RISK: Using default system passwords is prone to risk

Page 9: Two Big Management Problems

Identifying privileged accounts

Tracking privileged accounts

Page 10: The Right Approach is Self-Reinforcing

Four stages of a self-reinforcing cycle: Access Request, Auto-Provisioning, Reporting & Certification, Remediation

VISIBILITY ACROSS COMPLETE USER ACCESS IS KEY

Page 11: Privileged Account Management – A Platform Approach

Shared Connectors

Centralized Policies

Workflow Integration

Common Reporting

Reduce Risk

Improve Compliance

Page 12: What is Oracle Privileged Account Manager?

Page 13: Oracle Fusion Middleware – Business Innovation Platform for the Enterprise and Cloud

Complete and Integrated

Best-in-class

Open standards

On-premise and Cloud Foundation for Oracle Fusion Applications and Oracle Cloud

Components: User Engagement; Identity Management; Business Process Management; Content Management; Business Intelligence; Service Integration; Data Integration; Development Tools; Cloud Application Foundation; Enterprise Management

Channels: Web, Social, Mobile

Page 14: Identity Management – Securing the Social Enterprise

Simplified Identity Governance

– Access Request Portal with Catalog and Shopping cart UI

– In-product, durable customization of UIs, forms and workflows

– Privileged Account Management – leverages Identity connectors, workflows, audit

Complete Access Management

– Integrated SSO, Federation, API Management, Token Management, Granular Authorization

– Mobile application security with SSO, device fingerprinting and step-up authentication

– Social identity log-in from popular social media sites

– REST, OAuth, XACML

Directories that Scale

– OUD optimized on T4 hardware delivering 3x performance gain and 15% of set-up time

Page 15: Privileged Account Manager – Definition of Terms

Privileged Account

– A “human”-accessible account with elevated permissions (root for UNIX/Linux, or SYS for the database)

Service Account

– Most customers use the term “service accounts” when they refer to Privileged Accounts

– Some customers use the term “service accounts” when they refer to Application Accounts

– OPAM uses “service accounts” in the connector configuration

End User

– An administrator who is accessing OPAM to check out an account

Administrator

– The OPAM server administrator

– An administrator who is accessing OPAM to check out an account

Application Accounts

– Accounts that are used by an application (stored in the application) to access e.g. a database

Target

– OPAM manages account access on “Targets” (the systems whose privileged accounts it holds)

Page 16: Privileged Account Manager – Overview of Product Capabilities

Secure password vault to centrally manage passwords for privileged accounts

– OPAM uses an Oracle DB EE instance with a limited-use license for TDE (Transparent Data Encryption) to encrypt the stored passwords at rest

Session Management and Auditing

– Session control without revealing a privileged account password

– Session History and searchable Session Recording

Extensible Framework

– Java based, for customized solutions

Audit Reporting

– Customizable audit reports through BI Publisher

– Real-time status available via the OPAM dashboard (charts, tables, etc.)

Page 17: Privileged Account Manager – Overview of Product Capabilities (continued)

Integrated with the Identity Governance Platform

– Shared Connectors and Workflow integration with OIM (Oracle Identity Manager)

– Centralized Policy Management via OIM and OIA (Oracle Identity Analytics)

Using out-of-the-box connectors, OPAM Targets can be configured for

– Databases, Operating Systems, LDAP Directories, and Oracle FMW applications

Policy-based access to privileged accounts via “grants”

– Grants control if and when a given administrator has access to a privileged account

– Grants are represented as OPAM Usage Policies

– Grants are typically assigned through LDAP Group Membership in the identity store

Flexible Password Policies

– Mirror corporate password standards

Page 18: Supported Clients / Targets

Generic Database Servers

Generic LDAP Directories

Generic UNIX Systems

UNIX

MS SQL Server

Sybase 15

Page 19: Typical OPAM Use-Case

Actors: Joe, a Database and Unix administrator; an LDAP Server (the identity store); the HR Application Database; a Unix Server; Oracle Privileged Account Manager.

1. Joe requests the SYSTEM password for the HR App Database from OPAM.

2. OPAM verifies against the LDAP Server that the OPAM user Joe is in the “HR DBA” role.

3. OPAM returns the SYSTEM password. Joe logs in as SYSTEM and adds a table to the DB; the system runs out of space.

4. Joe requests the root password for the Unix Server; OPAM returns the root password. Joe logs in as root and adds disk space.

5. Joe checks both passwords back in.

6. OPAM sets a new SYSTEM password for the HR App Database, based on the password policy for the HR App Database, and sets a new root password for the Unix Server, based on the password policy for the Unix Server.
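The flow on this slide, as an added example that is neither OPAM code nor part of the original deck: a minimal Python model of the vault, the grant check against LDAP group membership (the “grants” and Usage Policies of the capabilities slide) and the per-target password reset on check-in. Everything in it is assumed for illustration: the in-memory directory, the `Vault`, `PasswordPolicy` and `run_slide_scenario` names, the exclusive check-out rule and the `secrets`-based generator. OPAM’s own API, storage and policy format are not shown on the deck.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class PasswordPolicy:
    """Per-target policy applied when the vault resets a password after check-in."""
    length: int = 20
    alphabet: str = string.ascii_letters + string.digits + "!@#$%^&*"


@dataclass
class PrivilegedAccount:
    target: str                  # e.g. "HR App Database"
    username: str                # e.g. "SYSTEM"
    policy: PasswordPolicy
    grant_group: str             # LDAP group whose members may check this account out
    password: str
    last_changed: datetime
    checked_out_by: Optional[str] = None


class Vault:
    """In-memory stand-in for the OPAM password vault (hypothetical model, not OPAM's)."""

    def __init__(self, ldap_groups: Dict[str, Set[str]],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self.ldap_groups = ldap_groups                 # group name -> member user IDs
        self.accounts: Dict[Tuple[str, str], PrivilegedAccount] = {}
        self.audit: List[dict] = []                    # searchable session history
        self.now = now

    @staticmethod
    def generate(policy: PasswordPolicy) -> str:
        # Cryptographically random and freshly drawn per reset, so every target gets
        # its own password and a value handed out earlier never works again.
        return "".join(secrets.choice(policy.alphabet) for _ in range(policy.length))

    def add_account(self, target: str, username: str, grant_group: str,
                    policy: Optional[PasswordPolicy] = None) -> PrivilegedAccount:
        policy = policy or PasswordPolicy()
        acct = PrivilegedAccount(target, username, policy, grant_group,
                                 self.generate(policy), self.now())
        self.accounts[(target, username)] = acct
        return acct

    def _log(self, event: str, user: str, acct: PrivilegedAccount, **extra: str) -> None:
        self.audit.append({"time": self.now().isoformat(), "event": event, "user": user,
                           "target": acct.target, "account": acct.username, **extra})

    def checkout(self, user: str, target: str, username: str) -> str:
        """Hand out the password only if the grant (LDAP group) admits this user."""
        acct = self.accounts[(target, username)]
        if user not in self.ldap_groups.get(acct.grant_group, set()):
            self._log("checkout_denied", user, acct, reason=f"not in {acct.grant_group}")
            raise PermissionError(f"{user} is not in group {acct.grant_group}")
        if acct.checked_out_by not in (None, user):
            # Exclusive check-out (assumption): the shared account is held by one named
            # administrator at a time, so each session is attributable to a person.
            self._log("checkout_denied", user, acct, reason=f"held by {acct.checked_out_by}")
            raise PermissionError(f"{username}@{target} is held by {acct.checked_out_by}")
        acct.checked_out_by = user
        self._log("checkout", user, acct)
        return acct.password

    def checkin(self, user: str, target: str, username: str) -> None:
        """Release the account and reset its password under the target's policy."""
        acct = self.accounts[(target, username)]
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {username}@{target}")
        acct.password = self.generate(acct.policy)     # the checked-out value is now dead
        acct.last_changed = self.now()
        acct.checked_out_by = None
        self._log("checkin_reset", user, acct)


def run_slide_scenario() -> dict:
    """Replays the slide: Joe fixes the HR database, then the Unix server it runs on."""
    # Constructed directory contents: Joe holds both grants, Bob holds neither.
    vault = Vault({"HR DBA": {"joe"}, "Unix Admins": {"joe"}, "Helpdesk": {"bob"}})
    db = vault.add_account("HR App Database", "SYSTEM", "HR DBA", PasswordPolicy(length=24))
    unix = vault.add_account("Unix Server", "root", "Unix Admins", PasswordPolicy(length=16))

    sys_pw = vault.checkout("joe", "HR App Database", "SYSTEM")   # adds a table, disk fills up
    root_pw = vault.checkout("joe", "Unix Server", "root")         # adds disk space
    vault.checkin("joe", "Unix Server", "root")
    vault.checkin("joe", "HR App Database", "SYSTEM")

    try:                                                           # Bob has no grant
        vault.checkout("bob", "HR App Database", "SYSTEM")
        bob_denied = False
    except PermissionError:
        bob_denied = True

    return {
        "events": [e["event"] for e in vault.audit],
        "system_reset": db.password != sys_pw,
        "root_reset": unix.password != root_pw,
        "policy_lengths_ok": len(db.password) == 24 and len(unix.password) == 16,
        "bob_denied": bob_denied,
    }
```

The two properties the slide relies on are visible in the audit list that `run_slide_scenario` returns: every check-out and denial is recorded against a named administrator rather than against “SYSTEM” or “root”, and the value Joe was given stops working the moment he checks the account in, because the vault draws a fresh password under that target’s own policy.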

Page 20: OPAM Integration with Oracle Identity Governance and Database Security

Page 21: OPAM and OIM – a Complete Governance Platform: Request for Privileged Account Access

Leverage OIM policy/role-based provisioning

– A system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access

– Workflow and approval will be followed as defined

Page 22: OPAM and OIM – a Complete Governance Platform: Request for Privileged Account Access (continued)

– OIM publishes privileged account entitlements in the request catalog

– An admin user uses access request self-service, searches the catalog, picks the privileged accounts he needs and submits them for approval

– The request kicks off workflow and approval as defined

– The user is provisioned with group membership after approval

– The user can access OPAM for privileged password check-out and check-in

Page 23: OPAM and OIM – a Complete Governance Platform: Risk-based Certification

– Through the existing integrations between OIM and OIA and between OIM and OPAM, privileged access information is made available to OIA for certification

– Risk can be calculated based on an entitlement’s privileged status and other data such as the provisioning method

– If an access violation is found, it can be revoked through OIM and OIA closed-loop remediation

Page 24: Use Case: Oracle Cloud for Industry and OPAM

Page 25: Oracle Cloud for Industry – Overview

What is OCI?

– An internal provider of cloud-based IaaS and PaaS services available to Oracle Global Business Units (GBUs) for the packaging of Oracle Industry Solutions to end customers, e.g. Financial Services, Healthcare, Retail

– http://www.oracle.com/us/industries/index.html

Page 26: Oracle Cloud for Industry – Problems

Disparate privileged account practices between multiple operational roles

– Password vault utilities

– Spreadsheets

Minimal auditing/reporting on privileged account usage

Difficulty of access

– “Which vault is that stored in?”

Additional requirements driven by regulatory compliance

– PCI

– HIPAA/HITECH

Page 27: Oracle Cloud for Industry – Solution

Implement a password solution that

– Is easy to use

– Supports privileged accounts from multiple teams with differing requirements

– Is reliable

– Is secure

– Is auditable

– Meets or exceeds regulatory compliance

Solution: OPAM

Page 28: Oracle Cloud for Industry – OCI & OPAM

How did OPAM help?

– Role-based access to privileged accounts: LDAP group membership determines which privileged accounts users can access

– Convenient, accessible BUI (browser user interface)

– Automated reporting of privileged account access and usage

– Centralized, secure repository

– Automated password management

– Unique passwords for each system

Page 29: Oracle Cloud for Industry – PCI & OPAM

How did OPAM help with PCI compliance? Addressed PCI DSS 2.0 requirements:

– 2.1: “Always change vendor supplied passwords before installing a system…”

– 8.5.8: “Do not use group, shared, or generic accounts and passwords…”

– 8.5.9: “Change user passwords at least every 90 days.”

Page 30: Oracle Cloud for Industry – OPAM Flexibility

Customized scripts for password aging reporting

– Required for 8.5.9

– Wrote a custom script to retrieve data from OPAM and email admins as necessary

– RFE submitted to include the functionality in a future release’s BUI

Daily reports of check-in/check-out activity

– Currently done through BI Publisher, emailed to the security team nightly

– On-demand reporting will be in a future release
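The aging script described on this slide, as an added example that is neither the OCI team’s script nor OPAM code: it reads a constructed export of privileged accounts with their last password-change times, flags anything at or past the 90-day limit of PCI DSS 8.5.9 on the previous slide (and, as an assumption, anything due within a week), and builds the e-mail to the admins. The export format and column names, `MAX_AGE_DAYS`, `WARN_BEFORE_DAYS`, `SAMPLE_NOW`, the sender address and every sample row are assumptions; OPAM’s real export and API are not shown on the deck, and SMTP delivery is left out so the example runs offline.

```python
import csv
import io
from datetime import datetime, timezone
from email.message import EmailMessage
from typing import Dict, List, Optional

MAX_AGE_DAYS = 90       # PCI DSS 2.0 requirement 8.5.9
WARN_BEFORE_DAYS = 7    # assumption: warn admins a week before an account goes non-compliant

# Constructed sample export (assumed format); an empty date means the vault has never
# reset the password, which the report treats as non-compliant rather than skipping it.
SAMPLE_EXPORT = """target,account,owner_group,last_password_change
HR App Database,SYSTEM,HR DBA,2013-05-01T10:15:00Z
Unix Server,root,Unix Admins,2013-08-20T08:00:00Z
Billing DB,SYS,Billing DBA,2013-06-20T00:00:00Z
Legacy App Server,admin,Legacy Ops,
"""
SAMPLE_NOW = datetime(2013, 9, 15, tzinfo=timezone.utc)   # constructed report date


def parse_export(text: str) -> List[dict]:
    """Rows of the export with last_password_change parsed to an aware datetime (or None)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = row["last_password_change"].strip()
        row["last_password_change"] = (
            datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if stamp else None)
        rows.append(row)
    return rows


def age_days(changed: Optional[datetime], now: datetime) -> Optional[int]:
    """Whole days since the last reset; None when the vault has no record of one."""
    return None if changed is None else (now - changed).days


def classify(rows: List[dict], now: datetime) -> Dict[str, List[dict]]:
    """Bucket accounts: expired (>= 90 days or unknown), expiring (inside the warning window), ok."""
    buckets: Dict[str, List[dict]] = {"expired": [], "expiring": [], "ok": []}
    for row in rows:
        age = age_days(row["last_password_change"], now)
        row["age_days"] = age
        if age is None or age >= MAX_AGE_DAYS:
            buckets["expired"].append(row)
        elif age >= MAX_AGE_DAYS - WARN_BEFORE_DAYS:
            buckets["expiring"].append(row)
        else:
            buckets["ok"].append(row)
    # Unknown age first, then oldest first, so the worst cases top the mail.
    oldest_first = lambda r: (r["age_days"] is not None, -(r["age_days"] or 0))
    buckets["expired"].sort(key=oldest_first)
    buckets["expiring"].sort(key=oldest_first)
    return buckets


def build_report(buckets: Dict[str, List[dict]], now: datetime,
                 recipients: List[str]) -> EmailMessage:
    """The nightly mail: one line per account that needs action."""
    def line(row: dict) -> str:
        age = "never reset" if row["age_days"] is None else f"{row['age_days']} days old"
        return f"  {row['account']}@{row['target']} ({row['owner_group']}): {age}"

    body = [f"OPAM password aging report for {now:%Y-%m-%d} (limit {MAX_AGE_DAYS} days)", ""]
    for name, title in (("expired", "NON-COMPLIANT, reset now"),
                        ("expiring", f"due within {WARN_BEFORE_DAYS} days")):
        body.append(f"{title}: {len(buckets[name])}")
        body.extend(line(r) for r in buckets[name])
        body.append("")
    body.append(f"compliant: {len(buckets['ok'])}")

    msg = EmailMessage()
    msg["Subject"] = (f"[OPAM] password aging: {len(buckets['expired'])} non-compliant, "
                      f"{len(buckets['expiring'])} expiring")
    msg["From"] = "opam-reports@example.com"          # assumed sender
    msg["To"] = ", ".join(recipients)
    msg.set_content("\n".join(body))
    return msg


def run_nightly(export_text: str, now: datetime, recipients: List[str]) -> EmailMessage:
    """Parse, classify and build the mail; handing it to smtplib is the only step left out."""
    return build_report(classify(parse_export(export_text), now), now, recipients)


if __name__ == "__main__":
    print(run_nightly(SAMPLE_EXPORT, SAMPLE_NOW, ["dba-admins@example.com"]))
```

Two details matter for the compliance use here: an account with no recorded reset is reported as non-compliant rather than silently dropped, and the age is computed against the vault’s own record of the last reset, not against the date the report ran or the date an admin last checked the account out.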

Page 31: Case Study Overview – Solution

Securely stores local privileged account information in a central location

Access to accounts is limited by LDAP group membership (RBAC)

Reportable audit trail on account usage

Page 32: Oracle Privileged Account Manager in Action

Page 33: Oracle Privileged Account Manager in Action – Demo Overview

– How the OPAM “lockbox” is used by Oracle Cloud for Industry

– How OPAM Session Management and Auditing enhance the “lockbox” concept to provide additional compliance data

– How to extend OPAM operations to enable emergency access

– How emergency access can be integrated with physical access security using the Lockitron lock

Page 34: Summary

Page 35: OPAM Benefits

– Enforce internal security policies and eliminate potential security threats from privileged users

– Cost-effectively enforce and attest to regulatory requirements

– Reduce IT costs through efficient self-service and a common security infrastructure

– Real-time usage reports

– Customizable audit reports with BI Publisher

Page 36: Demo Pods

Moscone South: Oracle Identity Governance Suite – Managing Privileged Accounts from Your Identity Platform

Moscone South: Identity Management Monitoring with Oracle Enterprise Manager

Moscone South: Oracle Identity Governance Suite – Complete Identity Lifecycle Management

Page 37: Sessions not to miss

CON8823, Wednesday 09/25, 5:00PM, Moscone West, Room 2018 – Access Management for the Internet of Things – Kanishk Mahajan, Oracle

CON8826, Thursday 09/26, 3:30PM, Moscone West, Room 2018 – Zero Capital Investment by Leveraging Identity Management as a Service – Mike Neuenschwander, Oracle

CON8902, Thursday 09/26, 2:00PM, Marriott Marquis, Golden Gate C3 – Developing Secure Mobile Applications – Mark Wilcox, Oracle

CON8836, Thursday 09/26, 11:00AM, Moscone West, Room 2018 – Leveraging the Cloud to Simplify Your Identity Management Implementation – Guru Shashikumar, Oracle

CON4342, Thursday 09/26, 12:30PM, Moscone West, Room 2018 – Identity Services in the New GM IT – GM

CON9024, Thursday 09/26, 2:00PM, Moscone West, Room 2018 – Next Generation Optimized Directory: Oracle Unified Directory – Etienne Remillon, Oracle

Page 38: Join the Oracle Community

Oracle.com/Identity

Twitter: twitter.com/OracleIDM

Facebook: facebook.com/OracleIDM

Oracle Blogs: blogs.oracle.com/OracleIDM
