Recently started the Oracle program: Are You The Smartest.
For me it is an opportunity to test my current knowledge level and to extend my knowledge.
After every session I follow, I will write a brief summary as part of the preparation for the test.
I will continue with the summary of the following session.
ARCHITECTS TRAINING – SECURITY – Access Management
This 1 hour and 52 minutes during session was divided into the following parts:
- Introduction and Background
- Control Access from Anywhere, Anytime
- Providing AM and SSO for Mobile Platforms
- Leveraging Social Networks
- Providing Security for Cloud-based Services
- Sharing information is key – Not only for the humans @ work – Identity Context
- How do I design an architecture for this
- Don‘t ever interrupt me or slow me down! Scale and Availability
This session contains a huge amount of abbreviation, which I have summarized at the end of this post.
Introduction and Background
What is Identity and Access Management?
At the most basic level it is understanding who has access to what and then governing that access.
- Creating and managing user identities of Customer/Employees/or Partners
- Assigning users rights and privileges
- Securely enabling users to get the access they should
- Monitoring and certifying access and rights
- Fundamental to all computing
Computing Troika – the impact of the shift to Cloud Computing, Mobile Computing, and Social Computing.
The consequence of this is that organizations have to provide controlled access to users which are using a myriad of different and mostly mobile devices. These users, part of the “Identity Explosion,” are business partners, customers, leads, and other groups. Many of these users request that login be based on existing social network accounts, like Facebook or LinkedIn.
Different perspective on security
- Oracle provides multiple layers of security to ensure that only authorized users have appropriate access to your systems.
- Security at the application layer includes comprehensive compliance management and centralized policy administration to support multiple compliance requirements.
- Middleware security provides role-based access controls and identity management, including rights management and identity governance.
- At the database layer, data is secured while in motion via SSL 256 bit encryption, and at rest using Oracle’s Transparent Data Encryption. You can transparently encrypt all application data or specific sensitive columns, such as credit cards, social security numbers, or personally identifiable information (PII), without making any changes to existing applications. Data Vault prevents privileged users from accessing application data. Other security measures include tracking configuration and information changes and auditing all database activity.
- Finally, security at the infrastructure layer includes hardware level encryption in order to protect data at rest from unauthorized disclosure, alteration and deletion – without impacting performance. Tamper resistant key storage protects cryptographic keys from theft.
Market Trends
Market Trend #1: Avoiding System Fragmentation & Reducing Cost
Most organizations today have evolved their security platform from multiple vendors and products. Acquisitions have also added to the complexity and customization. So much so that another trend shaping the industry is simplification … Avoiding System fragmentations and reducing cost.
- Shunning the current complex customizations required to meet individual requirements
- Seeking to accelerate configuration/deployment cycles and simplify maintenance
- Avoiding multi-vendor gaps, performance issues, integration challenges, upgrade cycle timing
- Reducing high TCO
Market Trend #2: Compliance Requiring Business Users
- Security policies and audit information (reporting) must be handled by business users, not by IT staff
- Increasing demand for self service access requests to reduce costs and accelerate processes
- Increasing volume and frequency of access certifications
Coming back to the enterprise space… there is a never-ending evolution of compliance and risk management obligations.
What’s happened is that in order to effectively scale, organizations are looking to empower end users to be a part of this compliance process.
As a result they want end users to have self service access to request systems to reduce cost and simplify the process
Similarly you have a desire for Business Managers to be able certify that their employees have the right access.
Finally to automate the process of securing Privileged Accounts. Many sensitive account require root access and those credentials need to be shared … so how are we securing that.
Market Trend #3: Environment is changing rapidly:
Mobile and Cloud Opportunities as well as Social Networks are becoming predominant challenges
- Securing access to systems from mobile phones and tablets
- Securing access and managing risk/compliance across enterprise and cloud applications
- Identifying web site visitors via consumer social identities to establish and develop relationships
Market Trend #4: Scale requirements are increasing
- Moving from employee to massive scale for even small companies.
Control Access from Anywhere, Anytime
- Email example: The RSA attack was started with a spear phishing scam
- Website example: Italian bank: Banca Fideuram – specific cross site scripting attack to steal account info from customers
- Mobile example: Researcher group in Germany demonstrate how to crack (via a jailbreak) an Iphone in 360 seconds
- Social example: New Facebook malware steals credit card data via. Untrusted Sign-on
Competing on the 3rd Platform
- 1e platform: mainframe, terminal
- 2e platform (PC): lan/internet, client/server
- 3e platform (mobile devices and apps): mobile broadband, Big data/analytics, social business, cloud services
IDC: From 2013 through 2020, 90% of IT industry growth will be driven by 3e platform technologies that, today represent just 22% of ICT spending. 80% of competitive energy should be focused on strengthening 3e platform.
Securing the „Internet of Things“ moves from Incidental to Critical
- The single perimeter is finally gone
- Privacy and protection for web-connected consumer goods
(TVs, fitness, GPS devices, of course tablets and phones) - Critical infrastructure needs a rethink
— Leon E. Panettas (minister of … in the States) warning from cyber-attacks - Large SCADA-type systems are vulnerable and a likely target:
Government as well as industry installations controlled e.g. by programmable logic controllers, vulnerable
Cloud Identity Driven by ‘Authentication as a Service’ & ‘Bring Your Own Identity’
- Proliferation of compromised certs, poor passwords + sophisticated attacks
= increasing risk & inconvenience - Federated identity in the cloud gets common
- Stronger authentication based on social networking credentials
- BYOiD – “How you behave” is now “Something you are”
Cyber Weapons and organized Crime / change Warfare and Commercial threats
- Modes
- Espionage (industrial vs. military)
- Disruption (private vs. public sector)
- Warfare (perception vs. definition)
- Commercial Exploits (organized crime vs. formerly gifted individuals)
- Unresolved Issues
- Identifying tools and actors
- Legality of response
- Control of code
- Rules of engagement
- Private sector information sharing
Social Networking: Has both Opportunities and Challenges: Marketing Security ROI?
- Centralized management of all “official” social networking
- Prevent spoofed or hijacked accounts
- Alert on accidents, mischief, and malicious activity
- Monitor sentiment towards corporate brands
- Address senior management’s questions:
- Are we consistent?
- What do people think?
- Is it paying off?
- Did/will it improve profitability?
Where does Privacy Start and End: ..perspectives vary..
- Facebook, Google, Twitter, Skype, WebEx – Who owns you?
- USA vs. European privacy
- Big data mining data from social networks
- Worldwide views on free speech
- Regulatory compliance and privacy
- Consumer & Corporate Privacy Market?
CxOs: Security must be a – Predictable, – Operational. Expense (CFO’s, CIO’s, etc.)
- Security layers deliver security complexity
- CxOs discouraged and frustrated as the range of technologies, services, and suppliers continue to expand
- Just want to know what went right or wrong, when was it fixed, and who should be fired
- Simplicity and risk offload drives managed and hosted security services
Analytics: Becomes the Differentiator in Threat Intelligence Excellence
- Current offerings:
- Raw data
- Focused
- Focused with remediation
- Future offerings:
- SIEM integration with custom reporting and dashboards
- Support for SCADA and programmable logic controllers
- Big data analytics based on hundreds of data feeds and trillions of events
Security Information and Event Management (SIEM) solutions are a combination of the formerly disparate product categories of SIM (security information management) and SEM (security event manager). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM solutions come as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.
Providing AM and SSO for Mobile Platforms
Mobile Access Management
- Mobile Application Access Security
- Integrates native mobile apps and mobile web with corporate systems & information
- Access management, authorizations, API security, and fraud detection
- Device context based fine grained authorization
- Mobile Device Security Elements
- Device security – jailbreak detection at login
- Device lifecycle – white-list/blacklist/lost device management
- Device fingerprinting
Single Sign on between native applications, and also with mobile browser based applications.
- Username and Password
- Social Logon
- Step up Auth and OTP, can be applied:
- first time with this device (device registration)
- sensitive application
- high risk score
- user with high level of access to application
- Oracle Adaptive Access Manager
- Device Fingerprinting and Registration Database
- Risk-Based Authentication that Factors Mobile Context
- Oracle Enterprise Gateway
- Enables Mobile Application REST API’s and protects API’s, webservices, and SOA infrastructure from external threats and invalid / suspicious requests
- Extends Access Management with authentication, authorization, audit to REST API’s, web services
- Oracle Entitlement Server
- Make Authorization Decisions and Redact Data based on User, Mobile, or any other Context
- Externalize Authorization Policies from Application Code
- Oracle Access Management : Mobile & Social
- Mobile Identity and Access Gateway
- Authentication, Registration, and User Profile Services for Mobile
- Oracle Web Services Manager
- Last mile security for an organizations backend web services and SOA infrastructure
- Embedded agents
- Native Mobile Security SDK
- Native Login Screens / Secure Credential Storage
- Easy Integration w/ SSO and Web Services Security
- Native Mobile Security Apps
- Login App for Native and Web Apps Providing Device Context
- Native White Pages App Integrated w/ User Profile Services
Client SDKs: Use Native Libraries
Quickly build security into your mobile applications
- Store/Access Keys, Tokens, Handles and other secure data
- Access Mobile Device Information (OS, Carrier, Geolocation, IP/MAC)
- Support KBA, OTP via Email and SMS
- Manage Single Sign-on
Already available for iOS. Android is coming.
Data redaction: Determine which data could or could not.
Identity store has/keeps tokens (OTP).
Leveraging Social Networks
Social Identity
Add Social Identity Personalization and Federation Options to Mobile Applications, Websites, and resources protected by Oracle Access Manager and Oracle Entitlements Server
- Enable applications to consume Social Identities
- Enable customers to federate with social networking sites
- Support standard protocols like OAUTH and OpenID
Easily add to existing protected sites
Identity Collector, redirections
Providing Security for Cloud-based Services
The Cloud: Security and privacy
- Identity and access management
- Multi-tenancy
- Data masking, Encryption
- Secure bulk load and offload of ID data
- Secure and Federated Access
- Support all de-facto standards (SAML/Oauth/SPML/..)
- Identity as a Service
- Compliance and SLA reporting
- Physical and personnel security
- Availability
- Privacy
- Legal issues
The Cloud: Identity as a Service
- Customers are looking to outsource IAM
- Want to augment in-house IdM or replace parts of it
- IT Staff expertise is a challenge
- MSPs looking to offer IAM as a Service
- Cost benefits of shared service model over hosted instances
- Maintenance simplicity
- Requires many technical features:
- Multi-Tenancy
- Federation
- Metering/Billing
Sharing information is key – Not only for the humans @ work – Identity Context
Context-Aware Security Can Help Meet the Challenge
Security policies need access to contextual information about identity, for example:
- Application should disable a business function if the user’s device can’t be trusted
- Web Service request should be rejected if the user’s risk score computed during login was too high
- Database query should be rejected if the user’s level of assurance established during authentication is below an acceptable limit
Via EM
Sample ID Context Attributes
Category | Attributes (Sample) | Publisher |
Client |
|
ESSOAccess Mobile |
Risk |
|
OAAM |
Federation |
|
OIF |
Session |
|
OAM |
Identity |
|
OAMOVD |
How do I design an architecture for this
Oracle Access Management 11gR2: Reference Architecture
- Complete
- Innovative
- Simplified
- Scalable
- Open
Don‘t ever interrupt me or slow me down! Scale and Availability
Oracle Access Management: Scalable to any requirements
Large bandwidth needed. Is expensive.
Alternative: reauthenticate
Abbreviations / Explanations
- AM: Access Management
- AWG: Gateway
- DMZ: perimeter network
- ESSO: Enterprise Single Sign-On
- KBA: Knowledge Based Authentication (e.q. by challenge questions)
- OAAM: Oracle Adaptive Access Manager
- OAM: Oracle Access Management
- ODSEE: Oracle Directory Service Enterprise Edition
- OES: Oracle Entitlements Service
- OFM: Oracle Fusion Middleware
- OHS: Oracle HTTP Server
- OIA: Oracle Identity Analytics
- OIF: Oracle Identity Federation
- OIM: Oracle Identity Management
- OPAM: Oracle Privileged Account Management
- OPSS-JRF: Oracle Platform Security Service – Java Required Files
- OSTS: Oracle Security Token Service
- OTP: One-Time Password
- OUD: Oracle Unified Directory
- OVD: Oracle Virtual Directory
- OWSM: Oracle Webservice Manager
- RSA : public-key encryption algorithm
- SCADA: Supervisory Control And Data Acquisition (large scale processes).
- SIEM: Security Information and Event Management
- T2P: Tier 2 Payments