
Identity Management for Database Applications
Session 40128

Sudha Iyer
Principal Product Manager
Oracle Corporation

Reminder – please complete the OracleWorld online session survey. Thank you.


Agenda

  • Business Drivers for Security

  • Identity and Security – related?

  • Key Benefits of Identity Management

  • Strategies for deployed applications

  • Oracle Database 10g

  • Questions


Business Drivers for Security

Why security?


Business Environment …

  • Increased threat to business continuity

    • Internal threats

    • External threats

  • Government Regulations (US and Foreign)

    • Security Policy

    • Security Products

  • Manageability and High Availability with Security


Measuring ROI in Security

  • Opportunity Cost

    • What does lost business, delayed payments and customer retention mean to your business?

  • Lower Administrative Costs

    • Patch Management

    • User Provisioning

    • Eliminate Password Management woes


Security & Identity Management

Where do they meet?


Critical aspects of Security

  • Privacy

    • Consumers vs. Businesses

    • Staying anonymous is expensive

  • Authentication

    • Critical to establish trust

  • Integrity

    • Non repudiation

  • Audit


Identity and Security

  • Identity

    • Username, Certificate DN, Global UID

  • Authenticate

    • Password (what you know)

    • Stronger alternatives (smart card, Certificate, TGT)

  • Trust

    • Secure the channel

    • Evaluate Access Control

    • Assist in non repudiation


Identity Management in Oracle 10g

  • Oracle Internet Directory: LDAP standard repository for identity information
  • Directory Synchronization: integration with other directories (e.g. ADS, iPlanet)
  • Provisioning Integration: automatic provisioning of users in the Oracle environment
  • Delegated Administration: self-service administration tools for managing identity information across the enterprise
  • AS 10g Single Sign-On: single sign-on to web applications
  • Oracle Certificate Authority: issue and manage X.509v3-compliant certificates to secure email and network connections


Oracle Security Architecture

(Layered diagram, reconstructed from the slide text.)

Application Component Security
  • Oracle E-Business Suite: Responsibilities, Roles …
  • Oracle Collaboration Suite: Secure Mail, Interpersonal Rights …
  • OracleAS Portal & Wireless: Roles, Privilege Groups …

Oracle 10g Platform Security Bindings
  • OracleAS 10g (under each suite): JAAS, WS Security, Java2 Permissions …
  • Oracle 10g Database (under each suite): Enterprise users, VPD, Encryption, Label Security

External Security Services
  • Access Management: OracleAS Single Sign-On, OracleAS Certificate Authority
  • Enterprise Security Infrastructure: Delegated Administration Services, Directory Integration & Provisioning
  • Directory Services: Oracle Internet Directory
  • Provisioning Services

The external services together are labelled Oracle Identity Management.


Benefits of Identity Management

Valuable with over capacity in technology


Where is the pain?

  • User Administration

    • Scalability

      • too many accounts for additions, deletions, role changes across 100s of databases

      • Solution: Directory Integration for Centralized User/Privilege Management

  • Ease of Use and Flexibility

    • too many passwords to remember/administer

      • Solution: Single Sign-On with digital certificates, and Single Password


Oracle Identity Management…

  • Improve ROI on administration

    • One network identity for a user

    • Eliminates maintaining users across databases

  • Enable self service for user management

    • Lost Passwords retrieved by end users

  • Security with Usability

    • SSL and Kerberos with ease of administration


Database Security for Directory Users

Users, Label Security policies and user privileges are managed in OID.

  • Apps may rely on
    • Database roles alone
    • Enterprise roles in the directory
  • Single Sign-On users and enterprise users are unified in OID
  • Applications can enforce VPD policies and Label Security, and produce audit records, for directory users

(Diagram: directory user Jane, holding the enterprise roles Surgeon and Nurse, connects to the Oracle databases through the shared Apps_User schema.)


Ongoing User Administration

(Screenshots: define a group in OID, add a user to the group, list group access.)


Directory Users for Legacy Apps

Strategies to get more for less


Where to begin?

  • Understand application user model

  • Understand access control model

  • Understand security policies

  • Decide on new user model

  • Strategy

    • Centralize users first

    • Centralize roles second


Application User Model - 1

  • Every application user is a database user

  • Application uses database’s authentication and authorization capability

  • Every user has an “exclusive” schema

  • Where are the application objects?


Best Practice - 1

  • Usually, App objects are in an app schema

    • Move the database users to the directory

    • Map the user to a shared schema

  • Consider using Enterprise Roles

    • If app relies entirely on database roles
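As an added illustration of this best practice (these statements are not from the presentation), the database side of moving users to the directory: a shared schema for enterprise users, an exclusive schema tied to one directory entry, and a global role whose membership is decided in OID. The schema, table, role and DN values are assumptions. The mapping of directory entries to the shared schema, and the grant of the global role to an enterprise role, are done in the directory with Enterprise Security Manager, not in SQL.

```sql
-- Added example, not from the presentation. Schema, role and DN values are
-- assumptions for illustration.

-- Application objects stay in their own schema. Lock the owner account so
-- nobody logs in as the object owner.
CREATE USER app_owner IDENTIFIED BY "placeholder" PASSWORD EXPIRE ACCOUNT LOCK;

-- Shared schema for directory users: IDENTIFIED GLOBALLY AS '' (empty DN)
-- means "any directory user that OID maps to this schema". Many enterprise
-- users share it, so it holds no data of its own.
CREATE USER app_users IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO app_users;

-- Exclusive schema for one directory entry (the Model 2 case): the DN is
-- the user's own entry in OID.
CREATE USER jane IDENTIFIED GLOBALLY AS 'cn=jane,cn=users,dc=example,dc=com';
GRANT CREATE SESSION TO jane;

-- Global role: object privileges are granted here, in the database, but who
-- holds the role is decided by OID through enterprise role membership.
-- A local "GRANT hr_clerk TO jane" is neither possible nor needed.
CREATE ROLE hr_clerk IDENTIFIED GLOBALLY;
GRANT SELECT, UPDATE ON app_owner.employees TO hr_clerk;   -- table assumed to exist

-- Check from a session that came in through the shared schema:
-- SESSION_USER is the schema everyone shares, EXTERNAL_NAME is the directory
-- DN that actually authenticated. VPD and audit should key on the latter.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')  AS schema_user,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') AS directory_dn
  FROM dual;

-- Global roles handed to this session by the directory lookup.
SELECT role FROM session_roles;

-- DBA sanity check (10g: the PASSWORD column reads GLOBAL or EXTERNAL for
-- non-password users): anything else is an account the directory does not
-- manage and still needs a local password.
SELECT username
  FROM dba_users
 WHERE password NOT IN ('GLOBAL', 'EXTERNAL');
```

Once the directory work is done, logging in as a mapped user and querying `session_roles` is the quickest way to confirm that the enterprise role really arrived; if `hr_clerk` is missing, the mapping or the enterprise role grant in OID is wrong, not the database.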


Application User Model - 2

  • Application user is a database user but,

    • Some objects are shared and others are owned by each user

  • Application relies on database roles for access control enforcement


Best Practice - 2

  • Move the database users to the directory

    • Each user has an exclusive schema

  • Consider using Virtual Private Database

    • Eliminate exclusive schemas; use shared schema
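An added example of the VPD approach this slide recommends (not from the presentation): one shared table instead of one schema per user, with a policy that limits each directory user to their own rows, keyed on the enterprise user's DN rather than the shared schema name. The owning schema, table, column and function names are assumptions, and the app_owner schema is assumed to exist with a tablespace quota.

```sql
-- Added example, not from the presentation. Names are assumptions.

-- One shared table; each row records the directory DN of its owner.
CREATE TABLE app_owner.patient_notes (
  note_id   NUMBER PRIMARY KEY,
  owner_dn  VARCHAR2(256) NOT NULL,   -- DN of the enterprise user who wrote it
  note_text VARCHAR2(4000)
);

-- Policy function: VPD calls it with (schema, object) and appends the
-- returned predicate to every statement against the table.
CREATE OR REPLACE FUNCTION app_owner.own_rows_only (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- The owning schema sees everything (NULL predicate = no restriction).
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_OWNER' THEN
    RETURN NULL;
  END IF;

  -- Shared-schema session: SESSION_USER is the same for everyone, so the
  -- predicate must use the directory identity. Referencing SYS_CONTEXT in
  -- the predicate string keeps it evaluated per execution.
  IF SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') IS NOT NULL THEN
    RETURN 'owner_dn = SYS_CONTEXT(''USERENV'', ''EXTERNAL_NAME'')';
  END IF;

  -- No directory identity (local password login, or a proxy that did not
  -- pass one): fail closed and return no rows.
  RETURN '1 = 0';
END;
/

-- Attach the policy to all DML. update_check makes INSERT/UPDATE rows obey
-- the predicate too, so a user cannot write a note under someone else's DN.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP_OWNER',
    object_name     => 'PATIENT_NOTES',
    policy_name     => 'OWN_ROWS_ONLY',
    function_schema => 'APP_OWNER',
    policy_function => 'OWN_ROWS_ONLY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/
```

The failure mode worth testing is the third branch: connect with a local password account that has SELECT on the table and confirm the query returns zero rows rather than everything. A policy keyed on `SESSION_USER` would silently give every shared-schema user the same view.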


User Management for Models 1 & 2

  • Database users are transformed into enterprise users, and are either
    • mapped to a shared schema, or
    • given an exclusive schema
  • The database looks up the user's credentials in OID and gets all enterprise roles assigned to the user
  • Apps may rely on
    • Database roles
    • Enterprise roles
  • Client/server app: Jane logs into the database and one database connection is established

(Diagram: Jane authenticates through OID to the Oracle DB, which holds the schemas Guest_Schema and APP_SCHEMA.)


Application User Model - 3

  • Every application user is a database user

  • Application has its access control module

    • Application may use a pre-seeded “App User”

    • Home grown audit module

    • Direct access to database objects restricted by Product User Profile (PUP)


Best Practice - 3

  • Cost effective to map users to shared schema

  • Consider replacing home grown admin module using enterprise roles/database global roles


User Management - 3

Database users are transformed into enterprise users, mapped to the shared schema (APP_SCHEMA). Apps_User proxies directory users.

(Diagram: directory users Jane and Jill each reach APP_SCHEMA in the Oracle DB through the Apps_User proxy.)
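An added example for Best Practice 3 and the User Management 3 diagram above, not from the presentation: the middle-tier account Apps_User proxying directory users into the shared schema, with the end user's DN carried into the session, a global role replacing the home-grown access control module, and the proxy path audited. All names are assumptions; the `GRANT CONNECT THROUGH ... AUTHENTICATED USING DISTINGUISHED NAME` form is the 9i/10g-era syntax for proxy authentication.

```sql
-- Added example, not from the presentation. All names are assumptions.

-- Middle-tier (application server) account. It may connect, but it owns
-- nothing and holds no application role of its own.
CREATE USER apps_user IDENTIFIED BY "placeholder";
GRANT CREATE SESSION TO apps_user;

-- Shared schema that OID maps directory users to.
CREATE USER app_schema IDENTIFIED GLOBALLY AS '';
GRANT CREATE SESSION TO app_schema;

-- Application privileges live in a global role; membership comes from the
-- enterprise role in OID, which is what replaces the home-grown admin module.
CREATE ROLE clinic_reader IDENTIFIED GLOBALLY;
GRANT SELECT ON app_owner.patient_notes TO clinic_reader;   -- table assumed to exist

-- Let apps_user open sessions as app_schema on behalf of an end user, only
-- when it presents that user's directory DN, and with only this role
-- enabled in the proxied session.
ALTER USER app_schema
  GRANT CONNECT THROUGH apps_user
  WITH ROLE clinic_reader
  AUTHENTICATED USING DISTINGUISHED NAME;

-- Audit what the proxy does on behalf of any end user, so the audit record
-- names Jane or Jill rather than just Apps_User.
AUDIT SELECT TABLE, UPDATE TABLE BY apps_user ON BEHALF OF ANY;

-- Inside a proxied session all three identities are visible, which is what
-- VPD policies and audit reports should use.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')    AS middle_tier,   -- APPS_USER
       SYS_CONTEXT('USERENV', 'SESSION_USER')  AS schema_user,   -- APP_SCHEMA
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME') AS end_user_dn    -- cn=jane,...
  FROM dual;

-- Review the proxy paths that exist; any pair beyond apps_user -> app_schema
-- deserves a question.
SELECT proxy, client, role FROM dba_proxies;
```

The point of `WITH ROLE clinic_reader` is least privilege for the middle tier: even if the application server is compromised, a proxied session cannot enable roles the end user holds for other applications. The pre-seeded "App User" of Model 3 is kept, but it no longer carries the privileges itself.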


Application User Model - 4

  • Application has robust user management module

  • Application uses application context to track users

  • How can these users leverage an Enterprise Directory?


Best Practice - 4

  • Integrate with AS Single Sign-On

    • Provisioning of users handled automatically by HR

    • Password management policies of Oracle Internet Directory enforced

    • Eases integration with other applications in the enterprise

  • Second stage – delegate access control to DB/OID


Oracle 10g


Kerberized Enterprise Users

  • Directory users

    • Use Kerberos credentials to authenticate to the Oracle Database

  • Benefits

    • End-to-end security with desktop sign-on

    • Virtually no administrative cost

    • Centralized administration in heterogeneous environment


Integrated Enterprise User Security

  • Identity Management infrastructure

    • Unified user model (one password)

  • Simplified configuration

    • Provide an alternate secure channel for database-to-directory communication

  • Benefits

    • Easy, low cost administration of users

    • Identity flows end-to-end aiding accountability

    • Database security for web application users

    • Rapid prototyping


Security and Identity Management for GRID

  • Central provisioning of users for database services

  • Apply database security features for GRID users

  • Central administration of security policies for GRID users


Security with Usability… a scenario

(Diagram: a new employee is provisioned in Microsoft ADS; the AD Connector synchronizes the entry into Oracle Internet Directory; on either Unix or Windows the user obtains a Kerberos TGT from the KDC (MIT v5 or MS KDC) and, as Surgeon, reaches the Patient Profile and Patient Care applications.)


Oracle Label Security, OID Integration

  • Centrally administer

    • Oracle Label Security policies

    • sensitivity labels

    • user label authorizations

  • Benefit

    • Label authorizations enforced for directory users

    • Enforce uniform policies centrally

      • Aids GRID computing

    • Eases administration


Summary Increase Returns on Investment

  • Lower administrative costs

  • Simplify user experience

    • Password resets, single password

  • Strong authentication alternatives

    • SSL, Kerberos

  • Assist Audit Compliance

  • Integrate with Database Security

    • Oracle Label Security, Virtual Private Database


Questions & Answers


Next Steps….

  • Recommended sessions

    • Securing J2EE Applications with Oracle Identity Management

    • Planning your Identity Management Deployment (40207)

    • Oracle and Thor: Identity Management Provisioning (40017)

  • Recommended demos and/or hands-on labs

    • Security and Identity Management Demo Pods

    • Oracle Security Command Center - Booth 1736

  • See Your Business in Our Software

    • Visit the DEMOgrounds for a customized architectural review, see a customized demo with Solutions Factory, or receive a personalized proposal.


Reminder – please complete the OracleWorld online session survey. Thank you.

