ORACLE DATA SHEET
ORACLE ADAPTIVE ACCESS MANAGER
PROACTIVE ENTERPRISE SECURITY
KEY FEATURES
• Fingerprint all types of devices whether access is via browser or native mobile application.
• OTP Anywhere – Risk-based, one time password authentication
• Universal Risk Snapshot – Configuration backup, migration and recovery
• Answer Logic – Balancing security and usability
• Risk Analytics – Real-time and batch data analysis
• Active Compliance – Incident prevention and rich audit trail
• Deployment Options – WAM, Native, Reverse Proxy, Listener
• Secure Self Service Password Management – IAM Suite interoperability
KEY BENEFITS
• Single security across both browser and mobile applications can save money compared to point solutions.
• Risk-based authentication via out-of-band channels including SMS, email, instant message or voice adds additional layers of security in a cost effective manner.
• Convenient change management allows administrators to quickly back up, restore, and migrate security configurations.
• Answer Logic reduces the major usability issues that impact challenge question based authentication solutions. Reduced help desk calls bring overall solution cost down and end user satisfaction up.
• Preventing fraud and misuse before it occurs saves money by avoiding costly manual reviews, remediation, lost customers and compliance penalties.
• Quickly layer advanced security without removing basic authentication methods already in place.
• Securely offering self-service flows that largely replace help desk calls can save a lot of money.
Oracle Adaptive Access Manager makes exposing sensitive information,
transactions and business processes to consumers, remote employees or
partners via the internet, intranet and extranet safer. Cost effective real-time
risk analytics, risk-based authentication, anti-phishing and anti-malware
capabilities provide exceptional return on investment. A high degree of usability
for end users, administrators and deployment engineers makes the solution both
strong and operationally sound.
Introduction
Organizations that expose services and applications on the internet, intranet and extranet are
concerned about security, and rightly so. Fraud and abuse can incur both direct and indirect
costs for an enterprise. Fraud is no longer only a consumer facing problem: employee and
partner accounts are being compromised and misused at the expense of the enterprise. Fraud
and abuse are being conducted across multiple access channels using a large variety of
methods. The popular approach of deploying stronger forms of credential based
authentication is not preventing fraud, as new forms of threats break and circumvent these
authentication mechanisms. Also, because of new and evolving regulations governing online
data privacy, organizations are being required to quickly introduce reliable, cross channel
access security solutions to ensure that fraudulent activities are detected and prevented.
Oracle Adaptive Access Manager provides an innovative, comprehensive feature set to help
organizations prevent fraud and abuse. Strengthening standard authentication mechanisms,
innovative risk-based challenge methods, multiple types of real-time risk analysis, intuitive
policy administration and integration across both the Identity and Access Management Suite
and third party products make Oracle Adaptive Access Manager uniquely flexible and
effective. Oracle Adaptive Access Manager provides real-time and batch risk analytics to
combat fraud and abuse across multiple channels of access. Real-time evaluation of multiple
data types helps stop fraud as it occurs, which can save time, money and reputation.
Oracle Adaptive Access Manager provides a rich and adaptable set of deployment options
including native application integration, reverse proxy interceptor and batch based as well as
basic and advanced integration with Oracle Access Manager and Oracle Identity Manager.
Through Oracle’s large partner network other options are available using third party products
such as WAM and SSL VPN. The variety of available deployment methods, out of the box
integrations and easy to administer security policies make enabling advanced security and
ensuring regulatory compliance straightforward and cost effective.
Figure 1. Fraud Prevention Flow
Application Access Security
Oracle Adaptive Access Manager provides a number of cost effective and rich features to
strengthen existing web application login flows. Regardless of the type of authentication in
place, Oracle Adaptive Access Manager can improve the level of security in a usable
manner. Insider fraud, session hijacking, stolen credentials and other threats cannot be
eliminated by strong, credential based authentication alone. As in figure 1, adding a risk-based
challenge layer behind existing authentication can greatly increase the level of security with
minimal impact to the user experience – a critical factor for large deployments where help
desk calls can dramatically impact the bottom line. Oracle Adaptive Access Manager’s suite
of virtual authentication devices combats phishing with personalized images and phrases known
only to the server and the end user. Furthermore, through the use of virtual devices such as
KeyPad and PinPad, the security of the user's credentials during entry can be assured by not
capturing or transmitting the actual credential of the end user. This protects the credential
from theft by malware and other similar threats. The virtual authentication devices are 100%
server driven; all features are provided without any client-side software or logic that can be
compromised by key-loggers and other common malware. Additionally, Oracle Adaptive
Access Manager performs device fingerprinting and behavioral profiling on every access to
determine the likelihood that the authentication is being attempted by the valid user.
Device Fingerprinting
One extremely valuable capability Oracle Adaptive Access Manager (OAAM) offers
customers is the ability to independently identify devices and track their usage. A mixture of
proprietary clientless technologies and an extensible custom client integration framework
makes OAAM very flexible. Device usage is tracked to determine if there are any anomalies
which may elevate the level of risk. OAAM customers can secure both standard and mobile
browser-based access without additional client software, or choose to integrate a custom
developed client such as a Java applet for additional functionality if desired. For access
requests to a web application via a native mobile application, customers and partners can easily
integrate OAAM device fingerprinting capabilities via the client integration framework.
OAAM generates a unique single-use fingerprint mapped to a unique device ID for each user
session. It is replaced upon each subsequent fingerprinting process with another unique
fingerprint. The fingerprinting process can be run any number of times during a user session
to allow detection of changes mid-session that can indicate session hijacking. OAAM
monitors a comprehensive list of device attributes. If any attributes are not available the
device can still be fingerprinted. The single-use capabilities combined with multiple attributes
evaluated by server-side logic and custom client extensibility make OAAM device
fingerprinting easy to deploy and secure.
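An added sketch of the single-use, rotating fingerprint scheme described above, written for this page rather than taken from OAAM: the attribute names, the in-memory session store and the anomaly labels are assumptions. It shows how re-running the fingerprint mid-session surfaces a replayed token or changed device attributes while tolerating attributes that are simply unavailable.

```python
"""Single-use, rotating device fingerprints for mid-session hijack detection.

Illustration written for this page, not OAAM code. Attribute names, the
in-memory session store and the anomaly labels are assumptions.
"""
import hashlib
import secrets

# Assumed attributes that a clientless (header/script based) collector could supply.
STABLE_ATTRS = ("user_agent", "accept_language", "screen", "timezone", "platform")


class FingerprintService:
    def __init__(self):
        # session_id -> {"device_id": str, "attrs": dict, "token": str}
        self._sessions = {}

    @staticmethod
    def _device_id(attrs):
        # Hash only the attributes that were supplied: a device with some
        # attributes missing can still be fingerprinted.
        material = "|".join(f"{k}={attrs[k]}" for k in STABLE_ATTRS if k in attrs)
        return hashlib.sha256(material.encode()).hexdigest()[:16]

    @staticmethod
    def _rotate(state):
        # Every fingerprinting run issues a fresh single-use token; the previous
        # one is no longer accepted, so a captured token cannot be replayed.
        state["token"] = secrets.token_urlsafe(16)
        return state["token"]

    def start(self, session_id, attrs):
        """First fingerprinting in a session: bind a device ID, issue a token."""
        state = {"device_id": self._device_id(attrs), "attrs": dict(attrs), "token": None}
        self._sessions[session_id] = state
        return self._rotate(state)

    def refingerprint(self, session_id, token, attrs):
        """Re-run mid-session; returns (anomalies, new_token).

        Anomalies feed the risk engine: a reused token or changed stable
        attributes are indicators that the session may have been hijacked.
        """
        state = self._sessions.get(session_id)
        if state is None:
            return ["unknown_session"], None
        anomalies = []
        if token != state["token"]:
            anomalies.append("token_reuse")
        changed = [k for k in STABLE_ATTRS
                   if k in attrs and k in state["attrs"] and attrs[k] != state["attrs"][k]]
        if changed:
            anomalies.append("attributes_changed:" + ",".join(changed))
        # Attributes that went missing are tolerated; newly supplied ones are recorded.
        for k in STABLE_ATTRS:
            if k in attrs and k not in state["attrs"]:
                state["attrs"][k] = attrs[k]
        return anomalies, self._rotate(state)
```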
Answer Logic
Answer Logic increases the usability of Knowledge Based Authentication (KBA) challenge
questions by accepting answers that are fundamentally correct but may contain a small typo,
abbreviation or misspelling. For example, if abbreviation Answer Logic is enabled and a user
is challenged with the question “What street did you live on in high school?” they may answer
“1st St.”, which is fundamentally correct even though when they registered the answer six
months ago they entered “First Street”. By allowing a configurable variation in the form of
correct answers, Answer Logic dramatically increases the usability of registered challenge
questions, placing the balance between security and usability firmly in the control of the
enterprise.
OTP Anywhere
OTP Anywhere allows end users to authenticate themselves by entering a server generated
one-time-password (OTP) which they can receive via SMS, email, instant message or voice
channels. When the OTP is sent via SMS, the user’s cell phone serves as a physical second
factor that the user has in their possession. As well, the authentication is being sent out-of-
band to increase the level of assurance that only the valid user has access to the one-time-
password. When authentication methods such as Answer Logic and OTP Anywhere are
applied based on the level of risk it can dramatically increase web application access security
in an exceptionally cost-effective and usable manner.
Figure 2. Answer Logic Configuration
Self-Service Password Management
Giving end users the ability to securely create and reset their password without assistance
dramatically reduces help desk costs and limits the impact on users’ productivity. However, if
the flows are not user friendly there will still be high volumes of users calling the help desk.
Exposing password management and other sensitive flows on intranet, extranet and internet
sites requires advanced security measures to protect them from exploitation by criminals. As
seen in figure two, security professionals can easily set the level of answer logic in the
administration console user interface. The answer logic level controls how closely the given
answer string must match the answer string given at the time of question registration. Oracle
Adaptive Access Manager 11g provides out of the box integrations with Oracle Identity
Manager 11g and Oracle Access Manager 11g to provide real-time risk analytics and risk-
based challenge mechanisms including KBA challenge questions and OTP Anywhere. These
integrations dramatically strengthen the security of these self-service flows, which not only
increases usability but also reduces risk, making the solution valuable for any enterprise.
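An added illustration of the configurable answer tolerance from the Answer Logic section and of the answer logic level set in the console (example code, not Oracle's implementation): the abbreviation table, the level names and the per-level distance thresholds are assumptions. It reproduces the “1st St.” versus “First Street” case and shows how a stricter level rejects a typo that a looser one accepts.

```python
"""Answer Logic-style fuzzy matching of KBA challenge answers.

Added illustration, not Oracle's implementation. The abbreviation table,
level names and distance thresholds are assumptions chosen for the example.
"""
import re


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Constructed table: alias -> canonical token (the "abbreviation" logic).
ABBREVIATIONS = {
    "st": "street", "ave": "avenue", "rd": "road", "dr": "drive",
    "1st": "first", "2nd": "second", "3rd": "third",
    "n": "north", "s": "south", "e": "east", "w": "west",
}

# Assumed answer-logic levels: fraction of the registered answer's length
# that may differ after normalization. "off" demands an exact match.
LEVELS = {"off": 0.0, "low": 0.1, "medium": 0.2, "high": 0.3}


def normalize(answer: str, expand_abbreviations: bool) -> str:
    """Lower-case, drop punctuation, collapse whitespace, expand abbreviations."""
    tokens = re.sub(r"[^a-z0-9\s]", " ", answer.lower()).split()
    if expand_abbreviations:
        tokens = [ABBREVIATIONS.get(t, t) for t in tokens]
    return " ".join(tokens)


def answer_matches(registered: str, given: str, level: str = "medium",
                   expand_abbreviations: bool = True) -> bool:
    """Accept `given` if it is within the tolerance configured by `level`.

    Typo tolerance needs the registered answer in a recoverable form (an edit
    distance cannot be computed against a one-way hash), so the answer store
    must be encrypted at rest rather than hashed.
    """
    ref = normalize(registered, expand_abbreviations)
    cand = normalize(given, expand_abbreviations)
    allowed = int(len(ref) * LEVELS[level])
    return levenshtein(ref, cand) <= allowed
```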
ORACLE IDENTITY MANAGEMENT
Oracle Adaptive Access Manager provides superior protection for businesses and their customers through multi-layered analysis and risk-based multifactor authentication.
RELATED PRODUCTS
Oracle Access Manager delivers access control, single sign-on, and session management to a heterogeneous application environment.
Oracle Entitlements Server externalizes and centralizes fine-grained authorization for enterprise applications and web services via comprehensive, reusable, and auditable authorization policies and a simple, easy-to-use administration model.
Oracle Identity Federation enables cross-domain single sign-on with an identity federation server that is completely self-contained and ready to run out-of-the-box.
Oracle Web Services Manager is a comprehensive solution for adding policy-driven security and management capabilities to web services.
Oracle Identity Manager is a powerful and flexible enterprise identity provisioning and compliance solution that automates the creation, updating, and removal of users from enterprise systems.
Oracle Identity Analytics empowers customers with rich analytics and dashboards to allow monitoring, analyzing and governing user access in order to mitigate risk and satisfy compliance mandates.
Risk Analytics
Oracle Adaptive Access Manager evaluates the level of risk for a specific situation by
analyzing event/transaction and contextual data from a variety of sources, including
application data, user profiles, device fingerprints, IP addresses, geo-location, other network
data and 3rd party data feeds. OAAM combines highly configurable rules, auto-learning
patterns and predictive techniques to analyze risk in real-time. By looking at various risk
factors simultaneously, Oracle Adaptive Access Manager can determine the relative risk level,
alert investigators and take steps to proactively prevent fraud using challenge methods and/or
blocking. In addition, a detailed forensic trail of the analytics and actions taken is captured to
allow thorough investigations and proper audit compliance.
Behavioral Profiling
Oracle Adaptive Access Manager dynamically identifies high risk situations in part by
learning what normal behavior is for users, devices, locations (IP address, city/state/country,
etc.) and entities (credit card, address, etc.). Oracle Adaptive Access Manager evaluates an
individual’s behavior against their own history and the history of all other individuals. This
“auto-learning” is constantly being updated in real-time so changes in behavior are captured
and ready for use in risk evaluations. As a result, Oracle Adaptive Access Manager is
constantly adapting to the changing behaviors of users and user populations without the need
for manual intervention.
Predictive Risk Analytics
Oracle Adaptive Access Manager integrates with Oracle Data Mining to provide statistical
risk analysis in real-time. This form of risk analysis “trains” over time, so it nicely
complements the highly configurable rules and behavioral profiling, which do not require
training. The more training each model does, the more accurate the risk analysis becomes. The
out of the box predictive models are trained in two ways. The anomaly detection model trains
automatically when fed historical access data. The fraud classification model trains on the
findings of human fraud investigators. Additional models can be configured as required to
meet specific deployment use cases. This open approach to predictive risk analysis allows
OAAM customers to clearly see on which decisions outcomes are based and allows
augmentation as required.
Universal Risk Snapshot
Oracle Adaptive Access Manager provides business user friendly administration interfaces to
easily configure detailed and targeted security policies scoped to user groups, events,
transactions and applications. The Universal Risk Snapshot is used to back-up, restore and
migrate entire security configurations, including policies. This feature is very useful for
rollbacks, disaster recovery and test to production migration. Making change control simple
ensures smooth operation and eliminates any guesswork or mis-configuration between
environments.
Investigation and Forensics
Oracle Adaptive Access Manager provides access to a rich set of forensic data to power
investigations and auditing. Oracle Business Intelligence Publisher provides the reporting
engine allowing reporting to be fully customized to meet requirements. Out of the box report
templates are included that can be used as is or altered. The intuitive administration console
interface makes it quick and easy to cut through the noise and narrow in on the important data
and relationships. This allows a security analyst to better understand the relationships between
various security events and as a result, find related situations that otherwise might not be
identified. Furthermore, OAAM provides fraud case management tools to collect findings
from fraud investigations and automatically feed them back into the risk analysis engine to
tune rules and improve results. Oracle Adaptive Access Manager leverages the common audit
framework from Oracle Platform Security Services to capture full audit trails for
administration console users.
Conclusion
As companies aggressively embrace the extranet for sales, self-service, profile management,
remote employee access and many other functions, online security is increasing in urgency.
Consumers need to be well protected while using the web to access sensitive information and
transactions via a plethora of devices and through a range of different channels. Furthermore,
compliance rules are constantly changing and mandates exist to ensure that companies
respond to the threats that this new way of interacting dictates. In addition, as organizations
are aiming to enable online access for their partners and mobile employees, they are facing a
strong need to better protect their extranet and intranet environments and to proactively
manage risks associated with remote access to critical business applications. To address the
growing security expectations for both consumer-facing and partner/employee-facing
environments, Oracle Adaptive Access Manager provides strong yet flexible protection for
businesses and their end users by strengthening login processes, self-service password
management flows, providing risk-based challenge methods and harnessing real-time and
batch-based fraud prevention/detection strategies.
Contact Us
For more information about Oracle Adaptive Access Manager visit www.oracle.com/identity or call +1.800.ORACLE1 to speak to an Oracle representative.
Copyright © 2011, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd. 0410