Oracle Identity Management Erika.Leetmae@oracle.com Senior Technical Sales Consultant NCAR/UCAR 20 June 2005

Agenda

Security/IdM business drivers
Oracle Identity Management
– Oblix
Demonstration of IdM
Oracle Database 10g
Where to go for more information

Security and Identity Management Business Drivers

State of Security – United States

90% of respondents* detected computer security breaches within the last twelve months.

80% of respondents acknowledged financial losses due to computer breaches.

– $455,848,000 in quantifiable losses
– $170,827,000 theft of proprietary information
– $115,753,000 in financial fraud

74% cited their Internet connection as a frequent point of attack

33% cited internal systems as a frequent point of attack

* Source: 2002 CSI/FBI Computer Crime and Security Survey

Bank of America/Wachovia: Employees Stole and Sold Over 100,000 Customers’ Account Information – May 23, 2005

Polo Ralph Lauren: 180,000 Credit Cards Stolen - April 14, 2005

Boston College Database Hacked for 120,000 Alumni Records – March 17, 2005

Former AOL Employee Pleads Guilty in Customer Data Theft – February 7, 2005

Citigroup lost information on 3.9 million customers while in transit to a credit bureau (June 6, 2005)

MasterCard reports breach of over 19.9 million credit cards (June 19, 2005)

Cost for compliance by taking one-off versus integrated approach to compliance projects

10 x

Percentage of support calls relating to forgotten passwords

15-30%

Percentage of active accounts belonging to employees or contractors that no longer work for the organization

20%

Time per day, on average, signing into systems and being authenticated. This equals 2,666 employee hours in a typical 10,000 employee organization

16 min

Richard Clarke, 2002
Special Advisor to the President Cyberspace Security

“If you spend more on coffee than on IT security, then you will be hacked…what's more, you deserve to be hacked!”

Security Drivers

Government Regulations
– Compliance Drivers
Shortened Supply-Chain
– Everything is Online, Everybody is Online
Business Continuity
– 24x7 availability
Risk Mitigation
– Assess what is at risk

Ask your analysts to do a security TCO!

Oracle’s Response

Product and Process Security
– Secure Installation & Configuration
– Independent Evaluations
– Secure Product Development Life Cycle
Oracle Platform Security
– Oracle Database Security
– Oracle Application Server Security
  J2EE Security, Best practices for deployment
– Oracle Identity Management
  LDAP Server, Single Sign On, Provisioning Solutions and Certificate Authority, Federation

Oracle Identity Management

LDAP and OID

LDAP
– Data model, naming model, functional model, security model
– LDAP protocol itself (connection oriented protocol)
– API for developing directory enabled applications
– LDIF – standard interchange format for directory data
– HTTP (lock step) vs. LDAP (in flight)
– LDAP standards define the wire protocol and the data model, but do not specify implementation considerations – many details are left up to directory vendors.

Oracle Identity Management
– Includes LDAP v3 Directory
– Includes other pieces: Provisioning framework, Single-Sign on, Directory Integration, Certificate Authority, Oblix components

Where does it all fit?

Oracle Application Server 10g

Identity Management

Identity Management Components

Oracle Internet Directory

Scalability
– Millions of users
– 1000’s of simultaneous clients
High availability
– Multimaster replication
– Hot backup/recovery, RAC, etc.
Manageability
– Multi-node monitoring
Security
– Comprehensive password policy
– Role / policy based access control
– Audit
Extensibility (Plug-in framework)
– Virtual attributes
– External authentication
– Custom password policies

Diagram labels: Oracle Database; LDAP Clients; Directory Admin Console; OID Server

Directory Integration Service

Connectors

External Directories
– Sun1 (iPlanet)
– Active Directory
– Oracle HR
– Oracle DB
– OpenLDAP
– eDirectory

Diagram labels: Oracle Internet Directory; Directory Integration Service

Provisioning Integration Service

Diagram labels: ERP, CRM, …; eMail; Portal; Partner Provisioning System; Oracle Provisioning Integration Service; Event Notification Engine; Provisioning Connectors; Policy & Workflow Engine; Delegated Admin Service (Pswds, preferences); Corporate HR (Employee Enrollment); Helpdesk Admin; eMail Admin; OID; Portal Admin

Delegated Administration Services

Admin console w/ role-based customization
– User / group management
– End-user vs Admin views
– Admin delegation
End-user self-service
– Self service provisioning
– Set preferences, Org-chart
– Pswd reset
Embeddable admin components
– For integration with Apps
Extensively configurable
– Accommodate new applications
– Customize UI views

OracleAS Single Sign-On

Integrates Oracle and partner-SSO enabled apps

Diagram labels: PKI, pwd, Win2K Native Auth…; SecureID, Biokey; ERP, CRM, …; eMail; Portal; Partner SSO (Netegrity, RSA, Oblix); Partner SSO Enabled Environment; OracleAS Enabled Environment; OID; Extranet; Federation / Liberty

OracleAS Certificate Authority

Allows Oracle customers to secure their deployments

Out-of-the-box PKI solution

Easy provisioning of X.509v3 digital certificates for end users

Web Based certificate management and administration

Seamless integration with Oracle Application Server Single Sign-On & OID

Diagram labels: User; Oracle Certificate Authority; Infrastructure Database; Secure IT Facility; Oracle Single Sign-On; Oracle Internet Directory

Oracle and Oblix

COREid Access
– Web Single Sign-On
– Flexible Authentication Methods
– Policy-based Authorization

COREid Identity
– User, Group, and Organization Management
– Delegated Administration
– Self Service and Self Registration
– Unified Workflow
– Identity Web Services Controls
– Password Management

COREid Provisioning
– Template-based workflow
– Agent and Agentless account provisioning
– Metadirectory synchronization
– Password synchronization
– Cross-platform connectivity

COREid Reporting
– Centralized auditing
– Pre-built identity and security reports
– Global View user access
– Robust logging framework

COREid Integration
– Pre-built Connectors – to leading application servers, web servers, portal servers, and directory servers
– “Data Anywhere” Configuration

Benefits

Increased Security
– Integrated solution
– Define and enforce security, administrative, and access control policies consistently across enterprise applications
Increased Compliance
– Audit events across entire enterprise
– Who has access to which applications
– Access control managed per attribute
– Meet Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley compliance
Increased Governance
– Centralized policy definition with localized enforcement

Demonstration

Oracle Database 10gR2

Grid Computing Components

Storage
Database Servers
Application Servers
Provisioning and Management Tools

Grid Roadmap

Figure: ROI & TCO (Low ROI to High ROI) plotted against Adaptable Infrastructure (Reactive, Managed, Agile). Axes are for illustrative purposes only.

Many databases
• Many servers
• Many database vendors
• Many database versions

Many application servers
• Many servers
• Many app server vendors
• Many app server versions

All Oracle
• Standardize
• Choose Grid platform servers

Upgrade to 9i/10g
• Leverage TAF/FAN

Consolidate schemas
• Customer data hub
• Oracle Fusion
• Streams

Leverage Clustering
• RAC
• OC4J clusters
• ASM

Leverage Grid
• Grid Control
• Services

Oracle 10g Real Application Clusters

Many small servers act as one
Capacity on demand
– Add/remove servers online
– Auto server allocation on failure
Mission critical QoS on standard, low cost servers
Scalable AND highly available
Start small, grow incrementally
Proven technology
– Thousands of customers
– Supported by leading ISVs
– Runs on all platforms

Oracle 10g Real Application Clusters

Automatic Storage Management
– Database file system providing clustered volume management
– Integrated into the Oracle kernel
Workload Management
– Dynamic load balancing to meet service level policies
Integrated clusterware stack
– Easy to install and manage
– Lower cost, single vendor support
– Common features on all platforms, improved single system image
– Open to 3rd party clusterware
– Clusterware API

Oracle Label Security

Pre-enabled row level security
– Built on Virtual Private Database
– Label Based Access Control (LBAC) framework
– Based on stringent government and commercial requirements for row level security
– Data access is based on sensitivity labels and customizable enforcement options
Leverages Identity Management for …
– Labels
– Identities and roles
– Policy information

Other Oracle 10gR2 new features

DBMS_Crypto package
Upgrade Improvements DBUA
Auditing Improvements
Multiple EM improvements
Database Backup to tape option
Flashback Improvements:
– Flashback Recovery Area (space quota) / RMAN
– Database, Table and Row level
Online Transportable Tablespace
– Enables a DBA to copy or move a tablespace of data using the transportable tablespaces feature without making the tablespace read-only in the source database.

Oracle - Delivering Better Security Technology for > 25 years

1977 2003

Identity Management

On going Security Evaluations

Fine Grained Auditing

Oracle9iAS JAAS

Oracle9iAS Single Sign-On

Common Criteria (EAL4)

Advanced Security FIPS 140

Oracle Label Security (2000)

Virtual Private Database (1998)

Enterprise User Security

Oracle Internet Directory

Database Encryption API Kerberos framework

Support for PKI

Radius Authentication

Network Encryption

Oracle Advanced Security introduced

First Orange Book B1 evaluation (1993)

Trusted Oracle7 Multilevel Secure Database (1992)

Stored procedures and database roles (1992)

Paranoid Customer Commercial

Need help? More Information?

Erika.Leetmae@oracle.com 303.334.6684
http://www.oracle.com/technology/products/id_mgmt/index.html
Oracle by Example Series: Oracle Application Server 10g (9.0.4): http://www.oracle.com/technology/obe/obe_as_10g/im/index.html
Deploying Oracle Identity Management with Multi-Master Replication (white paper)

Supporting Slides

Platform Security Architecture

Diagram labels: Access Management; Directory Services; Provisioning Services; External Security Services; Oracle Platform Security; Application Security; E-Business Suite (Responsibilities, Roles ….); Collaboration Suite (S-MIME, Interpersonal Rights …); OracleAS Portal / Wireless (Roles, Privilege Groups …); 3rd Party Applications (Authorization, Privacy, audit, ….); Oracle Internet Directory; OracleAS Certificate Authority; Directory Integration & Provisioning; OracleAS Single Sign-on; Delegated Administration Services; Oracle Database (Enterprise users, VPD, Label Security, Encryption, DB Audit); Oracle Identity Management; Oracle Application Server (JAAS, JACC, WS Security, …)

Oracle E-Business / IdM Integration

Diagram labels: OID & DIP; User Enrollment; OracleAS Portal; Partner Web App.; OracleAS SSO; User Browser; (Oracle) HR; Delegated Admin.; Oracle E-Business Suite Release 11i Instances; Account Provisioning Integration; Oracle HR Sync Agent

Identity Federation

Enabling identities to be shared and propagated between different systems

Allows individuals to “log-in” once to access resources on networks of different enterprises

No need for central storage of personal information

Organization authenticates its respective users and vouches for their access to third party organization’s services

Federation Standards - Liberty Alliance

Consortium of 150+ organizations developing open standards for federated network identity
– includes technology, business guidelines, and best practices
Oracle is a Sponsor Member of Liberty Alliance
Liberty protocol defines two key functions
– Identity Provider (IDP): an entity that receives security-related requests and generates security assertions
– Service Provider (SP): an entity that generates security-related requests and consumes security assertions (that provides useful content to its clients)

Federation Usage Scenario

Financial services company
– Retirement funds management
– 1,000+ partner companies
– Millions of end-user accounts

Need to be able to keep up with employment status changes in real time with partner companies

Want to provide users with transparent access to financial services through company portal

Way it is Done Today

1. Logon to Portal
2. Click on Partner 401K link
3. Logon to Partner Site

Diagram labels: Company HR Database; Partner Account Database; Batch Mode Data Transfer

Implementation Using Federated Identity Standards

1. Logon to Portal
2. Click on Partner 401K link
3. Request Data from Partner Site
4. Federation Protocol Between Oracle SSO & Partner Web Site

Partner website
• Explicit login
• Provision and manage customer employee account

Oracle Consulting Services

Identity management specialists
– Field sales
– Consulting services
Benefits assessments
Architectural assessments
Implementation services

Grid computing model

Diagram labels: Blade Farm (Local Grid); Dynamically Provisioned & Registered; Topology Manager; Workload & QOS Manager; Resource Manager; Blades; High Speed Interconnect; Policy Manager; Cross-Tier Routing; Identity Management Infrastructure

Oracle Security Platform

Key component of Oracle’s overall security strategy

Provides an integrated identity management infrastructure built upon Oracle’s “unbreakable” technology

Centralizes security management of Oracle applications across the enterprise

Provides a robust, standards-based platform for security services to the entire enterprise

Oracle Database Advanced Security Option

Privacy Solutions
– Data Protection over the wire
  Client to Server
  Mid tier to Server
  Dataguard (Primary to Standby)
– JDBC (thick and thin), OCI
Strong Authentication
– Strong alternatives to passwords
– Industry Standard Solutions
  PKI, Kerberos, RADIUS

How Customers are Leveraging the Oracle Security Platform

Customer Case Study - Wireless Carrier

Problem
– Subscriber directory for 25M cellular phone customers and phone number entries worldwide
  Plans to scale to 100M numbers
– Continuous availability required during frequent bulk updates
Solution
– Two Oracle Internet Directory instances with multi-master replication
Why they chose Oracle
– Reliable, multi-master replication
– Continuous service availability during bulk provisioning operations

Customer Case Study - Government Lab

Problem
– Proliferation of web applications without any centralized management of security and identities
– Lots of Oracle Forms and Reports applications
– Semi-independent departments without any central IT organization
  Local privilege groups not to be visible outside department
Solution
– Unified authentication for 5000 users across all web applications
– Centralized user enrollment
– Autonomous administration for department application security
– Local Identity Management instances for fail-over
Why did they choose Oracle?
– Support for autonomous fan-out Identity Management instances
– Identity Management enablement for existing applications

Customer Case Study – Large Insurance Company

Problem
– Over 80,000 employees, multi-million customers
– A mixed environment: MS desktops, BEA, Oracle & in-house
– Require single password for desktop as well as other apps
– Availability is critical
Solution
– Oracle Internet Directory as directory hub
– AD integration, Transparent BEA based apps and custom apps
Why did they choose Oracle?
– Support for heterogeneous environment
– Scalability, high availability solutions
– Deployment on Linux

Oracle Database 10g Virtual Private Database

Column Relevant Policies
– Policy enforced only if specific columns are referenced
– Increases row level security granularity

Select store_id, revenue… (enforce)

Store ID   Revenue    Inventory ($M)
AX703      10200.34   100
B789C      18020.34   150
JFS845     12341.34   200
SF78SD     13243.34   88

Figure annotation: OK

Oracle Database 10g Virtual Private Database

Column Filtering
– Optional VPD configuration to return all rows but filter out column values in rows which don’t meet criteria

Select revenue…..(enforce)

Store ID   Revenue    Inventory ($M)
AX703      10200.34   100
B789C      18020.34   150
JFS845     12341.34   200
SF78SD     13243.34   88

Figure annotations: OK, OK, OK, OK
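The two VPD options on the slides above (column relevant policies and column filtering), written out as an added example that is not part of the original presentation. The table name `stores`, the function name `store_revenue_pred`, the policy names, and the use of the session client identifier to carry the caller's store ID are assumptions; the four rows are the sample values shown on the slides.

```sql
-- Constructed sample table using the slide's columns and values.
CREATE TABLE stores (
  store_id   VARCHAR2(10) PRIMARY KEY,
  revenue    NUMBER(12,2),
  inventory  NUMBER              -- inventory in $M
);

INSERT INTO stores VALUES ('AX703',  10200.34, 100);
INSERT INTO stores VALUES ('B789C',  18020.34, 150);
INSERT INTO stores VALUES ('JFS845', 12341.34, 200);
INSERT INTO stores VALUES ('SF78SD', 13243.34,  88);
COMMIT;

-- Policy function (hypothetical name): returns the predicate that VPD
-- appends to a protected query. Assumption: the client identifier holds
-- the caller's store ID. Any session can set its own client identifier,
-- so a production policy should read the value from a secure application
-- context instead. With no identifier set, the predicate compares against
-- NULL and matches no rows, so the policy fails closed.
CREATE OR REPLACE FUNCTION store_revenue_pred (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  RETURN 'store_id = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER'')';
END;
/

-- Column relevant policy: enforced only when REVENUE is referenced.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => USER,
    object_name       => 'STORES',
    policy_name       => 'STORES_REVENUE_RELEVANT',
    function_schema   => USER,
    policy_function   => 'STORE_REVENUE_PRED',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'REVENUE');
END;
/

BEGIN
  DBMS_SESSION.SET_IDENTIFIER('AX703');
END;
/

-- REVENUE is not referenced, so the policy is not applied to this query.
SELECT store_id, inventory FROM stores;

-- REVENUE is referenced, so the predicate is appended and only rows
-- matching the caller's store are returned.
SELECT store_id, revenue FROM stores;

-- Column filtering: same predicate, but every row is returned and the
-- relevant column is NULL in rows that do not satisfy the predicate.
-- This option applies to SELECT statements only.
BEGIN
  DBMS_RLS.DROP_POLICY(USER, 'STORES', 'STORES_REVENUE_RELEVANT');
  DBMS_RLS.ADD_POLICY(
    object_schema         => USER,
    object_name           => 'STORES',
    policy_name           => 'STORES_REVENUE_MASK',
    function_schema       => USER,
    policy_function       => 'STORE_REVENUE_PRED',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'REVENUE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

SELECT store_id, revenue, inventory FROM stores;
```

Users with the EXEMPT ACCESS POLICY privilege bypass both policies, so grants of that privilege belong in any audit of a VPD deployment.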

Oracle 10g Automatic Storage Management

Dynamically allocates Database storage
– Load balances database files across disks
  Rebalanced when storage configuration changes (with an optional WAIT)
Capacity on demand
– Add/remove storage online
– Automatic i/o load balancing
Enhanced data provisioning
– Support transportable tablespaces
– Eliminates storage fragmentation
Fault tolerant, high performance
– Automatically mirrors and stripes
Low cost
– Less DBA work: no i/o tuning to do
– No volume manager or file system
– Better disk utilization
– Solved a lot of CW and 9i RAC issues

ASM – How it Works

No volumes: just a pool of storage
– Simplifies layout of datafiles, control files, redo log files and flash recovery area
– Single instance and RAC
Partitions total disk space into uniform sized megabyte units

Diagram label: Automatic Storage Management

ASM – How it Works

No volumes: just a pool of storage
Partitions total disk space into uniform sized megabyte units
Efficient, online add/remove of disk with automatic rebalancing
– ASM Wait on Rebalance
– Eliminates Storage Fragmentation

Diagram label: Automatic Storage Management

More on ASM

ASM provides (platform independent):
– Services of a Filesystem
– Services of a Logical Volume Manager (LVM)
– Integrated into the Oracle kernel
– Provides software RAID in a platform-independent manner
ASM can stripe and mirror your disks with a choice of redundancy
Allows disks to be added or removed while the database is under load
Automatically balances I/O to remove "hot spots"
Supports direct and asynchronous I/O
Uses the Oracle Data Manager API (simplified I/O system call interface) introduced in Oracle9i

More on ASM

ASM can ONLY be used for:
– Oracle Data Files
– Redo Logs
– Control Files
– Flash Recovery Area
Files in ASM can be created and named automatically by the database or manually by the DBA.
Files in ASM are not accessible to the O/S; the only way to perform backup and recovery on databases that use ASM files is through Recovery Manager (RMAN).
Memory requirements for ASM are light: only 64 MB for most systems.
Support for multiple Oracle database versions
In RAC environments, an ASM instance must be running on each cluster node.
Choice of Redundancy:
– HIGH – when files are mirrored ASM makes 2 copies instead of the usual 1 copy.
– NORMAL – ASM provides an additional 1 copy of each file (conventional mirroring)
– EXTERNAL – we rely on external storage to provide any redundancy

Automatic Workload Management

Application workloads can be defined as Services
– Individually managed and controlled
– Assigned to instances during normal startup
– On instance failure, automatic re-assignment
– Service performance individually tracked
– Fine grained control with Resource Manager
– Rules can be defined dynamically

Integrated Clusterware (CRS)

Complete Oracle cluster software solution
Single-vendor support
Low Cost
– No need to purchase additional software
– Easy to install, manage
Single Instance or RAC installs
– CRS CD
Common event and management API’s
Support for third-party clusterware
CRS requires two files to be shared among all of the hosts in the cluster:
– Oracle Cluster Registry (100 MB)
– CRS Voting Disk (20 MB)

Diagram labels: Connectivity; Messaging and Locking; Cluster Control/Recovery; Services Framework

Oracle Database Backup – Low Cost Tape Backup

Low cost alternative to complex backup products
Best integrated end-to-end backup of Oracle Databases
Scalable to low 100’s of servers, 10’s of millions of files
Easy to manage – EM 10g and RMAN
Bundled with Oracle Database - Single vendor support
Block Change Tracking – incremental backups

Diagram labels: ASM, Database Files, Recovery Areas and OS Files; Oracle Backup; Performant, Low Cost Tape Backup

Flashback Database

Accessible via RMAN & SQL*Plus

SQL> FLASHBACK DATABASE to ‘2:05 PM’

Flash Recovery Area
– Unified storage location for recovery related files
  Flashback Database logs
  Redo Archive logs
  RMAN backups
Restores just changed blocks
Holds old block contents

Diagram labels: Data Files; New Block Version; Disk Write; Old Block Version; Flash Recovery; “Rewind” button for the Database

Flashback Time Navigation

Flashback Query – see data at a point in time
  Select * from Emp AS OF ‘2:00 P.M.’ where …

Flashback Row Versions - see all versions of a row between two times, and the transactions that changed the row
  Select * from Emp VERSIONS BETWEEN ‘2:00 PM’ and ‘3:00 PM’ where …

Flashback Transaction Query – see all changes made by a transaction
  Select * from DBA_TRANSACTION_QUERY where xid = ‘000200030000002D’;

Diagram labels: Tx 1; Tx 2; Tx 3

Enterprise Manager Grid Control

Monitor and manage

Grid-wide view

End-to-end

Top-to-bottom

From anywhere

Manage from a Browser

EM2Go

… or a PDA

Manage Groups as One

Single-view management and monitoring across components

Standardize policies
– Configuration
– Performance
– Security

Automate processes

Automated patch management

Applications

Sets of Systems

Managing the Software Life Cycle

Over 20% of downtime attributable to human configuration errors

Diagram labels: Enterprise Manager Grid Control; Discover; Provision; Install/Clone; Configure; Patch; Secure; Maintain; Analyze; View/Search; Compare/Diff; Change Tracking; Reference Configurations; Oracle.com; Product Updates; Patches; Product Configuration; Oracle Inventory; Software Configurations; Hardware Configurations

Service Level Management

Monitor End-user Experience
– Availability
– Performance
Monitor Database
– Click-to-SQL Drilldowns
Monitor Application
– Click-to-EJB J2EE Activity

Diagram labels: External Network; Internal Network; App Content; App Server; Database

Self-Managing Database 10g

Built-in intelligent infrastructure
– Self-aware performance analysis
– Proactive server alerts
– Automatic tasks
Automatic Database Diagnostic Monitor
– Expert engine in the database
Automatic SQL tuning
– Optimize packaged and custom applications

Diagram labels: ASM; Workload Repository; Alerts & Advisories; Automatic Tasks

Self-Optimizing SQL

Diagram labels: Proven Cost-Based Optimizer; Packaged & Custom Applications; Customizable Applications; High-load SQL; Access Advisor; Suggested Indexes & MVs; Auto SQL Analysis; SQL Advice -> Better SQL; Auto SQL Tuning; SQL Profile -> Improved Plan; Better Performance

Flashback Error Correction

Database Level
– Flashback Database restores the whole database to time
  Uses Flashback Logs
Table Level
– Flashback Table restores rows in a set of tables to time
  UNDO_RETENTION
  Maintains data integrity and constraints
– Flashback Drop restores a dropped table or an index
  Recycle bin for DROPs
Row Level
– Flashback Rows restores rows to time
  Uses Flashback Query

Diagram labels: Order; Database; Customer

Select * from Emp AS OF ‘2:00 P.M.’ where …