Oracle Identity ManagementPeopleSoft, Siebel,JDEdwards Oracle App Server Centralised Access...

Oracle Identity Managementfor “Protected Enterprise”

Presenter: Minsoo JoTitle: Senior Technical Consultant, SecurityDate: 23/Aug/2006

Agenda

• Security & Identity Management• Oracle Identity Management Solution• Oracle Differentiators

What is Security?: Protection From Outside

철옹벽철옹벽

해자해자

What is Security?: Protection From Inside

Roles & PrivilegesRoles & Privileges

Controlled AccessControlled Access 외부인외부인보다보다내부직원에내부직원에대한대한통제통제시급시급

어디에비용이많이소요되는가?The Hidden Costs of Security & Identity

- Computer Security Institute

“외부의공격으로인한손실은평균 $57,000 정도인데비해, 내부자에의한평균손실은

약 $2.7 million 이었다.”

사용자한명당패스워드관리비용으로연간약 $200 에서 $300 정도가소요된다.

- Gartner

기업내보안의취약점

• 대부분의보안의취약점은조직의안에있음• 보안정책의단편화

• 유령계정

• 접근권한만료

• 통합감사및기록보존책임의부족

• 패스워드유출및허술한관리• 요청기반의수작업계정관리는에러의위험성이있음.• 네트워크관리자는조직혹은롤의변화에대해인지하지못함

=> 기업내보안관리를위한시스템화된접근이필요

A Fragmented View of IdentityThe Traditional Approach

Business DomainBusiness Domain

Policy / Role

Policy / Role

Policy / Role

Policy / Role

Core Apps

Portal

File andPrint

Collaboration

Mainframe

User

IT DomainIT Domain

Directories

Databases

OperatingSystems

Business Identity

BusinessRoles

Employees

Customers

Suppliers / Partners

Core Apps

Portal

File andPrint

Collaboration

Mainframe

Access Mgmt

LDAP Directory

LDAP Directory

Desktop / Network Portal& SSO

Identity Hub

BusinessRoles

Employees

Customers

Suppliers / Partners

EnterpriseDirectoryDataHub

““Security is a byproduct ofSecurity is a byproduct ofa business needa business need””

A Business Driven ApproachSingle Business Identity: Possible Today

Identity Management 기대효과• 저렴한관리비용

• SSO, 패스워드변경, 관리권한이양, user self service, 자동화된 provisioning

• Help 데스크콜감소로연간인당$420비용절감

• Provisioning*을통한연간직원당 $1250ROI

• 개선된보안• Access control, user provisioning

• 강화된규정준수및 프라이버시• SoD, 개인정보보호강화, 통합감사

* * -- Burton Group Report August 2004Burton Group Report August 2004

Identity Management(IdM) 란?; 기업내의 IT 자산을보호하는것

• 어플리케이션과정보의액세스를보호하는것• 인증 (Authentication): Who you are (유저ID/PwD)• 권한(Authorization): what you have access to, when, where

• 전체라이프사이클을통하여디지털사용자관리를인식(Identify) 하는것

• 직원채용 -> 진급 -> 퇴사

• 확장성있고가용한 Identify 정보저장고• 프로파일 : Roles & attributes

Enterprise Identity Management

NOS/DirectoriesOS (Unix)

Systems & RepositoriesApplications

ERP CRM HR Mainframe

Auditingand

ReportingPolicy and Workflow

EmployeesIT Staff SOA Applications

Partners

External

Delegated Admin

SOA Applications

Customers

Internal

Identity Management Service

Access Management•Authentication & SSO•Authorization & RBAC• Identity Federation

Identity Administration•Delegated Administration•Self-Registration & Self-Service•User & Group Management

Directory Services•LDAP Directory•Meta-Directory•Virtual Directory

Identity Provisioning•Agent-based•Agentless•Password Synchronization

Monitoringand

Management

Agenda


Identity ManagementKey Areas

• Access Control• Single Sign-On• Identity Federation• Web Access Control• Web Services Security

• Identity Administration• User, Role Management• User Provisioning

• Identity Infrastructure• Virtual Directory• Directory

Oracle Identity Management

Leading Portals & Applications

Leading Directories, OS, DBs, J2EE

Oracle Identity Federation

Oracle Access Manager

Oracle Identity Manager

Oracle Web Services Manager

Oracle Virtual Directory

Oracle Internet Directory

Oracle Enterprise Single Sign-On


• 기능• 정책관리• 멀티-레벨, 멀티-팩터인증관리• 셀프서비스패스워드관리• 위임관리• 워크플로우엔진• 웹서비스인터페이스

• 장점• 이종환경간의중앙집중화되고일관성있는보안성

• 관리비용절감• 개선된사용자편의성• 규정준수

Authentication

Authorization

Identity Admin

Access Manager: Protects Business Critical Assets

HTTP(s)

Portals

Packaged E-Business Applications

Application Servers

Mainframe Security Connector for OS/390: RACF, ACF-2, TSS

Mainframe Systems

Single Sign-on to

multiple resources

LDAP-based Directory Server

Access Server™

WebGate

Web Server Oracle eBusiness, PeopleSoft, Siebel,JDEdwards

Oracle App Server

Centralised Access Management

Enterprise Resources

Single Sign-On to Enterprise Applications

Users(Employees, Partners,

Customers, Suppliers, etc)

LDAP-based

Directory Server

LDAP over SSL

User Identities for Authentication and

Authorisation

Security Policies for Authentication and

Authorisation

Web Server

Web Server

HTTP(s)

HTTP(s)

Secure Protocol over SSL

WebGate

WebGate

Oracle Access

Manager

Firewall FirewallDMZ

사례 – Burger King

• 위임관리모델과셀프서비스로사용자의효율적인추가,제거,수정이가능하게됨• 접근을허용/불허관리기능이안전하고쉬어서관리비용을절감

고객요구사항

• 연간종업원의교체율이 250% 이상• 정기적으로새로운사용자추가가필요• 퇴사한직원의접근을제거해야함

• 회사구조상종업원은지점에분산되어있고주로시스템을이용할수없는노동자로별도의노동자의개인정보를입력해주는종업원이필요

구현결과

오라클의솔루션

• Oracle Access Manager는기존의 Microsoft Active Directory 시스템과밀접한통합을제공

• Oracle Access Manager 는실시간보안을제공하며퇴사한직원의접근을즉시제거

Oracle Identity Federation

• 기능• SSO 와연계하여비즈니스파트너간의계정공유

• 멀티프로토콜게이트웨이– SAML, Liberty, WS-Federation

• 서비스제공자(Hub) / 계정제공자패키지(Spoke)로이용

• 유연한배치구성기능제공

• Standalone웹접근관리솔루션으로도제공가능

• 커스텀애플리케이션을위한 Protocol SDK 제공

• 장점• 비즈니스파트너와의 안전한통합보장

• 관리비용절감

• 개선된사용자편의성

• IdMBridge provides link between Federation and various user repositories (i.e. LDAP or RDMBS) for authentication and security systems (like Access Manager or CA SiteMinder) for authorization

• Receive assertion• Verify assertion• Set the session

cookie• Redirect to

requested resource• Manage domains• Manage certificates

• User repository interface

• Local authentication

• Map the assertion into a local user

• Check if user is authorized to access target resource

Authentication Authorization

• Authenticate• Build assertion• Send assertion• Manage domains• Manage

certificates

IdMBridge IdMBridge

Source Destination

COREid Federation Server

COREid Federation Server

Oracle Identity Federation Architecture

Identity Federation : Flow

BROWSER

6. Company B OIF server verifies signature, maps assertion to local user entry and creates an SSO session for user.

3. Employee clicks on a link to access protected resource at Company B (transfer request). Portal sets a header variable that identifies the user.

7. Company B uses the SSO cookie to determine authorization to requested resource.

8. If authorized, browser redirects to target URL, and sets Company B ObSSOCookieon user’s browser.

9. User can now go directly to any protected resource at Company B until the SSO session expires.

4. Request transferred to Company A OIF server, which uses the header variable to identify the user and creates a signed SAML assertion with attributes from the user’s LDAP profile.

Company A (Source Site) LDAP IdMBridge

Oracle Identity Federation Server™

Company B (Destination Site) COREid IdMBridge

Oracle Access Server™

Enterprise Resource

Oracle Identity Federation Server™

1. Company A employee logs intoemployer’s corporate portal.

2. Portal authenticates and authorizes user.

5. Browser posts SAML assertion to Domain B SAML receiver service.

• Oracle Access Manager 솔루션도입으로 월 120만 $의비용절감 ( 전체 4만명의사용자가월 30$의비용소요)

• 사용자패스워드가 7개에서 1개로감소함으로써월 39만$ 비용절감효과• 장비유휴시간감소로인한시간당 15000$ 절감효과

구현사례 – SWA & Boeing

고객요구사항

• SWA 는웹을통하여 Boeing 사의기술도면, 청사진, 컬러코딩리포트, 기술문서등을받아업무효율성을확보하고자함

• 여객기제조자와의트랜잭션에드는비즈니스비용을절감하고자함

구현결과


• Oracle Federation, Oracle Access Manager• 6주만의구현시간• SWA는여객회사최초로 SAML을구현한회사가됨


• 기능

• 사용자계정라이프사이클관리

• 자동화된사용자프로비저닝과

디프로비저닝

• 다양하고유연성있는커넥터프레임워크

• 워크플로우엔진과중재엔진제공

• 사용자편의성을위한요구와정책위저드

제공

• 법제준수기능자동화및리포팅기능

• 장점

• 관리비용의절감

• 개선된사용자편의성

• 법제준수를위한솔루션 (e.g. SOX )• 중앙집중적관리로개선된보안성

HRMS

HR 시스템의사용자생성,삭제

Business Applications

Workflow

롤, 접근권한을할당, 제거

Application Driven Identity

System

계정과접근권한을프로비저닝

Oracle Identity Manger – Sample Flow

대상시스템

관리자

계정신청/변경요청

프로파일변경

Trusted Source 중재

사용자프로파일정보

관리자

프로파일변경

예외상황

정보보안부서

자동화된사용자계정프로비저닝

감사보고

CICS/IMS

DATABASES

CRM/ERP SYSTEMS

LEGACYSYSTEMS

셀프서비스

사례 : Lehman Brothers

• Fortune 선정 500대기업중 113위랭킹글로벌투자금융회사

•주요비즈니스부문 : 투자금융, 자본시장, 고객서비스

•매년 20% 성장•수천개의 COTS (상용기성품)와커스텀애플리케이션

• 400,000 개이상의시스템계정

•관리대상에서누락된혹은고립된 시스템계정으로인해시스템위기사항가능성농후

•사용자접근권한에대한상세한감사기능의부재

•사용자접근권한변경을위한사용자관리의비용과다

고객소개 고객요구사항

•프로비저닝후접근시간을 5분이내로줄임•누가무엇을접근하는지에대해감사기능구현• 650개의관리시스템의로컬계정 관리통합구현으로 유령계정및고립된계정제거

•모든보안관리작업이감사됨 –SOX(Sarbane-Oxley) 등규정준수에대한비용절감

•프로비저닝프로세스내의여러가지 IT 작업의자동화

Oracle Xellerate의차별성 구현효과

•유연하고적용가능하며, 개방아키텍처•위임관리를위한계층적그룹멤버쉽접근이가능• GUI 기반비즈니스규칙개발• Adapter Factory를사용한통합어댑터개발의단순성

• Lehman Brothers의기술적평가에서최고점수

Oracle Internet Directory- Oracle LDAP

• 기능• Oracle 데이터베이스를저장소로가지면서 LDAP 서버의모든기능을수용

• 특징 -확장성및 HA 기능• 오라클플랫폼들과의강한통합성

• VSLDAP 인증및 EAL4 호환• 장점

• Oracle 그리드컴퓨팅의지원으로운영비용절감

• 오라클제품들과의매끄러운통합

구현사례 –삼성전자

• 개선된전사적제품정보공유기반구조확보• 개인화된포맷의통합데이터를신속하게전달• 최소한의다운타임을갖는 24 x 7 x 365 무정지시스템으로고가용성확보• 차세대 LCD 제조공정의프레임워크로선정

고객요구사항

• LCD 조립라인에서나오는데이터를분석하고리포트하는시간을줄이고자함

• 사용자에게개인화된정보를제공해야함• 효율적이며, 안정된솔루션의필요• 24x7x365 무정지시스템으로고가용성보장하는시스템

구현결과


• OracleAS 10g SSO & OID• 사용자관리• 삼성의기업 SSO인 SINGLE과의통합• OracleAS 인프라스트럭처고가용성솔루션


• 기능• 가상화,프록시,조인,라우팅기능• 최신자바와웹서비스기술수용

• 강력한확장성

• 대규모멀티사이트관리

• 직접적인데이터의접근

• 장점• 실시간디렉토리통합

• 애플리케이션배치의가속화

• 개발공수의절감

LDAP

VDE DIRECTORY ENGINE

WEB GATEWAYWEB SERVICES WEB GATEWAY

JOIN VIEW

LocalStore LDAP DB NT Custom

Virtual Directory Product Architecture

Oracle Virtual Directory:Integration with Identity Federation

Creates a single directory “view” of federated directories

dc=Division A, dc=Company, dc=de

dc=Division B, dc=Company, dc=de

ou=Division C, o=Company, c=de

dc=Company, dc=de

ou=DivBou=DivA ou=DivC

dc=Division A, dc=Company, dc=de

dc=Division B, dc=Company, dc=de

ou=Division C, o=Company, c=de

Microsoft AD Forest

Microsoft AD Forest

Sun ONE Directory

• 해결과제• Minute Maid 사업부서가분리되어 IT 인프라스트럭쳐를분리하게됨.• SAP 포탈은두개의인프라스트럭쳐에분산된사용자를단일지점에서볼수있어야함.

• 가상화디렉토리의성공요소

• 고객이단하루만에자체적으로설치함

• SAP 포탈은 30일이내에가동되었음• 기존의동기화방법에비해거의유지보수작업이없음

외부망디렉토리

Portal

고객디렉토리

직원디렉토리

사례 -코카콜라

Oracle eSSO

• 기능• 네트워크및시스템에접근시에사용자인증

• 각각의어플리케이션에대한접근시인증을

별도로수행

• 사용자가접근하고자하는모든것에대한

인증담당

• 장점• Windows 데스크톱및모든어플리케이션에대한패스워드를관리

• 사용자편의성을증대하며보안강화

• 규정준수

• 모든어플리케이션에대한인증강화

Oracle Enterprise Single Sign-On

Oracle eSSO주요기능• 응용프로그램의수정없이 smart card등의강력한인증기능을구현할수있다.

• Supports tokens, smart cards, biometrics and passwords • Increases security, enabling compliance with HSPD-12 mandate

• 웹응용프로그램뿐만아니라 C/S프로그램, 레거시응용프로그램까지하나의사용자로그인정보(Windows)로통합할수있다.

• Includes multi-user kiosks and distributed workstations• 암호관리의편리성

• Eliminates need for users to manage multiple passwords• Automatically distributes log-in credentials based on provisioning

instructions in OIM• Leverages OEMed by Passlogix

사례 : USPS

• 해결과제: • USPS 직원들의가장큰문제는 : 패스워드가너무많음• 155,000명의사무직, 3백만명의사용자• 수천어플리케이션을중앙전산팀에서모두관리하기힘듦

• 구현및유지보수하기에는 IT 인력이한정되어있음• 1년내에완벽히운영할수있는솔루션을 CTO가원함

• 구현결과:• 155,000 사용자에대해 8개월만에완료• 7,000개이상의어플리케이션에대해적용• 헬프데스크로접수되는패스워드관련문의가하루 1천건이상에서하루평균 10건으로감소

• 연간 $4 million 비용절감

Agenda


Most Comprehensive, Best-In-Class Suite

NOVL

PPPOracle SmartRoles (TBA)Ent. Role Mgmt

Oracle Internet Directory


Oracle Certificate Authority

Directory Integration Platform



Oracle Access Manager/Oracle Identity Manager

Oracle ESSO

Oracle Web Services Manager


Oracle Federation

Oracle Sun

P가상디렉토리

암호관리

위임관리

ESSO

Web Svcs Security

PFederation

디렉토리서버

AuthN/PKI

메타디렉토리

계정프로비저닝

웹접근관리

Area

P

BMCIBMHPCA

•P = Partnership

Hot-pluggable, Heterogeneous Support

Applications

Directories

Application/Web Servers

Operating Systems

Groupware

ACF-2 & TSS

Portals

RACF

Source: Oracle.com

Identity Management CustomersSome Sample References

Manufacturing & Transportation

Financial Services

Government & Public Sector

Hospitality, Retail & Services

Healthcare

Technology & Communications

Oracle Global SI Partner Summary

NA and APACYTCS*

Slowly converting from Sun coverage to OracleNANoPWC

NAYesInfosys

6 city NA Exec Roadshow completed in MarchJoint solution development around FFIEC and Internal Controls (SOD).

Strong in NA and UK, regionally strong in US SE and W, Growing in South America

NoDeloitte & Touche

Strong in NA and APAC

Strong in NA for Energy, FS and some Gov’t, Also well engaged in EMEA and APAC

Geo-Coverage

Joint solution development around Credential Service Provider solution (Federation)YesWIPRO

6 city NA Exec Roadshow completed in MarchJoint solution development around AcceratedI&AM and Securing Business Apps with IdM

YesAccenture*

MiscResellerPartner

Oracle IDM 솔루션의적용

Summary

Most Comprehensive, Best-In-Class Suite

Hot-pluggable and Open

Application Centric Identity Management

Q U E S T I O N SQ U E S T I O N SA N S W E R SA N S W E R S

Oracle Identity ManagementPeopleSoft, Siebel,JDEdwards Oracle App Server Centralised Access...

Documents

Transcript of Oracle Identity ManagementPeopleSoft, Siebel,JDEdwards Oracle App Server Centralised Access...