Oracle Privileged Account Manager 11gR2

Presenter: Karsten Müller-Corbach (source deck: OPAM-Overview.pptx)
Posted 03-Jan-2022, category: Documents

Transcript of Oracle Privileged Account Manager 11gR2
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
• Introduction
• OPAM and Oracle’s Governance Platform
• OPAM and Oracle Security Solutions
• Summary
Root Access
• Privileged accounts are a key entry point for fraud
• Difficult to monitor shared accounts across multiple administrators
• Excessive access privileges are the number one attack vector against databases
IDM – Overcome Threats and Regulations to Unlock Opportunities
76% Data Stolen From
2011 Data Breach Investigations Report
Stolen Credentials
• Unlimited power
• Shared Passwords
• Never Changed
Managing Privileged Access Is Not Well Defined
Diagram labels – current state: integration costs; privileged access tracked via spreadsheets; prone to risk
Diagram labels – with OPAM: Shared Connectors, Centralized Policies, Workflow Integration, Common Reporting → Reduce Risk, Improve Compliance
Oracle Offers Security at Every Layer – security inside each layer and across layers (diagram labels: Infrastructure, Role Mining)
Copyright © 2012, Oracle and/or its affiliates. All rights Reserved
Oracle Privileged Account Manager 11gR2
Introducing Oracle Privileged Account Manager
• Secure vault to centrally manage passwords for privileged and shared accounts
• Targets include databases, operating systems, LDAP directories and Oracle FMW applications
• Automatic password change using the Identity Connector Framework
• Policy-based password check-out and check-in
• Flexible usage policies
• Customizable audit reports through BI Publisher and real-time status
• Extension to Identity Governance – OIM and OIA integration for complete governance
A Typical Use Case (flow diagram labels)
• Triggers: DBA adds table to DB; system out of space
• Request DBA password → Return DBA password for HR App Database
• Request unix password → Return unix password
• Other labels: Role, DBA, LDAP Server, Database based on password policy
Supported Clients / Targets
• UNIX
• Will ship with the following connectors:
  • Generic UNIX
  • Generic Database
  • Oracle 9i, 10g, 11g
• … from privileged users
• Reduce IT costs through efficient self-service and common security infrastructure
• Real-time usage reports
OPAM and Oracle Access Management
• OAM provides access control to the OPAM service console
• Centralized, policy-driven services for web application authentication
• Web single sign-on
• Real-time fraud prevention
• Software-based multifactor authentication
OPAM and Oracle’s Governance Platform
Supports Oracle Identity Manager
OPAM, OIM and OIA – a Complete Governance Platform
• Use case 1 – OIM provisions users to the OPAM directory
  • Leveraging OIM policy/role-based provisioning, a system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access
  • Workflow and approval will be followed as defined
• Use case 2 – Request for privileged account access through OIM
  • OIM publishes privileged account entitlements in the request catalog
  • An admin user uses access request self-service, searches the catalog, picks the privileged accounts he needs and submits them for approval
  • The request kicks off workflow and approval as defined
  • The user is provisioned with group membership after approval
  • The user can access OPAM for privileged password check-out and check-in
OPAM, OIM and OIA – a Complete Governance Platform
• Use case 3 – Break-glass access request through OIM
  • Ability for admins to request emergency access to certain privileged account(s) he or she is normally not entitled to, e.g. a critical server is down but the designated server admin is not available
  • The admin goes through the OIM request process as defined earlier, but indicates that this is a break-glass emergency request
  • Submission of the request kicks off the break-glass workflow with minimal or automatic approval (per customer process)
  • The admin is presented with the privileged password for emergency use
  • A special alert is generated for the event and sent to security administrators
  • The access is automatically de-provisioned afterward (e.g., after some time)
OPAM, OIM and OIA – a Complete Governance Platform
• Use case 4 – Delegated access
  • Example: Bob is on vacation for 3 weeks; Joe is authorized to access the accounts Bob has access to. Joe’s access is revoked after Bob returns.
• Use case 5 – Risk-based certification and closed-loop remediation with OIA
  • Through the existing OIM–OIA integration and OIM–OPAM integration, privileged access information is made available to OIA for certification
  • Risk can be calculated based on privilege status and other data such as provisioning method
  • If an access violation is found, it can be revoked through OIM–OIA closed-loop remediation
OPAM, OIM and OIA – a Complete Governance Platform
• Central governance of regular and privileged users
• Complete auditing, reporting and certification of users’ individual and shared accounts
OPAM and Oracle Security Solutions
OPAM and Database Security
• … enterprise LDAP/AD password to connect to the database
• Database Vault provides stronger separation of duties for databases
• OPAM manages passwords for privileged users including SYS, SYSTEM and application accounts
Database User Management – Complete Solution

Service Description                                                         Supported by
Map Database Roles to Enterprise Roles                                      EUS
Manage SYS/SYSTEM Passwords                                                 OPAM
Manage Application Passwords                                                OPAM
Privileged user access control to limit access to application data          DB Vault
Multi-factor authorization for enforcing enterprise security policies       DB Vault
Secure application consolidation                                            DB Vault
Manage DB Vault privileged account passwords, e.g. user_manager, sec_admin  OPAM
OPAM and UNIX/LINUX User Management
• Oracle Authentication Services For Operating Systems (OAS4OS) enables non-privileged UNIX/LINUX users to authenticate to LDAP
• OPAM provides password management for user accounts such as root and other privileged application accounts on the server

Service Description       Supported by
Manage ROOT Passwords     OPAM
Manage Windows passwords  OPAM
… software that uses Oracle Fusion Middleware or connects to Oracle database
• This includes:
Summary
• Improves compliance and auditing of privileged account activities
• Can be deployed standalone or as part of the complete Oracle Identity Governance platform
• A key component of Oracle Identity Governance
• Together with OIM and OIA:
  • Central governance of regular and privileged users
  • Complete auditing, reporting and certification of users’ individual and shared accounts
www.oracle.com/Identity
www.facebook.com/OracleIDM
www.twitter.com/OracleIDM
blogs.oracle.com/OracleIDM