Page 1: Oracle Privileged Account Manager 11gR2


Oracle Privileged Account Manager 11gR2

Karsten Müller-Corbach

[email protected]

Page 2: Oracle Privileged Account Manager 11gR2

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 3: Oracle Privileged Account Manager 11gR2

Agenda

• Introduction

• Oracle Privileged Account Manager 11gR2

• OPAM and Oracle’s Governance Platform

• OPAM and Oracle Security Solutions


• Summary

• Q & A

Page 4: Oracle Privileged Account Manager 11gR2

Introduction


Page 5: Oracle Privileged Account Manager 11gR2

With Great Power Comes Great Risks

[Figure: root access spanning databases, directory servers and Unix servers]

• Privileged accounts are a key entry point for fraud

• Difficult to monitor shared accounts across multiple administrators

• Excessive access privileges are the number one attack vector against databases

Page 6: Oracle Privileged Account Manager 11gR2

IDM – Overcome Threats and Regulations to Unlock Opportunities

Source: 2011 Data Breach Investigations Report

• 76% of data stolen from servers
• 86% of hacking involved stolen credentials
• 48% caused by insiders
• 17% involved privilege misuse

Threats: Increased Online Threat, Costly Insider Fraud

Compliance: Tougher Regulations, Greater Focus on Risk, Stronger Governance

Opportunities: Social Media, Cloud Computing, Mobile Access

Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Page 7: Oracle Privileged Account Manager 11gR2

Privileged Accounts – Most Powerful but Most Unprotected

• Unlimited power

• Shared Passwords

• Never Changed

• Access not audited or certified

• Unix/Linux, Windows, databases, applications, routers, firewalls, etc.

• Each and every IT asset in the enterprise

Page 8: Oracle Privileged Account Manager 11gR2

Managing Privilege Access Is Not Well Defined

• Cost: deploying point solutions can increase integration costs
• Scale: manual solutions don’t scale (like managing privileged access via spreadsheets)
• Risk: using default system passwords is prone to risk

Page 9: Oracle Privileged Account Manager 11gR2

Two Big Management Problems

• Identifying privileged accounts
• Tracking privileged accounts

Page 10: Oracle Privileged Account Manager 11gR2

The Right Approach is Self-Reinforcing

[Figure: self-reinforcing cycle of Access Request, Auto-Provisioning, Reporting & Certification and Remediation]

Visibility across complete user access is key

Page 11: Oracle Privileged Account Manager 11gR2

Privileged Account Management: A Platform Approach

• Shared Connectors
• Centralized Policies
• Workflow Integration
• Common Reporting

Outcomes: Reduce Risk, Improve Compliance

Page 12: Oracle Privileged Account Manager 11gR2

Oracle Offers Security at Every Layer: security inside each layer and across layers

• Infrastructure Security
• Governance & Compliance
• Identity & Access Management
• Database Security
• Cloud Services

Page 13: Oracle Privileged Account Manager 11gR2

[Figure: Oracle Identity Management platform]

Governance: Password Reset, Privileged Accounts, Access Request, Roles Based Provisioning, Role Mining, Attestation, Separation of Duties

Access: Web Single Sign-on, Federation, Mobile, Social & Cloud, External Authorization, SOA Security, Integrated ESSO, Token Services, Fraud Detection

Directory: LDAP Storage, Virtual Directory, Meta Directory

Platform Security Services

Page 14: Oracle Privileged Account Manager 11gR2

Oracle Privileged Account Manager 11gR2


Page 15: Oracle Privileged Account Manager 11gR2

Introducing Oracle Privileged Account Manager

• Secure vault to centrally manage passwords for privileged and shared accounts
• Targets include Databases, Operating Systems, LDAP Directories and Oracle FMW applications
• Multiple access points for OPAM users and administrators
• Automatic password change using the Identity Connector Framework
• Policy based password check-out and check-in
• Flexible usage policies
• Customizable audit reports through BI Publisher and real time status
• Extension to Identity Governance: OIM and OIA integration for complete governance

Page 16: Oracle Privileged Account Manager 11gR2

OPAM Architecture


Page 17: Oracle Privileged Account Manager 11gR2

A Typical Use Case

[Figure: check-out flow between the user, Oracle Privileged Account Manager, an LDAP server holding the DBA role, the HR Application Database and a Unix Server]

HR Application Database: user logs in as DBA, adds a table to the DB, system runs out of space. Unix Server: user logs in as superuser, adds disk space.

• User requests the DBA password from OPAM
• OPAM verifies the OPAM user is in the HR DBA role (LDAP server)
• OPAM sets the DBA password for the HR App Database based on the password policy for the HR App Database
• OPAM returns the DBA password
• User requests the unix password
• OPAM returns the unix password
• User checks in the passwords

Page 18: Oracle Privileged Account Manager 11gR2

User Check-Out Password Screen


Page 19: Oracle Privileged Account Manager 11gR2

Supported Clients / Targets

• Generic Database Servers
• Generic LDAP Directories
• Generic UNIX Systems

Page 20: Oracle Privileged Account Manager 11gR2

Default Supported Targets

• OPAM will support all OIM ICF connectors
• Will ship with the following connectors
  • Generic UNIX
    • Any UNIX/LINUX server with SSH
  • Generic Database
    • Oracle 9i, 10g, 11g
    • Any
  • Generic LDAP

Page 21: Oracle Privileged Account Manager 11gR2

OPAM Benefits

• Enforce internal security policies and eliminate potential security threats from privileged users
• Cost-effectively enforce and attest to regulatory requirements
• Reduce IT costs through efficient self service and common security infrastructure
• Real time usage reports
• Customizable audit reports through BI Publisher

Page 22: Oracle Privileged Account Manager 11gR2

OPAM and Oracle Access Management

• OAM provides access control to the OPAM service console
  • Centralized, policy-driven services for web application authentication
  • Web single sign-on
  • Session control
• OAAM for layered access control to the OPAM service console
  • Real-time fraud prevention
  • Software-based multifactor authentication

Page 23: Oracle Privileged Account Manager 11gR2

OPAM and Oracle’s Governance Platform


Page 24: Oracle Privileged Account Manager 11gR2

Supports Oracle Identity Manager Enterprise Roles

• Request access
• De-provision access
• Reuse connectors
• Works with request catalog

Page 25: Oracle Privileged Account Manager 11gR2

OPAM OIM and OIA – a Complete Governance Platform

• Use case 1 – OIM to provision users to the OPAM directory
  • Leveraging OIM policy/role based provisioning, a system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access
  • Workflow and approval will be followed as defined
• Use case 2 – Request for Privileged Account Access Through OIM
  • OIM publishes privileged account entitlements in the request catalog
  • An admin user uses access request self service, searches the catalog, picks the privileged accounts he needs and submits them for approval
  • The request kicks off workflow and approval as defined
  • The user is provisioned with group membership after approval
  • The user can access OPAM for privileged password checkout and checkin

Page 26: Oracle Privileged Account Manager 11gR2

OPAM OIM and OIA – a Complete Governance Platform

• Use case 3 – Break glass access request through OIM
  • Ability for admins to request emergency access to certain privileged account(s) s/he normally is not entitled to. E.g., a critical server is down but the designated server admin is not available.
  • The admin goes through the OIM request process as defined earlier, but indicates this is a break glass emergency request
  • Submission of the request kicks off the break glass workflow with minimal or auto approval (per customer process)
  • The admin is presented with the privileged password for emergency use
  • A special alert is generated for the event and sent to security administrators
  • The access is automatically de-provisioned afterward (e.g., after some time)
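As an added illustration, not OPAM's own code or API: a Python model of the policy-based check-out/check-in flow with the break-glass path of use case 3, where an admin outside the account's LDAP group receives a time-bound emergency entitlement, an alert is raised for security administrators, the password is rotated on check-in, and the grant is de-provisioned once its time-to-live elapses. The group names, accounts, users and the in-memory vault are constructed for the example.

```python
import secrets
import string
from dataclasses import dataclass, field
# Constructed stand-ins for the LDAP groups and the account-to-group mapping (not OPAM's API).
GROUPS = {"hr-dba": {"alice"}, "unix-root": {"bob"}}
ACCOUNTS = {"hrdb/SYS": "hr-dba", "unixsrv/root": "unix-root"}

def new_password(length=20):
    # Fresh random password, as a vault generates on check-in per its password policy.
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

@dataclass
class Vault:
    passwords: dict = field(default_factory=lambda: {a: new_password() for a in ACCOUNTS})
    checked_out: dict = field(default_factory=dict)       # account -> user holding it
    emergency_grants: dict = field(default_factory=dict)  # (user, account) -> expiry time
    alerts: list = field(default_factory=list)            # alerts sent to security admins
    audit: list = field(default_factory=list)             # (event, user, account, time)
    def entitled(self, user, account, now):
        # Entitled through LDAP group membership or an unexpired break-glass grant.
        if user in GROUPS.get(ACCOUNTS[account], set()):
            return True
        return self.emergency_grants.get((user, account), -1) > now
    def checkout(self, user, account, now, break_glass=False, ttl=3600):
        if account in self.checked_out:
            raise PermissionError(f"{account} already checked out by {self.checked_out[account]}")
        if break_glass and not self.entitled(user, account, now):
            # Use case 3: minimal/auto approval, time-bound grant, alert to security admins.
            self.emergency_grants[(user, account)] = now + ttl
            self.alerts.append(f"BREAK-GLASS {user} -> {account} until {now + ttl}")
        if not self.entitled(user, account, now):
            self.audit.append(("DENY", user, account, now))
            raise PermissionError(f"{user} is not entitled to {account}")
        self.checked_out[account] = user
        self.audit.append(("CHECKOUT", user, account, now))
        return self.passwords[account]
    def checkin(self, user, account, now):
        if self.checked_out.get(account) != user:
            raise PermissionError(f"{account} is not checked out by {user}")
        del self.checked_out[account]
        self.passwords[account] = new_password()  # rotate on check-in
        self.audit.append(("CHECKIN", user, account, now))
    def expire_grants(self, now):
        # Auto de-provision emergency grants whose time-to-live has elapsed.
        expired = [k for k, exp in self.emergency_grants.items() if exp <= now]
        for user, account in expired:
            del self.emergency_grants[(user, account)]
            self.audit.append(("DEPROVISION", user, account, now))
        return len(expired)
```

Time is passed in as an integer so the expiry behaviour can be exercised deterministically; a real deployment would use the system clock and persist the audit trail.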

Page 27: Oracle Privileged Account Manager 11gR2

OPAM OIM and OIA – a Complete Governance Platform

• Use case 4 – Delegated access
  • Example: Bob is on vacation for 3 weeks; Joe is authorized to access the accounts Bob has access to. Joe’s access is revoked after Bob returns.
• Use case 5 – Risk based certification and closed-loop remediation with OIA
  • Through the existing OIM/OIA integration and OIM/OPAM integration, privileged access info is made available to OIA for certification.
  • Risk can be calculated based on its privilege status and other data such as provisioning method, etc.
  • If an access violation is found, it can be revoked based on OIM/OIA closed-loop remediation

Page 28: Oracle Privileged Account Manager 11gR2

OPAM, OIM and OIA – a Complete Governance Platform

• Central governance of regular and privileged users

• Complete auditing, reporting and certification of user’s individual and shared accounts

• More secure and more compliant

Page 29: Oracle Privileged Account Manager 11gR2

OPAM and Oracle Security Solutions


Page 30: Oracle Privileged Account Manager 11gR2

OPAM and Database Security

• Enterprise User Security allows non-privileged users to use their enterprise LDAP/AD password to connect to the database
• Database Vault provides stronger separation of duties for databases
• OPAM manages passwords for privileged users including SYS, SYSTEM and application accounts
• A complete Database Security solution from Oracle

Page 31: Oracle Privileged Account Manager 11gR2

Database User Management: Complete Solution

Service Description                                             Supported by
Use Existing Enterprise LDAP Passwords for End-User Passwords   EUS
Map Database Roles to Enterprise Roles                          EUS
Manage SYS/SYSTEM Passwords                                     OPAM
Manage Application Passwords                                    OPAM
Manage non-Oracle database passwords                            OPAM

Page 32: Oracle Privileged Account Manager 11gR2

Database Vault Integration: Complete Solution

Service Description                                                         Supported by
Privileged user access control to limit access to application data          DB Vault
Multi-factor authorization for enforcing enterprise security policies       DB Vault
Secure application consolidation                                            DB Vault
Manage DB Vault Privileged Accounts Passwords like user_manager, sec_admin   OPAM
Manage SYS/SYSTEM and other DB Privileged Accounts Passwords                OPAM

Page 33: Oracle Privileged Account Manager 11gR2

OPAM and UNIX/LINUX User Management

• Oracle Authentication Services For Operating Systems (OAS4OS) enables non-privileged UNIX/LINUX users to authenticate to LDAP
• OAS4OS simplifies migration from NIS to LDAP
• OPAM provides password management for user accounts such as root and other privileged application accounts on the server

Page 34: Oracle Privileged Account Manager 11gR2

UNIX/LINUX User Management: Complete Solution

Service Description                                     Supported by
Use Existing Enterprise LDAP for End-User Passwords     OAS4OS
Map UNIX Groups & NIS Maps to LDAP                      OAS4OS
Manage ROOT Passwords                                   OPAM
Manage superuser Application Account                    OPAM
Manage Windows passwords                                OPAM

Page 35: Oracle Privileged Account Manager 11gR2

Improve Security Of Oracle Middleware and Database

• Application passwords are often privileged and unmanaged
• OPAM can automatically manage application passwords for software that uses Oracle Fusion Middleware or connects to Oracle database
• This includes:
  • Oracle Credential Security Framework (CSF)
  • Oracle Wallet (planned post R2)

Page 36: Oracle Privileged Account Manager 11gR2

Summary


Page 37: Oracle Privileged Account Manager 11gR2

Summary

• Improves compliance and auditing of privileged account activities
• Can be deployed standalone or as part of the complete Oracle Identity Governance platform
• A key component of Oracle Identity Governance
  • Together with OIM and OIA
  • Central governance of regular and privileged users
  • Complete auditing, reporting and certification of user’s individual and shared accounts

Page 38: Oracle Privileged Account Manager 11gR2

www.oracle.com/Identity


www.facebook.com/OracleIDM

www.twitter.com/OracleIDM

blogs.oracle.com/OracleIDM
