TRANSCRIPT
Securing Privileged Accounts with an Integrated IDM Solution
[email protected], Manager, Oracle
Mike Laramie, Oracle Cloud for Industry Architecture Team
Buddhika Kottahachchi, OPAM Architect
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
Program Agenda
• Introduction
• What is Oracle Privileged Account Manager?
• OPAM Integration with Oracle Identity Governance and Database Security
• Use Case: Oracle Cloud for Industry and OPAM
• Demo
What do these two have in common?
• Privileged account access
• Excessive access privileges
• Difficult to monitor shared accounts across multiple administrators
IDM – Overcome Threats and Regulations to Unlock Opportunities
Figures cited from the 2011 Data Breach Investigations Report:
• 76% of data stolen from servers
• 86% of hacking involved stolen credentials
• 48% caused by insiders
• 17% involved privilege misuse
Threats
• Increased online threat
• Costly insider fraud
Compliance
• Tougher regulations
• Greater focus on risk
• Stronger governance
Opportunities
• Social media
• Cloud computing
• Mobile access
Managing Privileged Access Is Not Well Defined
• Risk: using default system passwords is prone to risk
• Scale: manual solutions don't scale (like managing privileged access via spreadsheets)
• Cost: deploying point solutions can increase integration costs
Two Big Management Problems
• Identifying privileged accounts
• Tracking privileged accounts
The Right Approach is Self-Reinforcing
Visibility across complete user access is key. The cycle:
• Access Request
• Auto-Provisioning
• Reporting & Certification
• Remediation
Privileged Account Management – A Platform Approach
• Shared Connectors
• Centralized Policies
• Workflow Integration
• Common Reporting
Outcomes: reduce risk, improve compliance
What is Oracle Privileged Account Manager?
Oracle Fusion Middleware – Business Innovation Platform for the Enterprise and Cloud
• Complete and Integrated
• Best-in-class
• Open standards
• On-premise and Cloud
• Foundation for Oracle Fusion Applications and Oracle Cloud
Platform layers shown: User Engagement (Web, Social, Mobile); Business Process Management; Content Management; Business Intelligence; Service Integration; Data Integration; Identity Management; Development Tools; Cloud Application Foundation; Enterprise Management
Identity Management – Securing the Social Enterprise
• Simplified Identity Governance
  – Access Request Portal with Catalog and Shopping-cart UI
  – In-product, durable customization of UIs, forms and workflows
  – Privileged Account Management – leverages Identity connectors, workflows, audit
• Complete Access Management
  – Integrated SSO, Federation, API Management, Token Management, Granular Authorization
  – Mobile application security with SSO, device fingerprinting and step-up authentication
  – Social identity log-in from popular social media sites
  – REST, OAuth, XACML
• Directories that Scale
  – OUD optimized on T4 hardware, delivering a 3x performance gain and 15% of the set-up time
Privileged Account Manager – Definition of Terms
• Privileged Account
  – A "human"-accessible account with elevated permissions (root for UNIX/Linux, or SYS for DB)
• Service Account
  – Most customers use the term "service accounts" when they refer to privileged accounts
  – Some customers use the term "service accounts" when they refer to application accounts
  – OPAM uses "service accounts" in the connector configuration
• End User
  – An administrator who is accessing OPAM to check out an account
• Administrator
  – The OPAM server administrator
• Application Accounts
  – Accounts that are used by an application (stored in the application) to access, e.g., a database
• Target
  – OPAM manages account access on "Targets"
Privileged Account Manager – Overview of Product Capabilities
• Secure password vault to centrally manage passwords for privileged accounts
  – OPAM stores the vault in an Oracle DB EE instance and uses TDE to encrypt the passwords (TDE protects the stored data at rest; who may read a password out of the vault is governed by OPAM's grants, below)
• Session Management and Auditing
  – Session control without revealing the privileged account password to the user
  – Session history and searchable session recording
• Extensible Framework
  – Java based, for customized solutions
• Audit Reporting
  – Customizable audit reports through BI Publisher
  – Real-time status available via the OPAM dashboard (charts, tables, etc.)
• Integrated with the Identity Governance Platform
  – Shared connectors and workflow integration with OIM
  – Centralized policy management via OIM and OIA
• Using out-of-the-box connectors, OPAM Targets can be configured for
  – Databases, operating systems, LDAP directories, and Oracle FMW applications
• Policy-based access to privileged accounts via "grants"
  – Grants control if and when a given administrator has access to a privileged account
  – Grants are represented as OPAM Usage Policies
  – Grants are typically assigned through LDAP group membership in the identity store
• Flexible Password Policies
  – Mirror corporate password standards
Supported Clients / Targets (logo slide; only these names survived extraction)
• Generic Database Servers: MS SQL Server, Sybase 15
• Generic LDAP Directories
• Generic UNIX Systems: UNIX
Typical OPAM Use-Case
Actors and systems: Joe, a Database and Unix Admin, who is in the "HR DBA" role in the LDAP Server (the identity store OPAM consults); Oracle Privileged Account Manager; and two targets, the HR Application Database and a Unix Server.
1. Joe requests the SYSTEM password for the HR App Database from OPAM.
2. OPAM verifies the OPAM user (Joe's "HR DBA" membership carries the grant) and returns the SYSTEM password.
3. Joe logs in to the HR App Database as SYSTEM and adds a table; the system runs out of space.
4. Joe requests the root password for the Unix Server; OPAM verifies him the same way and returns the root password.
5. Joe logs in as root and adds disk space.
6. Joe checks both passwords back in. OPAM then sets a new SYSTEM password on the HR App Database according to the password policy for HR App Database, and a new root password on the Unix Server according to the password policy for Unix Server, so the credentials Joe was shown are no longer valid.
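The flow above, as an added example that is not OPAM's code and not anything from the presenters: an in-memory model of grant-based checkout and check-in. Grants are the LDAP groups permitted to check out a given account on a target (the role OPAM's usage policies play); a checkout is honoured only if the requester holds one of those groups, a check-in rotates the account's password under that target's policy, and every decision is written to an audit trail. The LDAP lookup, the targets and the password reset are simulated; "HR DBA", the two targets and the SYSTEM and root accounts come from the slide, while the second user, the policy lengths and the exclusive-checkout rule are constructed assumptions of this model.

```python
"""Added example (not OPAM code): in-memory model of the slide's
checkout / check-in flow with LDAP-group grants, password rotation on
check-in and an audit trail.  Names other than those on the slide are
constructed assumptions.  Checkouts are exclusive here; that is a
simplification of this model, not a statement about OPAM."""
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class PasswordPolicy:
    """Per-target password policy: length and character set."""
    length: int = 16
    alphabet: str = string.ascii_letters + string.digits + "!@#$%^&*"

    def generate(self) -> str:
        return "".join(secrets.choice(self.alphabet) for _ in range(self.length))


@dataclass
class Target:
    name: str
    account: str
    policy: PasswordPolicy
    password: str = ""  # credential currently held by the vault


class Vault:
    def __init__(self, groups_of_user, grants):
        self.groups_of_user = groups_of_user  # user -> set of LDAP groups (simulated)
        self.grants = grants                  # (target, account) -> set of granting groups
        self.targets = {}
        self.holder = {}                      # (target, account) -> user holding the checkout
        self.audit = []

    def add_target(self, target):
        # Set a fresh password on enrolment so the vendor default never survives.
        target.password = target.policy.generate()
        self.targets[(target.name, target.account)] = target

    def _log(self, user, action, key, ok, why=""):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(), "user": user,
            "action": action, "target": key[0], "account": key[1], "ok": ok, "why": why,
        })

    def checkout(self, user, target_name, account):
        key = (target_name, account)
        if key not in self.targets:
            self._log(user, "checkout", key, False, "unknown target")
            raise KeyError(f"{account}@{target_name} is not managed")
        if not (self.groups_of_user(user) & self.grants.get(key, set())):
            self._log(user, "checkout", key, False, "no grant")
            raise PermissionError(f"{user} holds no group granting {account}@{target_name}")
        if key in self.holder and self.holder[key] != user:
            self._log(user, "checkout", key, False, f"held by {self.holder[key]}")
            raise PermissionError(f"{account}@{target_name} is checked out by {self.holder[key]}")
        self.holder[key] = user
        self._log(user, "checkout", key, True)
        return self.targets[key].password

    def checkin(self, user, target_name, account):
        key = (target_name, account)
        if self.holder.get(key) != user:
            self._log(user, "checkin", key, False, "not the holder")
            raise PermissionError(f"{user} does not hold {account}@{target_name}")
        target = self.targets[key]
        old = target.password
        target.password = target.policy.generate()  # rotate under the target's own policy
        del self.holder[key]
        self._log(user, "checkin", key, True, "password rotated")
        return target.password != old


def build_demo_vault():
    """The slide's setup: Joe is in HR DBA, which is granted SYSTEM on the HR App Database and root on the Unix Server."""
    ldap = {"joe": {"HR DBA"}, "alice": {"Network Admins"}}  # constructed directory
    grants = {("HR App Database", "SYSTEM"): {"HR DBA"}, ("Unix Server", "root"): {"HR DBA"}}
    vault = Vault(lambda user: ldap.get(user, set()), grants)
    vault.add_target(Target("HR App Database", "SYSTEM", PasswordPolicy(length=20)))
    vault.add_target(Target("Unix Server", "root", PasswordPolicy(length=16)))
    return vault


def run_joe_scenario():
    """Joe's sequence from the slide; returns the audit trail and whether both credentials died on check-in."""
    vault = build_demo_vault()
    db_pw = vault.checkout("joe", "HR App Database", "SYSTEM")  # log in as SYSTEM, add table, out of space
    root_pw = vault.checkout("joe", "Unix Server", "root")      # log in as root, add disk space
    rotated_db = vault.checkin("joe", "HR App Database", "SYSTEM")
    rotated_root = vault.checkin("joe", "Unix Server", "root")
    still_valid = (db_pw == vault.targets[("HR App Database", "SYSTEM")].password
                   or root_pw == vault.targets[("Unix Server", "root")].password)
    return vault.audit, rotated_db and rotated_root and not still_valid


if __name__ == "__main__":
    audit, ok = run_joe_scenario()
    for entry in audit:
        print(entry)
    print("credentials rotated on check-in:", ok)
```

The point the model makes explicit is that authorization is decided at checkout from directory membership, not from anything the user types, and that the secret handed out has a bounded life because check-in rotates it; the audit entries record denials as well as grants, which is what a certification or incident review later needs.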
OPAM Integration with Oracle Identity Governance and Database Security

OPAM and OIM – a Complete Governance Platform: Request for Privileged Account Access
• Leverage OIM policy/role based provisioning
• A system admin may be provisioned into specific LDAP groups that OPAM uses for privileged account access
• Workflow and approval will be followed as defined
• OIM publishes privileged account entitlements in the request catalog
• An admin user uses access request self-service, searches the catalog, picks the privileged accounts he needs and submits them for approval
• The request kicks off workflow and approval as defined
• The user is provisioned with the group membership after approval
• The user can then access OPAM for privileged password checkout and check-in

OPAM and OIM – a Complete Governance Platform: Risk-based certification
• Through the existing OIM–OPAM integration, privileged access information is made available for certification
• Risk can be calculated based on privilege status and other data such as provisioning method, etc.
• If an access violation is found, it can be revoked through OIM closed-loop remediation
OPAM and Database Security
• Enterprise User Security (EUS) allows non-privileged users to use their enterprise LDAP/AD password to connect to the database
• Database Vault provides stronger separation of duties for databases
• OPAM manages DB passwords for privileged users including SYS, SYSTEM and application accounts
• Together: a complete Database Security solution from Oracle
Database User Management – Complete Solution
Service Description                                               Supported by
Use existing enterprise LDAP passwords for end-user passwords     EUS
Map database roles to enterprise roles                            EUS
Manage SYS/SYSTEM passwords                                       OPAM
Manage application passwords                                      OPAM
Manage non-Oracle database passwords                              OPAM
Database Vault Integration – Complete Solution
Service Description                                                           Supported by
Privileged user access control to limit access to application data            DB Vault
Multi-factor authorization to enforce enterprise security policies            DB Vault
Secure application consolidation                                              DB Vault
Manage DB Vault privileged account passwords, e.g. user_manager, sec_admin     OPAM
Manage SYS/SYSTEM and other DB privileged account passwords                   OPAM
Use Case: Oracle Cloud for Industry and OPAM

Oracle Cloud for Industry – Overview
• What is OCI?
  – An internal provider of cloud-based IaaS and PaaS services available to Oracle Global Business Units (GBUs) for the packaging of Oracle Industry Solutions to end customers.
  – E.g. Financial Services, Healthcare, Retail
  – http://www.oracle.com/us/industries/index.html
Oracle Cloud for Industry – Operational Roles
• Different operational roles require different levels of access
  – Server Admins
  – Network Admins
  – DB Admins
• Some groups may require access to multiple resources
Oracle Cloud for Industry – Problems
• Disparate privileged account practices between multiple operational roles
  – Password vault utilities
  – Spreadsheets
• Minimal auditing/reporting on privileged account usage
• Difficulty of access
  – "Which vault is that stored in?"
• Additional requirements driven by regulatory compliance
  – PCI
  – HIPAA/HITECH
Oracle Cloud for Industry – Solution
• Implement a password solution that is
  – Easy to use
  – Able to support privileged accounts from multiple teams with differing requirements
  – Reliable
  – Secure
  – Auditable
  – Meets or exceeds regulatory compliance
• Solution: OPAM
Oracle Cloud for Industry – OCI & OPAM
• How did OPAM help?
  – Role-based access to privileged accounts: LDAP group membership determines which privileged accounts users can access
  – Convenient, accessible BUI
  – Automated reporting of privileged account access and usage
  – Centralized, secure repository
  – Automated password management
  – Unique passwords for each system
Oracle Cloud for Industry – OCI Use Cases
• Unix Targets
  – Guest VM/Hypervisor privileged accounts
• Database Targets
  – Sys/System/Application
• LDAP Targets
  – Service Accounts
• Lockbox Targets
  – Storage appliances
  – Application passwords
  – Network devices
Oracle Cloud for Industry – PCI & OPAM
• How did OPAM help with PCI compliance?
• Addressed PCI DSS 2.0 requirements:
  – 2.1: "Always change vendor supplied passwords before installing a system…"
  – 8.5.8: "Do not use group, shared, or generic accounts and passwords…"
  – 8.5.9: "Change user passwords at least every 90 days."
Oracle Cloud for Industry – OPAM Flexibility
• Customized scripts for password aging reporting
  – Required for 8.5.9
  – Wrote a custom script to retrieve data from OPAM and email admins as necessary
• RFE submitted to include this functionality in a future release's BUI
• Daily reports of check-in/check-out activity
  – Currently done through BI Publisher
  – Emailed to the security team nightly
• On-demand reporting will be in a future release
Case Study Overview – Solution
• Securely stores local privileged account information in a central location
• Access to accounts is limited by LDAP group membership (RBAC)
• Reportable audit trail on account usage
Oracle Privileged Account Manager in Action – Demo Overview
• How the OPAM "lockbox" is used by Oracle Cloud for Industry
• How OPAM Session Management and Auditing enhance the "lockbox" concept to provide additional compliance data
• How to extend OPAM operations to enable emergency access
Demo – Requesting Privileged Access
Components: Demo Laptop, Demo Server, Oracle Identity Governance, Session Manager
• Request privileged access to the Avitek Retail host
• Approval workflow, with approval via smartphone

Demo – Executing Commands
• "Commands" are sent from the Demo Laptop through the Session Manager
• Command executed on the Demo Server
• Command recorded in the Session Log

Demo – Reviewing the Privileged Access
• Access checkout history report
• Session Logs / Transcripts
Looking Forward – A Physical Security Demo
• Lockitron
  – Internet-connected lock
  – Exposes REST interfaces
  – Protected by an Access Token
• OPAM
  – Protect the Access Token in a Lockbox
• OPAM Plug-in
  – Unlock/Lock as part of Checkout/Check-in (using the Access Token)
OPAM Benefits
• Enforce internal security policies and eliminate potential security threats from privileged users
• Session Management and Auditing of user activities (who did what, when)
• Cost-effectively enforce and attest to regulatory requirements
• Reduce IT costs through efficient self-service and a common security infrastructure
• Extensible Java-based framework
Sessions not to miss
• CON8823, Wednesday 09/25, 5:00PM, Moscone West, Room 2018: Access Management for the Internet of Things. Kanishk Mahajan, Oracle
• CON8826, Thursday 09/26, 3:30PM, Moscone West, Room 2018: Zero Capital Investment by leveraging Identity Management as a Service. Mike Neuenschwander, Oracle
• CON8902, Thursday 09/26, 2:00PM, Marriott Marquis, Golden Gate C3: Developing Secure Mobile Applications. Mark Wilcox, Oracle
• CON8836, Thursday 09/26, 11:00AM, Moscone West, Room 2018: Leveraging the Cloud to simplify your Identity Management implementation. Guru Shashikumar, Oracle
• CON4342, Thursday 09/26, 12:30PM, Moscone West, Room 2018: Identity Services in the New GM IT. GM
• CON9024, Thursday 09/26, 2:00PM, Moscone West, Room 2018: Next Generation Optimized Directory – Oracle Unified Directory. Etienne Remillon, Oracle
Join the Oracle Community
Twitter: twitter.com/OracleIDM
Facebook: facebook.com/OracleIDM
Oracle Blogs: blogs.oracle.com/OracleIDM
Oracle.com/Identity
Further Information
• Oracle Privileged Account Manager
  http://www.oracle.com/technetwork/middleware/id-mgmt/overview/opam-homepage-1697430.html
• Documentation
  Oracle Fusion Middleware 11gR2 Release (11.1.2.1.0)
• Software
  http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/index.html