Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1

Securing Privileged Accounts with an Integrated IDM Solution

[email protected] Manager, Oracle

Mike Laramie, Oracle Cloud for Industry Architecture Team

Buddhika Kottahachchi, OPAM Architect

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Program Agenda

• Introduction
• What is Oracle Privileged Account Manager?
• OPAM Integration with Oracle Identity Governance and Database Security
• Use Case: Oracle Cloud for Industry and OPAM
• Demo

Introduction


What do these two have in Common?

• Privileged account access
• Excessive access privileges
• Difficult to monitor shared accounts across multiple administrators

IDM – Overcome Threats and Regulations to Unlock Opportunities

2011 Data Breach Investigations Report:
• 76% Data Stolen From Servers
• 86% of Hacking Involved Stolen Credentials
• 48% Caused by Insiders
• 17% Involved Privilege Misuse

Threats:
• Increased Online Threat
• Costly Insider Fraud

Compliance:
• Tougher Regulations
• Greater Focus on Risk

Opportunities:
• Stronger Governance
• Social Media
• Cloud Computing
• Mobile Access

Managing Privilege Access Is Not Well Defined

• COST: Deploying point solutions can increase integration costs
• SCALE: Manual solutions don’t scale (like managing privileged access via spreadsheets)
• RISK: Using default system passwords is prone to risk

Two Big Management Problems

• IDENTIFYING PRIVILEGED ACCOUNTS
• TRACKING PRIVILEGED ACCOUNTS

The Right Approach is Self-Reinforcing

• Reporting & Certification
• Access Request
• Auto-Provisioning
• Remediation

VISIBILITY ACROSS COMPLETE USER ACCESS IS KEY

Privileged Account Management – A Platform Approach

• Shared Connectors
• Centralized Policies
• Workflow Integration
• Common Reporting

Outcomes: Reduce Risk, Improve Compliance

What is Oracle Privileged Account Manager

Oracle Fusion Middleware – Business Innovation Platform for the Enterprise and Cloud

• Complete and Integrated
• Best-in-class
• Open standards
• On-premise and Cloud
• Foundation for Oracle Fusion Applications and Oracle Cloud

Platform layers (diagram): User Engagement (Web, Social, Mobile); Business Process Management; Content Management; Business Intelligence; Service Integration; Data Integration; Identity Management; Development Tools; Cloud Application Foundation; Enterprise Management

Identity Management – Securing the Social Enterprise

• Simplified Identity Governance
  – Access Request Portal with Catalog and Shopping cart UI
  – In-product, durable customization of UIs, forms and workflows
  – Privileged Account Management – leverages Identity connectors, workflows, audit
• Complete Access Management
  – Integrated SSO, Federation, API Management, Token Management, Granular Authorization
  – Mobile application security with SSO, device fingerprinting and step-up authentication
  – Social identity log-in from popular social media sites
  – REST, OAuth, XACML
• Directories that Scale
  – OUD optimized on T4 hardware delivering 3x performance gain and 15% of set-up time

Privileged Account Manager – Definition of Terms

• Privileged Account
  – A “human”-accessible account with elevated permissions (root for UNIX/Linux, or SYS for DB)
• Service Account
  – Most customers use the term “service accounts” when they refer to Privileged Accounts
  – Some customers use the term “service accounts” when they refer to Application Accounts
  – OPAM uses “services accounts” in the connector configuration
• End User
  – An administrator who is accessing OPAM to check out an account
• Administrator
  – The OPAM server Administrator
  – An Administrator who is accessing OPAM to check out an account
• Application accounts
  – Accounts that are used by applications (stored in applications) to access e.g. a database
• Target
  – OPAM manages account access on “Targets”

Privileged Account Manager – Overview of Product Capabilities

• Secure password vault to centrally manage passwords for privileged accounts
  – OPAM uses an Oracle DB EE instance using TDE to encrypt passwords
• Session Management and Auditing
  – Session control without revealing a privileged account password
  – Session History and searchable Session Recording
• Extensible Framework
  – Java-based for customized solutions
• Audit Reporting
  – Customizable audit reports through BI Publisher
  – Real-time status available via the OPAM dashboard (charts, tables, etc.)
• Integrated with Identity Governance Platform
  – Shared Connectors and Workflow integration with OIM
  – Centralized Policies Management via OIM and OIA
• Using out-of-the-box connectors, OPAM Targets can be configured for
  – Databases, Operating Systems and LDAP Directories, and Oracle FMW applications

Privileged Account Manager – Overview of Product Capabilities (continued)

• Policy-based access to privileged accounts via “grants”
  – Grants control if and when a given administrator has access to a privileged account
  – Grants are represented as OPAM Usage Policies
  – Grants are typically assigned through LDAP Group Membership in the identity store
• Flexible Password Policies
  – Mirror corporate password standards

Supported Clients / Targets

• Generic Database Servers
• Generic LDAP Directories
• Generic UNIX Systems
• UNIX
• MS SQL Server
• Sybase 15

Typical OPAM Use-Case

Actors (diagram): Database and Unix Admin (Joe); LDAP Server, where Joe is in the “HR DBA” Role; Oracle Privileged Account Manager; HR Application Database; Unix Server.

• Joe requests the SYSTEM password for the HR Application Database. OPAM verifies the OPAM user against the LDAP Server and returns the SYSTEM password.
• User logs in as SYSTEM and adds a table to the DB; the system runs out of space.
• Joe requests the root password for the Unix Server; OPAM returns the root password.
• User logs in as root and adds disk space.
• User checks in the passwords.
• OPAM sets the SYSTEM password for the HR App Database, based on the password policy for HR App Database, and sets the root password for the Unix Server, based on the password policy for Unix Server.

OPAM Integration with Oracle Identity Governance and Database Security

OPAM and OIM – a Complete Governance Platform: Request for Privileged Account Access

• Leverage OIM policy/role-based provisioning
• A system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access
• Workflow and approval will be followed as defined
• OIM publishes privileged account entitlements in the request catalog
• An admin user uses access request self service, searches the catalog, picks the privileged accounts he needs and submits for approval
• The request kicks off workflow and approval as defined
• The user is provisioned with group membership after approval
• The user can access OPAM for privileged password checkout and checkin

OPAM and OIM – a Complete Governance Platform: Risk-based Certification

• Through the existing OIM/OPAM integration, privileged access information is made available for certification
• Risk can be calculated based on its privilege status and other data such as provisioning method, etc.
• If an access violation is found, it can be revoked based on OIM closed-loop remediation

OPAM and Database Security

• Enterprise User Security allows non-privileged users to use their enterprise LDAP/AD password to connect to the database
• Database Vault provides stronger separation of duties for databases
• OPAM manages DB passwords for privileged users including SYS, SYSTEM and application accounts
• A complete Database Security solution from Oracle

Database User Management – Complete Solution

Service Description | Supported by
Use Existing Enterprise LDAP Passwords for End-User Passwords | EUS
Map Database Roles to Enterprise Roles | EUS
Manage SYS/SYSTEM Passwords | OPAM
Manage Application Passwords | OPAM
Manage non-Oracle database passwords | OPAM

Database Vault Integration – Complete Solution

Service Description | Supported by
Privileged user access control to limit access to application data | DB Vault
Multi-factor authorization to enforce enterprise security policies | DB Vault
Secure application consolidation | DB Vault
Manage DB Vault Privileged Accounts Passwords like user_manager, sec_admin | OPAM
Manage SYS/SYSTEM and other DB Privileged Accounts Passwords | OPAM

Use Case: Oracle Cloud for Industry and OPAM

Oracle Cloud for Industry – Overview

• What is OCI?
  – An internal provider of cloud-based IaaS and PaaS services available to Oracle Global Business Units (GBUs) for the packaging of Oracle Industry Solutions to end customers.
• E.g. Financial Services, Healthcare, Retail
  – http://www.oracle.com/us/industries/index.html

Oracle Cloud for Industry – Operational Roles

• Different operational roles require different levels of access
  – Server Admins
  – Network Admins
  – DB Admins
• Some groups may require access to multiple resources

Oracle Cloud for Industry – Problems

• Disparate privileged account practices between multiple operational roles
  – Password vault utilities
  – Spreadsheets
• Minimal auditing/reporting on privileged account usage
• Difficulty of access
  – “Which vault is that stored in?”
• Additional requirements driven by regulatory compliance
  – PCI
  – HIPAA/HITECH

Oracle Cloud for Industry – Solution

• Implement a password solution that:
  – Easy to use
  – Supports privileged accounts from multiple teams with differing requirements
  – Reliable
  – Secure
  – Auditable
  – Meets or exceeds regulatory compliance
• Solution
  – OPAM

Oracle Cloud for Industry – OCI & OPAM

• How did OPAM help?
  – Role-based access to privileged accounts:
    • LDAP group membership determines which privileged accounts users can access
  – Convenient, accessible BUI
  – Automated reporting of privileged account access and usage
  – Centralized, secure repository
  – Automated password management
  – Unique passwords for each system

Oracle Cloud for Industry – OCI Use Cases

• Unix Targets
  – Guest VM/Hypervisor privileged accounts
• Database Targets
  – Sys/System/Application
• LDAP Targets
  – Service Accounts
• Lockbox Targets
  – Storage appliances
  – Application passwords
  – Network devices

Oracle Cloud for Industry – PCI & OPAM

• How did OPAM help with PCI Compliance?
• Addressed PCI DSS 2.0 Requirements:
  – 2.1: “Always change vendor supplied passwords before installing a system…”
  – 8.5.8: “Do not use group, shared, or generic accounts and passwords…”
  – 8.5.9: “Change user passwords at least every 90 days.”

Oracle Cloud for Industry – OPAM Flexibility

• Customized scripts for password aging reporting
  – Required for 8.5.9
  – Wrote custom script to retrieve data from OPAM and email admins as necessary
• RFE submitted to include functionality in future release’s BUI
• Daily reports of check-in/check-out activity
  – Currently done through BI Publisher
  – Emailed to security team nightly
  – On-Demand reporting will be in future release
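The checkout/check-in cycle from the Typical OPAM Use-Case and “grants” slides, together with the PCI DSS 8.5.9 password-aging script this slide mentions, as an added example that is not OPAM code or the OCI team's script: an in-memory vault where LDAP group membership decides who may check an account out, every decision lands in an audit trail, check-in resets the password according to the target's policy, and a report lists accounts whose password has exceeded the policy's maximum age. The target names, the policy fields, the one-holder-at-a-time checkout rule and the user and group names are constructed assumptions.

```python
"""Added illustration, not OPAM code: a small in-memory model of the checkout /
check-in cycle the slides describe (grants by LDAP group, password reset per
target policy on check-in, an audit trail) plus a PCI DSS 8.5.9 password-aging
check. Policy fields and the exclusive-checkout rule are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple
import secrets
import string


@dataclass
class PasswordPolicy:
    """Per-target policy; the slides only say policies exist per target (shape assumed)."""
    length: int = 16
    max_age_days: int = 90  # PCI DSS 8.5.9: change passwords at least every 90 days


@dataclass
class Account:
    target: str
    username: str
    password: str
    last_set: datetime
    checked_out_by: Optional[str] = None


class Vault:
    def __init__(self) -> None:
        self.policies: Dict[str, PasswordPolicy] = {}
        self.accounts: Dict[str, Account] = {}       # key "target/username"
        self.grants: Dict[str, Set[str]] = {}        # key -> LDAP groups holding a grant
        self.audit: List[Tuple[datetime, str, str, str]] = []  # (when, who, action, key)

    def add(self, target: str, username: str, password: str, last_set: datetime,
            policy: PasswordPolicy, groups: Set[str]) -> None:
        key = f"{target}/{username}"
        self.policies[target] = policy
        self.accounts[key] = Account(target, username, password, last_set)
        self.grants[key] = set(groups)

    def _new_password(self, target: str) -> str:
        alphabet = string.ascii_letters + string.digits + "!@#$%"
        return "".join(secrets.choice(alphabet) for _ in range(self.policies[target].length))

    def checkout(self, user: str, user_groups: List[str], key: str, now: datetime) -> str:
        """Reveal the password only if one of the user's LDAP groups holds a grant."""
        if not self.grants.get(key, set()) & set(user_groups):
            self.audit.append((now, user, "CHECKOUT_DENIED", key))
            raise PermissionError(f"{user} has no grant for {key}")
        acct = self.accounts[key]
        if acct.checked_out_by is not None:  # assumed: one holder at a time
            raise RuntimeError(f"{key} already checked out by {acct.checked_out_by}")
        acct.checked_out_by = user
        self.audit.append((now, user, "CHECKOUT", key))
        return acct.password

    def checkin(self, user: str, key: str, now: datetime) -> None:
        """Release the account and reset its password per the target's policy."""
        acct = self.accounts[key]
        if acct.checked_out_by != user:
            raise RuntimeError(f"{key} is not checked out by {user}")
        acct.password = self._new_password(acct.target)
        acct.last_set = now
        acct.checked_out_by = None
        self.audit.append((now, user, "CHECKIN_RESET", key))


def password_aging_report(vault: Vault, now: datetime) -> List[str]:
    """Keys of accounts whose password is older than the target policy allows."""
    return sorted(key for key, acct in vault.accounts.items()
                  if now - acct.last_set > timedelta(days=vault.policies[acct.target].max_age_days))


def joe_scenario(now: datetime = datetime(2013, 9, 24, 9, 0)) -> dict:
    """Constructed walk-through of the slides' use case (Joe, in the HR DBA role)."""
    vault = Vault()
    vault.add("hr-app-db", "SYSTEM", "Welcome1", now - timedelta(days=120),
              PasswordPolicy(length=20), {"HR DBA"})
    vault.add("unix-server", "root", "changeme", now - timedelta(days=100),
              PasswordPolicy(length=16), {"HR DBA", "Unix Admins"})
    stale_before = password_aging_report(vault, now)       # both passwords over 90 days old
    old_pw = vault.checkout("joe", ["HR DBA"], "hr-app-db/SYSTEM", now)
    try:                                                   # helpdesk holds no grant for root
        vault.checkout("sam", ["Helpdesk"], "unix-server/root", now)
        denied = False
    except PermissionError:
        denied = True
    later = now + timedelta(minutes=30)
    vault.checkin("joe", "hr-app-db/SYSTEM", later)        # reset on check-in
    new_pw = vault.accounts["hr-app-db/SYSTEM"].password
    return {
        "stale_before": stale_before,
        "denied": denied,
        "rotated": new_pw != old_pw and len(new_pw) == 20,
        "stale_after": password_aging_report(vault, later),  # only root remains stale
        "actions": [action for _, _, action, _ in vault.audit],
    }
```

Running `joe_scenario()` shows the two properties the slides care about: the aging report shrinks to the Unix root account once SYSTEM has been checked in and reset, and the denied checkout is recorded in the audit trail alongside the successful one, which is what a nightly report would surface to the security team.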

Case Study Overview – Solution

• Securely stores local privileged account information in a central location
• Access to accounts is limited by LDAP group membership (RBAC)
• Reportable audit trail on account usage

Oracle Privileged Account Manager in Action – Demo Overview

• How the OPAM “lockbox” is used by Oracle Cloud for Industry
• How OPAM Session Management and Auditing enhances the “lockbox” concept to provide additional compliance data
• How to extend OPAM operations to enable emergency access

HOW WE DID IT

REQUESTING PRIVILEGED ACCESS (demo diagram): Demo Laptop → Oracle Identity Governance → Session Manager → Demo Server. Request Privileged Access to Avitek Retail Host; approval workflow; approval via smartphone.

EXECUTING COMMANDS (demo diagram): sending “commands” from the Demo Laptop through the Session Manager; command executed on Demo Server; command recorded in Session Log.

REVIEWING THE PRIVILEGED ACCESS (demo diagram): access checkout history report from Oracle Identity Governance; Session Logs / Transcripts from the Session Manager.

Looking Forward – A Physical Security Demo

• Lockitron
  – Internet-connected lock
  – Exposes REST interfaces
  – Protected by an Access Token
• OPAM
  – Protect Access Token in a Lockbox
• OPAM Plug-in
  – Unlock/Lock as part of Checkout/Check-in (using Access Token)

Summary

OPAM Benefits

• Enforce internal security policies and eliminate potential security threats from privileged users
• Session Management and Auditing of user activities (who did what, when)
• Cost-effectively enforce and attest to regulatory requirements
• Reduce IT costs through efficient self service and common security infrastructure
• Extensible Java-based Framework

Sessions not to miss

Session | When | Where | Title | Speaker
CON8823 | Wednesday 09/25, 5:00PM | Moscone West, Room 2018 | Access Management for the Internet of Things | Kanishk Mahajan, Oracle
CON8826 | Thursday 09/26, 3:30PM | Moscone West, Room 2018 | Zero Capital Investment by leveraging Identity Management as a Service | Mike Neuenschwander, Oracle
CON8902 | Thursday 09/26, 2:00PM | Marriott Marquis – Golden Gate C3 | Developing Secure Mobile Applications | Mark Wilcox, Oracle
CON8836 | Thursday 09/26, 11:00AM | Moscone West, Room 2018 | Leveraging the Cloud to simplify your Identity Management implementation | Guru Shashikumar, Oracle
CON4342 | Thursday 09/26, 12:30PM | Moscone West, Room 2018 | Identity Services in the New GM IT | GM
CON9024 | Thursday 09/26, 2:00PM | Moscone West, Room 2018 | Next Generation Optimized Directory – Oracle Unified Directory | Etienne Remillon, Oracle

Join the Oracle Community

Twitter: twitter.com/OracleIDM
Facebook: facebook.com/OracleIDM
Oracle.com/Identity
Oracle Blogs: Blogs.oracle.com/OracleIDM

Further Information

• Oracle Privileged Account Manager
  http://www.oracle.com/technetwork/middleware/id-mgmt/overview/opam-homepage-1697430.html
• Documentation
  Oracle Fusion Middleware 11gR2 Release (11.1.2.1.0)
• Software
  http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/index.html