Number of slides: 80
Oracle Security & Identity Management
July 20, 2005

Rafael Torres, Sr. Solutions Architect, Cincinnati, OH, 513-768-6856, rafael.torres@oracle.com
Gary Quarles, Sr. Solutions Architect, Columbus, OH, 614-280-6500, gary.quarles@oracle.com
Agenda
• 9:00 am to 10:15 am: Identity Management
  - OID, User Provisioning, Directory Integration, Proxy Authentication
  - Virtual Private Database
  - Securing Data Access
  - Secure Application Roles
• BREAK (15 mins)
Agenda (con't)
• 10:30 am to 11:45 am
  - Label Security
  - Fine Grained Auditing
  - Stored Data Encryption
  - Detecting Security Breaches
  - Data Privacy Compliance
  - Network Encryption
  - User Security
  - Oblix Roadmap
• 11:45 am to 1:00 pm: Buffet Luncheon
• 1:00 pm to 1:15 pm: Raffle
Security Legislation
• Sarbanes-Oxley
  - Everyone
  - Financial statements contain no errors
• Gramm-Leach-Bliley
  - Financial services, healthcare
  - Ensure privacy, security, confidentiality
• California's Breach Disclosure Law
  - Anyone with customers in California
  - Audit breach of PII, notify those affected
• Safe Harbor
  - Anyone doing business in Europe
  - Reasonable steps to secure from unauthorized access
Data Privacy Concerns
• Customer information: protecting customer personally identifiable information (PII)
• Employee information: the majority of privacy regulations provide equal or greater rights of privacy to employees
• Third-party information: protecting PII of third persons provided to you by customers or employees
Data Privacy Compliance
25% technical, 75% policy and procedures
www.oracle.com/consulting
The Expert View
"90% detected computer security breaches in the past year."
"80% acknowledged financial losses due to computer breaches."
- CSI/FBI Computer Crime and Security Survey
"If you spend more on coffee than on IT security, then you will be hacked... what's more, you deserve to be hacked!"
- Richard Clarke, Special Advisor to the President, Cyberspace Security
State of Security: United States
• 90% of respondents* detected computer security breaches within the last twelve months.
• 80% of respondents acknowledged financial losses due to computer breaches.
  - $455,848,000 in quantifiable losses
  - $170,827,000 theft of proprietary information
  - $115,753,000 in financial fraud
• 74% cited their Internet connection as a frequent point of attack
• 33% cited internal systems as a frequent point of attack
* Source: CSI/FBI Computer Crime and Security Survey
Why Oracle for Security and Identity Management?
• 25+ year history
  - First Oracle customer was a government customer
• Information Assurance
  - 17 independent security evaluations over the past decade
  - Substantial financial commitment to independent security evaluations
  - More evaluations than any other major database vendor
  - Culture of security at Oracle
• Robust security features and Identity Management infrastructure
  - Row level security
  - Fine Grained Auditing
  - Integrated database security and identity management
  - Web Single Sign-on, Oracle Internet Directory
  - Strong authentication
Oracle Database = 25+ years of security leadership
(Timeline graphic, 1977 to 2004)
• 1977: Government customer
• 1992: Trusted Oracle7 Multilevel Secure Database
• 1993: First Orange Book B1 evaluation
• Oracle Advanced Security introduced: Network Encryption, RADIUS Authentication, Support for PKI, Kerberos framework
• Database Encryption API
• Oracle Internet Directory, Enterprise User Security
• 1998: Virtual Private Database
• 2000: Oracle Label Security
• Oracle9iAS Single Sign-On, Oracle9iAS JAAS
• Common Criteria (EAL4)
• Fine Grained Auditing
• Identity Mgmt Release
• Security Evaluation 17
• Column Security Policies, Label Security + ID Mgmt
• 2004
Oracle Application Server 10g
Identity Management
Identity Management
• The process by which the complete security lifecycle for users and other entities is managed for an organization or community of organizations.
• The management of an organization's application users, where steps in the security lifecycle include account creation, suspension, privilege modification, and account deletion.
Identity Management Components
The Identity Challenge
(Diagram: End Users -> Application -> Directory Server or Database holding User Credentials for Authentication and Authorization; Administrators manage each silo separately)
• Redundant, silo'd application development
• Non-uniform access policies
• Orphan accounts
• Audit/log information fragmented
Bring Order to Chaos with Identity
(Diagram: End Users -> Applications -> one shared store of User Credentials for Authentication and Authorization; Administrators manage it centrally)
• Centralized, policy-based management of access & authorization
• Faster development and deployment
• Centralized audit and logging
Oracle ID Mgmt: Typical Deployments
• Enterprise provisioning: heterogeneous integration
• Telco provisioning: scalability & HA
• Enterprise Portal: Single Sign-on, administrative delegation
• Government R&D organization, corporate conglomerates: centralized identities with autonomous administration of departmental applications
• Multi-hosting with delegated subscriber admin: multiple identity realms in one physical infrastructure + HA
Platform Security Architecture
(Layered diagram)
• Applications and their security concepts
  - ISV & custom applications: authorization, privacy, audit, ...
  - E-Business Suite: responsibilities, roles, ...
  - Collaboration Suite: secure mail, interpersonal grants, ...
  - BPEL Process Manager, BI, Portal, ADF: roles, privilege groups, ...
• Oracle Application Server (application security): JAAS, JACC, WS-Security, ...
• Oracle Database: enterprise users, VPD, Label Security, encryption, audit
• Oracle Identity Management: Provisioning & Delegated Administration; RBAC & Web Authorization; Public Key Infrastructure; SSO & Identity Federation; Directory Integration; Oracle Internet Directory
• External security services: access management, provisioning services, directory services
• Oracle Platform Security (foundation layer)
Internet Directory
(Diagram: LDAP Clients -> OID Server -> Oracle Database; Directory Admin Console)
• Scalability
  - Millions of users
  - 1000's of simultaneous clients
• High availability
  - Multimaster & fan-out replication
  - Hot backup/recovery, RAC, etc.
• Manageability
  - Grid Control multi-node monitoring
• Security
  - Comprehensive password policies
  - Role & policy based access control
  - Auditability
• Extensibility & Virtualization
  - Plug-in framework
  - Attribute and namespace virtualization
  - External authentication
  - Custom password policies
Directory Integration
(Diagram: External Directories (SunONE, Active Directory, OpenLDAP, eDirectory) and Oracle HR / Oracle DB <-> Connectors <-> Oracle Internet Directory Integration Service <-> Oracle Internet Directory)
Provisioning Integration
(Diagram: Corporate HR, ERP, CRM, ... (employee enrollment) -> OID -> Event Notification Engine -> Policy & Workflow Engine -> Provisioning Connectors -> Portal, eMail, Partner Provisioning System; Helpdesk Admin, Portal Admin and eMail Admin administer through the Oracle Provisioning Integration Service; self-service for passwords and preferences)
Single Sign-On
(Diagram: OracleAS Enabled Environment (ERP, CRM, ..., Portal, eMail) and Partner SSO Enabled Environment (Netegrity, RSA, Oblix) around OracleAS Single Sign-on and OID; authentication options PKI, password, Windows 2000 native auth, SecurID, BioKey; Federation / Liberty; Extranet)
• Integrates Oracle and partner-SSO enabled apps
• Transparent access to DB tier, 3rd party web apps
• Multiple AuthN options
• Different auth modes to match application security levels
Demonstration: IdM SSO
SSO Benefits
1. Tightly integrated with the Oracle product stack
2. Easy to deploy, part of Oracle Identity Management
3. Supports PKI authentication with industry standard X.509 v3 certificates
4. Accepts Microsoft Kerberos tokens for easy authentication in a Windows environment
5. Integrated with Oracle Certificate Authority (OCA) for easy provisioning of X.509 v3 certificates using OCA
Certificate Authority
(Diagram: User -> Oracle Single Sign-On -> Oracle Certificate Authority -> Metadata Repository; Oracle Internet Directory; Secure IT Facility)
• Solution for strong authentication / PKI
• Easy provisioning of X.509 v3 digital certificates for end users
• Web based certificate management and administration
• Seamless integration with Oracle Application Server Single Sign-On & OID
Future support
• SAML (Security Assertions Meta Language): facilitates interoperation and federation among security services.
• SPML (Service Provisioning Meta Language): XML standard that facilitates integration among provisioning environments by defining the protocol for interaction between provisioning service components and agents representing provisioned services.
• DSML: XML standard for exchanging directory data as well as invoking directory operations over the Internet.
Future support (con't)
• XKMS (XML Key Management Specification): intended to simplify deployment of PKI in a web services environment.
• WS-Security: defines a set of SOAP extensions that can be used to provide message confidentiality, message integrity, and secure token propagation between web services and their clients.
• Liberty Alliance standards: define the framework and protocol for network identity based interactions among users and services within a federated identity management environment.
Delegated Administration Services
• Admin console with role-based customization
  - User / group management
  - End-user vs. admin views
  - Admin delegation
• End-user self-service
  - Self service provisioning
  - Set preferences, org chart
  - Password reset
• Embeddable admin components
  - For integration with apps
• Extensively configurable
  - Accommodate new applications
  - Customize UI views
Demonstration: IdM Delegated Admin Services
Delegated Admin Benefits
1. Enables self service administration of passwords and password resets
2. Enables administrative granularity of Identity Management components
3. Centralized provisioning for web SSO and enterprise user database access
4. Supports password or PKI based authentication
5. Self service password management without the intervention of an administrator
6. Delegated administrators, such as non-technical managers, can create and manage both users and groups
7. Allows users to search parts of the directory to which they have access
Grid Computing End-to-End Security
(Diagram: Client authenticates to App Server (Application Grid); App Server securely proxies user identity to the RDBMS (Data Grid); OID holds identities, roles & authorizations)
• Authenticate user
• Retrieve authorizations for users
• Connect users to application schema
AS 10g R2 New 3-tier Features
• Via proxy authentication, including credential proxy of X.509 certificates or Distinguished Names (DN) to the Oracle Database
• Support for Type 2 JDBC driver, connection pooling for 'application users' (Type 2 and Type 4 JDBC drivers, OCI)
• Integration with Oracle Identity Management for Enterprise Users (EUS).
Demonstration: User Security
User Security Benefits
1. Enables centralized management of traditional application users in Oracle Identity Management
2. Oracle Identity Management directory integration services can be used for bi-directional synchronization with existing Identity Management infrastructures (AD, SunONE/iPlanet, Netscape)
3. Optionally map users to shared schemas or retain individual account mappings in the database for complete application transparency
4. Optionally manage database roles in the Oracle Identity Management infrastructure
5. Optionally can be used with Oracle Label Security to maintain security clearances in Oracle Identity Management
Oracle IT: Before ID Mgmt
(Diagram: numerous IDs / passwords & sign-ons; every system keeps its own IDs, passwords, profiles and preferences)
• Systems: HR, E-Business Apps, Oracle Files, Global Mail, Web Mail / Calendar, Calendar, Web Conferencing, Intranet Web Apps, Oracle Technology Network, My.oracle.com
• Populations: Employees (corporate network), self-registered TechNet users, Partners / Suppliers (extranet, DMZ)
Oracle IT: After ID Mgmt
(Diagram: a single ID/password & SSO through the Oracle IdM Infrastructure)
• Systems: HR, E-Business Apps, Oracle Files, Global Mail, Web Mail / Calendar, Calendar, Web Conferencing, Intranet Web Apps, Oracle Technology Network, My.oracle.com
• Populations: Employees (corporate network), self-registered TechNet users, Partners / Suppliers (extranet, DMZ)
Oracle IdM Summary
• Oracle Identity Management is a complete infrastructure providing
  - directory services
  - directory synchronization
  - user provisioning
  - delegated administration
  - web single sign-on
  - and an X.509 v3 certificate authority.
• Oracle Identity Management is designed to provide ready, out-of-the-box deployment for Oracle applications, as well as serve as a general-purpose identity management infrastructure for the enterprise and beyond.
Break 15 minutes
Privacy & Access Control
Oracle 9i/10g Secure Application Role
CREATE ROLE SAR IDENTIFIED USING SCHEMA_USER.PACKAGE_NAME;
(Diagram: User A via HR Application, Financials Application and Ad-Hoc Reports -> JDBC / Net8 / ODBC -> Oracle 9i/10g)
• Secure application role is a role enabled by security code
• Application asks database to enable role (can be called transparently)
• Security code performs desired validation before setting role (privileges)
Secure Application Role Benefits
• Security policy can check anything:
  - Time of day, day of week
  - IP address/domain
  - Local or remote connection
  - User connected through application
  - X.509 data, etc.
• Database controls whether privileges are enabled
• Multiple applications can access database securely
• Allows secure handshake between applications and database
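The following added example (not from the deck) puts the secure application role from the previous slide together with the proxy authentication described on the 3-tier slide. It assumes a security-administrator schema SEC_ADMIN, an application-server account APP_SERVER that connects on behalf of end user JSMITH, a table HR.EMPLOYEES and a role HR_APP_ROLE; all of these names, and the 10.1.5.x application-tier subnet, are assumptions. The role grants nothing until the package enables it, and the package enables it only for sessions that arrived through the proxy account, from the application tier, during business hours.

```sql
-- Added example, not from the deck. Assumed names: SEC_ADMIN, APP_SERVER, JSMITH, HR.EMPLOYEES, HR_APP_ROLE.

-- 1. Proxy authentication: APP_SERVER may open sessions as JSMITH, limited to activating HR_APP_ROLE.
ALTER USER jsmith GRANT CONNECT THROUGH app_server WITH ROLE hr_app_role;

-- 2. The secure application role. SET ROLE cannot enable it; only the named package can.
CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.hr_role_check;
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;
GRANT hr_app_role TO jsmith;
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT hr_app_role;   -- never enabled automatically at login

-- 3. The security code. It must be invoker's rights (AUTHID CURRENT_USER) so the role is set in the
--    caller's session. The checks read USERENV values the server itself populates, not client input.
CREATE OR REPLACE PACKAGE sec_admin.hr_role_check AUTHID CURRENT_USER AS
  PROCEDURE enable_hr_role;
END hr_role_check;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.hr_role_check AS
  PROCEDURE enable_hr_role IS
    v_proxy VARCHAR2(128) := SYS_CONTEXT('USERENV', 'PROXY_USER');   -- NULL on a direct connection
    v_ip    VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    v_hour  NUMBER        := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
  BEGIN
    -- Proxied by the app server, from the app-tier subnet (assumed 10.1.5.x), between 08:00 and 18:59.
    -- An ad-hoc tool connecting straight in as JSMITH fails every branch and keeps no HR privileges.
    IF v_proxy = 'APP_SERVER'
       AND v_ip LIKE '10.1.5.%'
       AND v_hour BETWEEN 8 AND 18 THEN
      DBMS_SESSION.SET_ROLE('hr_app_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001, 'HR_APP_ROLE not permitted from this connection');
    END IF;
  END enable_hr_role;
END hr_role_check;
/
GRANT EXECUTE ON sec_admin.hr_role_check TO jsmith;

-- 4. What the application runs right after opening the proxied session:
--    EXEC sec_admin.hr_role_check.enable_hr_role;
--    SELECT * FROM hr.employees;   -- succeeds only once the role is enabled
```

The decision to enable the role is made inside the database from values the client cannot forge (PROXY_USER and IP_ADDRESS are filled in by the server), which is the "secure handshake" the slide refers to: the application asks, the database decides.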
Demonstration: Secure Application Role
Oracle Database 10g Virtual Private Database
• Column Relevant Policies
  - Policy enforced only if specific columns are referenced
  - Increases row level security granularity

  SELECT store_id, revenue ... (enforce)
  Store ID   Revenue    Department    Result
  AX703      10200.34   Finance
  B789C      18020.34   Engineering
  JFS845     12341.34   Legal
  SF78SD     13243.34   HR            OK
Oracle Database 10g Virtual Private Database
• Column Filtering
  - Optional VPD configuration to return all rows but filter out column values in rows which don't meet criteria

  SELECT revenue ... (enforce)
  Store ID   Revenue    Department    Result
  AX703      10200.34   Finance       OK
  B789C      18020.34   Engineering   OK
  JFS845     12341.34   Legal         OK
  SF78SD     13243.34   HR            OK
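Both VPD variants from the two slides above, column-relevant enforcement and column filtering, as an added example that is not from the deck. It assumes a table SALES.STORES shaped like the slide, a policy function SEC_ADMIN.STORE_DEPT_POLICY, and a constructed mapping table SEC_ADMIN.USER_DEPT from database user to department; the sample rows are constructed to match the slide and HR_CLERK is an assumed user mapped to HR.

```sql
-- Added example, not from the deck. Assumed names: SALES.STORES, SEC_ADMIN.USER_DEPT, SEC_ADMIN.STORE_DEPT_POLICY, user HR_CLERK.
CREATE TABLE sales.stores (
  store_id   VARCHAR2(10) PRIMARY KEY,
  revenue    NUMBER(12,2),
  department VARCHAR2(30));

-- Sample rows constructed to match the slide
INSERT INTO sales.stores VALUES ('AX703',  10200.34, 'Finance');
INSERT INTO sales.stores VALUES ('B789C',  18020.34, 'Engineering');
INSERT INTO sales.stores VALUES ('JFS845', 12341.34, 'Legal');
INSERT INTO sales.stores VALUES ('SF78SD', 13243.34, 'HR');

-- Constructed user-to-department mapping, owned by the security administrator, not by the application
CREATE TABLE sec_admin.user_dept (username VARCHAR2(30) PRIMARY KEY, department VARCHAR2(30));
INSERT INTO sec_admin.user_dept VALUES ('HR_CLERK', 'HR');
COMMIT;

-- The policy function returns a WHERE predicate that the database appends to the caller's statement.
-- SESSION_USER is set by the server at logon; the client cannot choose it.
CREATE OR REPLACE FUNCTION sec_admin.store_dept_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'department = (SELECT d.department FROM sec_admin.user_dept d '
      || 'WHERE d.username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END store_dept_policy;
/

-- Column-relevant policy: the predicate is applied only when REVENUE is referenced.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'SALES',
    object_name       => 'STORES',
    policy_name       => 'STORES_REVENUE_ROWS',
    function_schema   => 'SEC_ADMIN',
    policy_function   => 'STORE_DEPT_POLICY',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'REVENUE');
END;
/
-- As HR_CLERK:
--   SELECT store_id, department FROM sales.stores;   -- 4 rows: REVENUE not referenced, policy not enforced
--   SELECT store_id, revenue    FROM sales.stores;   -- 1 row (SF78SD): predicate appended

-- Column filtering: same predicate, but every row comes back and REVENUE is NULL where the row fails it.
BEGIN
  DBMS_RLS.DROP_POLICY('SALES', 'STORES', 'STORES_REVENUE_ROWS');
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'SALES',
    object_name           => 'STORES',
    policy_name           => 'STORES_REVENUE_MASK',
    function_schema       => 'SEC_ADMIN',
    policy_function       => 'STORE_DEPT_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'REVENUE',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- As HR_CLERK:
--   SELECT store_id, revenue FROM sales.stores;     -- 4 rows; REVENUE is NULL for all but SF78SD
```

Keeping the mapping table and the policy function in a schema the application cannot write to matters as much as the predicate itself: a user who can edit USER_DEPT, or replace STORE_DEPT_POLICY, chooses their own filter.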
Demonstration: Virtual Private Database
Object Access Control
(Diagram: Org A and Org B each issue SELECT against the same DATA TABLE)
Oracle 9i/10g Label Security
• Out-of-the-box, customizable row level security
• Design based on stringent commercial and government requirements for row level security

  Project   Location   Department          Sensitivity Label
  AX703     Chicago    Corporate Affairs   Public
  B789C     Dallas     Engineering         Sensitive
  JFS845    Chicago    Legal               Highly Sensitive
  SF78SD    Miami      Human Resource      Confidential : Europe
Components of Label Security
Label components are the encoding within data labels and user labels that determine access.
• Levels: sensitivity level (e.g., "Top Secret", "Unclassified")
• Compartments ('X', 'Y', 'Z'): user must possess all
• Groups for "need to know": hierarchical, supports organization infrastructure
Oracle Label Security
(Diagram: Oracle 9i with OLS; a user authorized "Confidential : Partners" queries the application table)

  Project   Location   Department    Sensitivity Label         Result
  AX703     Boston     Finance       Public                    OK
  B789C     Denver     Engineering   Confidential : Partners   OK
  JFS845    Boston     Legal         Company Confidential
  SF78SD    Miami      HR            Company Confidential
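The three label components from the slides above (levels, compartments, groups) wired into a policy, as an added example that is not from the deck. It assumes a policy PROJ_POL applied to a table HR.PROJECTS with label column PROJ_LABEL, a user PARTNER_MGR, and that the statements run as a label administrator with the LBACSYS packages; level, compartment and group names are constructed. The user is authorized up to "Sensitive" with the PARTNERS compartment and no groups, so of the four rows inserted they read exactly the two the slide marks OK.

```sql
-- Added example, not from the deck. Assumed names: PROJ_POL, HR.PROJECTS, PROJ_LABEL, PARTNER_MGR.
CREATE TABLE hr.projects (
  project    VARCHAR2(10) PRIMARY KEY,
  location   VARCHAR2(30),
  department VARCHAR2(30));

BEGIN
  -- Policy with read control; HIDE keeps the label column out of SELECT *
  SA_SYSDBA.CREATE_POLICY(policy_name => 'PROJ_POL', column_name => 'PROJ_LABEL',
                          default_options => 'READ_CONTROL,HIDE');
  -- Levels are ordered: a user cleared to S reads P and S rows, never HS
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 1000, 'P',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 2000, 'S',  'SENSITIVE');
  SA_COMPONENTS.CREATE_LEVEL('PROJ_POL', 3000, 'HS', 'HIGHLY_SENSITIVE');
  -- Compartments: the user must hold every compartment present on the row
  SA_COMPONENTS.CREATE_COMPARTMENT('PROJ_POL', 10, 'PTR', 'PARTNERS');
  -- Groups ("need to know"): the user must hold at least one of the row's groups, or a parent of it
  SA_COMPONENTS.CREATE_GROUP('PROJ_POL', 100, 'EU', 'EUROPE');
  -- Data labels: LEVEL:COMPARTMENTS:GROUPS
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 10, 'P');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 20, 'S:PTR');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 30, 'HS');
  SA_LABEL_ADMIN.CREATE_LABEL('PROJ_POL', 40, 'S::EU');
  -- Attach the policy; this adds the hidden PROJ_LABEL column to the table
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('PROJ_POL', 'HR', 'PROJECTS');
  -- The table owner gets FULL privilege on the policy so it can load rows at any label
  SA_USER_ADMIN.SET_USER_PRIVS('PROJ_POL', 'HR', 'FULL');
  -- User authorization: up to Sensitive, Partners compartment, no groups
  SA_USER_ADMIN.SET_USER_LABELS(policy_name => 'PROJ_POL', user_name => 'PARTNER_MGR',
                                max_read_label => 'S:PTR');
END;
/

-- Loaded as HR (constructed rows, following the slide)
INSERT INTO hr.projects (project, location, department, proj_label)
  VALUES ('AX703',  'Boston', 'Finance',     CHAR_TO_LABEL('PROJ_POL', 'P'));
INSERT INTO hr.projects (project, location, department, proj_label)
  VALUES ('B789C',  'Denver', 'Engineering', CHAR_TO_LABEL('PROJ_POL', 'S:PTR'));
INSERT INTO hr.projects (project, location, department, proj_label)
  VALUES ('JFS845', 'Boston', 'Legal',       CHAR_TO_LABEL('PROJ_POL', 'HS'));
INSERT INTO hr.projects (project, location, department, proj_label)
  VALUES ('SF78SD', 'Miami',  'HR',          CHAR_TO_LABEL('PROJ_POL', 'S::EU'));
COMMIT;

-- As PARTNER_MGR (granted SELECT on hr.projects):
--   SELECT project, LABEL_TO_CHAR(proj_label) FROM hr.projects;
--   returns AX703 (P) and B789C (S:PTR); JFS845 fails the level check, SF78SD fails the group check
```

The row filtering happens in the kernel on every statement, so the application code needs no knowledge of the labels; what the application must protect is the assignment of user labels, which is why the slide on User Security suggests keeping clearances in the directory.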
Demonstration: Oracle Label Security
Fine-grained Auditing
(Diagram: policy enforced in the database against the Employee table)
• Enforce audit policy in database: ... WHERE Salary > 500000, AUDIT COLUMN = Salary
• User queries: SELECT name, salary FROM emp WHERE ...
• Audit record shows: SELECT name, salary FROM emp WHERE name = 'KING'
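The policy on the slide above, plus the alert handler that tip 11 in the "Security Tips 101" slides asks for, as an added example that is not from the deck. It assumes a table HR.EMP with NAME and SALARY columns, a handler package SEC_ADMIN.FGA_ALERT, a constructed alert table SEC_ADMIN.FGA_ALERTS, and a caller with EXECUTE on DBMS_FGA.

```sql
-- Added example, not from the deck. Assumed names: HR.EMP, SEC_ADMIN.FGA_ALERT, SEC_ADMIN.FGA_ALERTS, policy EMP_HIGH_SAL.

-- Constructed table the security administrator watches; DBAs should have no access to it (tip 8)
CREATE TABLE sec_admin.fga_alerts (
  fired_at TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user  VARCHAR2(30),
  os_user  VARCHAR2(64),
  policy   VARCHAR2(30),
  sql_text VARCHAR2(4000));

-- Handler: the database calls it synchronously, with this fixed signature, when a statement trips the policy
CREATE OR REPLACE PACKAGE sec_admin.fga_alert AS
  PROCEDURE on_fire(object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2);
END fga_alert;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.fga_alert AS
  PROCEDURE on_fire(object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2) IS
    PRAGMA AUTONOMOUS_TRANSACTION;   -- the alert is kept even if the audited statement rolls back
  BEGIN
    INSERT INTO sec_admin.fga_alerts (db_user, os_user, policy, sql_text)
    VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'),
            SYS_CONTEXT('USERENV', 'OS_USER'),
            policy_name,
            SYS_CONTEXT('USERENV', 'CURRENT_SQL'));
    COMMIT;
  END on_fire;
END fga_alert;
/

-- The policy from the slide: fires only when SALARY is read or changed on a row with SALARY > 500000
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_HIGH_SAL',
    audit_condition => 'SALARY > 500000',
    audit_column    => 'SALARY',
    handler_schema  => 'SEC_ADMIN',
    handler_module  => 'FGA_ALERT.ON_FIRE',
    enable          => TRUE,
    statement_types => 'SELECT,UPDATE');
END;
/

-- A statement such as the slide's is recorded with its full text and bind-free SQL:
--   SELECT name, salary FROM hr.emp WHERE name = 'KING';
-- Review, as the security administrator rather than the DBA:
--   SELECT timestamp, db_user, sql_text FROM dba_fga_audit_trail WHERE policy_name = 'EMP_HIGH_SAL';
--   SELECT fired_at, db_user, os_user, sql_text FROM sec_admin.fga_alerts;
```

Because the condition is evaluated per row and per column, a SELECT of names only, or of salaries that are all below the threshold, generates no record; the audit trail stays small enough to be read.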
The Expert View
"...Companies that properly maintain the security of their systems will eliminate 90 percent of all potential exploits. Companies that fail to take these precautions should prepare for breaches at an increasing rate."
- Giga Information
Stored Data Encryption
DBMS_OBFUSCATION (9i), DBMS_CRYPTO (10g)
(Diagram: Oracle 9i Database table with the Credit Card column stored encrypted)

  First    Last        Store Id   Credit Card
  Diana    Roberts     100        !3Asjfk234
  Paul     Nelson      200        #k230d23*
  Julia    Patterson   100        J@a.K.2ejfk
  Steven   Drake       300        #dkal3j49I3!
Supported Encryption Standards
• AES (128, 192 and 256-bit key)
• RC4 (40, 56, 128, 256-bit key)
• 3DES (2-key and 3-key)
• MD5
• SHA-1
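An added example (not from the deck) of the DBMS_CRYPTO approach named two slides up, using AES-256 from the list above rather than RC4 or MD5, which are no longer recommended for new designs. It assumes a table SALES.CUSTOMERS with a RAW column CC_ENC, a key-holding package SEC_ADMIN.CC_KEYS and a wrapper package SEC_ADMIN.CC_CRYPTO; the 32-byte key and the card number are constructed placeholders. The point is the layout: AES-256 in CBC mode with PKCS#5 padding, a fresh random IV stored in front of every ciphertext so equal card numbers do not produce equal ciphertexts, and the key held in a separate schema rather than next to the data.

```sql
-- Added example, not from the deck. Assumed names: SALES.CUSTOMERS, SEC_ADMIN.CC_KEYS, SEC_ADMIN.CC_CRYPTO.
CREATE TABLE sales.customers (
  first_name VARCHAR2(30),
  last_name  VARCHAR2(30),
  store_id   NUMBER,
  cc_enc     RAW(64));   -- 16-byte IV followed by the ciphertext (32 bytes for a 16-digit number)

-- Key material lives in code owned by the security schema, never in the table with the data.
-- The value below is a constructed placeholder; a real key is generated with DBMS_CRYPTO.RANDOMBYTES(32)
-- and kept outside the database (wallet or HSM), loaded here only at runtime.
CREATE OR REPLACE PACKAGE sec_admin.cc_keys AS
  FUNCTION key RETURN RAW;
END cc_keys;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.cc_keys AS
  FUNCTION key RETURN RAW IS
  BEGIN
    RETURN HEXTORAW('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F');  -- placeholder
  END key;
END cc_keys;
/

CREATE OR REPLACE PACKAGE sec_admin.cc_crypto AS
  FUNCTION encrypt_pan(p_pan IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_pan(p_blob IN RAW) RETURN VARCHAR2;
END cc_crypto;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.cc_crypto AS
  c_mode CONSTANT PLS_INTEGER :=
    DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;

  FUNCTION encrypt_pan(p_pan IN VARCHAR2) RETURN RAW IS
    v_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);   -- new IV per value
  BEGIN
    RETURN UTL_RAW.CONCAT(
             v_iv,
             DBMS_CRYPTO.ENCRYPT(src => UTL_I18N.STRING_TO_RAW(p_pan, 'AL32UTF8'),
                                 typ => c_mode,
                                 key => sec_admin.cc_keys.key,
                                 iv  => v_iv));
  END encrypt_pan;

  FUNCTION decrypt_pan(p_blob IN RAW) RETURN VARCHAR2 IS
    v_iv RAW(16) := UTL_RAW.SUBSTR(p_blob, 1, 16);   -- IV is the first 16 bytes
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => UTL_RAW.SUBSTR(p_blob, 17),
                                 typ => c_mode,
                                 key => sec_admin.cc_keys.key,
                                 iv  => v_iv),
             'AL32UTF8');
  END decrypt_pan;
END cc_crypto;
/

-- Constructed row; the card number is a placeholder, not real data
INSERT INTO sales.customers
  VALUES ('Diana', 'Roberts', 100, sec_admin.cc_crypto.encrypt_pan('4111111111111111'));
COMMIT;

-- Only callers granted EXECUTE on SEC_ADMIN.CC_CRYPTO can recover the number; everyone else sees RAW bytes:
--   SELECT first_name, sec_admin.cc_crypto.decrypt_pan(cc_enc) FROM sales.customers;
```

Granting EXECUTE on CC_CRYPTO, and nothing on CC_KEYS, is what separates who can read card numbers from who can read the table; auditing that EXECUTE grant (or the function calls with fine-grained auditing) closes the loop.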
Demonstration: Data Encryption
Advanced Security Option
• Encryption for data in motion
  - RSA RC4 Public Key Encryption, 40, 56 and 128 bit key lengths
  - Support for Data Encryption Standard (DES) algorithm
  - Support for Message Digest 5 (MD5) checksumming algorithm
Advanced Security Option
• Authentication device support
  - RADIUS device
  - Token cards (SecurID for example)
  - Biometric devices
• Secure Socket Layer
  - With X.509 v3 certificate support
• Support for Open Software Foundation's Distributed Computing Environment (DCE)
Threats to Networks and Internet
1. Data Theft: eavesdroppers can see all data
2. Data Modification or Replay: $500 becomes $50,000
3. Data Disruption: packets can be stolen, data never arrives
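The Advanced Security Option slides above describe encryption and checksumming of data in motion; as an added example that is not from the deck, here is how a database-side check can confirm that a given session actually negotiated both. The server side is configured in sqlnet.ora with SQLNET.ENCRYPTION_SERVER = REQUIRED, SQLNET.ENCRYPTION_TYPES_SERVER = (AES256), SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED and SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1). The function assumes a schema SEC_ADMIN with a direct grant on V_$SESSION_CONNECT_INFO, and assumes the banner wording "encryption service adapter" and "crypto-checksumming service adapter" that the view reports for the adapters in use.

```sql
-- Added example, not from the deck. Assumed: schema SEC_ADMIN with
--   GRANT SELECT ON sys.v_$session_connect_info TO sec_admin;
-- and the assumed NETWORK_SERVICE_BANNER wording matched below.
--
-- Matching sqlnet.ora on the server (data-in-motion protection is REQUIRED, not merely ACCEPTED):
--   SQLNET.ENCRYPTION_SERVER = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
CREATE OR REPLACE FUNCTION sec_admin.session_link_protection RETURN VARCHAR2 AS
  v_enc NUMBER;
  v_chk NUMBER;
BEGIN
  -- One banner row per negotiated service for the current session
  SELECT COUNT(CASE WHEN LOWER(network_service_banner) LIKE '%encryption service adapter%' THEN 1 END),
         COUNT(CASE WHEN LOWER(network_service_banner) LIKE '%crypto-checksumming service adapter%' THEN 1 END)
    INTO v_enc, v_chk
    FROM v$session_connect_info
   WHERE sid = SYS_CONTEXT('USERENV', 'SID');

  RETURN CASE
           WHEN v_enc > 0 AND v_chk > 0 THEN 'ENCRYPTED+INTEGRITY'   -- theft, modification and replay covered
           WHEN v_enc > 0               THEN 'ENCRYPTED_ONLY'        -- confidentiality but no tamper detection
           ELSE                              'CLEARTEXT'
         END;
END session_link_protection;
/
-- From any session: SELECT sec_admin.session_link_protection() FROM dual;
```

With both server parameters set to REQUIRED a client that cannot negotiate the algorithms is refused at connect time, so the function is a verification aid for operators and for a logon audit, not the enforcement point itself.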
Demonstration: Network Encryption
Oblix Brief Overview and Roadmap
Oblix: Pure-Play Product Leader
(Gartner Magic Quadrant graphic, "Ability To Execute" axis)
• Gartner: "Leader" in Access Management
• Loosely Coupled: "Leader" in Web Services Management
Source: Gartner Research (June 2004)
Oblix
• COREid Access
  - Web Single Sign-On
  - Flexible authentication methods
  - Policy-based authorization
• COREid Identity
  - Self service and self registration
  - Unified workflow
  - Identity web services controls
  - Password management
  - Delegated administration
  - User, group, and organization management
  - Access control managed per attribute
• COREid Provisioning
  - Template-based workflow
  - Agent and agentless account provisioning
  - Metadirectory synchronization
  - Password synchronization
  - Cross-platform connectivity
• COREid Integration
  - Pre-built connectors to leading application servers, web servers, portal servers, and directory servers
  - "Data Anywhere" configuration
• COREid Reporting
  - Centralized auditing
  - Pre-built identity and security reports
  - Global view of user access: who has access to which applications
  - Robust logging framework: audit events across the entire enterprise
• Benefits
  - Integrated solution: define and enforce security, administrative, and access control policies consistently across enterprise applications
  - Increased security
  - Increased compliance: meet Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley compliance
  - Increased governance: centralized policy definition with localized enforcement
Oracle / Oblix IdM Integration Roadmap
(Three-column diagram: Current Portfolios, Immediate Availability, Integrated Portfolio)
• Current portfolios
  - Oracle 10g / 10.1.3: OracleAS SSO, Delegated Admin Service, Certificate Authority, Provisioning Integration (DIP), Meta Directory (DIP), Directory (OID), Virtual Directory (OID), Identity Grid Control, WS Management (OracleAS option), Oracle Identity Mgmt
  - Oblix: SHAREid (federation), COREid Access, COREid Identity, COREid Provisioning, COREsv Web Services Management
• Immediate availability (Oracle-Oblix IdM): Federation (Liberty / SAML 2.0) via COREid Federation, COREid Identity & Access Control, COREid Provisioning, Auditing & Reporting, OracleAS SSO, Web Authorization, provisioning connectors, Provisioning Integration (DIP), Delegated Admin Service, Certificate Authority, Meta-Directory, Virtual Directory (OID), Identity Grid Control, WS Management (COREsv)
• Integrated portfolio: Identity Federation, SSO, Web Authorization, Identity Provisioning, Delegated Admin Service, Cert. Authority / PKI (OCA), Meta Directory, Virtual Directory, Oracle Identity Mgmt Directory (OID), ID Grid Control, WS Management Gateway
IdM: What does Oracle offer today?
(Matrix slide; each capability is marked as Oracle full functionality, Oracle limited functionality, partner offering, or planned functionality)
• Capabilities: SSO, Identity & Access Mgmt, Delegated Admin, Identity Integration, Web Authorizations, Role Based Access Ctrl, Enterprise Provisioning, Policy Based Access Ctrl, Automation, Security Monitoring & Audit Services, PKI, Non-web & 3rd party SSO, Certificate Services, Identity Federation, Virtual Directory, Privacy & Compliance Management, Password Management, Meta-Directory
Current offering with Oblix today
(Same matrix as the earlier "What does Oracle offer today?" slide, updated for the Oblix products; each capability is marked as Oracle full functionality, Oracle limited functionality, partner offering, or planned functionality)
• Capabilities: SSO, Identity & Access Mgmt, Delegated Admin, Identity Integration, Web Authorizations, Role Based Access Ctrl, Enterprise Provisioning, Policy Based Access Ctrl, Automation, Security Monitoring & Audit Services, PKI, Non-web & 3rd party SSO, Certificate Services, Identity Federation, Virtual Directory, Privacy & Compliance Management, Password Management, Meta-Directory
Thursday, August 11, 2005, 8:00 am to 11:00 am (Breakfast & Registration at 8:00 am)
Oracle Office - Cincinnati, 312 Elm Street, Suite 1525, Cincinnati, OH 45202
• Oracle COREid Access & Identity
• Oracle COREid Federation
• Oracle COREid Provisioning
• Oracle Single Sign On / Oracle Internet Directory
• Oracle Application Server, Enterprise Edition
• Oracle Web Services Manager
http://www.oracle.com/webapps/events/EventsDetail.jsp?p_eventId=42000&src=3830746&Act=41
Q & A
Additional Slides
Security Tips 101
• "Oracle Security Step-by-step"
  - By Pete Finnigan
  - SANS Press
Security Tips 101
• Keep up with security patches!
  - Security alerts from the Oracle Technology Network site
  - Security Issues website
Security Tips 101
• Check your file system privileges
• If on Windows, use NTFS, not FAT or FAT32
• Prevent seeing passwords with the UNIX "ps" command
  - Note 136480.1 or 1009091.6
• Check privileges on export files in the OS
Security Tips 101
• If a full export is done to populate a test database, immediately change all passwords
• No database user except SYS must have:
  - ALTER SYSTEM
  - ALTER SESSION
Security Tips 101
• Change default passwords:
  - List of default users and passwords
  - Where to get this list
• SYS should not be "CHANGE_ON_INSTALL" !!!!
• SYSTEM should not be "MANAGER" !!!!
Security Tips 101
• Check scripts in the file system that have embedded passwords!
• Make sure REMOTE_OS_AUTHENT = FALSE
  - (TRUE allows login without a password, trusting the client's OS user name)
• REMOTE_OS_ROLES = FALSE also
• Check for all users with the DBA role
• Check for users or roles with an "ANY" privilege
  - UPDATE ANY TABLE
  - DROP ANY TABLE
Security Tips 101
• Revoke the RESOURCE role from normal users
• No users or roles should have access to:
  - DBA_USERS
  - SYS.LINK$
  - SYS.USER_HISTORY$
• These have clear text passwords!
Security Tips 101
• Make sure your listener has a password
• Use "Current User" database links if possible
  - "CONNECT TO CURRENT USER"
• Check database links from Test, Dev and QA instances. Remove any that are not absolutely necessary
• Avoid plain text passwords in batch files. Use an encryption utility
• Avoid external accounts for batch processes
Security Tips 101
• Use the Oracle Security Checklists:
  - 9iR2 Security Checklist
  - 9iAS Security Checklist
• Or third party utilities to check your security
• Oracle Enterprise Manager 10g includes security checking
Security Tips 101
1. Only two highly trusted DBAs have SYS privileges
2. All other DBAs log in using unique user IDs, and those IDs are granted ONLY the privileges needed to do their job.
3. Partition responsibilities as much as possible between the DBAs
4. Security administration, not DBAs, has the ability to grant or change access privileges
5. Employ strong password policies
6. Audit ALL activities the DBAs do
7. Audit ALL activities the two trusted DBAs do, both in their regular login and when connected as SYS (9iR2 and higher)
Security Tips 101
8. Audit logs are locked out of the DBAs' reach and monitored and reviewed by security administration, possibly stored on a separate system
9. Replicate the logs to help identify if a log has been tampered with
10. Audit ALL DML on the audit logs
11. Set up fine grained auditing alerts on key information when there is attempted access by unauthorized persons. These alerts are sent to the security administrator.
12. If offshore DBA services are employed, track everything they do very closely and restrict what they can see or do.
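The "Security Tips 101" slides above list checks to run against a database but not the queries; as an added example that is not from the deck, the following script pulls each item from the data dictionary, then applies the audit settings from tips 6, 7 and 10. It assumes a DBA session on a 9i/10g database where DBA_USERS still exposes the password hash; DBA_ALICE is an assumed DBA account name, and the two hashes are the well-known pre-11g values for SYS/CHANGE_ON_INSTALL and SYSTEM/MANAGER named on the default-password slide. Every row returned is a finding to review.

```sql
-- Added example, not from the deck. Assumes a 9i/10g DBA session; DBA_ALICE is an assumed account name.

-- Parameters that must be FALSE (REMOTE_OS_AUTHENT trusts the client-supplied OS user name)
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'remote_os_roles')
   AND UPPER(value) <> 'FALSE';

-- Default passwords still in place (well-known pre-11g hashes for the two accounts the slide names)
SELECT username
  FROM dba_users
 WHERE (username = 'SYS'    AND password = 'D4C5016086B2DC6A')
    OR (username = 'SYSTEM' AND password = 'D4DF7931AB130E37');

-- Holders of the DBA role, and of any "ANY" system privilege outside the core accounts
SELECT grantee, granted_role AS privilege
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
UNION ALL
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE '% ANY %'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA');

-- ALTER SYSTEM / ALTER SESSION held by anyone other than SYS (directly or through a role)
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('ALTER SYSTEM', 'ALTER SESSION')
   AND grantee <> 'SYS';

-- RESOURCE granted to ordinary users (it brings UNLIMITED TABLESPACE with it)
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'RESOURCE'
   AND grantee NOT IN ('SYS', 'SYSTEM');

-- Direct grants on the dictionary objects the slides say expose password material
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('DBA_USERS', 'LINK$', 'USER_HISTORY$');

-- Database links with stored credentials; CURRENT USER links have a NULL username
SELECT owner, db_link, username, host
  FROM dba_db_links
 WHERE username IS NOT NULL;

-- Audit settings (tips 6, 7, 10): every action by a named DBA, SYS actions to the OS trail, DML on the audit trail
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;   -- 9iR2 and higher; takes effect after restart
AUDIT ALL BY dba_alice BY ACCESS;                                -- assumed DBA account
AUDIT INSERT, UPDATE, DELETE ON sys.aud$ BY ACCESS;
```

Run the SELECTs on a schedule and diff the output; a DBA grant or a new fixed-credential link that appears between two runs is the event tips 8 and 9 want the security administrator, not the DBA, to see first.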