CON8819: Context and Risk Aware Access Control – Any Device Any Where

Svetlana Kolomeyskaya, Group Product Manager, Oracle
Ashish Kolli, Software Development Senior Director, Oracle
- Securing access to systems from mobile phones and tablets
- Securing access and managing risk/compliance across enterprise and cloud applications
- Identifying web site visitors via consumer social identities
- Proliferation of APIs
- Shunning the current complex customizations
- Seeking to accelerate deployment and simplify maintenance
- Avoiding multi-vendor gaps, performance issues, integration challenges, upgrade cycle timing
- Reducing high TCO
- Balances security vs. user experience
- Adjust authentication level based on application security requirements
- Adapt security based on context
- Pass identity context through the entire stack
- End-to-end security including desktop, mobile, cloud and web services
- Requires an intelligent access platform that understands context and risk
- Identity context, device context, resource context, transaction context, etc.
- Weighted risk based on real-time context
- Take actions based on context and risk

Complete
- Identify, authenticate, federate and authorize
- Real-time authorization and data redaction based on contextual authentication techniques to reduce fraud
- Multi-user type, multi-platform, multi-channel and multi-device security
- Secure & manage APIs
- Lower TCO due to a common policy store for all access events
- Support Oracle, 3rd party and custom applications

Simplified
- Converged services: Authentication and SSO (OAM), Federated SSO (OIF), Mobile & Social, Security Token Service
- Common infrastructure: Session management, Identity Context, Policy Store, Lifecycle Management, Install & Configuration

Innovative
- Mobile Security
- Social Identity
- REST Services
- End-to-end Identity Context
- Username and Password
- Social Logon
- Step-up Auth and OTP, can be applied:
  - first time with this device (device registration)
  - sensitive application
  - high risk score
  - user with high level of access to application
Selective Data Redaction

We work with a large number of customers in Financial Services, Healthcare, Public Sector / Government Agencies, Telecom, Insurance, etc. that are looking at exposing information and corporate systems for access from / by mobile devices, business partners, customers, and/or the cloud. Many of these organizations internally expose web services and/or have corporate systems for accessing information about customers, patients, or citizens, among other things. These web services and systems were probably built a long time ago, and often return any and all information about the customer or patient, including sensitive information such as social security numbers, credit card numbers, or medical and health records, to the requester. With the combination of Oracle Entitlements Server and Oracle Enterprise Gateway we can, as discussed, expose REST-based APIs (or other types of web services) to our clients, and define XACML-based authorization policies that determine what information should actually be allowed to leave the network or needs to be redacted. For example: we can control what information Bob (some user) can access about a given customer or patient (Bart Simpson above) from a given client device, location, or network based on Bob’s relationship with the customer/patient (account manager, doctor, something else, or none) and have any other information be automatically redacted.

In the example here we’ve determined that the current user should not be allowed to see Bart’s social security number or date of birth, whereas perhaps if Bob were to query a different customer/patient record he would be able to see all the information (perhaps because of his relationship with the customer, or because we’ve determined that it is safe to do so as he is accessing the system through a secure network, or the risk score is within acceptable limits).

Business Transactions

As in the data redaction example, we can also control what business transactions a given set of users are allowed to perform under various conditions. This is not only whether the user is authorized to make salary changes in general, as in the example above, but for what set of employees, the actual dollar amount being changed, and other factors. Another example could be whether you’re allowed to submit orders over a certain amount based on Identity and Device Context. The really cool part about this is that in both these examples we can impose rules and authorization policies on what data can be accessed and whether a given business transaction can be submitted without any coding or code changes to the backend systems. This is because OEG, OES, and our Mobile Access integrations sit in front of the backend systems, so we can inspect and control what messages and message content are allowed to go in either direction (request or response). An additional benefit is that we also get full insight, as our components provide full audit trails, and we can even monitor the transactions and information flow in real time (or at a time interval) with alerts and notifications if we see anomalies in access patterns and suspicious behavior. Our solution is fully standards based and supports XACML, Role Based Access Control (RBAC), REST, SOAP, JSON, XML, JWT, etc.
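The two gateway-side controls described above (field-level redaction of a backend response by relationship and context, and authorization of a business transaction by role, scope, amount and device context) as an added Python illustration. This is not OES/OEG code and does not use XACML; the record, the policies, the thresholds and the hypothetical users Bob, Lisa and Homer are all constructed for the example.

```python
"""Gateway-side response redaction and transaction authorization (added example).

The backend returns the full record unchanged; the policy, evaluated in front
of the backend, decides per field what may leave the network and whether a
requested business transaction may be forwarded. All data below is constructed.
"""
from copy import deepcopy

REDACTED = "***REDACTED***"

# Constructed patient/customer record, exactly as a legacy backend would return it.
BART = {
    "name": "Bart Simpson",
    "ssn": "000-00-0000",            # constructed placeholder value
    "dob": "1980-01-01",
    "diagnosis": "sample diagnosis",
    "relationships": {"account_manager": "bob", "doctor": "lisa"},
}

# Per-relationship field visibility (constructed policy; OES would express this in XACML).
FIELD_POLICY = {
    "account_manager": {"name", "ssn", "dob"},
    "doctor": {"name", "dob", "diagnosis"},
    "none": {"name"},
}
SENSITIVE_FIELDS = {"ssn", "dob"}
MAX_RISK_FOR_SENSITIVE = 40      # constructed threshold


def relationship(subject, record):
    """Derive the requester's relationship with the record subject."""
    for role, who in record["relationships"].items():
        if who == subject:
            return role
    return "none"


def redact(record, subject, context):
    """Return the response the gateway lets leave the network for this subject and context."""
    allowed = set(FIELD_POLICY[relationship(subject, record)])
    # Sensitive identifiers additionally require a trusted network and acceptable risk.
    if not context["network_trusted"] or context["risk_score"] > MAX_RISK_FOR_SENSITIVE:
        allowed -= SENSITIVE_FIELDS
    response = deepcopy(record)
    del response["relationships"]        # internal metadata never leaves the network
    for name in response:
        if name not in allowed:
            response[name] = REDACTED
    return response


# Constructed transaction policy: required role and amount limit by device context.
TRANSACTION_POLICY = {
    "salary_change": {"roles": {"hr_manager"}, "limit_registered": 50_000, "limit_unregistered": 0},
    "submit_order":  {"roles": {"buyer"},      "limit_registered": 10_000, "limit_unregistered": 1_000},
}


def authorize_transaction(tx, subject, context):
    """Decide whether a business transaction may be forwarded to the backend."""
    policy = TRANSACTION_POLICY.get(tx["type"])
    if policy is None or not (set(subject["roles"]) & policy["roles"]):
        return (False, "subject not authorized for this transaction type")
    # Scope: salary changes only for employees in the subject's own organization.
    if tx["type"] == "salary_change" and tx["employee_org"] != subject["org"]:
        return (False, "employee outside subject's organization")
    limit = policy["limit_registered"] if context["device_registered"] else policy["limit_unregistered"]
    if tx["amount"] > limit:
        return (False, f"amount {tx['amount']} exceeds limit {limit} for this device context")
    return (True, "permitted")


if __name__ == "__main__":
    # Bob is Bart's account manager, but the risk score is too high for SSN/DOB.
    print(redact(BART, "bob", {"network_trusted": True, "risk_score": 60}))
    print(authorize_transaction({"type": "salary_change", "amount": 20_000, "employee_org": "sales"},
                                {"roles": ["hr_manager"], "org": "sales"},
                                {"device_registered": False}))
```

Both decisions are taken on the message in flight, so the backend needs no change; logging the `(decision, reason)` tuple and the redacted field names from each call is what gives the audit trail and anomaly monitoring the notes mention.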
- Turns social integration into an administrator action
- Provides out-of-the-box support for leading social providers
- Provides increased levels of assurance as the user progresses to more secure services
- Simplifies registration and single sign-on from multiple providers
- Mobile or web based
- Can plug in to existing OAM deployments

Will you let a customer use a Facebook identity for online banking transactions? Buying products from your online stores? Accessing company intellectual property (IP)? Higher risk transactions demand a higher level of trust and security.
OAAM evaluates the full context of an access request to determine the level of risk. There are three complementary types of evaluation OAAM performs, depending on the specific situation at hand:
- Static – Known indicators of risk can easily be defined as rules.
- Patterns – User behavioral profiling is very valuable for detecting insider fraud/abuse and stolen/compromised credentials.
- Predictive – Detecting fraud that has not been seen before is best accomplished with statistical models used to make predictions.
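An added Python sketch of how the static and pattern evaluations above feed a weighted risk score, and how that score combines with the step-up conditions listed earlier (first time with this device, sensitive application, high risk score, highly privileged user) to pick the authentication level. This is not OAAM or OAM code; the rule weights, the threshold, the sensitive-application list, the placeholder country code and the user profile for the hypothetical user Bob are all constructed. The predictive (statistical) evaluation is deliberately left out, since it needs a trained model rather than rules.

```python
"""Context- and risk-aware step-up decision (added example, not OAAM/OAM code).

Static rules carry fixed weights; pattern rules score deviations from the
user's own behavioural profile. The step-up rule then fires on any of the
four conditions from the authentication slide. All constants are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AccessContext:
    user: str
    device_id: str
    ip_country: str
    hour: int                 # local hour of day, 0-23
    application: str
    user_privilege: str       # "standard" or "admin"


@dataclass
class UserProfile:
    """Behavioural baseline built from the user's past sessions (constructed here)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)


SENSITIVE_APPS = {"payroll", "ehr"}      # constructed: apps that always require step-up
HIGH_RISK_COUNTRIES = {"XX"}             # constructed placeholder for a static rule
STEP_UP_THRESHOLD = 50                   # constructed risk score threshold


def static_rules(ctx):
    """Static evaluation: known risk indicators expressed as weighted rules."""
    findings = []
    if ctx.ip_country in HIGH_RISK_COUNTRIES:
        findings.append(("ip-in-high-risk-country", 60))
    if ctx.hour < 6 or ctx.hour > 22:
        findings.append(("off-hours-access", 15))
    return findings


def pattern_rules(ctx, profile):
    """Pattern evaluation: deviations from this user's own behavioural profile."""
    findings = []
    if profile.known_devices and ctx.device_id not in profile.known_devices:
        findings.append(("unknown-device", 30))
    if profile.usual_countries and ctx.ip_country not in profile.usual_countries:
        findings.append(("unusual-country", 25))
    if profile.usual_hours and ctx.hour not in profile.usual_hours:
        findings.append(("unusual-hour", 10))
    return findings


def risk_score(ctx, profile):
    """Weighted risk on a 0-100 scale from all static and pattern findings."""
    score = sum(w for _, w in static_rules(ctx) + pattern_rules(ctx, profile))
    return min(score, 100)


def authentication_level(ctx, profile):
    """Return ('password' | 'step-up-otp', reasons) per the slide's step-up conditions."""
    reasons = []
    if ctx.device_id not in profile.known_devices:
        reasons.append("first time with this device")
    if ctx.application in SENSITIVE_APPS:
        reasons.append("sensitive application")
    score = risk_score(ctx, profile)
    if score >= STEP_UP_THRESHOLD:
        reasons.append(f"high risk score ({score})")
    if ctx.user_privilege == "admin":
        reasons.append("user with high level of access")
    return ("step-up-otp" if reasons else "password", reasons)


# Constructed profile for the hypothetical user Bob: one device, US, office hours.
BOB = UserProfile(known_devices={"dev-1"}, usual_countries={"US"}, usual_hours=set(range(8, 19)))

if __name__ == "__main__":
    routine = AccessContext("bob", "dev-1", "US", 10, "crm", "standard")
    risky = AccessContext("bob", "dev-9", "XX", 3, "crm", "standard")
    print(authentication_level(routine, BOB))   # password, no reasons
    print(authentication_level(risky, BOB))     # step-up-otp, new device + high risk
```

The reasons list is worth keeping alongside the decision: it is what an investigator needs when reviewing why a session was challenged, and it is the signal to feed back into the behavioural profile once the step-up succeeds (for instance, registering the new device).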
1) Publisher – Collect and publish information to Identity Context
- OAM – Session data
- OAAM – Risk data
- OESSO – Device health data
- OIF – Federated Partner data
2) Evaluator – Evaluate security policies based on Identity Context data
- OAM – Web Perimeter Policy
- OES – App-specific Policy
3) Propagator – Automatically propagate Identity Context between Publisher and Evaluator
- OPSS – JEE Container
- OWSM – Web Services Manager

We have enhanced Oracle Access Manager to provide mobile social sign-on. Today within the enterprise we have a high degree of trust, but now it’s a bring-your-own-device culture. Each user has multiple devices and they are connecting them to the network. We are trying to re-establish that level of trust with mobile devices. If you look at a typical user’s phone, they have 20+ applications. As organizations deploy more apps to mobile devices, they can’t keep up with the support cost or the risk inherent in multiple passwords across applications. Mobile users and devices need access to information in the corporate network, often from legacy systems that have little or no security. How do you make this information accessible in a secure manner, and how do you control and monitor what sensitive data leaves your network? We are enabling single sign-on, RESTful sign-on, authorized access to data, and securing your REST APIs. We are helping to rebalance risk and trust. We also support Android and iOS. So basically the case is: organizations that want to connect with their external subscribers. To make it simple and avoid the work of managing all of the registrations, we can simply trust the social networking site for authentication and dynamically provision the user without the user having to re-register. And we have a customer who is looking at this as part of their deployment.
With Fusion Middleware, you can extend and maximize your existing technology investment with the same technologies used in Fusion Applications, including embedded analytics and social collaboration, and mobile and cloud computing. Oracle’s complete SOA platform lets your IT organization rapidly design, assemble, deploy, and manage adaptable business applications and—with Oracle’s business process management tools—even bring the task of modeling business processes directly to the business analysts. Oracle Business Intelligence foundation brings together all your enterprise data sources in a single, easy-to-use solution, delivering consistent insights whether it’s through ad hoc queries and analysis, interactive dashboards, scorecards, OLAP, or reporting. And, your existing enterprise applications can leverage the rich social networking capabilities and content sharing that users have come to expect in consumer software. Oracle Fusion Middleware is based on 100 percent open standards, so you aren’t locked into one deployment model when your business requirements change.