2. This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
3. Agenda
• Oracle Entitlements Server Overview
• Oracle Entitlements Server 11g – What’s New?
• Planning Your Deployment (SENA Systems)
4. Homegrown Applications Pose Significant Risk
• Vast majority of apps are homegrown
• 50% of application budgets go to in-house software *
• Homegrown apps often host sensitive information
• Homegrown apps are more vulnerable to security breaches
* For large companies in competitive, fast-moving industries such as telecommunications, financial services, high tech, pharmaceuticals, and media, those outlays can run into hundreds of millions of dollars.
5. State of Security Solutions Today
Homegrown Apps, SOA, and Portals
• Evolving security needs and compliance mandates require constant application retooling, resulting in higher costs and diminished service levels.
Cloud Applications
• Security policies are fragmented
• Often host sensitive information that is vulnerable to security risks.
Mobile Computing
• Modern IT initiatives require enforcement of granular access privileges
• Insufficient tooling and support for developing apps that require fine-grained authorization
6. Declarative Security
Examples (Users / Roles / Privileges / Resource / Context)

Amy Harris – Junior Traders
  Privileges: Equity Trades (by Geography, by Trade limit)
  Resource: Mortgage Equity Fund, Municipal Equity Fund
  Context:
  • NASDAQ trading 10am-4pm
  • Restrict Trade Sizes to < $100K
  • Daily trading limit of $5M

Ellen Stewart – Equity Analyst
  Privileges: Equity Research (by Vertical industry, by Line of Business)
  Resource: Oil & Gas, Semiconductors
  Context:
  • Unauthorized for trading
  • Authorized for Review of Energy Companies listed on NYSE
  • Authorized for access to research reports

Steve Jackson – Fund Manager
  Privileges: Equity Trades, Rebalance Funds
  Resource: Mortgage Equity Fund, Municipal Equity Fund
  Context:
  • Authorized for 24x7 Trading
  • Rebalancing of Small-Cap Funds
  • Daily Trading Limit of $1B
8. Oracle Entitlements Server
Sample Fine-grained Authorization Policies
• Example Policies
  • Junior Traders can submit n stock trades / day with a total value of $5M, during regular trading hours, if market volatility is low
  • Sensitive patient information should not be visible to clerical workers but is allowed for Specialists as long as consent has been given or there is an emergency
  • Call Center Reps need approval from a Supervisor to transfer a support case to Engineering
  • Documents of a given type, sensitivity, and content are only available to employees of (x,y,z) with sufficient clearance, grade, and authentication level
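The first policy on this slide combines a role, a per-day count, a cumulative dollar limit, a time window and a market-data attribute. The following added example (not Oracle's code, and not OES policy syntax) shows how such a rule evaluates as an attribute-based policy: subject, resource and environment attributes are passed in separately, each failed condition is recorded, the result is expressed in XACML's Permit / Deny / NotApplicable vocabulary, and a deny-overrides combiner denies by default when no policy applies. The slide gives no value for "n", so N_TRADES_PER_DAY, the 9:30–16:00 trading window, the role name JuniorTrader and all request values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import time

# Policy parameters. The slide says "n stock trades / day" without a value,
# so N_TRADES_PER_DAY is an assumed number; $5M is from the slide, and the
# 9:30-16:00 window is an assumption for "regular trading hours".
N_TRADES_PER_DAY = 20
DAILY_VALUE_LIMIT = 5_000_000
MARKET_OPEN, MARKET_CLOSE = time(9, 30), time(16, 0)


@dataclass
class Request:
    subject: dict      # who is asking (identity, roles)
    resource: dict     # what is asked for (the trade being submitted)
    environment: dict  # context: clock, market data, today's running totals


@dataclass
class Decision:
    effect: str                              # "Permit", "Deny" or "NotApplicable"
    reasons: list = field(default_factory=list)   # which conditions failed


def junior_trader_policy(req: Request) -> Decision:
    """Evaluate the slide's Junior Trader rule against one trade request."""
    if "JuniorTrader" not in req.subject.get("roles", ()):
        # The rule targets Junior Traders only; say nothing about anyone else.
        return Decision("NotApplicable", ["subject is not a Junior Trader"])
    env, trade = req.environment, req.resource
    reasons = []
    if env["trades_today"] + 1 > N_TRADES_PER_DAY:
        reasons.append("daily trade count exceeded")
    if env["value_today"] + trade["value"] > DAILY_VALUE_LIMIT:
        reasons.append("daily trade value would exceed $5M")
    if not MARKET_OPEN <= env["now"] <= MARKET_CLOSE:
        reasons.append("outside regular trading hours")
    if env["volatility"] != "low":
        reasons.append("market volatility is not low")
    return Decision("Deny" if reasons else "Permit", reasons)


def decide(req: Request, policies=(junior_trader_policy,)) -> Decision:
    """Deny-overrides combination: any Deny wins, a Permit needs at least one
    applicable policy, and a request nobody rules on is denied by default."""
    results = [p(req) for p in policies]
    if any(r.effect == "Deny" for r in results):
        return Decision("Deny", [x for r in results if r.effect == "Deny" for x in r.reasons])
    if any(r.effect == "Permit" for r in results):
        return Decision("Permit")
    return Decision("Deny", ["no applicable policy (default deny)"])


def sample_decisions() -> dict:
    """Constructed requests for the 'Amy Harris' user from the earlier slide."""
    amy = {"name": "Amy Harris", "roles": ["JuniorTrader"]}
    calm_morning = {"now": time(10, 30), "volatility": "low",
                    "trades_today": 3, "value_today": 1_200_000}
    return {
        "in_limits": decide(Request(amy, {"value": 90_000}, calm_morning)).effect,
        "too_large": decide(Request(amy, {"value": 4_000_000}, calm_morning)).effect,
        "after_hours": decide(Request(amy, {"value": 90_000},
                                      {**calm_morning, "now": time(18, 0)})).effect,
        "volatile": decide(Request(amy, {"value": 90_000},
                                   {**calm_morning, "volatility": "high"})).effect,
        "not_a_trader": decide(Request({"roles": ["Analyst"]}, {"value": 1}, calm_morning)).effect,
    }


if __name__ == "__main__":
    for name, effect in sample_decisions().items():
        print(f"{name:>12}: {effect}")
```

The point of carrying the running totals (`trades_today`, `value_today`) in the environment rather than inside the policy is that the policy stays declarative and stateless; the enforcement point supplies the current facts on every call, which is what lets the rule change without retooling the application.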
10. Oracle Entitlements Server 11g
Key Design Themes
• Real-time Authorization
• Rapid Application Integration
• Comprehensive Standards Support
11. Real-time Authorization
with Oracle Entitlements Server 11g
• Massively scalable External Authorization Management
  • Scales easily to a large number of protected resources
  • Hundreds of millions of users
  • Thousands of roles
  • From small workgroups to mission-critical deployments
• Authorization checks enforced with real-time latency
12. Oracle Entitlements Server 11g
Key Design Themes
• Real-time Authorization
• Rapid Application Integration
• Comprehensive Standards Support
13. Fine-grained Authorization for SOA & Web Services
[Diagram: a Web Client or REST/SOAP Service Client calls a Web Service over HTTP GET/POST, REST, XML, SOAP or JMS; the Web Service consults Oracle Entitlements Server before returning the response]

Request:
  isAuthorized(user = Bob Doe,
               userOrg = Acme Corp,
               userRole = Marketing Manager,
               customerId = 99999,
               action = getCustomerDetail)

Response:
  <SOAP:Envelope>
  …
    <SOAP:Body>
      <getCustomerDetailResponse>
        <customerID>99999</customerID>
        <name> Sally Smith </name>
        <phone> 555-1234567 </phone>
        <SSN>***********</SSN>
        <creditCardNo>@^*%&@$#%!</creditCardNo>
        <purchaseHistory> … </purchaseHistory>
      </getCustomerDetailResponse>
    </SOAP:Body>
  </SOAP:Envelope>

• Selective Data Redaction & Encryption of the response payload
• OES authorization decision returns an “Obligation” with information on what to redact and/or encrypt
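The slide separates two roles: the decision point answers isAuthorized and attaches obligations, and the service (the enforcement point) must carry those obligations out before the payload leaves. The added example below (not Oracle's or OES's code) models that split for the getCustomerDetail response on the slide: a toy policy table stands in for the OES decision, the enforcement point rewrites the SOAP body according to the returned obligations, and an obligation it does not understand causes the whole response to be withheld rather than released unmodified. Only redaction and last-four masking are implemented; the slide's encryption obligation is not. The role table, the "Fraud Analyst" role and every value in the sample response are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
ET.register_namespace("SOAP", SOAP_NS)                   # keep the SOAP: prefix on output

# Constructed response for the request shown on the slide; all values are made up.
SAMPLE_RESPONSE = f"""<SOAP:Envelope xmlns:SOAP="{SOAP_NS}">
  <SOAP:Body>
    <getCustomerDetailResponse>
      <customerID>99999</customerID>
      <name>Sally Smith</name>
      <phone>555-1234567</phone>
      <SSN>123-45-6789</SSN>
      <creditCardNo>4111111111111111</creditCardNo>
      <purchaseHistory>...</purchaseHistory>
    </getCustomerDetailResponse>
  </SOAP:Body>
</SOAP:Envelope>"""

# Toy policy table standing in for the OES decision: per role, the obligations
# the enforcement point must fulfil before the response is released.
ROLE_OBLIGATIONS = {
    "Marketing Manager": [
        {"id": "redact", "fields": ["SSN"]},
        {"id": "mask-last4", "fields": ["creditCardNo"]},
    ],
    "Fraud Analyst": [],   # assumed role that may see the record in clear
}


def is_authorized(user: dict, action: str) -> dict:
    """Decision-point stand-in: Permit with obligations, or Deny.
    Only getCustomerDetail is modelled; unknown roles and actions are denied."""
    if action != "getCustomerDetail" or user.get("userRole") not in ROLE_OBLIGATIONS:
        return {"decision": "Deny", "obligations": []}
    return {"decision": "Permit", "obligations": ROLE_OBLIGATIONS[user["userRole"]]}


def apply_obligations(xml_text: str, obligations: list) -> str:
    """Rewrite the SOAP body in place according to the obligations."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body to enforce on")
    for ob in obligations:
        for tag in ob["fields"]:
            for el in body.iter(tag):
                if ob["id"] == "redact":
                    el.text = "***********"
                elif ob["id"] == "mask-last4":
                    value = el.text or ""
                    el.text = "*" * max(len(value) - 4, 0) + value[-4:]
                else:
                    # An obligation this PEP cannot honour must not be silently skipped.
                    raise ValueError(f"unknown obligation {ob['id']!r}")
    return ET.tostring(root, encoding="unicode")


def enforce(user: dict, action: str, response_xml: str):
    """Enforcement point: ask for a decision, then release the response only
    with every obligation applied. Returns None when nothing may be released."""
    decision = is_authorized(user, action)
    if decision["decision"] != "Permit":
        return None
    try:
        return apply_obligations(response_xml, decision["obligations"])
    except ValueError:
        return None   # fail closed: an unfulfillable obligation withholds the payload


def field_value(xml_text: str, tag: str) -> str:
    """Text of the first element named `tag` (used to inspect results)."""
    return next(ET.fromstring(xml_text).iter(tag)).text


if __name__ == "__main__":
    bob = {"user": "Bob Doe", "userOrg": "Acme Corp",
           "userRole": "Marketing Manager", "customerId": 99999}
    print(enforce(bob, "getCustomerDetail", SAMPLE_RESPONSE))
```

Returning None from `enforce` on an unknown obligation reflects the rule that a Permit carrying obligations is only a Permit if the enforcement point can discharge all of them; a PEP that ignores obligations it does not recognise would leak exactly the fields the policy meant to hide.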
14. Data Security
with Oracle Entitlements Server
[Diagram: Oracle Entitlements Server (Admin Server) with four Security Modules]
• Enforcement of data security for heterogeneous data sources
  - RDBMS, Object Relational, XML, Multi-Dimensional Cubes
• Enforcement of security at Data, Business Logic and Presentation tiers
• Integrates with Oracle and non-Oracle Databases, Hibernate, TopLink
15. Native & Custom Integrations
• Portals and Content Management
• Identity Management
• App Servers & Dev Frameworks
• XML Gateways
• Middleware
• Data Sources
16. Oracle Entitlements Server 11g
Key Design Themes
• Real-time Authorization
• Rapid Application Integration
• Comprehensive Standards Support
17. Comprehensive Standards Support
with Oracle Entitlements Server 11g
• Supports modern authorization standards
  • Attribute-based Access (ABAC, XACML, OpenAZ)
  • Role-based Access (NIST RBAC, Enterprise RBAC)
  • Java security frameworks (JAAS)
• Choice and flexibility ensure protection of existing investments
  • Supports different IT maturity levels for externalizing authorization
• Commitment to innovation, contribution and implementation of open standards.
The problem is that some of the most mission-critical applications are still homegrown. This is especially true in industries where the line-of-business applications can provide a competitive advantage. Today 50% of application budgets are spent on homegrown apps. In financial services, trading platforms and wealth management applications are a competitive advantage and are typically homegrown; in health care, the claims management and optimization systems.

These applications also hold the most critical information for a business: consumer information, product data and market information. They are usually at the top of the audit list for most regulated companies. These apps are also the most vulnerable, because the security is typically hard-coded into the application and difficult to change, and most of them have the toughest audit constraints. When new regulations come out, companies have to spend millions of dollars to retool the applications, and developers re-invent security policy within the application. In cases like Société Générale it's just a matter of time before an insider outsmarts the system.

To reduce the risk, companies need a solution that separates access to data and transactions into a policy-driven solution that can change without retooling the application, and that provides high-scale authorization to grow with the business.