Icam oracle-webcast-2012-10-10
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
The preceding is intended to outline our general product direction. It is intended
for information purposes only, and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.
ICAM Framework for Enabling
Agile, Flexible Service Delivery
Derrick Harcey, P.E., CISSP
Enterprise Security Architect
Darin Pendergraft
Principal Product Marketing Director
Agenda
• ICAM Overview
• Oracle Identity Platform
• Deployment Recommendations
• Questions
ICAM Overview
Identity Management Evolution
[Timeline figure, 1990s to current: Password Mgmt, Single Sign-on, Automation, Audit, Governance]
Government Security Momentum
[Timeline figure, 1990s to current, with these milestones:]
• HIPAA - 1996
• e-authentication
• Federal PKI – 2002
• FISMA
• PIV, PIV-I, HSPD-12
• NIEM 1.0
• Federal Identity, Credentialing and Access Management (FICAM)
• NIEM 2.0
• HITECH
• OMB 11-11
• ARRA Mandates State HIE compliance by 2014, HIX
• SICAM Roadmap released
• National Strategy for Trusted Identities in Cyberspace (NSTIC)
Identify Security Controls
Model for Classification and Trust: NIST 800-37 / FISMA
Steps:
• Step 1: Categorize Information System
• Step 2: Select Security Controls
• Step 3: Implement Security Controls
• Step 4: Assess Security Controls
• Step 5: Authorize Information System
• Step 6: Monitor Security Controls
Outcomes:
• Data Classification
• Impact Assessments and Authentication Levels
• Authentication and Identity Proofing requirements
• Identity Management Controls Implemented
• Initial Security Certification and Accreditation
• Annual Certification and Accreditation
Standards referenced by the steps:
• NIST 800-53, NIST 800-30
• NIST 800-63, NIST 800-37, FIPS 199
• NIST 800-63, NIST 800-53
• NIST 800-63
• NIST 800-53, NIST 800-53A
• NIST 800-37, NIST 800-53, NIST 800-53A
Process Standards: NIST SP 800-37, NIST SP 800-18, NIST SP 800-60, NIST SP 800-53
NIST 800-63 Authentication Assurance Levels
Assurance Level: High Level Requirements
• 1: Secure pseudonym without ID proofing - password
• 2: Secure pseudonym with ID proofing - password
• 3: Two factor authentication with ID proofing
• 4: Hard crypto with ID proofing
National Institute of Standards and Technology: http://www.nist.gov
FICAM: Federal Identity, Credential, Access Management
The purpose of the Roadmap is to outline a common framework for ICAM within the Federal Government and to provide supporting implementation guidance for agencies as they plan and execute their architecture for ICAM programs.
- Federal Chief Information Officer (CIO) Council
- ICAM Roadmap
SICAM: State Identity, Credential, Access Management
The implementation of SICAM initiatives will facilitate the creation of government services that are more accessible, efficient, and easy to use.
- NASCIO SICAM Roadmap and Implementation Guidelines
ICAM Architecture
SUNY
• Centralized Services
• Standards Based Enterprise Architecture
• Foundation for Trust and Interoperability
FICAM Services
SICAM Services
Requirement to Oracle Product Mapping
NIST 800-63 requirements (Token, Identity Proofing, Authentication, Assertion) mapped to Oracle ICAM components.
FICAM – Service Framework
• Digital Identity: Identity Proofing, Vetting, Adjudication, Lifecycle Management, Linking / Association, Authoritative Attr Exchange
• Credentialing: Sponsorship, Enrollment / Registration, Issuance, Lifecycle Management, Self Service
• Authentication: Credential Validation, Biometric Validation, Session Management, Federation
• AuthZ and Access: Backend Attr Retrieval, Policy Administration, Policy Decision, Policy Enforcement
• Cryptography: Encryption / Decryption, Digital Signature, Key Management
• Audit and Reporting: Audit Trail, Reports Management
• Privilege Management: Account Management, Bind / Unbind, Provisioning, Privilege Administration, Resource Attr / Meta Mgmt
Identity and Access Management
Modern, Innovative & Integrated ICAM Foundation
Identity Governance
• Access Request & Approval
• Roles based User Provisioning
• Risk-based Access Certification
• Closed Loop Remediation
• Role Mining & Management
• Privileged Account Management
Access Management
• Mobile Access Management
• Social Identity Access
• Single Sign-On & Federation
• Authentication + Credentials
• Authorization & Entitlements
• Web Services Security
Directory Services
• Elastic Scalability
• Proxy-based Search
• LDAP Storage
• Virtualized Identity Access
• LDAP Synchronization
Platform Security Services
(Mapped against the FICAM Service Framework categories listed on the previous slide.)
Oracle Identity Platform
Identity and Access Management Platform
Governance
• Password Reset
• Privileged Accounts
• Access Request
• Roles Based Provisioning
• Role Mining
• Attestation
• Separation of Duties
Access
• Web Single Sign-on
• Federation
• Mobile, Social & Cloud
• External Authorization
• SOA Security
• Integrated ESSO
• Token Services
Directory
• LDAP Storage
• Virtual Directory
• Meta Directory
Platform Security Services
Oracle IDM – Themes and Drivers
Simplify and Innovate
• Simplified Experience
• Cloud, Mobile and Social
• Extreme Scale
• Clear Upgrade Path
Drivers: Faster Deployment, Lower TCO, Modernized Platform
Oracle Identity Governance
Provisioning, Certification, Role Governance, SoD
• Self Service
• Actionable compliance dashboards
• 80+ OOTB
• 360 deg. view of user access
• Role Governance
– Role Mining
– Role Consolidation
– Role Versioning
End-User friendly User Interface
Browser-based customizable UI
Access Request
Shopping Cart Simplicity: Browse, Search & Select, Confirmation, Track Receipt
Access Certification
Making Certification sustainable
• Spreadsheet approach
• Risk Analytics
• Business – IT collaboration
WORK IS SOCIAL
• 44% plan to social enable applications in the near future (Source: Enterprise Strategy Group 2012)
• 82% of the world reached by social media sites (ComScore Datamine Jan 2012)
CLOUD, MOBILE, SOCIAL SIGN-ON
New Access Management
• Social Trust
• REST Sign-on
• Fraud Detection
• Mobile Sign-on
• Device Attributes
• Location Data
Context Aware Access Management Example
Get Citizen Information:
John, Doe
99343 Anywhere Street, Waterson Street, MD 20147
555-223-2233
444-33-2222
Tuesday April 10th, 2:15 am PDT
Behavioral Patterns
• Has he had accesses between 00:00 – 03:00 in the last two months?
• Has he used this device more than 20% in the last three months?
• Does the subject live in the same residence as the requestor?
• Does he usually perform citizen lookups?
Valid credentials given from inside the network, but already logged in from outside the network. Which session is really who we think it is?
PII Protection & Data Redaction
Clients (HTTP / REST / SOAP / OAuth) call the User Service (getUserDetail, updateUser, deleteUser…) through Oracle Enterprise Gateway, which asks Oracle Entitlements Server for an authorization decision.
Request:
isAuthorized(user = Bob Doe, Acme Corp
Device = iOS 5.0, non-registered
Location = 37.53043790,-122.26648800
userId = 99999
action = getUserDetail)
Response (sensitive fields redacted):
{ "UserDetailResponse":
{ "userID": "99999",
"name": "Sally Smith",
"phone": "555-1234567",
"SSN": "***********",
"creditCardNo": "@^*%&@$#%!",
"purchaseHistory": "…"
}
}
Oracle Entitlements Server
• Context Aware Authorization of Transactions
• Authorization for REST APIs
• Selective Data Redaction of the response payload
• Authorization Service can also be exposed directly to any client, even mobile
Oracle Enterprise Gateway
• Threat Detection & Protection
• API Security & Management
• Secure Cloud Connectivity
• Mobile Access Gateway
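The decision flow on the two preceding slides, as an added example (not Oracle's code and not how OES or OEG are implemented): a small policy decision point scores the request context from the citizen-lookup example (unregistered device, unusual hour, rarely used device, requester who does not normally perform lookups) and a policy enforcement point applies the decision to the backend response, masking the PII fields when the decision carries a redaction obligation. Field names, risk weights and thresholds are constructed for illustration.

```python
"""Context-aware authorization with selective PII redaction (constructed example)."""
from dataclasses import dataclass


@dataclass
class RequestContext:
    user: str
    action: str
    device_registered: bool
    hour: int                   # local hour of the request, 0-23
    night_accesses: int         # accesses between 00:00 and 03:00 in the last two months
    device_share: float         # share of the user's recent logins made from this device
    usually_does_lookups: bool  # behavioural baseline: does this user perform citizen lookups?


# Response fields treated as PII; the value is the mask the PEP substitutes.
SENSITIVE_FIELDS = {"SSN": "***********", "creditCardNo": "****"}


def risk_score(ctx):
    """Sum constructed risk weights for the context signals; returns (score, reasons)."""
    score, reasons = 0, []
    if not ctx.device_registered:
        score += 30
        reasons.append("unregistered device")
    if 0 <= ctx.hour < 3 and ctx.night_accesses == 0:
        score += 25
        reasons.append("no prior access in the 00:00-03:00 window")
    if ctx.device_share < 0.20:
        score += 15
        reasons.append("device used for under 20% of recent logins")
    if ctx.action == "getUserDetail" and not ctx.usually_does_lookups:
        score += 20
        reasons.append("citizen lookups are unusual for this user")
    return score, reasons


def is_authorized(ctx):
    """PDP: 'allow' (full data), 'allow_redacted' (PII masked) or 'challenge' (step-up)."""
    score, _ = risk_score(ctx)
    if score >= 60:
        return "challenge"
    return "allow_redacted" if score >= 30 else "allow"


def enforce(ctx, response):
    """PEP: apply the decision to the backend response; None means step-up is required first."""
    decision = is_authorized(ctx)
    if decision == "challenge":
        return None
    if decision == "allow":
        return dict(response)
    return {k: SENSITIVE_FIELDS.get(k, v) for k, v in response.items()}
```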
Oracle Unified Directory
Extreme Scale, Next Generation, Integrated and Interoperable
Features
• Scale to tens of billions
• Convergence of directories
• Integrated with Enterprise Manager
• Interoperable with all certified ODSEE ISV software
• Integrated with ODS+
Optimized System Directory Server
Hardware/Software Synergy: 3X performance, 1/3 cost
Sun2Oracle Upgrade Program
Focusing on Action
• Partner for Success
• Upgrade to a more cost effective and feature rich solution
• Leverage experienced SI partners
• Make use of available tools
• Coexistence strategy or replatform?
Platform Architectural Benefits
• Shared Connectors: Less Customization, Faster Implementation
• Centralized Policies: Standardize Access, Reduced Risk
• Workflow Integration: Automated Process, Improved Compliance
• Common Data Model: Standard Reporting, Fewer Data Stores
Platform Approach Reduces Cost
Benefits and Oracle IDM Platform Advantage
Increased End-User Productivity
• Emergency Access: 11% faster
• End-user Self Service: 30% faster
Reduced Risk
• Suspend/revoke/de-provision end user access: 46% faster
Enhanced Agility
• Integrate a new app faster with the IAM infrastructure: 64% faster
• Integrate a new end user role faster into the solution: 73% faster
Enhanced Security and Compliance
• Reduces unauthorized access: 14% fewer
• Reduces audit deficiencies: 35% fewer
Reduced Total Cost
• Reduces total cost of IAM initiatives: 48% lower
Highlights: 48% cost savings; 14% fewer instances of unauthorized access; 35% fewer audit deficiencies
Source: Aberdeen “Analyzing Point Solutions vs. Platform” 2011
Oracle Identity Management
• Operationally Scalable
• Satisfied Users
• Easy Adoption
• Architecture Simplicity
• Business Friendly
• Suite Consolidation
Deployment Recommendations
Federal ICAM Recommendations
• Expand and Modernize FICAM Architecture
• Application Integration
• Application Request Lifecycle
• Risk Management
• Application Access Control (M 11-11)
• Align with Agency External Services
State Government Recommendations
• Define State Strategy for SICAM
• Implement Governance Process
• Implement Shared Services – Identity Providers
• Integrate Key Relying Parties
FICAM AAES* – Oracle Alignment
• AAES 1: Provides aggregation of identity attributes. Oracle: OVD
• AAES 2: Supports deployment of connectors and service interfaces to retrieve identity attributes for distributed sources. Oracle: OVD, OIM
• AAES 3: Utilizes a unique person identifier to distinguish between identities. Oracle: OIM, OVD
• AAES 4: Provides transformation of identity attributes from authoritative source data storage format to a standardized format to present data externally. Oracle: OVD
• AAES 5: Provides correlation of identity attributes from distributed sources of identity information. Oracle: OIM, OVD
• AAES 6: Provides the capability to reconcile differences between different sources of identity attributes. Oracle: OIM
• AAES 7: Provides an interface to request identity attributes over common protocols such as LDAP/s, DSML, SAML, and SPML. Oracle: OEG, OIM, OIF
• AAES 8: Provides security to protect data against unauthorized access and logging to facilitate audits. Oracle: OES, OEG, OVD
• AAES 9: Provides various views of identity attributes and displays them only to users or systems that are authorized to view those attributes. Oracle: OVD
• AAES 10: Provides the ability to request identity data based on a variety of methods (name, globally unique identifier, email, DOB). Oracle: OVD
• AAES 11: Provides reports of identity attributes. Oracle: OBIEE
• AAES 12: Provides the capability to push or pull identity attributes including the ability to distribute new identities and updates to existing identity attributes. Oracle: OIM
• AAES 13: Provides the capability to protect data at rest. Oracle: OUD, DB Sec
• AAES 14: Provides the capability to sign attribute assertions. Oracle: OIF, STS, OEG
* Authoritative Attribute Exchange Service
Oracle Solution Advantages
Federated Trust, but Verify
[Figure: user John Smith presents a credential to an Identity Provider; the Service Provider applies security layers (Device Tracking, Location Profile, Verify ID, User Profile) before granting access to Protected Resources]
• User authenticated by an Identity Provider (out of SP control) with ICAM Scheme*
• SP can trust the assertion but assess risk of access request
• Challenge users for additional identity verification based on risk
*idmanagement.gov
Oracle ICAM Identity Platform
[Architecture diagram across Extranet DMZ, Intranet App Tier and Intranet Data Tier, with these elements:]
• Clients: Mobile Clients, Web Applications, Web Services, .Net Web Apps, Java EE Web Apps, .Net Web Srvcs, Java EE Web Srvcs
• Protocols: HTTP GET/POST, REST, XML, SOAP, JMS, MQ
• Enterprise Gateway, WebGates, OWSM Agents, ESSO
• Access Services: OAM, OAAM, OIC, OIF, OES
• Entitlement Server (PEP/PDP)
• Identity Governance Services: OIM/OIA
• Directory Services: OVD, OUD
• DB Firewall, Third-party Stores, Database/Directories
Oracle’s ICAM Resources
Oracle Secure Government Resource Center
– ICAM Resources
Oracle Security
– Identity and Access Management
– Database Security
Oracle Secure Government Blog
http://blogs.oracle.com/securegov/
ICAM Engagements
– ICAM Assessment Workshop
Government Security Summary
1. Standards based Enterprise Architecture
2. Standard Processes for Security Controls
3. Data Security
4. Web Services Secure Services
5. Comprehensive ICAM Solution
Oracle Product Information
Oracle Identity Management Overview:
http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html
Oracle Identity Management 11g Whitepaper:
http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oracle-idm-wp-11gr2-1708738.pdf
Oracle Reference Architecture for Security:
http://www.oracle.com/technetwork/topics/entarch/oracle-ra-security-r3-0-176702.pdf
Oracle Identity Management 11.1.2 - Enterprise Deployment Blueprint:
http://www.oracle.com/technetwork/database/availability/maa-deployment-blueprint-1735105.pdf
Oracle Real Application Clusters Administration and Deployment Guide:
http://download.oracle.com/docs/cd/E11882_01/rac.112/e16795/toc.htm
Oracle Internet Directory 11g in the Facebook Age:
http://www.oracle.com/technetwork/middleware/id-mgmt/overview/oid11g-500m-socialmedia-benchmark-349887.pdf
Two Billion Entry Directory Benchmark – Oracle:
http://www.oracle.com/technetwork/middleware/id-mgmt/overview/peg-oid-benchmark-131118.pdf
Oracle Identity Federation:
http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/b25355/deployinstall.htm#BABHIJGJ
Upcoming Secure Government Activities
Safeguarding Government Cyberspace
November 28, 2012, 2:00 p.m. ET
http://events.oracle.com
Oracle Federal Forum: Secure Government Track
November 14, 2012, 8:00 a.m. – 5:00 p.m. ET
www.oracle.com/goto/OracleFedForum
Secure Government Resource Center
Access Link: http://www.oracle.com/go/?&Src=7618005&Act=32&pcode=WWMK12041319MPP022
Helping Organizations Achieve Security Throughout the Enterprise
• Cloud Security
• Cyber Security
• Data Security
• Identity, Credential and Access Management (ICAM) Security Framework
Questions
Editor's notes
There has been significant progress building the standards and infrastructure at the federal level to establish a baseline for trust and security for user access.
These efforts have provided a solid foundation for the
Identity Governance is fully integrated with Access Management and Directory Services, and uses our Platform Security Services, to provide a complete, scalable, standards based IDM Platform.
One of the long time problems that we have addressed is how to preserve all of your customizations. After all, if you spend the time to get a UI exactly how you want it, you really don’t want to have to rebuild it after an upgrade.
Integration with social networks is important for employee and consumer relationships. Study by Enterprise Consulting group: 44% of organizations plan to social enable apps in the near future.
OAAM: Placing more than one layer between the end user and the protected resource
• Credential authentication alone is a single point of failure
• Credentials don’t address many modern threats. Even the strongest credential is not a magic bullet.
• No solution is complete without layered access security: Device Fingerprinting, Location tracking, User behavioral profiling, Transaction risk analysis, Risk-based interdiction
Trust but verify - authN creds are important but they should not be trusted alone
• Look beyond "strong" credentials to other available factors to make an access decision
• Profile behaviors - does this access request seem strange compared to others? Does it look similar to past fraud or abuse?
• Allow access based on the specific risk of the current situation
Improve UX where possible
• Challenge only when required by risk
• Users don't try to get around good UX
• Productivity is lost when authN is burdensome