4. Defining External Authorization
“Managing granular access permissions for applications, middleware and databases by externalizing and centralizing standards-based authorization policies.”
Data: Data redaction and filtering for data at rest and data in motion.
Applications: Fine-grained access to applications based on roles, entitlements, attributes, runtime context and identity.
Web Services: Data filtering for standards-based web services.
Portals: Access control for sensitive documents stored in portals and content management systems, based on roles and attributes.
Context-Aware Access Control
5. Why Is It Important?
Regulatory Considerations: Regulations are getting complex and often demand enforcement of granular access privileges.
Role Explosion: Role explosion makes it difficult to secure transactions and data based on roles.
Fragmented Security: Authorization policies are often hardwired into application business logic.
7. Common Use Cases
• Web Services (SOA) Security
• Web Access Control
• Application Transactions
• Relational Database Information
• Portals (SharePoint, etc)
9. Oracle Entitlements Server (OES)
• Unified External Authorization for Applications, Web Services, Portals and Databases
• Standards-based Policy Enforcement at Run-time
• Declarative Security Model Simplifies Application Lifecycle
11. Comprehensive Standards Support
• Attribute Based Access Control
• XACML
• OpenAZ
• NIST Role Based Access Control
• Enterprise RBAC
• Java2 / JAAS
• Code Based Access Control
• JSR 115 / JACC*
• Data Security
Oracle Confidential
12. Native & Custom Integrations
• Identity Management
• Application Servers
• Portals & Content Mgmt
• Development FWK’s
• SOA
• Policy Store
• Data Sources
• XML Gateways
14. Use Cases
• Application Access Control
• Data Security
• SharePoint Security
• Web Services Security
15. Architecture
Architecture diagram: OES Admin Server with an Identity Store and a Policy Store; three protected deployments, each containing a PEP, a PDP, PIPs and an Id Store.
16. Application Access Control
• Web Access Control (URL-based and Fine-grained)
• Attribute based Access Control (ABAC/XACML)
• Static and Dynamic Role Mapping
• Role Inheritance
• Separation of Duties Checks
• Runtime Constraint and Context-aware Policy Enforcement
• Integration with LDAP-based directories
* Oracle Entitlements Server can be used to enforce multiple compliance requirements.
17. Data Security
• Selective Data Redaction/Filtering
- Row-level security
- Columnar security
• Centralized Authorization Policy Administration for Databases
• Integration with major databases (Oracle, DB2, Sybase, MySQL)
* OES enables management of access policies based on business need.
18. SharePoint Security
• Document Access Control (based on document tags, attributes, location, user, role, etc)
• Custom Page Content (FGA checks for ASP.NET pages)
• Integration with Active Directory and LDAP-based directories
* OES provides a variety of authorization decisions for different types of applications and users.
19. Web Services Security
• Integration with XML Gateways
• Selective Data Redaction/Filtering for SOA web services
• Support for a variety of message standards (XML/SOAP/REST/JMS)
* Policies can be set up to secure connectivity to SOA and cloud environments.
20. Aberdeen Group Event Series
Featuring Derek Brink
Chicago: April 10th
New York: April 12th
Toronto: April 17th
Boston: April 19th
San Francisco: May 22nd
Register at: www.oracle.com/identity
21. Platform Webcast Series
Oracle Customers Discussing Results of Platform Approach
Platform Best Practices: Agilent Technologies (Available On-Demand)
Cisco’s Platform Approach: Cisco Systems (Available On-Demand)
Platform for Compliance: ING Bank (April 11th 2012)
Platform Business Enabler: Toyota Motors (May 30th 2012)
Register at: www.oracle.com/identity
There has been a dramatic shift in the requirements for providing secure access to applications, web services and databases. Even though many organizations have centralized their web access management infrastructure, many authorization decisions are hard-wired into the application business logic itself. The business logic that makes authorization decisions is not centrally managed, governed or controlled by a security team. To make matters worse, runtime access control decisions are rarely audited. The result is a fragmented policy framework that is difficult to control and manage. External Authorization solutions overcome this problem by externalizing granular access privileges from applications and then centralizing administration. External Authorization solutions can enforce policies based on a combination of roles, attributes, context, or runtime conditions. External Authz does for authorization what Single Sign-On did for authentication. With SSO, we achieved the first step of externalizing user names, passwords, and logins to a centralized enterprise-wide system. With External Authz, we can now abstract policies that were previously hard-coded into applications. The benefits include enabling your business to adapt and change on a dime as market conditions and compliance mandates require enforcement of newer and more complex policies. Centralizing policy management allows for consistent enforcement, improving security and achieving good governance across the enterprise.
There are three primary business drivers fueling the need to externalize authorization from applications. Regulatory considerations are getting more stringent and complex. Meeting modern regulatory demands often requires enforcement of granular access privileges at application runtime. With role-based access becoming predominant, many organizations are now dealing with the challenge of role explosion, wherein redundant role definitions can make it difficult to secure transactions and data on the basis of roles. Finally, a lot of homegrown applications have authorization policies built into the business logic, which makes it hard to change policies in response to evolving security and regulatory mandates. This has led to the growth of External Authorization solutions, which make it easy to externalize and centralize authorization policy definitions. Solutions like Oracle Entitlements Server allow extremely rich policy definitions to be set up on the basis of context, attributes, roles or runtime conditions.
External Authorization solutions can be applied to solve multiple kinds of real-world problems, from securing content to securing collaboration, and to securing the privacy and confidentiality of data. Recent regulations such as healthcare regulations and privacy laws have placed stricter requirements on access to applications and auditing of that access. Meeting these compliance mandates often requires fine-grained access control policies. In the absence of a central infrastructure to manage and enforce granular security policies, organizations find themselves constantly retooling applications to keep pace with changing regulatory demands. Regulatory demands like enforcement of segregation of duties and Chinese walls can be easily enforced by externalizing authorization. External authz solutions can keep track of entitlement activity in your enterprise. Every time an authz policy decision is made, an audit record can be created that can later be analyzed or reported on.
With External Authorization, organizations can enforce granular security throughout the stack: apps, web services, portals or databases can be secured by externalizing authorization policies. SOA: External Authz can simplify and secure connectivity to SOA environments. Data: Existing security tools do not address the fundamental need of protecting the data itself based on the context of the access. Either they provide an excessively coarse-grained control over the data source (an all-or-nothing proposition that does not work in most cases) or they require changes in all the applications that can access the data. Every application touching the data source requires developers to write custom code to filter database tables and present only the subset of the data that is appropriate to the context of the application, process, and user making the request. External authz can provide only the necessary subset of data pertinent to the context of the access request. Applications: Applications of many flavors, including homegrown, packaged and cloud applications, can be secured. Organizations can decouple the evolution of authz policies from business logic by externalizing access privileges from applications.
The architecture for the use case review consisted of the following OES components. Administration Console: The Administration Console provides a rich Web-based UI for policy authoring and management. It can also distribute policy updates to applications. Policy Store: The Policy Store serves as a central persistent store for authorization policies. This helps in centralized management of security. Applications can get policies directly from the central policy store. Policy Decision Point (PDP): This is the runtime component which includes the core authorization engine (also known as Security Module or SM). When the SM gets an authorization request from a user or application, it evaluates this request against all relevant policies and gives a final authorization result. As part of policy evaluation, the SM can look up information from external data sources such as LDAP systems, databases, Web Services and other data sources. An SM also includes PEPs (Policy Enforcement Points), which can be used to automatically enforce OES authorization decisions in environments such as WebLogic and SharePoint, among others.
Oracle Entitlements Server (OES) can be used to secure applications of all flavors: homegrown, mainframe, packaged, cloud. It provides authorization for a broad set of ecosystems including Java EE, Java SE, .NET, content management systems and databases. OES provides a rich hierarchical policy model based on the Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC) standards. OES allows both static and dynamic assignment of Application Roles based on policy. In dynamic role mapping, roles are assigned on an as-needed basis depending on the action initiated by the user. For example, the role of Fund Manager should be granted to a person only on certain funds. Such roles come into existence when an authorization request is made and are destroyed once a decision is computed. OES provides sophisticated facilities to accurately control role assignments based on the context. Business roles are often structured hierarchically: employees in higher positions are automatically granted the privileges of people in their reporting hierarchy. To model these real-world relationships OES supports role inheritance. OES can also be used to enforce SoD checks. There may be a need to ensure that certain users cannot perform tasks that might establish a conflict of interest (e.g. a Financial Analyst making trades on the company they are covering). It also helps establish that certain tasks are given to certain users only (e.g. delegated administration). These policies are intended to make sure that only the correct user is doing the correct thing. OES can also enforce policies based on context or runtime conditions. For example, you may want to change what an application allows a user to do based upon time of day or business conditions. There may also be policies that dictate how an application carries out an activity (more than just a grant/deny decision for a piece of functionality). And OES integrates easily with LDAP-based directories for sourcing identity attributes.
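The PEP/PDP/PIP split from the architecture notes and the static and dynamic role mapping, role inheritance, separation-of-duties and context checks described above, as one added Python example written for this page (it is not OES code and uses no Oracle API): a small policy decision point fetches attributes from a constructed in-memory directory standing in for the LDAP store, expands a static role through an inheritance graph, grants a dynamic ManagerOfFund role only for the fund named in the request, refuses trades that breach a separation-of-duties rule or fall outside a constructed trading-hours window, and writes an audit record for every decision. All subjects, roles, permissions and hours are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed in-memory directory standing in for the LDAP identity store a PIP would query.
DIRECTORY = {
    "alice": {"title": "Fund Manager", "managed_funds": {"FUND-A"}, "covers": set()},
    "bob":   {"title": "Financial Analyst", "managed_funds": set(), "covers": {"ACME"}},
    "carol": {"title": "Desk Head", "managed_funds": set(), "covers": set()},
}

# Static role mapping: job title -> application role.
TITLE_TO_ROLE = {"Fund Manager": "FundManager", "Financial Analyst": "Analyst", "Desk Head": "DeskHead"}

# Role inheritance: a senior role inherits everything its junior roles may do.
ROLE_INHERITS = {"DeskHead": {"FundManager", "Analyst"}, "FundManager": set(), "Analyst": set()}

# Permissions as (action, resource type) pairs granted to a role. ManagerOfFund is a dynamic
# role: it exists only for the fund named in the request (see dynamic_roles()).
PERMISSIONS = {
    "Analyst": {("view", "research"), ("trade", "stock")},
    "FundManager": {("view", "fund")},
    "ManagerOfFund": {("trade", "fund")},
    "DeskHead": {("approve", "trade")},
}

# Runtime context constraint (constructed): trades only between 09:30 and 16:00, as (hour, minute).
TRADING_HOURS = ((9, 30), (16, 0))


@dataclass
class Request:
    subject: str
    action: str
    resource_type: str
    resource_id: str
    issuer: str = ""           # company behind the instrument, used by the SoD check
    now: tuple = (12, 0)       # wall-clock context supplied by the PEP as (hour, minute)


@dataclass
class Decision:
    permit: bool
    reason: str


def pip_lookup(subject):
    """Policy Information Point: fetch the subject's attributes from the identity store."""
    return DIRECTORY.get(subject, {"title": None, "managed_funds": set(), "covers": set()})


def effective_roles(role):
    """Expand one static role through the inheritance graph (the role plus all it inherits)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_INHERITS.get(r, ()))
    return seen


def dynamic_roles(attrs, req):
    """Dynamic role mapping: ManagerOfFund is granted per request, only for funds the subject manages."""
    if req.resource_type == "fund" and req.resource_id in attrs["managed_funds"]:
        return {"ManagerOfFund"}
    return set()


class PolicyDecisionPoint:
    def __init__(self):
        self.audit = []  # one record per decision, for later analysis or reporting

    def decide(self, req):
        attrs = pip_lookup(req.subject)
        roles = dynamic_roles(attrs, req)
        if attrs["title"] in TITLE_TO_ROLE:
            roles |= effective_roles(TITLE_TO_ROLE[attrs["title"]])
        decision = self._evaluate(req, attrs, roles)
        self.audit.append((req.subject, req.action, f"{req.resource_type}:{req.resource_id}",
                           "PERMIT" if decision.permit else "DENY", decision.reason))
        return decision

    @staticmethod
    def _evaluate(req, attrs, roles):
        # Separation of duties: nobody trades instruments of a company they cover as analyst.
        if req.action == "trade" and req.issuer in attrs["covers"]:
            return Decision(False, "SoD: subject covers the issuer")
        # Context-aware constraint: trading only inside trading hours.
        if req.action == "trade" and not (TRADING_HOURS[0] <= req.now <= TRADING_HOURS[1]):
            return Decision(False, "outside trading hours")
        # RBAC check over the effective role set (static + inherited + dynamic); deny by default.
        granting = sorted(r for r in roles if (req.action, req.resource_type) in PERMISSIONS.get(r, ()))
        if granting:
            return Decision(True, f"granted via role {granting[0]}")
        return Decision(False, "no role grants this action")


def pep(pdp, req):
    """Policy Enforcement Point: the application asks the PDP and acts on the boolean answer."""
    return pdp.decide(req).permit


if __name__ == "__main__":
    pdp = PolicyDecisionPoint()
    for r in (Request("alice", "trade", "fund", "FUND-A", issuer="ACME"),
              Request("bob", "trade", "stock", "ACME", issuer="ACME"),
              Request("carol", "view", "research", "R-1")):
        print(r.subject, r.action, r.resource_id, "->", pdp.decide(r))
```

The PDP evaluates the constraints in a fixed order (SoD, then context, then RBAC) and records the reason with each decision, so the audit trail explains why a request was refused rather than only that it was; the application side is reduced to the one-line `pep()` call, which is the decoupling of policy from business logic the notes describe.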
In enterprises, most data originates from a database, flows through various service tiers and is finally rendered by the UI. Securing data at the source ensures that information does not leak. OES supports data redaction filters in the data tier as well as in the business tier. Sometimes information stored in a database is extremely sensitive and extensive checks need to be done irrespective of the application. For example, credit card numbers and passwords should only be shared on a need-to-know basis. In these situations it may be desirable to enforce restrictions from within the database itself. OES can be used to do row- and column-level filtering based on standards-based authorization policies. Because this filtering is done within the database, security policies will be enforced irrespective of the application. This solution is also useful with legacy applications which cannot externalize authorization. And OES integrates easily with most major databases.
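Row- and column-level filtering enforced in the data tier, as an added Python example written for this page (it is not OES code and does not reproduce how OES integrates with any database): a per-role policy is compiled into a SELECT whose projection masks or omits sensitive columns and whose WHERE clause restricts rows, and the query runs against an in-memory SQLite table of constructed customer records. The subjects, roles and policy table are constructed for the example; column names come only from a fixed allow-list, so no caller-supplied text is ever spliced into the SQL.

```python
import sqlite3

# Columns the application may ask for; every projection is built from this allow-list.
COLUMNS = ("id", "name", "region", "card", "ssn")

# Constructed subject attributes (what a PIP would fetch from the directory).
SUBJECTS = {
    "support_emea": {"role": "Support", "region": "EMEA"},
    "fraud_analyst": {"role": "FraudAnalyst", "region": None},
    "marketing": {"role": "Marketing", "region": None},
}

# Constructed data-tier policy per role: a parameterised row predicate and a per-column action
# ("clear" = return as stored, "mask" = keep only the last four characters, "drop" = omit).
POLICIES = {
    "Support":      {"where": "region = :region", "columns": {"card": "mask", "ssn": "drop"}},
    "FraudAnalyst": {"where": "1 = 1",            "columns": {"card": "clear", "ssn": "mask"}},
    "Marketing":    {"where": "1 = 1",            "columns": {"card": "drop", "ssn": "drop"}},
}


def setup_db():
    """Create an in-memory customer table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, region TEXT, card TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", [
        (1, "Ann", "EMEA", "4111111111111111", "123-45-6789"),
        (2, "Ben", "APAC", "5500000000000004", "987-65-4321"),
        (3, "Cid", "EMEA", "3400000000000090", "111-22-3333"),
    ])
    return conn


def compile_policy(role):
    """Turn a role's policy into a SELECT whose projection already applies the column redaction."""
    policy = POLICIES[role]
    projection = []
    for col in COLUMNS:
        action = policy["columns"].get(col, "clear")
        if action == "clear":
            projection.append(col)
        elif action == "mask":
            projection.append(f"'****' || substr({col}, -4) AS {col}")
        # "drop": the column is simply not projected, so it never leaves the database
    return f"SELECT {', '.join(projection)} FROM customers WHERE {policy['where']} ORDER BY id"


def secured_select(conn, subject):
    """Run the policy-rewritten query for a subject; subjects without a policy are denied outright."""
    attrs = SUBJECTS.get(subject)
    if attrs is None or attrs["role"] not in POLICIES:
        raise PermissionError(f"no data policy for subject {subject!r}")
    sql = compile_policy(attrs["role"])
    rows = conn.execute(sql, {"region": attrs["region"]}).fetchall()
    return [dict(r) for r in rows]


if __name__ == "__main__":
    db = setup_db()
    for who in SUBJECTS:
        print(who, secured_select(db, who))
```

Because the masking and row predicate are part of the statement the database executes, an application that bypasses its own business-tier checks still gets only the redacted subset; that is the property the notes attribute to enforcing the policy inside the database rather than in each application.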
Content Management Servers such as SharePoint provide excellent facilities for storing, retrieving and sharing documents. They often come with standard facilities to secure documents. OES can extend these simple security models with sophisticated RBAC- and ABAC-based models. For example, a policy such as “Only employees with clearance level 4 can view confidential documents” can be easily implemented using OES policy constraints. SharePoint serves as both a portal and a document repository. OES provides OOTB Policy Enforcement Points (PEPs) for securing SharePoint Sites, URLs, Pages, Portlets, Web Parts, page contents and documents. An OES HTTP module secures Web pages and the OES Web Control secures Web Parts. In addition OES provides an authorization tag library which allows conditional execution of code and custom UI rendering. This allows you to gain control of prolific use of SharePoint in your organization. It also allows you to lock down information hosted in SharePoint to a very granular level: web parts, pages, list items, any user information that can be rendered can be protected with OES. It is well integrated with Active Directory and can naturally reuse the information stored in AD.
OES integrates easily with XML gateways to help simplify and secure connectivity to SOA environments. OES is natively integrated with Oracle Enterprise Gateway (OEG), the recently launched Oracle XML Gateway product. OES Security Modules are embedded within OEG. This can help enforce granular security for SOA environments. For instance, you can now enforce security policies for web services based on the content of SOAP headers and attribute information. This makes it easier to enforce policies based on time of day, client IP etc. Policies can be set up to redact confidential information from web service responses. OES supports most web services message standards including SOAP, REST, and JMS.
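The gateway behaviour described above (a decision on SOAP header content plus the client IP, then redaction of confidential fields in the response), as an added Python example that is neither Oracle Enterprise Gateway nor OES code. The service namespace urn:example:accounts, the Department header, the GetAccount operation, the permitted network range and the backend stub are all constructed for the illustration; the Department value is assumed to have been authenticated upstream before the gateway trusts it.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:accounts"          # hypothetical namespace of the protected service
NS = {"soap": SOAP_NS, "app": APP_NS}
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("app", APP_NS)

# Constructed gateway policy for one operation: which departments may call it, from which
# networks, and which response elements are masked unless the caller's department is listed.
POLICY = {
    "GetAccount": {
        "departments": {"Finance", "Audit"},
        "networks": [ipaddress.ip_network("10.20.0.0/16")],
        "redact": {"AccountNumber": {"Finance"}},
    },
}


def build_request(department, account_id="A-1"):
    """Constructed client request; the Department header is assumed to be vouched for upstream."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:app="{APP_NS}">'
            f'<soap:Header><app:Department>{department}</app:Department></soap:Header>'
            f'<soap:Body><app:GetAccount><app:Id>{account_id}</app:Id></app:GetAccount></soap:Body>'
            '</soap:Envelope>')


def fake_backend(request_xml):
    """Constructed stand-in for the SOA service behind the gateway."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:app="{APP_NS}"><soap:Body>'
            '<app:GetAccountResponse><app:Owner>Ann</app:Owner>'
            '<app:AccountNumber>123456789</app:AccountNumber></app:GetAccountResponse>'
            '</soap:Body></soap:Envelope>')


def soap_fault(reason):
    """Fault envelope returned to the caller on a deny decision."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>'
            f'<faultcode>soap:Client</faultcode><faultstring>{reason}</faultstring>'
            '</soap:Fault></soap:Body></soap:Envelope>')


def parse_request(envelope_xml):
    """Pull the operation name from the Body and the Department attribute from the Header."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    body = root.find("soap:Body", NS)
    if body is None or len(body) == 0:
        return None, ""
    operation = body[0].tag.split("}")[-1]
    department = header.findtext("app:Department", default="", namespaces=NS) if header is not None else ""
    return operation, department


def authorize(envelope_xml, client_ip):
    """Policy decision on header content plus transport context (client IP); deny by default."""
    operation, department = parse_request(envelope_xml)
    rule = POLICY.get(operation)
    if rule is None:
        return False, "unknown operation"
    if department not in rule["departments"]:
        return False, "department not entitled"
    if not any(ipaddress.ip_address(client_ip) in net for net in rule["networks"]):
        return False, "client network not allowed"
    return True, "permit"


def redact_response(response_xml, operation, department):
    """Mask confidential elements in the response unless the department may see them in clear."""
    root = ET.fromstring(response_xml)
    for tag, clear_for in POLICY[operation]["redact"].items():
        if department in clear_for:
            continue
        for el in root.iter(f"{{{APP_NS}}}{tag}"):
            el.text = "****" + (el.text or "")[-4:]
    return ET.tostring(root, encoding="unicode")


def gateway(request_xml, client_ip, backend):
    """Gateway flow: authorize, forward to the service, redact, return (status, envelope)."""
    permitted, reason = authorize(request_xml, client_ip)
    if not permitted:
        return "DENY", soap_fault(reason)
    operation, department = parse_request(request_xml)
    return "PERMIT", redact_response(backend(request_xml), operation, department)


def account_number(envelope_xml):
    """Inspection helper: the AccountNumber text of a response, or None."""
    el = ET.fromstring(envelope_xml).find(".//app:AccountNumber", NS)
    return None if el is None else el.text


if __name__ == "__main__":
    for dept, ip in (("Finance", "10.20.1.5"), ("Audit", "10.20.1.5"), ("Sales", "10.20.1.5")):
        print(dept, ip, gateway(build_request(dept), ip, fake_backend))
```

The decision uses only material the gateway itself can see (the envelope and the peer address), and the redaction step keeps the response well-formed for callers with partial entitlement instead of failing the whole call, which is the "more than grant/deny" behaviour the notes mention.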
Oracle is proud to sponsor the Platform Approach seminar series. In this multi-city event series, Derek Brink (research analyst from Aberdeen Group) will discuss how organizations can build a business case for a comprehensive identity and access program. In addition, attendees will learn how to build a roadmap that optimizes the results of large scale Identity Management. Oracle experts and architects will also provide information on how to unlock the potential of the Oracle Identity Platform. Register today at oracle.com/identity
You also have a unique online opportunity to learn from and get questions answered by Oracle customers. These are live webcasts that will also be available on demand. Agilent Technologies discusses how they moved from multiple point solutions to consolidate their deployment on Oracle. Cisco discusses their unique approach to consolidating their identity program into a platform. On April 11th, ING Bank will discuss how a platform with integrated administration and governance reduced cost and improved compliance. On May 30th, Toyota Motors will discuss how they leveraged a platform to build a social network for cars.
Join the Oracle community for regular updates on content and hear about upcoming events and news.