
Con8819 context and risk aware access control any device any where - final

Nov 10, 2014


Svetlana Kolomeyskaya & Ashish Kolli's OOW2013 presentation
Transcript
Page 1: Con8819   context and risk aware access control any device any where - final

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.1

Page 2:

CON8819: Context and Risk Aware Access Control – Any Device Any Where

Svetlana Kolomeyskaya, Group Product Manager, Oracle
Ashish Kolli, Software Development Senior Director, Oracle

Page 3:

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4:

Program Agenda

Market Trends

Oracle Access Management 11gR2 - Context and Risk Aware Access Control

Customer panel discussion

Q & A

Page 5:

Market Trends

Page 6:

Market Trend: New Mobile and Cloud Opportunities

The NEW Digital Experience: Mobile, Cloud

Page 7:

Market Trend: Avoiding System Fragmentation & Reducing Cost

Accelerate deployment and simplify maintenance

Avoid multi-vendor gaps, performance issues, integration challenges, upgrade cycle timing

Reduce high TCO

Page 8:

Market Trend: Secure Access Anywhere, Anytime

Security for different user identities – work, social, mobile, etc.

Access anytime, anywhere, any device

Balance security vs user experience

(Figure: Access Management spanning Desktop, Web Based, Cloud, Mobile and APIs)

Page 9:

Oracle Access Management 11gR2 - Context and Risk Aware Access Control

Page 10:

Oracle Access Management 11gR2

Complete, Simplified, Innovative, Scalable

Oracle Access Management 11gR2:
– Web Single Sign-on
– Federation
– Mobile and Social
– Authorization
– API Security
– Desktop application access
– Token Services
– Fraud Detection

Context Driven, Risk Aware

Page 11:

Oracle Access Management 11gR2: Simplified and Innovative

Converged Services
– Authentication and SSO
– Federated SSO
– Mobile & Social
– Security Token Service

Innovation
– Mobile Security
– Social Identity
– REST Services
– Identity Context

Page 12:

Oracle Access Management 11gR2: Flexible Policy Model

Adjusts authentication level based on application security requirements

Adapts security based on context

Page 13:

Mobile Authentication: Flexible Options for Devices, Applications and Users

Page 14:

Device Based Security

Mobile Device Information (OS, Carrier, Jailbroken, IP/MAC)

Device Registration / Fingerprint

Blacklist / Whitelist

Stronger Authentication (KBA, OTP, etc.)

Page 15:

Context Aware Authorization: Business Transactions, Selective Data Redaction

Context Aware

Standards Based

Full Audit Trail

No Code Changes Required

Page 16:

Oracle Access Management Social Identity: Social Sign On

(Figure: Select → Login → Authorize flow)

Page 17:

Behavior and Context Matter

(Figure: John Smith's request for Protected Resources is checked against Password, Device Tracking, Location, Profile and Transaction Risk before Verify ID)

Authentication credential is valid, but is this really John Smith?

Is anything suspicious about John's behavior or the situation?

Can John answer a challenge if the risk is elevated?

Page 18:

Risk-Based Authentication: Improve Usability and Security

(Figure: RISK axis from LOW through MED-LOW and MED-HIGH to HIGH; RESPONSE axis from ALLOW to DENY)

If the risk is low: Do nothing

If the risk is medium: Ask a challenge question

If the risk is high: Send a one-time password to the user's mobile phone

If the risk is very high: Deny access and alert the security team

Page 19:

Context-Aware Risk Analysis

• Pattern Profiling – dynamic behavioral profiling in real time
  • In the last month, has Joe used this device for less than 3% of his access requests?
  • In the last three months, have less than 1% of all users accessed from the country?

• Static Scenarios – specific scenarios that always equate to risk
  • If a device appears to be traveling faster than jet speed between logins, the risk is increased.

• Predictive Analysis – indicates the probability that a situation would occur
  • Is the probability less than 5% that an access request would have this combination of data values?

Analyzes risk in real time, profiles behaviors, recognizes patterns, detects anomalies, takes preventative actions
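The two slides above describe the rule types (per-user and population-wide behavioral profiling, a static impossible-travel scenario, a combined-probability check) and the response ladder (do nothing, challenge question, one-time password, deny and alert). The block below is an added example, not Oracle's code or anything from the deck, showing how such an engine scores a request and picks a response. The 3%, 1%, 5% and jet-speed thresholds come from the slide; the rule weights, the time-of-day bucketing used for the "combination of data values" check, the haversine distance calculation and the constructed login history are assumptions.

```python
# Added example, not Oracle's code: a small risk engine implementing the rule types on the
# "Context-Aware Risk Analysis" slide and mapping the score to the responses on the
# "Risk-Based Authentication" slide. The 3%, 1%, 5% and jet-speed thresholds are the slides';
# field names, rule weights, time-of-day bucketing and the login history are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

JET_SPEED_KMH = 900.0        # assumed: faster than an airliner means impossible travel
EARTH_RADIUS_KM = 6371.0
# Response ladder from the Risk-Based Authentication slide, keyed by risk tier.
RESPONSES = {"LOW": "allow", "MEDIUM": "challenge_question",
             "HIGH": "send_otp", "VERY_HIGH": "deny_and_alert"}


@dataclass(frozen=True)
class Login:
    user: str
    device_id: str
    country: str
    lat: float
    lon: float
    at: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def hour_bucket(ts):
    """Coarse time-of-day bucket: 0 night, 1 morning, 2 afternoon, 3 evening."""
    return ts.hour // 6


def evaluate(history, attempt, now):
    """Score one request against prior successful logins; returns (tier, response, reasons)."""
    score, reasons = 0, []
    month_ago, quarter_ago = now - timedelta(days=30), now - timedelta(days=90)
    mine = [l for l in history if l.user == attempt.user and l.at >= month_ago]

    # Pattern profiling (per user): device used for <3% of this user's recent requests?
    if mine:
        share = sum(l.device_id == attempt.device_id for l in mine) / len(mine)
        if share < 0.03:
            score += 1
            reasons.append(f"device {attempt.device_id} seen in {share:.0%} of recent logins")

    # Pattern profiling (population): <1% of all users accessed from this country?
    users = {l.user for l in history if l.at >= quarter_ago}
    if users:
        from_country = {l.user for l in history if l.at >= quarter_ago and l.country == attempt.country}
        share = len(from_country) / len(users)
        if share < 0.01:
            score += 1
            reasons.append(f"{share:.0%} of users accessed from {attempt.country}")

    # Predictive analysis: probability <5% that this user's request carries this
    # combination of values (here: country and time of day)?
    if mine:
        same = sum(l.country == attempt.country and hour_bucket(l.at) == hour_bucket(attempt.at)
                   for l in mine)
        if same / len(mine) < 0.05:
            score += 1
            reasons.append(f"country/time-of-day combination seen in {same / len(mine):.0%} of logins")

    # Static scenario: device travelling faster than a jet since the user's last login.
    prior = [l for l in history if l.user == attempt.user and l.at < attempt.at]
    if prior:
        last = max(prior, key=lambda l: l.at)
        hours = (attempt.at - last.at).total_seconds() / 3600
        km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        if hours > 0 and km / hours > JET_SPEED_KMH:
            score += 3           # always high risk, whatever the profiling rules say
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")

    tier = "LOW" if score == 0 else "MEDIUM" if score == 1 else "HIGH" if score == 2 else "VERY_HIGH"
    return tier, RESPONSES[tier], reasons


# Constructed sample data: Joe logs in daily at noon from one laptop in New York;
# four colleagues log in from their own laptops, also from New York.
NOW = datetime(2013, 9, 24, 12, 0)
NYC, BOSTON, SAO_PAULO = (40.71, -74.01), (42.36, -71.06), (-23.55, -46.63)
HISTORY = [Login("joe", "laptop-1", "US", *NYC, NOW - timedelta(days=d)) for d in range(30)]
HISTORY += [Login(name, f"laptop-{i + 2}", "US", *NYC, NOW - timedelta(days=2))
            for i, name in enumerate(["alice", "bob", "carol", "dave"])]


def demo():
    """Three attempts by Joe: one hour, five hours and two days after his last login."""
    attempts = {
        "new_phone_from_brazil_1h_later": Login("joe", "phone-9", "BR", *SAO_PAULO, NOW + timedelta(hours=1)),
        "usual_laptop_from_boston_5h_later": Login("joe", "laptop-1", "US", *BOSTON, NOW + timedelta(hours=5)),
        "new_tablet_from_nyc_2d_later": Login("joe", "tablet-2", "US", *NYC, NOW + timedelta(days=2)),
    }
    return {name: evaluate(HISTORY, a, NOW) for name, a in attempts.items()}
```

Calling demo() scores three constructed attempts by Joe: a new phone from Brazil an hour after a New York login trips all four rules and is denied with an alert; his usual laptop from Boston five hours later raises nothing and is allowed; a new tablet from New York two days later trips only the rare-device rule and gets a challenge question. One design point the slide implies but does not spell out is the weighting: a profiling rule firing is a hint, so it adds one point, whereas the static impossible-travel scenario is close to proof and is weighted to reach the top tier on its own.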

Page 20:

Oracle Access Management 11gR2: Context Aware Security

Security policies need access to contextual information about identity

Identity context is available from different sources
– Can be static (ID Store Profile) or dynamic (User's Risk Score)

Too much dynamic information for applications to handle
– Managing "Identity Context" should be built into security infrastructure

Page 21:

Requirements for Identity Context

Identity Context 1.0:
• User Profile (Attributes, Groups)
• Application and Enterprise roles

Identity Context 2.0:
• User Profile (Attributes, Groups)
• Application and Enterprise roles
• Authentication Level of Assurance (Weak, Strong)
• Device State (Known, Managed, Trusted)
• Presence (Location, Historical Patterns)
• Business Partner Data (Federation Claims)
• Risk Assessment Data (Pattern Analysis)

Page 22:

Oracle Access Management 11gR2: Sample Context Attributes

Category: Attributes (Sample) – Component

Client: Is Firewall Enabled, Is Anti Virus Enabled, Device Fingerprint, Location – Enterprise SSO, Mobile and Social

Risk: Is Known Device, Is Trusted Device, Risk Score – Risk Analysis and Fraud Detection

Federation: Partner ID, Partner Attributes – Federation

Session: Session ID, any attribute in the current session – Web SSO

Identity: Any attribute in the user's ID Store profile, True/False result of a search – Web SSO, Directory Virtualization
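The Context Aware Authorization, Requirements for Identity Context and Sample Context Attributes slides above describe authorization decisions driven by an identity context bundle (session assurance level, device state, risk score, federation claims) with selective data redaction applied by the infrastructure rather than the application. The block below is an added example, not Oracle's code, of that evaluation: the attribute categories follow the table, but the policy contents, the 800 risk-score cut-off, the field names and the sample contexts are assumptions.

```python
# Added example, not Oracle's code: evaluating an "Identity Context 2.0" attribute bundle
# against transaction policies, including the selective data redaction from the Context
# Aware Authorization slide. The categories follow the slide's table; rule contents,
# thresholds, field names and the sample contexts are assumptions for this example.
from dataclasses import dataclass

LOA = {"weak": 1, "strong": 2}      # authentication level of assurance


@dataclass(frozen=True)
class Decision:
    effect: str            # "permit", "step_up" or "deny"
    reason: str
    redact: tuple = ()     # fields the infrastructure masks before the app sees them


def policy_wire_transfer(ctx):
    """Money movement: known and trusted device, strong assurance, low risk score."""
    risk, session = ctx["risk"], ctx["session"]
    if risk["score"] >= 800 or not risk["known_device"]:
        return Decision("deny", "risk score too high or device unknown")
    if not risk["trusted_device"]:
        return Decision("step_up", "untrusted device: require OTP before transfer")
    if session["loa"] < LOA["strong"]:
        return Decision("step_up", "weak authentication: require OTP before transfer")
    return Decision("permit", "context satisfies policy")


def policy_view_account(ctx):
    """Read-only view: always permitted, but PII is masked for federated partner
    users and for sessions that are not strong on a trusted device."""
    pii = ("account_number", "ssn")
    if ctx["federation"]["partner_id"] is not None:
        return Decision("permit", "partner user: mask PII", redact=pii)
    if not ctx["risk"]["trusted_device"] or ctx["session"]["loa"] < LOA["strong"]:
        return Decision("permit", "low-assurance session: mask PII", redact=pii)
    return Decision("permit", "full view")


POLICIES = {"wire_transfer": policy_wire_transfer, "view_account": policy_view_account}


def authorize(resource, ctx):
    """Entry point the security infrastructure (not the application) calls."""
    return POLICIES[resource](ctx)


def apply_redaction(record, decision):
    """Selective data redaction driven by the decision; the query itself is unchanged."""
    return {k: ("***" if k in decision.redact else v) for k, v in record.items()}


def sample_context(**overrides):
    """Constructed context bundle in the slide's categories; overrides apply per category."""
    ctx = {
        "identity": {"uid": "jsmith", "groups": ["employees"]},
        "session": {"id": "s-1", "loa": LOA["strong"]},
        "client": {"firewall": True, "antivirus": True, "fingerprint": "fp-7a", "location": "US"},
        "risk": {"known_device": True, "trusted_device": True, "score": 120},
        "federation": {"partner_id": None, "partner_attrs": {}},
    }
    for category, values in overrides.items():
        ctx[category].update(values)
    return ctx


RECORD = {"owner": "jsmith", "account_number": "1234567890", "balance": 42.0}   # constructed


def demo():
    """A wire transfer under four contexts, and an account view for a partner and an employee."""
    return {
        "trusted_strong": authorize("wire_transfer", sample_context()).effect,
        "untrusted_device": authorize("wire_transfer", sample_context(risk={"trusted_device": False})).effect,
        "weak_loa": authorize("wire_transfer", sample_context(session={"loa": LOA["weak"]})).effect,
        "high_risk": authorize("wire_transfer", sample_context(risk={"score": 950})).effect,
        "partner_view": apply_redaction(RECORD, authorize("view_account", sample_context(federation={"partner_id": "acme"}))),
        "employee_view": apply_redaction(RECORD, authorize("view_account", sample_context())),
    }
```

demo() returns permit for the trusted, strongly authenticated session, step_up for an untrusted device or weak assurance, and deny for a high risk score; the partner's account view comes back with the account number masked while the employee's is complete. The redaction is applied to the returned record by the same layer that made the decision, so the application's query and rendering code are untouched, which is the "No Code Changes Required" point on the Context Aware Authorization slide.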

Page 23:

Oracle Access Management 11gR2: Context and Risk Aware

(Figure: tiers – Device Tier (Smartphone, Tablet, Laptop, Server); DMZ & Web Tier (Web SSO); Application Tier (Application, Portal); Service Tier (Web Services, EJBs, Databases, Directories); also shown: Federation, SOA, Service Bus, Risk / Adaptive Authentication, Authorization, APIs, Context)

1. Collect attributes

2. Publish, propagate & evaluate attributes across Oracle's Fusion Middleware stack

Real-time context collection, propagation for risk analysis, authentication and authorization

Page 24:

Oracle Access Management 11gR2: Summary

An intelligent access platform that understands context and risk

Enhances security & improves user experience
– Intelligent flexible trust model

Lowers Total Cost of Ownership (TCO)

Page 25:

Customer Panel Discussion

Page 26:

Customer Panel

Cisco Systems – Ranjan Jain, Enterprise IT Architect

MITRE – Manish Gulati, Department Head - ERP Deployment & Maintenance

Page 27:

Q & A

Page 28:

Demo Pods (Moscone South)

Complete and Scalable Access Management

Mobile Access Management

Federation and Leveraging Social Identities

Page 29:

Sessions not to miss

Tuesday
10:15am – 11:15am • CON9437: Mobile Access Management – Moscone West, Room 3022
11:45am – 12:45pm • CON9491: Enhancing End User Experience with Oracle Identity Governance – Moscone West, Room 3008
1:15pm – 2:15pm • CON9447: Enabling Access for Hundreds of Millions of Users – Moscone West, Room 3008
5:00pm – 6:00pm • CON9465: Next Generation Directory – Oracle Unified Directory – Moscone West, Room 3008

Wednesday
10:15am – 11:15am • CON9458: Eliminate end-user managed passwords while increasing security with Oracle ESSO – Moscone West, Room 3008
11:45am – 12:45pm • CON9494: Sun2Oracle: Identity Management platform transformation – Moscone West, Room 3008
1:15pm – 2:15pm • CON9493: Identity Management and the Cloud – Moscone West, Room 3008
3:30pm – 4:30pm • CON9625: Real-time External Authorization for Middleware, Applications and Databases – Moscone West, Room 3008

Page 30:

Join the Oracle Community

Oracle.com/Identity

Twitter: twitter.com/OracleIDM

Facebook: facebook.com/OracleIDM

Oracle Blogs: Blogs.oracle.com/OracleIDM

Page 31:

Oracle Fusion Middleware: Business Innovation Platform for the Enterprise and Cloud

Complete and Integrated

Best-in-class

Open standards

On-premise and Cloud Foundation for Oracle Fusion Applications and Oracle Cloud

(Figure: platform components – User Engagement, Identity Management, Business Process Management, Content Management, Business Intelligence, Service Integration, Data Integration, Development Tools, Cloud Application Foundation, Enterprise Management; channels: Web, Social, Mobile)
