Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1
Nov 10, 2014
CON8819: Context and Risk Aware Access Control – Any Device Any Where
Svetlana Kolomeyskaya, Group Product Manager, Oracle
Ashish Kolli, Software Development Senior Director, Oracle
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
Market Trends
Oracle Access Management 11gR2 - Context and Risk Aware Access Control
Customer panel discussion
Q & A
Market Trends
Market Trend: New Mobile and Cloud Opportunities
The NEW Digital Experience
Mobile Cloud
Market Trend: Avoiding System Fragmentation & Reducing Cost
Accelerate deployment and simplify maintenance
Avoid multi-vendor gaps, performance issues, integration challenges, upgrade cycle timing
Reduce high TCO
Market Trend: Secure Access Anywhere, Anytime
Security for different user identities – work, social, mobile, etc.
Access anytime, anywhere, any device
Balance security vs. user experience
(Diagram: Access Management spanning Desktop, Web Based, Cloud, Mobile and APIs)
Oracle Access Management 11gR2 - Context and Risk Aware Access Control
Oracle Access Management 11gR2
Complete
Simplified
Innovative
Scalable
Oracle Access Management 11gR2
– Web Single Sign-on
– Federation
– Mobile and Social
– Authorization
– API Security
– Desktop application access
– Token Services
– Fraud Detection
Context Driven, Risk Aware
Oracle Access Management 11gR2 – Simplified and Innovative
Converged Services
– Authentication and SSO
– Federated SSO
– Mobile & Social
– Security Token Service
Innovation
– Mobile Security
– Social Identity
– REST Services
– Identity Context
Oracle Access Management 11gR2 – Flexible Policy Model
Adjusts authentication level based on application security requirements
Adapts security based on context
Mobile Authentication – Flexible Options for Devices, Applications and Users
Device Based Security
Mobile Device Information (OS, Carrier, Jailbroken, IP/MAC)
Device Registration / Fingerprint
Blacklist / Whitelist
Stronger Authentication (KBA, OTP, etc.)
Context Aware Authorization – Business Transactions, Selective Data Redaction
Context Aware
Standards Based
Full Audit Trail
No Code Changes Required
Oracle Access Management Social Identity – Social Sign On
(Flow: Select, then Login, then Authorize)
Behavior and Context Matter
Protected Resources
(Diagram: signals evaluated for John Smith before Verify ID: Password, Device Tracking, Location, Profile, Transaction Risk)
Authentication credential is valid but is this really John Smith?
Is anything suspicious about John’s behavior or the situation?
Can John answer a challenge if the risk is elevated?
Risk-Based Authentication – Improve Usability and Security
(Chart: RISK from LOW through MED-LOW and MED-HIGH to HIGH, against RESPONSE from ALLOW to DENY)
If the risk is low: Do nothing
If the risk is medium: Ask a challenge question
If the risk is high: Send a one-time password to the user's mobile phone
If the risk is very high: Deny access and alert the security team
Context-Aware Risk Analysis
• Dynamic behavioral profiling in real time
  • In the last month, has Joe used this device for less than 3% of his access requests?
  • In the last three months, have less than 1% of all users accessed from this country?
• Specific scenarios that always equate to risk
  • If a device appears to be traveling faster than jet speed between logins, the risk is increased.
• Indicates the probability that a situation would occur
  • Is the probability less than 5% that an access request would have this combination of data values?
Predictive Analysis
Pattern Profiling
Static Scenarios
Analyzes risk in Real-Time
Profiles Behaviors
Recognizes Patterns
Detects Anomalies
Takes Preventative Actions
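The three rule types on this slide (pattern profiling, static scenarios, predictive analysis) and the tiered response on the previous slide, worked through as an added example that is not code from the deck or from Oracle Access Management / Adaptive Access Manager: a small Python risk engine scores a login request against constructed access history and maps the score to allow, challenge, one-time password, or deny-and-alert. The 3%, 1%, 5% and faster-than-jet thresholds are the ones the slides quote; the points per rule, the 900 km/h figure used for "jet speed", the score bands for each response, and all users, devices, countries and coordinates are assumptions made for this example.

```python
"""Context-aware risk analysis with a tiered response: an added example, not
Oracle Adaptive Access Manager code. The 3 %, 1 %, 5 % and faster-than-jet
thresholds are the ones quoted on the slides; the points per rule, the 900 km/h
jet figure, the score bands and the sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

JET_SPEED_KMH = 900.0  # assumption: roughly an airliner's cruise speed

@dataclass
class Access:
    user: str
    device: str
    country: str
    lat: float
    lon: float
    when: datetime

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def assess(req, history):
    """Score one request against earlier accesses; returns (score, reasons)."""
    score, reasons = 0, []
    past = [h for h in history if h.when < req.when]
    # Pattern profiling: has this user used this device for < 3 % of requests in the last month?
    month = [h for h in past if h.user == req.user and req.when - h.when <= timedelta(days=30)]
    if month:
        share = sum(h.device == req.device for h in month) / len(month)
        if share < 0.03:
            score += 20
            reasons.append("device seen in %.0f%% of the user's requests this month" % (100 * share))
    # Pattern profiling: have < 1 % of all users' requests in the last three months come from this country?
    quarter = [h for h in past if req.when - h.when <= timedelta(days=90)]
    if quarter:
        share = sum(h.country == req.country for h in quarter) / len(quarter)
        if share < 0.01:
            score += 25
            reasons.append("country seen in %.0f%% of all requests this quarter" % (100 * share))
    # Static scenario: the device would have had to travel faster than a jet since the last login.
    mine = [h for h in past if h.user == req.user]
    if mine:
        last = max(mine, key=lambda h: h.when)
        hours = (req.when - last.when).total_seconds() / 3600
        speed = haversine_km(last.lat, last.lon, req.lat, req.lon) / hours
        if speed > JET_SPEED_KMH:
            score += 40
            reasons.append("implied travel speed %.0f km/h since last login" % speed)
    # Predictive analysis: is this combination of values seen in < 5 % of all requests?
    if past:
        combo = sum(h.device == req.device and h.country == req.country for h in past) / len(past)
        if combo < 0.05:
            score += 15
            reasons.append("device/country combination seen in %.0f%% of requests" % (100 * combo))
    return score, reasons

def respond(score):
    """Map a score to the tiered response on the risk-based authentication slide (bands assumed)."""
    if score < 25:
        return "allow"                        # low: do nothing
    if score < 50:
        return "challenge question"           # medium
    if score < 75:
        return "one-time password to mobile"  # high
    return "deny and alert security team"     # very high

# Constructed history: John logs in daily from a laptop in San Francisco and
# Alice daily from a phone in Seattle; dates and coordinates are illustrative.
BASE = datetime(2013, 9, 24, 9, 0)
SF, SYDNEY, SEATTLE = (37.77, -122.42), (-33.87, 151.21), (47.61, -122.33)

def sample_history():
    hist = [Access("john", "laptop-1", "US", *SF, BASE - timedelta(hours=1))]
    hist += [Access("john", "laptop-1", "US", *SF, BASE - timedelta(days=d)) for d in range(1, 40)]
    hist += [Access("alice", "phone-7", "US", *SEATTLE, BASE - timedelta(days=d)) for d in range(1, 61)]
    return hist

def scenarios():
    """Constructed requests for John: the usual case and three anomalies."""
    return {
        "usual laptop, SF": Access("john", "laptop-1", "US", *SF, BASE),
        "new tablet, SF": Access("john", "tablet-9", "US", *SF, BASE),
        "new tablet, Sydney, 25 h later": Access("john", "tablet-9", "XX", *SYDNEY, BASE + timedelta(days=1)),
        "new tablet, Sydney, 1 h later": Access("john", "tablet-9", "XX", *SYDNEY, BASE),
    }

if __name__ == "__main__":
    for label, req in scenarios().items():
        score, reasons = assess(req, sample_history())
        print("%s: score=%d -> %s; %s" % (label, score, respond(score), "; ".join(reasons) or "no findings"))
```

Running the four constructed scenarios shows the escalation the slides describe: John's usual laptop scores 0 and is allowed; a new device from his usual location trips only the profiling and combination rules (35, challenge question); a new device from an unseen country a day later adds the country rule (60, one-time password); the same request an hour after his last San Francisco login also trips the impossible-travel scenario (100, deny and alert). The rules are independent and additive, which is what lets a single weak signal step the user up while several together block outright.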
Oracle Access Management 11gR2 – Context aware security
Security policies need access to contextual information about identity
Identity context is available from different sources
– Can be static (ID Store Profile) or dynamic (User’s Risk Score)
Too much dynamic information for applications to handle
– Managing “Identity Context” should be built into security infrastructure
Requirements for Identity Context
Identity Context 1.0
• User Profile (Attributes, Groups)
• Application and Enterprise roles
Identity Context 2.0
• User Profile (Attributes, Groups)
• Application and Enterprise roles
• Authentication Level of Assurance (Weak, Strong)
• Device State (Known, Managed, Trusted)
• Presence (Location, Historical Patterns)
• Business Partner Data (Federation Claims)
• Risk Assessment Data (Pattern Analysis)
Oracle Access Management 11gR2 – Sample Context Attributes
Category | Attributes (Sample) | Component
Client | Is Firewall Enabled; Is Anti Virus Enabled; Device Fingerprint; Location | Enterprise SSO; Mobile and Social
Risk | Is Known Device; Is Trusted Device; Risk Score | Risk analysis and Fraud Detection
Federation | Partner ID; Partner Attributes | Federation
Session | Session ID; Any attribute in the current session | Web SSO
Identity | Any attribute in the user’s ID Store profile; True/False result of a search | Web SSO; Directory Virtualization
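How a policy could consume attributes like these, as an added example that is not part of the deck and not Oracle Access Management's own policy language: a small Python decision point takes an identity context of the kind the last two slides describe (profile groups, authentication level of assurance, device state, risk score, federation partner) and returns allow, step-up or deny for a resource, applying the selective data redaction mentioned earlier as an obligation on an allow. The resource names, the rules attached to them, the rank ordering of device states, and every threshold and sample value are assumptions.

```python
"""Context-aware authorization over an identity context: an added example, not
Oracle Access Management's policy model. Attribute names follow the slide
categories (profile groups, authentication level of assurance, device state,
risk score, federation partner); resources, rules and thresholds are assumed."""
from dataclasses import dataclass, field

# Ordered so that a requirement of "known" is also met by "managed" or "trusted".
DEVICE_RANK = {"unknown": 0, "known": 1, "managed": 2, "trusted": 3}
LOA_RANK = {"weak": 1, "strong": 2}

@dataclass
class IdentityContext:
    user: str
    groups: frozenset            # static: from the ID store profile (or federation claims)
    loa: str                     # authentication level of assurance: weak / strong
    device_state: str            # unknown / known / managed / trusted
    risk_score: int              # dynamic: from risk analysis, 0..100
    partner_id: str = None       # set when the user came in through a federation partner
    session: dict = field(default_factory=dict)

@dataclass
class Policy:
    groups: frozenset                        # membership in any of these grants entitlement
    min_loa: str = "weak"
    min_device: str = "unknown"
    max_risk: int = 100
    allow_partners: frozenset = frozenset()  # federation partners whose users may enter
    redact_below: str = "unknown"            # mask redact_fields unless device is at least this
    redact_fields: frozenset = frozenset()

# Hypothetical resources and rules.
POLICIES = {
    "/payroll": Policy(groups=frozenset({"hr"}), min_loa="strong", min_device="managed",
                       max_risk=40, redact_below="trusted",
                       redact_fields=frozenset({"ssn", "salary"})),
    "/supplier-portal": Policy(groups=frozenset({"supplier"}), max_risk=60,
                               allow_partners=frozenset({"acme-idp"})),
}

def decide(resource, ctx, record=None):
    """Return (decision, detail): allow with the (possibly redacted) record,
    step-up with what is required, or deny with the reason."""
    pol = POLICIES.get(resource)
    if pol is None:
        return "deny", "no policy for resource"
    # Federation: partner users only where the policy names their partner.
    if ctx.partner_id is not None and ctx.partner_id not in pol.allow_partners:
        return "deny", "federation partner %s not allowed" % ctx.partner_id
    # Identity: static profile data decides entitlement.
    if not (ctx.groups & pol.groups):
        return "deny", "user not in %s" % sorted(pol.groups)
    # Risk: a high score blocks regardless of valid credentials.
    if ctx.risk_score > pol.max_risk:
        return "deny", "risk score %d above %d" % (ctx.risk_score, pol.max_risk)
    # Assurance or device posture merely insufficient: step up rather than deny.
    if LOA_RANK[ctx.loa] < LOA_RANK[pol.min_loa]:
        return "step-up", "authentication level %s required" % pol.min_loa
    if DEVICE_RANK[ctx.device_state] < DEVICE_RANK[pol.min_device]:
        return "step-up", "device must be at least %s" % pol.min_device
    # Selective data redaction as an obligation attached to the allow.
    data = dict(record or {})
    if DEVICE_RANK[ctx.device_state] < DEVICE_RANK[pol.redact_below]:
        for name in pol.redact_fields:
            if name in data:
                data[name] = "***"
    return "allow", data

if __name__ == "__main__":
    # Constructed contexts and a constructed payroll record.
    record = {"name": "John Smith", "ssn": "000-00-0000", "salary": 1}
    hr_trusted = IdentityContext("john", frozenset({"hr"}), "strong", "trusted", 10)
    hr_managed = IdentityContext("john", frozenset({"hr"}), "strong", "managed", 10)
    hr_weak = IdentityContext("john", frozenset({"hr"}), "weak", "trusted", 10)
    hr_risky = IdentityContext("john", frozenset({"hr"}), "strong", "trusted", 75)
    partner = IdentityContext("pat", frozenset({"supplier"}), "weak", "unknown", 20, partner_id="acme-idp")
    for ctx, res in [(hr_trusted, "/payroll"), (hr_managed, "/payroll"), (hr_weak, "/payroll"),
                     (hr_risky, "/payroll"), (partner, "/supplier-portal"), (partner, "/payroll")]:
        print(ctx.user, res, decide(res, ctx, record))
```

The ordering of checks is the point: entitlement (static profile data) and risk (dynamic data) decide whether the user may be there at all, while an insufficient level of assurance or device posture produces a step-up instead of a denial, which is the "adjusts authentication level based on application security requirements" behaviour from the policy model slide. Redaction then lets the same user reach the same resource from a managed but not trusted device without exposing the fields that the device posture does not warrant.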
Oracle Access Management 11gR2 – Context and Risk Aware
(Architecture diagram)
Device Tier: Smartphone, Tablet, Laptop, Server
DMZ & Web Tier: Web SSO
Application Tier: Application, Portal
Service Tier: Web Services, EJBs, Databases, Directories
Other components shown: Federation, SOA, Service Bus, Risk / Adaptive Authentication, Authorization, APIs, Context
1. Collect attributes
2. Publish, propagate & evaluate attributes across Oracle’s Fusion Middleware stack
Real-time context collection, propagation for risk analysis, authentication and authorization
Oracle Access Management 11gR2 – Summary
An intelligent access platform that understands context and risk
Enhances security & improves user experience
– Intelligent flexible trust model
Lowers Total Cost of Ownership (TCO)
Customer Panel Discussion
Customer Panel
Cisco Systems – Ranjan Jain, Enterprise IT Architect
MITRE – Manish Gulati, Department Head - ERP Deployment & Maintenance
Q & A
Demo Pods (Moscone South)
• Complete and Scalable Access Management
• Mobile Access Management
• Federation and Leveraging Social Identities
Sessions not to miss
Tuesday
10:15am – 11:15am • CON9437: Mobile Access Management – Moscone West, Room 3022
11:45am – 12:45pm • CON9491: Enhancing End User Experience with Oracle Identity Governance – Moscone West, Room 3008
1:15pm – 2:15pm • CON9447: Enabling Access for Hundreds of Millions of Users – Moscone West, Room 3008
5:00pm – 6:00pm • CON9465: Next Generation Directory – Oracle Unified Directory – Moscone West, Room 3008
Wednesday
10:15am – 11:15am • CON9458: Eliminate end-user managed passwords while increasing security with Oracle ESSO – Moscone West, Room 3008
11:45am – 12:45pm • CON9494: Sun2Oracle: Identity Management platform transformation – Moscone West, Room 3008
1:15pm – 2:15pm • CON9493: Identity Management and the Cloud – Moscone West, Room 3008
3:30pm – 4:30pm • CON9625: Real-time External Authorization for Middleware, Applications and Databases – Moscone West, Room 3008
Join the Oracle Community
Oracle.com/Identity
Twitter: twitter.com/OracleIDM
Facebook: facebook.com/OracleIDM
Oracle Blogs: Blogs.oracle.com/OracleIDM
Oracle Fusion Middleware – Business Innovation Platform for the Enterprise and Cloud
Complete and Integrated
Best-in-class
Open standards
On-premise and Cloud Foundation for Oracle Fusion Applications and Oracle Cloud
(Diagram components: User Engagement; Identity Management; Business Process Management; Content Management; Business Intelligence; Service Integration; Data Integration; Development Tools; Cloud Application Foundation; Enterprise Management; Web, Social, Mobile)