The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Agenda
• Introduction
• Oracle Privileged Account Manager 11gR2
• OPAM and Oracle’s Governance Platform
• OPAM and Oracle Security Solutions
• Summary
• Q & A
Introduction
With Great Power Comes Great Risks
Root access across Databases, Directory Servers and Unix Servers
• Privileged accounts are a key entry point for fraud
• Difficult to monitor shared accounts across multiple administrators
• Excessive access privileges are the number one attack vector against databases
IDM – Overcome Threats and Regulations to Unlock Opportunities
Threats
• Increased Online Threat
• Costly Insider Fraud
Compliance
• Tougher Regulations
• Greater Focus on Risk
Opportunities
• Stronger Governance
• Social Media
• Cloud Computing
• Mobile Access
Figures from the 2011 Data Breach Investigations Report:
• 76% of data stolen from servers
• 86% of hacking involved stolen credentials
• 48% caused by insiders
• 17% involved privilege misuse
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Privileged Accounts – Most Powerful but Most Unprotected
• Unlimited power
• Shared passwords
• Never changed
• Access not audited or certified
• Unix/Linux, Windows, databases, applications, routers, firewalls etc.
• Each and every IT asset in the enterprise
Managing Privileged Access Is Not Well Defined
• Risk: using default system passwords is prone to risk
• Scale: manual solutions don't scale (like managing privileged access via spreadsheets)
• Cost: deploying point solutions can increase integration costs
Two Big Management Problems
• Identifying privileged accounts
• Tracking privileged accounts
The Right Approach Is Self-Reinforcing
Visibility across complete user access is key. The self-reinforcing cycle:
• Access Request
• Auto-Provisioning
• Reporting & Certification
• Remediation
Privileged Account Management – A Platform Approach
• Shared Connectors
• Centralized Policies
• Workflow Integration
• Common Reporting
Outcomes: Reduce Risk, Improve Compliance
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Oracle Offers Security at Every Layer – Security inside each layer and across layers
Layers: Infrastructure, Security Governance & Compliance, Identity & Access Management, Database Security, Cloud Services
Governance: Password Reset, Privileged Accounts, Access Request, Roles Based Provisioning, Role Mining, Attestation, Separation of Duties
Access: Web Single Sign-on, Federation, Mobile, Social & Cloud, External Authorization, SOA Security, Integrated ESSO, Token Services, Fraud Detection
Directory: LDAP Storage, Virtual Directory, Meta Directory
Platform Security Services
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
Oracle Privileged Account Manager 11gR2
Introducing Oracle Privileged Account Manager
• Secure vault to centrally manage passwords for privileged and shared accounts
• Targets include databases, operating systems, LDAP directories and Oracle FMW applications
• Multiple access points for OPAM users and administrators
• Automatic password change using the Identity Connector Framework
• Policy-based password check-out and check-in
• Flexible usage policies
• Customizable audit reports through BI Publisher and real-time status
• Extension to Identity Governance – OIM and OIA integration for complete governance
OPAM Architecture
A Typical Use Case
HR Application Database:
• User logs in as DBA
• Adds table to DB
• System out of space
Unix Server:
• User logs in as superuser
• Adds disk space
Flow between the user, Oracle Privileged Account Manager, the LDAP server and the targets:
• User requests the DBA password for the HR App Database
• OPAM verifies that the OPAM user is in the HR DBA role (LDAP server)
• OPAM sets the DBA password for the HR App Database based on the password policy for that database
• OPAM returns the DBA password
• User requests the Unix password; OPAM returns the Unix password
• User checks in the passwords
User Check-Out Password Screen (screenshot)
Supported Clients / Targets
• Generic Database Servers
• Generic LDAP Directories
• Generic UNIX Systems
Default Supported Targets
• OPAM will support all OIM ICF connectors
• Will ship with the following connectors
  • Generic UNIX
    • Any UNIX/LINUX server with SSH
  • Generic Database
    • Oracle 9i, 10g, 11g
    • Any
  • Generic LDAP
OPAM Benefits
• Enforce internal security policies and eliminate potential security threats from privileged users
• Cost-effectively enforce and attest to regulatory requirements
• Reduce IT costs through efficient self service and common security infrastructure
• Real-time usage reports
• Customizable audit reports through BI Publisher
OPAM and Oracle Access Management
• OAM provides access control to the OPAM service console
  • Centralized, policy-driven services for web application authentication
  • Web single sign-on
  • Session control
• OAAM for layered access control to the OPAM service console
  • Real-time fraud prevention
  • Software-based multifactor authentication
OPAM and Oracle's Governance Platform
Supports Oracle Identity Manager Enterprise Roles
• Request access
• De-provision access
• Reuse connectors
• Works with request catalog
OPAM, OIM and OIA – a Complete Governance Platform
• Use case 1 – OIM to provision users to the OPAM directory
  • Leverage OIM policy/role-based provisioning: a system admin may be provisioned to specific LDAP groups that OPAM uses for privileged account access
  • Workflow and approval will be followed as defined
• Use case 2 – Request for privileged account access through OIM
  • OIM publishes privileged account entitlements in the request catalog
  • An admin user uses access request self-service, searches the catalog, picks the privileged accounts he needs and submits them for approval
  • The request kicks off workflow and approval as defined
  • The user is provisioned with group membership after approval
  • The user can access OPAM for privileged password check-out and check-in
OPAM, OIM and OIA – a Complete Governance Platform
• Use case 3 – Break glass access request through OIM
  • Ability for admins to request emergency access to certain privileged account(s) they are normally not entitled to. E.g., a critical server is down but the designated server admin is not available.
  • The admin goes through the OIM request process as defined earlier, but indicates that this is a break glass emergency request
  • Submission of the request will kick off the break glass workflow with minimal or auto approval (per customer process)
  • The admin is presented with the privileged password for emergency use
  • A special alert is generated for the event and sent to security administrators
  • The access is automatically de-provisioned afterward (e.g., after some time)
OPAM, OIM and OIA – a Complete Governance Platform
• Use case 4 – Delegated access
  • Example: Bob is on vacation for 3 weeks, so Joe is authorized to access the accounts Bob has access to. Joe's access is revoked after Bob returns.
• Use case 5 – Risk-based certification and closed-loop remediation with OIA
  • Through the existing OIM–OIA integration and the OIM–OPAM integration, privileged access information is made available to OIA for certification
  • Risk can be calculated based on its privilege status and other data such as provisioning method etc.
  • If an access violation is found, it can be revoked through OIM–OIA closed-loop remediation
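The typical use case (role-checked password check-out, policy-driven password change on check-in) and use cases 3 and 4 (time-boxed break-glass access that alerts and auto-expires, and delegation that is revoked after a period) describe the same underlying mechanism: a vault that owns the secret and decides who may see it for how long. The following is an added, self-contained model of that mechanism, not OPAM's or Oracle's code. The group names, target names, policy values and timestamps are constructed, and the `Vault` class, its methods and the `demo()` walkthrough are hypothetical; a real deployment would check group membership against LDAP, change the password on the target through a connector, and write the audit trail to a reporting store.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    """Usage policy for one privileged account (values are constructed)."""
    length: int = 16                 # generated password length
    rotate_on_checkin: bool = True   # automatic password change after each use


@dataclass
class Target:
    name: str                        # constructed target name, e.g. "hr-app-db"
    account: str                     # privileged account on the target, e.g. "SYS"
    group: str                       # directory group whose members may check it out
    policy: Policy
    password: str = ""
    checked_out_by: Optional[str] = None


class Vault:
    """Hypothetical in-memory stand-in for a privileged account manager."""

    def __init__(self, ldap_groups: Dict[str, Set[str]]):
        self.groups = ldap_groups                        # group -> members (stand-in for LDAP)
        self.targets: Dict[str, Target] = {}
        self.grants: Dict[Tuple[str, str], int] = {}    # (user, target) -> expiry timestamp
        self.audit: List[Tuple[int, str, str, str]] = []
        self.alerts: List[str] = []

    @staticmethod
    def _generate(policy: Policy) -> str:
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(policy.length))

    def add_target(self, target: Target) -> None:
        target.password = self._generate(target.policy)  # the vault owns the secret from day one
        self.targets[target.name] = target

    def entitled(self, user: str, target: str, now: int) -> bool:
        t = self.targets[target]
        if user in self.groups.get(t.group, set()):
            return True                                  # regular role membership
        expiry = self.grants.get((user, target))
        return expiry is not None and now < expiry       # unexpired break-glass or delegation grant

    def checkout(self, user: str, target: str, now: int) -> str:
        t = self.targets[target]
        if not self.entitled(user, target, now):
            self.audit.append((now, "DENY", user, target))
            raise PermissionError(f"{user} is not entitled to {t.account}@{target}")
        if t.checked_out_by not in (None, user):         # exclusive check-out: one holder at a time
            raise RuntimeError(f"{t.account}@{target} is held by {t.checked_out_by}")
        t.checked_out_by = user
        self.audit.append((now, "CHECKOUT", user, target))
        return t.password

    def checkin(self, user: str, target: str, now: int) -> None:
        t = self.targets[target]
        if t.checked_out_by != user:
            raise RuntimeError(f"{user} does not hold {t.account}@{target}")
        t.checked_out_by = None
        if t.policy.rotate_on_checkin:
            t.password = self._generate(t.policy)        # the password the user saw is now useless
        self.audit.append((now, "CHECKIN", user, target))

    def break_glass(self, user: str, target: str, now: int, seconds: int) -> None:
        """Emergency grant: time-boxed, alerted to security admins, auto-expiring."""
        self.grants[(user, target)] = now + seconds
        self.alerts.append(f"BREAK-GLASS {user} -> {target} until t={now + seconds}")
        self.audit.append((now, "BREAK_GLASS", user, target))

    def delegate(self, delegator: str, delegate: str, now: int, seconds: int) -> List[str]:
        """Delegate inherits every target the delegator's groups entitle, until expiry."""
        granted = []
        for t in self.targets.values():
            if delegator in self.groups.get(t.group, set()):
                self.grants[(delegate, t.name)] = now + seconds
                granted.append(t.name)
        self.audit.append((now, "DELEGATE", delegator, delegate))
        return granted

    def expire_grants(self, now: int) -> List[Tuple[str, str]]:
        """Automatic de-provisioning: drop every grant whose expiry has passed."""
        expired = [k for k, exp in self.grants.items() if now >= exp]
        for user, target in expired:
            del self.grants[(user, target)]
            self.audit.append((now, "REVOKE", user, target))
        return expired


def demo() -> dict:
    """Walk through check-out/check-in, break glass and delegation; returns facts to check."""
    vault = Vault({"hr-dba": {"alice"}})               # constructed directory: alice holds the HR DBA role
    vault.add_target(Target("hr-app-db", "SYS", "hr-dba", Policy(length=20)))
    out = {}
    first = vault.checkout("alice", "hr-app-db", now=0)   # role check passes, password handed out
    vault.checkin("alice", "hr-app-db", now=60)           # check-in triggers the policy rotation
    out["rotated"] = vault.targets["hr-app-db"].password != first
    out["len_ok"] = len(first) == 20
    try:
        vault.checkout("bob", "hr-app-db", now=100)        # bob is not in hr-dba
        out["bob_denied"] = False
    except PermissionError:
        out["bob_denied"] = True
    vault.break_glass("bob", "hr-app-db", now=100, seconds=600)   # emergency, expires at t=700
    out["bob_emergency"] = vault.checkout("bob", "hr-app-db", now=150) is not None
    vault.checkin("bob", "hr-app-db", now=200)
    out["expired"] = vault.expire_grants(now=800)          # grant is gone, bob is back to DENY
    out["delegated"] = vault.delegate("alice", "joe", now=1000, seconds=3 * 7 * 86400)
    out["joe_ok"] = vault.checkout("joe", "hr-app-db", now=1000) is not None
    vault.checkin("joe", "hr-app-db", now=1001)
    out["alerts"] = len(vault.alerts)
    out["actions"] = [a[1] for a in vault.audit]
    return out
```

Two design points carry over to any real vault: the denied request is written to the audit trail just like the successful one, because a DENY on a privileged account is exactly the event a certification reviewer wants to see, and the break-glass and delegation paths never copy the user into the role group; they create a separate grant with an expiry, so de-provisioning is a timer rather than a human remembering to undo a group change.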
OPAM, OIM and OIA – a Complete Governance Platform
• Central governance of regular and privileged users
• Complete auditing, reporting and certification of users' individual and shared accounts
• More secure and more compliant
OPAM and Oracle Security Solutions
OPAM and Database Security
• Enterprise User Security allows non-privileged users to use their enterprise LDAP/AD password to connect to the database
• Database Vault provides stronger separation of duties for databases
• OPAM manages passwords for privileged users including SYS, SYSTEM and application accounts
• A complete Database Security solution from Oracle
Database User Management – Complete Solution
Service Description | Supported by
Use Existing Enterprise LDAP Passwords for End-User Passwords | EUS
Map Database Roles to Enterprise Roles | EUS
Manage SYS/SYSTEM Passwords | OPAM
Manage Application Passwords | OPAM
Manage non-Oracle database passwords | OPAM
Database Vault Integration – Complete Solution
Service Description | Supported by
Privileged user access control to limit access to application data | DB Vault
Multi-factor authorization for enforcing enterprise security policies | DB Vault
Secure application consolidation | DB Vault
Manage DB Vault Privileged Accounts Passwords like user_manager, sec_admin | OPAM
Manage SYS/SYSTEM and other DB Privileged Accounts Passwords | OPAM
OPAM and UNIX/LINUX User Management
• Oracle Authentication Services For Operating Systems (OAS4OS) enables non-privileged UNIX/LINUX users to authenticate to LDAP
• OAS4OS simplifies migration from NIS to LDAP
• OPAM provides password management for user accounts such as root and other privileged application accounts on the server
UNIX/LINUX User Management – Complete Solution
Service Description | Supported by
Use Existing Enterprise LDAP for End-User Passwords | OAS4OS
Map UNIX Groups & NIS Maps to LDAP | OAS4OS
Manage ROOT Passwords | OPAM
Manage superuser Application Account | OPAM
Manage Windows passwords | OPAM
Improve Security of Oracle Middleware and Database
• Application passwords are often privileged and unmanaged
• OPAM can automatically manage application passwords for software that uses Oracle Fusion Middleware or connects to Oracle database
• This includes:
  • Oracle Credential Security Framework (CSF)
  • Oracle Wallet (planned post R2)
Summary
• Improves compliance and auditing of privileged account activities
• Can be deployed standalone or as part of the complete Oracle Identity Governance platform
• A key component of Oracle Identity Governance
• Together with OIM and OIA
  • Central governance of regular and privileged users
  • Complete auditing, reporting and certification of users' individual and shared accounts
www.oracle.com/Identity
www.facebook.com/OracleIDM
www.twitter.com/OracleIDM
blogs.oracle.com/OracleIDM