Data Protection, Identity/Access Management and Governance, Risk and Compliance: Enabling Effective Security in an Insecure World

Date posted: 15-Dec-2015
Uploaded by: dexter-cade

Transcript

Page 1

Data Protection, Identity/Access Management and Governance, Risk and Compliance

Enabling Effective Security in an Insecure World

Page 2

Agenda

• Business Drivers and Pain Points
• Oracle Solution
  • Oracle Advanced Security
  • Oracle Label Security
  • Oracle Audit Vault
  • Oracle Database Vault
  • Oracle Identity Management
  • Oracle Identity Federation
  • Oracle Internet Directory
  • Oracle Virtual Directory
  • Oracle Access Manager
  • Oracle Enterprise Single Sign-On
• Summary/Contact Info

Page 3

Breaches Common Front Page News

Page 4

Publicly Available = Public Exposure

Page 5

Regulatory Compliance Challenges: Costly and Complex

• More global data privacy regulations: 90% of companies fail compliance
• Costly breach disclosure laws: $239/record, up to $35M/breach
• Complex IT requirements: separation of duties, proof of compliance, constant self-assessment, on-the-spot audit reporting

Regulations shown: SOX, K-SOX, GLBA, PCI, HIPAA, EU Directives, Basel II, PIPEDA, J-SOX, SAS 70, 21 CFR Part 11

Page 6

Enterprise Security Strategy Goals: Mitigate Risk and Cost

• Provisioning: streamline onboarding and offboarding; automate user account add/modify/delete to the content server
• Simplify and secure access to all content: SSO, unified web access control and web services security
• Secure stored data: protect data in motion, data at rest and data in hibernation
• Role management: holistic view of business users, job functions and entitlements
• Information Rights Management (IRM): protect sensitive/confidential information, audit usage, control actions; ensure destruction of obsolete/remote content based on business rules

Page 7

IT Landscape

[Diagram: three-tier landscape. Users: Employees, Customers, Partners. Presentation Tier: Web Servers, Web Services (External). Logic (Business) Tier: Packaged Apps (PSFT, EBS, Hyperion, Siebel, SAP), BI and Content Management, Portal and App Servers, Email / File Servers, Mainframe, Web Services (Internal). Data Tier: Databases, Directories, Data Warehouses, Unstructured Content.]

Page 8

Presentation Tier

[Diagram: the three-tier IT landscape from page 7, with the Presentation Tier highlighted]

This includes web servers, fat clients and externally exposed web services.

Page 9

Presentation Tier Solutions

[Diagram: the three-tier IT landscape from page 7, with the Presentation Tier highlighted]

• Risk-Based Authentication: deploy online fraud detection; use stronger forms of authentication than a password, such as software authenticators
• Self Service: deploy web-based, self-help tools for password reset, registration and account administration
• Centralize Authorization: centralize the protection of your web applications AND web services
• Single Sign-On: simplify user access with SSO for 1. web-based apps, 2. client/server-based apps, 3. partners, via federation

Page 10

Logic (Business) Tier

[Diagram: the three-tier IT landscape from page 7, with the Logic (Business) Tier highlighted]

This includes packaged applications, application servers, mainframes, email servers and file servers, as well as internal web services.

Page 11

Logic (Business) Tier Solutions

[Diagram: the three-tier IT landscape from page 7, with the Logic (Business) Tier highlighted]

• Identity Management: automate on-boarding, off-boarding and user changes based on HR data
• Enterprise-Level Role Management: mine, create and manage roles at an "Enterprise Level" spanning many applications
• Password Management: reduce the number of passwords by synchronizing them across systems
• Identity Audit/Governance: use an integrated, web-based system to:
  • Quickly tell you "Who has (and had) access to what?"
  • Schedule and delegate attestation of user entitlements
  • Notify you about rogue accounts

Page 12

Data Tier

[Diagram: the three-tier IT landscape from page 7, with the Data Tier highlighted]

This includes Oracle and non-Oracle databases, directories, file shares, etc.

Page 13

Data Tier Solutions

[Diagram: the three-tier IT landscape from page 7, with the Data Tier highlighted]

• Encryption: secure your data with integrated, tested and proven database options
• Database User Management: externalize and centralize users and passwords for database users in existing directories (like AD)
• Access Control: lock down access to ANY Oracle Database data (credit cards, employee data) from unauthorized access, even the DBA
• Lots of data stores, need a common view: create a single "virtual" LDAP view of heterogeneous data stores (directories, database tables, web services)

Page 14

Defense in Depth

[Diagram: three concentric layers. Users: authenticate, access control. Network: privacy and integrity of communications. Data: privacy and integrity of data, comprehensive auditing. Illustrated with a sample employee table (names and numbers) partitioned into Org 10, Org 20, Org 30 and Admin.]

Page 15

Data Privacy and Regulatory Compliance: Database Security Focus Areas

• Protecting Access to Application Data
• Data Classification
• Database Monitoring
• De-Identifying Information for Sharing
• Protecting Data-at-Rest

Page 16

Protecting Data Access: Oracle Database Vault

• Prevent privileged users from accessing data outside their authorization
• Eliminate security risks from database consolidation
• Enforce separation of duties, least privilege, and other policies
• No changes to existing applications required

[Diagram: a generic DBA, an HR App DBA and a FIN App DBA each issue SELECT * FROM HR.EMP. The HR schema sits inside an HR Realm and the FIN schema inside a FIN Realm; the HR Realm admits only the HR App DBA and blocks the other two.]

Page 17

Oracle Database Vault: Real-Time Multi-Factor Authorization

[Diagram: an HR application user issuing CONNECT is checked against business hours, and a FIN application DBA issuing CREATE is checked against an unexpected IP address, before either reaches the HR and FIN realms.]

• Command rules consider multiple factors
• Enforce two-admin rules and other security policies
• Prevent application by-pass and ad-hoc access
• Out-of-the-box policies for Oracle applications
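The realm from page 16 and the multi-factor command rule from page 17, as an added example that is not part of the original deck and not Oracle's own sample code. It is written against the documented DBMS_MACADM API. The schema HR, the application account HR_APP, the 10.1.2.0/24 subnet and the 08:00-18:00 window are illustrative, and it assumes Database Vault is enabled and the statements run as a DV_OWNER account.

```sql
-- Added example, not taken from the deck: an Oracle Database Vault realm around
-- the HR schema plus a CONNECT command rule that combines two factors, written
-- against the DBMS_MACADM API. Assumptions: Database Vault is enabled, the
-- statements run as a DV_OWNER account, and the schema HR, the application
-- account HR_APP, the subnet 10.1.2.0/24 and the 08:00-18:00 window are made up.

-- 1. Realm: fence off every object owned by HR. Once an object is inside a
--    realm, system privileges such as SELECT ANY TABLE no longer reach it, so a
--    FIN DBA or a generic DBA issuing SELECT * FROM HR.EMP gets ORA-01031.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR application data from non-HR DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit every blocked attempt

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',        -- all objects ...
    object_type  => '%');       -- ... of every type

  -- Only these two accounts may use system privileges against HR objects.
  -- Owner authorization also lets HR grant/revoke on its own objects;
  -- participant authorization is access only.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Multi-factor command rule on CONNECT. Each rule is a SQL expression over
--    factors; DVF.F$SESSION_USER and DVF.F$CLIENT_IP are the functions of the
--    default Session_User and Client_IP factors. The rule set passes if ANY
--    rule is true, so sessions other than HR_APP are untouched, while HR_APP
--    must satisfy both the time-of-day and the source-address factor.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Not The HR App Account',
    rule_expr => 'DVF.F$SESSION_USER <> ''HR_APP''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'HR App In Hours From App Subnet',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''18'' '
              || 'AND DVF.F$CLIENT_IP LIKE ''10.1.2.%''');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR App Connect Policy',
    description     => 'HR_APP connects only in business hours from the app subnet',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,   -- audit failed evaluations
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,    -- show the message below
    fail_message    => 'HR_APP may only connect 08:00-18:00 from 10.1.2.0/24',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR App Connect Policy', 'Not The HR App Account');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR App Connect Policy', 'HR App In Hours From App Subnet');

  -- CONNECT is not tied to an object, so owner and name are wildcards; the rule
  -- set decides, at login time, whether the session is allowed.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'HR App Connect Policy',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. Check the result from the Database Vault dictionary views.
SELECT realm_name, owner, object_name, object_type FROM dba_dv_realm_object;
SELECT realm_name, grantee, auth_options FROM dba_dv_realm_auth;
SELECT command, rule_set_name, enabled FROM dba_dv_command_rule;
```

Two caveats a practitioner should check before relying on this. Realm authorization grants nothing: HR_APP still needs its ordinary SELECT on HR.EMP, the realm only stops accounts that would otherwise get in through SELECT ANY TABLE and similar system privileges. A regular realm also does not block a direct object grant (GRANT SELECT ON hr.emp TO fin_dba still works); blocking those as well requires a mandatory realm, which exists from 12c onward. The "two-admin" point on the slide is the role split: DV_OWNER manages realms and rules, DV_ACCTMGR manages accounts, and a DBA holds neither, so no single administrator can both create an account and open the realm to it.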

Page 18

Protecting Data-at-Rest: Oracle Advanced Security

• Protect sensitive application data by transparently encrypting:
  • Specific columns (credit cards)
  • Entire application tables
  • The new SecureFile type (images, documents)
• Automated built-in key management
  • Two-tier scheme for separation of duties
  • Hardware Security Module (HSM) integration
• No changes to applications required
• Network encryption

[Diagram: an encrypted value rendered as ciphertext]
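The column, table and SecureFile encryption the slide lists, as an added example that is not part of the original deck and not Oracle's documentation. It uses the 11g wallet syntax (on 12c and later the two ALTER SYSTEM wallet statements are replaced by ADMINISTER KEY MANAGEMENT) and assumes SYSDBA, a wallet location already configured in sqlnet.ora, and made-up schema, table and file names.

```sql
-- Added example, not from the deck: Transparent Data Encryption (the TDE part
-- of Oracle Advanced Security) for a credit card column, a whole tablespace and
-- a SecureFiles LOB, using the 11g wallet syntax. Assumptions: SYSDBA, a
-- wallet location already configured in sqlnet.ora (ENCRYPTION_WALLET_LOCATION),
-- and made-up schema, table and path names. On 12c and later the wallet
-- statements are replaced by ADMINISTER KEY MANAGEMENT.

-- 1. Master encryption key. It lives in the wallet (or an HSM), never in the
--    database: this is the outer tier of the two-tier key scheme. The inner
--    tier, one key per encrypted table/tablespace, is stored in the data
--    dictionary wrapped by the master key, so a copy of the datafiles or a
--    dictionary dump alone is useless without the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet-passphrase-example";

-- After each instance restart the wallet must be opened before encrypted data
-- can be decrypted (an auto-login wallet removes this step, at the cost of the
-- passphrase no longer being a separate secret from the files on the host).
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet-passphrase-example";

-- 2. Column encryption: only the sensitive column changes on disk; the datatype
--    the application sees is unchanged. NO SALT is required when the column is
--    indexed (identical plaintext must produce identical ciphertext for an
--    equality lookup, and only equality lookups can use the index); a salted
--    column cannot be indexed at all, so leave the default SALT on columns
--    that never appear in a WHERE clause.
ALTER TABLE sales.payments
  MODIFY (credit_card ENCRYPT USING 'AES256' NO SALT);

-- 3. "Entire application tables" in 11g means tablespace encryption: every
--    segment created in the tablespace, indexes included, is encrypted at rest.
CREATE TABLESPACE secure_data
  DATAFILE '/u02/oradata/ORCL/secure_data01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. SecureFiles LOB encryption for documents and images held in the database.
CREATE TABLE hr.employee_docs (
  emp_id   NUMBER        NOT NULL,
  doc_name VARCHAR2(200),
  doc      BLOB)
  TABLESPACE secure_data
  LOB (doc) STORE AS SECUREFILE (ENCRYPT USING 'AES256');

-- 5. Verify what is actually encrypted; unverified encryption is the usual gap.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT t.name AS tablespace_name, e.encryptionalg
  FROM v$encrypted_tablespaces e JOIN v$tablespace t ON t.ts# = e.ts#;
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
```

TDE answers the stolen-disk, stolen-backup and OS-level-reader threat; it does nothing against an account that connects to the database with enough privilege, which is the case Database Vault on pages 16-17 covers. The "Network encryption" bullet is configured in sqlnet.ora rather than SQL, and the weak setting is the default one: SQLNET.ENCRYPTION_SERVER = ACCEPTED negotiates encryption but silently falls back to cleartext when the client declines. Setting SQLNET.ENCRYPTION_SERVER = REQUIRED with SQLNET.ENCRYPTION_TYPES_SERVER = (AES256), and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED with SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1), turns that fallback into a connection failure.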

Page 19

Data Classification: Oracle Label Security

• Classify data with labels
• Assign clearances to users
• Use classification labels to enforce security policies ("need to know")
• Labels can be "factors" in Oracle Database Vault policies

[Diagram: rows labeled Confidential, Sensitive and Highly Sensitive; user label authorizations of Sensitive and Highly Sensitive determine which rows each user can see.]
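The labels and clearances from the slide, as an added example that is not part of the original deck and not Oracle's own sample policy. It assumes OLS is installed, the administrative calls run as LBACSYS and the UPDATE statements run as HR, and the table HR.EMP, its JOB column, the label column name and the user names HR_ANALYST and HR_DIRECTOR are illustrative. The ranking Confidential < Sensitive < Highly Sensitive is also an assumption; the slide shows the three labels without ordering them.

```sql
-- Added example, not from the deck: an Oracle Label Security policy with the
-- three classifications the slide shows, applied to an illustrative HR.EMP
-- table, and two user clearances. Assumptions: OLS is installed, the
-- administrative calls run as LBACSYS, the UPDATE statements run as HR, and
-- all table, column, user and job names are made up. The ordering
-- Confidential < Sensitive < Highly Sensitive is also an assumption.

-- 1. Policy. Each protected table gets a hidden NUMBER column (here EMP_LABEL)
--    holding the row's label tag; READ_CONTROL filters SELECT, WRITE_CONTROL
--    filters INSERT/UPDATE/DELETE, HIDE keeps the column out of SELECT *.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POLICY',
    column_name     => 'EMP_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- 2. Levels are totally ordered by level_num; a clearance at one level reads
--    that level and everything below it ("need to know" by sensitivity).
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 1000, 'C',  'Confidential');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 2000, 'S',  'Sensitive');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 3000, 'HS', 'Highly Sensitive');
END;
/

-- 3. Data labels: the tag is the number stored in the label column. Labels
--    can also carry compartments and groups; levels alone are enough here.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1000, 'C');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 2000, 'S');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 3000, 'HS');
END;
/

-- 4. Apply the policy to the table (this adds EMP_LABEL) and give the schema
--    owner the FULL privilege so it can label the existing rows. FULL bypasses
--    the policy entirely, so it is taken back in step 5.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name => 'HR_POLICY',
    schema_name => 'HR',
    table_name  => 'EMP');
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POLICY', 'HR', 'FULL');
END;
/

-- As HR: classify rows. CHAR_TO_LABEL converts a label's short name to its tag.
UPDATE hr.emp SET emp_label = CHAR_TO_LABEL('HR_POLICY', 'HS') WHERE job = 'PRESIDENT';
UPDATE hr.emp SET emp_label = CHAR_TO_LABEL('HR_POLICY', 'S')  WHERE job = 'MANAGER';
UPDATE hr.emp SET emp_label = CHAR_TO_LABEL('HR_POLICY', 'C')  WHERE emp_label IS NULL;
COMMIT;

-- 5. As LBACSYS: clearances. HR_ANALYST (cleared to S) sees C and S rows; HS
--    rows are simply absent from its result sets, with no error. HR_DIRECTOR
--    (cleared to HS) sees every row. The write-side labels default from
--    max_read_label; pass max_write_label/min_write_label explicitly when a
--    user must read more than it may write.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('HR_POLICY', 'HR_ANALYST',  max_read_label => 'S');
  SA_USER_ADMIN.SET_USER_LABELS('HR_POLICY', 'HR_DIRECTOR', max_read_label => 'HS');
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POLICY', 'HR', NULL);   -- revoke FULL again
END;
/
```

Two things to verify after applying such a policy: that SYS and any account holding the EXEMPT ACCESS POLICY privilege are not in the audience you expect the labels to filter, since they bypass OLS predicates by design, and that the label column is actually HIDE-den from the application, otherwise SELECT * exposes the classification itself. The slide's last bullet is the combination that closes the first gap: an OLS label used as a factor in a Database Vault rule set means even a DBA's session carries a label that the realm can test.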

Page 20

De-Identifying Shared Information: Enterprise Manager Data Masking Pack

• Turn sensitive information into non-sensitive information for sharing
• Consistent masking via extensible format library
• Maintains referential integrity for applications
• Automated data masking for databases enterprise-wide

Production Database:

LAST_NAME | CREDIT_CARD      | AMT
AGUILAR   | 4408041254369873 | 80.00
BENSON    | 4417123456789112 | 60.00

Mask -> Cloned Database:

LAST_NAME  | CREDIT_CARD      | AMT
ANSKEKSL   | 4111111111111111 | 80.00
BKJHHEIEDK | 4408041234567890 | 60.00
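The two substitutions the table above shows, as an added example that is not part of the original deck and is not the Enterprise Manager Data Masking Pack itself: plain SQL and PL/SQL that make the two properties the slide promises, consistent masking and preserved referential integrity, visible. It assumes a cloned, non-production schema named CLONE holding CUSTOMERS and PAYMENTS tables that share a CREDIT_CARD column; every table, column and row below is constructed for the example.

```sql
-- Added example, not from the deck and not the Enterprise Manager Data Masking
-- Pack itself: the two substitutions the slide's table shows, written in plain
-- SQL and PL/SQL so that consistent masking and preserved referential integrity
-- are visible. Assumptions: a cloned, non-production schema CLONE with
-- CUSTOMERS and PAYMENTS both carrying CREDIT_CARD; every name and row below
-- is constructed for the example.

CREATE TABLE clone.customers (cust_id NUMBER PRIMARY KEY, last_name VARCHAR2(40), credit_card VARCHAR2(19));
CREATE TABLE clone.payments  (pay_id  NUMBER PRIMARY KEY, credit_card VARCHAR2(19), amt NUMBER(10,2));
INSERT INTO clone.customers VALUES (1, 'AGUILAR', '4408041254369873');
INSERT INTO clone.customers VALUES (2, 'BENSON',  '4417123456789112');
INSERT INTO clone.payments  VALUES (10, '4408041254369873', 80.00);
INSERT INTO clone.payments  VALUES (11, '4417123456789112', 60.00);
INSERT INTO clone.payments  VALUES (12, '4408041254369873', 25.50);   -- same card again
COMMIT;

-- 1. Format rule for card numbers: keep the 6-digit issuer prefix (BIN) so the
--    fake still looks like a card from that issuer, randomize the next nine
--    digits, and append a Luhn check digit so it passes the same validation a
--    real number would. Everything happens inside one call so each row's value
--    is computed exactly once (a non-deterministic expression referenced twice
--    in a merged inline view can be evaluated twice and give two stems).
CREATE OR REPLACE FUNCTION clone.mask_card(p_card IN VARCHAR2) RETURN VARCHAR2 IS
  l_stem VARCHAR2(15);
  l_sum  PLS_INTEGER := 0;
  l_d    PLS_INTEGER;
BEGIN
  l_stem := SUBSTR(p_card, 1, 6) || LPAD(TRUNC(DBMS_RANDOM.VALUE(0, 1e9)), 9, '0');
  -- Luhn: from the rightmost stem digit leftwards, double every other digit
  -- (the rightmost one included), subtract 9 from doubled values above 9, sum.
  FOR i IN 1 .. LENGTH(l_stem) LOOP
    l_d := TO_NUMBER(SUBSTR(l_stem, -i, 1));      -- i-th digit from the right
    IF MOD(i, 2) = 1 THEN
      l_d := l_d * 2;
      IF l_d > 9 THEN l_d := l_d - 9; END IF;
    END IF;
    l_sum := l_sum + l_d;
  END LOOP;
  RETURN l_stem || TO_CHAR(MOD(10 - MOD(l_sum, 10), 10));
END;
/

-- 2. Build the substitution ONCE, keyed by the original value, over the union
--    of every column that carries a card. Masking each table independently
--    would give the same card two different fakes and break the join.
CREATE TABLE clone.cc_map AS
SELECT credit_card AS orig_card, clone.mask_card(credit_card) AS masked_card
  FROM (SELECT credit_card FROM clone.customers
        UNION
        SELECT credit_card FROM clone.payments);
-- Two originals colliding on one fake would merge two customers' histories;
-- make that a hard failure rather than a silent data-quality problem.
ALTER TABLE clone.cc_map ADD CONSTRAINT cc_map_uq UNIQUE (masked_card);

-- 3. Apply the map to every table. Names are not a join key, so a fresh random
--    string of the same length per row is enough there.
UPDATE clone.customers c
   SET credit_card = (SELECT m.masked_card FROM clone.cc_map m WHERE m.orig_card = c.credit_card),
       last_name   = DBMS_RANDOM.STRING('U', LENGTH(last_name));
UPDATE clone.payments p
   SET credit_card = (SELECT m.masked_card FROM clone.cc_map m WHERE m.orig_card = p.credit_card);
COMMIT;

-- 4. Verify before discarding the map: no original card survives anywhere,
--    and every payment still joins to exactly one customer.
SELECT COUNT(*) AS surviving_originals
  FROM clone.cc_map m
 WHERE EXISTS (SELECT 1 FROM clone.customers c WHERE c.credit_card = m.orig_card)
    OR EXISTS (SELECT 1 FROM clone.payments  p WHERE p.credit_card = m.orig_card);   -- expect 0
SELECT COUNT(*) AS orphan_payments
  FROM clone.payments p
 WHERE NOT EXISTS (SELECT 1 FROM clone.customers c WHERE c.credit_card = p.credit_card);   -- expect 0

-- 5. The map links real cards to fakes and is itself sensitive: destroy it.
DROP TABLE clone.cc_map PURGE;
```

The point of the map table is the slide's "consistent masking": one substitution per distinct original value, applied everywhere that value occurs, is what keeps foreign keys and application joins working on the clone. Run this only against the clone, never against the source the clone was taken from, and remember that the masked value is the only copy you want to survive: the clone's undo, redo and any backup taken before the DROP still hold the mapping, so a masking job should run before the clone is handed over and the clone should be backed up only afterwards.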

Page 21

Monitoring Database Activity: Oracle Audit Vault

• Manage audit data
  • Secure consolidation of audit data from all Oracle databases
  • Centrally manage all Oracle database audit settings
• Detect suspicious activities
  • Monitor all database users, especially privileged users
  • Alert on unauthorized activities
• Simplify compliance reporting
  • Built-in compliance reports
  • Define custom reports

[Diagram: audit data flows from Oracle databases (and, in future, other sources) into Oracle Audit Vault.]

Page 22

Audit Vault Reports: Out-of-the-box Audit Assessments and Reports

• Out-of-the-box reports: privileged user activity, role grants, DDL activity
• User-defined reports:
  • What did privileged users do on the financial database?
  • What did user 'A' do across multiple databases?
  • Who accessed sensitive data?
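The audit settings Audit Vault collects from (page 21) and queries answering the report questions on page 22 for a single source database, as an added example that is not part of the original deck and not Audit Vault's own report definitions. It assumes Oracle 11g standard auditing with AUDIT_TRAIL set to DB,EXTENDED, SYSDBA for the settings, and the schemas FIN and HR, the table FIN.GENERAL_LEDGER and the role name DBA as the definition of "privileged" are illustrative.

```sql
-- Added example, not from the deck: the standard database audit trail that
-- Audit Vault consolidates, switched on for the events the deck's reports
-- rely on, plus three queries that answer the slide's sample questions from
-- one source database. Assumptions: Oracle 11g, AUDIT_TRAIL=DB,EXTENDED,
-- run as SYSDBA; FIN.GENERAL_LEDGER, HR.EMP and "privileged = holds DBA" are
-- illustrative choices.

-- 1. Audit settings on the source database.
ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE=SPFILE;   -- EXTENDED keeps SQL text; restart required
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE=SPFILE;   -- SYS/SYSDBA actions go to the OS trail
-- Privileged-user activity and schema changes (DDL):
AUDIT ALTER ANY TABLE, DROP ANY TABLE, CREATE ANY PROCEDURE, ALTER ANY PROCEDURE BY ACCESS;
AUDIT GRANT ANY ROLE, GRANT ANY PRIVILEGE, ROLE BY ACCESS;
AUDIT CREATE USER, ALTER USER, DROP USER BY ACCESS;
-- Access to the sensitive objects themselves; BY ACCESS writes one record per
-- statement rather than one summary per session, which is what a report needs.
AUDIT SELECT, INSERT, UPDATE, DELETE ON fin.general_ledger BY ACCESS;
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.emp BY ACCESS;

-- 2. "What did privileged users do on the financial database?"
SELECT a.timestamp, a.username, a.os_username, a.userhost,
       a.action_name, a.owner, a.obj_name, a.sql_text, a.returncode
  FROM dba_audit_trail a
 WHERE a.username IN (SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA')
   AND a.timestamp > SYSDATE - 1
 ORDER BY a.timestamp;

-- 3. "Who accessed sensitive data?" RETURNCODE <> 0 marks attempts that failed
--    (for example ORA-01031 from a Database Vault realm), usually the rows
--    worth reading first.
SELECT a.timestamp, a.username, a.action_name,
       a.owner || '.' || a.obj_name AS object_name, a.returncode
  FROM dba_audit_trail a
 WHERE a.owner IN ('FIN', 'HR') AND a.obj_name IN ('GENERAL_LEDGER', 'EMP')
   AND a.timestamp > SYSDATE - 7
 ORDER BY a.timestamp;

-- 4. Role and privilege grants: who received what, and who granted it.
SELECT a.timestamp, a.username AS granted_by, a.grantee,
       a.obj_name AS role_or_object, a.action_name, a.priv_used
  FROM dba_audit_trail a
 WHERE a.action_name IN ('GRANT ROLE', 'GRANT OBJECT', 'SYSTEM GRANT')
 ORDER BY a.timestamp;
```

The reason the slide stresses "secure consolidation" is visible in the first query: DBA_AUDIT_TRAIL is a view over SYS.AUD$, a table inside the very database the privileged user administers, so a DBA who wants to hide an action can delete the record of it. Shipping the records off-box as they are written, which is what the Audit Vault collector does, turns that delete into a second audited event rather than a cover-up. The cross-database question on the slide ("what did user 'A' do across multiple databases?") is the same query run over the consolidated repository with a source-database column added.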

Page 23

Identity Management – Key Areas

• Access Control: Single Sign-On, Identity Federation, Web Access Control, Web Services Security*
• Identity Administration: User and Role Management, User Provisioning
• Identity Infrastructure: Virtual Directory, Directory

*Oracle Web Services Manager is licensed separately from the Identity and Access Management Suite

Page 24

Enterprise Identity Management

[Diagram: an Identity Management Service sitting between the people and systems that use it (Employees, IT Staff, Partners, Customers; external and internal; SOA applications; delegated admin) and the systems and repositories it manages (NOS/Directories, OS (Unix), Applications: ERP, CRM, HR, Mainframe), with Policy and Workflow, Auditing and Reporting, and Monitoring and Management as cross-cutting functions.]

Identity Management Service:

• Access Management
  • Authentication & SSO
  • Authorization & RBAC
  • Identity Federation
• Identity Administration
  • Delegated Administration
  • Self-Registration & Self-Service
  • User & Group Management
• Directory Services
  • LDAP Directory
  • Meta-Directory
  • Virtual Directory
• Identity Provisioning
  • Agent-based
  • Agentless
  • Password Synchronization

Page 25

Oracle Identity Manager

Features
• Automated user provisioning and de-provisioning
• Rich, flexible connector framework
• User-friendly request & policy wizards
• Sophisticated workflow & reconciliation engines
• Unique compliance automation & reporting

Benefits
• Reduced administration cost
• Improved end user experience
• Critical for regulatory compliance
• Improved security

Differentiators
• Enables compliance via comprehensive audit history and periodic attestation framework
• Powers the largest global provisioning implementation by number of targets
• Adapter Factory significantly lowers the TCO of customers' solutions over time

[Diagram: application-driven identity flow. A user is created or removed in the HR system (HRMS); workflow assigns or revokes roles and privileges; the identity system provisions accounts and access rights in the business applications.]

Page 26

Oracle Identity Federation

Features
• Identity and trust sharing across business partners, both as Service Provider (hub) and Identity Provider (spoke)
• Lightweight, multi-protocol gateway: SAML, Liberty, WS-Federation
• Integrates with leading Identity Management platforms

Benefits
• Reduced cost of interaction between business partners
• Reduced administration cost
• Improved end user experience

Differentiators
• Self-contained, easy to deploy solution
• Flexible deployment configurations
• Rich, 100% web-based configuration interfaces for improved administrator and end user experience
• Proven scalability: large production deployments

Page 27

Oracle Internet Directory

Features
• Full-featured LDAP server with an RDBMS data store
• Industry-leading scalability and HA capabilities
• Strong Oracle platform integration
• VSLDAP certified and EAL4 compliant

Benefits
• Reduced operational cost with Oracle Grid support
• Seamless integration with Oracle Applications and Products

Differentiators
• RDBMS backend provides proven scalability and performance
• Rich, built-in auditing of all events and operations
• Flexible data replication and redundancy features
• Ships with built-in directory integration functionality

Page 28

Oracle Virtual Directory

Features
• Virtualization, proxy, join and routing capabilities
• Modern Java and web services technology
• Superior extensibility
• Scalable multi-site administration
• Direct data access

Benefits
• Perform real-time directory integration
• Accelerate application deployment
• Lower development costs

Differentiators
• Lightweight and flexible architecture
• Supports true virtualization without a local cache, enabling stringent policy or privacy requirements
• Modular architecture supports the addition of connectors to a wide array of identity stores

[Diagram: LDAP and web services clients enter through the LDAP interface and web gateway into the VDE directory engine, which presents a join view over a local store, LDAP, database, NT and custom back ends.]

Page 29

Oracle Access Manager

Features
• Multi-level, multi-factor authentication
• Web and app server level authorization
• Workflow-driven self-service and delegated administration
• Services-based architecture eases integration with existing IT infrastructure

Benefits
• Policy-based access management
• Centralized and consistent security across heterogeneous environments
• Reduced administration cost
• Increased IT governance and compliance readiness

Differentiators
• Administrative scalability via workflow and delegation
• Access control leverages up-to-date identity information
• Comprehensive auditing to a common database

[Diagram: Authentication, Authorization, Identity Admin]

Page 30

Oracle Enterprise Single Sign-on (ESSO) Suite

• Oracle ESSO Logon Manager is an event-driven single sign-on solution that eliminates the need for end users to remember and manage their sign-on credentials
• Oracle ESSO Password Reset enables end users to reset their Windows password from a locked workstation (note: also available stand-alone)
• Oracle ESSO Authentication Manager enables end users to authenticate with forms of strong authentication and grants specific levels of access based on the form of authentication used
• Oracle ESSO Provisioning Gateway enables OIM to add, edit and delete credentials within an end user's Oracle ESSO credential store
• Oracle ESSO Kiosk Manager provides fast user switching and sign-on/sign-off support for kiosk users

Page 31

Oracle Enterprise Security Solutions: Addresses Top 3 Security Focus Areas

[Diagram: products mapped onto the three focus areas IT Governance, IT Risk Management and IT Compliance. Products shown: Oracle Access Manager, Oracle eSSO Suite, Advanced Security Option, Oracle Secure Backup, Oracle Identity Federation, Oracle Virtual Directory, Oracle Identity Manager, Oracle Internet Directory, Oracle Application Server SSO, Database Vault, Oracle Label Security, Oracle Audit Vault, Contents DB / Records DB, Oracle Web Services Manager, Oracle IRM (sensitive documents), Oracle OAACG (Application Control).]

Page 32

Strongest Vendor According To

"Oracle is currently the IdM vendor to beat"
- VantagePoint 2007: Identity and Privacy Trends in Enterprise IT

"Oracle continues to increase in mindshare while broadening its IdM portfolio."
- VantagePoint 2008: Identity and Privacy Trends in Enterprise IT

Page 33

Market Leader According To

"Oracle has established itself as Leader."
- The Forrester Wave: Identity And Access Management, Q1 2008

"Oracle reached the top of our evaluation through a combination of the breadth, depth, interoperability, and packaging of its IAM features alongside the strategy and current state of market execution on its application-centric identity vision."
- The Forrester Wave: Identity And Access Management, Q1 2008

Page 34

TUSC – Trusted Oracle Expertise Across Technology and Applications

Information Age Applications
• Oracle E-Business Suite
• PeopleSoft Enterprise
• Siebel CRM
• JD Edwards EnterpriseOne
• JD Edwards World
• Oracle Retail
• i-flex
• Communications Billing
• ProfitLogic
• G-Log

Fusion Middleware
• Application Server
• Integration / SOA
• Hot-Pluggable
• Business Intelligence
• Identity Management
• Data Hubs
• Collaboration Services
• Process Orchestration
• Java Development Tools

Database and Grid Computing
• Database
• Real Application Clusters (RAC)
• Enterprise Manager
• Partitioning
• OLAP
• Security
• Lite
• TimesTen

Page 35

Contact Us

West: Brian Decker, [email protected], (626) 836-9574
South/Central: Lisa DiNitto, [email protected], (770) 325-2191
East/Central: Mike Margulies, [email protected], (203) 293-4422

For additional information and consultation:

Oracle Investment Value Analysis™
• Review of existing Oracle topology and architecture, including deployment growth and capacity analysis
• Review of existing Oracle license ownership and license surplus/exposure analysis
• License optimization recommendations, including leveraging maximum available discounts and financing options

Solutions Requirements Assessments
• Security/Identity/Compliance healthcheck and other delivery options