Friday Aug 23, 2013

Implementing Oracle Identity & Access Governance with Database Security (Deloitte)

As organized cyber-attacks become more sophisticated and targeted, organizations, particularly those in the financial and health sectors, have come under strict regulations. Growing security risks from both internal and external sources have put the focus on preventive and detective controls working together to protect data. In this edition of the Oracle IAM blog series, we look at how an organization can use Oracle's Identity and Access Management technologies together with Oracle's database security offerings.

Challenge

Traditionally, encryption has been treated as the required approach to protecting information. However, the complexity of today's information systems has led to a defense-in-depth approach to database security that layers stronger preventive and detective controls. In addition to encryption, preventive measures should restrict who within the organization can reach the data at all. Compliance requirements, on the other hand, have driven adoption of detective controls such as database activity monitoring and auditing. Detective controls complement preventive controls by recording attempts to connect to the information system, generating activity reports, and supporting investigations of potential breaches.

A common concern in many organizations is the lack of insight into what access users actually have. This usually stems from multiple places where users are created manually and from ad-hoc processes, such as a phone call, for granting access to applications. By relying on incoherent manual processes to provide, monitor and audit user access, the organization exposes the privacy and integrity of its information to serious risk. Deloitte approaches this problem by leveraging solutions like Oracle's IAM stack to proactively restrict database access by defining user profiles and centrally managing the user life cycle. This, coupled with preventive and detective controls at the database itself, offers a holistic approach to securing information.

Separation of Duties

Separation of duties is an important component of managing user access because it divides responsibility for sensitive tasks among multiple people, so that no one person has all the power. Oracle Database Vault, an option for Oracle Database, protects against insider threats by restricting read/write access to sensitive data even for privileged accounts. For example, an administrator can be allowed to manage the storage of a table while being denied access to its contents, because the administrator's system privileges (such as SELECT ANY TABLE) no longer apply to objects inside a protected realm. By securing access to data based on multiple factors such as the calling application, the client IP address and other pre-determined conditions, organizations gain granular control over what, when, where and how users can access sensitive data.
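The realm model described above, as an added example that is not part of the original post or of any Deloitte or Oracle deliverable: PL/SQL against the Database Vault DBMS_MACADM API that fences off a hypothetical PAYROLL schema from privileged accounts and adds an IP-based command rule. The schema, account, realm and rule-set names and the 10.0.5.20 address are assumptions chosen for illustration; the package and view names are Oracle's.

```sql
-- Added example (not from the original post): a Database Vault realm around a
-- hypothetical PAYROLL schema, run as an account holding the DV_OWNER role.
-- PAYROLL, PAYROLL_APP, 'Payroll Realm' and 10.0.5.20 are assumed names/values.
BEGIN
  -- 1. The realm: system privileges such as SELECT ANY TABLE or ALTER ANY
  --    TABLE stop working on objects inside it. Failed attempts are audited
  --    so the detective side can see who tried.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Payroll Realm',
    description   => 'Blocks privileged-user access to PAYROLL data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Protect every table in the schema (wildcard object name).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Payroll Realm',
    object_owner => 'PAYROLL',
    object_name  => '%',
    object_type  => 'TABLE');

  -- 3. Only the application account is a realm participant. A participant
  --    can use the protected objects but cannot grant others access to them.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Payroll Realm',
    grantee       => 'PAYROLL_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 4. Multi-factor condition: ALTER TABLE on payroll tables is allowed only
  --    from the application host. DVF.F$CLIENT_IP is the built-in IP factor.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Host',
    rule_expr => 'DVF.F$CLIENT_IP = ''10.0.5.20''');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Payroll DDL Rule Set',
    description     => 'Allow schema changes only from the application host',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Payroll DDL is only permitted from the application host',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Payroll DDL Rule Set',
    rule_name     => 'From App Host');

  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Payroll DDL Rule Set',
    object_owner  => 'PAYROLL',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Verification. As a DBA account that relies on SELECT ANY TABLE, the realm
-- refuses the read (expect ORA-01031: insufficient privileges):
SELECT COUNT(*) FROM payroll.salaries;

-- As PAYROLL_APP from any host other than 10.0.5.20, the command rule refuses
-- the DDL with the fail_message above; from the application host it succeeds.
ALTER TABLE payroll.salaries ADD (review_date DATE);

-- Configuration review: what the realm protects and who is authorized.
SELECT r.name, o.owner, o.object_name, a.grantee
  FROM dba_dv_realm r
  JOIN dba_dv_realm_object o ON o.realm_name = r.name
  LEFT JOIN dba_dv_realm_auth a ON a.realm_name = r.name
 WHERE r.name = 'Payroll Realm';
```

Two caveats a reviewer should check for: a realm blocks the system-privilege path, not access the PAYROLL owner already has or object privileges granted directly to another account, so those grants still need to be reviewed; and the realm is only as strong as the protection of the DV_OWNER and DV_ACCTMGR roles themselves, which is exactly the separation of duties the paragraph above is asking for.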

Deloitte’s strategy lets the client manage access to its data layer by separating access paths, such as internal and external clients, or types of access such as web and mobile applications. Oracle Access Manager controls a user’s access to web applications, and Oracle Entitlement Server lets administrators control what a user can see within an application.

Preventive Controls

The first step in this direction is a least-privilege approach: each user gets a base profile granting the minimum access to the database that their job requires. These profiles can be configured through Oracle Identity Manager (OIM). If a user’s business function requires elevated access, it can be requested through a central portal and provisioned automatically through OIM once approved. The approval requirement adds a layer of control for the client over what a user can view or modify.

For granular access control, the information stored within the database should be ranked by sensitivity; this can be achieved by deploying Oracle Label Security (OLS). With OLS in place, each row carries a label and each user is authorized for a range of labels; a user can read or write a row only when the user’s label dominates the row’s label. The levels are defined according to the organization’s requirements, with the highest level assigned to the most sensitive information. For finer control, data can also be placed in “compartments”, need-to-know groupings that are independent of the level, so that a row labelled with the highest level and the financial compartment is visible only to users cleared for both that level and that compartment.
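The level-and-compartment scheme just described, as an added example that is not code from the original post or from Deloitte or Oracle: an OLS policy with three levels and two compartments applied to a hypothetical HR.EMPLOYEE_RECORDS table, with two users whose authorizations differ. The policy, schema, table, column, user and label names are assumptions; the SA_* packages and the CHAR_TO_LABEL/LABEL_TO_CHAR functions are Oracle’s.

```sql
-- Added example (not from the original post): an Oracle Label Security policy
-- that ranks rows by sensitivity level and compartment. Run as LBACSYS or a
-- user holding the policy's HR_POLICY_DBA role. HR_POLICY, HR, EMPLOYEE_RECORDS,
-- PAY_ANALYST and HR_CLERK are assumed names.
BEGIN
  -- The policy adds a label column to protected tables and enforces it on
  -- both reads and writes.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'HR_POLICY',
    column_name     => 'HR_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL');

  -- Levels: the ordered sensitivity ranking; a higher number is more sensitive.
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 10, 'PUB',  'PUBLIC');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 20, 'CONF', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_LEVEL('HR_POLICY', 30, 'HS',   'HIGHLY SENSITIVE');

  -- Compartments: need-to-know groupings that are not ordered against each other.
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 100, 'FIN', 'FINANCIAL');
  SA_COMPONENTS.CREATE_COMPARTMENT('HR_POLICY', 200, 'MED', 'MEDICAL');

  -- Data labels combine a level with zero or more compartments ("LEVEL:COMP").
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 1000, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 2000, 'CONF');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 3100, 'HS:FIN');
  SA_LABEL_ADMIN.CREATE_LABEL('HR_POLICY', 3200, 'HS:MED');

  -- Apply the policy; HIDE keeps the label column invisible to existing SQL.
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'HR_POLICY',
    schema_name   => 'HR',
    table_name    => 'EMPLOYEE_RECORDS',
    table_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- The schema owner labels the rows, so it bypasses the policy with FULL.
  SA_USER_ADMIN.SET_USER_PRIVS('HR_POLICY', 'HR', 'FULL');

  -- A payroll analyst may read HS rows, but only in the FIN compartment...
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'HR_POLICY',
    user_name       => 'PAY_ANALYST',
    max_read_label  => 'HS:FIN',
    max_write_label => 'HS:FIN',
    min_write_label => 'CONF',
    def_label       => 'CONF',
    row_label       => 'CONF');

  -- ...while a general HR clerk never sees anything above CONFIDENTIAL.
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'HR_POLICY',
    user_name       => 'HR_CLERK',
    max_read_label  => 'CONF',
    max_write_label => 'CONF',
    min_write_label => 'PUB',
    def_label       => 'CONF',
    row_label       => 'CONF');
END;
/

-- As HR: label the rows. CHAR_TO_LABEL converts the text label to its tag.
UPDATE hr.employee_records SET hr_label = CHAR_TO_LABEL('HR_POLICY', 'HS:FIN')
 WHERE record_type = 'SALARY';
UPDATE hr.employee_records SET hr_label = CHAR_TO_LABEL('HR_POLICY', 'HS:MED')
 WHERE record_type = 'MEDICAL';
UPDATE hr.employee_records SET hr_label = CHAR_TO_LABEL('HR_POLICY', 'CONF')
 WHERE record_type NOT IN ('SALARY', 'MEDICAL');

-- Check. As PAY_ANALYST this returns CONF and SALARY rows; MEDICAL rows are
-- silently filtered because HS:MED is not dominated by HS:FIN. As HR_CLERK
-- only the CONF rows come back.
SELECT record_type, LABEL_TO_CHAR(hr_label) AS label, COUNT(*) AS rows_seen
  FROM hr.employee_records
 GROUP BY record_type, LABEL_TO_CHAR(hr_label);
```

The point to notice is that the analyst's HS clearance does not unlock the medical records: dominance requires the user's level to be at least the row's level and the user's compartments to include all of the row's compartments, which is what makes compartments useful for the "financial" case the paragraph describes. Note also that OLS filters rows rather than raising an error, so application code cannot tell whether a row is absent or merely invisible; pair it with auditing if that distinction matters to investigators.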

Detective Controls

As mentioned above, Oracle Database Vault provides security by preventing access. Much can also be done to secure information above the data level: database defense-in-depth includes database activity monitoring and auditing. Oracle Database Firewall monitors SQL traffic to the database to detect and block threats, and Oracle Audit Vault consolidates audit data from databases, operating systems, directories and other sources to improve compliance reporting. The following illustration shows how the two can work together:


Logs from the Database Firewall and other systems on the network can be fed into the Audit Vault. Custom and template-driven database activity reports can then be generated to help address compliance and regulatory requirements.

Conclusion

Deloitte suggests organizations establish a database defense-in-depth strategy that includes multiple layers of both preventive and detective security controls. By logging the entire process of user account creation, access grants, role changes and account termination, the organization gains a 360-degree view of access governance. Detective controls add valuable context for investigations and provide a critical layer of security during a breach. If network firewalls are bypassed, or in the case of an insider threat, preventive controls at the database offer a strong last line of defense. Since these controls are granular, they can be configured to limit employees to their day-to-day activities. Identity and access management helps set up workflows for provisioning and defining roles to limit access; this, coupled with encryption, activity monitoring and reporting, forms a holistic defense-in-depth approach to security and compliance.

Monday Jan 28, 2013

Gartner Positions Oracle as a Leader for Identity Management

Oracle Named a Leader in both Gartner Magic Quadrant for Identity and Access Governance and User Administration/Provisioning Reports

Once again, Gartner has named Oracle as a Leader in both of its recently published Identity Management reports - Gartner Magic Quadrant for Identity and Access Governance, 2012, and Gartner Magic Quadrant for User Administration/Provisioning, 2012.  Read the press release for more information.

Recently Gartner published their Magic Quadrant Report for User Administration and Provisioning, December 2012 and Oracle was named a Leader.

Figure 1. Magic Quadrant for User Administration and Provisioning


Source: Gartner (December 2012).

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Oracle here. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner describes leaders in user administration/provisioning as, “high-momentum vendors (based on sales, world presence and mind share growth). They possess impressive track records in UAP use across most industry segments. Business investments position them well for the future. Leaders demonstrate balanced and exceptional progress and effort in the Ability to Execute and Completeness of Vision categories. They possess comprehensive feature sets and enjoy reasonable customer satisfaction. They can — and often do — change the course of the industry.”

Gartner also published their Magic Quadrant Report for Identity and Access Governance, December 2012 and Oracle is a leader.

Figure 1. Magic Quadrant for Identity and Access Governance

Source: Gartner (December 2012)

Identity and Access Governance solutions offer business users identity analytics and reports to address governance, audit and compliance challenges. According to Gartner, leaders in Identity and Access Governance (IAG), “deliver a comprehensive toolset for the governance of identities and access. Leaders also show evidence of superior vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically show strong revenue growth and demonstrate customer satisfaction with IAG capabilities and/or related service and support.”


Oracle’s position in the Leaders Quadrant in both User Provisioning and Identity and Access Governance Reports further confirms that organizations recognize the advantages of a platform approach to Identity Management and that the benefits of an integrated solution far outweigh those of deploying individual, point solutions. The recently announced Oracle Identity Governance Suite offers customers proven, industry leading and tightly integrated user provisioning, identity & access governance and privileged account management capabilities.

If you are looking at user provisioning and/or compliance solutions, we suggest you start by downloading these analyst reports and our recently issued press release on the subject. For more information on Oracle’s platform approach to Identity Management and to learn more about our best-in-class Identity Management solutions, visit us at www.oracle.com/identity or contact us via our online communities: Facebook, Blog and Twitter.

Thursday Sep 15, 2011

Security Inside Out Newsletter - September Edition

This month’s edition of the Oracle Security Inside Out newsletter is now available.

In this edition we look at some of the OpenWorld sessions that you just don't want to miss. We also discuss Oracle Unified Directory 11g, and reveal the latest in identity management webcasts, videos, events and more.

If you don’t have a subscription to this bi-monthly security information update, you can sign up here.

For a full listing of all the Identity Management sessions at this year's OpenWorld, check out the FocusOn document.

Tuesday Aug 30, 2011

Got Audit Eye?

Are you at a loss come audit time? Still trying to figure out how you can realistically confirm for ALL your employees and across ALL your enterprise systems who has access to what and when? You are not alone; just check out this video and remember Oracle Identity Analytics can help.
