Tuesday Jun 18, 2013

The Keys to the Password Vault by Matthew Scott (aurionPro SENA)

Super user accounts are, unfortunately, a necessary evil. It’s just a fact of life in the IT industry that someone, somewhere, has to have the ability to make fundamental (and therefore potentially catastrophic!) changes to key systems.

One of my least favourite experiences as a consultant was gaining access to an account through a process that was reminiscent of a spy thriller – the password was typed onto a card, which was cut in two, with each half stored in a separate safe and each key entrusted to a meticulous security officer. Navigating the procedures to get the halves together in time to be useful was a trial of persuasion and scheduling – I can see why Tom Cruise prefers to abseil in through the roof instead of filling in yet another form!

Compliance officers are increasingly scrutinising privileged accounts and the processes that control access to them – not surprisingly, since surveys have shown that up to a quarter of IT professionals have experienced misuse of such accounts, and almost half of all companies fail to manage these accounts in accordance with the law (http://www.computerweekly.com/news/2240111956/One-in-four-IT-security-staff-abuse-admin-rights-survey-shows). The results can be spectacular and sobering – the UBS trader Kweku Adoboli cost his company $2.3 billion after making disastrous trades using a privileged account which he was not authorised to use.

Thankfully, there is now a better way. As we’ve seen in this series, with the ESSO suite the technology exists to manage user passwords without the user having to actually ‘know’ that password. It is possible to extend this functionality to include those previously hard-to-manage privileged accounts by introducing Oracle Privileged Accounts Manager (OPAM). OPAM acts as a secure password vault for privileged accounts, but unlike other password vaults it can be connected directly to the ESSO Logon Manager agent so that passwords can be requested, obtained and used, all from the user’s desktop.

OPAM is particularly useful for companies with large, decentralised UNIX environments. We are currently engaged with a large financial organisation which has several hundred servers, with various distributions of Linux and UNIX that are managed by different teams. With OPAM, all those precious root accounts have for the first time been corralled together in one location, where they can be released as needed to any authorised user. OPAM is equally adept at managing identities stored in directories, including Windows service accounts within Active Directory.

To calm the fears of any compliance officers who may be reading these words nervously, it is possible to implement workflows to control the request process. This may include approvals from a higher authority, complete with email or mobile notifications to the approver. And of course ESSO and OPAM feature end-to-end audit trails – from request, to check out, to each use of the privileged account, through to check in. Tracking who has been doing what with each account has never been easier.

In addition to managing privileged accounts, the ESSO suite also allows users to distribute their personal accounts in a similar manner. Many of us have experienced the frustration of needing access to a system, a record or an email only to discover that the person with access is on holiday or otherwise unavailable. In extreme cases, this may require that the absent user’s Windows account be reset to allow another user to log on and gain access. ESSO’s Account Delegation allows these key users to pro-actively devolve their account credentials to another user for a set period – no passwords required!

Wednesday Sep 19, 2012

Security Newsletter – September Edition is Out Now

The September issue of Security Inside Out Newsletter is out now. This month’s edition offers a preview of Identity Management and Security events and activities scheduled for Oracle OpenWorld. Oracle OpenWorld (OOW) 2012 will be held in San Francisco from September 30-October 4. Identity Management will have a significant presence at Oracle OpenWorld this year, complete with sessions featuring technology experts, customer panels, implementation specialists, product demonstrations and more. In addition, the latest technologies will be on display at the OOW demogrounds. Hands-on Labs sessions will allow attendees to do a technology deep dive and train with technology experts.

Executive Edge @ OpenWorld also features the very successful Oracle Chief Security Officer (CSO) Summit. This year’s summit promises to be a great educational and networking forum complete with a contextual agenda and attendance from well known security executives from organizations around the globe.

This month’s edition also does a deep dive on the recently announced Oracle Privileged Account Manager (OPAM). Learn more about the product’s key capabilities, business issues the solution addresses and information on key resources. OPAM is part of Oracle’s complete and integrated Oracle Identity Governance solution set.

And if you haven’t done so yet, we recommend you subscribe to the Security Newsletter to keep up to date on Security news, events and resources.

As always, we look forward to receiving your feedback on the newsletter and what you’d like us to cover in the upcoming editions.

Tuesday Sep 04, 2012

ISACA Webcast follow up: Managing High Risk Access and Compliance with a Platform Approach to Privileged Account Management

Last week we presented how Oracle Privileged Account Manager (OPAM) could be used to manage high risk, privileged accounts. If you missed the webcast, here is a link to the replay: ISACA replay archive (NOTE: you will need to use Internet Explorer to view the archive)

For those of you that did join us on the call, you will know that I only had a little bit of time for Q&A, and was only able to answer a few of the questions that came in. So I wanted to devote this blog to answering the outstanding questions. Here they are.

1. Can OPAM track admin or DBA activity details during a password check-out session?

Oracle Audit Vault monitors these activities, which can be correlated with check-out events.

2. How would OPAM handle simultaneous requests?

OPAM can be configured to allow for shared passwords. By default, sharing is turned off.

3. How long are the passwords valid?  Are the admins required to manually check them in?

Password expiration can be configured and set in the password policy according to your corporate standards. You can specify whether you want forced check-in or not.

4. Can 2-factor authentication be used with OPAM?

Yes - 2-factor integration with OPAM is provided by integration with Oracle Access Manager, and Oracle Adaptive Access Manager.

5. How do you control access to OPAM to ensure that OPAM admins don't override the functionality to access privileged accounts?

OPAM provides separation of duties by using Admin Roles to manage access to targets and privileged accounts and to control which operations admins can perform.

6. How and where are the passwords stored in OPAM?

OPAM uses Oracle Platform Security Services (OPSS) Credential Store Framework (CSF) to securely store passwords.  This is the same system used by Oracle Applications.

7. Does OPAM support hierarchical/level based privileges?  Is the log maintained for independent review/audit?

Yes. OPAM uses the Fusion Middleware (FMW) Audit Framework to store all OPAM related events in a dedicated audit database.

8. Does OPAM support emergency access in the case where approvers are not available until later?

Yes. OPAM can be configured to release a password under a "break-glass" emergency scenario.

9. Does OPAM work with AIX?

Yes. Supported UNIX versions are listed in the "certified component section" of the UNIX connector guide at:

10. Does OPAM integrate with Sun Identity Manager?

Yes. OPAM can be integrated with SIM using the REST APIs. OPAM has direct integration with Oracle Identity Manager 11gR2.

11. Is OPAM available today and what does it cost?

Yes. OPAM is available now. Ask your Oracle Account Manager for pricing.

12. Can OPAM be used in SAP environments?

Yes. Supported SAP versions are listed in the "certified component section" of the SAP connector guide here: http://docs.oracle.com/cd/E22999_01/doc.111/e25327/intro.htm#autoId0

13. How would this product integrate, if at all, with access to particular fields in the DB that need additional security, such as SSNs?

OPAM can work with DB Vault and DB Firewall to provide fine-grained access control for databases.

14. Is VM supported?

As a deployment platform Oracle VM is supported. For further details about supported Virtualization Technologies see Oracle Fusion Middleware Supported System configurations here: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

15. Where did this (OPAM) technology come from?

OPAM was built by Oracle Engineering.

16. Are all Linux flavors supported? How about BSD?

BSD is not supported. For supported UNIX versions, see the "certified component section" of the UNIX connector guide.

17. What happens if users don't check passwords in at the end of a work task?

In OPAM, a time frame can be defined for how long a password may remain checked out. The security admin can force a check-in at any time.

18. Is MySQL supported?

Yes. Supported DB versions are listed in the "certified component section" of the DB connector guide here: http://docs.oracle.com/cd/E22999_01/doc.111/e28315/intro.htm#BABGJJHA

19. What happens when OPAM crashes and you need to use the password?

OPAM can be configured for high availability, but if required, OPAM data can be backed up and recovered. See the OPAM admin guide.

20. Is OPAM a standalone product, or does it leverage other components from IDM?

OPAM can be run stand-alone, but it will also leverage other IDM components.
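To make the check-out lifecycle from these answers concrete, here is an added Python model written for this post; it is not OPAM's code or API. It implements the rules as stated above: sharing off by default, approval-gated requests, break-glass release when no approver is available, a time-boxed check-out that expires on its own, a forced check-in by a security admin, and an audit record for every event. The account, user and host names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class VaultAccount:
    """One privileged account held in a vault (illustrative model, not OPAM)."""
    name: str
    shared: bool = False                          # concurrent check-out off by default
    requires_approval: bool = True                # request normally goes to an approver
    max_checkout: timedelta = timedelta(hours=4)  # policy-defined check-out window
    holders: dict = field(default_factory=dict)   # user -> time the check-out expires
    audit: list = field(default_factory=list)     # (timestamp, event, user)

    def _log(self, event, user, now):
        self.audit.append((now.isoformat(timespec="minutes"), event, user))

    def expire_stale(self, now):
        """Auto check-in any holder whose window has elapsed (question 17)."""
        for user, expiry in list(self.holders.items()):
            if now >= expiry:
                del self.holders[user]
                self._log("AUTO_CHECKIN", user, now)

    def checkout(self, user, now, approved=False, break_glass=False):
        """Return True if the password is released to `user`."""
        self.expire_stale(now)
        if self.requires_approval and not approved and not break_glass:
            self._log("DENIED_NO_APPROVAL", user, now)   # waits for the workflow
            return False
        if self.holders and not self.shared and user not in self.holders:
            self._log("DENIED_IN_USE", user, now)        # question 2: no sharing
            return False
        self.holders[user] = now + self.max_checkout
        self._log("BREAK_GLASS_CHECKOUT" if break_glass else "CHECKOUT", user, now)
        return True

    def checkin(self, user, now, forced_by=None):
        """Normal check-in by the holder, or a forced check-in by an admin."""
        if user not in self.holders:
            return False
        del self.holders[user]
        self._log(f"FORCED_CHECKIN:{forced_by}" if forced_by else "CHECKIN", user, now)
        return True

def demo():
    """Walk one constructed root account through the scenarios; return its audit trail."""
    t0 = datetime(2012, 9, 4, 9, 0)
    root = VaultAccount("root@db-host-01")                           # constructed target
    root.checkout("alice", t0)                                       # no approval yet
    root.checkout("alice", t0, approved=True)                        # released
    root.checkout("bob", t0 + timedelta(minutes=30), approved=True)  # in use -> denied
    root.checkin("alice", t0 + timedelta(hours=1), forced_by="secadmin")
    root.checkout("bob", t0 + timedelta(hours=1), break_glass=True)  # approver unavailable
    root.expire_stale(t0 + timedelta(hours=6))                       # window elapsed
    return root.audit
```

Every denied request is logged as well as every release, so the audit trail alone shows who asked for the account, who held it, and whether the break-glass path was used.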

