Declarative security-oes
- 1. <Insert Picture Here> Introducing Oracle Entitlements Server 11g
- 2. This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. 2
- 3. Agenda <Insert Picture Here> • Oracle Entitlements Server Overview • Oracle Entitlements Server 11g – What’s New? • Planning Your Deployment (SENA Systems) 3
- 4. Homegrown Applications Pose Significant Risk • Vast Majority of Apps are Homegrown • 50% of applications budgets on in-house software * • Homegrown Apps often host sensitive information • Homegrown Apps are more vulnerable to security breaches * For large companies in competitive, fast-moving industries such as telecommunications, financial services, high tech, pharmaceuticals, and media, those outlays can run into hundreds of millions of dollars. 4
- 5. State of Security Solutions Today Homegrown Apps, Cloud Applications Mobile Computing SOA, and Portals • Evolving security • Modern IT initiatives needs and compliance require enforcement of • Security policies are mandates require granular access fragmented constant application privileges • Often host sensitive retooling resulting in • Insufficient tooling and information that is higher costs and support for developing vulnerable to security diminished service apps that require fine- risks. levels. grained authorization 5
- 6. Declarative Security Examples Users Roles Privileges Resource Context Equity Trades Mortgage Equity • NASDAQ trading 10am-4pm Fund • Restrict Trade Sizes to < $100K • By Geography Municipal Equity • Daily trading limit of $5M • By Trade limit Fund Amy Harris Junior Traders • Unauthorized for trading Equity Research Oil & Gas • Authorized for Review of Energy • By Vertical industry Semiconductors Companies listed on NYSE • By Line of Business • Authorized for access to research reports Ellen Stewart Equity Analyst Mortgage Equity • Authorized for 24x7 Trading Equity Trades Fund • Rebalancing of Small-Cap Funds Rebalance Funds Municipal Equity • Daily Trading Limit of $1B Fund Steve Jackson Fund Manager
- 7. Oracle Entitlements Server Fine-grained Authorization for Web Applications, Portals, Middleware & Databases
- 8. Oracle Entitlements Server Sample Fine-grained Authorization Policies • Example Policies • Junior Traders can submit nstock trades / day with a total value of $5M, during regular trading hours, if market volatility is low • Sensitive patient information should not be visible to clerical workers but allowed for Specialists as long as consent has been given or an emergency • Call Center Reps need approval from a Supervisor to transfer a support case to Engineering • Documents of a given type, sensitivity, and content is only available to employees of (x,y,z) with sufficient clearance, grade, and authentication level 8
- 9. Announcing Standards-based, Real-time External Authorization 9
- 10. Oracle Entitlements Server 11g Key Design Themes Real-time Rapid Application Comprehensive Authorization Integration Standards Support 10
- 11. Real-time Authorization with Oracle Entitlements Server 11g • Massively scalable External Authorization Management • Scales easily to large number of protected resources • Hundreds of millions of users • Thousands of roles • From small workgroups to mission-critical deployments • Authorization checks enforced with real-time latency 11
- 12. Oracle Entitlements Server 11g Key Design Themes Real-time Rapid Comprehensive Authorization Application Standards Support Integration 12
- 13. Fine-grained Authorization for SOA & Web Services isAuthorized(user = Bob Doe, userOrg = Acme Corp Request userRole = Marketing Manager customerId = 99999 HTTP GET/POST action =getCustomerDetail) Web Client REST XML Web SOAP Web REST/SOAP Service Service Client JMS <SOAP:Envelope> … <SOAP:Body> <getCustomerDetailResponse> <customerID>99999</customerID> <name> Sally Smith </name> Oracle Entitlements Server <phone> 555-1234567 </phone> <SSN>***********</SSN> <creditCardNo>@^*%&@$#%!</creditCardNo> <purchaseHistory> … </purchaseHistory> •Selective Data Redaction & Encryption of the Response </getCustomerDetailResponse> response payload </SOAP:Body> </SOAP:Envelope> •OES authorization decision returns an “Obligation” with information on what to redact and/or encrypt 13
- 14. Data Security withOracle Entitlements Server Security Module Security Module Oracle Entitlements Security Module Server (Admin Security Module Server) • Enforcement of data security for heterogeneous data sources - RDBMS, Object Relational, XML, Multi-Dimensional Cubes • Enforcement of security at Data, Business Logic and Presentation tiers • Integrates with Oracle and non-Oracle Databases, Hibernate, TopLink 14
- 15. Native & Custom Integrations Portals and Content Management Identity Management App Servers & Dev Frameworks XML Gateways Middleware Data Sources 15
- 16. Oracle Entitlements Server 11g Key Design Themes Real-time Rapid Application Comprehensive Authorization Integration Standards Support 16
- 17. Comprehensive Standards Support with Oracle Entitlements Server 11g • Supports modern authorization standards • Attribute based Access (ABAC, XACML, OpenAZ) • Role based Access (NIST RBAC, Enterprise RBAC) • Java security frameworks (JAAS) • Choice and flexibility ensures protection of existing investments • Supports different IT maturity levels for externalizing authorization • Commitment to innovation, contribution and implementation of open standards. 17
- 18. 18| © 2011 Oracle Corporation – Proprietary and Confidential
Editor's Notes
- #5: The problem is that some of the most mission critical applications are still home grown. This is especially true in industries where the line of business applications can provide a competitive advantage. Today 50% of application budgets are spent on Home grown apps.In Financial services – trading platforms and wealth management applications are a competitive advantage and are typically home grown In health care – the claims management and optimization systems These applications also hold the most critical information for a business – This would be consumer information, product data and market information. These applications are usually at the top of the audit list for most regulated companies. These apps are also the most vulnerable because the security is typically hard coded into the application and difficult to change. Most of these applications have the toughest audit constraints.When new regulations come out companies have to spend millions of dollars to retool the applications and developers re-invent security policy within the application. In cases like Societe General its just a matter of time before an insider outsmarts the system.To reduce the risk companies need a solution that will separate access to data and transactions in a policy driven solution that can change without re-tooling the application and provide high scale authorization to grow with the business