S308250 Securing Your PeopleSoft Application
Greg Kelly, Product Strategy Manager, PeopleTools
Edwin Lorenzana, IDM Program Manager, City of Boston
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
- City of Boston experience
- New security features in PeopleTools 8.50

City of Boston PeopleSoft/Identity Management Implementation
Definitions
- Identity Management (IDM): the process by which the components of an identity management system manage the account life cycle for the entities in an organization; most commonly it refers to managing an organization's application users.
- Provisioning: a technology- and process-based solution for enforcing and managing the creation, reading, update and deletion of user accounts according to a defined security policy. Provisioning is also a means of propagating security policy, for example by setting access rights on managed systems from group memberships and/or role assignments.
- Authentication: the process of verifying the identity claimed by an entity, based on its credentials.
- Authorization: the process of determining whether a user has the right to access a requested resource.
- Authorization policies: declarations that define the entitlements of a security principal and any constraints on those entitlements.
- Account life cycle: the steps taken to provision, change and eventually remove a user's access to a given system resource.
- RBAC (role-based access control): granting access to a system resource according to the roles assigned to the user, evaluated programmatically, rather than through per-user grants.
- Authoritative resource: the system of reference for employment status and position description.
- Target system resource: the system or application in which automated provisioning takes place.
- LDAP: the Lightweight Directory Access Protocol, an application protocol for querying and modifying directory services over TCP/IP.
- Single sign-on: a property of access control across multiple related but independent software systems, where a user logs in once and gains access to all of them without being prompted to log in again at each. Single sign-off is the reverse property: one sign-out action terminates access to all of them.

What is IDM? Identity and access as a service
- Actors: policy managers, DBAs, end users, applications and services
- Capabilities: self-service, delegated administration, identity and role lifecycle management, identity analytics, authentication and authorization, monitoring, fraud prevention, workflow, RBAC and segregation of duties (SoD)
- Benefits: trusted and reliable security; efficient regulatory compliance; lower administrative and development costs; enabling online business networks; better end-user experience
Account Life Cycle: what are we capturing? (diagram: manual new-hire employee provisioning process)
Account Life Cycle: what about removal of access? (diagram: manual employee de-provisioning process)
Phase 1 PeopleSoft Integration
In an IDM integration PeopleSoft plays two roles:
- Authoritative resource
- Target system/resource
Business Requirement
In fiscal year 2007-2008 the City of Boston (COB) contracted Oracle Identity Management consultants, KPMG auditors and independent security consultants to assess COB's various MIS environments. One focus area was the lifecycle of user identities across the enterprise and the data security controls in place on COB's user stores and applications. The findings produced two sets of goals:
- The first set is driven by business demand for a single sign-on solution that streamlines the account lifecycle through automated provisioning, together with improvements to the current authentication and authorization methods.
- The second set comes from the regulatory and audit findings of the 2007 KPMG audit of COB's financial and MIS systems. Those findings require COB to establish a security and risk management strategy with controls that satisfy regulatory compliance requirements. The solution must safeguard the private data of City of Boston residents and employees held in the various user account repositories and applications managed by the COB MIS teams.

PeopleSoft/IDM Integration Goals
Address the City of Boston's tactical need to provision PeopleSoft HCM user accounts, in support of its rollout of PeopleSoft Portal and Employee Self-Service, by implementing:
- An authoritative resource for user data
- A centrally managed LDAP directory
- Automated provisioning of PeopleSoft user accounts
- Access control to PeopleSoft Portal/Self-Service
PeopleSoft Integration Challenges: define an authoritative resource for user data
- Discover which user directory or user store holds all user data
- The directory must provide data describing each user's employment status and position
- Define the account life cycle for employees and non-employees
- The data an IDM integration needs is usually not collected by an organization in one central place
- The directory/user store must be able to communicate with the IDM suite

PeopleSoft Integration Challenges: centrally managed LDAP directory
- No enterprise user directory containing all users exists
- The current Active Directory environment is highly decentralized, and accounts are managed independently by each City of Boston department; Active Directory domain trusts are not implemented
- Decentralization, while sensible within the distributed, autonomous culture of the City's departments, inevitably leads to inconsistent levels of security across the Active Directory domains
- The absence of a centrally managed LDAP directory has to be addressed before a single sign-on solution can be implemented

PeopleSoft Integration Challenges: automated provisioning of PeopleSoft user accounts
- The primary obstacle to the initial rollout is that thousands of new user accounts must be provisioned securely and efficiently
- Ensure that access to employee data is limited to the employee concerned
- Provide non-employee access to the portal
- Ensure that accounts are disabled at termination of employment
- Provide a roadmap for meeting audit and compliance goals

PeopleSoft Integration Challenges: access control to PeopleSoft Portal/Self-Service
- Integrate with existing PeopleSoft authentication
- Provide web single sign-on
- Centralize password self-service
- Delegate administration to non-IT/MIS staff
- Integrate with the enterprise directory
- Enforce the password policy
Proposed Architecture IDM/PeopleSoft Integration - Server Topology Diagram
PeopleSoft Integration Solutions: authoritative resource for user data (PeopleSoft HR)
- The PeopleSoft HR database serves as the authoritative source for all identity data within the City of Boston, since it holds all employee data
- Programmatic authentication/access decisions are made by the IDM system from the user status and job data received from PeopleSoft
- PeopleSoft is responsible for triggering account status updates in the IDM provisioning system
- PeopleSoft can be configured to maintain the account lifecycle for employees and non-employees
- PeopleSoft can be configured to collect the user and job data an IDM implementation requires
- PeopleSoft is compatible with the messaging and LDAP requirements of the IDM suite

PeopleSoft Integration Solutions: centrally managed LDAP directory (Oracle Internet Directory, OID)
- OID is the enterprise directory for all user accounts
- OID exposes the industry-standard LDAP protocol for authentication; because an LDAP bind carries the user's password, applications should connect over LDAPS or StartTLS rather than plain LDAP
- A centralized enterprise directory simplifies the integration of applications
- The enterprise directory lets applications authenticate all users that currently exist across the various Active Directory environments
- It integrates with Oracle Identity Manager (OIM) for automated account provisioning of employees and non-employees
- Integration with Oracle Access Manager leads to single sign-on

PeopleSoft Integration Solutions: automated provisioning of PeopleSoft user accounts (Oracle Identity Manager, OIM)
- OIM provides automated account provisioning for users/employees
- OIM receives real-time user status messages from PeopleSoft
- The access logic is based on user job data from PeopleSoft
- Automated provisioning targets the HCM, Portal and OID systems
- Non-employees are created manually and given role-based access in OIM
- Integration with OIM makes it possible to enforce IDM policies and controls
- Integration with OIM lays the foundation for audit and compliance
- OIM can be configured to maintain the account lifecycle for employees and non-employees based on PeopleSoft data
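The provisioning logic this slide describes, written out as an added example (not City of Boston or Oracle code): a small reconciler that turns constructed PeopleSoft job-status messages into account actions on two hypothetical targets, PORTAL and OID. The role policy, job codes and message layout are assumptions made for the example; OIM expresses the equivalent as access policies. It covers the cases the deck raises: hire, transfer with revocation of the old department's entitlements, termination disabling the account, and a late-arriving replay of an earlier message.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed role policy for this example (not an OIM access policy, though OIM
# expresses the same idea): the PeopleSoft department, taken from the first
# segment of the job code, maps to entitlements on each target system.
TARGETS = ("PORTAL", "OID")
BASE_ROLES = {"PORTAL": {"ESS_USER"}, "OID": set()}   # every active employee: self-service only
ROLE_POLICY = {
    "FIN": {"PORTAL": {"FIN_VIEWER"}, "OID": {"cn=finance,ou=groups"}},
    "HR":  {"PORTAL": {"HR_ADMIN"},   "OID": {"cn=hr,ou=groups"}},
}


@dataclass
class Account:
    enabled: bool = True
    effdt: str = ""          # HR effective date last applied (ISO date, so string order == date order)
    roles: dict = field(default_factory=lambda: {t: set() for t in TARGETS})


def roles_for(job_code: str) -> dict:
    """Derive target-system roles from authoritative HR job data only."""
    dept = job_code.split("-", 1)[0]
    extra = ROLE_POLICY.get(dept, {})
    return {t: BASE_ROLES[t] | extra.get(t, set()) for t in TARGETS}


class Provisioner:
    """Applies PeopleSoft job-status messages to target accounts. The HR event is
    the only authority; the target's current state is reconciled to it."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit: list[tuple[str, str, str]] = []

    def apply(self, event: dict) -> None:
        emplid, action, effdt = event["emplid"], event["action"], event["effdt"]
        acct = self.accounts.get(emplid)
        # Out-of-order or replayed messages are dropped: a re-delivered HIR must
        # never re-enable an account that a later TER disabled.
        if acct is not None and effdt < acct.effdt:
            self.audit.append((emplid, "*", f"ignored stale {action} {effdt}"))
            return
        if action in ("HIR", "XFR"):                    # hire or transfer
            if acct is None:
                acct = self.accounts[emplid] = Account()
                self.audit.append((emplid, "*", "create"))
            if not acct.enabled:
                acct.enabled = True
                self.audit.append((emplid, "*", "enable"))
            self._reconcile(emplid, acct, roles_for(event["job_code"]))
        elif action == "TER":                           # termination
            if acct is None:
                self.audit.append((emplid, "*", "ignored TER for unknown user"))
                return
            self._reconcile(emplid, acct, {t: set() for t in TARGETS})
            if acct.enabled:
                acct.enabled = False
                self.audit.append((emplid, "*", "disable"))
        else:
            raise ValueError(f"unknown HR action {action!r}")
        acct.effdt = effdt

    def _reconcile(self, emplid: str, acct: Account, wanted: dict) -> None:
        # Grant AND revoke, so a transfer does not leave the old department's
        # entitlements behind (the usual source of privilege creep).
        for t in TARGETS:
            for r in sorted(acct.roles[t] - wanted[t]):
                self.audit.append((emplid, t, f"revoke {r}"))
            for r in sorted(wanted[t] - acct.roles[t]):
                self.audit.append((emplid, t, f"grant {r}"))
            acct.roles[t] = set(wanted[t])


def run_demo() -> Provisioner:
    """Constructed message sequence: hire into Finance, transfer to HR, terminate,
    then a replayed copy of the original hire arriving late."""
    p = Provisioner()
    for ev in [
        {"emplid": "000123", "action": "HIR", "job_code": "FIN-204", "effdt": "2009-07-01"},
        {"emplid": "000123", "action": "XFR", "job_code": "HR-110", "effdt": "2009-09-15"},
        {"emplid": "000123", "action": "TER", "effdt": "2009-12-31"},
        {"emplid": "000123", "action": "HIR", "job_code": "FIN-204", "effdt": "2009-07-01"},
    ]:
        p.apply(ev)
    return p


if __name__ == "__main__":
    for entry in run_demo().audit:
        print(*entry)
```

The audit list is the artefact an auditor asks for: every grant, revoke, enable and disable with the employee ID and the HR event that caused it. Note that the account record is kept after termination (disabled, no roles) rather than deleted, so the history stays attributable.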
PeopleSoft Integration Solutions: access control to PeopleSoft Portal/Self-Service (Oracle Access Manager, OAM)
- Application single sign-on lets users who have been authenticated by OAM reach applications without being re-authenticated
- OAM integrates with PeopleSoft's Single Signon mechanism through secured headers and/or cookies; because the asserted identity arrives in an HTTP header, the PeopleSoft web server must accept that header only from the OAM WebGate or reverse proxy in front of it, never from clients that can reach it directly
- OAM integrated with OID also gives the option of LDAP authentication for PeopleSoft applications
- Self-service password reset can be provided by OAM or OIM
- OAM allows delegated administration
Implementation Issues
- Governance: IT security policies; data standards; account standards
- Business process: account lifecycle; data standards
- Technology: architecture (deployment of firewalls and WebGates); introduction of a reverse proxy; database encryption for account data; role-based access (AD groups vs OVD groups); software development lifecycle
- Support: internal IDM support; knowledge transfer from the implementation; help desk support; branding; training

Lessons Learned
- Governance: IT security policies; assign a data steward
- Business process: account lifecycle
- Development lifecycle: use cases; test scripts
- Technology: architecture (deployment of firewalls and WebGates); group assignment (roles: AD groups vs OVD groups); architecture security (firewall/WebGates); data and password encryption (OIM/OID)
- Support: Oracle Support / integration partner; architecture direction (stay on the Oracle roadmap); proper internal support: Java developer, LDAP admin, integration support (web), integration support (servers)

Next Steps: continuous improvement
- Infrastructure expansion: enhanced authentication and single sign-on for applications that authenticate via the enterprise directory
- Oracle Virtual Directory: provides real-time change of access as employees change positions
- Active Directory integration: automated account provisioning for Windows logins; Active Directory password sync
- Audit and compliance: attestation/recertification for non-employee accounts; attestation/recertification for service accounts

Next Steps: Enterprise Directory
Next Steps – Enterprise Directory Service Model
PeopleTools Security
PeopleTools 8.50 Security
New Security Picture
Oracle Open World S308250  Securing Your People Soft Application Via Idm
Market Drivers / Business Needs: security administration
- Market drivers: industry requirements; government mandates
- Business need: customer adoption of standards; reduced audit impact
- Value proposition: with every release of PeopleTools, we strengthen existing security features or add new ones.

New and Changed Features: security administration
We are taking steps to increase infrastructure security for those customers who have invested in Oracle and can take advantage of Oracle Technology security features. Auditors are requiring, and customers are requesting, the capability to protect data at rest in the database, to establish segregation of duties in database administration, and to audit PeopleSoft more granularly across the enterprise.
- Support for Transparent Data Encryption (TDE) and Oracle Database Vault
- Support for Oracle Audit Vault

New and Changed Features: security administration
We are also extending the resources available for the identity lifecycle, facilitating the adoption of resources and disciplines that protect user access and file transfer and reduce the cost of deployment.
- Preconfigured integration with Oracle Access Manager
- Support for FTPS (FTP over SSL/TLS)
- Support for Microsoft ADAM (AD LDS)
- Use of JNDI libraries for LDAP support

New and Changed Features: security administration
We continue to deliver increased protection for system-to-system and service-based communication by extending the web service security options available. This protection is also based on open standards.
- SAML for web services security (note: NOT federated identity)
- Extended WS-Security support

New and Changed Features: security administration
In PeopleTools 8.50 we have added hardening features to mitigate abusive access attempts and reduce data leakage.
- Decoupled PS_HOME
- Server-based anti-virus
- Background tasks that remove orphan files on the web server and application server, mitigating data leakage
- Mitigation of abusive (bot-based) access attempts
- Configurable error messages for incorrect login, reducing data leakage (attackers use the differences between error messages, such as unknown user versus wrong password, to refine their attempts)
- Throttling of invalid access attempts
- Reduced false positives from threat-analysis tools (customers are using more of these)
User-Level SAML Security  For Web Services
SAML Security Support: description; business need and benefits; setup and process

SAML Support: description
With PeopleTools 8.50 you can secure web services using SAML, which provides greater flexibility and granularity. Trust is established node to node through certificates.
Note: this is NOT SAML support for user authentication, nor an integration with identity federation. SAML is a token format based on standards, not a single standard token, and SAML is not synonymous with identity federation.

SAML Support: business need and benefits
PeopleSoft can now verify user IDs carried in the SOAP header, or associated with a node definition, before invoking a web service request. The user ID must be defined in the system as a valid PeopleSoft user ID and, like any other user ID in the PeopleSoft system, it gains access to system resources through permission lists. The Web Services page of the permission list component is where web service permissions are assigned to user IDs.

SAML Support: setup and process
Go to SAML Inbound Setup: PeopleTools > Security > SAML Administration Setup > SAML Inbound Setup
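As an added example (not PeopleTools code), the checks a receiving node should apply to a SAML 1.1 assertion carried in a WS-Security header once the platform has verified its XML signature: exactly one assertion, a trusted issuing node whose registered certificate alias matches the signature's key name, a validity window, a known and unlocked PeopleSoft user ID, and a permission list that grants the requested web service. The node names, user IDs, permission lists, service names and the SOAP message itself are constructed for the example; the signature element carries only a KeyName, and the cryptographic verification is assumed to have happened before this function runs.

```python
from __future__ import annotations
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET   # use defusedxml in production to block entity-expansion attacks

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CLOCK_SKEW = timedelta(seconds=60)

# Constructed PeopleSoft-side configuration for this example (not real data).
TRUSTED_NODES = {"PSFT_HR": "hr_node_cert"}        # issuing node -> certificate alias it signs with
USERS = {                                          # user ID -> (account enabled?, permission lists)
    "VP1": (True, {"PTPT1000", "HCWS_PERMS"}),
    "GUEST": (False, {"PTPT1000"}),
}
WS_PERMISSIONS = {"HCWS_PERMS": {"GetEmployee"}}   # permission list -> web services it grants


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def authorize_ws_call(envelope: str, service: str, now: datetime) -> tuple[bool, str]:
    """Policy applied to an inbound SOAP request after the platform has
    cryptographically verified the assertion's signature against the issuing
    node's certificate (assumed done, not performed, in this example)."""
    root = ET.fromstring(envelope)
    assertions = root.findall("soap:Header/wsse:Security/saml:Assertion", NS)
    if len(assertions) != 1:                        # two assertions = ambiguity an attacker can exploit
        return False, f"expected exactly one assertion, found {len(assertions)}"
    a = assertions[0]
    issuer = a.get("Issuer", "")
    if a.get("MajorVersion") != "1" or issuer not in TRUSTED_NODES:
        return False, f"untrusted or malformed issuer {issuer!r}"
    key_name = a.findtext("ds:Signature/ds:KeyInfo/ds:KeyName", default="", namespaces=NS)
    if key_name != TRUSTED_NODES[issuer]:
        return False, "assertion is not signed under the issuing node's certificate"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "assertion has no validity window"     # fail closed, never open-ended
    if not (parse_ts(cond.get("NotBefore")) - CLOCK_SKEW <= now
            < parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        return False, "assertion outside its validity window"
    user = a.findtext("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier",
                      default="", namespaces=NS).strip()
    if user not in USERS:
        return False, f"{user!r} is not a PeopleSoft user ID"
    enabled, plists = USERS[user]
    if not enabled:
        return False, f"user {user} is locked"
    if not any(service in WS_PERMISSIONS.get(pl, set()) for pl in plists):
        return False, f"no permission list of {user} grants {service}"
    return True, f"{user} authorized via node {issuer}"


def envelope(user: str, issuer: str = "PSFT_HR", key_name: str = "hr_node_cert",
             not_before: str = "2009-10-12T10:00:00Z",
             not_after: str = "2009-10-12T10:05:00Z") -> str:
    """Constructed SOAP request with a SAML 1.1 assertion in a WS-Security header.
    The ds:Signature is a placeholder carrying only the key name."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
               xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <soap:Header><wsse:Security>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1"
                    Issuer="{issuer}" IssueInstant="{not_before}">
      <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
                                    AuthenticationInstant="{not_before}">
        <saml:Subject><saml:NameIdentifier>{user}</saml:NameIdentifier></saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature><ds:SignedInfo/><ds:SignatureValue/>
        <ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo></ds:Signature>
    </saml:Assertion>
  </wsse:Security></soap:Header>
  <soap:Body><GetEmployee/></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    print(authorize_ws_call(envelope("VP1"), "GetEmployee", parse_ts("2009-10-12T10:02:00Z")))
```

Two things the function deliberately does not do, and a production node must: verify the signature bytes before trusting anything in the assertion, and keep a cache of AssertionID values seen within the validity window so a captured request cannot be replayed. The SOAP body is never consulted for identity; only the signed assertion is.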
Support for Secured FTP (FTPS)

FTPS Support: description; business need and benefits; setup and process

FTPS Support: description
In PeopleTools 8.50 we are introducing support for FTPS using file transfer libraries. SFTP is still facilitated through the ftpunx script customization. So when will SFTP be supported ...?

FTPS Support: business need and benefits
- Provides secured file transfer capability on all platforms
- Although PeopleSoft always assumed that FTP servers would be protected behind corporate firewalls, customers and their auditors have raised concerns
- Corporations are insisting on building security into their infrastructures

FTPS Support: setup and process
- Certificate Alias: the alias name of a certificate stored in the database (via the PeopleTools Digital Certificates page).
- Verify Host: 0 = do not verify the server's host name. 1 = check only that the server certificate's common name field has some value, without comparing it to what the client specified. 2 (default) = check that the host name in the URL matches the common name or Subject Alternative Name field of the server certificate.
- Verify Peer: False = do not verify the peer. True (default) = verify the peer, i.e. authenticate the certificate sent by the server.
- SSL Usage Level: 0 = no SSL. 1 = try SSL, and proceed as normal otherwise. 2 = require SSL for the control connection.
Only Verify Peer True together with Verify Host 2 actually authenticates the server: with Verify Peer False the session is encrypted but to whoever answers, and Verify Host 0 or 1 accepts any certificate the trusted CA has issued, not just this server's. SSL Usage Level 1 allows a plaintext fallback, so anyone on the path can downgrade the session simply by making the TLS upgrade fail; and level 2 covers only the control connection, so confirm separately that the data connection carrying the file contents is also protected.
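The effect of those settings, as an added example in Python (not PeopleTools code, which uses its own file transfer libraries): ftps_context() maps the Verify Host / Verify Peer values onto an SSL context, assurance() reports what the resulting connection actually proves about the far end, and connect_ftps() performs explicit FTPS with the data channel protected as well as the control channel. Host name and credentials are placeholders. Python has no equivalent of Verify Host 1 (common name present but not compared), so it is treated the same as 0.

```python
from __future__ import annotations
import ssl
from ftplib import FTP_TLS


def ftps_context(verify_host: int, verify_peer: bool, ca_file: str | None = None) -> ssl.SSLContext:
    """Translate PeopleTools-style Verify Host / Verify Peer settings into an SSLContext."""
    # Secure defaults: modern TLS, CERT_REQUIRED against the system (or given) CA store,
    # host name checked against CN / SubjectAltName.
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify_peer:
        # Verify Peer = False: any certificate is accepted. A host name check is
        # meaningless without chain validation, so it has to be switched off first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif verify_host in (0, 1):
        # Chain validated, but the certificate is not bound to the server we dialled:
        # any certificate issued by the trusted CA passes, including another host's.
        ctx.check_hostname = False
    elif verify_host == 2:
        ctx.check_hostname = True
    else:
        raise ValueError(f"Verify Host must be 0, 1 or 2, got {verify_host!r}")
    return ctx


def assurance(ctx: ssl.SSLContext) -> str:
    """What the context actually guarantees about the far end."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "encrypted-only"          # no idea who we are talking to
    if not ctx.check_hostname:
        return "chain-only"              # a valid certificate, not necessarily this server's
    return "server-authenticated"


def connect_ftps(host: str, user: str, password: str, ctx: ssl.SSLContext, port: int = 21) -> FTP_TLS:
    """Explicit FTPS (AUTH TLS on port 21): the equivalent of SSL Usage Level 2, plus PROT P.
    Placeholder host and credentials; this needs a live server to run."""
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port, timeout=30)
    ftp.auth()                   # upgrade the control connection; fails rather than falling back to plaintext
    ftp.login(user, password)    # credentials travel only after the control channel is protected
    ftp.prot_p()                 # "SSL for control" alone leaves the file contents in clear on the data connection
    return ftp


if __name__ == "__main__":
    for vh, vp in ((2, False), (0, True), (1, True), (2, True)):
        print(f"Verify Host={vh} Verify Peer={vp}: {assurance(ftps_context(vh, vp))}")
```

The placeholder session is what an auditor should expect to see: never call login() on a plain FTP object and "try" TLS afterwards, and treat any configuration that assurance() does not report as server-authenticated as a finding.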
Native Integration: Oracle Access Manager

Oracle Access Manager: PeopleSoft native support
- Business benefits: this feature provides check-box configuration of OAM with PeopleSoft
- Business need/benefits: this feature simplifies the adoption of OAM by PeopleSoft customers
Note: with the release of PeopleTools 8.50, PeopleSoft is dropping native support for Oracle Single Sign-On (OSSO).

Support for Transparent Data Encryption (TDE) and Database Vault

TDE and Database Vault support
While customers have implemented TDE and Database Vault with PeopleSoft before, this feature provides install and upgrade support for:
- Transparent Data Encryption
- Oracle Database Vault
Data Encryption: challenges
Meeting regulatory requirements for the protection of PII data. In recent years there have been numerous incidents of identity theft and credit card fraud, with damages reaching into the tens of millions of dollars. Protecting against these threats requires security solutions that are transparent by design. Universities and health care organizations are tightening security around personally identifiable information (PII) such as social security numbers, while retailers are working to comply with PCI-DSS requirements.

Transparent Data Encryption (TDE): benefits
- Application transparent: no views required, and application logic performed through SQL continues to work
- Transparent key management and separation of duty: the database manages the encryption keys, and the index values of an encrypted column are encrypted as well
- Regulatory compliance
- Media protection for data at rest: disk drive replacement or backup tapes
- Low implementation cost: no database triggers or views required
- Index support for equality searches (range scans on an encrypted column are not supported)
TDE protects the data files, backups and exports; it does not hide data from a session that is allowed to SELECT it, privileged DBA sessions included. That gap is what Database Vault addresses.

Database Vault support
There is no explicit integration between PeopleSoft and Oracle Database Vault. Templates for Database Vault rule sets that can be used with a PeopleSoft installation have been developed and posted on the Oracle Technology Network (OTN): http://www.oracle.com/technology/software/products/database_vault/index.html
- Database Vault 9.2.0.8 security policies for PeopleSoft
- Database Vault 10.2.0.3 security policies for PeopleSoft (can also be used for 11g)
Separate templates exist for each version of Oracle where Database Vault is supported. These templates apply to the following PeopleSoft releases: PT8.2x, PT8.4x and beyond.

Database Vault support: PeopleSoft realm
This realm protects against unauthorized access to business data by privileged users. It protects all objects owned by the PeopleSoft Access ID, in addition to some PeopleSoft database roles. Access to this realm is granted to the PeopleSoft Access ID and to the user PSFTDBA. PSFTDBA is a new user designed to perform administration activities on the PeopleSoft application (such as patching) without being allowed to access business data inside it. Authorization of the PeopleSoft Access ID is restricted to specific processes; this is enforced through the PeopleSoft Access rule set. Because the rule set identifies the permitted processes from connection attributes, test it by connecting with the Access ID credentials from an unexpected client and confirming that the realm denies the access. (See http://www.oracle.com/technology/software/products/database_vault/index.html under "Database Vault 10.2.0.3+ and 11.1.0.6+ security policies for PeopleSoft".)

Database Vault support: PeopleSoft realm
Oracle Database Vault can be used to help fulfill various compliance-related requirements, such as the following:
Decouple and Secure PS_HOME

Feature Overview
- AppServer and Process Scheduler (PRCS) domain configuration now lives outside PS_HOME
- The existing behaviour is still supported, but is no longer the default
- This allows customers to: deploy a secure-by-default environment; minimize disk space by sharing PS_HOME; apply patches more easily; reduce administration overhead
- No impact to the web server / PIA deployment

Secure PS_HOME: overview
- Install PeopleTools using an admin account, making the directory tree read-execute only
- Create and start domains using a restricted account that cannot write to PS_HOME
- Achieved using: management of users and groups; root / sudo access; network drives on Windows
- The technique used should suit the security processes of the organization in question

Secure PS_HOME
- PeopleSoft applications no longer write to PS_HOME at runtime; all writes now go outside PS_HOME
- Installation should be performed by an admin user who can restrict write access to the PS_HOME directory tree
- On UNIX this may be achieved using umask settings
- On Windows this is achieved by installing with an admin account
- Because the user and security models differ between UNIX and Windows, the steps taken are quite different
So it can be Secured …
And also Shared …
Sys Admins: action items
- Review the System and Server Administration PeopleBooks
- Identify the post-installation customizations required, and make sure they are done using the installer admin account
- Decide whether to deviate from the default PS_CFG_HOME
- Test the environment to verify security
- Identify and resolve any problems
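One way to do the "test the environment" step on UNIX, as an added example (not an Oracle tool): audit_ps_home() walks PS_HOME and reports anything an account other than the installer could modify (wrong owner, group- or world-writable entries, symlinks), harden_ps_home() applies the equivalent of `chmod -R go-w`, and make_demo_ps_home() builds a constructed tree with two deliberate mistakes so the check can be run offline. The directory layout and file names are assumptions for the demo; on a real system point it at the actual PS_HOME and pass the installer's uid.

```python
from __future__ import annotations
import os
import stat
import tempfile

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_ps_home(ps_home: str, installer_uid: int) -> list[str]:
    """List everything under PS_HOME that an account other than the installer
    could modify: entries not owned by the installer, group/world-writable
    entries, and symlinks (which can be retargeted to a writable location)."""
    findings: list[str] = []

    def check(path: str) -> None:
        st = os.lstat(path)                       # lstat: do not follow links
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: symlink")
            return
        if st.st_uid != installer_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, not the installer")
        if st.st_mode & WRITE_BY_OTHERS:
            findings.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")

    check(ps_home)
    for dirpath, dirnames, filenames in os.walk(ps_home):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return findings


def harden_ps_home(ps_home: str) -> None:
    """Post-install fix-up, the equivalent of `chmod -R go-w $PS_HOME`; installing
    with umask 022 makes it unnecessary. Symlinks are left alone."""
    for dirpath, dirnames, filenames in os.walk(ps_home):
        for path in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode):
                os.chmod(path, stat.S_IMODE(st.st_mode) & ~WRITE_BY_OTHERS)


def make_demo_ps_home() -> str:
    """Constructed PS_HOME tree with two deliberate mistakes for the demo."""
    home = tempfile.mkdtemp(prefix="ps_home_")
    layout = [
        ("bin", True, 0o755),
        ("bin/psadmin", False, 0o755),             # fine: read/execute for the runtime account
        ("appserv", True, 0o755),
        ("appserv/psappsrv.cfg", False, 0o664),    # mistake: group-writable config under PS_HOME
        ("appserv/cache", True, 0o777),            # mistake: world-writable directory (8.50 puts these under PS_CFG_HOME)
    ]
    for rel, is_dir, mode in layout:
        path = os.path.join(home, rel)
        if is_dir:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)                       # explicit, so the caller's umask does not matter
    return home


if __name__ == "__main__":
    home = make_demo_ps_home()
    print("\n".join(audit_ps_home(home, os.getuid())) or "clean")
    harden_ps_home(home)
    print(audit_ps_home(home, os.getuid()) or "clean after hardening")
```

Run the audit as the restricted domain account as well as the installer: a clean report from the installer's view but a failure to start the domain from the restricted account usually means a runtime path is still inside PS_HOME and belongs in PS_CFG_HOME instead.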
Security: Other Features

Other Features
- ADAM (AD LDS) support
- JNDI replacing the LDAP libraries
- Securing server-based file directories
- PIA hardening
- MCF/CTI: presence, UAD, CTI applet, Genesys

More Information

More Information
- PeopleTools Strategy e-mail: [email_address]
- PeopleTools on Oracle Wiki: http://wiki.oracle.com/page/PeopleSoft
- PeopleSoft discussion forums: http://forums.oracle.com/forums/category.jspa?categoryID=152
- PeopleTools Blog landing page: http://blogs.oracle.com/peopletools
- Open Group Jericho Forum "de-perimeterization": http://www.opengroup.org/jericho/deperim.htm
- Oracle's Critical Patch Update: http://www.oracle.com/security/critical-patch-update.html

Not getting Security and other alerts?
- Go to OTN, the Oracle Technology Network: http://www.oracle.com/technology/index.html
- Look at the upper right-hand corner (Account | Manage Subscriptions | Sign Out); make sure you are logged in, then click "Manage Subscriptions"
- Scroll down to "Opt-in to Oracle Communications"
- Check the box for "Oracle Security Alerts - Get the latest Security Alerts issued by Oracle as they become available", and any other alert or newsletter you want to receive
- Scroll down to the end of the page and "Confirm"

More Information
- FMW Best Practice Center for PeopleSoft: http://www.oracle.com/technology/tech/fmw4apps/peoplesoft
- PeopleSoft Tools and Technology: http://www.oracle.com/technology/products/applications/peoplesoft_ent/
- PeopleSoft Technology Blog: http://blogs.oracle.com/peopletools/
- Fusion Middleware @ oracle.com: http://www.oracle.com/fusion
- Fusion Middleware @ OTN: http://www.oracle.com/technology/products/middleware
- FAQ: Using PeopleSoft Enterprise with Oracle Technology Components: http://www.peoplesoft.com/corp/en/iou/red_papers/index.jsp

Additional Resources
- Oracle Applications: http://www.oracle.com/us/products/applications/peoplesoft-enterprise/index.htm
- Education: http://www.oracle.com/education/index.html
- Support: http://www.oracle.com/support/
- MetaLink: https://metalink.oracle.com/CSP/ui/index.html
- Oracle product documentation: http://www.oracle.com/applications/peoplesoft/tools_tech/ent/index.html
- Certification information: https://metalink3.oracle.com/od/faces/secure/km/DocumentDisplay.jspx?id=747587.1
- Technical updates: https://metalink3.oracle.com/od/faces/secure/km/DocumentDisplay.jspx?id=764222.1
 
Oracle Open World S308250  Securing Your People Soft Application Via Idm

More Related Content

PDF
NCU Business Development on NetIQ IDM
PDF
IRJET- In-House File Tracking System
DOC
Kiran_CV
DOC
Loan Approval Management Java project
DOCX
Banking java project
PDF
Abstraction and Automation: A Software Design Approach for Developing Secure ...
PDF
Software engineering Unit-2
PDF
Water management portal
NCU Business Development on NetIQ IDM
IRJET- In-House File Tracking System
Kiran_CV
Loan Approval Management Java project
Banking java project
Abstraction and Automation: A Software Design Approach for Developing Secure ...
Software engineering Unit-2
Water management portal

What's hot (19)

PDF
Id m what-why-how presentationv2.0
PDF
online banking system
PDF
ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...
PPTX
Srs present
PDF
Integrating Hitachi ID Management Suite with WebSSO Systems
DOC
Its resource estimate for work request v c
PPTX
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
PPTX
Part II of III: Advanced Authorization for SAP Global Deployments: September ...
PDF
Cognitive Approach Towards the Maintenance of Web-Sites Through Quality Evalu...
PDF
Automated login method selection in a multi modal authentication - login meth...
DOCX
bank transaction system
PPTX
Advanced Authorization for SAP Global Deployments Part II of III
DOCX
Oosd shopping (1)
PDF
Hitachi ID Identity Manager
PDF
FINAL REPORT DEC
DOCX
Software Requirement Specification - Interest Rate Management
PDF
Web–based crm application with interactive graphs
DOC
SYNOPSIS ON BANK MANAGEMENT SYSTEM
PDF
Software Requirement Analysis and Specification (SRS) of Automated Cyber Cafe...
Id m what-why-how presentationv2.0
online banking system
ANALYSIS ON IDENTITY MANAGEMENT SYSTEMS WITH EXTENDED STATE-OF-THE-ART IDM TA...
Srs present
Integrating Hitachi ID Management Suite with WebSSO Systems
Its resource estimate for work request v c
PART I of III: Advanced Authorization for SAP Global Deployments: September ...
Part II of III: Advanced Authorization for SAP Global Deployments: September ...
Cognitive Approach Towards the Maintenance of Web-Sites Through Quality Evalu...
Automated login method selection in a multi modal authentication - login meth...
bank transaction system
Advanced Authorization for SAP Global Deployments Part II of III
Oosd shopping (1)
Hitachi ID Identity Manager
FINAL REPORT DEC
Software Requirement Specification - Interest Rate Management
Web–based crm application with interactive graphs
SYNOPSIS ON BANK MANAGEMENT SYSTEM
Software Requirement Analysis and Specification (SRS) of Automated Cyber Cafe...
Ad

Viewers also liked (20)

PPTX
ABC’s Proposal
PPTX
An Introduction to OAuth 2
PDF
Clin infect dis 2015-martínez-bonet-1169-78
DOC
Карта рязани
PPTX
Ogc in arc_gis_g_tstyle
PDF
Guida a Linkedin: profilo personale e aziendale
PPT
Smart Networking
PPTX
The Fallacy of Social Media Transparency
PPT
Lasefiche Products Family Presentation
PPTX
Mitä mun puhelin osaa ?
PDF
Digital & Concept Artist: come diventare autori di successo (free webinar)
PDF
сервис для клиентов сталекс миф или реальность
PPTX
Max Mission Meridian
PPT
Campamento Pedagogico Karem 901
PDF
エンジニア目線での対外ブランディング ~ヌーラボ編~
PDF
Presentacion sostenedores
PDF
Moea introduction by deb
PDF
Git barcamp stuttgart_2010
PPT
Brands and Branding for Good Conference: Leslie Pascaud - South Africa 2010
PPTX
Social Media and reputation: what you can learn from big companies
ABC’s Proposal
An Introduction to OAuth 2
Clin infect dis 2015-martínez-bonet-1169-78
Карта рязани
Ogc in arc_gis_g_tstyle
Guida a Linkedin: profilo personale e aziendale
Smart Networking
The Fallacy of Social Media Transparency
Lasefiche Products Family Presentation
Mitä mun puhelin osaa ?
Digital & Concept Artist: come diventare autori di successo (free webinar)
сервис для клиентов сталекс миф или реальность
Max Mission Meridian
Campamento Pedagogico Karem 901
エンジニア目線での対外ブランディング ~ヌーラボ編~
Presentacion sostenedores
Moea introduction by deb
Git barcamp stuttgart_2010
Brands and Branding for Good Conference: Leslie Pascaud - South Africa 2010
Social Media and reputation: what you can learn from big companies
Ad

Similar to Oracle Open World S308250  Securing Your People Soft Application Via Idm (20)

PPTX
Oracle Identity Manager Basics
PDF
IdM Reference Architecture
PPTX
IDM Introduction
PPTX
User Manager
DOC
Saipraveen_Cirrculum_Vitae
PPTX
Disaster_Reovery1_Patrol_Continuity.pptx
PDF
Mis project report on DELHI INFO.COM MANAGEMENT INFORMATION SYSTEM
PDF
Open iam technicalarchitecture-v3-a
PPT
BPM & Workflow in the New Enterprise Architecture
PPT
BPM & Workflow in the New Enterprise Architecture
PDF
Fim datasheet 0210
DOCX
Acc Updated Resume
PDF
SIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
PDF
okta | Top 8 Identity and Access Management Challenges with Your SaaS Applica...
PPTX
Secure your environment with UiPath and CyberArk technologies - Session 1
PDF
AccessPaaS (SafePaaS)
PDF
AccessPaaS by SafePaaS
DOCX
CRM system for WeLoveVideo.pptCRM System for WeLoveVid.docx
PDF
IDM Resume _ Kiran
PDF
Login pi datasheet new
Oracle Identity Manager Basics
IdM Reference Architecture
IDM Introduction
User Manager
Saipraveen_Cirrculum_Vitae
Disaster_Reovery1_Patrol_Continuity.pptx
Mis project report on DELHI INFO.COM MANAGEMENT INFORMATION SYSTEM
Open iam technicalarchitecture-v3-a
BPM & Workflow in the New Enterprise Architecture
BPM & Workflow in the New Enterprise Architecture
Fim datasheet 0210
Acc Updated Resume
SIF IDM Profile Usage Guide - Presentation at the 2014 annual conference
okta | Top 8 Identity and Access Management Challenges with Your SaaS Applica...
Secure your environment with UiPath and CyberArk technologies - Session 1
AccessPaaS (SafePaaS)
AccessPaaS by SafePaaS
CRM system for WeLoveVideo.pptCRM System for WeLoveVid.docx
IDM Resume _ Kiran
Login pi datasheet new

Oracle Open World S308250  Securing Your People Soft Application Via Idm

  • 1.  
  • 2. S308250  Securing Your PeopleSoft Application Greg Kelly Product Strategy Manager, PeopleTools Edwin Lorenzana IDM Program Manager, City of Boston
  • 3. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 4. Agenda City of Boston Experience New Security Features in PeopleTools 8.50
  • 5. City of Boston PeopleSoft /Identity Management Implementation
  • 6. Definitions Identity Management (IDM): IDM is the process by which various components in an identity management system manage the account life cycle for network entities in an organization, and most commonly refers to the management of an organization’s application users Provisioning refers to a technology and process based solution for enforcing and managing the creation, read, update, and deletion of user accounts based on a defined security policy. Provisioning is also a means of propagating security policy, for example by setting access rights on management systems based on group memberships and/or role assignments Authentication : The process of verifying the identity claimed by an entity based on its credentials Authorization : Authorization is the process of determining if a user has the right to access a requested resource Authorization Policies : Declarations that define entitlements of a security principal and any constraints related to that entitlement Account Life Cycle : The steps that are taken to provision access for a user to a given system resource RBAC – Role based access: Providing access to a system resource based on programmatic logic based on roles Authoritative Resource: System of reference for employment status and position description Target System Resource: System/application where the automated provisioning will occur LDAP: The Lightweight Directory Access Protocol is an application protocol for querying and modifying directory services running over TCP/IP Single Sign On: is a property of access control of multiple, related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property whereby a single action of signing out terminates access to multiple software systems
  • 7. What is IDM? Identity and Access as a Service. (Diagram: actors are Policy Managers, DBAs, End Users, Apps & Services; capabilities shown are Self-Service, Delegated Administration, Identity & Role Lifecycle Management, Identity Analytics, Authentication & Authorization, Monitoring, Fraud Prevention, Workflow, RBAC & SoD.) Benefits: trusted and reliable security; efficient regulatory compliance; lower administrative and development costs; enable online business networks; better end-user experience.
  • 8. Account Life Cycle: What are we capturing? (Diagram: Manual New-Hire Employee Provisioning Process)
  • 9. Account Life Cycle: What about removal of access? (Diagram: Manual Employee De-Provisioning Process)
  • 10. Phase 1 PeopleSoft Integration: in an IDM integration PeopleSoft plays two roles, Authoritative Resource and Target System/Resource.
  • 11. Business Requirement: In fiscal year 2007-2008 the City of Boston (COB) contracted Oracle Identity Management consultants, KPMG auditors and independent security consultants to assess COB’s various MIS environments. One of the focus areas was the current lifecycle of user identities across the enterprise and the existence of data security controls on COB’s user stores and applications. The findings produced two sets of goals. The first set is driven by business demands to provide a single sign-on solution that streamlines the account lifecycle through automated provisioning, along with improvements to the current authentication and authorization methods. The second set comes from the regulatory and audit findings of the 07 KPMG audit of COB’s Financial and MIS systems; these findings require COB to establish a security and risk management strategy with controls that satisfy regulatory compliance requirements. The solution needs to safeguard the privacy data of City of Boston residents and employees held in the various user account repositories and applications managed by the COB MIS teams.
  • 12. PeopleSoft/IDM Integration Goals: address the City of Boston’s tactical need to provision PeopleSoft HCM user accounts to support its rollout of PeopleSoft Portal and Employee Self-Service by implementing the following solutions: an Authoritative Resource for user data; a centrally managed LDAP directory; automated provisioning of PeopleSoft user accounts; access control to PeopleSoft Portal/Self-Service.
  • 13. PeopleSoft Integration Challenges, Define an Authoritative Resource for user data: discover which user directory/user store contains all user data; the directory must provide data related to the user’s employment status and describe the user’s position; define the account life cycle for employees and non-employees; the data required for an IDM integration is usually not collected by an organization in a centralized location; the directory/user store must be able to communicate with the IDM suite.
  • 14. PeopleSoft Integration Challenges, Centrally Managed LDAP Directory: an enterprise user directory containing all users does not exist. The current Active Directory LDAP environment is highly decentralized and accounts are managed independently across departments within the City of Boston; Active Directory domain trusts are not implemented. Decentralization, while sensible within the distributed, autonomous culture of the City’s departments, inevitably leads to inconsistent levels of security across the Active Directory domain. The absence of a centrally managed LDAP directory will need to be addressed before a single sign-on solution can be implemented.
  • 15. PeopleSoft Integration Challenges, Automated provisioning of PeopleSoft user accounts: the primary obstacle to the initial rollout is that thousands of new user accounts must be provisioned in a secure and efficient manner; ensure that access to employee data is limited to the given employee; provide non-employee access to the portal; ensure that accounts are disabled at termination of employment; provide a roadmap to meeting audit & compliance goals.
  • 16. PeopleSoft Integration Challenges, Access control to PeopleSoft Portal/Self-Service: integrate with existing PeopleSoft authentication; provide web single sign-on; centralize password self-service; delegate administration to non-IT/MIS staff; integrate with the Enterprise Directory; provide enforcement of the password policy.
  • 17. Proposed Architecture IDM/PeopleSoft Integration - Server Topology Diagram
  • 18. PeopleSoft Integration Solutions, Define an Authoritative Resource for user data: PeopleSoft HR. The PeopleSoft HR database will serve as the authoritative source for all identity data within the City of Boston, as it contains all employee data. Programmatic authentication/access decisions will be made by the IDM system based on user status & job data received from PeopleSoft. PeopleSoft will be responsible for triggering the updates of an account status within the IDM provisioning system. PeopleSoft can be configured to maintain the account lifecycle for employees and non-employees, and to collect the user & job data required by an IDM implementation. PeopleSoft is compatible with the messaging and LDAP requirements of the IDM suite.
  • 19. PeopleSoft Integration Solutions, Centrally managed LDAP directory: Oracle Internet Directory (OID). OID is the enterprise directory for all user accounts and provides a secure industry-standard protocol (LDAP) for authentication. A centralized enterprise directory simplifies the integration of applications and gives them the ability to authenticate all users that currently exist across the various Active Directory environments. It provides integration with Oracle Identity Management (OIM) for automated account provisioning of employees and non-employees. Integration with Oracle Access Manager will lead to single sign-on.
  • 20. PeopleSoft Integration Solutions, Automated provisioning of PeopleSoft user accounts: Oracle Identity Management (OIM). OIM provides automated account provisioning of users/employees; it receives real-time user status messages from PeopleSoft; the access logic is based on user job data from PeopleSoft; automated provisioning targets the HCM, Portal & OID systems; non-employees are created manually & given role-based access in OIM; integration with OIM provides the ability to enforce IDM policies & controls and lays the foundation for audit and compliance; OIM can be configured to maintain the account lifecycle for employees and non-employees based on PeopleSoft data.
  • 21. PeopleSoft Integration Solutions, Access control to PeopleSoft Portal/Self-Service: Oracle Access Manager (OAM). Application single sign-on allows users who have been authenticated by OAM to access applications without being re-authenticated. OAM integrates with PeopleSoft’s single sign-on technology via secured headers and/or cookies. OAM, when integrated with OID, also provides an option for LDAP authentication for PeopleSoft applications. Self-service password reset can be provided by OAM or OIM. OAM allows for delegated administration.
  • 22. Implementation Issues
      Governance: IT Security Policies; Data Standards; Account Standards
      Business Process: Account Lifecycle; Data Standards
      Technology: Architecture (deployment of firewalls & web-gates); Introduction of Reverse Proxy; Database Encryption for account data; Role Based Access (AD groups vs OVD groups); Software Development Lifecycle
      Support: Internal IDM Support; Knowledge Transfer from implementation; Help Desk Support; Branding; Training
  • 23. Lessons Learned
      Governance: IT Security Policies; assign a Data Steward
      Business Process: Account Lifecycle; Development Lifecycle (use cases, test scripts)
      Technology: Architecture (deployment of firewalls & web-gates); group assignment (roles) (AD groups vs OVD groups); architecture security (firewall/web gates); data & password encryption (OIM/OID)
      Support: Oracle Support / Integration Partner; architecture direction (stay on the Oracle roadmap); proper internal support (Java developer, LDAP admin, integration support (web), integration support (servers))
  • 24. Next Steps: Continuous Improvement
      Infrastructure Expansion: enhanced authentication and single sign-on for applications authenticated via the Enterprise Directory; Oracle Virtual Directory (provides real-time change of access as employees change positions); Active Directory Integration (automated account provisioning for Windows logins, Active Directory password sync)
      Audit & Compliance: attestation/recertification for non-employee accounts; attestation/recertification for service accounts
  • 25. Next Steps – Enterprise Directory
  • 26. Next Steps – Enterprise Directory Service Model
  • 28. PeopleTools 8.50 Security
  • 31. Market Drivers/Business Needs, Security Administration. Market Drivers: Industry Requirements; Government Mandates. Business Need: Customer Adoption of Standards; Reduce Audit Impact. Value Proposition: With every release of PeopleTools, we strengthen existing, or add new, security features.
  • 32. New and Changed Features, Security Administration: We are taking steps to increase the infrastructure security for those customers who have invested in Oracle and are able to take advantage of Oracle Technology security features. Auditors are requiring, and customers are requesting, the capability of protecting data at rest in the database, establishing segregation of duties in database administration and more granular auditing of PeopleSoft across the enterprise. Support for Transparent Data Encryption (TDE) and Oracle Data Vault (ODV); support for Oracle Audit Vault.
  • 33. New and Changed Features, Security Administration: We are also extending the available resources for the Identity Lifecycle by facilitating the adoption of resources and disciplines to protect user access and file transfer and to reduce the cost of deployment. Preconfigured integration with Oracle Access Manager; support for FTPS (FTP security); support for Microsoft ADAM (AD LDS); use of JNDI libraries for LDAP support.
  • 34. New and Changed Features, Security Administration: We continue to deliver increased protection for system-to-system or services-based communication by extending the web service security options available. This protection is also based on open standards. SAML for web services security (note: NOT federated identity); extended WS-Security support.
  • 35. New and Changed Features, Security Administration: In PeopleTools 8.50 we have added additional hardening features to mitigate abusive access attempts and to reduce data leakage.
      Decoupled PS_HOME
      Server-based anti-virus
      Background tasks to remove orphan files on the web server/app server, mitigating data leakage
      Mitigation of abusive access attempts (bot based)
      Configurable error messages for incorrect login, reducing data leakage (some hackers use the error messages to modify their attempts)
      Throttling of invalid access attempts
      Reducing false positives from threat analysis (customers are using more of these threat analysis tools)
  • 36. User-Level SAML Security For Web Services
  • 37. SAML Security Support Description Business Need and Benefits Setup and Process
  • 38. SAML Support Description: With PeopleTools 8.50, you can now secure web services using SAML, providing greater flexibility and granularity. This is based on node-to-node certificate trust. Note: This is NOT SAML support for user authentication or an integration with identity federation. SAML is a token based on standards, NOT a standard token. SAML is not synonymous with Identity Federation.
  • 39. SAML Support Business Need and Benefits PeopleSoft can now verify user IDs included in the SOAP header or associated with a node definition before invoking a web service request. The user ID must be defined in the system as a valid PeopleSoft ID, and, as with any other user ID in the PeopleSoft system, the user ID gains access to system resources through permission lists. The Web Services page in the permission lists component enables you to assign web service permissions to user IDs.
  • 40. SAML Support Setup and Process Go to SAML Inbound Setup: PeopleTools > Security>SAML Administration Setup > SAML Inbound Setup
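As an added example (not PeopleSoft code), the check the two slides above describe, modelled in Python: take the user ID from the SAML assertion in the WS-Security header, fall back to the node definition's user when the header carries none, confirm it is a valid user ID, then look for a permission list that grants the requested web service operation. The namespaces, message shape, user registry and node table are constructed assumptions, and assertion signature and trust checking (which the slides tie to node-to-node certificate trust) is outside this example.

```python
# Added example, not PeopleSoft code: authorise an inbound web service call by
# the user ID in the SAML assertion, else by node definition, then by the
# user's permission lists. Namespaces, message shape and tables are assumptions.
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Constructed registry: user ID -> permission lists; permission list -> operations.
USERS = {"PSADMIN": ["WS_ADMIN"], "WSUSER": ["WS_READ"]}
PERMISSION_LISTS = {"WS_ADMIN": {"CUSTOMER.GET", "CUSTOMER.UPDATE"},
                    "WS_READ": {"CUSTOMER.GET"}}
# Constructed node definitions: default user ID used when the header carries none.
NODES = {"PSFT_HR": "WSUSER", "ANONYMOUS": None}


def build_envelope(user_id=None):
    """Constructed SOAP request; the WS-Security/SAML header is added only when a user ID is given."""
    header = ""
    if user_id is not None:
        header = (f'<wsse:Security xmlns:wsse="{NS["wsse"]}">'
                  f'<saml:Assertion xmlns:saml="{NS["saml"]}" Version="2.0" ID="_c1">'
                  f'<saml:Issuer>PSFT_HR</saml:Issuer>'
                  f'<saml:Subject><saml:NameID>{user_id}</saml:NameID></saml:Subject>'
                  f'</saml:Assertion></wsse:Security>')
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Header>{header}</soap:Header>'
            f'<soap:Body><GetCustomer id="42"/></soap:Body></soap:Envelope>')


def user_from_header(envelope):
    """Return the NameID from the SAML assertion in the WS-Security header, or None."""
    root = ET.fromstring(envelope)
    node = root.find("soap:Header/wsse:Security/saml:Assertion/saml:Subject/saml:NameID", NS)
    text = (node.text or "").strip() if node is not None else ""
    return text or None


def authorize(envelope, node_name, operation):
    """Return (allowed, reason) for one web service operation.
    Signature/trust verification of the assertion is not modelled here."""
    try:
        user = user_from_header(envelope)
    except ET.ParseError as exc:
        return False, f"rejected: malformed SOAP envelope ({exc})"
    source = "SOAP header"
    if user is None:
        user, source = NODES.get(node_name), f"node {node_name}"
    if user is None:
        return False, "rejected: no user ID in SOAP header or on node definition"
    if user not in USERS:
        return False, f"rejected: {user!r} from {source} is not a valid PeopleSoft user ID"
    for pl in USERS[user]:
        if operation in PERMISSION_LISTS.get(pl, ()):
            return True, f"allowed: {user} via permission list {pl}"
    return False, f"rejected: {user} has no permission list granting {operation}"


if __name__ == "__main__":
    for uid, node, op in [("PSADMIN", "PSFT_HR", "CUSTOMER.UPDATE"),
                          ("WSUSER", "PSFT_HR", "CUSTOMER.UPDATE"),
                          (None, "PSFT_HR", "CUSTOMER.GET"),
                          (None, "ANONYMOUS", "CUSTOMER.GET")]:
        print(uid, node, op, "->", authorize(build_envelope(uid), node, op)[1])
```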
  • 41. Support For Secured FTP (FTPS)
  • 42. FTPS Support Description Business Need and Benefits Setup and Process
  • 43. FTPS Support Description: In PeopleTools 8.50 we will be introducing support for FTPS using file transfer libraries. SFTP is still facilitated using the ftpunx script customization. So when will SFTP be supported …?
  • 44. FTPS Support Business Need and Benefits: This will provide secured file transfer capability on all platforms. Although PeopleSoft always considered that FTP servers would be protected behind corporate firewalls, customers and their auditors have raised concerns. Corporations are insisting on building security into their infrastructures.
  • 45. FTPS Support Setup and Process
      Certificate Alias: must be the alias name of a certificate stored in the database (using the PeopleTools Digital Certificates page).
      Verify Host: 0: do not verify the server host name. 1: checks whether any value exists in the common name field of the server certificate; does not verify that it matches what the client specifies. 2 (default): checks for a match between the host name in the URL and the common name or Subject Alternative Name field in the server certificate.
      Verify Peer: False: do not verify the peer. True (default): verify the peer; this authenticates the certificate sent by the server.
      SSL Usage Level: 0 - No SSL: no SSL will be used. 1 - Try SSL: try using SSL, proceed as normal otherwise. 2 - SSL for Control: require SSL for the control connection.
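An added example, not PeopleTools code, showing what the three Verify Host levels and the Verify Peer switch above amount to when applied to a server certificate, and the equivalent settings on a Python ssl context for an ftplib.FTP_TLS client. The certificate dict, the wildcard rule and the mapping onto the ssl module are assumptions of this example.

```python
# Added example, not PeopleTools code: the "Verify Host" and "Verify Peer"
# settings from the FTPS setup slide, modelled as checks over a server
# certificate and mapped onto an equivalent ssl.SSLContext (assumed mapping).
import ssl

VERIFY_HOST_NONE, VERIFY_HOST_CN_PRESENT, VERIFY_HOST_MATCH = 0, 1, 2

# Constructed server certificate: subject CN plus Subject Alternative Names.
DEMO_CERT = {"subject_cn": "ftp.example.org",
             "san": ["ftp.example.org", "files.example.org"]}


def hostname_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label (*.example.org)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.org"
        rest = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
        return bool(rest) and "." not in rest    # wildcard covers one label only
    return False


def verify_host(level, url_host, cert):
    """Apply a Verify Host level to cert = {"subject_cn": str|None, "san": [str]}.
    Returns (ok, reason)."""
    if level == VERIFY_HOST_NONE:
        return True, "host name not checked"
    if level == VERIFY_HOST_CN_PRESENT:
        # Only tests that *some* CN exists: any well-formed certificate passes,
        # so this does not bind the connection to the intended server.
        present = bool(cert.get("subject_cn"))
        return present, "CN present" if present else "CN missing"
    if level == VERIFY_HOST_MATCH:
        names = [n for n in [cert.get("subject_cn")] + list(cert.get("san", [])) if n]
        ok = any(hostname_matches(n, url_host) for n in names)
        return ok, f"{url_host} {'matches' if ok else 'matches none of'} {names}"
    raise ValueError(f"unknown Verify Host level {level}")


def client_context(verify_peer=True, host_level=VERIFY_HOST_MATCH):
    """Equivalent ssl.SSLContext for an ftplib.FTP_TLS client (assumed mapping).
    Verify Peer=True, Verify Host=2 is the only combination that authenticates
    the server's certificate chain and binds it to the requested host name."""
    ctx = ssl.create_default_context()
    if not verify_peer:
        ctx.check_hostname = False         # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE    # server certificate not authenticated
    elif host_level != VERIFY_HOST_MATCH:
        ctx.check_hostname = False         # chain checked, host name not bound
    return ctx


if __name__ == "__main__":
    for level in (0, 1, 2):
        print(level, verify_host(level, "evil.example.net", DEMO_CERT))
```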
  • 46. Native Integration Oracle Access Manager
  • 47. Oracle Access Manager PeopleSoft Native Support, Business Benefits: This feature provides check-box configuration for OAM with PeopleSoft. Business Need/Business Benefits: This feature will simplify adoption of OAM by PeopleSoft customers. Note: With the release of PeopleTools 8.50, PeopleSoft will be dropping native support for OSSO.
  • 48. Support for Transparent Data Encryption (TDE) and Data Vault
  • 49. TDE and Data Vault Support: While customers have implemented TDE and Data Vault with PeopleSoft, this feature provides support for install and upgrade. Transparent Data Encryption; Oracle Data Vault.
  • 50. Data Encryption Challenges Meeting Regulatory Requirements surrounding Data protection of PII data. In recent years there have been numerous incidents of identity theft and credit card fraud resulting in damages reaching into the tens of millions of dollars. Protecting against these types of threats requires security solutions that are transparent by design. Universities and health care organizations are tightening security around personally identifiable information (PII) such as social security numbers while retailers are working to comply with PCI-DSS requirements.
  • 51. Transparent Data Encryption (TDE) Benefits. What are the benefits of using Transparent Data Encryption (TDE)?
      TDE is application transparent: no views required; application logic performed through SQL will continue to work
      Transparent key management and separation of duty: manages the encryption keys transparently; encrypts the index value associated with a given application table
      Regulatory compliance
      Media protection (for data at rest): disk drive replacement or backup tapes
      Low implementation costs: no database triggers or views required
      Index support for equality searches
  • 52. Database Vault Support: There is no explicit integration between PeopleSoft and the Oracle DB Vault feature. Templates for DB Vault rule-sets which can be used with a PeopleSoft installation have been developed and posted on the Oracle Technology Network (OTN): http://www.oracle.com/technology/software/products/database_vault/index.html . Available templates: Database Vault 9.2.0.8 security policies for PeopleSoft; Database Vault 10.2.0.3 security policies for PeopleSoft (can also be used for 11g). Separate templates exist for each version of Oracle where DB Vault is supported. These templates are applicable to the following PeopleSoft releases: PT8.2x, PT8.4x and beyond.
  • 53. Data Vault Support, PeopleSoft Realm: This realm protects against unauthorized access by privileged users to business data. It protects all objects owned by the PeopleSoft Access Id in addition to some PeopleSoft database roles. Access to this realm is granted to the PeopleSoft Access Id as well as the user PSFTDBA. The user PSFTDBA is a new user designed to do administration activities on the PeopleSoft applications (such as patching) but is not allowed to access business data inside the PeopleSoft applications. The PeopleSoft Access Id authorization is restricted to specific processes; this is enforced through the PeopleSoft Access Rule Set. http://www.oracle.com/technology/software/products/database_vault/index.html (see link for “Database Vault 10.2.0.3+ and 11.1.0.6+ security policies for PeopleSoft”)
  • 54. Data Vault Support PeopleSoft Realm Oracle Database Vault can be used to help fulfill various compliance related requirements, such as the following:
  • 55. Decouple and Secure PS_HOME
  • 56. Feature Overview: AppServer and PRCS domain configuration outside PS_HOME. Supports existing behavior but not as default. Allows customers to: deploy a secure-by-default environment; minimize disk space by PS_HOME sharing; apply patches more easily; reduce administration overhead. No impact to Web Server – PIA deployment.
  • 57. Secure PS_HOME Overview: Install PeopleTools using an admin account, making the directory tree read-execute only. Create and start domains using a restricted account which cannot write to PS_HOME. Achieved using: management of users and groups; root / sudo access; network drives on Windows. The technique used should be suited to the security processes of the organization in question.
  • 58. Secure PS_HOME: PeopleSoft applications no longer write to PS_HOME at runtime; all writes are now outside PS_HOME. Installation should be performed by an admin user who can restrict write access to the PS_HOME directory tree. On UNIX this may be achieved using umask settings; on Windows this is achieved by installing with an admin account. Due to differences between the user and security models on UNIX and Windows, the steps taken are quite different.
  • 59. So it can be Secured …
  • 61. Sys Admins – Action Items: Review the System and Server Administration PeopleBooks. Identify post-installation customizations required => ensure these are done using the installer admin account. Decide whether to deviate from the default PS_CFG_HOME. Test the environment to verify security. Identify and resolve any problems.
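An added example, not PeopleSoft tooling, for the Secure PS_HOME slides and the "Test the environment to verify security" action item: audit a PS_HOME tree for entries the domain (runtime) account could still write to, first as a separate restricted account and then as the install account itself. The tree, its modes and the account IDs are constructed here, and a POSIX host is assumed.

```python
# Added example, not PeopleSoft tooling: report entries under a PS_HOME tree
# that a given runtime account could write to. The demo tree is constructed;
# POSIX ownership and mode bits are assumed.
import os
import stat
import tempfile


def audit_ps_home(root, runtime_uid, runtime_gids=()):
    """Return relative paths under root writable by an account with the given
    uid and group ids. Symlinks are inspected, not followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = st.st_mode
            writable = (
                (st.st_uid == runtime_uid and mode & stat.S_IWUSR)
                or (st.st_gid in runtime_gids and mode & stat.S_IWGRP)
                or mode & stat.S_IWOTH
            )
            if writable:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_demo_ps_home():
    """Constructed PS_HOME-like tree; two entries are deliberately left
    world-writable so the audit has something to report."""
    root = tempfile.mkdtemp(prefix="PS_HOME_")
    files = {
        "bin/psadmin": 0o555,           # read-execute only: fine
        "bin/setenv.sh": 0o666,         # world-writable script: finding
        "appserv/psappsrv.cfg": 0o644,  # owner-writable only
        "appserv/log/.keep": 0o644,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed\n")
        os.chmod(path, mode)
    # Directories last, so the chmod is not undone by later creates.
    for rel, mode in {"bin": 0o755, "appserv": 0o755, "appserv/log": 0o777}.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


def demo_results():
    """Audit the constructed tree twice: as a restricted domain account that
    owns nothing (uid -1 here), and as the install account that owns the tree."""
    home = build_demo_ps_home()
    as_other = audit_ps_home(home, runtime_uid=-1)
    as_installer = audit_ps_home(home, os.getuid(), (os.getgid(),))
    return as_other, as_installer


if __name__ == "__main__":
    other, installer = demo_results()
    print("domain run as a separate restricted account:", other)
    print("domain run as the install account itself:   ", installer)
```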
  • 62. Security Other Features
  • 63. Other Features: ADAM (AD LDS) support; JNDI replacing LDAP libraries; securing server-based file directories; PIA hardening; MCF/CTI: Presence, UAD, CTI Applet, Genesys.
  • 64. More Information
  • 65. More Information
      PeopleTools Strategy eMail: [email_address]
      PeopleTools on Oracle Wiki: http://wiki.oracle.com/page/PeopleSoft
      PeopleSoft discussion forums: http://forums.oracle.com/forums/category.jspa?categoryID=152
      PeopleTools Blog landing page: http://blogs.oracle.com/peopletools
      Open Group Jericho Forum "de-perimeterization": http://www.opengroup.org/jericho/deperim.htm
      Oracle's Critical Patch Update: http://www.oracle.com/security/critical-patch-update.html
  • 66. Not getting Security and other Alerts? Go to OTN - Oracle Technology Network: http://www.oracle.com/technology/index.html . Look at the upper right-hand corner (Account | Manage Subscriptions | Sign Out). Make sure you're logged in, then click on “Manage Subscriptions”. Scroll down to “Opt-in to Oracle Communications”. Check the box for “Oracle Security Alerts - Get the latest Security Alerts issued by Oracle as they become available” ... and any other alert or newsletter you want to receive. Scroll down to the end of the page and "Confirm".
  • 67. More Information
      FMW Best Practice Center for PeopleSoft: http://www.oracle.com/technology/tech/fmw4apps/peoplesoft
      PeopleSoft Tools and Technology: http://www.oracle.com/technology/products/applications/peoplesoft_ent/
      PeopleSoft Technology Blog: http://blogs.oracle.com/peopletools/
      Fusion Middleware @ oracle.com: http://www.oracle.com/fusion
      Fusion Middleware @ OTN: http://www.oracle.com/technology/products/middleware
      FAQ: Using PeopleSoft Enterprise with Oracle Technology Components: http://www.peoplesoft.com/corp/en/iou/red_papers/index.jsp
  • 68. Additional Resources
      For more information about Oracle Applications: http://www.oracle.com/us/products/applications/peoplesoft-enterprise/index.htm
      For more information about Education: http://www.oracle.com/education/index.html
      For more information about Support: http://www.oracle.com/support/
      For MetaLink information: https://metalink.oracle.com/CSP/ui/index.html
      For Oracle Product documentation: http://www.oracle.com/applications/peoplesoft/tools_tech/ent/index.html
      Certification Information: https://metalink3.oracle.com/od/faces/secure/km/DocumentDisplay.jspx?id=747587.1
      Technical Updates: https://metalink3.oracle.com/od/faces/secure/km/DocumentDisplay.jspx?id=764222.1

Editor's Notes

  • #61: Owner: All Speaker: Program Management
  • #62: In particular take a look at Appendix A of the System and Server Administration PeopleBooks.
  • #65: Wrap up
  • #68: Note: The Best Practice Center is where you can go to download JDeveloper and the SOA Suite.