Declarative security-oes

Post on 08-Jun-2015


Transcript of Declarative security-oes


Introducing Oracle Entitlements Server 11g

This document is for informational purposes.  It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.  The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle.  This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle.  This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle.   This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.


Agenda

• Oracle Entitlements Server Overview

• Oracle Entitlements Server 11g – What’s New?

• Planning Your Deployment (SENA Systems)


Homegrown Applications Pose Significant Risk

• Vast Majority of Apps are Homegrown

• 50% of application budgets go to in-house software *

• Homegrown Apps often host sensitive information

• Homegrown Apps are more vulnerable to security breaches

* For large companies in competitive, fast-moving industries such as telecommunications, financial services, high tech, pharmaceuticals, and media, those outlays can run into hundreds of millions of dollars.

State of Security Solutions Today

(Figure: Homegrown Apps, SOA, and Portals; Cloud Applications; Mobile Computing)

• Modern IT initiatives require enforcement of granular access privileges

• Insufficient tooling and support for developing apps that require fine-grained authorization

• Evolving security needs and compliance mandates require constant application retooling, resulting in higher costs and diminished service levels.

• Security policies are fragmented

• These applications often host sensitive information that is exposed to security risks.


Declarative Security Examples

Roles, Privileges, Context, Users and Resources

Junior Traders

• Privileges: Equity Trades (by Geography, by Trade limit)

• Context: NASDAQ trading 10am-4pm; restrict trade sizes to < $100K; daily trading limit of $5M

• Resources: Mortgage Equity Fund, Municipal Equity Fund

Equity Analyst

• Privileges: Equity Research (by Vertical industry, by Line of Business)

• Context: unauthorized for trading; authorized for review of Energy companies listed on NYSE; authorized for access to research reports

• Resources: Oil & Gas, Semiconductors

Fund Manager

• Privileges: Equity Trades, Rebalance Funds

• Context: authorized for 24x7 trading; rebalancing of Small-Cap Funds; daily trading limit of $1B

• Resources: Mortgage Equity Fund, Municipal Equity Fund

Users (sample): Amy Harris, Steve Jackson, Ellen Stewart

Oracle Entitlements Server

Fine-grained Authorization for Web Applications, Portals, Middleware & Databases

Oracle Entitlements Server
Sample Fine-grained Authorization Policies

• Example Policies

• Junior Traders can submit n stock trades / day with a total value of $5M, during regular trading hours, if market volatility is low

• Sensitive patient information should not be visible to clerical workers but allowed for Specialists as long as consent has been given or an emergency

• Call Center Reps need approval from a Supervisor to transfer a support case to Engineering

• Documents of a given type, sensitivity, and content are only available to employees of (x,y,z) with sufficient clearance, grade, and authentication level
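The following is an added example (not Oracle's code and not the OES policy model) that turns the Junior Trader / Equity Analyst / Fund Manager table and the first sample policy above into data evaluated by a small attribute-based policy decision point. The Request fields, the context keys (time, trade_value, daily_total, volatility, exchange, fund_class) and the assignment of the slide's sample users to roles are assumptions made for this example.

```python
"""Attribute-based policy evaluation for the declarative trading policies above.

Added example; not Oracle's code and not the OES policy model. Roles,
privileges, context constraints and resources from the slide become data,
and each request is evaluated against them with a default of deny.
Context keys and role assignments are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Request:
    user: str
    role: str
    action: str            # "trade", "review", "read_report" or "rebalance"
    resource: str          # fund name or industry sector
    context: dict = field(default_factory=dict)


# Resource column of the slide: what each role may touch at all.
RESOURCES = {
    "Junior Trader": {"Mortgage Equity Fund", "Municipal Equity Fund"},
    "Equity Analyst": {"Oil & Gas", "Semiconductors"},
    "Fund Manager": {"Mortgage Equity Fund", "Municipal Equity Fund"},
}


def junior_trader_trade(req):
    """NASDAQ 10am-4pm, trades under $100K, $5M per day, low volatility."""
    ctx = req.context
    if not time(10, 0) <= ctx["time"] <= time(16, 0):
        return "outside NASDAQ trading hours (10am-4pm)"
    if ctx["trade_value"] >= 100_000:
        return "trade size must be under $100K"
    if ctx["daily_total"] + ctx["trade_value"] > 5_000_000:
        return "daily trading limit of $5M exceeded"
    if ctx.get("volatility", "high") != "low":   # a missing attribute fails closed
        return "market volatility is not low"
    return None


def fund_manager_trade(req):
    """24x7 trading with a $1B daily limit; no time-of-day constraint."""
    ctx = req.context
    if ctx["daily_total"] + ctx["trade_value"] > 1_000_000_000:
        return "daily trading limit of $1B exceeded"
    return None


def analyst_review(req):
    """Review limited to companies listed on NYSE; the sector is checked via RESOURCES."""
    if req.context.get("exchange") != "NYSE":
        return "review limited to companies listed on NYSE"
    return None


def manager_rebalance(req):
    """Rebalancing limited to Small-Cap funds."""
    if req.context.get("fund_class") != "Small-Cap":
        return "rebalancing limited to Small-Cap funds"
    return None


# Privileges column: (role, action) -> rule. A rule returns None to permit or a
# denial reason. Unlisted pairs (e.g. Equity Analyst + trade) are denied.
RULES = {
    ("Junior Trader", "trade"): junior_trader_trade,
    ("Equity Analyst", "review"): analyst_review,
    ("Equity Analyst", "read_report"): lambda req: None,
    ("Fund Manager", "trade"): fund_manager_trade,
    ("Fund Manager", "rebalance"): manager_rebalance,
}


def is_authorized(req):
    """Return (permitted, reason). Unknown role/action pairs and resources outside
    the role's list are refused before any rule runs."""
    rule = RULES.get((req.role, req.action))
    if rule is None:
        return False, f"{req.role} is not authorized for action '{req.action}'"
    if req.resource not in RESOURCES.get(req.role, set()):
        return False, f"'{req.resource}' is not a resource of {req.role}"
    reason = rule(req)
    return reason is None, reason or "permitted"


def demo():
    """Constructed requests; user names are the slide's samples, the role
    assignments are this example's assumption."""
    low = {"volatility": "low"}
    return [
        is_authorized(Request("Amy Harris", "Junior Trader", "trade", "Mortgage Equity Fund",
                              {"time": time(11, 30), "trade_value": 50_000, "daily_total": 4_900_000, **low})),
        is_authorized(Request("Amy Harris", "Junior Trader", "trade", "Mortgage Equity Fund",
                              {"time": time(17, 0), "trade_value": 50_000, "daily_total": 0, **low})),
        is_authorized(Request("Steve Jackson", "Equity Analyst", "trade", "Oil & Gas",
                              {"time": time(11, 0), "trade_value": 10_000, "daily_total": 0})),
        is_authorized(Request("Ellen Stewart", "Fund Manager", "trade", "Municipal Equity Fund",
                              {"time": time(3, 0), "trade_value": 500_000_000, "daily_total": 600_000_000})),
        is_authorized(Request("Steve Jackson", "Equity Analyst", "review", "Oil & Gas", {"exchange": "NYSE"})),
        is_authorized(Request("Amy Harris", "Junior Trader", "trade", "Oil & Gas", {})),
        is_authorized(Request("Amy Harris", "Junior Trader", "trade", "Mortgage Equity Fund",
                              {"time": time(11, 0), "trade_value": 150_000, "daily_total": 0, **low})),
    ]


if __name__ == "__main__":
    for permitted, reason in demo():
        print("PERMIT" if permitted else "DENY  ", reason)
```

The point of the structure is that the application calls is_authorized() and never encodes the hours, limits or fund lists itself; changing a limit changes one table entry, and a role that the slide marks "unauthorized for trading" is denied simply by having no rule.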


Announcing Standards-based, Real-time External Authorization

Oracle Entitlements Server 11g Key Design Themes

• Real-time Authorization

• Rapid Application Integration

• Comprehensive Standards Support

Real-time Authorization with Oracle Entitlements Server 11g

• Massively scalable External Authorization Management

• Scales easily to large number of protected resources

• Hundreds of millions of users

• Thousands of roles

• From small workgroups to mission-critical deployments

• Authorization checks enforced with real-time latency


Fine-grained Authorization for SOA & Web Services

isAuthorized(user = Bob Doe, userOrg = Acme Corp, userRole = Marketing Manager, customerId = 99999, action = getCustomerDetail)

<SOAP:Envelope>
  …
  <SOAP:Body>
    <getCustomerDetailResponse>
      <customerID> 99999 </customerID>
      <name> Sally Smith </name>
      <phone> 555-1234567 </phone>
      <SSN> *********** </SSN>
      <creditCardNo> @^*%&@$#%! </creditCardNo>
      <purchaseHistory> … </purchaseHistory>
    </getCustomerDetailResponse>
  </SOAP:Body>
</SOAP:Envelope>

• Selective Data Redaction & Encryption of the response payload

• OES authorization decision returns an “Obligation” with information on what to redact and/or encrypt

(Figure: request/response flow between a Web Client or Web Service Client (HTTP GET/POST, REST, XML, JMS, REST/SOAP), a SOAP Web Service and Oracle Entitlements Server)
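As an added example of the obligation mechanism described above (not Oracle's code; the decision format, obligation ids and the sample response are constructed for this example), the following enforcement point applies a "redact" obligation to the SOAP response and fails closed when the decision carries an obligation it has no handler for, which is the behaviour an obligation-capable enforcement point must have: a Permit whose obligations cannot be fulfilled must not be honoured.

```python
"""Obligation-driven redaction of a SOAP response at the enforcement point.

Added example, not Oracle's code. The policy decision point (PDP) returns a
decision plus obligations; this policy enforcement point (PEP) fulfils them
before the payload leaves. Decision format, obligation ids ("redact",
"encrypt") and the sample response are constructed for this example.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
ET.register_namespace("SOAP", SOAP_NS)

# Constructed sample, modelled on the slide's getCustomerDetailResponse.
SAMPLE_RESPONSE = f"""<SOAP:Envelope xmlns:SOAP="{SOAP_NS}">
  <SOAP:Body>
    <getCustomerDetailResponse>
      <customerID>99999</customerID>
      <name>Sally Smith</name>
      <phone>555-1234567</phone>
      <SSN>123-45-6789</SSN>
      <creditCardNo>4111111111111111</creditCardNo>
      <purchaseHistory>...</purchaseHistory>
    </getCustomerDetailResponse>
  </SOAP:Body>
</SOAP:Envelope>"""


def redact(element, obligation):
    """Replace the element text with a mask of the same length (constructed handler)."""
    element.text = obligation.get("mask", "*") * len(element.text or "")


# Obligation id -> handler. "encrypt" is deliberately not registered here so the
# example exercises the fail-closed path; a production PEP would register a
# handler backed by a real encryption library.
HANDLERS = {"redact": redact}


def enforce(decision, response_xml, handlers=HANDLERS):
    """Return ("Permit", xml) or ("Deny", reason); the raw response never leaves."""
    if decision.get("decision") != "Permit":
        return "Deny", "policy decision was not Permit"
    root = ET.fromstring(response_xml)
    for ob in decision.get("obligations", []):
        handler = handlers.get(ob["id"])
        if handler is None:
            # A Permit whose obligations cannot be fulfilled is treated as Deny.
            return "Deny", f"cannot fulfil obligation {ob['id']!r}"
        for name in ob["elements"]:
            for el in root.iter(name):       # payload elements carry no namespace
                handler(el, ob)
    return "Permit", ET.tostring(root, encoding="unicode")


def element_text(xml, name):
    """Text of the first element with the given tag, for inspection and tests."""
    el = ET.fromstring(xml).find(f".//{name}")
    return None if el is None else el.text


def demo():
    """Constructed decision: Permit, with SSN and creditCardNo to be redacted."""
    decision = {"decision": "Permit",
                "obligations": [{"id": "redact", "elements": ["SSN", "creditCardNo"], "mask": "*"}]}
    return enforce(decision, SAMPLE_RESPONSE)


if __name__ == "__main__":
    status, payload = demo()
    print(status)
    print(payload)
    print(enforce({"decision": "Permit",
                   "obligations": [{"id": "encrypt", "elements": ["creditCardNo"]}]},
                  SAMPLE_RESPONSE))
```

Returning a Deny for an unknown obligation rather than passing the payload through is the check a reviewer should look for in any obligation-handling integration: the decision and the obligations are one unit, not a Permit with optional extras.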


Data Security with Oracle Entitlements Server

• Enforcement of data security for heterogeneous data sources: RDBMS, Object Relational, XML, Multi-Dimensional Cubes

• Enforcement of security at Data, Business Logic and Presentation tiers

• Integrates with Oracle and non-Oracle Databases, Hibernate, TopLink

(Figure: Oracle Entitlements Server (Admin Server) with several Security Modules)


(Figure: Oracle Entitlements Server integration points: Portals and Content Management; App Servers & Dev Frameworks; Middleware; Identity Management; XML Gateways; Native & Custom Integrations; Data Sources)

Comprehensive Standards Support with Oracle Entitlements Server 11g

• Supports modern authorization standards

• Attribute-based access control (ABAC, XACML, OpenAZ)

• Role-based access control (NIST RBAC, Enterprise RBAC)

• Java security frameworks (JAAS)

• Choice and flexibility ensure protection of existing investments

• Supports different IT maturity levels for externalizing authorization

• Commitment to innovation, contribution and implementation of open standards.


© 2011 Oracle Corporation – Proprietary and Confidential