Declarative security-oes


Transcript of Declarative security-oes

Page 1: Declarative security-oes


Introducing Oracle Entitlements Server 11g

Page 2: Declarative security-oes

This document is for informational purposes.  It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.  The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle.  This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle.  This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle.   This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.


Page 3: Declarative security-oes


Agenda

• Oracle Entitlements Server Overview

• Oracle Entitlements Server 11g – What’s New?

• Planning Your Deployment (SENA Systems)


Page 4: Declarative security-oes

Homegrown Applications Pose Significant Risk

• Vast Majority of Apps are Homegrown

• 50% of applications budgets on in-house software *

• Homegrown Apps often host sensitive information

• Homegrown Apps are more vulnerable to security breaches

* For large companies in competitive, fast-moving industries such as telecommunications, financial services, high tech, pharmaceuticals, and media, those outlays can run into hundreds of millions of dollars.


Page 5: Declarative security-oes

Homegrown Apps, SOA, and Portals

Cloud Applications Mobile Computing

State of Security Solutions Today

• Modern IT initiatives require enforcement of granular access privileges

• Insufficient tooling and support for developing apps that require fine-grained authorization

• Evolving security needs and compliance mandates require constant application retooling resulting in higher costs and diminished service levels.

• Security policies are fragmented

• Often host sensitive information that is vulnerable to security risks.


Page 6: Declarative security-oes

Declarative Security Examples

(Table columns: Users, Roles, Privileges, Context, Resource)

User: Amy Harris
Role: Junior Traders

• Privileges: Equity Trades (By Geography, By Trade limit)

• Context: NASDAQ trading 10am-4pm; Restrict Trade Sizes to < $100K; Daily trading limit of $5M

• Resource: Mortgage Equity Fund, Municipal Equity Fund

User: Steve Jackson
Role: Equity Analyst

• Privileges: Equity Research (By Vertical industry, By Line of Business)

• Context: Unauthorized for trading; Authorized for Review of Energy Companies listed on NYSE; Authorized for access to research reports

• Resource: Oil & Gas, Semiconductors

User: Ellen Stewart
Role: Fund Manager

• Privileges: Equity Trades, Rebalance Funds

• Context: Authorized for 24x7 Trading; Rebalancing of Small-Cap Funds; Daily Trading Limit of $1B

• Resource: Mortgage Equity Fund, Municipal Equity Fund

Page 7: Declarative security-oes

Oracle Entitlements Server

Fine-grained Authorization for Web Applications, Portals, Middleware & Databases

Page 8: Declarative security-oes

Oracle Entitlements Server: Sample Fine-grained Authorization Policies

Example Policies

• Junior Traders can submit n stock trades / day with a total value of $5M, during regular trading hours, if market volatility is low

• Sensitive patient information should not be visible to clerical workers but allowed for Specialists as long as consent has been given or an emergency

• Call Center Reps need approval from a Supervisor to transfer a support case to Engineering

• Documents of a given type, sensitivity, and content are only available to employees of (x,y,z) with sufficient clearance, grade, and authentication level


Page 9: Declarative security-oes

Announcing Standards-based, Real-time External Authorization


Page 10: Declarative security-oes

Real-time Authorization

Rapid Application Integration

Comprehensive Standards Support

Oracle Entitlements Server 11g: Key Design Themes


Page 11: Declarative security-oes

Real-time Authorization with Oracle Entitlements Server 11g

• Massively scalable External Authorization Management

• Scales easily to large number of protected resources

• Hundreds of millions of users

• Thousands of roles

• From small workgroups to mission-critical deployments

• Authorization checks enforced with real-time latency


Page 12: Declarative security-oes

Real-time Authorization

Rapid Application Integration

Comprehensive Standards Support

Oracle Entitlements Server 11g: Key Design Themes


Page 13: Declarative security-oes

isAuthorized(user = Bob Doe,
             userOrg = Acme Corp,
             userRole = Marketing Manager,
             customerId = 99999,
             action = getCustomerDetail)

<SOAP:Envelope>
  …
  <SOAP:Body>
    <getCustomerDetailResponse>
      <customerID> 99999 </customerID>
      <name> Sally Smith </name>
      <phone> 555-1234567 </phone>
      <SSN> *********** </SSN>
      <creditCardNo> @^*%&@$#%! </creditCardNo>
      <purchaseHistory> … </purchaseHistory>
    </getCustomerDetailResponse>
  </SOAP:Body>
</SOAP:Envelope>

• Selective Data Redaction & Encryption of the response payload

• OES authorization decision returns an “Obligation” with information on what to redact and/or encrypt

SOAP Web Service

Fine-grained Authorization for SOA & Web Services

Oracle Entitlements Server

HTTP GET/POST

REST

XML

JMS

Web Client

Web Service Client

REST/SOAP

Request

Response
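
The obligation flow on this slide, as an added example that is not Oracle's code and does not use the OES API: a hypothetical decision stub (`is_authorized`) returns a permit plus obligations, and the enforcement point (`enforce`) applies them to a constructed response before releasing it. It goes one step beyond the slide by failing closed when an obligation cannot be fulfilled; the "Auditor" role and the obligation format are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample response, modelled on the slide's getCustomerDetailResponse.
RESPONSE = """<getCustomerDetailResponse>
  <customerID>99999</customerID>
  <name>Sally Smith</name>
  <phone>555-1234567</phone>
  <SSN>000-00-0000</SSN>
  <creditCardNo>4111111111111111</creditCardNo>
</getCustomerDetailResponse>"""

MASK = "*****"  # fixed-length mask so the redacted value does not leak its length


def is_authorized(user_role, action):
    """Hypothetical decision stub (not the OES API): returns (permit, obligations)."""
    if action != "getCustomerDetail":
        return False, []
    if user_role == "Marketing Manager":
        return True, [{"id": "redact", "fields": ["SSN", "creditCardNo"]}]
    if user_role == "Auditor":  # hypothetical role, used to show an unfulfillable obligation
        return True, [{"id": "encrypt", "fields": ["SSN"]}]
    return False, []


def _redact(root, fields):
    # Overwrite the text of every element named in the obligation.
    for tag in fields:
        for element in root.iter(tag):
            element.text = MASK


# Obligations this enforcement point can fulfil; it has no "encrypt" handler.
HANDLERS = {"redact": _redact}


def enforce(user_role, action, payload):
    """Release the payload only after every obligation has been applied."""
    permit, obligations = is_authorized(user_role, action)
    if not permit:
        return None
    # Fail closed: a permit with an obligation we cannot fulfil is treated as a deny.
    if any(ob["id"] not in HANDLERS for ob in obligations):
        return None
    root = ET.fromstring(payload)
    for ob in obligations:
        HANDLERS[ob["id"]](root, ob["fields"])
    return ET.tostring(root, encoding="unicode")
```
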


Page 14: Declarative security-oes

• Enforcement of data security for heterogeneous data sources: RDBMS, Object Relational, XML, Multi-Dimensional Cubes

• Enforcement of security at Data, Business Logic and Presentation tiers

• Integrates with Oracle and non-Oracle Databases, Hibernate, TopLink

Oracle Entitlements Server (Admin Server)

Security Module

Security Module Security Module

Security Module

Data Security with Oracle Entitlements Server


Page 15: Declarative security-oes

Portals and Content Management

App Servers & Dev Frameworks

Middleware

Identity Management

XML Gateways

Native & Custom Integrations

Data Sources


Page 16: Declarative security-oes

Real-time Authorization

Rapid Application Integration

Comprehensive Standards Support

Oracle Entitlements Server 11g: Key Design Themes


Page 17: Declarative security-oes

Comprehensive Standards Support with Oracle Entitlements Server 11g

• Supports modern authorization standards

• Attribute based Access (ABAC, XACML, OpenAZ)

• Role based Access (NIST RBAC, Enterprise RBAC)

• Java security frameworks (JAAS)

• Choice and flexibility ensures protection of existing investments

• Supports different IT maturity levels for externalizing authorization

• Commitment to innovation, contribution and implementation of open standards.


Page 18: Declarative security-oes

18 | © 2011 Oracle Corporation – Proprietary and Confidential