OEA Executive Reference Architecture – Identity as a Service
Oracle Confidential – Internal/Restricted/Highly Restricted
What is Identity as a Service?
Provide a centralized service that improves the customer/citizen experience through seamless authentication and simplified identity management for consumers, partners and employees, irrespective of where the application is hosted.
Digital Economy Transformation Trends
IDaaS now matters more because of these trends:
• Data explosion: 90% created within the last two years; 50X growth by 2020
• Rise of mobility: 6 billion mobile subscribers, 87% of the world's population; mobile data growing at 78% CAGR
• Social is business: consumers driving the experience; 26% post negative comments, 86% now stop doing business, 94% will pay more for a great experience
• Modernize to survive: lots of 20-year-old legacy applications
New Challenges with Enablement of the Cloud-Based Model
• Seamlessly connect public cloud, private cloud and on-premise applications
• Extend business processes to cloud apps and vice versa
• Simplify access to apps from any device, from any facility
• Expand private cloud services
Access Management in the New Digital Economy – Customer Key Requirements
• Seamless multi-channel access
• Integrated risk management and fraud prevention
• Increased agility with externalized authorization
• Access any application, from any device, anywhere
• Standards-based, modular architecture
• Scalable for today's Internet needs
Opportunities and Challenges for Identity Management
Guiding Architecture Principles to Consider to Create IDaaS
Oracle Enterprise Security Reference Architecture – Oracle Security Capability Model, IDaaS Focus Area
Capabilities in the model (as laid out on the slide):
• Web Service / Integration: Perimeter Security, Transport Security, SQL Firewall, Interface Security
• Identity Management: Strong Authentication, Identity Propagation, Self Service Administration, API / JMS Authentication, Identity Federation, Social Identity, Web Services Security, Single Sign-on, Web and Desktop Authorization, Mobile Security, Fraud Prevention, Contextual Authorization, Classification Authorization
• Access Management Services: Role Management, Workflow Management, Separation of Duties, Least Privilege Access, Data Security, Policy Based Access and Audit, Session Management, ID Context, Security Token Services, Risk Analytics, Workflow Rules, Privacy and Risk Monitoring, Policy Engine, Policy Entitlement Engine, Audit, Virtual Identity Configuration, Role Based Access, Classification Based Access
• Application Platform Security: Provisioning, Reconciliation, Data Encryption, Data Redaction and Masking, Attestation, Audit
• Platform Security Services: Identity Adapters, Encrypted Backup, Crypto-Key Management, Unified Security Stores (User Stores, Policy Stores, Policy Database), Adaptive Transactions, Directory Services, Directory Virtualization, User / Roles Identity Integration, Hardware Security Modules, Hardware Cryptographic Services, Privileged Account Management, Enterprise Single Sign-on, Secure Audit, OS / Server Virtualization Platform Security
Oracle Enterprise Security Reference Architecture – Oracle Security Capability Model, IDaaS Focus Area – Product Mapping
The capability grid is the same as on the preceding slide; products placed on it in this mapping are:
• Oracle Mobile and Social Access Mgmt
• OIF – Federation Server
• Oracle Mobile Security Suite
• Oracle Adaptive Access Manager
• Oracle Identity Manager – Administration and User Services
• Oracle Access Mgr
• Oracle Identity Manager
• OIM App and System Adapters
Cloud Security Architecture Design Considerations – Security Layering and Cloud Technology Integration
• Defense in depth layers: Data; Application / Service; Host; Internal Network; Perimeter; Physical; Policies, Procedures & Awareness
• Cloud technology mapping: SaaS (Data, Application / Service); PaaS (Application); IaaS (Host, VMs)
• Deployment: Private Cloud (on-premise) and Public Cloud (cloud provider)
• Cross-cutting: Identity & Access Management (IDaaS) and Monitoring; Security Management & Monitoring; Security Governance, Risk Management & Compliance; Planning & Reconciliation
IDaaS – Conceptual Architecture
(Diagram; labels recovered: ISTORE, Consumers, Employee, Branch)
Oracle Cloud Identity Initiatives – Models
Oracle Managed Identity Services
• Pre-configured, Oracle Managed Identity Service
• Full enterprise IDM functionality
• Manage access to enterprise and SaaS apps
Oracle Public Cloud Identity Services
• Identity as a Service – hosted in the Oracle Public Cloud
• Integrated SSO and user management
• Pre-configured for all major cloud / SaaS apps
• Integrated with enterprise IDM
Oracle On-Premise Identity Services
• On-premise or private cloud
• Identity governance
• Access management
• Mobile security
• Directory
Oracle Cloud IDaaS Architecture Vision – Models to Implement IDaaS: Managed Cloud, On-Premise & Public Cloud
Oracle Cloud IDaaS – Physical Architecture Oracle Public Cloud IDaaS Model
Value Proposition – Provide Seamless Access Experience with Limited Architecture Impact
Appendix – Supporting Models and Use Cases – Use Cases to Demonstrate Specific Solutions
Oracle Cloud IDaaS – Key Services Public Cloud IDaaS Services – Identity, Access and Administration
Oracle Cloud IDaaS – Value Proposition: Public Cloud IDaaS Model Value
• Oracle IDaaS hosted at Oracle Public Cloud
• Provides seamless integration with enterprise identity stores and authentication services
• Single-tenant software, dedicated hardware
• Eliminate need to install and maintain supporting infrastructure
• Eliminate need to hire specialized resources
• Rapid implementation
• OPEX model
Oracle Cloud IDaaS – Value Proposition: Managed Cloud IDaaS Model Value
• Oracle IDM, hosted by Oracle Managed Cloud Services (OMCS): pre-packaged, pre-sized and rapid deployment with room to scale
• Fully functional, customizable products
• Single-tenant software, dedicated hardware
• Seamless integration with on-premise / hosted / SaaS applications
• Eliminate need to install and maintain supporting infrastructure
• Eliminate need to hire specialized resources
• Available in both CapEx and OpEx models
IDaaS Use Case
Use Case – Current State of Architecture
No common model for identity and access management to applications and data.
(Diagram; recoverable content:)
• Authentication patterns shown: Application Authentication; Provider Authentication; Integrated Authentication / Identity
• Contrast drawn: "Multiple Authentication Points / Manual and Automated User Mgmt / Multiple Users" versus "Integrated Access / Automated User Management / Multiple Identity Stores"
• Identity sources: FIM / ADFS (integrated with public cloud and on-premises), local on-premises identity stores, remote identity stores, Cloud AD, OID, local DB users, EBS FND_USER, SWC
• Applications: Consumer Portal (self registrations), SharePoint, Jabber, MS 365, Azure, PeopleSoft, RightNow, VPN, ITSM, WebEx, Eloqua, OBIEE, PPM, Analytics, Hyperion, eBusiness Suite, WebCenter Portal, Essbase, WebCenter Content, My Customer, Visualizer, ISTORE, others
• User populations: Employee; Employee / Contractor / Partner; Employee / Consumer; Consumer; Branch
Use Case – Current State Architecture
Multiple identity sources, identity provisioning flows, and authentication methods.
(Diagram; labels recovered: FIM; AD – PeopleSoft, Employee; AD Branch – Employee, Affiliate, Contractor; OID – SWC, Consumer; Consumer; Employee / Consumer)
Use Case – On-premise IDaaS Deployment Model
• Primary web authentication, web SSO, coarse-grained authorization (optionally, Mobile and Social service if mobile clients are involved)
• Lightweight cloud SSO proxy
• Identity federation: support for SAML, OAuth, OpenID
• Web services and API security: first line of defense on-premise and / or in the cloud
• SOA security: first-mile and last-mile security on-premise and / or in the cloud
Use Case – Managed Cloud IDaaS Deployment Model – Dedicated Datacenter Extension
IDaaS Model Comparison – Technical Controls Applied to Cloud Computing *
Deployment models compared (table columns; per-model marks did not survive extraction): Public – IT-Managed Shared SaaS; Private – Provider-Managed Dedicated SaaS; Leased, Dedicated IaaS / PaaS (VPN) – Shared IaaS/PaaS, Provider-Located.
Control family – Description
• Access Control – Remote Network Access, Wireless Access, Information Flow; Separation of Duties, Least Privilege; Host Acct Mgmt, Access Enforcement, Usage Notification, Termination; Security Attributes and Entitlements
• Audit and Accountability – Segregation of Audit Information; Audit Generation, Confidentiality, Integrity, Retention, and Review; Audit Content, Correlation, and Timestamps; Audit Record and Report Availability
• Identification and Authentication – User & Device Identification and Authentication; Identity Management
• System and Communications Protection – Application and Information System Partitioning; Denial of Service Prevention; Network Interface Boundary Protection; Network Confidentiality and Integrity; Key Management, PKI; Session Authenticity (Man-in-the-Middle Protection); Honeypots; Mechanisms, Policies, Procedure to Protect Information At Rest; Virtualization Security and Strategy; Covert Channel Analysis
* Oracle Cloud Enterprise Hosting and Delivery Policies defines these controls and service levels in greater detail. A signed contract or NDA is required to request a copy of the policies.
IDaaS Model Comparison – Operational Controls Applied to Cloud Computing *
Deployment models compared (table columns; per-model marks did not survive extraction): Public – IT-Managed Shared SaaS; Private – Partner-Managed Dedicated SaaS; Leased, Dedicated IaaS / PaaS (VPN) – Shared IaaS/PaaS, Partner-Located.
Control family – Description
• Awareness and Training – Security Awareness and Training
• Configuration Management – Configuration Management, Change Control, Impact Analysis, Access
• Contingency Planning – Contingency Planning; Contingency Testing, Training, and Exercises; Backup, Recovery, and Reconstitution Capabilities
• Incident Response – Incident Response Policies, Training, Handling, Monitoring, Reporting
• Maintenance – System Maintenance Plan, Control, Tools, Schedules, Review; Remote Maintenance
• Media Protection – Media Marking and Sanitation; Media Protection Policies, Procedures, Control, Storage, Transport
• Physical and Environmental Protection – Physical Environment Access, Monitoring, and Visitation; Capabilities, Environmentals, Location, Emergency Systems
• Personnel Security – Personnel Screening, Agreements, Roles, Transfer, Termination
• System and Information Integrity – Information Input Restriction and Validation; Integrity Protection, Malicious Code Protection, and Monitoring; Error Handling, Failure Prevention, Flaw Remediation
* Oracle Cloud Enterprise Hosting and Delivery Policies defines these controls and service levels in greater detail. A signed contract or NDA is required to request a copy of the policies.
IDaaS Model Comparison – Management Controls Applied to Cloud Computing *
Deployment models compared (table columns; per-model marks did not survive extraction): Public – IT-Managed Shared SaaS; Private – Partner-Managed Dedicated SaaS; Leased, Dedicated IaaS / PaaS (VPN) – Shared IaaS/PaaS, Partner-Located.
Control family – Description
• Security Assessment and Authorization – Security Assessment and Continuous Monitoring; Security Authorization (managed sign-off); External Domain Integration
• Planning – Security Plan Development and Review; Security Categorization
• Risk Assessment – Vulnerability Scanning; Risk Assessments
• System and Services Acquisition – Documentation of Secure Configuration, Installation, and Operation; Software Installation and Usage Restrictions; SDLC Support, Software Testing, and Configuration Management
• Policies & Procedures (for all of the categories) – ALL
* Oracle Cloud Enterprise Hosting and Delivery Policies defines these controls and service levels in greater detail. A signed contract or NDA is required to request a copy of the policies.
Comments/Recommendations – IDaaS Reference Architecture
Please provide any comments or recommendations to:
• Maharshi Desai – maharshi.desai@oracle.com
• Al Kiessel – al.kiessel@oracle.com