Integrating BI Architecture: Security and Identity Management
Steve Deitrick, Sr. Director

First Things First: Information Security Dictionary Definitions
• Database: A collection of data arranged for ease and speed of search and retrieval. Also called a data bank.
• Data Warehouse: A large specialized database, holding perhaps hundreds of terabytes of data; a database specifically structured for easy information access and reporting. "I rob banks because that's where the money is." - Willie Sutton. I.e., a very large bank, conveniently prioritized already by the business to hold its most valuable information.
• Business Intelligence: Software that enables hackers to obtain enterprise-wide information more easily.
Agenda
• Introduction
• Objectives and Goals
• The Landscape
  • Enterprise Security
  • Enterprise Business Intelligence
• The Intersection
  • Positioning
  • Integration
• Summary
• Appendix

Oracle Security and Identity Management: Key Differentiation for BI/DW Deals (Overview)
Security and Identity Management Positioning
• Governance, Risk Management and Compliance (GRC)
  • "It's the framework, stupid"
  • GRC is 80% people/process and 20% technology
  • Solution differentiation through breadth/depth
  • Database Vault competitive differentiation
• Business Efficiency
  • Automation, centralization, simplification, consistency
  • Leverage current investments
• Consolidation
  • Stronger preventive controls
  • Centralized detective controls
  • Data lifecycle protection
• Compliance Enabling Framework
Real-world examples
• February 2005 to December 2006: total number of records with sensitive personal data involved in security breaches: over 100 million.
• May 2006: A dishonest employee had access to Social Security numbers of donors, used to call them urging them to give blood again. The employee misused the personal information of at least 3 people to perpetrate identity theft, and had access to the personal information of 1 million donors.
• April 2006: A dishonest insider accessed confidential information, including names, Social Security numbers, birth dates and property addresses, on foreclosure properties she was interested in buying.
• December 2006: A report was stolen from the car of a bank's VP/CFO while employees were celebrating an award received by the bank. The document contained names and account numbers of 1,800 customers.
Governance, Risk Management, and Compliance (diagram of capability areas)
• Process Management, Identity Management, Internal Controls, Security Management
• Business Intelligence, Service Architecture, Risk Management, Analytics
• Operational Transparency, Heuristics, Systems Management, Dashboard, Grid Control
• Data Transaction, Structured Data Management, Trusted Sharing, Information Lifecycle Management
• Database Access Control, Unstructured Data Management, Content Management, Search, Record Retention
GRC Identity Management Solution Definition (diagram: SOA applications, employees, partners/customers and customers in a separate domain; LDAP environment, middle tier environment and database environment)
• Can't securely extend identities to other domains: provide cross-domain SSO with Oracle Identity Federation (OIF, $30k per CPU)
• Manual controls for securing Web services: secure your Web services with Oracle Web Services Manager (OWSM, $800 per named user or $40k per CPU)
• Lack of accountable access control: provide SSO and protect your apps with Oracle Access Manager and Oracle eSSO (OAM $20 per employee, $5 per non-employee; eSSO suite $60 per user)
• No single source of truth for identities: identity data unified with Oracle Virtual Directory (OVD, $600 per named user or $30k per CPU)
• No identity lifecycle management and accountability: create, modify and delete users automatically with Oracle Identity Manager (OIM $60 per employee, $5 per non-employee, $40k per connector)
GRC Information Security Solution Definition (diagram: the middle tier authenticates to the database; Database Vault separates the DBA from application data; Oracle Label Security classifies rows as Sensitive, Private or Public)
• Can't enforce separation of duties for "super users" (a DBA running ALTER TABLE … or SELECT ssn FROM cust): Database Vault protects against insider threats and enables consolidation ($400 per named user or $20K per CPU)
• Lack of user accountability: consolidation, analysis and reporting of audit data with Audit Vault (pricing TBD)
• Unable to classify data and control access to it: Oracle Label Security controls access based on user sensitivity and data classification (OLS $200 per named user or $10k per CPU)
• Need to protect sensitive data over the network (HIPAA): Advanced Security Option (ASO) protects data in motion ($200 per named user or $10K per CPU)
• Need to protect "crown jewels": transparently encrypt data with ASO Transparent Data Encryption (TDE) to protect data at rest ($200 per named user or $10K per CPU)
• Data unprotected on backup tapes, no protection from loss or theft: backups of database and flat files encrypted on tape with Oracle Secure Backup ($3K per tape drive)
• Insufficient access control for DB users: Enterprise User Security centralizes management of database users (EUS licensed through AppServer; requires OID)
Business Inefficiencies Solution Definition (diagram: SOA applications, employees, partners/customers and customers in a separate domain; LDAP environment, middle tier environment and database environment)
• Inconsistent approach to securing Web services: secure your Web services with Oracle Web Services Manager (OWSM, $800 per named user or $40k per CPU)
• How to securely extend identities to other domains: provide cross-domain SSO with Oracle Identity Federation (OIF, $30k per CPU)
• Too many data sources for identities: identity data appears unified with Oracle Virtual Directory (OVD, $600 per named user or $30k per CPU)
• Inconsistent approach to access control and too many logons for applications: provide SSO and secure your apps with Oracle Access Manager and the Oracle eSSO suite (OAM $20 per employee, $5 per non-employee; eSSO suite $60 per user)
• Inefficient process for creating, deleting and modifying users: create, modify and delete users automatically with Oracle Identity Manager (OIM $60 per employee, $5 per non-employee, $40k per connector)
• Too many databases for DBAs to manage: Enterprise User Security centralizes management of database users (EUS licensed through AppServer; requires OID)
Consolidation Solution Definition (diagram: the middle tier authenticates to the database; Database Vault separates the DBA from application data; Oracle Label Security classifies rows as Sensitive, Private or Public)
• Concerned about "highly privileged" users and separation of duties (a DBA running ALTER TABLE … or SELECT ssn FROM cust): Database Vault protects against insider threats and helps with compliance ($400 per named user or $20K per CPU)
• Need to monitor and analyze access: consolidation, analysis and reporting of audit data with Audit Vault (pricing TBD)
• Concerned about sensitive data traveling over the network: network encryption with Advanced Security Option protects data in motion (ASO $200 per named user or $10K per CPU)
• Concerned about sensitive data being compromised: transparently encrypt data with Advanced Security Option (TDE) to protect data at rest (ASO $200 per named user or $10K per CPU)
• Concerned about a security breach due to lost or stolen backup tapes: backups of database and flat files encrypted on tape with Oracle Secure Backup ($3K per tape drive)
• Concerns about "who" is accessing "what" data, and data classification requirements: Oracle Label Security controls access based on user sensitivity and data classification (OLS $200 per named user or $10k per CPU)
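The separation-of-duties case in the two slides above (a DBA who can administer the database but must not be able to run SELECT ssn FROM cust) is what a Database Vault realm enforces. The following is an added example, not code from the deck or from Oracle's documentation; the realm name, the CUST_APP schema, the CUST table and the CUST_OWNER and DBA1 accounts are assumed, and the DBMS_MACADM/DBMS_MACUTL calls are the documented Database Vault administration API. It must be run by a Database Vault owner (DV_OWNER), not by SYS.

```sql
-- Added example (assumed names): protect the CUST_APP schema with a Database Vault realm
-- so that system privileges such as SELECT ANY TABLE or ALTER ANY TABLE no longer reach it.
BEGIN
  -- 1. Create the realm. Failed access attempts are written to the DV audit trail.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Customer Data Realm',
    description   => 'Keeps customer PII away from privileged DBA accounts',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object in the CUST_APP schema inside the realm ('%' = all names / all types).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Customer Data Realm',
    object_owner => 'CUST_APP',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorize only the application owner. No rule set: the authorization is unconditional.
  --    G_REALM_AUTH_OWNER lets CUST_OWNER also grant privileges on realm objects;
  --    use G_REALM_AUTH_PARTICIPANT for accounts that should only use them.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Customer Data Realm',
    grantee       => 'CUST_OWNER',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Effect, connected as DBA1 (holds the DBA role, i.e. SELECT ANY TABLE and ALTER ANY TABLE):
-- the realm blocks both of the statements the slide lists, and each attempt is audited.
SELECT ssn FROM cust_app.cust;                 -- fails: ORA-01031: insufficient privileges
ALTER TABLE cust_app.cust ADD (note VARCHAR2(10)); -- fails: ORA-01031: insufficient privileges

-- Connected as CUST_OWNER the same statements succeed, because the account is a realm owner.
SELECT ssn FROM cust_app.cust;

-- Review who was stopped: the realm violation audit trail (assumed DV_OWNER view access).
SELECT username, action_command, timestamp
  FROM dvsys.audit_trail$
 WHERE action_name LIKE 'Realm Violation%'
 ORDER BY timestamp DESC;
```

Two caveats a practitioner should check before relying on this. A realm of this kind only blocks access that relies on system privileges; a direct GRANT SELECT ON cust_app.cust TO dba1 still works, so object grants on realm-protected schemas must be reviewed and the realm should be paired with auditing of such grants (Oracle later added "mandatory" realms in 12c that close this gap). Second, the DBA keeps every task that does not touch realm objects through SQL (tablespace management, RMAN backups, startup/shutdown, performance tuning), which is the point: administration without data visibility.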
Security Tenets
Security has to be built into the system, not bolted on afterwards.
• Defense in depth: security in layers for higher assurance
• Abide by the least privilege principle
• Be proactive: reality is risk mitigation, not risk avoidance
Car analogy: door locks; locks + alarms + LoJack; valet key

Key Trends for BI
• Pervasive BI
• BI integration with operational processes
• Move to prepackaged apps
Enable this with a Security/IDM framework for
• Controls and compliance
• Risk mitigation
• Business protection
Enterprise Business Intelligence Suite: Integrating & Unifying Technology (Unified Business Intelligence Infrastructure)
• Fusion Middleware Technology: Portal, Reports, Discoverer, BAM, BPEL, BI Beans
• Oracle Database Technology: OWB, OLAP, Materialized Views, Analytic Workspaces, Partitioning, RAC
• Siebel Analytics Technology: Analytic Server, Answers, Dashboards, Delivers, Mobile Analytics
• Oracle Applications Technology: XML Publisher, Balanced Scorecard

Hot Pluggable: Open, Integrates with Existing Investments
• Portals: any JSR 168 portal
• Analytic tools: BOBJ, COGN, MSTR
• Reporting: Actuate, Oracle, Apache FOS
• Desktop tools: Excel, Outlook, Lotus Notes
Oracle BI Server
• Security: Oracle, MSFT AD, iPlanet, Novell, others
• Data access: Oracle, DB2, MS SQL, Teradata, Red Brick, SQL Anywhere, XML, Excel, others
• ETL: Oracle, Informatica, Ascential, Sunopsis, others

Pre-Packaged Applications: Applications Exploit Technology Capabilities
• Siebel Analytic Apps, PSFT EPM, EBS DBI
• Pre-packaged reports, pre-packaged dashboards, pre-packaged semantic objects
• Sources: E-Business Suite, PeopleSoft, Siebel, SAP, custom
• Schemas: in-place schema, warehouse schema, packaged ETL maps
Relationship to Apps
• PSFT HR = ID provisioning opportunity
• eBiz, PSFT, Siebel = sensitive financial, LOB, IP, privacy and customer data: compliance and business protection/risk issues
• Apps/DB consolidation efforts:
  • Enforce policies for access and visibility
  • Enable controls and compliance
  • DBAs can do their jobs (manage and index tables, etc.), but don't see business owner data

Native BI Security: Robust and Leveraged
• Generic, flexible integration with SSO and LDAP systems (including Oracle)
• Database-based authentication and authorization
• Object-level security (at user or group level) to control which users can see which metadata constructs: Subject Areas, folders, attributes, etc.
• Internal, BI EE metadata-driven record-level security filtering (at user or group level); this acts in some ways like Virtual Private Database (VPD), but is enforced by the BI Server rather than by the database
• Query limits (at user or group level) to control the maximum rows returned, or time-of-day restrictions on when a user can execute requests
• Pass-through of database account credentials (as an alternative to a shared logon), so that security is enforced at the database level for each end user's queries
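The record-level filter described above lives in the BI Server's metadata, so it only protects queries that go through the BI Server. The database-side counterpart it is compared to, Virtual Private Database, attaches the predicate to the table itself and therefore also covers ad hoc SQL, ODBC clients and other tools. The following is an added example, not code from the deck; the SALES schema, the ORDERS and USER_REGION tables, the REGION column and the SALES_ADMIN account are assumed. DBMS_RLS is the documented VPD API.

```sql
-- Added example (assumed names): a VPD policy that restricts SALES.ORDERS to the
-- regions mapped to the connected database user in SALES.USER_REGION(username, region).

-- The policy function must accept (schema, object) and return a WHERE-clause fragment.
CREATE OR REPLACE FUNCTION sales.region_filter(
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2)
  RETURN VARCHAR2
AS
BEGIN
  -- The assumed administrative account sees everything: NULL means "no predicate".
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'SALES_ADMIN' THEN
    RETURN NULL;
  END IF;

  -- Everyone else is limited to their mapped regions. The identity is taken from
  -- USERENV inside the predicate; user-supplied text is never concatenated in, so
  -- the policy cannot be turned into a SQL injection point.
  RETURN 'region IN (SELECT region FROM sales.user_region '
      || 'WHERE username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_REGION_POLICY',
    function_schema => 'SALES',
    policy_function => 'REGION_FILTER',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    -- update_check: also reject INSERT/UPDATE that would produce rows the user cannot see
    update_check    => TRUE);
    -- policy_type is left at the default (DYNAMIC) because the predicate varies by session.
END;
/

-- Any client connected as a user mapped to region 'WEST' now gets only WEST rows;
-- the predicate is appended by the database, not by the tool:
SELECT order_id, region, amount FROM sales.orders;

-- What the policy does to a statement can be inspected in the SQL trace / V$VPD_POLICY,
-- and the policy itself in DBA_POLICIES:
SELECT object_name, policy_name, function, enable
  FROM dba_policies
 WHERE object_owner = 'SALES';
```

The caveat that ties this back to the slide: a VPD predicate keyed on SESSION_USER only works when the database knows who the end user is. With the BI Server's shared logon every query arrives as the pool account, so you need either the pass-through credentials the slide mentions, or Enterprise User Security with proxy authentication, or an application context set per request (DBMS_SESSION.SET_IDENTIFIER and SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER') in the predicate). The last option is only as trustworthy as the middle tier, because any session can set its own client identifier, so end users must not be able to connect to the database directly with the pool account.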
Reality Check: The "What Ifs"
• Must adhere to enterprise security policy, procedures and standards for user management, access management, a common security model and external regulatory drivers?
• Highly privileged users (administrators) still see too much information?
• Require a single source of identity truth (HR)?
• Any new solution must be able to interface with the provisioning system, due to audit/cost considerations?
• Need to extend access to vendor/partner channels?
• Must integrate with centralized compliance and audit infrastructure and processes?
• Requirements mandate multi-layer protection?

What If = Opportunity
• Security and Identity Management become your Oracle solution differentiation
• Good news: open, interoperable design principles pave the way
• Building on Oracle technology allows leverage of core security and identity infrastructure components

Secure Data Protection (diagram)
• Data security
  • Stored data encryption: protect ultra-sensitive data
  • Virtual Private Database and Oracle Label Security: enforce row-level security
  • Fine-Grained Auditing: identify misuse of data access rights
• Network security: encrypt all protocols into the database to prevent snooping (wire tapping) and tampering
• Authentication: PKI and LDAP for centralized management and strong authentication; unified user identity management
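Two of the controls in the diagram above, stored data encryption (the ASO/TDE item from the solution slides) and Fine-Grained Auditing, are the preventive and detective halves of protecting one sensitive column. The following is an added example, not code from the deck; the CUST_APP.CUST table and its SSN column are assumed, as is an already configured and opened TDE wallet. DBMS_FGA is the documented auditing API.

```sql
-- Added example (assumed names): encrypt the SSN column at rest and audit every
-- statement that reads or changes it.

-- 1. Data at rest: column-level TDE. Application SQL is unchanged; the column is
--    decrypted transparently for any session that is authorized to read it, so TDE
--    protects datafiles, exports and backups, not against authorized (or realm-bypassing) SQL.
--    The default SALT prevents equality lookups via an index; use NO SALT only if the
--    column must be indexed, and accept the weaker protection that implies.
ALTER TABLE cust_app.cust MODIFY (ssn ENCRYPT USING 'AES256');

-- 2. Detective control: FGA fires only when the statement actually touches SSN,
--    so routine queries on other columns do not flood the audit trail.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'CUST_APP',
    object_name       => 'CUST',
    policy_name       => 'CUST_SSN_ACCESS',
    audit_condition   => NULL,                 -- NULL: audit every matching statement
    audit_column      => 'SSN',                -- only statements that reference SSN
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,
    statement_types   => 'SELECT,UPDATE',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,  -- keep SQL text and bind values
    enable            => TRUE);
END;
/

-- 3. What the deck calls "identify misuse of data access rights": who read SSNs,
--    from which OS account and host, with the exact statement and its binds.
SELECT db_user, os_user, userhost, timestamp, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CUST_SSN_ACCESS'
 ORDER BY timestamp DESC;

-- A first triage query: accounts reading SSN outside the application's middle-tier host.
-- The host name is an assumption for the example.
SELECT db_user, COUNT(*) AS ssn_reads
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CUST_SSN_ACCESS'
   AND userhost <> 'bi-midtier01'
 GROUP BY db_user
 ORDER BY ssn_reads DESC;
```

The network item in the same diagram is configured on the server side rather than in SQL: in sqlnet.ora, SQLNET.ENCRYPTION_SERVER = REQUIRED and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED refuse any client that will not negotiate encryption and integrity, which is the setting to use when the point is preventing wire tapping and tampering rather than merely allowing it; the default ACCEPTED falls back to cleartext for clients that do not ask.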
Security and BI: The Plan
• Secure information at its source
  • Protect from administrator/super-user abuse
• Create a security infrastructure
  • Identity management
  • Access management
  • Provisioning
• Extend security to new business models (SOA)
  • Share and extend data securely, i.e. federate
• Link it all together
  • Databases, E-Business applications, custom applications
• Audit and report

So, for Analytics, BI and DW deals, ask…
• How do you plan to control access to the information you collect, analyze and use in your business?
• What would the impact be if someone stole, altered or compromised your marketing (or sales, financial, supply chain, IP) data?
• How valuable would it be if you were able to prove that appropriate access, audit and reporting controls are in place?
• How do the other solutions you're comparing prevent inappropriate access from end to end throughout your systems?

For More Information
• Security and Identity
  • Security Solutions from Oracle
  • Secure BI Customer References
  • Analyst Reports
• Oracle Security Strategy Briefing – NYC
  • Roadmap to Security Framework
  • Security and Compliance Partner Initiative
• X-Week Online
  • X-Workshop: End to End Security
  • Customer Xtreme Workshop: Security/Oracle Access Manager
  • Database Vault Deep Dive
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.