S105465GC10 Mod05 PDF
Student Guide
S105465GC10
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training
course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.
The information contained in this document is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of
such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software
documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure,
modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered
hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable
contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.
Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc.
AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all
warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not
be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.
Module 5 – Cloud Security, Identity, and User Management
Oracle Cloud Project Management Training for Partners
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, timing, and pricing of any features or functionality described for Oracle’s
products may change and remains at the sole discretion of Oracle Corporation.
Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and
prospects are “forward-looking statements” and are subject to material risks and uncertainties. A
detailed discussion of these factors and other risks that affect our business is contained in Oracle’s
Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and
Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on
Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as of
September 2019 and Oracle undertakes no duty to update any statement in light of new information or
future events.
Lifecycle phases: Analyze & Prepare | Plan & Design | Configure & Build | Validate & Test | Transition & Go Live | Sustain & Realize
Major Activities
‒ Analyze the application(s) deployment ecosystem (on-premises and/or cloud) and identify the best security scenario.
‒ Provide an orientation to overall cloud security and shared responsibility.
‒ Review the third-party audit, certifications, and attestations (if required).
‒ Understand and evaluate cloud usage and security risk.
‒ Review Oracle Cloud Security policies.
‒ Review and assess the need for SaaS service entitlements (VPN, IP whitelisting, TDE, SSO).
‒ Verify the connectivity requirements (VPN, hybrid, intra-domain, third-party applications, and so on).
‒ Determine user management and access type (federated/SSO/application only).
‒ Evaluate the sensitivity of the data (to be shared, encrypted, and so on).
‒ Identify additional cloud security services required (CASB, WAF, IDCS, and so on).
‒ Conduct a “core to edge” exercise to identify any security gaps and requirements for protection.
Diagram: cloud security concerns – multiple clouds; data management; contract information; privacy (GDPR); security of financial reporting systems; data residency (global companies); compliance; order information.
Diagram: shared responsibility matrix. Columns: On-Premises, IaaS, PaaS, SaaS. Stack layers, top to bottom: Identity | Security; GRC | Configurations; Data; Application; Runtime; Middleware; Database; OS; Virtualization; Server; Storage; Network; Datacenter; Physical. Legend: Customer, Shared, or Cloud Provider responsibility per cell. The upper layers are “security in the cloud”; the lower layers are “security of the cloud”.
Customer controlled and Oracle supported:
• Application Compliance
• Application Data Security
• Identity Access Security
• VCN Security
• DBaaS Security
• Storage Security
• Compute Security
Infrastructure layers:
• Infrastructure Compliance
• Data Security
• Operator Access Security
• Console and API Security
• Control Plane Host Security
• Server Hardware Security
• Oracle Network Security
• Controlled Data Center Security
Diagram: third-party audits, certifications, and attestations – DoD DISA SRG IL2 Moderate – Agency ATO; VPAT – Section 508. Industry: HIPAA; PCI DSS (Level 1). Regional: G-Cloud 11 (UK); Model Clauses (EU); FISC (Japan); IG Toolkit (UK).
Diagram: trusted enterprise cloud platform. Threat directions: top-down threats (internal and external) and bottom-up threats. Platform layers: root of trust; hypervisor; isolated network; virtualization; optional containers; many VM/guest OS instances. Cross-cutting concerns: manageability, security, networking. Columns: secure the cloud platform | secure identity, apps, and data on the cloud platform | protections and monitoring between clouds and premises; visibility and monitoring.
Copyright © 2020, Oracle and/or its affiliates.
Leveraging the Advanced Controls for Cloud: Defense in Depth and Breadth
Diagram: defense-in-depth reference architecture for an OCI region – OCI IAM; authoritative DNS with Internet intelligence; CASB; a Virtual Cloud Network spanning AD1, AD2, and AD3 with subnets and virtual firewalls; an Internet Gateway (IGW); FastConnect with IPSec option; IPSec VPN; WAF with automated, proactive DDoS threat protection; region-level detection.
▪ vFirewalls – access control in/out
▪ Distributed Denial of Service (DDoS) – network layer attack protection
▪ Web Application Firewall (WAF) – application layer attack protection
▪ Cloud Access Security Broker (CASB) – visibility, compliance, control drift alerting
▪ Virtual Private Network (VPN) – protection/encryption in transit over Internet & private links
▪ Domain Name Service (DNS) – managed DNS from Oracle for OCI customers
▪ Identity & Access Management (IAM) – control who can access and manage OCI resources
Major Activities
1. Customer Isolation: full isolation from other tenants and Oracle’s staff, and between a tenant’s workloads.
4. Visibility: provide log data and security analytics for auditing and monitoring actions on customer assets.
5. Secure Hybrid Cloud: enable customers to use their existing security assets | integrate with on-premises security solutions | support for third-party security solutions (identity federation, third-party security solutions, IPSec VPN, FastConnect).
7. Verifiably Secure Infrastructure: security operations, compliance certification and attestation, customer penetration and vulnerability testing.
Diagram: REGION 1 and REGION 2, each with AD1, AD2, and AD3 (secure).
IAM
• The Identity and Access Management (IAM) service enables you to control what type of access a group of users has, and to which specific resources.
• Each OCI resource has a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).
• IAM uses traditional identity concepts such as principals, users, groups, policies, compartments, and tenants.
WAF
▪ Enterprise-grade, cloud-based, globally deployed security solution designed to protect business-critical web applications from malicious cyber-attacks
▪ Web application security for OCI workloads and more: simultaneously protects web applications located on OCI, on-premises, and/or within multi-cloud environments
Diagram: telemetry across Oracle Cloud Infrastructure – virtual machines and containers, object storage, block storage, database systems, file sharing, and customer applications. • Audit all activity levels. • Telemetry services for visibility and analysis.
Oracle Cloud–Based WAF: Protecting Data Wherever it Resides
Layered approach to protect web applications against cyber attacks.
Diagram: bad bots, hackers, and spammers are filtered while good visitors and good bots reach cloud-based data (on OCI and other clouds) and on-premises databases.
4. Visibility
Cloud Access Security Broker
Diagram: CASB coverage across cloud infrastructure – security, identity & compliance; storage & database; network & content delivery; compute.
• Policy Alerts – alerting and notifications on policy changes to resources
• Security Controls – detection of insecure settings of OCI resources
• Threat Detection – detection of user risks and threats using ML analytics
• Key Security Indicator Reports – report generation for key security indicators
Diagram: WAF policies in Oracle Cloud Infrastructure can be unique per domain, per app, and per cloud, covering AD and application servers on premises, with common telemetry.
• Identity Federation: SAML 2.0 federation via IDCS and Microsoft Active Directory Federation Services (ADFS) and any SAML 2.0 compliant identity provider
• Third-party security tools: Oracle collaborates with various third-party security vendors to make their solutions accessible on Oracle Cloud Infrastructure, enabling customers to use their existing security tools when securing data and applications in the cloud.
• Secure your Oracle Cloud Infrastructure security credentials (don’t hard-code them in public files).
• Use key-based SSH only. Don’t use passwords for SSH access.
• Use IAM users/groups and compartments for least-privilege access to resources.
• Use VCN security lists to limit instance network access to authorized IPs only.
• Use VCN public and private subnets to isolate internal hosts (DB) from public-facing entities (web servers, load balancers, and so on).
• Don’t make object store buckets public, unless necessary.
• Use multiple-AD deployment and load balancers for high availability of applications.
• Leverage bare metal instances for enhanced security of roots of trust (keys, secrets, and so on).
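The practices above can be turned into mechanical checks. The following is an added example, not Oracle tooling: the inventory is a constructed, simplified stand-in for what the OCI CLI/SDK would return, and its field names (the subnet `public` flag, `ingress_rules`, `public_access_type`) are hypothetical.

```python
"""Checks for the OCI hardening practices listed above.

Added example, not Oracle tooling: the inventory below is a constructed,
simplified stand-in for what the OCI CLI/SDK would return, and the field
names (subnet 'public' flag, 'ingress_rules', 'public_access_type') are
hypothetical. Running it prints one finding per violated practice.
"""
from ipaddress import ip_network

SSH_PORT, DB_PORT = 22, 1521
PUBLIC_OK_PORTS = {80, 443}  # only web ports may be exposed to 0.0.0.0/0

# Constructed sample tenancy: a DB host in a public subnet, SSH open to the
# world, a readable bucket and password SSH logins left enabled.
INVENTORY = {
    "subnets": {"web-subnet": {"public": True}, "db-subnet": {"public": True}},
    "instances": [
        {"name": "web-1", "subnet": "web-subnet", "role": "web"},
        {"name": "db-1", "subnet": "db-subnet", "role": "db"},
    ],
    "ingress_rules": [
        {"source": "0.0.0.0/0", "port": 443},
        {"source": "0.0.0.0/0", "port": SSH_PORT},
        {"source": "10.0.0.0/16", "port": DB_PORT},
    ],
    "buckets": [
        {"name": "app-logs", "public_access_type": "NoPublicAccess"},
        {"name": "exports", "public_access_type": "ObjectRead"},
    ],
    "sshd": {"PasswordAuthentication": "yes", "PubkeyAuthentication": "yes"},
}


def audit(inv):
    """Return (practice, detail) findings; an empty list means every check passed."""
    findings = []
    # Limit instance network access to authorized IPs only: a rule whose source
    # is the whole Internet is acceptable only for the listed web ports.
    for rule in inv["ingress_rules"]:
        if ip_network(rule["source"]).prefixlen == 0 and rule["port"] not in PUBLIC_OK_PORTS:
            findings.append(("restrict-ingress", f"port {rule['port']} open to {rule['source']}"))
    # Isolate internal hosts (DB) from public-facing entities via private subnets.
    for inst in inv["instances"]:
        if inst["role"] == "db" and inv["subnets"][inst["subnet"]]["public"]:
            findings.append(("private-subnet", f"{inst['name']} sits in public subnet {inst['subnet']}"))
    # Don't make object store buckets public.
    for bucket in inv["buckets"]:
        if bucket["public_access_type"] != "NoPublicAccess":
            findings.append(("private-bucket", f"{bucket['name']} allows {bucket['public_access_type']}"))
    # Key-based SSH only: sshd must not accept passwords.
    if inv["sshd"].get("PasswordAuthentication", "yes").lower() != "no":
        findings.append(("ssh-keys-only", "PasswordAuthentication is not set to 'no'"))
    return findings


if __name__ == "__main__":
    for practice, detail in audit(INVENTORY):
        print(f"[{practice}] {detail}")
```

On the constructed inventory every practice except the 443 rule and the log bucket produces a finding; a corrected inventory (private DB subnet, SSH limited to an admin range, password logins disabled) returns an empty list.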
Diagram: Oracle Identity Cloud Service capabilities – database security, OCI security, identity lifecycle management, API security, MFA, single sign-on, adaptive authentication, self service, cloud directory.
PaaS IaaS
With Oracle Identity Cloud Service, you can implement federated SaaS Apps Oracle Apps Enterprise Apps
SSO with other solutions. With this integration, your on-premises
users, partners, and cloud users can access on-premises and cloud On-premises
applications with a single login from anywhere, at any time:
Or
▪ SAML SSO: Implement federated SSO with SAML Identity web apps
Providers located on your premises or on your partners’
premises.
*******
Support for standards: SAML, WS-Fed, Open Use authorization policies for fine-
ID Connect grained access control on APIs and
web resources.
Password-less: Eliminate the use of passwords
using Oracle Mobile Authenticator or a magic Migrate from legacy WAM solutions
link. and simplify and modernize security.
Use Adaptive MFA policies to enforce Get real-time visibility through
authentication options and control access to operational reports and SIEM
apps. integration.
Enforce session controls on users based on
context and apps.
Diagram: IDCS integration scenarios – on-premises directories (OID, OUD, LDAP) and custom apps behind a firewall; provisioning from Identity Cloud Service to SaaS apps, custom apps, gateway apps, Fusion Apps (ERP, HCM, Sales, Marketing, Supply Chain, Service), Apps Unlimited, SAP, and other enterprise apps; adaptive access decisions (Allow, Deny, Re-authenticate, MFA) driven by device posture (managed? trusted? jailbroken?) and custom attributes; an Active Directory Identity Bridge connecting the customer’s AD through the firewall to IDCS.
Diagram: IDCS as federation hub between federated IDPs, social IDPs, and Active Directory Federation Services.
• Integrate with any external IDP and social identity providers via IDCS as Federation Hub.
• Manage B2B, B2C, and B2E relationships via local, delegated, and federated authentication.
Use Case 4: Enhancing Developer Productivity
Diagram: APIs, mobility, JAVA, OIC, analytics, bots, and other devices reach Fusion Apps (ERP, HCM, Sales, Marketing, Supply Chain, Service) and partner apps through Oracle API Gateway with IDCS.
Strong security:
• API Security
• OAuth Policies
• Consent Management
• Token Management
• Token Policy
• Authorization Policies
• Session Management
• Custom Claims
• Identity Propagation
• Single Pane of Glass for Users and Roles across SaaS and extended Apps
Cloud Account Management: It comes bundled with the Identity Cloud Service with universal credits for security and user management.
The following types of users can be created depending on the security design:
• Cloud Account Administrator
• Service Administrator
• Business Administrator
• Identity Domain Administrator
• Non-Administrator
PaaS security features:
• Group Management
• Assignment of Groups
• Password Management
• Federation between OCI IAM and IDCS
The following PaaS Services also have capabilities that can be configured as per the security needs:
Diagram: Oracle Cloud Infrastructure connected to on premises through a Dynamic Routing Gateway; responsibility is shared in the cloud but entirely the customer’s own on premises. Key operational challenges: lack of visibility, poor compliance, inconsistent policies, wide threat surface.
Providing Visibility Across Applications
Leverage CASB
Diagram: an HR Business Partner changes a user’s role from AP Specialist to AP Manager; the change propagates and Oracle CASB Cloud Service surfaces it to the Auditor/InfoSec team.
Use Case 3: Behavioral Analytics and Machine Learning
Leveraging CASB
Diagram: Oracle CASB Cloud Service learns a normal baseline for the HR Business Partner (5 salary changes per day) and alerts InfoSec on abnormal activity (10 salary changes per day).
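The baseline-versus-abnormal logic behind this use case, as an added example that is not Oracle CASB code: the audit events are constructed (an HR partner with 5 salary changes a day for five days, then 10; an analyst with steady low volume), and each user's baseline is learned from that user's own earlier days rather than from a fixed global threshold.

```python
"""Baseline-versus-abnormal detection in the spirit of the CASB use case above.

Added example, not Oracle CASB code. The audit events are constructed: an HR
business partner who makes 5 salary changes a day for five days and 10 on the
sixth, plus an analyst with steady low volume. Each user's baseline is learned
from that user's own earlier days, so no global threshold has to be guessed.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

ACTION = "SalaryChange"
MULTIPLIER = 2.0  # the slide's example: 10 changes/day against a baseline of 5


def build_events():
    """Constructed (day, user, action) audit records."""
    start = date(2020, 1, 6)
    events = []
    for offset in range(6):
        day = start + timedelta(days=offset)
        changes = 5 if offset < 5 else 10
        events += [(day, "hr.partner", ACTION)] * changes
        events += [(day, "hr.analyst", ACTION)] * 2
        events.append((day, "hr.partner", "Login"))  # unrelated activity, ignored
    return events


def daily_counts(events, action=ACTION):
    """Map user -> Counter(day -> number of `action` events on that day)."""
    counts = defaultdict(Counter)
    for day, user, act in events:
        if act == action:
            counts[user][day] += 1
    return counts


def detect(events, multiplier=MULTIPLIER, min_history=3):
    """Return (user, day, count, baseline) for days far above the user's own baseline.

    A day is flagged only once `min_history` earlier days exist, and only if the
    count is both >= multiplier * mean and > mean + 3 standard deviations, so a
    single busy day in a naturally noisy history does not fire an alert.
    """
    alerts = []
    for user, per_day in daily_counts(events).items():
        history = []
        for day in sorted(per_day):
            count = per_day[day]
            if len(history) >= min_history:
                baseline = mean(history)
                if count >= multiplier * baseline and count > baseline + 3 * pstdev(history):
                    alerts.append((user, day, count, baseline))
            history.append(count)  # today becomes part of tomorrow's baseline
    return alerts


if __name__ == "__main__":
    for user, day, count, baseline in detect(build_events()):
        print(f"{day} {user}: {count} salary changes vs baseline {baseline:.1f}")
```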
Diagram: SaaS and PaaS – role-based access; global access controls; backup and redundancy in global data center regions.
Roles
• Create roles.
• Edit custom roles.
• Copy roles.
• Compare roles.
• Visualize role hierarchies and assignments to users.
• Review Navigator menus available to roles or users, identifying roles that grant access to Navigator items and privileges required for that access.
Users
• Create user accounts.
• Review, edit, lock, or delete existing user accounts.
• Assign roles to user accounts.
• Reset users' passwords.
Certificates
• Generate, export, or import PGP or X.509 certificates, which establish encryption keys for data exchanged between Oracle Cloud applications and other applications.
• Generate signing requests for X.509 certificates.
Administration
• Establish rules for the generation of usernames.
• Set password policies.
• Create standards for role definition, copying, and visualization.
• Review the status of role-copy operations.
• Define templates for notifications of user-account events such as password expiration.
Analytics
• Review statistics concerning role categories, the roles belonging to each category, and the components of each role.
• View the data security policies, roles, and users associated with each database resource.
Role-Based Access Control
In an RBAC model, users are assigned roles, and roles are assigned access privileges to
protected resources.
When roles are loaded in a session repository, the user is granted the most permissive level of
access.
Diagram: User session → Authentication established → Roles loaded in session repository.
• Data roles: Set of data that users with the role can access when performing the function
• Duty roles: A logical grouping of privileges and security policies specific to a duty a user can do as part of their job (Sales Lead Follow Up, Service Availability Management, Service Request Troubleshooter, Opportunity Partner Administration)
All modules are delivered with predefined roles based on best industry practices and logical
organizational hierarchy (ORA_).
Diagram: example job roles – Sales VP; Customer Data Steward.
Each role is a hierarchy of other roles and duties that are linked to each other in a parent-child
relationship.
A job role is composed of other duty roles, functional security privileges, and data security policies.
Functional security – functional privileges: Access different user interface elements, Web services, task flows, and other functions, for example:
• Create Opportunity
• Delete Opportunity
• Convert Lead
• Update Sales Organization
Data security – data security privileges: Specify the roles that can perform a specified action on an object, and the conditions under which the action can be carried out. A data security policy is the exact combination of object, role, actions (functional privileges), and condition under which the user can perform the specified actions on the subset of records of the specified object when the user meets the condition.
Recommendation: From the defined CRUD matrix, map the application security requirement to the closest “out-of-the-box” job role.
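How a role hierarchy, functional privileges and data security policies combine at evaluation time, as an added example that is not Oracle's implementation: role and privilege names reuse those on the page, while the users, records, business-unit field and condition predicates are constructed stand-ins for real data security policy conditions.

```python
"""Role-based access evaluation modelled on the RBAC concepts described above.

Added example, not Oracle's implementation. Role and privilege names reuse those on
the page; users, records, the business-unit field and the condition predicates are
constructed stand-ins for real data security policy conditions.
"""
from dataclasses import dataclass

# Role hierarchy: a parent role inherits everything its child roles grant.
ROLE_CHILDREN = {
    "Sales VP": ["Sales Manager", "Opportunity Partner Administration"],
    "Sales Manager": ["Sales Representative"],
    "Sales Representative": ["Sales Lead Follow Up"],
}
# Functional privileges granted directly by each duty role (UI, services, task flows).
FUNCTIONAL = {
    "Sales Lead Follow Up": {"Convert Lead"},
    "Sales Representative": {"Create Opportunity"},
    "Sales Manager": {"Update Sales Organization"},
    "Opportunity Partner Administration": {"Delete Opportunity"},
}

@dataclass(frozen=True)
class DataPolicy:
    """Object + role + actions + condition: which records the role may act on."""
    obj: str
    role: str
    actions: frozenset
    condition: object  # predicate(record, user) -> bool

DATA_POLICIES = [
    DataPolicy("Opportunity", "Sales Representative", frozenset({"Create", "Update"}),
               lambda rec, user: rec["owner"] == user["name"]),  # own records only
    DataPolicy("Opportunity", "Sales Manager", frozenset({"Update"}),
               lambda rec, user: rec["bu"] == user["bu"]),  # whole business unit
    DataPolicy("Opportunity", "Opportunity Partner Administration", frozenset({"Delete"}),
               lambda rec, user: True),  # unconditional
]

def expand_roles(assigned):
    """Roles loaded into the session repository: assigned roles plus all they inherit."""
    loaded, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role not in loaded:
            loaded.add(role)
            stack.extend(ROLE_CHILDREN.get(role, []))
    return loaded

def functional_privileges(user):
    """Union over all loaded roles: the most permissive level of access applies."""
    return set().union(*(FUNCTIONAL.get(r, set()) for r in expand_roles(user["roles"])))

def can(user, action, obj, record):
    """Data security: some loaded role must hold a matching policy whose condition is met."""
    loaded = expand_roles(user["roles"])
    return any(p.obj == obj and p.role in loaded and action in p.actions
               and p.condition(record, user) for p in DATA_POLICIES)

# Constructed users and records; Ada's VP role inherits Bob's representative role.
VP = {"name": "Ada", "bu": "EMEA", "roles": ["Sales VP"]}
REP = {"name": "Bob", "bu": "EMEA", "roles": ["Sales Representative"]}
OWN_OPP = {"id": 1, "owner": "Bob", "bu": "EMEA"}
OTHER_OPP = {"id": 2, "owner": "Cy", "bu": "APAC"}
```

With these inputs Bob can update only his own opportunity, while Ada inherits all four functional privileges, can update any EMEA opportunity, and can delete the APAC one only because the unconditional Delete policy is attached to a role she inherits.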
Major Activities
‒ Analyze and implement the Application Security Matrix through RBAC for SaaS applications.
‒ Deploy SaaS security through service entitlements (VPN, IP whitelisting, data masking on the test environment).
‒ Configure security for the PaaS components.
‒ Configure the assessment of security considerations (isolation, network, encryption, access) and policies.
‒ Configure the security of the PaaS components in scope on the DEV/TEST environment (Integration, Analytics, Apps development, Data Management, Content and Experience).
‒ Configure access control (IDCS and OCI IAM).
‒ Review Security Compliance certification and attestation, and customer penetration and vulnerability testing requirements.
Major Activities
‒ Review production security and identify any additional SaaS service entitlements not yet enabled (VPN, IP whitelisting, data masking, and so on).
‒ Monitor and audit user activities to conduct data integrity checks and maintain traceability and visibility into the infrastructure.
‒ Keep software up to date. This includes the latest product release and any patches that apply to it.
‒ Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.
‒ Monitor system activity. Establish who should access which system components, and how often, and monitor those components.
‒ Learn about and use the Oracle Cloud Infrastructure security features.
‒ Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. Install all security patches as soon as possible.
Now that you have completed this module, you should be able to:
• Explain why customers should care about cloud security
• Describe the shared security model and responsibilities
• Identify the 7 pillars of a Trusted Enterprise Cloud Platform
• Provide an overview of security and positioning of Oracle Cloud Services
• Describe the SaaS security patterns: Protecting mission-critical business applications in
the cloud
• Plan role-based access control in SaaS
• List the different types of security entitlements