
Web 2.0 for the Enterprise

Enabling and Securing Web 2.0

Presented by
Antony Krilis

www.agreon.com
Agenda

Wild West Web

Enterprise Identity

Trust at the speed of change


Web 2.0 for the Enterprise

Wild West Web


What is Identity Management?

Integrated system of business processes, policies and technologies that enable organisations to facilitate and control access by their users to critical online applications and resources.
Source: Wikipedia “Identity Management”
Feudalism 2.0

You and Me

Symptoms of the Silos

• Proliferation of user names and passwords
• Repeated user registration
• Lack of identity verification and assurance
• Poor security, trust and privacy
• Lack of portability and consistency
Identity Threats

• Identity Theft: The explosion of personal data on the web in the last 18 months from Web 2.0 has resulted in an equivalent rise in ID theft.
• Identity Fraud: With many sources of information, it is easy to do: low capital requirement, low risk of getting caught, light punishment, high returns.
• Reputation: The threat posed is not only financial but includes risks associated with brand reputation and consumer confidence through the actions of malicious employees.

“Victims of identity theft are the collateral damage of this diabolical business model.”
Beth Givens, Executive Director, Privacy Rights Clearinghouse
Privacy

• Consent: Identity Management is core: securing user information, obtaining required consent, achieving transparency in security practices, and ensuring privacy.
• Data Breaches: More than 220 million records containing sensitive personal information have been leaked in security breaches in the United States since January 2005.
• Australian Privacy Act: Proposal to make notification of information security breaches mandatory.
Access control for Web 2.0

• Relationship Based – A new paradigm is evolving based on interpersonal relationships: information is released based on the relationship, e.g. friend, work colleague, family member.
• Fine Grained – The ability to protect, for example, individual blog entries, particular personal information or specific photos.
• Interoperability – Access control policies should be portable and consistent, e.g. relationship groups defined by the user should follow the user rather than be recreated for each site.
• Policies – Security in Web 2.0 should be a user-driven process, one that enables users to determine which information is personal and protect it consistently.
Web 2.0 for the Enterprise

Enterprise Identity
Identity Drivers

[Figure: Perception Gap. One side: Quality of Service, Differentiation, Web 2.0, Openness and Freedom, Cost Reduction. Other side: Information Security, Risk Management, Privacy, Audit Compliance, Legislation. Layers: Applications, Identity Management, Security, Infrastructure. Axis label: D.C. Security Spectrum A.R.]


Oracle Identity Management

[Figure: Oracle Identity Management architecture. Web Sites and Applications sit above Identity Services; Data Sources sit below.]

Identity Services:
• Self-Service Workflow
• Single Sign-On
• Self-Registration
• Delegated Management
• Password Management
• Auditing & Compliance
• X-Pages

Components: Oracle Access Management, Oracle Identity Services, Oracle Internet Directory, Oracle Identity Management, Oracle Directory Services

Data Sources: HR Applications, OS, Mainframes, Office, Web, Devices, Applications
Web 2.0 for the Enterprise

Trust at the speed of Change


Application Centric Identity

[Figure labels: Directory, IdM products, Suites, Services, Inherent]

Standards Based Approach

RBAC, SAML 2.0, WS-BPEL 2.0, WS-*, XACML 2.0, SPML

User Centric Identity Systems Standards



Oracle Service Orientated Security
• Development – IGF is a service-oriented, privacy-aware framework for developers to access identity data while adhering to usage policies.
• Deployment – Models, defines and manages a repository for business roles and relationships, which can then be used to drive role-based access control, provisioning and approvals across business applications.
• Administration – Externalization of hard-coded authorization policies from heterogeneous enterprise applications. Enables customers to administer the access rights of users as they interact with business applications today.
• Governance – Real-time monitoring and policy enforcement for critical business processes; automated application controls in the areas of access, setup and transaction monitoring.
Development

Identity Governance Framework (IGF)


• Part of the Liberty Alliance Project, IGF is an open multi-vendor initiative established and led by Oracle to address governance of identity-related information across enterprise IT systems.
• Common framework for defining usage policies, attribute requirements, and developer APIs pertaining to the use of identity-related information.
• IGF will assist corporations with increased transparency and demonstrable compliance with respect to policies for identity-related data.
Deployment

Oracle Role Manager


• Context-Aware, Polyarchy Enabled Role Engine: Role Manager helps you specify business and IT roles and privileges and associated ownership and delegation models based on organisation structure.
• Dynamic Fine Grained Policy: Roles and permissions are made dynamic through support of multi-dimensional hierarchies (e.g., hierarchies that are crossed with matrices) and event-based features that trigger changes to permissions.
• Configurable and Extensible Role and Relationship Model: Easy to model unique business structures and relationships that exist within a department, within a division and across the extended enterprise.

[Figure: mapping People to Resources]
• Business Roles: What part do I play in the organisation?
• Responsibilities: What am I accountable for?
• Map Business Roles to IT Roles
• IT Roles: What resources do I have access to?
• Privileges: What rights do I have?
• Business Rules: Define operations – who can do what and when
• IT Rules: “If then else” rules that represent business decision processes
Managing Complex Relationships

Oracle Role Manager


• Configurable and Extensible Role and Relationship Model: Easy to model unique business structures and relationships that exist within a department, within a division and across the extended enterprise.
Administration

Oracle Fine Grained Authorisation


• Externalize Policy: Designed to externalize hard-coded authorization policies from heterogeneous enterprise applications.
• Fine Grained Policy: Allows the security model to extend from the RBAC model to other security principles such as Attribute-Based Access Control (ABAC).
• Central Authorisation Policy Store: Access control based on temporality (such as start date/end date) or IP address can now be centralized into a single authorization model with centralized storage and administration of the policies.
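
An added illustration of the centralised model on this slide (not Oracle's code or API; the policy fields, roles and networks are constructed for the example): one policy store outside the applications holds the role, start/end date and source-network conditions, and a single decision function evaluates them with deny as the default.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Policy:
    resource: str
    action: str
    role: str                      # RBAC condition
    start: Optional[date] = None   # ABAC: temporal validity window
    end: Optional[date] = None
    network: Optional[str] = None  # ABAC: permitted source network (CIDR)


# Constructed sample store; in practice this lives outside the application code.
POLICY_STORE = [
    Policy("payroll", "read", "hr-analyst", network="10.20.0.0/16"),
    Policy("payroll", "approve", "contract-auditor",
           start=date(2024, 1, 1), end=date(2024, 3, 31),
           network="10.20.0.0/16"),
]


def decide(roles, resource, action, today, source_ip, store=POLICY_STORE):
    """Return (allowed, reason). Deny unless one policy matches completely."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False, "invalid source address"
    reason = "no policy for resource/action"
    for p in store:
        if (p.resource, p.action) != (resource, action):
            continue
        if p.role not in roles:
            reason = "role not granted"
            continue
        if (p.start and today < p.start) or (p.end and today > p.end):
            reason = "outside validity window"
            continue
        if p.network and addr not in ip_network(p.network):
            reason = "source network not permitted"
            continue
        return True, f"permit via role {p.role}"
    return False, reason
```

Because every application calls the same `decide` function, the reason string on a deny doubles as an audit record of which condition failed.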
Adaptive Authentication
• Oracle Adaptive Strong Authenticator – Agnostic security mechanism that protects sensitive credentials from phishing, pharming, Trojan attacks and a range of online threats.
• Oracle Adaptive Risk Manager – Real-time fraud detection enables real-time actions (block, challenge, etc.) and alerts to effectively combat fraud while also arming investigators with valuable fraud-related data.
• Enterprise-Wide Interoperability – Can be implemented as a service that can be leveraged by various client applications in a consistent manner; integrates with a variety of systems through open APIs.

[Figure: Oracle Adaptive Strong Authenticator and Oracle Adaptive Risk Manager. Labels: Authenticates Access, Strong Authentication, Workflow & Authorisation, Behaviour, Devices, Authentication, Directories, Workflow & History, Location]
Conclusions

• Woven-In versus Bolted-On: Security is integrated into applications from the start and not force-fitted on afterwards, ensuring improved security, easier development, and lower administrative costs.
• Standards-based versus Proprietary: An open heterogeneous solution assures interoperability and co-existence with all current and possible future platforms and architectures.
• Identity as a Service: Exposing identity management as a reusable service for all applications drives the realization of significant business efficiencies, providing strengthened network security, improved enterprise compliance, and lower administrative and development costs.
• Rapid Deployment: An integral component of a wider application development and deployment framework that seamlessly works together, so that identity management is always ready for new applications and thus can be rapidly deployed.
Questions

Identity is a Journey