ODD _Session3_제출용.ppt - PDF Free Download

계정관리자동화를위한통합솔루션 Oracle Xellerate Identity Provisioning Oracle Virtual Directory Oracle Korea Hong Young hun

Agenda Oracle Xellerate Identity Provisioning(OXIP) Identity Provisioning 이란? Oracle Xellerate Identity Provisioning 의기능및특장점 데모 Oracle Virtual Directory (OViD) Oracle Virtual Directory 소개 Oracle Virtual Directory 사용예 데모

Oracle Xellerate Identity Provisioning(OXIP) Oracle Virtual Directory (OViD) IT 관리자 /End User 에게편의성제공 보안강화 ( 규정준수 ) 계정관리자동화 사용자계정및권한 lifecycle 관리 애플리케이션관점에서간편성제공 LDAP 서비스통합 비 LDAP entry 를 LDAP entry 로가상화 2 개이상의 entry 를하나의 entry 로 remapping Oracle Xellerate Identity Provisioning Oracle Virtual Directory

Identity Provisioning 의정의 신입사원이입사하거나조직내에인사이동이나직무변경이발생해사용자가접근하는자 원 (Resource) 의범주가변경되었을때HR 담당자와 IT관리자는적절한승인절차밟은후 e메일, 그룹웨어, ERP 등다양한애플리케이션에필요한계정을생성하거나접근권한을 변경해주는데이러한일련의과정을 Identity provisioning 이라고함. ID,PASSWORD,Access Policy Approval Manager OPERATING SYSTEMS CICS/IMS DATABASES CRM/ERP SYSTEMS LEGACY SYSTEMS

Identity Provisioning 솔루션의필요 기업 IT 의진화 계정관리가점점어려워짐 수작업에의한계정 Provisioning 의사례 한사람의운영자는 300-500 명의요구사항만을처리할수있음 소요시간 : 사용자당평균 12 일정도 30~ 60% 계정은불필요한정보출처 : NETWORKTIMES 2004 년 2 월호

Identity Provisioning 해결과제 IT 자원에대한신규계정생성또는접근권한변경의처리시간단축 OXIP 고객인 Mphasis( 직원수 >7000) 는평균처리시간을 10 ~12 일에서 15 분으로단축 잦은인사발령또는부서변경으로인한개별계정의접근권한변경 History 관리필요 회사는임직원들의역할변경에따른권한변경이시스템에정확히반영되어있음을언제나확신할수있어야하고오류가있을경우실시간으로통보될수있어야함 특히업무부정 ( 회계또는특혜 ) 으로감사가필요한경우감사대상업무담당자 ( 특히 10년장기근속자 ) 들에대한역할및권한변경이력은문제를해결하는데중요한요소가됨. 저비용, 고효율의상시계정변경감시및통보 퇴사자의계정이모든시스템에서확실히제거 퇴사한사용자가여전히조직의일부시스템에접속할수있음. Identity Provision solution을사용해서 1-touch de-provisioning 구현 한사용자가가지고있는다양한 IT자원에대한계정 (ID/PASSWORD) 들에대한체계적인추적관리 헬프데스크의효율증대

Identity Provisioning 해결과제 기업의보안정책준수 회사는점점증가하는국제적, 국가적, 업종별규약, 법규, 표준을준수함을보여야함 회사는규범을준수하는솔루션을사용하지않음으로해서자사의시스템이규범을준수하는지주기적으로증명 (demonstration) 를해야하는데이것은일반적으로비효율적고고비용의수작업요함 Ex) Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley $$15.5 billion - Amount organizations will spend on compliance related activities in 2005 Source: AMR Research, 2005 고비용 $70,000 - Additional man-hours spent by large firms on SOX compliance Source: Deloitte $2/3 - Portion of compliance budgets spent on internal staff and external consultants Source: AMR Research (April 2005) $$2.4 million - Average amount paid by companies for audits, in excess of what they had anticipated

Oracle XIP 특장점 Identity 관리에최적화된 Enterprise Provisioning 솔루션 코딩불필요 기존의 business rules and workflow 재사용 approval flow, provisioning logic and resource integration 을분리하여융통성제시 체계적이고구조적인 provisioning 실현 GUI 를통한디자인, 구현, 운영의용이성제공

Oracle XIP 구성도

Oracle XIP 의주요기능 다수의계정소스에대한계정충돌중재 지능형사용자프로파일정의 관리위임 롤및룰기반접근권한결정 다양하고융통적인웍플로우지원 상태유지및동적웍플로우처리 Adapter Factory 와의연계하여다양한시스템에대한프로비져닝자동화 강력한분석및감사기능

ProvisionManager Provision Manager 는 GUI design console 로코딩없이 Provision business process 를디자인하고정의할수있는도구 User profiles ex) inetpersonorg class id,password, 이름, 전화번호,email, etc. Resources - Real world system or application ex) ERP,CRM, OS, RDBMS, Group Ware,PC, PDA, etc Access policies - Resource 에대한접근권한정책 - 주로 Group 에 Assign 함 Rules - role 을만족하는사용자를특정 Group 에추가하는규칙 - Resource 와 Business workflow process 를연결시켜주는규칙 Business workflow processes - 특정 rule 을만족하는사용자가특정 group 에속하게되고 - 결국 Access Policies 에합당한 resource 를얻게되는승인절차를포함한일련의과정 Forms for business users

Oracle XIP Data Model User Record Data(User profile) Structure Organization Manager Contact Information Oracle XIP User User Defined Fields Rules 특정 Group 에속하기위한룰 Location Approval Process Provisioning User Process Group

Oracle XIP Data Model user data & resource Object Data Structure Access & Passwords Policies IT Resource IT Resource Type Resource Object Intelligent Form Rules Rules Policy 와 Rule 에의해 Provisioning 이수행됨 Adapters 는자동적으로 provisioning 이타켓시스템에반영되게됨 Approval Approval Process Process Task 1 Task 2 Provisioning Provisioning Process Process Task 1 Task 2 Adapter 1 Adapter 2 Task n Task n Adapter 3

Oracle XIP Data Model Provisioning Approaches Request Via Request Xellerate User Direct Provisioning Resource Object Rules Provisioning User Process Group Through Access Policy Access Policy

Access Control 진화과정 Efficiency Cost Savings Increased Security Reduced Implementation Compliance and Audit Rules 기반 Context 기반 Roles 기반 임의방식 Time

Access Control: 임의방식 Permissions이각개인 user에별도로할당됨 관리가어렵고심각한보안위험 회사차원의 policies를적용하기어려움 Application Permissions Business Users Database Permissions New User Requests Permission Assignment OS Permissions IT Administrators

Access Control: Roles 기반 업무별로 Roles 을정의함 사용자에게특정 role 을지정함 특정 role 이어떠한권한 (privilege) 를가지고있는지여부를분석해야함 임의방식보다는효과적이나업무가세분화되고많아질수록 role 이많아져서관리하기어려움. Application Permissions Business Users Roles Database Permissions New User Requests Role Assignment Permission Assignment OS Permissions IT Administrators

Access Control:Rules 기반 사용자의 permissions은 role과 rule에의해자동할당됨 Access control에대한관리를최소화시킬수있음 Role과 rule에대한분석만을요함 More granular access control Self Service Early Binding Late Binding Application Permissions Business Users Direct Provision Rules Roles Rules Database Permissions New User Requests Automated Role Assignment Permission Assignment OS Permissions

Access Control: Contextual 기반 승인자의인가여부에따른사용자 permission 할당 Context 는 permission 에대한인가외에따른속성을포함함 관리및권한을이임할수있음 Real world의비즈니스따른접근권한을논리적으로쉽게구현할수있음 Finely grained access control Application Permissions Self Service Business Approvers Business Users Direct Provision Rules Roles Rules Database Permissions HR Application New User Automated Role Assignment Context Permission Assignment OS Permissions

Access Control Model Employee Profile Policy Definition Target Resource

Automated Provisioning Context 기반의 Access control provisioning 구조

Oracle XIP Provisioning Process Mapping Adapter Data Process Task Adapters IT Resource: myad Server Name: win2k AdminID: Administrator Password: ********* Users Definition First Name Role Last Name Manager UID Password Organizations Def. Name Type Parent ID Request Info ID Targ. User Action Req. Target Req. User Generic Data Objects AD AD Process Process Tasks Tasks 1. Check If Org Exists 1. Check If Org Exists 2. Check if User Exists 2. Check if User Exists 3. Create User 3. Create User 4. Assign User to Groups 4. Assign User to Groups 5. Set User Password 5. Set User Password.. AD Intelligent Form AD Server myad User ID jbloggs Password ********* Account Expiration 11-Nov-2004 Groups Group1 Group2 Resource Specific Data Domain Users Internet Inputs: {AD Server, Org Name} Inputs: Task {AD Adp Server, 1 User ID} Task Adp 2 Task Adp 3 Inputs: {Server, First, Last, UID, Pwd, Groups} Active Directory

Xellerate Provisioning Process Pre-Populating Data IT Resource: myad IT IT Server Resource: Resource: Name: myad myad Server Name: win2k win2k Server AdminID: AdminID: Name: Administrator Administrator win2k AdminID: Password: Password: Administrator ********* ********* Password: ********* Users Definition First Name Role Last Name Manager UID Password Rule PrePop Adp 1 PrePop Adp 1 PrePop Adp 1 Copy Value PrePop Adp 2 Concat Values AD Process Tasks 1. Check If Org Exists 2. Check if User Exists 3. Create User 4. Assign User to Groups 5. Set User Password. Organizations Def. Name Type Parent ID Request Info ID Targ. User Action Req. Target Req. User Generic Data Objects PrePop Adp 3 Random Pwd AD Intelligent Form AD Server myad User ID jbloggs Password ********* Account Expiration 11-Nov-2004 Groups Group1 Group2 Domain Users Internet Resource Specific Data

Xellerate Provisioning Process Process Triggers Provisioning Processes Xellerate User User ID jbloggs First Name josephine Last Name miller Password ********** Manager jsmith Type End-User Employee changes their last name Provisioned Resources Active Directory RSA ClearTrust IBM RACF AD Process Tasks 5. Set User Password 6. Change Last Name 7. Change User Password CT Process Tasks 4. Create User 5. Change User Password 6. Change User Manager 7. Change User Type RACF Process Tasks 7. Assign Groups 8. Change User Login 9. Change User Password Adapter

Xellerate Provisioning Process Process Triggers Provisioning Processes Xellerate User User ID jmiller First Name josephine Last Name miller Password ********** Manager jsmith Type End-User User ID is changed Provisioned Resources Active Directory RSA ClearTrust IBM RACF AD Process Tasks 5. Set User Password 6. Change Last Name 7. Change User Password CT Process Tasks 4. Create User 5. Change User Password 6. Change User Manager 7. Change User Type RACF Process Tasks 7. Assign Groups 8. Change User Login 9. Change User Password Adapter

Xellerate Provisioning Process Process Triggers Provisioning Processes AD Process Tasks Provisioned Resources Active Directory 5. Set User Password 6. Change Last Name 7. Change User Password Adapter Xellerate User User ID jmiller First Name josephine Last Name miller Password ***************** Manager jsmith Type End-User RSA ClearTrust CT Process Tasks 4. Create User 5. Change User Password 6. Change User Manager 7. Change User Type Adapter Self-Service change of password IBM RACF RACF Process Tasks 7. Assign Groups 8. Change User Login 9. Change User Password Adapter

Adapter Factory Functionality 설정한업무규칙을 target 시스템에적용 75개의 adapter가 out-of-box 로지원됨 Customizing 요구에대한확장가능한구조

중재 (Reconciliation) 엔진 2 개이상의 trusted resources 에대한계정들의일관성중재 외부데이터변경감시 변경탐지시자동으로 Provisioning process 실행 (triggering) 실시간또는스케줄링가능 (polling) 배치처리가능 (Bulk import) Out Of the Box 중재 adaptors ( ex: PSFT, Oracle 11i, SAP R/3, AD) Manual Updates (HR Staff) HR Database (Oracle) Reconciliation Polling Process Event Data Xellerate User Take Action Target Systems (e.g. AD) (e.g. Mainframe) Xellerate Intelligent Form Workflow Evaluate Data Target Systems

중재 (Reconciliation) 엔진을통한 Provisioning Latest Data Make Requests 기존의 HR source 로부터 XIP 의계정정책 workflow 로쉽게전달됨. HR Source Approval Complement Approve / Deny Auto Create Employee Records Xellerate User Auto Provision Target Resources Resource Object Evaluate Assign Rules Provisioning User Process Group Evaluate Access Policy

Exception Reports

LDAP Service 통합요구증대 Data 통합을위해 데이터중복및비용발생 시스템이증가할수록복잡도증가

What is a Killer Solution? Oracle Virtual Directory는 Raid Deployment Directory Middleware로업무에따라여러저장소 (LDAP,RDBMS.. Etc) 에분산된계정 / 권한정보를단일LDAP 서비스로제공해야할때, 계정정보를하나의저장소로동기화 ( 또는복제 ) 하지않고단일서비스로가상화해줌

Oracle Virtual Directory 구조 LDAP 을사용하는애플리케이션 CRM, ERP Web Access Control Portal Others 리스너서비스 데이터변환, 매핑, 라우팅, 보안, 감사 데이터어댑터 Identity Data Sources

Oracle Virtual Directory 사용예 #1 : 통합 문제점 사용자 profile 이여러디렉터리에존재 애플리케이션이필요한정보를여러디렉터리로다중요청함??? 애플리케이션별속성 Extend Enterprise Schema? 기업사용자데이터전사디렉터리 일반적으로계정정보가여러저장소에분산되어있는경우가많은데, 애플리케이션 (ex: 포탈 ) 은단일서비스로제공하는통합된완전한정보를필요로함 사용자별맞춤정보로컬디렉터리

Oracle Virtual Directory 사용예 #1 : 통합 해답 가상디렉터리엔진 (OViD) 단일서비스로통합된정보를실시간으로가상화 애플리케이션별속성 기업사용자데이터전사적디렉터리 애플리케이션관점에서간편성제공 사용자별맞춤정보국부적디렉터리

Oracle Virtual Directory 사용예 #2 : 조인뷰 문제점 그룹정보는 Database 에존재 사용자정보는 directory server 에존재 애플리케이션은 LDAP 프로토콜만로연동됨 해답 가상디렉터리엔진 LDAP 쿼리요청을실시간으로 DB 에전달해서처리 Read/Write Access 지원 Corporate SunOne LDAP VDE Server LDAP SQL OViD 는 DB 에있는 관계형 레코드와를 LDAP entry 를조인하여새로운 LDAP entry 로가상화함 ou=people O=Corp.com ou=groups Groups

Oracle Virtual Directory 사용예 #3 : 프락시 & 방화벽 문제점 엄격한보안이요구됨 ( 상이한 ACL) Intranet 인터넷클라이언트 제한된속성 ( 상이한 Schema) 데이터이중화 백업 / 관리 웹애플리케이션 (DMZ) 기업디렉토리 Extranet 인터넷클라이언트 Directory Replica 일부 entry 만필요 Entry 중일부속성만필요

Oracle Virtual Directory 사용예 #3 : 프락시 & 방화벽 해답 실데이터, 서버보안 ( 상이한 ACL) 제한된속성 ( 상이한 Schema) Activity Limits (DoS) 제로백업 데이터이중화불필요 감사기능 Intranet 인터넷클라이언트 웹애플리케이션 (DMZ) 기업디렉터리 Extranet 인터넷클라이언트 OViD Sub entry 가상화 프로파일중일부속성만가상화