
Oracle Cloud Project Management for Partners

Module 5 – Cloud Security, Identity, and User Management

Student Guide
S105465GC10

Learn more from Oracle University at education.oracle.com


Copyright © 2020, Oracle and/or its affiliates.
Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training
course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display,
perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of
such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software
documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure,
modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered
hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable
contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc.
AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

Third-Party Content, Products, and Services Disclaimer

This documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all
warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not
be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.
Module 5 – Cloud Security, Identity, and User Management
Oracle Cloud Project Management Training for Partners

Oracle Alliances & Channels


Safe harbor statement

The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, timing, and pricing of any features or functionality described for Oracle’s
products may change and remains at the sole discretion of Oracle Corporation.
Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and
prospects are “forward-looking statements” and are subject to material risks and uncertainties. A
detailed discussion of these factors and other risks that affect our business is contained in Oracle’s
Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and
Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on
Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as of
September 2019 and Oracle undertakes no duty to update any statement in light of new information or
future events.



Mihai Dragomir
Cloud Adoption and Implementation Consultant
Oracle Alliances & Channels



Learning Objectives
Cloud Security, Identity, and User Management

By the end of this module, you should be able to:

• Explain why customers should care about cloud security
• Describe the shared security model and responsibilities
• Identify the 7 pillars of a Trusted Enterprise Cloud Platform
• Provide an overview of security and positioning of Oracle Cloud Services
• Describe the SaaS security patterns: protecting mission-critical business applications in the cloud
• Plan role-based access control in SaaS
• List the different types of security entitlements


Oracle Cloud Delivery Framework

[Framework diagram: six phases (Analyze & Prepare, Plan & Design, Configure & Build, Validate & Test, Transition & Go Live, Sustain & Realize) under Project Management and Governance, with Project Artifacts, Deliverables, and Milestones at the bottom; applies across SaaS, PaaS, and OCI.]

Knowledge Areas:
• Cloud Provisioning & Environments Management
• Cloud Security, Identity & User Management
• Continuous Testing Strategy & Plan
• Sustainment Plan & Adoption Strategy
• High-Impact Cloud Project Management Implementation
• Cloud Architecture Envisioning & Planning Approach
• Data Management Plan & Migration Plan
• Delivery Approach for Cloud Solutions in Scope
• Organizational Change Management in Cloud Projects
• Training & Knowledge Transfer Strategy & Plan
• Aligning Business Goals & Project Objectives
• Cloud Risk Management
Oracle Cloud Delivery Framework
Knowledge Area: Cloud Security, Identity, and User Management

[Diagram: the knowledge area runs across all six phases, from Analyze & Prepare to Sustain & Realize, under Project Management and Governance, and applies to SaaS, PaaS, and OCI.]

• Cloud Security, Identity & User Management: to define and enable the different security rules, policies, and requirements at the specific cloud layers (SaaS, PaaS, OCI), including role-based access controls, user and identity management, network, and data.
Part 1 – Cloud Security, Identity & User Management


Analyze & Prepare
Cloud Security, Identity, and User Management

Major Activities
‒ Analyze the application(s) deployment ecosystem (on-premises and/or cloud) and identify the best security scenario.
‒ Provide an orientation to overall cloud security and shared responsibility.
‒ Review the third-party audits, certifications, and attestations (if required).
‒ Understand and evaluate cloud usage and security risk.
‒ Review Oracle Cloud Security policies.
‒ Review and assess the need for SaaS service entitlements (VPN, IP whitelisting, TDE, SSO).
‒ Verify the connectivity requirements (VPN, hybrid, intra-domain, third-party applications, and so on).
‒ Determine user management and access type (federated/SSO/application only).
‒ Evaluate the sensitivity of the data (to be shared, encrypted, and so on).
‒ Identify additional cloud security services required (CASB, WAF, IDCS, and so on).
‒ Conduct a “core to edge” exercise to identify any security gaps and requirements for protection.


Why Customers Should Care About Cloud Security

[Diagram: customer concerns clustered around Compliance.]
• Multiple clouds
• Data management
• Privacy – GDPR
• Contract information
• Security of financial reporting systems
• Data residency (global companies)
• Order information
• Network
• Open enrollment and benefits
• Global access controls (IDM)
• Compensation and payroll
• Roles and territory visibility


Cloud Platform Security: Shared Responsibilities

[Diagram: the same technology stack shown for On-Premises, IaaS, PaaS, and SaaS, with each layer marked as Customer, Shared, or Cloud Provider responsibility. The upper layers are labelled "security in the cloud", the lower layers "security of the cloud".]

Stack, top to bottom:
• Identity | Security
• GRC | Configurations
• Data
• Application
• Runtime
• Middleware
• Database
• OS
• Virtualization
• Server
• Storage
• Network
• Datacenter
• Physical


Shared Responsibility Model: Overview

Customer controlled and Oracle supported:
• Application Compliance
• Application Data Security
• Identity Access Security
• VCN Security
• DBaaS Security
• Storage Security
• Compute Security

Oracle controlled:
• Infrastructure Compliance
• Data Security
• Operator Access Security
• Console and API Security
• Control Plane Host Security
• Server Hardware Security
• Network Security
• Data Center Security


Shared Responsibility Model in Oracle Cloud Infrastructure

CUSTOMER (security in the cloud):
• Customer Data – user credentials, other account information
• Account Access Management – insecure user access behavior, strong IAM policies, application patching management
• Network and Firewall Configuration – security list, route table, VCN configuration
• Client-side Encryption – key management
• Other infrastructure services (LB, WAF, CASB, DDoS protection)

ORACLE (security of the cloud):
• Compute, Network, Storage Isolation, IAM Framework
• Physical Security – protect the hardware, software, networking, and facilities that run Oracle Cloud Services.


Shared Responsibility Model
A clearly defined shared responsibility model is essential to maintaining a Trusted Enterprise Cloud Platform.

Identity and Access Management
  Customer: Protect credentials and manage access.
  Oracle: Provide effective and easy-to-use identity management, authentication, authorization, and auditing solutions.

Workload Security
  Customer: Patch apps and OS, configure OS, and protect against malware and network attacks.
  Oracle: Secure images and make it simple for customers to bring existing third-party security solutions.

Data Classification and Compliance
  Customer: Correctly classify and label data and meet compliance requirements; audit solutions to meet compliance requirements.
  Oracle: Not applicable

Host Infrastructure Security
  Customer: Securely configure and manage compute (virtual hosts, containers), storage (object, local storage, block volumes), and platform services (database configuration).
  Oracle: Ensure that the service is optimally configured and secured, including hypervisor security and the configuration of the permissions and network access controls required to ensure that hosts can communicate correctly and that devices are able to attach or mount the correct storage devices.

Network Security
  Customer: Securely configure network elements such as virtual networking, load balancing, DNS, and gateways.
  Oracle: Provide secure network infrastructure.

Client and End-Point Protection
  Customer: Secure all clients and endpoints that are used to access Oracle Cloud Infrastructure services.
  Oracle: Not applicable

Physical Security
  Customer: Not applicable
  Oracle: Protect the global infrastructure (hardware, software, networking, and facilities) that runs all of the services in Oracle Cloud Infrastructure.


Reviewing Third-Party Audit, Certifications, and Attestations

Global: SOC 1 / SOC 2 / SOC 3; 27001 / 27017 / 27018; Self-Assessment; US Privacy Shield
Government: DoD DISA SRG IL2; Moderate – Agency ATO; VPAT – Section 508; G-Cloud 11 – UK; Model Clauses – EU
Industry: HIPAA; PCI DSS Level 1; FISC – Japan; IG Toolkit – UK
Regional: GDPR – EU; BSI C5 – Germany; TISAX – Germany; PIPEDA – Canada; Cyber Essentials Plus – UK; My Number – Japan; Cloud Security Principles – UK
Conduct Core-to-Edge Verifications
To identify any security gaps and requirements for protection

[Diagram: threat directions (Top-Down Threats, Internal Threats, External Threats, Bottom-Up Threats) mapped against the protection layers below.]
• Isolated Network Virtualization
• Access Credentials
• Encryption
• Data Access Integrity
• Application Protection
• Traffic Steering
• Volumetric Attack Protection
• Root of Trust


Understanding the Key Architecture Concepts of OCI
In the context of cloud security

▪ Security-first approach: innovative security in the cloud
▪ Enabling compliance
▪ Built using the least-trust approach
▪ Hardware-powered security isolation and network virtualization
▪ OCI’s security direction is about:
  • Security automation
  • Seamless integration with on-premises security solutions
  • Making security truly easy to use


A Tale of Two Clouds
Difference between the cloud generations

[Diagram comparing the two generations. 1st Generation Clouds (most prevalent today): VMs/guest OSs run on a hypervisor (optionally in containers) on a host OS/kernel that also performs network virtualization, so server virtualization and network virtualization share the same host, and traffic to and from other tenants passes through it. 2nd Generation Cloud (Oracle Cloud Infrastructure): isolated network virtualization sits outside the host OS/kernel and hypervisor, separating the network and the tenant environment from the host and from traffic to and from other tenants.]


Isolation: Threat Containment and Reduced Risk
Continuous evolution

[Diagram repeating the 1st Generation Cloud and Oracle 2nd Generation Cloud stacks (VM/guest OS, optional container, hypervisor, server virtualization, network virtualization, host OS/kernel) across several hosts; in the Oracle 2nd Generation Cloud, isolated network virtualization security prevents lateral movement between hosts and tenants.]


Oracle Cloud Infrastructure
Security architecture

[Diagram: Manageability and Security span the Compute, Networking, and Storage service tiers.]
Compute: Bare metal servers; Bare metal + GPUs; Virtual machines; Virtual machines + GPUs; Containers
Networking: Virtual cloud networks; Load balancers; DNS; FastConnect; VPN
Storage: Local NVMe; Block; Object / Archive; File; Backup and transfer


OCI Security Portfolio
Of, on, and cross-cloud

OF THE CLOUD: Secure the cloud platform
ON THE CLOUD: Secure identity, apps, and data on the cloud platform
CROSS-CLOUD: Protections and monitoring between clouds and premises


Oracle Security Layered Cyber Defenses

• Integrated security and services
• Cloud and on-premises

[Diagram: concentric layers Users, Applications, Data, Infrastructure, surrounded by Compliance, Data Security, Application Security and Resilience, Identity and Access Management, and Visibility and Monitoring.]
Leveraging the Advanced Controls for Cloud
Defense in depth and breadth

[Diagram: an OCI Region with a Virtual Cloud Network spanning AD1, AD2, and AD3, reached through an Internet Gateway (IGW), IPSec VPN, or FastConnect with IPSec option; controls shown around it are OCI IAM, CASB, Authoritative DNS with Internet Intelligence, subnet-level virtual firewalls, WAF with automated, proactive threat detection, and DDoS protection.]

▪ vFirewalls – access control in/out
▪ Distributed Denial of Service (DDoS) – network layer attack protection
▪ Web Application Firewall (WAF) – application layer attack protection
▪ Cloud Access Security Broker (CASB) – visibility, compliance, control drift alerting
▪ Virtual Private Network (VPN) – protection/encryption in transit over Internet & private links
▪ Domain Name Service (DNS) – managed DNS from Oracle for OCI customers
▪ Identity & Access Management (IAM) – control who can access and manage OCI resources


Plan & Design
Cloud Security, Identity, and User Management

Major Activities
‒ Develop the security strategy and incorporate it into the project plan.
‒ Plan the protection of sensitive data (apply data protection policies, encrypt sensitive data, set limitations on how data is shared, and so on).
‒ Note all the service entitlement considerations (application security, break glass, TDE, GDPR, SSO, VPN, data residency, and so on).
‒ Conduct a CRUD analysis for the SaaS Applications Security Matrix.
‒ Identify the PaaS components to be provisioned and the security to be configured for specific roles, group assignments, management, and password policies.
‒ Design the enhanced deployment topology based on Oracle’s Gen2 cloud services security model (Lift and Shift, Move and Improve, Replace with SaaS).
‒ Design the deployment and integration architecture and identify additional cloud resources needed.
‒ Plan the security and access rules for users and data.
‒ Plan the deployment and configuration of the PaaS services identified as necessary.
‒ Consider the security best practices for OCI (IaaS) adoption: Isolation, Network, Encryption, and Access.
7 Pillars of a Trusted Enterprise Cloud Platform
Discuss with the customer their information security policies and requirements

1 Customer Isolation – Full isolation from other tenants and Oracle’s staff, and between a tenant’s workloads
2 Data Encryption – Meet compliance requirements regarding data encryption, cryptographic algorithms, and key management.
3 Security Controls – Effective and easy-to-use security management to constrain access and segregate operational responsibilities | Secure application delivery
4 Visibility – Provide log data and security analytics for auditing and monitoring actions on customer assets.
5 Secure Hybrid Cloud – Enable customers to use their existing security assets | Integrate with on-premise security solutions | Support for third-party security solutions
6 High Availability – Fault-independent data centers that enable high-availability scale-out architectures and are resilient against attacks
7 Verifiably Secure Infrastructure – Transparency about processes and internal security controls | Third-party audits and certifications | Customer pen-testing and vulnerability scanning | Jointly demonstrated compliance


Oracle Cloud Infrastructure Security Capabilities
Map the security requirements to the OCI services and products to be part of the scope

1 Customer Isolation – Bare metal instance, VM instance, VCN, IAM, compartments
2 Data Encryption – Default encryption for storage, vault, DB encryption
3 Security Controls – User authentication and authorization, instance principals, network security control, web access firewall
4 Visibility – Audit logs, CASB-based monitoring and enforcement
5 Secure Hybrid Cloud – Identity federation, third-party security solutions, IPSec VPN, FastConnect
6 High Availability – Fault-independent data centers, fault domains, SLA
7 Verifiably Secure Infrastructure – Security operations, compliance certification and attestation, customer penetration and vulnerability testing


1. Customer Isolation
Use Case: Tenant- and resource-level isolation

Use case 1: The customer wants to isolate cloud resources from other tenants, Oracle staff, and external threat actors, to meet their security and compliance requirements.
Use case 2: The customer wants to isolate different departments from each other, so visibility and access to resources can be compartmentalized.

[Diagram: isolation layers – Compute, Network, Data, Back-end Infrastructure, Identity and Access Management.]


2. Data Encryption
Data encryption at rest and in transit

• Oracle-managed OR customer-managed keys (KMS)

[Diagram: two regions (REGION 1, REGION 2), each with AD1, AD2, and AD3, with secure traffic between them.]

All data is encrypted at rest.


Vault
Leverage Vault for projects with highly regulated security requirements

Oracle Key Management provides you with:
▪ Highly available, durable, and secure key storage. Encrypt your data using keys that you control.
▪ Centralized key management capabilities (create/delete, disable/enable, rotate)
▪ IAM policies for users/groups and OCI resources
▪ Key lifecycle management
▪ FIPS 140-2 Security Level 3 certification.


3. Security Controls
Identity and Access Management (IAM) and Web Application Firewall (WAF)

IAM
• The Identity and Access Management (IAM) service enables you to control what type of access a group of users has, and to which specific resources.
• Each OCI resource has a unique, Oracle-assigned identifier called an Oracle Cloud ID (OCID).
• IAM uses traditional identity concepts such as principals, users, groups, policies, compartments, and tenants.

WAF
▪ Enterprise-grade, cloud-based, globally deployed security solution designed to protect business-critical web applications from malicious cyber-attacks
▪ Web application security for OCI workloads and more: simultaneously protects web applications located on OCI, on-premises, and/or within multi-cloud environments


Identity and Access Management
Leverage the security controls provided by IAM

• Define administrators, users, groups, services
• Authorization levels
• Enforce privilege levels
• Control across all OCI services and resources
• Federations with other identity providers
• Audit all activity levels
• Telemetry services for visibility and analysis

[Diagram: the OCI Console or the customer’s console of choice obtains authenticated access through the OCI API and ID & Access Management into the OCI Service Enclave (virtual machines and containers, object storage, block storage, database systems, file sharing), with Telemetry feeding audit and analysis.]


Web Application Firewall (WAF)
How it works

• Restricts or controls access to critical web applications, data, and services
• Identifies whether requests are from a human or a machine
• Controls or blocks non-human suspicious requests
• Hides the origin server
• Inspects traffic as it tries to access the server or as it leaves the server

[Diagram: the WAF sitting in front of customer applications on Oracle Cloud Infrastructure.]
Oracle Cloud–Based WAF: Protecting Data Wherever It Resides
Layered approach to protect web applications against cyber attacks.

[Diagram: traffic from good visitors, good bots, bad bots, hackers, and spammers passes through the WAF before reaching cloud-based data, OCI cloud-based data, and an on-premises database, with the WAF filtering out the malicious sources.]


WAF Use Cases
Stopping attacks at the edge

• Cyber-attack Protection – Over 250 rule sets to protect against cyber-attacks
• System Integration – Machine-to-machine integration with existing back-end systems
• Access Control – Restrict access to critical web apps, data, and services
• Bot Management – Let necessary good bots in and keep bad bots out
• Multi-cloud Support – WAF for OCI, on-premises, and other vendor cloud workloads
4. Visibility
Cloud Access Security Broker

Oracle CASB Cloud Service
Access Management | Data Loss Prevention | Compliance | Visibility

[Diagram: CASB coverage across the Cloud Infrastructure service categories – Compute; Storage & Database; Network & Content Delivery; Security, Identity & Compliance.]


CASB Cloud Service for OCI
Easily configurable to oversee all the security aspects of OCI services

• Policy Alerts
  ▪ Alerting and notifications on policy changes to resources
• Security Controls
  ▪ Detection of insecure settings of OCI resources
• Threat Detection
  ▪ Detection of user risks and threats using ML analytics
• Key Security Indicator Reports
  ▪ Report generation for key security indicators
• Exporting Data and Threat Remediation
  ▪ Enterprise integrations with SIEM or ITSM systems
5. Secure Hybrid Cloud
Hybrid support

[Diagram: Oracle Cloud Infrastructure connected to AD and application servers on premises, with Identity Cloud Service managing credentials for cloud and data centers, Authoritative DNS with Internet Intelligence applied cross-cloud, WAF policies that can be unique per domain, per app, and per cloud, and common telemetry across both.]


Reviewing the Customer’s Existing Security Assets
Before activating any services

• Identity Federation: SAML 2.0 federation via IDCS with Microsoft Active Directory Federation Services (ADFS) or any SAML 2.0-compliant identity provider
• Third-party security tools: Oracle collaborates with various third-party security vendors to make their solutions accessible on Oracle Cloud Infrastructure, enabling customers to use their existing security tools when securing data and applications in the cloud.


6. High Availability
Availability Domains (ADs): Multiple fault-decorrelated independent data centers

To design a high availability architecture, three key elements should be considered:
• Redundancy: Multiple components can perform the same task, to overcome the single point of failure of a component.
• Monitoring: Checks whether or not a component is working properly.
• Failover: The process by which a secondary component becomes primary when a primary component fails.


7. Verifiably Secure Infrastructure
Customer Penetration and Vulnerability Testing

• Customers can perform penetration and vulnerability testing on customer components such as VMs.
• Customers can schedule penetration and vulnerability testing via the My Services dashboard.

See: penetration and vulnerability testing (Oracle documentation)
Security Best Practices
Oracle Cloud Infrastructure

• Secure your Oracle Cloud Infrastructure security credentials (don’t hard-code them in public files).
• Use key-based SSH only. Don’t use passwords for SSH access.
• Use IAM users/groups and compartments for least-privilege access to resources.
• Use VCN security lists to limit instance network access to authorized IPs only.
• Use VCN public and private subnets to isolate internal hosts (DB) from public-facing entities (web servers, load balancers, and so on).
• Don’t make object store buckets public, unless necessary.
• Use multiple-AD deployment and load balancers for high availability of applications.
• Leverage bare metal instances for enhanced security of roots of trust (keys, secrets, and so on).
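Two of the practices above, least-privilege IAM policies and security lists restricted to authorized sources, can be checked mechanically before a tenancy goes live. The following Python is an added example, not Oracle code and not part of this guide: it audits constructed IAM policy statements written in the documented OCI form "Allow group <group> to <verb> <resource-type> in <tenancy|compartment <name>>" and constructed VCN security-list ingress rules, flagging tenancy-wide "manage all-resources" grants to groups other than an assumed Administrators group and ingress rules that admit 0.0.0.0/0 to anything beyond an assumed allow-list of public ports. The group names, CIDRs, ports and the IngressRule shape are assumptions; it also illustrates the IAM concepts (groups, policies, compartments, tenancy) introduced under Security Controls.

```python
"""Constructed least-privilege and exposure audit for OCI-style configuration.

Added example, not Oracle code. The policy grammar follows the documented OCI
form "Allow group <group> to <verb> <resource-type> in <tenancy|compartment <name>>";
the security-list rule shape, group names, CIDRs and port allow-list are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

POLICY_RE = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)",
    re.IGNORECASE,
)

# Assumption: only this group is expected to hold tenancy-wide "manage" rights.
ADMIN_GROUPS = {"Administrators"}

# Assumption: the only ports this deployment intentionally exposes to the internet.
PUBLIC_OK_PORTS = {80, 443}


def audit_policy(statement: str) -> list[str]:
    """Return findings for one IAM policy statement; an empty list means no concern."""
    m = POLICY_RE.match(statement.strip())
    if not m:
        return [f"unparseable statement: {statement!r}"]
    group, verb, resource = m["group"], m["verb"].lower(), m["resource"].lower()
    tenancy_wide = m["scope"].lower() == "tenancy"
    findings: list[str] = []
    if verb == "manage" and resource == "all-resources" and group not in ADMIN_GROUPS:
        findings.append(f"{group}: 'manage all-resources' granted to a non-admin group")
    if tenancy_wide and verb in ("use", "manage") and group not in ADMIN_GROUPS:
        findings.append(f"{group}: '{verb}' scoped to the whole tenancy; prefer a compartment")
    return findings


@dataclass
class IngressRule:
    """One ingress rule of a VCN security list (constructed shape for the example)."""
    source: str                  # CIDR the rule admits
    protocol: str                # "tcp", "udp" or "all"
    port_min: int | None = None  # None means every port
    port_max: int | None = None


def audit_ingress(rule: IngressRule) -> list[str]:
    """Flag rules that admit the whole internet to anything but the public ports."""
    net = ipaddress.ip_network(rule.source, strict=False)
    if net.prefixlen != 0:  # a scoped source (not 0.0.0.0/0 or ::/0) is accepted as-is
        return []
    if rule.protocol.lower() == "all" or rule.port_min is None:
        return [f"{rule.source}: every port and protocol open to the internet"]
    last = rule.port_max if rule.port_max is not None else rule.port_min
    exposed = sorted(set(range(rule.port_min, last + 1)) - PUBLIC_OK_PORTS)
    if exposed:
        return [f"{rule.source}: internet-exposed port(s) {exposed[:5]}"]
    return []


def audit(statements: list[str], rules: list[IngressRule]) -> list[str]:
    """Run both checks and return every finding."""
    out: list[str] = []
    for s in statements:
        out.extend(audit_policy(s))
    for r in rules:
        out.extend(audit_ingress(r))
    return out


# Constructed sample input for the example.
SAMPLE_STATEMENTS = [
    "Allow group Administrators to manage all-resources in tenancy",
    "Allow group DevTeam to manage all-resources in tenancy",
    "Allow group DBAdmins to manage database-family in compartment Finance",
    "Allow group Auditors to inspect all-resources in tenancy",
]
SAMPLE_RULES = [
    IngressRule("0.0.0.0/0", "tcp", 443, 443),
    IngressRule("0.0.0.0/0", "tcp", 22, 22),
    IngressRule("10.0.0.0/16", "tcp", 1521, 1521),
    IngressRule("0.0.0.0/0", "all"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_STATEMENTS, SAMPLE_RULES):
        print("FINDING:", finding)
```

Run as a script it prints four findings: the DevTeam grant twice (wrong verb/resource and wrong scope), SSH open to the internet, and the all-protocol rule. The two DBAdmins and Auditors statements pass because they are either compartment-scoped or read-only.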


Part 2 – Cloud Security, Identity & User Management


Oracle Security Services Portfolio
Leverage the services portfolio to meet customer requirements

▪ Uses ML / AI to automate and simplify security
▪ Protects sensitive data throughout its life cycle
▪ Detects anomalous behavior, improves attack resilience
▪ Reduces identity risk with adaptive authentication
▪ Enables a layered security strategy

[Diagram: portfolio services – Database Security, Identity Cloud Service, CASB Cloud Service, Web Application Firewall, OCI Security.]


Oracle Identity Cloud Service

[Diagram: Identity Cloud Service capabilities – Cloud Directory, Identity Lifecycle Management, API Security, MFA, Single Sign On, Adaptive Authentication.]


Oracle Identity Cloud Services
Enable access by anyone, from anywhere, on any device

[Diagram: Identity Cloud Service sits between the Enterprise (employees, partners, consumers) and the Cloud (SaaS, PaaS, IaaS), providing single sign-on, self service, cloud directory, MFA, and directory synchronization.]


SSO and Authorization
Identify the SSO prerequisites and requirements with the customer

With Oracle Identity Cloud Service, you can implement federated SSO with other solutions. With this integration, your on-premises users, partners, and cloud users can access on-premises and cloud applications with a single login from anywhere, at any time:
▪ SAML SSO: Implement federated SSO with SAML Identity Providers located on your premises or on your partners’ premises.
▪ OpenID Connect SSO: Configure OpenID Connect and OAuth 2.0-based SSO with trusted cloud providers.
▪ Social Account SSO: Use federated SSO and social identity providers to link social accounts with user accounts in Oracle Identity Cloud Service.

Oracle Identity Cloud Service supports its native authentication in parallel with federated SSO. You can take advantage of this feature to implement heterogeneous authentication for each type of user.

[Diagram: the IDCS Portal, reached by web browser and mobile login, fronting SaaS apps, Oracle apps, enterprise apps, and on-premises web apps.]


Single Sign-On (SSO)
Key use cases

Enable employees, customers, and partners to access their applications seamlessly by using a single authentication.

• Support for standards: SAML, WS-Fed, OpenID Connect
• Password-less: Eliminate the use of passwords using Oracle Mobile Authenticator or a magic link.
• Use Adaptive MFA policies to enforce authentication options and control access to apps.
• Enforce session controls on users based on context and apps.
• Use authorization policies for fine-grained access control on APIs and web resources.
• Migrate from legacy WAM solutions and simplify and modernize security.
• Get real-time visibility through operational reports and SIEM integration.


Use Case 1: Identity Provisioning
Provisioning gateway through IDCS

[Diagram: behind the firewall, the Provisioning Gateway connects Identity Cloud Service to on-premises directories (OID, OUD, LDAP), policies, custom apps, and enterprise apps (Apps Unlimited, SAP, and others); Identity Cloud Service also provisions to SaaS apps and custom apps in the cloud.]


Use Case 2: Adaptive Authentication
Adding more layers of security through IDCS

Add an additional layer of security by learning from the user’s behavior, context, and external threat feeds.

[Diagram: signals flow through an Ingestion Engine into Risk Score Calculation and then into Authentication and Authorization Policies, which decide Allow, Deny, Re-authenticate, or MFA]
• Device: type, managed?, trusted?, jailbroken?, custom attributes
• Network: SIEM, IP reputation
• Location: country/city, velocity of access
• User actions: UEBA
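The ingestion, risk-score and policy stages on this slide, worked through as an added example (not IDCS code): the signal weights, the decision thresholds and the IP-reputation feed labels are constructed assumptions.

```python
"""Adaptive authentication flow from the slide: device, network, location and
user-behaviour signals are ingested, combined into a risk score, and a policy
maps the score to Allow, MFA, Re-authenticate or Deny. Added example, not
IDCS code: every weight, threshold and feed label is a constructed assumption."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class LoginContext:
    device_managed: bool
    device_trusted: bool
    device_jailbroken: bool
    ip_reputation: str          # constructed feed labels: "clean", "suspicious", "malicious"
    country: str
    usual_countries: Tuple[str, ...]
    km_from_last_login: float   # distance from the previous login location
    hours_since_last_login: float
    ueba_anomaly: float         # 0.0 = on the user's baseline, 1.0 = highly anomalous

IP_REPUTATION_WEIGHT = {"clean": 0, "suspicious": 25, "malicious": 60}
IMPOSSIBLE_TRAVEL_KMH = 1000.0  # implied speed faster than a commercial flight

def risk_score(ctx: LoginContext) -> Tuple[int, List[str]]:
    """Risk score calculation: weighted signals summed and clamped to 0..100,
    with the contributing reasons kept for the operational report."""
    score, reasons = 0, []
    # Device signals
    if ctx.device_jailbroken:
        score += 40
        reasons.append("jailbroken device")
    if not ctx.device_managed:
        score += 10
        reasons.append("unmanaged device")
    if not ctx.device_trusted:
        score += 10
        reasons.append("untrusted device")
    # Network signal: IP reputation feed
    if IP_REPUTATION_WEIGHT[ctx.ip_reputation]:
        score += IP_REPUTATION_WEIGHT[ctx.ip_reputation]
        reasons.append(f"ip reputation {ctx.ip_reputation}")
    # Location signals: unusual country and velocity of access
    if ctx.country not in ctx.usual_countries:
        score += 20
        reasons.append(f"login from {ctx.country}")
    if ctx.hours_since_last_login > 0 and \
            ctx.km_from_last_login / ctx.hours_since_last_login > IMPOSSIBLE_TRAVEL_KMH:
        score += 35
        reasons.append("impossible travel")
    # User-behaviour signal (UEBA)
    if ctx.ueba_anomaly > 0:
        score += int(round(30 * ctx.ueba_anomaly))
        reasons.append("behaviour anomaly")
    return min(score, 100), reasons

def policy_decision(score: int) -> str:
    """Authentication policy: the step thresholds are constructed for illustration."""
    if score >= 80:
        return "Deny"
    if score >= 50:
        return "Re-authenticate"
    if score >= 25:
        return "MFA"
    return "Allow"

def evaluate(ctx: LoginContext) -> Tuple[str, int, List[str]]:
    """Decision for one login attempt: (outcome, score, reasons)."""
    score, reasons = risk_score(ctx)
    return policy_decision(score), score, reasons
```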


Use Case 3: Enabling Multi-Cloud and Hybrid Deployments through IDCS

• Enable hybrid deployment with on-premises Active Directory.
• Integrate with any external IDP and social identity providers via IDCS as Federation Hub.
• Manage B2B, B2C, and B2E relationships via local, delegated, and federated authentication.

[Diagram: IDCS provides local authentication and acts as federated hub for Fusion Apps (ERP, HCM, Supply Chain, Service, Sales, Marketing); the customer's AD Identity Bridge connects through the firewall to Active Directory, while external federated IDPs, social IDPs, and Active Directory Federation Service federate into IDCS]

Use Case 4: Enhancing Developer Productivity

• Single pane of glass for users and roles across SaaS and extended apps.
• Security platform for API security.
• Support for open standards like OAuth and OpenID Connect, JWT tokens.

Strong Security
• API Security
• OAuth Policies
• Consent Management
• Token Management
• Token Policy
• Authorization Policies
• Session Management
• Custom Claims
• Identity Propagation

[Diagram: APIs, mobility, Java, OIC, analytics, bots, other devices, and partner apps reach Fusion Apps (Supply Chain, Service, ERP, HCM, Sales, Marketing) through Oracle API Gateway, with IDCS managing users, roles, resources, and API access]

PaaS Security

PaaS Identity Management features common to all services:

Cloud Account Management: It comes bundled with the Identity Cloud Service with universal credits for security and user management.
The following types of users can be created depending on the security design:
• Cloud Account Administrator
• Service Administrator
• Business Administrator
• Identity Domain Administrator
• Non-Administrator

PaaS Security Features
• Group Management
• Assignment of Groups
• Password Management
• Federation between OCI IAM Software with IDCS


Security Capabilities Per Key PaaS Service
Manage configurations

The following PaaS Services also have capabilities that can be configured as per the security needs:

➢ Data Management
• Exadata Cloud Service
• Autonomous Transaction Processing
• Autonomous Data Warehouse

➢ Application Development
• Java Cloud Services
• Autonomous Mobile Cloud Service (AMC)
• Oracle Visual Cloud Builder

➢ Security
• Oracle CASB Cloud Service

➢ Business Analytics
• Big Data Cloud Service
• Big Data Discovery Cloud Service

➢ Content and Experience
• Oracle WebCenter Portal Cloud Service
• Oracle Content and Experience Cloud

➢ Integration
• API Platform Cloud Service

Detailed steps for these configurations can be found at https://docs.oracle.com


Making a Secure Transition to the Cloud with Oracle CASB Cloud Service
Key challenges

[Diagram: multi-cloud (IaaS, PaaS, and SaaS) and on-premises estates connected to Oracle Cloud Infrastructure through a Dynamic Routing Gateway, under a shared responsibility model in which the customer owns its share of the responsibility]

Key operational challenges: lack of visibility, poor compliance, inconsistent policies, and a wide threat surface.

Providing Visibility Across Applications
Leverage CASB

[Diagram: CASB monitoring Oracle Cloud HCM and Oracle Platform Services]

Benefits for LOB
▪ Identification of fraud
▪ Simplified compliance
▪ Data security

Benefits for InfoSec
▪ Single pane of glass to monitor
▪ Correlation of security events


CASB for Securing Oracle SaaS
Top use cases

Oracle SaaS (* Early Access)

Privileged Identities (securable users)
• HCM admin roles
• ERP admin roles
• Config. changes

Privileged Actions
• Configuration/role changes
• PII/Payment information changes
• Transactional object changes

Sensitive Data Protection
• HCM employee data
• ERP data (bank, payables, procurement, etc.)
• Monitor sensitive transactions

Visibility
• Role/privilege/membership
• Business object monitoring
• Usage monitoring
• Users/groups
• Changes to objects

Compliance
• PII reports
• Role and privilege changes reports (Payroll manager, HCM admin, etc.)
• Historic audit reports

Threat Protection
• Anomalous activities using ML
• Changes to business objects
• UEBA: user risk scores
• Risky usage patterns
• Brute force attacks
• Suspicious access and logins

Use Case 1: User Access Behavior Monitoring
Leveraging CASB

[Diagram: an HR Business Partner logs in from a corporate location and then from a foreign location; Oracle CASB Cloud Service gets the events, flags the anomalous user activity, and generates notifications to InfoSec]


Use Case 2: Role Monitoring
Leveraging CASB

[Diagram: an HR Business Partner changes an AP Specialist role to AP Manager; the role change propagates, and Oracle CASB Cloud Service reports it to the Auditor/InfoSec]

Use Case 3: Behavioral Analytics and Machine Learning
Leveraging CASB

[Diagram: normal/baseline = 5 salary changes per day; abnormal = 10 salary changes per day by an HR Business Partner; Oracle CASB Cloud Service alerts InfoSec]


Use Case 4: Business Object Monitoring
Leveraging CASB

[Diagram: an ERP user changes bank information (routing, account, or check information) in Financial Cloud or Procurement Cloud; Oracle CASB Cloud Service reports the change to the Auditor/InfoSec]

Supported Business Objects
• Bank account and child objects
• External bank account and child objects
• Supplier and child objects

Multi-Layer Secure Cloud
Designed to be secure at every layer

[Diagram: SaaS, PaaS, and IaaS layers]

Secure Features and Benefits
• Role-based access
• Global access controls
• Backup and redundancy in global data center regions
• Hosting of data by region
• 24x7 Oracle security experts
• Data center man traps, biometric IDs, etc.


Global Access Controls
One common strategy for better control

Unified access controls across your business

• Centralized control to keep your data safe no matter where it is
• Integrated identity management with federated single sign-on
• RBAC saves time and reduces risk with consistent mapping rules for each job function and auto provisioning.
• VPN access across enterprise cloud services to quickly and securely connect to cloud applications.
• Multiple secure access options across enterprise cloud services to quickly and securely connect to cloud applications.

[Diagram: Centralized Identity Management spanning ERP, SCM, HCM, CX, and 3rd-party applications]


Advanced Data Security
Additional security options, powered by Oracle’s security products

• Transparent Data Encryption (TDE) prevents unauthorized use of sensitive data by encrypting it “at rest”: data files, temporary files, and backups are secured with a separate set of keys for each customer, controlled through Oracle Wallet.
• Data Vault enforces strong control and segregation, with additional controls over data and administrator access, to prevent unauthorized use, viewing, changing, or sharing of application data.
• Data Masking protects Personally Identifiable Information (PII) or other sensitive company data, making it safe to share or use when staging new feature uptake and testing updates and patches in cloned or non-production databases.
• Advanced Security protects data in motion with network encryption.

IP Whitelisting and Oracle Break Glass

IP Whitelisting: This is the process of creating lists of IP addresses (or ranges) from which Internet traffic is allowed to pass through a firewall. With this setup, all IPs are denied access except those included in the whitelist.

Break Glass: This enables customers to place custom restrictions on Oracle personnel accessing their cloud environment, with predefined and approved access control windows. It enables customers to view audit reports showing when administrative access was used.

Recommended for customers in highly regulated industries.

Reference: http://www.ateam-oracle.com/fusion-cloud-ip-whitelisting/


Oracle Applications and GDPR
“Controller” and “processor” are key roles under GDPR.

• Oracle is a “processor” when it provides cloud services to its customers (and hosts personal data on behalf of its customers).
• Customers are the “data controllers” with regard to the personal data they entrust to Oracle.
• Oracle is a technology provider when it provides solutions (products and services) to help customers comply with GDPR.

Key GDPR Requirements:
✓ Data Security
✓ Extended Rights of Individuals
✓ Documentation and Security Audits
✓ Data Breach Notification

Refer to the following link for details: www.oracle.com/applications/gdpr

Managing SaaS Through the Security Console
Managing security through the IT Security role in Fusion Applications

Roles
• Create roles.
• Edit custom roles.
• Copy roles.
• Compare roles.
• Visualize role hierarchies and assignments to users.
• Review Navigator menus available to roles or users, identifying roles that grant access to Navigator items and privileges required for that access.

Users
• Create user accounts.
• Review, edit, lock, or delete existing user accounts.
• Assign roles to user accounts.
• Reset users' passwords.

Certificates
• Generate, export, or import PGP or X.509 certificates, which establish encryption keys for data exchanged between Oracle Cloud applications and other applications.
• Generate signing requests for X.509 certificates.

Administration
• Establish rules for the generation of usernames.
• Set password policies.
• Create standards for role definition, copying, and visualization.
• Review the status of role-copy operations.
• Define templates for notifications of user-account events such as password expiration.

Analytics
• Review statistics concerning role categories, the roles belonging to each category, and the components of each role.
• View the data security policies, roles, and users associated with each database resource.

Role-Based Access Control

In an RBAC model, users are assigned roles, and roles are assigned access privileges to protected resources.

[Diagram: USERS are mapped to ROLES by role provisioning rules, and ROLES are mapped to PRIVILEGES by security policies]


Role-Based Access Control

When roles are loaded in a session repository, the user is granted the most permissive level of access.

[Diagram: authentication → user session established → roles loaded in session repository → all privileges → user access]


Types of Roles

• Job roles: Job functions in your organization (Sales Manager, Service Representative, HR Manager, and so on)
• Abstract roles: Users’ functions in the enterprise, independent of job (Employee, Resource)
• Data roles: Set of data that users with the role can access when performing the function
• Duty roles: A logical grouping of privileges and security policies specific to a duty a user can perform as part of their job (Sales Lead Follow Up, Service Availability Management, Service Request Troubleshooter, Opportunity Partner Administration)


Standard Roles
Review the standard roles

All modules are delivered with predefined roles based on best industry practices and a logical organizational hierarchy (ORA_).

[Diagram: example hierarchy with Sales VP at the top, Sales Manager and Customer Service Manager beneath, and Salesperson, Sales Administrator, Knowledge Analyst, Customer Service Representative, and Customer Data Steward at the lowest level]


Role Hierarchy and Inheritance

Each role is a hierarchy of other roles and duties that are linked to each other in a parent-child relationship.

[Diagram: three levels of inheritance]
Job Role: Sales Representative, Sales Manager
  inherits Duty Role: Sales Party Management, Opportunity Sales Manager
    which inherits Duty Role: Sales Party Review, Manage Opportunity Competitors, Mass Update Opportunity


Duty Role Components

A duty role is composed of other duty roles, functional security privileges, and data security policies.

Functional privileges: Access to different user interface elements, Web services, task flows, and other functions, for example:
• Create Opportunity
• Delete Opportunity
• Convert Lead
• Update Sales Organization

Data security privileges: Specify the roles that can perform a specified action on an object, and the conditions under which the action can be carried out.

The exact combination of object, role, actions (functional privileges), and condition determines the subset of records of the specified object on which the user can perform the specified actions when the user meets the condition.


Application Role Security Customization: Recommended Approach

Collect security requirements
• Organize your security requirement.
• Limit the number of a user’s job roles.
• Use a single job role across multiple groups of users through resource role mapping.
• Stay as close to OOTB as possible.
• Review Security Reference Spreadsheets (Doc ID 1677508.1).

Analyze against OOTB to identify gaps
• Identify Data Security Policies (DSP) and Functional Security Policies (FSP) that need to be changed.
• Determine which application roles need to be modified, from the identified DSP and FSP.
• Leverage common scope of visibilities to implement your customization.

Build a customizable role structure
• Use a custom job role and inherit OOTB or OOTB-copied roles.
• Keep in mind that it is easier to expand than to remove privileges.
• Build customizable roles using the copy functionality.
• Stay as close to OOTB as possible to make it easier to uptake new functionality on update.

Implement the customization
• Document your changes (MOS Doc ID 1607087.1).
• Test/debug the customization for functionality and performance, throughout the cycle, with test users that have the customized roles.

Security Requirement Clearly Defined in a CRUD Matrix
Define application (example: Engagement Cloud)

User's Role (key job roles)   Scope of visibility   Account        Contact        Opportunity    Activity
                                                    Create  Priv.  Create  Priv.  Create  Priv.  Create  Priv.
Sales Administrator           All                   Y       RUD    Y       RUD    Y       RUD    Y       RUD
Finance                       Territories           Y       RU     Y       RU     N       R      Y       R
Sales Management              Owner                 Y       RU     Y       RU     Y       RUD    Y       RUD
                              Territories                   R              RU             RU             RU
                              Team                          RU             RU             RU             RU
                              Subordinates                  R              RU             RU             RU
Sales Representative          Owner                 Y       RU     Y       RU     Y       RUD    Y       RUD
                              Territories                   RU             RU             RU             RU
                              Team                          RU             RU             RU             RU

C = Create, R = Read, U = Update, D = Delete

Recommendation: From the defined CRUD matrix, map the application security requirement to the closest “out-of-the-box” job role.
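The role hierarchy, data security policies and CRUD matrix from the preceding slides, worked through as an added example (not Fusion's own role definitions): which duty roles each job role inherits, the policy rows and the sample users are constructed assumptions.

```python
"""RBAC evaluation in the style of the model on these slides: job roles inherit
duty roles, and data security policies bind (object, role, actions, condition)
so a privilege applies only to records within the user's scope of visibility.
Added example: hierarchy pairing, policy rows and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

# Constructed hierarchy: parent role -> child roles it inherits.
ROLE_HIERARCHY: Dict[str, List[str]] = {
    "Sales Manager": ["Sales Representative", "Opportunity Sales Manager"],
    "Sales Representative": ["Sales Party Management"],
    "Sales Party Management": ["Sales Party Review"],
    "Opportunity Sales Manager": ["Manage Opportunity Competitors", "Mass Update Opportunity"],
}

@dataclass(frozen=True)
class User:
    name: str
    job_role: str
    territory: str
    team: FrozenSet[str]        # names of the user's team members

@dataclass(frozen=True)
class Record:
    obj: str                    # business object: "Account", "Opportunity", ...
    owner: str
    territory: str

@dataclass(frozen=True)
class DataSecurityPolicy:
    role: str
    obj: str
    actions: FrozenSet[str]     # subset of C, R, U, D
    condition: str              # scope of visibility, see CONDITIONS

# Scope-of-visibility conditions from the CRUD matrix as predicates on (user, record).
CONDITIONS: Dict[str, Callable[[User, Record], bool]] = {
    "All": lambda u, r: True,
    "Owner": lambda u, r: r.owner == u.name,
    "Territories": lambda u, r: r.territory == u.territory,
    "Team": lambda u, r: r.owner in u.team,
}

# Constructed policies attached to duty roles, mirroring the Sales Representative rows.
POLICIES = [
    DataSecurityPolicy("Sales Party Management", "Account", frozenset("CRU"), "Owner"),
    DataSecurityPolicy("Sales Party Review", "Account", frozenset("RU"), "Territories"),
    DataSecurityPolicy("Sales Party Review", "Account", frozenset("RU"), "Team"),
    DataSecurityPolicy("Opportunity Sales Manager", "Opportunity", frozenset("CRUD"), "Owner"),
    DataSecurityPolicy("Mass Update Opportunity", "Opportunity", frozenset("RU"), "Territories"),
]

def flatten_roles(role: str) -> Set[str]:
    """Every role held through the parent-child hierarchy, including the job role itself."""
    held = {role}
    for child in ROLE_HIERARCHY.get(role, []):
        held |= flatten_roles(child)
    return held

def effective_actions(user: User, record: Record) -> Set[str]:
    """Union of the actions from every policy whose role the user inherits and whose
    condition the record satisfies: the most permissive level of access applies."""
    held = flatten_roles(user.job_role)
    granted: Set[str] = set()
    for p in POLICIES:
        if p.role in held and p.obj == record.obj and CONDITIONS[p.condition](user, record):
            granted |= p.actions
    return granted
```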


Configure and Build Life Cycle: Cloud Security, Identity, and User Management

Major Activities

‒ Analyze and implement the Application Security Matrix through RBAC for SaaS applications.
‒ Deploy SaaS security through service entitlements (VPN, IP whitelisting, data masking on the test environment).
‒ Configure security for the PaaS components.
‒ Configure the assessment of security considerations (isolation, network, encryption, access) and policies.
‒ Configure the security of the PaaS components in scope on the DEV/TEST environment (Integration, Analytics, Apps Development, Data Management, Content and Experience).
‒ Configure access control (IDCS and OCI IAM).
‒ Review security compliance certification and attestation, and customer penetration and vulnerability testing requirements.


Validate and Test Life Cycle: Cloud Security, Identity, and User Management

Major Activities

‒ Test the configured Application Security Matrix.
‒ Test SaaS security through service entitlements (VPN, IP whitelisting, data masking on the test environment).
‒ Configure the security of the PaaS components in scope on the TEST environment (Integration, Analytics, Apps Development, Data Management, Content and Experience) with the specific roles identified and the assigned groups.
‒ Test the security considerations (isolation, network, encryption, access) and policies.
‒ Align with customers on security compliance certification and attestation, and on customer penetration and vulnerability testing results.
‒ Configure and test WAF on the TEST environments.


Transition and Go Live Life Cycle: Cloud Security, Identity, and User Management

Major Activities

‒ Verify production and operational readiness of security.
‒ Configure the production Application Security Matrix through RBAC.
‒ Configure the security of the PaaS components in scope on PROD instances (Integration, Analytics, Apps Development, Data Management, Content and Experience).
‒ Configure access control (IDCS and OCI IAM) and WAF, if available.
‒ Enable SaaS security through service entitlements (VPN, IP whitelisting, SSO, Data Vault).
‒ Configure access control for production (IDCS and OCI IAM).
‒ Configure OCI security (isolation, network, encryption, access) and other policies.
‒ Configure data protection tools (CASB for the production instance).


Sustain and Realize Life Cycle: Implementation Approach – Cloud Integrations

Major Activities

‒ Review production security and identify any additional SaaS service entitlements not yet enabled (VPN, IP whitelisting, data masking, and so on).
‒ Monitor and audit user activities to conduct data integrity checks and maintain traceability and visibility into the infrastructure.
‒ Keep software up to date. This includes the latest product release and any patches that apply to it.
‒ Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.
‒ Monitor system activity. Establish who should access which system components, and how often, and monitor those components.
‒ Learn about and use the Oracle Cloud Infrastructure security features.
‒ Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. Install all security patches as soon as possible.


Monitor and Audit User Activities
Searchable via the console

• API calls are logged and made available to customers. This includes calls made via the Console, CLI, and SDKs.
• API for listing audit events: new events are available within 15 minutes, with 90 days of history by default, configurable up to 365 days (affects all regions and compartments).


Oracle OCI Security and Compliance Resources

OCI Security References
• Security technical white papers
• Oracle Cloud Infrastructure Security Guide
• OCI Security Architecture
• Security Best Practices Configurations
• Oracle Architecture Center
• OCI Security Overview detailed presentation

IDCS and FA – Identity Federation
• Understanding the Integration Architecture — Fusion Application with Platform Services
• Enable Federation with Fusion Apps as Identity Provider
• Enable Federation with Identity Cloud Service as Identity Provider
• Setting up users and roles synchronization between Fusion Apps and Identity Cloud Service

Key References for PaaS for SaaS Security
• Cloud Security: Seamless Federated SSO for PaaS and Fusion-based SaaS
• 3-legged OAuth flow to invoke Fusion Apps REST endpoints
• IDCS Integrations Series Part II: Integrating Fusion Application with IDCS


Conclusion
Cloud Security, Identity, and User Management

Now that you have completed this module, you should be able to:
• Explain why customers should care about cloud security
• Describe the shared security model and responsibilities
• Identify the 7 pillars of a Trusted Enterprise Cloud Platform
• Provide an overview of security and positioning of Oracle Cloud Services
• Describe the SaaS security patterns: protecting mission-critical business applications in the cloud
• Plan role-based access control in SaaS
• List the different types of security entitlements


Thank You
Oracle Cloud Project Management
Training
Oracle Partner Network
