ISACA Webcast follow up: Managing High Risk Access and Compliance with a Platform Approach to Privileged Account Management
- by Darin Pendergraft
Last week we presented how Oracle Privileged Account Manager (OPAM) can be used to manage high-risk, privileged accounts. If you missed the webcast, here is a link to the replay: ISACA replay archive (NOTE: you will need to use Internet Explorer to view the archive)
For those of you who did join us on the call, you will know that I only had a little time for Q&A and was only able to answer a few of the questions that came in. So I wanted to devote this blog to answering the outstanding questions. Here they are.
1. Can OPAM track admin or DBA activity details during a password check-out session?
OPAM itself records the check-out and check-in events. The activity performed during the session is monitored by Oracle Audit Vault, and those records can be correlated with the OPAM check-out events (by target, account and check-out window) to attribute what was done to the person who held the password.
2. How would OPAM handle simultaneous requests?
OPAM can be configured to allow shared passwords, i.e. more than one user holding the same account's password at the same time. By default sharing is turned off, so only one user can have a given password checked out at a time.
3. How long are the passwords valid? Are the admins required to manually check them in?
Password expiration is configured in the password policy according to your corporate standards. The policy also specifies whether check-in is forced or whether admins check the password in manually.
4. Can 2-factor authentication be used with OPAM?
Yes. Two-factor authentication for OPAM is provided through integration with Oracle Access Manager and Oracle Adaptive Access Manager.
5. How do you control access to OPAM to ensure that OPAM admins don't override the functionality to access privileged accounts?
OPAM provides separation of duties through Admin Roles, which govern access to targets and privileged accounts and determine which operations each administrator is allowed to perform.
6. How and where are the passwords stored in OPAM?
OPAM uses the Oracle Platform Security Services (OPSS) Credential Store Framework (CSF) to store passwords securely. This is the same credential store used by Oracle Applications.
7. Does OPAM support hierarchical/level based privileges? Is the log maintained for independent review/audit?
Yes. OPAM uses the Fusion Middleware (FMW) Audit Framework to store all OPAM-related events in a dedicated audit database, where they are available for independent review and audit.
8. Does OPAM support emergency access in the case where approvers are not available until later?
Yes. OPAM can be configured to release a password under a "break-glass" emergency scenario.
9. Does OPAM work with AIX?
Yes. Supported UNIX versions are listed in the "Certified Components" section of the UNIX connector guide at: http://docs.oracle.com/cd/E22999_01/doc.111/e17694/intro.htm#autoId0
10. Does OPAM integrate with Sun Identity Manager?
Yes. OPAM can be integrated with SIM using the REST APIs. OPAM has direct integration with Oracle Identity Manager 11gR2.
11. Is OPAM available today and what does it cost?
Yes. OPAM is available now. Ask your Oracle Account Manager for pricing.
12. Can OPAM be used in SAP environments?
Yes. Supported SAP versions are listed in the "Certified Components" section of the SAP connector guide here: http://docs.oracle.com/cd/E22999_01/doc.111/e25327/intro.htm#autoId0
13. How would this product integrate, if at all, with access to a particular field in the DB that needs additional security, such as SSNs?
OPAM manages the privileged account itself; for fine-grained access control inside the database, such as restricting access to specific columns, it works alongside Oracle Database Vault and Oracle Database Firewall.
14. Is VM supported?
As a deployment platform, Oracle VM is supported. For further details about supported virtualization technologies, see the Oracle Fusion Middleware Supported System Configurations here: http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
15. Where did this (OPAM) technology come from?
OPAM was built by Oracle Engineering.
16. Are all Linux flavors supported? How about BSD?
BSD is not supported. For supported UNIX and Linux versions, see the "Certified Components" section of the UNIX connector guide: http://docs.oracle.com/cd/E22999_01/doc.111/e17694/intro.htm#autoId0
17. What happens if users don't check passwords in at the end of a work task?
In OPAM you can define how long a password may remain checked out; when that time frame elapses the password is checked in. The security admin can also force a check-in at any time.
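To make the check-out rules in questions 2, 3, 5 and 17 concrete, here is an added, illustrative model of a vault's check-out state machine. It is not OPAM code and does not use OPAM's APIs or configuration; the account names, users, lease lengths and the "security admin" role are constructed for the example. It shows what "sharing off" means for a second simultaneous request, how a lease expiry acts as a forced time-based check-in, and why the force-check-in operation must be gated by an admin role.

```python
import datetime as dt
from dataclasses import dataclass, field


class CheckoutError(Exception):
    """Raised when a request violates the check-out policy."""


@dataclass
class AuditEvent:
    ts: dt.datetime
    actor: str
    action: str      # checkout, checkin, auto_checkin, forced_checkin, denied
    account: str


@dataclass
class PrivilegedAccount:
    name: str
    secret: str
    shared: bool = False                                # sharing off unless policy turns it on (Q2)
    max_checkout: dt.timedelta = dt.timedelta(hours=2)  # hypothetical lease length from the policy (Q3/Q17)
    holders: dict = field(default_factory=dict)         # user -> lease expiry


class Vault:
    """Toy model of a password vault's check-out state machine (illustrative, not OPAM code)."""

    def __init__(self, security_admins):
        self.accounts = {}
        self.audit = []                                  # every decision is recorded
        self.security_admins = set(security_admins)      # only this role may force a check-in (Q5)

    def register(self, acct):
        self.accounts[acct.name] = acct

    def _log(self, now, actor, action, name):
        self.audit.append(AuditEvent(now, actor, action, name))

    def _expire(self, acct, now):
        """Release leases past the policy limit: a time-based forced check-in (Q17)."""
        for user, expiry in list(acct.holders.items()):
            if now >= expiry:
                del acct.holders[user]
                self._log(now, "system", "auto_checkin", acct.name)

    def checkout(self, user, name, now):
        acct = self.accounts[name]
        self._expire(acct, now)
        if acct.holders and not acct.shared and user not in acct.holders:
            self._log(now, user, "denied", name)         # second simultaneous request refused (Q2)
            raise CheckoutError(f"{name} is checked out by {', '.join(sorted(acct.holders))}")
        acct.holders[user] = now + acct.max_checkout
        self._log(now, user, "checkout", name)
        return acct.secret

    def checkin(self, user, name, now):
        acct = self.accounts[name]
        if user not in acct.holders:
            raise CheckoutError(f"{user} does not hold {name}")
        del acct.holders[user]
        self._log(now, user, "checkin", name)

    def force_checkin(self, admin, name, now):
        """Security-admin-only operation; the role check is the separation of duties from Q5."""
        if admin not in self.security_admins:
            self._log(now, admin, "denied", name)
            raise CheckoutError(f"{admin} lacks the security admin role")
        acct = self.accounts[name]
        for user in list(acct.holders):
            del acct.holders[user]
            self._log(now, admin, "forced_checkin", name)

    def holders(self, name, now):
        acct = self.accounts[name]
        self._expire(acct, now)
        return sorted(acct.holders)


def demo():
    """Constructed scenario on a non-shared account; returns the (actor, action) audit trail."""
    t0 = dt.datetime(2012, 1, 1, 9, 0)
    vault = Vault(security_admins={"secadmin"})
    vault.register(PrivilegedAccount("root@db01", "s3cret", max_checkout=dt.timedelta(hours=1)))
    vault.checkout("alice", "root@db01", t0)                                # alice holds the lease
    try:
        vault.checkout("bob", "root@db01", t0 + dt.timedelta(minutes=5))    # refused: sharing is off
    except CheckoutError:
        pass
    vault.checkout("bob", "root@db01", t0 + dt.timedelta(hours=1))          # alice's lease has expired
    try:
        vault.force_checkin("alice", "root@db01", t0 + dt.timedelta(hours=1, minutes=5))  # not an admin
    except CheckoutError:
        pass
    vault.force_checkin("secadmin", "root@db01", t0 + dt.timedelta(hours=1, minutes=10))
    return [(e.actor, e.action) for e in vault.audit]


def shared_demo():
    """Constructed scenario on a shared account: two holders at once, both released when leases end."""
    t0 = dt.datetime(2012, 1, 1, 9, 0)
    vault = Vault(security_admins=set())
    vault.register(PrivilegedAccount("svc_batch", "pw", shared=True, max_checkout=dt.timedelta(hours=1)))
    vault.checkout("alice", "svc_batch", t0)
    vault.checkout("bob", "svc_batch", t0 + dt.timedelta(minutes=30))
    during = vault.holders("svc_batch", t0 + dt.timedelta(minutes=45))
    after = vault.holders("svc_batch", t0 + dt.timedelta(hours=2))
    return during, after


if __name__ == "__main__":
    for actor, action in demo():
        print(f"{actor:>9}  {action}")
    print(shared_demo())
```

The point to notice is that the audit trail records the denied requests as well as the successful ones: a second user bumping into a checked-out account, or a non-admin trying to force a check-in, is exactly the kind of event a reviewer wants to see when reconciling vault events against session activity.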
18. Is MySQL supported?
Yes. Supported database versions are listed in the "Certified Components" section of the DB connector guide here: http://docs.oracle.com/cd/E22999_01/doc.111/e28315/intro.htm#BABGJJHA
19. What happens when OPAM crashes and you need to use the password?
OPAM can be configured for high availability so that a single failure does not take the vault offline; in addition, OPAM data can be backed up and recovered if required. See the OPAM admin guide for both procedures.
20. Is OPAM Standalone product or does it leverage other components from IDM?
OPAM can be run stand-alone, but it also leverages other IDM components (such as those mentioned above for two-factor authentication, auditing and provisioning) when they are deployed.