Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)
Part Number E14568-02
Oracle Adaptive Access Manager protects companies exposing Web applications and services, and their end users from online threats and insider fraud. Oracle Adaptive Access Manager provides risk-aware authentication, real-time behavior profiling, and transaction and event risk analysis.
Oracle Adaptive Access Manager contains functionality in two major areas as summarized in Table 1-1.
Table 1-1 Oracle Adaptive Access Manager Functionality

Real-time or offline risk analysis
    Oracle Adaptive Access Manager provides functionality to calculate the risk of an access request, an event or a transaction, and to determine the proper outcome to prevent fraud and misuse. A portion of the risk evaluation is devoted to verifying a user's identity and determining whether the activity is suspicious.
    The functionality that supports risk analysis is:

End-user facing functionality to prevent fraud
    Oracle Adaptive Access Manager protects end users from phishing, pharming, and malware. The virtual authentication devices secure credential data at the entry point; this ensures maximum protection because the credential never resides on a user's computer or anywhere on the Internet where it could be vulnerable to theft. In addition, Oracle Adaptive Access Manager provides interdiction methods including risk-based authentication, blocking, and configurable actions that interdict in other systems.
    The functionality that supports end-user facing security is:
This chapter provides an overview of Oracle Adaptive Access Manager 11g and includes the following topics:
Oracle Adaptive Access Manager is a security solution to protect the enterprise and its end users of the Web applications and services it exposes.
Oracle Adaptive Access Manager provides:
Real-time and offline risk analytics
Flexible deployment options
Out-of-the-box integrations with single sign-on and identity management
Adaptive access systems can provide the highest levels of security with context-sensitive online authentication and authorization. Thus, situations are evaluated and proactively acted upon based on various types of data.
This section outlines key components used for fraud monitoring and detection.
The Oracle Adaptive Access Manager Dashboard is a unified display of integrated information from multiple components in a user interface that organizes and presents data in a way that is easy to read.
The Oracle Adaptive Access Manager dashboard presents monitor data versions of key metrics. Administrators can easily see up-to-the-minute data on application activity from a security perspective. The reports that are presented help users visualize and track general trends.
Oracle Adaptive Access Manager provides a framework and set of tools for investigators and customer service representatives.
End users of an enterprise that deploys Oracle Adaptive Access Manager can call the enterprise asking for assistance with customer-facing features such as images, phrases, or challenge questions, or with any other issues with their account. The customer service representative (CSR) uses Case Management to create a case, which records all the actions the CSR performs to assist the user as well as the user's various account activities.
The Case Management feature is also used by Fraud Investigators to investigate potentially fraudulent activity performed on user accounts.
Oracle Adaptive Access Manager provides out-of-the-box secondary authentication in the form of knowledge-based authentication (KBA) questions. The KBA infrastructure handles registration, answers, and the challenge of questions. Since KBA is a secondary authentication method, it is presented after successful primary authentication.
KBA is used to authenticate an individual based on knowledge of personal information, substantiated by a real-time interactive question and answer process.
Oracle Adaptive Access Manager's Rules Engine and organizational policies are responsible for determining if it is appropriate to use challenge questions to authenticate the customer.
The policy and rules are designed to handle patterns or practices, or specific activities that you may run across in the day-to-day operation of your business.
Using Oracle Adaptive Access Manager, you can define when the collection of rules is to be executed, the criteria used to detect various scenarios, the group to evaluate, and the appropriate actions to take when the activity is detected.
Java classes and action templates for certain configurable actions are provided out-of-the-box, but you have the option to create configurable actions based on business requirements.
With each type of transaction, different types of details are involved.
Before the client-specific transaction with its corresponding entities can be captured and used for enforcing authorization rules, fraud analysis, and so on, it must be defined and mapped. Oracle Adaptive Access Manager's Transactions feature allows administrators to perform this task.
With the Transaction Definition feature, an administrator is able to create entity and data element definitions and map them to the client-specific data (source data).
Oracle Identity Management BI Publisher Reports uses Oracle BI Publisher to query and report on information in Oracle Identity Management product databases. With minimal setup, Oracle Identity Management BI Publisher Reports provides a common method to create, manage, and deliver Oracle Identity Management reports.
The report templates included in Oracle Identity Management BI Publisher Reports are standard Oracle BI Publisher templates—though you can customize each template to change its look and feel. If schema definitions for an Oracle Identity Management product are available, you can use that information to modify and generate your own custom reports.
The audience for the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager includes:
Table 1-2 Oracle Adaptive Access Manager User Roles

Security Investigators and Customer Service Representatives
    Security investigators and customer service representatives (CSRs) use Oracle Adaptive Access Manager's case management tools to handle security and customer cases daily. They have detailed knowledge about user activity and security issues. Analysts work with security investigators and CSRs to identify the policies that require adjustment and the new policies that need to be created.

Analysts
    Analysts gather intelligence from various sources to identify business and security needs and develop requirements to address them. Their sources of intelligence include investigators, industry reports, antifraud networks, compliance mandates, and company policies.

Administrators
    Administrators plan, configure, and deploy policies based on the requirements from analysts.

System Administrators
    A system administrator configures environment-level properties and transactions.

Quality Assurance
    Quality Assurance (QA) tests the policies to confirm that they meet requirements.
This section provides a brief summary for the following integrations:
The server portion of Oracle Adaptive Access Manager can be natively integrated with a web application. In the native integration, the application invokes the Oracle Adaptive Access Manager APIs directly to access risk and challenge flows.
The two flavors of native integration are:
The web application communicates with OAAM Admin using the Oracle Adaptive Access Manager Native Client API or through Web Services.
The native integration involves only local API calls and therefore no remote server risk engine calls. The integration embeds the processing engine for OAAM Admin with the application and enables it to leverage the underlying database directly for processing.
Both flavors use the same APIs, but during a checkpoint, the appropriate option can be chosen by configuring the properties.
A proxy intercepts site traffic and routes it through OAAM Admin for strong authentication and fraud detection and prevention.
Oracle Adaptive Access Manager is integrated or used along with an access management product. This option uses both OAAM Server and OAAM Admin applications.
Oracle Adaptive Access Manager can be installed in an n-tier deployment to allow horizontal as well as vertical scalability.
Figure 1-1 shows the relationship between the Internet, the Web/Application Server that hosts OAAM Admin and OAAM Server, and the database that stores Oracle Adaptive Access Manager's data. The Web server accepts requests from the browser and forwards all site traffic to the Oracle Adaptive Access Manager engine for processing. To store and retrieve configuration data, the processing engine of OAAM communicates with the database through the JDBC or JNDI driver. The Application Server is able to access and store data in the database at all times.
Figure 1-1 depicts an architectural scenario for deployment.
In this scenario, the Oracle Adaptive Access Manager tiers are separated for performance and scalability, with horizontal scalability for OAAM Admin and the database.