Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)

Part Number E14568-06
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

E The Discovery and OAAM Policy Development Processes

This appendix shows the security policy development process and the modeling process in which high-level requirements are translated into security policies.

It contains the following sections:

E.1 Security Policy Development Process

The process for developing policies are outlined in this section.

E.1.1 Overview

Table E-1 summarizes examples of actors who would take part in the security policy development process.

Table E-1 Example of Policy Development Actors

Actors Description

Investigators and Customer Service Representatives

Investigators and Customer Service Representatives (CSR) use Oracle Adaptive Access Manager's case management tools to handle security and customers cases day-to-day. They have detailed knowledge about user activity and security issues. Analysts work with investigators and CSRs to identify if policies need to be adjusted or new policies need to be created.

Business/Security Analyst

Analysts gather intelligence from various sources to identify needs and develop requirements to address them. Some sources for intelligence include Investigators, industry reports, antifraud networks, compliance mandates, and company polices.

Security Administrator

Administrators plan, configure and deploy policies based on the requirements from analysts.

System Administrator

A System Administrator configures environment-level properties and transactions.

Quality Assurance

Quality Assurance (QA) tests the policies to confirm that they meet requirements.


Edits to existing policy

Editing an existing policy involves the following tasks:

  • Research/Troubleshooting

  • Requirements and Planning

  • Configuration

  • Testing

  • Deployment to production

Creating a New Policy

Creating a new policy involves the following tasks:

  • Discovery/Research

  • Requirements and Planning

  • Configuration

  • Testing

  • Deployment to production

E.1.2 Edit Policy: Research/Troubleshooting

Business Analysts gather intelligence from various sources to identify issues and develop requirements to address them.

Table E-2 Edit Policy: Research/Troubleshooting

Source Details

OAAM Reports

In an existing OAAM deployment analysts can run reports using BIP to identify security or customer issues that need to be addressed.

Investigator/CSR feedback

Interviews with staff can reveal customer and security issues. Are customers complaining they are challenged too often without valid cause? Are there a number of fraud cases where the current policy was not strict enough to prevent access?

Industry Reports

There may be a new type of threat not covered by the current rules. Do thresholds need to be adjusted?

Anti-Fraud Networks

Are there new rule thresholds being suggested by peers/experts? Do they make sense for the business?


E.1.3 New Policy: Discovery/Research

Business and Security Analysts gather intelligence from various sources to identify needs and develop requirements to address them.

Table E-3 New Policy: Discovery/Research

Source Details

OAAM Reports

In an existing OAAM deployment analysts can run reports using BIP to identify security or customer issues that need to be addressed.

Investigator/CSR feedback

Interviews with staff can reveal customer and security issues. Are customers complaining they are challenged too often without valid cause? Are there a number of fraud cases where current policy was not strict enough to prevent access?

Industry Reports

There may be a new type of threat not covered by the current rules. Do thresholds need to be adjusted?

Anti-Fraud Networks

Are there new rule thresholds being suggested by peers/experts? Do they make sense for your business?

Compliance

Is there a new mandate for security measures not addressed by your current policies?

Company policy

Are there new requirements for employee access that can be addressed with OAAM?


E.1.4 Edit/New Policy: Requirements and Planning

Business/Security Analysts develop requirements to address needs identified during discovery.

  • What new policies are needed and why?

  • What are the use cases?

  • What are the expected outcomes (actions, alerts, score)?

  • What applications are involved?

  • What user groups are involved?

E.1.5 Edit/New Policy: Configuration

Security Administrators plan, configure and deploy policies based on the requirements from analysts.

  • What data points should be profiled by autolearning?

  • What rules need to be configured to fulfill use cases?

  • What thresholds should be defined for rules?

  • What rule outcomes are needed?

E.1.6 Edit/New Policy: Testing

QA tests the policies to confirm that they meet requirements.

  • Do the expected outcomes occur?

  • Are the rule thresholds triggering as expected?

  • Is the profiling working as expected?

  • Following common "normal" end user flows, do the new polices cause user experience issues? Too many challenges, users blocked, and so on.

  • Offline can be used to test new/edited policy based on historical control date.

E.1.7 Edit/New Policy: Deployment to Production

Security Administrator:

  • Deploy new policies to the production environment once QA has signed off.

  • Export policy set and groups from dev/QA environment

  • Import to production

E.2 Discovery Process Overview

The high-level steps involved in security policy development are as follows:

  1. Determine what you are trying to accomplish (problem statement).

  2. Break the problem statement into:

    • Inputs: What data is available to evaluate?

    • Rules: What types of evaluations do I need to perform on the data?

    • Outcomes: What should happen based on the analysis?

  3. Translate the wording of the problem statement into a security policy by mapping the data, evaluations, and outcomes to an OAAM configuration.

  4. Configure entities, transactions, patterns, groups, policies, rules, actions and alerts based on the above preparation.

E.3 Example Scenario: Transaction Security

In this scenario, a Security Administrator must configure OAAM to notify the security team if there are more than 4 orders to a shipping address in a 24 hour period.

E.3.1 Problem Statement

Notify the security team to perform a manual review if there are more than 4 orders placed to any single shipping address in a 24 hour period regardless of the number of users.

E.3.2 Inputs Available

The following data is required to perform the stated evaluation described in the problem statement:

  • Date/time of each order

  • Shipping address for each order

  • Count of orders using each shipping address

E.3.3 Evaluation

It is recommended to form a logical statement to describe the risk evaluation required by your problem statement.

The logical statement for this scenario is:

"For a shipping address, if total # of orders > 4 in last 24 hours, then review order."

E.3.4 Outcomes

The outcome required by the problem statement in this case is to generate a single Fraud Alert for the security team.

E.3.5 Translation

In the translation step, the problem statement that was broken down is mapped to the OAAM security policy components.

Table E-4 Problem Statement Mapping

Problem Statement Breakdown Oracle Adaptive Access Manager Security Policy Components

Notify the security team to perform a manual review

An alert with specific messaging

Shipping address

An address entity

Orders

A custom checkpoint for this transaction is needed

 

A policy scoped to the "order" checkpoint will contain any rules needed.

If there are more than 4 orders placed to any single shipping address in a 24 hour period

A rule configured using a generic transaction rule condition


E.3.6 Alert

The best practice is for every evaluation to have a separate alert message.

E.4 Example Scenario: Login Security

In this scenario, a Security Administrator wants users that login from a state they have used less than 5% of the time in the last month to answer a KBA challenge question before being allowed into the protected application.

E.4.1 Problem Statement

Profile users' login behaviors including the geographic locations they login from. Use their unique profile to determine how risky a login attempt is and challenge with a KBA question when required based on risk level. If the login is from a state the user have come from less than 5% of the time in the last month them with a KBA challenge before allowing them into the protected application.

E.4.2 Inputs Available

The following data is required to perform the stated evaluation described in the problem statement:

  • User

  • Time period

  • Geographic location

  • Percentage for total logins used for the comparison

  • Registration status

E.4.3 Evaluation

It is recommended to form a logical statement to describe the risk evaluation required by your problem statement.

The logical statement for this scenario is:

"For a user (logging in from state(s)), if % of logins < 5% of all his logins from this state in last month, then challenge user."

E.4.4 Outcome

The outcome required by the problem statement in this case is to challenge the user with a KBA question if the percentage of logins to a state is less than 5% of his total log ins to states in the last month.

E.4.5 Translation

In the translation step, the problem statement that was broken down is mapped to the OAAM security policy components.

Table E-5 Problem Statement Mapping

Problem Statement Breakdown Oracle Adaptive Access Manager Security Policy Components

if logins from a state

Pattern to track the user's logins from different states.

Multi-bucket pattern with user as actor and state as attribute and for each as the compare operator.

challenge user

An action group to KBA Challenge

with a KBA question

Is registered is an attributes and equals as the compare operator and yes as the compare value.

He has to have questions registered before the system can challenge him with a KBA question

percentage for state vs. percentage of total

Condition: "Entity: Entity is Member of Pattern Less Than Some Percent Time"

5%

Percentage basis specified in rule

last 1 month

Time period specified in rule

before allow to proceed to protected resource

Post-Authentication checkpoint policy

In best practices, KBA challenges occur in the Post-Authentication checkpoint.


E.4.6 Action

KBA challenge users logging in from a state that they do not log in from, specifically one that they use less than 5% of their total logins to states in a month