This appendix shows the security policy development process and the modeling process in which high-level requirements are translated into security policies.
It contains the following sections:
The process for developing policies are outlined in this section.
Table E-1 summarizes examples of actors who would take part in the security policy development process.
Table E-1 Example of Policy Development Actors
| Actors | Description |
|---|---|
|
Investigators and Customer Service Representatives |
Investigators and Customer Service Representatives (CSR) use Oracle Adaptive Access Manager's case management tools to handle security and customers cases day-to-day. They have detailed knowledge about user activity and security issues. Analysts work with investigators and CSRs to identify if policies need to be adjusted or new policies need to be created. |
|
Business/Security Analyst |
Analysts gather intelligence from various sources to identify needs and develop requirements to address them. Some sources for intelligence include Investigators, industry reports, antifraud networks, compliance mandates, and company polices. |
|
Security Administrator |
Administrators plan, configure and deploy policies based on the requirements from analysts. |
|
System Administrator |
A System Administrator configures environment-level properties and transactions. |
|
Quality Assurance |
Quality Assurance (QA) tests the policies to confirm that they meet requirements. |
Editing an existing policy involves the following tasks:
Research/Troubleshooting
Requirements and Planning
Configuration
Testing
Deployment to production
Creating a new policy involves the following tasks:
Discovery/Research
Requirements and Planning
Configuration
Testing
Deployment to production
Business Analysts gather intelligence from various sources to identify issues and develop requirements to address them.
Table E-2 Edit Policy: Research/Troubleshooting
| Source | Details |
|---|---|
|
OAAM Reports |
In an existing OAAM deployment analysts can run reports using BIP to identify security or customer issues that need to be addressed. |
|
Investigator/CSR feedback |
Interviews with staff can reveal customer and security issues. Are customers complaining they are challenged too often without valid cause? Are there a number of fraud cases where the current policy was not strict enough to prevent access? |
|
Industry Reports |
There may be a new type of threat not covered by the current rules. Do thresholds need to be adjusted? |
|
Anti-Fraud Networks |
Are there new rule thresholds being suggested by peers/experts? Do they make sense for the business? |
Business and Security Analysts gather intelligence from various sources to identify needs and develop requirements to address them.
Table E-3 New Policy: Discovery/Research
| Source | Details |
|---|---|
|
OAAM Reports |
In an existing OAAM deployment analysts can run reports using BIP to identify security or customer issues that need to be addressed. |
|
Investigator/CSR feedback |
Interviews with staff can reveal customer and security issues. Are customers complaining they are challenged too often without valid cause? Are there a number of fraud cases where current policy was not strict enough to prevent access? |
|
Industry Reports |
There may be a new type of threat not covered by the current rules. Do thresholds need to be adjusted? |
|
Anti-Fraud Networks |
Are there new rule thresholds being suggested by peers/experts? Do they make sense for your business? |
|
Compliance |
Is there a new mandate for security measures not addressed by your current policies? |
|
Company policy |
Are there new requirements for employee access that can be addressed with OAAM? |
Business/Security Analysts develop requirements to address needs identified during discovery.
What new policies are needed and why?
What are the use cases?
What are the expected outcomes (actions, alerts, score)?
What applications are involved?
What user groups are involved?
Security Administrators plan, configure and deploy policies based on the requirements from analysts.
What data points should be profiled by autolearning?
What rules need to be configured to fulfill use cases?
What thresholds should be defined for rules?
What rule outcomes are needed?
QA tests the policies to confirm that they meet requirements.
Do the expected outcomes occur?
Are the rule thresholds triggering as expected?
Is the profiling working as expected?
Following common "normal" end user flows, do the new polices cause user experience issues? Too many challenges, users blocked, and so on.
Offline can be used to test new/edited policy based on historical control date.
The high-level steps involved in security policy development are as follows:
Determine what you are trying to accomplish (problem statement).
Break the problem statement into:
Inputs: What data is available to evaluate?
Rules: What types of evaluations do I need to perform on the data?
Outcomes: What should happen based on the analysis?
Translate the wording of the problem statement into a security policy by mapping the data, evaluations, and outcomes to an OAAM configuration.
Configure entities, transactions, patterns, groups, policies, rules, actions and alerts based on the above preparation.
In this scenario, a Security Administrator must configure OAAM to notify the security team if there are more than 4 orders to a shipping address in a 24 hour period.
Notify the security team to perform a manual review if there are more than 4 orders placed to any single shipping address in a 24 hour period regardless of the number of users.
The following data is required to perform the stated evaluation described in the problem statement:
Date/time of each order
Shipping address for each order
Count of orders using each shipping address
It is recommended to form a logical statement to describe the risk evaluation required by your problem statement.
The logical statement for this scenario is:
"For a shipping address, if total # of orders > 4 in last 24 hours, then review order."
The outcome required by the problem statement in this case is to generate a single Fraud Alert for the security team.
In the translation step, the problem statement that was broken down is mapped to the OAAM security policy components.
Table E-4 Problem Statement Mapping
| Problem Statement Breakdown | Oracle Adaptive Access Manager Security Policy Components |
|---|---|
|
Notify the security team to perform a manual review |
An alert with specific messaging |
|
Shipping address |
An address entity |
|
Orders |
A custom checkpoint for this transaction is needed |
|
A policy scoped to the "order" checkpoint will contain any rules needed. |
|
|
If there are more than 4 orders placed to any single shipping address in a 24 hour period |
A rule configured using a generic transaction rule condition |
In this scenario, a Security Administrator wants users that login from a state they have used less than 5% of the time in the last month to answer a KBA challenge question before being allowed into the protected application.
Profile users' login behaviors including the geographic locations they login from. Use their unique profile to determine how risky a login attempt is and challenge with a KBA question when required based on risk level. If the login is from a state the user have come from less than 5% of the time in the last month them with a KBA challenge before allowing them into the protected application.
The following data is required to perform the stated evaluation described in the problem statement:
User
Time period
Geographic location
Percentage for total logins used for the comparison
Registration status
It is recommended to form a logical statement to describe the risk evaluation required by your problem statement.
The logical statement for this scenario is:
"For a user (logging in from state(s)), if % of logins < 5% of all his logins from this state in last month, then challenge user."
The outcome required by the problem statement in this case is to challenge the user with a KBA question if the percentage of logins to a state is less than 5% of his total log ins to states in the last month.
In the translation step, the problem statement that was broken down is mapped to the OAAM security policy components.
Table E-5 Problem Statement Mapping
| Problem Statement Breakdown | Oracle Adaptive Access Manager Security Policy Components |
|---|---|
|
if logins from a state |
Pattern to track the user's logins from different states. Multi-bucket pattern with user as actor and state as attribute and for each as the compare operator. |
|
challenge user |
An action group to KBA Challenge |
|
with a KBA question |
Is registered is an attributes and equals as the compare operator and yes as the compare value. He has to have questions registered before the system can challenge him with a KBA question |
|
percentage for state vs. percentage of total |
Condition: "Pattern (Authentication): Entity is Member of Pattern Less Than Some Percent Time" |
|
5% |
Percentage basis specified in rule |
|
last 1 month |
Time period specified in rule |
|
before allow to proceed to protected resource |
Post-Authentication checkpoint policy In best practices, KBA challenges occur in the Post-Authentication checkpoint. |