Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager Release 11g (11.1.1) E14568-02
Oracle Adaptive Access Manager protects companies exposing Web applications and services, and their end users, from online threats and insider fraud. Oracle Adaptive Access Manager provides risk-aware authentication, real-time behavior profiling, and transaction and event risk analysis.
Oracle Adaptive Access Manager contains functionality in two major areas as summarized in Table 1-1.
Table 1-1 Oracle Adaptive Access Manager Functionality
Functionality | Description |
---|---|
Real-time or offline risk analysis | Oracle Adaptive Access Manager provides functionality to calculate the risk of an access request, an event, or a transaction, and to determine proper outcomes to prevent fraud and misuse. A portion of the risk evaluation is devoted to verifying a user's identity and determining if the activity is suspicious. Functionality that supports risk analysis includes: |
End-user facing functionality to prevent fraud | Oracle Adaptive Access Manager protects end users from phishing, pharming, and malware. The virtual authentication devices secure credential data at the entry point; this ensures maximum protection because the credential never resides on a user's computer or anywhere on the Internet where it can be vulnerable to theft. Oracle Adaptive Access Manager also provides interdiction methods, including risk-based authentication, blocking, and configurable actions to interdict in other systems. Functionality that supports end-user facing security includes: |
This chapter provides an overview of Oracle Adaptive Access Manager 11g and includes the following topics:
Oracle Adaptive Access Manager is a security solution that protects the enterprise and the end users of the Web applications and services it exposes.
Oracle Adaptive Access Manager provides:
Risk-aware authentication
Authentication security
Real-time and offline risk analytics
Flexible deployment options
Out-of-the-box integrations with single sign-on and identity management
Adaptive access systems can provide the highest levels of security with context-sensitive online authentication and authorization. Thus, situations are evaluated and proactively acted upon based on various types of data.
This section outlines key components used for fraud monitoring and detection.
Dashboard
The Oracle Adaptive Access Manager Dashboard is a unified display of integrated information from multiple components in a user interface that organizes and presents data in a way that is easy to read.
The Oracle Adaptive Access Manager Dashboard presents monitoring data for key metrics. Administrators can easily see up-to-the-minute data on application activity from a security perspective. The reports that are presented help users visualize and track general trends.
Case Management
Oracle Adaptive Access Manager provides a framework and set of tools for investigators and customer service representatives.
The Case Management feature of Oracle Adaptive Access Manager is used in two ways.
Users of an enterprise that uses Oracle Adaptive Access Manager can call the enterprise for assistance with customer-facing features of Oracle Adaptive Access Manager, such as images, phrases, or challenge questions, or with any issues with their account. The customer service representative (CSR) uses Case Management to create a case, which records all the actions performed by the CSR to assist the user as well as various account activities of the user.
The Case Management feature is also used by Fraud Investigators to investigate potentially fraudulent activity performed on user accounts.
Knowledge-Based Authentication
Oracle Adaptive Access Manager provides out-of-the-box secondary authentication in the form of knowledge-based authentication (KBA) questions. The KBA infrastructure handles registration, answers, and the challenge of questions. Since KBA is a secondary authentication method, it is presented after successful primary authentication.
KBA is used to authenticate an individual based on knowledge of personal information, substantiated by a real-time interactive question and answer process.
Oracle Adaptive Access Manager's Rules Engine and organizational policies are responsible for determining if it is appropriate to use challenge questions to authenticate the customer.
Policy Management
Policies and rules can be used by organizations to monitor and manage fraud or to evaluate business elements.
Policies and rules are designed to handle patterns, practices, or specific activities that you may encounter in the day-to-day operation of your business.
Using Oracle Adaptive Access Manager, you can define when the collection of rules is to be executed, the criteria used to detect various scenarios, the group to evaluate, and the appropriate actions to take when the activity is detected.
Configurable Actions
Configurable actions are actions that are triggered after a checkpoint execution, based on the result action, the risk scoring, or both.
Java classes and action templates for certain configurable actions are provided out-of-the-box, but you have the option to create configurable actions based on business requirements.
Transaction Definition
A transaction is any process a user performs after successfully logging in. Examples of transactions are making a purchase, bill pay, money transfer, stock trade, address change, and others.
With each type of transaction, different types of details are involved.
Before the client-specific transaction with its corresponding entities can be captured and used for enforcing authorization rules, fraud analysis, and so on, it must be defined and mapped. Oracle Adaptive Access Manager's Transactions feature allows administrators to perform this task.
With the Transaction Definition feature, an administrator is able to create entity and data element definitions and map them to the client-specific data (source data).
Reports
Reporting is available through Oracle Adaptive Access Manager. A limited license of Oracle Business Intelligence Publisher is included for customizable reporting capabilities.
Oracle Identity Management BI Publisher Reports uses Oracle BI Publisher to query and report on information in Oracle Identity Management product databases. With minimal setup, Oracle Identity Management BI Publisher Reports provides a common method to create, manage, and deliver Oracle Identity Management reports.
The report templates included in Oracle Identity Management BI Publisher Reports are standard Oracle BI Publisher templates—though you can customize each template to change its look and feel. If schema definitions for an Oracle Identity Management product are available, you can use that information to modify and generate your own custom reports.
The audience for the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager includes:
Table 1-2 Oracle Adaptive Access Manager User Roles
This section provides a brief summary for the following integrations:
The server portion of Oracle Adaptive Access Manager can be natively integrated with a web application. In the native integration, the application invokes the Oracle Adaptive Access Manager APIs directly to access risk and challenge flows.
The two flavors of native integration are:
The web application communicates with OAAM Admin using the Oracle Adaptive Access Manager Native Client API or through Web Services.
Static Linked (In Proc) Integration
The native integration involves only local API calls and therefore no remote server risk engine calls. The integration embeds the processing engine for OAAM Admin with the application and enables it to leverage the underlying database directly for processing.
Both flavors use the same APIs, but during a checkpoint, the appropriate option can be chosen by configuring the properties.
The Oracle Adaptive Access Manager reverse proxy option is a proxy-based deployment of the OAAM Admin and OAAM Server that requires little or no integration with enterprise applications.
A proxy intercepts site traffic and routes it through OAAM Admin for strong authentication and fraud detection and prevention.
Oracle Adaptive Access Manager is integrated or used along with an access management product. This option uses both OAAM Server and OAAM Admin applications.
Oracle Adaptive Access Manager can be installed in an n-tier deployment to allow horizontal as well as vertical scalability.
Figure 1-1 shows the relationship between the Internet, the Web/Application Server that hosts OAAM Admin and OAAM Server, and the database that stores Oracle Adaptive Access Manager's data. The Web server accepts requests from the browser and forwards all site traffic to the Oracle Adaptive Access Manager engine for processing. To store and retrieve configuration data, the processing engine of OAAM communicates with the database through the JDBC or JNDI driver. The Application Server is able to access and store data in the database at all times.
Figure 1-1 depicts an architectural scenario for deployment.
In this scenario, the Oracle Adaptive Access Manager components are separated for performance and scalability, with horizontal scalability for OAAM Admin and the database.