User authentication system for a corporate data warehouse using Oracle ESSO Suite, Enterprise User Security and Oracle Label Security
"Creating a system for user authentication for the VTB corporate data warehouse allowed for the secure storage of banking information and increased ease-of-use in the daily work of staff members regardless of their location," said Denis Guzovsky, Deputy Chief for Development of Information Systems, VTB Bank.
2. Client information
3. Background Information
4. Project Objectives
5. Progress of the Project
6. Results of the Project
7. Why Oracle?
8. Main results
Client: Bank VTB
Bank VTB is one of the largest Russian banks by size of equity capital. The Bank actively works both with corporate clients and with individuals, and also is a player in the market for investment banking services.
VTB is one of the leaders of the national banking sector and has taken a strong competitive position in all segments of the market for banking services.
Diversifying its activities, VTB is constantly expanding its range of operations in the Russian market and offers clients a wide range of services accepted in international banking practice.
The VTB Group today has 586 Offices in almost all regions of Russia.
In 2007, VTB Bank deployed a corporate data warehouse, built on the basis of Oracle Financial Services Applications (OFSA) and adapted to the specific needs of the financial sector. This system automated the collection and analysis of data from a variety of transactional systems, as well as the presentation of the analysis results to business users and to all branches of the bank.
The data warehouse became a key piece of the bank's IT landscape, combining data from heterogeneous operating and business systems into a coherent whole. At the same time, the project to create a data warehouse allowed the deployment of OFSA modules for budgeting and management accounting, financial risk management and preparation of mandatory reporting for the IFRS and for the Bank of Russia.
Because the information contained in the corporate data warehouse is used to support management decisions, ensuring its secure storage and use was one of the primary tasks of the project.
The project was intended to provide for the secure use of the VTB corporate data warehouse, in particular:
- Secure storage of data and presentation of the results of analysis to business users.
- Reliability of information security through centralized access control to confidential data.
- Authorization and a single user authentication.
- Secure access to corporate data warehouse both via web-interface and from conventional server applications.
- Separation of user access to data on the row level.
Progress of the Project
By March 2007, RDTEX had successfully completed a pilot project to create a corporate data warehouse at VTB Bank. Before its launch in trial operation, the developers faced the challenge of expanding the capabilities of the system by adding the secure storage of information and access control depending on the rights of users.
Because the basic platform for the data warehouse was Oracle Financial Services Applications (OFSA), Oracle software was also used to secure the data.
The project for information security was conducted jointly by VTB Bank and RDTEX.
In the prototype system the following functions were implemented:
- Authorization and authentication of users
Solving the problem of end-to-end user authentication for the corporate data warehouse enabled access to information in the repository using a common mechanism throughout the bank.
Oracle Enterprise Single Sign-On Suite was used to implement end-to-end user authentication. This simplified work and improved security: users no longer need to remember, and technical support staff no longer need to reset, many different logins and passwords for different applications. The system works with Oracle Database, Oracle Forms, Oracle Discoverer, Oracle E-Business Suite, Oracle PeopleSoft Enterprise applications and Oracle Siebel, as well as other applications.
- Access to corporate data warehouse via web-interface and via conventional server applications
To provide access to corporate data warehouse via a web-interface and via conventional server applications, RDTEX implemented the information security components of Oracle Application Server, as well as Oracle Enterprise User Security.
Oracle Enterprise User Security provides user authentication through the unified directory service Oracle Internet Directory (OID). Because user information is stored once in the centralized OID directory and accessed over the LDAP v3 protocol, the cost of administering user accounts was reduced.
- Row Level Access Control
The deployment of Oracle Label Security allowed fine-grained classification of information in the data warehouse by sensitivity level, with access to each row controlled according to the privileges of the individual user.
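As an added illustration (not code from the RDTEX/VTB project), the following sketches a Label Security policy of the kind described above: rows carry a level plus a business-line compartment, and the same SELECT returns a different row set for each analyst. The policy, schema, table, column and user names are assumed.

```sql
-- Hypothetical names: policy DWH_POL, schema DWH, table CLIENT_BALANCES,
-- users ANALYST_RET and ANALYST_HQ. Run as LBACSYS (holder of LBAC_DBA)
-- on a database where Oracle Label Security is enabled.

-- 1. Policy: adds a hidden label column DWH_LABEL to every protected table.
--    READ_CONTROL filters rows on SELECT, WRITE_CONTROL on INSERT/UPDATE/DELETE,
--    LABEL_DEFAULT stamps new rows with the session's default row label.
BEGIN
  SA_SYSDBA.CREATE_POLICY(policy_name     => 'DWH_POL',
                          column_name     => 'DWH_LABEL',
                          default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT');
END;
/
-- 2. Components: levels are ordered (higher number = more sensitive); a user must
--    hold every compartment a row carries, which partitions data by business line.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('DWH_POL', 1000, 'INT',  'Internal');
  SA_COMPONENTS.CREATE_LEVEL('DWH_POL', 2000, 'CONF', 'Confidential');
  SA_COMPONENTS.CREATE_COMPARTMENT('DWH_POL', 10, 'RET',  'Retail clients');
  SA_COMPONENTS.CREATE_COMPARTMENT('DWH_POL', 20, 'CORP', 'Corporate clients');
  -- Data labels rows may carry; the numeric tag only needs to be unique per policy.
  SA_LABEL_ADMIN.CREATE_LABEL('DWH_POL', 200, 'CONF:RET');
  SA_LABEL_ADMIN.CREATE_LABEL('DWH_POL', 300, 'CONF:CORP');
END;
/
-- 3. Protect the table. Rows that existed before get a NULL label and become
--    invisible under READ_CONTROL, so label them as a user with the FULL privilege.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('DWH_POL', 'DWH', 'CLIENT_BALANCES');
  SA_USER_ADMIN.SET_USER_PRIVS('DWH_POL', 'DWH', 'FULL');
END;
/
-- (run as DWH)
UPDATE DWH.CLIENT_BALANCES SET DWH_LABEL = CHAR_TO_LABEL('DWH_POL', 'CONF:RET')
 WHERE CLIENT_TYPE = 'RETAIL';
UPDATE DWH.CLIENT_BALANCES SET DWH_LABEL = CHAR_TO_LABEL('DWH_POL', 'CONF:CORP')
 WHERE CLIENT_TYPE = 'CORPORATE';
-- 4. Per-user authorisations: ANALYST_RET reads up to CONF but only RET rows;
--    ANALYST_HQ holds both compartments and therefore sees every labelled row.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('DWH_POL', 'ANALYST_RET', max_read_label => 'CONF:RET');
  SA_USER_ADMIN.SET_USER_LABELS('DWH_POL', 'ANALYST_HQ',  max_read_label => 'CONF:RET,CORP');
END;
/
-- 5. Check, run as each analyst (both need SELECT on the table): the label column
--    shows exactly which row classes the session was permitted to read.
SELECT LABEL_TO_CHAR(DWH_LABEL) AS row_label, COUNT(*) AS rows_visible
  FROM DWH.CLIENT_BALANCES GROUP BY LABEL_TO_CHAR(DWH_LABEL);
```

Under this policy ANALYST_RET's query lists only CONF:RET, while ANALYST_HQ's lists both CONF:RET and CONF:CORP; rows never labelled stay hidden from everyone except FULL-privileged sessions, which is the first thing to verify after applying a policy to a populated warehouse table.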
Results of the Project
The project established an effective system for the secure storage of information in the VTB corporate data warehouse and a mechanism for unified user authentication and row-level access to data.
Working conditions for users were improved, administrative costs reduced, and risks associated with the use of a large number of passwords to access applications were reduced.
The following problems were addressed: redundancy and inconsistency of user information, risk of unauthorized access to information resources because of the growing number of applications that share the same data structure.
Oracle Enterprise Single Sign-On is one of the best solutions in its class, providing secure access to corporate information resources without having to remember separate passwords and user identification data for each system and each application.
When users have many logins and passwords, they tend to simplify them or reuse the same password. Oracle Enterprise Single Sign-On lets users remember only one ID and password, which can therefore be strong, while the target systems can use different complex passwords, improving the overall security of the system.
Oracle Enterprise Single Sign-On provides customizable, flexible policies for recovering lost or forgotten passwords through secure interfaces on MS Windows. It supports access control to applications throughout the enterprise and helps meet HSPD-12 regulatory requirements by combining physical and software techniques to protect information. Users who move between locations during the day get fast, secure access to applications from shared kiosk workstations.
Oracle Enterprise User Security and Oracle Label Security Option are extensions to Oracle server products and can be used without additional cost for the deployment of the system and training of administrators.
- Secure storage of corporate data and presentation of the results of analysis to business users.
- Improved reliability of information security through centralized access control to confidential data.
- Single user authentication and authorization.
- Secure access to the corporate data warehouse via web-interface and conventional server applications.
- Fine-grained control of access to data.
- Reduced administrative costs by reducing risks from the use of large numbers of passwords.