Identity Management Best Practices
Katerina Kalimeri, Senior Sales Consultant, Oracle Hellas


Agenda

• IDM Defined

• Business Drivers for Complete Security

• Key Elements of Identity Management

• Oracle Approach to Identity Management

• Oracle IdM @ Work

• Summary


What is Identity Management?
Securing your IT assets from within

• Management of digital identities through their complete lifecycle
  • Identity life cycle: join / move / leave
  • Employee hire -> promotion -> departure

• Securing access to applications and information
  • Authentication: proving you are who you say you are
  • Authorization: what you have access to, when, where

• Scalable and available storage of identity information
  • Profile: roles and attributes about you


Today’s Business Challenges

Operational efficiencies

Fool-proof security

Sustainable and efficient compliance

Challenge: Expanding Regulatory Requirements

AMERICAS
• HIPAA
• FDA CFR 21 Part 11
• OMB Circular A-123
• SEC and DoD Records Retention
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Federal Sentencing Guidelines
• Foreign Corrupt Practices Act
• Market Instruments 52 (Canada)

EMEA
• EU Privacy Directives
• EU Electronic Signature Laws
• BSI
• Basel II
• PCI DSS

APAC
• J-SOX (Japan)
• CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)
• Stock Exchange of Thailand Code on Corporate Governance

GLOBAL
• International Accounting Standards
• Basel II (Global Banking)
• OECD Guidelines on Corporate Governance

Common Control Deficiencies

1. Delays in terminating access

2. Maintaining privileges over time

3. Combination of user access to transactions in conflict (SoD: segregation of duties)

4. Managing access authorization is oftentimes manual (paper based or email)

5. Password policies not enforced across all systems

6. Lack of periodic review of user entitlements

7. Lack of proper reporting capabilities
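As an added example (not part of the presentation and not Oracle's code), the Python script below runs the kind of periodic access review that items 1, 2, 3 and 6 call for: it compares an HR feed (the source of record) with an application account snapshot and flags accounts still enabled after termination, privileges retained beyond what the current role justifies, orphaned accounts with no owner in HR, and segregation-of-duties conflicts evaluated across everything a person holds. The role model, the SoD matrix and every record are constructed for the example.

```python
"""Access review over an HR feed and an account snapshot (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Person:
    """Identity as the HR system (source of record) sees it."""
    user_id: str
    role: str
    status: str                         # "active" or "terminated"
    terminated_on: Optional[date] = None


@dataclass
class Account:
    """Account as a target application sees it."""
    user_id: str
    system: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


# Constructed role model: entitlements each business role is allowed to hold.
ROLE_MODEL: Dict[str, Set[str]] = {
    "accounts_payable": {"erp:create_vendor", "erp:enter_invoice"},
    "treasury": {"erp:approve_payment", "erp:view_ledger"},
    "auditor": {"erp:view_ledger"},
}

# Constructed SoD matrix: pairs of entitlements one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"erp:create_vendor", "erp:approve_payment"}),
    frozenset({"erp:enter_invoice", "erp:approve_payment"}),
}

Finding = Tuple[str, str, str, str]   # (type, user_id, system, detail)


def review_access(people: List[Person], accounts: List[Account], today: date,
                  max_termination_lag_days: int = 1) -> List[Finding]:
    """Return sorted findings for the deficiencies a periodic review should catch."""
    hr = {p.user_id: p for p in people}
    findings: List[Finding] = []
    for acct in accounts:
        person = hr.get(acct.user_id)
        if person is None:
            findings.append(("orphaned_account", acct.user_id, acct.system, ""))
            continue
        if person.status == "terminated" and acct.enabled and person.terminated_on:
            lag = (today - person.terminated_on).days
            if lag > max_termination_lag_days:
                findings.append(("termination_delay", acct.user_id, acct.system, f"{lag} days"))
        # Privileges retained beyond what the current role justifies.
        allowed = ROLE_MODEL.get(person.role, set())
        for ent in sorted(acct.entitlements - allowed):
            findings.append(("excess_privilege", acct.user_id, acct.system, ent))
    # SoD is checked over everything a person holds across systems, not per account.
    held: Dict[str, Set[str]] = {}
    for acct in accounts:
        if acct.enabled:
            held.setdefault(acct.user_id, set()).update(acct.entitlements)
    for user_id, ents in held.items():
        for pair in SOD_CONFLICTS:
            if pair <= ents:
                findings.append(("sod_conflict", user_id, "*", " + ".join(sorted(pair))))
    return sorted(findings)


def sample_review() -> List[Finding]:
    """Run the review over constructed data; returns six findings."""
    people = [
        Person("alice", "accounts_payable", "active"),
        Person("bob", "treasury", "terminated", terminated_on=date(2007, 10, 1)),
        Person("carol", "auditor", "active"),      # moved here from accounts_payable
    ]
    accounts = [
        Account("alice", "erp", True, {"erp:create_vendor", "erp:enter_invoice", "erp:approve_payment"}),
        Account("bob", "erp", True, {"erp:approve_payment", "erp:view_ledger"}),
        Account("carol", "erp", True, {"erp:view_ledger", "erp:enter_invoice"}),
        Account("dave", "erp", True, {"erp:view_ledger"}),   # no HR record at all
    ]
    return review_access(people, accounts, today=date(2007, 10, 15))


if __name__ == "__main__":
    for finding in sample_review():
        print(*finding, sep="\t")
```

The findings list is the raw material for an attestation report: each line names the user, the system and the reason, so a business owner can confirm or revoke. Note that the SoD check deliberately unions entitlements across all of a person's enabled accounts, because a conflict split across two systems is still a conflict.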

IdM Addresses Compliance Deficiencies

• Enforces segregation of duties
• Restricts access
• Automates access management
• Automates attestation and audit reporting
• Demonstrates controls are in place and working

Challenge: Managing Security Risks

• Majority of security breaches come from within the organization
• Fragmented security policies
• Orphaned accounts
• Expired access rights
• Lack of aggregated audit and accountability
• Leaked passwords, social engineering
• Manual provisioning requests prone to errors
• Network administrators unaware of organizational and role changes

IdM Strengthens Security

Centralized security and policy management
• Consistent policies enforced across the enterprise
• Enterprise-wide visibility of users, access rights, audit data

Automated provisioning / de-provisioning
• Role-based user provisioning and de-provisioning
• Automated updates triggered by user status change

Single Sign-On, Delegated Administration
• Reduce password compromises
• Delegate policy administration to business owners
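To make "automated updates triggered by user status change" concrete, here is an added Python example (not Oracle's code and not from the presentation) of a role-based provisioning loop: each join / move / leave event from the source of record recomputes the entitlements the user should hold from a role model and applies only the difference to a target system, so a leaver's access is revoked the moment HR records the departure rather than when someone remembers. The role model, the target-system stub and the event stream are constructed.

```python
"""Role-based provisioning driven by join / move / leave events (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed role model: what each business role entitles a user to.
ROLE_MODEL: Dict[str, Set[str]] = {
    "engineer": {"git:push", "ci:run", "vpn:access"},
    "engineering_manager": {"git:push", "ci:run", "vpn:access", "hr:view_team"},
    "contractor": {"git:push", "vpn:access"},
}


class TargetSystem:
    """Stand-in for a provisioning connector; records every grant and revoke it is asked to make."""

    def __init__(self) -> None:
        self.entitlements: Dict[str, Set[str]] = {}
        self.log: List[Tuple[str, str, str]] = []

    def grant(self, user_id: str, entitlement: str) -> None:
        self.entitlements.setdefault(user_id, set()).add(entitlement)
        self.log.append(("grant", user_id, entitlement))

    def revoke(self, user_id: str, entitlement: str) -> None:
        self.entitlements.get(user_id, set()).discard(entitlement)
        self.log.append(("revoke", user_id, entitlement))


def desired_entitlements(roles: Set[str]) -> Set[str]:
    """Union of everything the user's current roles entitle them to."""
    return set().union(*(ROLE_MODEL.get(r, set()) for r in roles))


class Provisioner:
    def __init__(self, target: TargetSystem) -> None:
        self.target = target
        self.identities: Dict[str, dict] = {}   # user_id -> {"roles": set, "status": str}

    def handle(self, event: dict) -> Dict[str, List[str]]:
        """Apply one lifecycle event and reconcile the target; returns what changed."""
        uid, kind = event["user_id"], event["type"]
        if kind == "join":
            self.identities[uid] = {"roles": set(event["roles"]), "status": "active"}
        elif kind == "move":
            self.identities[uid]["roles"] = set(event["roles"])
        elif kind == "leave":
            # A leaver keeps no roles, so the reconcile below strips every entitlement.
            self.identities[uid].update(roles=set(), status="terminated")
        else:
            raise ValueError(f"unknown event type {kind!r}")
        return self.reconcile(uid)

    def reconcile(self, uid: str) -> Dict[str, List[str]]:
        """Bring the target in line with the desired state; only the difference is touched."""
        ident = self.identities[uid]
        want = desired_entitlements(ident["roles"]) if ident["status"] == "active" else set()
        have = set(self.target.entitlements.get(uid, set()))   # copy before mutating
        to_grant, to_revoke = sorted(want - have), sorted(have - want)
        for ent in to_grant:
            self.target.grant(uid, ent)
        for ent in to_revoke:
            self.target.revoke(uid, ent)
        return {"granted": to_grant, "revoked": to_revoke}


def run_lifecycle() -> Tuple[List[Dict[str, List[str]]], TargetSystem]:
    """Constructed hire -> promotion -> re-scoping -> departure for one user."""
    target = TargetSystem()
    prov = Provisioner(target)
    events = [
        {"type": "join", "user_id": "alice", "roles": ["engineer"]},
        {"type": "move", "user_id": "alice", "roles": ["engineering_manager"]},
        {"type": "move", "user_id": "alice", "roles": ["contractor"]},
        {"type": "leave", "user_id": "alice"},
    ]
    return [prov.handle(e) for e in events], target


if __name__ == "__main__":
    changes, target = run_lifecycle()
    for change in changes:
        print(change)
    print("final entitlements:", target.entitlements)
```

The point of computing the desired state from roles on every event, rather than applying per-event deltas, is that a "move" automatically revokes what the old role granted and the new one does not; privilege accumulation over time (deficiency 2 above) cannot happen by construction.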

Challenge: Operational Efficiencies

• Administrative costs
  • Administering access for tens of thousands of users
  • Overwhelming volume of help desk calls
  • Manual provisioning of accounts for new hires
  • Manual aggregation and cross checking of audit data

• User productivity
  • Long wait times acquiring access to requested systems
  • Forgotten passwords
  • No single password in use

• IT productivity
  • Developers reinventing security for each app they build

IdM Streamlines Operations

Lower administrative costs
• Single Sign-On, self-service password resets, password synchronization
• $420/year per user cost savings via reduced help desk calls
• Automated and aggregated audit reporting

Enhanced user productivity
• Reduce time to access systems from days to minutes
• Automated provisioning: $1250 per year per employee ROI [1]

Enhanced IT productivity
• Developers re-use centralized security functions
• Accelerated application deployments
• Externalization of authN and authZ from applications

[1] Burton Group Report, August 2004


Identity & Access Management

Access Control
• Strong Authentication & Authorization
• Risk Based Access Control
• Single Sign-On
• Federation
• Web Services Security

Identity Administration
• Identity & Organization Lifecycle Administration
• Enterprise Role Management
• Provisioning & Reconciliation
• Compliance Automation

Directory Services
• Virtualization
• Synchronization
• Storage

Management
• Service Levels, Risk Analysis, Forensics, Configuration, Performance, Automation

Audit & Compliance
• Audit Data, Attestation, Fraud Detection, Segregation of Duties Controls


30 Years of Security Leadership (1977 to 2007)
Oracle Strategy: Acquisitions & Organic Growth

Milestones, newest first:
• Bridgestream (Fall 2007, IdM acquisition)
• Audit Vault (Spring 2007)
• Database Vault
• Content DB, Records DB
• Secure Enterprise Search
• Thor & Octet String (IdM acquisitions)
• Phaos, Oblix (IdM acquisitions)
• Database CC Security Eval #18 (10g R1)
• Transparent Data Encryption
• VPD Column Security Policies
• Fine Grained Auditing (9i)
• 1st Database Common Criteria (EAL4)
• Oracle Label Security (2000, 8.1.7)
• Virtual Private Database (1998)
• Enterprise User Security (8i)
• Database Encryption API
• Kerberos Support (8i)
• Support for PKI
• Radius Authentication
• Network Encryption (Oracle7)
• Oracle Advanced Security introduced
• First Orange Book B1 evaluation (1993)
• Trusted Oracle7 MLS DB
• Government customer (CIA – Project Oracle)

Oracle IAM Products: Oracle Identity & Access Management Suite

Access Control
• Oracle Access Manager
• Oracle Adaptive Access Manager
• Oracle ESSO
• Oracle Identity Federation
• Oracle WSM

Identity Administration
• Oracle Identity Manager
• Oracle Enterprise Role Manager

Directory Services
• Oracle Virtual Directory
• Oracle Internet Directory (with Directory Integration Platform)

Management
• Oracle Enterprise Manager for Identity Management

Audit & Compliance

Leader in Magic Quadrants

• User Provisioning, 2H 2007
• Web Access Management, 2H 2006

Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Case Study – Royal Bank of Scotland (RBS)

BUSINESS CHALLENGE

• Looking to automate provisioning & role management, mapping business roles to IT roles

• Adding job-driven, position-driven, team-driven, and scoped roles to the role model

• Meet compliance requirements and mitigate risk

ORACLE SOLUTION

• Oracle Identity Manager and Oracle Enterprise Role Manager chosen in May 2006

• 140,000 internal users, plus 10 connectors

• POC performance and reference meetings were key differentiators

RESULTS

• Expect to meet compliance and audit requirements – both regulatory and internal

• Dramatic improvement in accuracy via automation and workflow

• Lower cost and improved security by enabling business units to manage role grants without compromising security policy

Case Study - Pfizer

BUSINESS CHALLENGE

• Wanted a portal which allows end users to determine what form of credential they would like to use to authenticate

• Needed the ability to enforce stronger authentication based on the sensitivity of the data being accessed

• Needed a centralized security service

• Needed zero downtime

ORACLE SOLUTION

• Oracle Access Manager and Oracle Virtual Directory are key components of Pfizer’s Identity and Access Management Infrastructure

RESULTS

• Built a security platform that allows new users to access the Pfizer applications based on their existing authentication factors – lowers the cost of doing business with Pfizer

• SSO allows end users to have a stronger, unique authentication method to all applications – increases security by doing away with sticky-note syndrome
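The second challenge bullet, stronger authentication based on the sensitivity of the data, is normally implemented as a step-up policy in the access manager. As an added example (not Pfizer's or Oracle's implementation), the Python below evaluates such a policy: a session records which credential the user chose at login and when, each resource carries a sensitivity label, and the decision is allow, step up to a named stronger credential, or deny. The assurance ladder, sensitivity labels, freshness limits and sample sessions are all constructed.

```python
"""Step-up authentication policy: access decision depends on credential strength (added example)."""
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed assurance ladder: higher number = stronger credential.
ASSURANCE: Dict[str, int] = {"password": 1, "otp": 2, "smartcard": 3}

# Constructed policy per data sensitivity: (minimum assurance, maximum age of the
# authentication event before it must be repeated; None = no freshness requirement).
POLICY: Dict[str, Tuple[int, Optional[timedelta]]] = {
    "public": (0, None),
    "internal": (1, None),
    "confidential": (2, timedelta(hours=8)),
    "restricted": (3, timedelta(minutes=5)),
}

Decision = Tuple[str, Optional[str]]   # ("allow" | "step_up" | "deny", method to step up to)


def decide(session: dict, sensitivity: str, now: datetime) -> Decision:
    """Decide whether the session may access data of the given sensitivity."""
    min_level, max_age = POLICY[sensitivity]
    have = ASSURANCE.get(session.get("method"), 0)        # unknown method counts as no assurance
    fresh = max_age is None or now - session["authenticated_at"] <= max_age
    if have >= min_level and fresh:
        return ("allow", None)
    # Weakest credential that satisfies the policy; the user is prompted for that one.
    for method, level in sorted(ASSURANCE.items(), key=lambda kv: kv[1]):
        if level >= min_level:
            return ("step_up", method)
    return ("deny", None)   # no credential on the ladder is strong enough


def sample_decisions() -> Dict[str, Decision]:
    """Constructed sessions against each sensitivity level."""
    now = datetime(2007, 11, 1, 10, 0)
    password_session = {"method": "password", "authenticated_at": now - timedelta(minutes=1)}
    smartcard_session = {"method": "smartcard", "authenticated_at": now - timedelta(minutes=10)}
    anonymous = {"method": None, "authenticated_at": now}
    return {
        "password->internal": decide(password_session, "internal", now),
        "password->confidential": decide(password_session, "confidential", now),
        "smartcard->confidential": decide(smartcard_session, "confidential", now),
        "smartcard->restricted": decide(smartcard_session, "restricted", now),
        "anonymous->public": decide(anonymous, "public", now),
        "anonymous->internal": decide(anonymous, "internal", now),
    }


if __name__ == "__main__":
    for case, decision in sample_decisions().items():
        print(f"{case:26} -> {decision}")
```

Two details matter in practice: the decision is made per resource, not once at login, so a user who chose a password for the portal is only challenged when they reach confidential data; and strength alone is not enough for the most sensitive class, which also requires the authentication to be recent, so even a smartcard session is asked to re-authenticate after the freshness window expires.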

Case Study – BAMF

BUSINESS CHALLENGE

• Complex IT environment consisting of multiple data stores

• Need for delegated administration and group management for their applications

• Need for password sync from Active Directory to several OID data stores

• Governance compliance

ORACLE SOLUTION

• Oracle Access Manager and Identity Manager for 10,000 external & 2,000 internal users

• Identity Manager allows for delegated management of identities and password sync (e.g. with MS AD)

RESULTS

• Reduced administration costs and improved user experience around password management

• Efficient account creation and cancellation

• Password sync between OID, AD (leading directory) and Oracle database

• Web Single Sign-On with Application Express apps and J2EE apps


IDM the Oracle way…

• “Holistic” approach with Oracle IAM Suite
• Staged model for fast results
• Externalized to be used across systems and applications
• Value-adding strategic partners
• Evolve to remain ahead of pace
• Support for life

Q&A