Leap Forward - Oracle IDM for Oracle Apps - Dec 11 2008 vFinal


8/14/2019 Leap Forward - Oracle IDM for Oracle Apps - Dec 11 2008 vFinal

Slide 1/73

Leap Forward with Oracle Identity Management

Chris Fox, CISSP | Principal Security Consultant | [email protected]

Leverage. Extend. Automate. Protect.
Slide 2/73

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Slide 3/73

Leap Forward with Oracle Identity Management for

Leverage: Your Oracle Application investment
Extend: Its capabilities to solve common security problems, drive down costs and boost end user productivity
Automate: Costly and Time-Consuming User Management, User Access, Access Recertification and Reporting processes
Protect: Your Oracle Application to the Core with strong access controls, segregation of duties and data protection

Slide 4/73

Oracle IDM Drives Productivity!

Identity & Audit Tasks: User Administration, Password Reset, Internal Audit

[Chart: Annual Minutes Required for Identity Management & Related Audit Requirements; x-axis Year 1 to Year 4, y-axis Minutes (0 to 14,000,000); series Business-as-Usual vs. Oracle IDM]

$7.4M Savings over 4 Years; $3M Year-Over-Year Savings Once Fully Deployed!

[Chart: Annual Cost Comparison, Business-as-Usual vs. Oracle IDM; x-axis Year 1 to Year 4, y-axis $0 to $8,000,000]

Productivity; User Satisfaction; Identity & Audit Costs Down 55%

Slide 5/73

Today's Agenda

- Security + Compliance Issues Application Customers Face
- Solving Issues with Oracle Identity Management and Security: Automating User & Password Management; Simplifying Sign On & Centralizing Access Management; Streamline Governance, Risk and Compliance
- Real World Case Studies
- Oracle Application customers using Identity Management today?

Slide 6/73

Leverage.

Slide 7/73

Oracle Applications are a Great Foundation!

[Diagram of business processes: Develop, Market, Sell, Order, Plan, Procure, Make, Fulfill, Service, Maintain, Finance, HCM, Projects, Contracts]

Slide 8/73

"Success of strategic business initiatives often depends on identification, development, and ongoing management of work skills & professional expertise, leading to accelerated achievement of strategic objectives."
-- Jennifer Volmer, Research Analyst

Human Capital Management At-a-Glance

[Diagram labels: Managers, Employees, Labor Sourcing, Demand Forecasting, Recruiting, Contractor Hiring, Supplier Relations, Offer Negotiations, On-Boarding, Post Employment, Termination, Re-Hires, Benefits, References, Records, People, Deployment, Development, Compensation, Workforce Mgmt, Services, Labor Relations, Compliance, Organization, Contractors, Former Employees]

Slide 9/73

Overall Business Pressures

Aging & Retiring Workforce: How can I attract workers with key competencies & skills? How can I develop an agile workforce to support my changing business?

Governance & Compliance: How can I keep pace with changing privacy laws & safety regulations? How can I gain greater control of processes, data, and approvals?

What is the best way to service an increasingly global workforce? How can I simplify complex processes across the organization?

Where can I cut costs & improve workforce mgmt efficiencies? How can I manage and improve workforce utilization?

Emerging Markets, New Organizations

Reduce Costs While Improving HR Service

[Diagram labels: Workforce Management, Labor Sourcing, Post Employment]

Slide 10/73

Top Security Issues

- User Access and Password Management
- Governance, Risk and Compliance
- Managing Users and Entitlements

Slide 11/73

Issue #1: Managing Users and Entitlements

1. Creating user accounts and granting fine-grained entitlements (Roles, Responsibilities) is manual and costly
2. Transfers are hard to handle and removing excessive privileges doesn't happen fast enough
3. Requesting new user access is a manual effort that takes too long
4. Access approvals are manual, email-driven, aren't unique for the access request and aren't auditable
5. Removing user access and entitlements upon termination takes too long and has lots of spot issues

Slide 12/73

Issue #2: Access and Password Management

1. We want to make access to applications easier by either using SSO or the user's AD password
2. Users forget their passwords, we need a way for them to reset it themselves
3. We'd like to use SSO, but have to be sure we know who the user is and prevent fraud
4. We'd like to expose our applications externally to all users over the web vs. VPN but don't have confidence
5. We need fine-grained access control of application data (at the UI and database levels)

Slide 13/73

Issue #3: Governance, Risk and Compliance

1. "Who has and Who had access to what? and Why?" reports are manual and sometimes impossible
2. Segregation of Duties (SoD) within the application is difficult to achieve even at a detective level
3. Orphaned/ghost accounts are very hard to detect and eliminate. There could be hundreds or thousands?
4. We can't ensure the protection of our applications' database data and prove controls are working
5. Out of all these issues, Periodic Access Reviews are the most complex, costly and time-intensive task

Slide 14/73

We know the Real World Isn't Easy!

Slide 15/73

What Application Customers Are Asking For

Business Users:
- Need User Accounts and Entitlements As Fast As Possible
- Want Simplified Access To ALL Applications
- Minimize or Synchronize the passwords

Information Security and Audit:
- Need To Understand Risk And What To Protect
- Want to Protect Data From Compromise
- Looking to Review User Access in less time
- Need Reports For "Who Has (And Had) Access To What?"

IT Personnel:
- Needs Help Simplifying User Management For: Employees, Customers, Partners
- Want workflow to automate manual processes
- Need Tools To Manage IT Systems With Less Effort

Slide 16/73

Extend.

Slide 17/73

We Can Fix These Issues Today

Automate:
- Automate User & Responsibility Management
- Self Service Password Reset and Account Requests
- Secure, Risk-Based Single Sign On

Protect:
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls
- Strong Access Controls and Data Protection

Slide 18/73

Securing, Automating and Auditing Oracle Applications

- HR-Driven User Mgmt: Automatically on-board, transfer and off-board users based on HR events
- Role-Based Access: Automatically grant user rights and generate auditable approval workflows
- User Self Service: Web-based home page for requesting new access rights and changing passwords
- Segregation of Duties: Preventative and Detective SoD ensure compliance and reports are generated for audit
- Periodic Access Review: Web-based interface used to schedule, delegate, track, complete and view reports for audit
- Risk-Based SSO: Users access apps on Day 1 using SSO and optional strong authentication that employs risk analytics
- Data Protection: Edge to Core security of application data ensures users only get access to what they need

Get Productive! Get Compliant!

Slide 19/73

Oracle IdM is Certified and Ready

[Matrix of Oracle IdM components (Adaptive Access Manager, Identity Federation, Identity Manager, Role Manager, Internet Directory, Virtual Directory, Access Manager, Enterprise SSO Suite, Entitlement Server, Web Services Manager) against Out-of-The-Box Connectors and Certified Interoperability; four cells marked In Progress]

Slide 20/73

Automate.

Slide 21/73

How Do We Automate Security?

Automate:
- Automate User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests

(Protect: Web-Based Periodic Access Review; Preventative Segregation of Duties Controls; Strong Access Controls and Data Protection)

Slide 22/73

Automated User and Responsibility Management

Issue to Address:
- Creating user accounts and granting them the entitlements they need is manual and costly
- Transfers are hard to handle. Termination of unused privileges isn't happening fast enough
- Removing access and entitlements upon termination takes too long and has spot issues
- Orphaned/ghost accounts are very hard to detect and eliminate. There could be thousands?

Solution: Oracle Identity Manager (Option: Oracle Role Manager) for Automated User & Responsibility Management

Slide 23/73

Automatic User and Responsibilities Mgmt: Single Global Instance of All Users

Certified EBS Integration (Oracle Identity Manager with the Oracle Database):
- Password Update and Synchronization
- Add and Remove EBS Responsibilities
- On-board, Transfer, Update, Off-board Users

Event-Driven Identity Management: HR & Biz Applications drive Oracle Identity Manager, which creates/modifies the User Account and Entitlements in Databases, Applications and Directories.

Reconciliation against Other Sources (Flat Files, Databases, Directories):
1. Pull lists of who is in each system
2. Periodically check for rogue identities
3. Remove identities and/or entitlements

Slide 24/73

Automatic User and Entitlement Mgmt: Single Global Instance of All Users

Slide 25/73

Automatic User and Entitlement Mgmt: Single Global Instance of All Users

Slide 26/73

Manage Roles, Approvers & Orgs: Oracle Role Manager

Oracle Role Manager: Who is the Approver?; Organization and Hierarchy Management; Role Management; Role Mining
Oracle Identity Manager: Approval Workflows; Entitlement Management; Account Provisioning; Account Reconciliation (across Applications, Directories and Databases); Reports
Org Hierarchies are fed from HR and Other Applications.

MAPS: Business Roles TO IT/System Roles TO Entitlements TO Approvers

"Go to Identity Manager's Self-Service and approve Chris' request?"

Slide 27/73

Manage Roles, Approvers & Orgs: Oracle Role Manager

Oracle Role Manager: Who is the Approver?; Organization and Hierarchy Management; Role Management; Role Mining

Slide 28/73

IDM Impact on User Management

Key Takeaways:
- Then: 10 business days for account creation/modification and sometimes termination!
- Now: Under 1 day (could be real-time without approvals)
- Results: Improved Customer Service, Reduced Cost

[Charts: Business Days Prior to Beginning of Class that Enrollment Closed, and Business Days Required for New Account Creation; Before Oracle IDM Implementation vs. Today (y-axis 0 to 12)]

Slide 29/73

Automated Security for Oracle Applications

Automate:
- Automate User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests

Slide 30/73

Secure, Risk-Based, Single Sign On

Issue to Address:
- We want to make access to Apps easier by either using SSO or the user's AD password
- We'd like to use SSO, but have to be sure we know who the user is and prevent fraud
- We'd like to expose more functionality externally but want higher levels of security

Solution: Oracle Access Manager & Adaptive Access Manager for Secure, Risk-Based Single Sign On
- Option #1: Oracle Directory Services
- Option #2: Other Access Suite Components
- Option #3: Enterprise SSO Suite

Slide 31/73

Enable Single Sign-On: Oracle Access Manager (with/without OSSO)

[Diagram labels: Desktop Login; Employees; Corporate Directory; Oracle Access Manager; Extranet & Intranet SSO; Self Service Registration; Audit User Access; Optional Bolt-On Stronger Authentication; Databases, Applications, Directories]

Slide 32/73

Automating User Sign-On

Slide 33/73

Bolt-On Fraud Prevention and Strong AuthN: Oracle Adaptive Access Manager

Adaptive Access Manager, alongside Oracle Access Manager and in front of the Applications, computes a Risk Score from the User, Location and Device for Suppliers, Employees and Customers:
- Where a User Is (Geo-Location Checking)
- What a User Does (Behavior Pattern + Profiling)
- What a User Has (Device Fingerprinting)
- What a User Knows (PIN, Password, Challenge Questions)

Prevents: Phishing, Pharming, Trojans, Key logging, Proxy Attacks, Insider threats
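The computed risk score the slide describes, as an added Python example that is not part of the deck and not Oracle Adaptive Access Manager code: it scores constructed login events from the four factor families named above (geo-location with an impossible-travel check, device fingerprint, login-hour behaviour pattern, and a step-up to "what a user knows" when the score is borderline). Weights, thresholds, the 900 km/h plausibility limit and all sample data are assumptions.

```python
"""Risk-based login scoring (added example, not Oracle Adaptive Access Manager code).

Constructed data and weights; the structure follows the slide's factors:
where the user is, what the user has, what the user does, what the user knows.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class LoginEvent:
    user: str
    at: datetime          # timezone-aware timestamp of the attempt
    lat: float
    lon: float
    device_id: str        # device fingerprint hash (constructed)


@dataclass
class UserProfile:
    known_devices: Set[str]                  # "what a user has"
    usual_hours: range                       # "what a user does": hours normally active (UTC)
    last_login: Optional[LoginEvent] = None  # "where a user is": previous place and time


# Assumed weights and thresholds; a real deployment tunes these per user population.
W_UNKNOWN_DEVICE = 40
W_IMPOSSIBLE_TRAVEL = 50
W_OFF_HOURS = 15
MAX_PLAUSIBLE_KMH = 900.0   # faster than an airliner between two logins is implausible
MIN_TRAVEL_KM = 50.0        # ignore geo-IP jitter inside one metro area
CHALLENGE_AT = 30           # step up to "what a user knows" (PIN / challenge questions)
BLOCK_AT = 70


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points on a 6371 km sphere."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def score_login(profile: UserProfile, event: LoginEvent) -> Tuple[int, List[str]]:
    """Combine the factor signals into one risk score plus the reasons behind it."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += W_UNKNOWN_DEVICE
        reasons.append("unknown device fingerprint")
    prev = profile.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        hours = (event.at - prev.at).total_seconds() / 3600.0
        # Impossible travel: far from the last login sooner than anyone could get there.
        if km >= MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            score += W_IMPOSSIBLE_TRAVEL
            reasons.append(f"impossible travel: {km:.0f} km in {max(hours, 0):.1f} h")
    if event.at.hour not in profile.usual_hours:
        score += W_OFF_HOURS
        reasons.append("login outside usual hours")
    return score, reasons


def decide(score: int) -> str:
    """Map the score to an access decision: ALLOW, CHALLENGE (step-up auth) or BLOCK."""
    if score >= BLOCK_AT:
        return "BLOCK"
    if score >= CHALLENGE_AT:
        return "CHALLENGE"
    return "ALLOW"


def assess(profile: UserProfile, event: LoginEvent) -> Tuple[str, int, List[str]]:
    """Evaluate one login attempt; on ALLOW the profile learns the new location/time."""
    score, reasons = score_login(profile, event)
    decision = decide(score)
    if decision == "ALLOW":
        profile.last_login = event
    return decision, score, reasons


def sample_event(hour: int, lat: float, lon: float, device_id: str) -> LoginEvent:
    """Constructed login for user jdoe on 2008-12-11 UTC at the given hour."""
    return LoginEvent("jdoe", datetime(2008, 12, 11, hour, 0, tzinfo=timezone.utc),
                      lat, lon, device_id)


def demo_profile() -> UserProfile:
    """Constructed user: one enrolled device, active 07:00-19:59 UTC, last seen in New York."""
    return UserProfile(known_devices={"dev-A"}, usual_hours=range(7, 20),
                       last_login=sample_event(9, 40.71, -74.01, "dev-A"))


if __name__ == "__main__":
    prof = demo_profile()
    # Unknown device from London two hours after the New York login: both signals fire.
    print(assess(prof, sample_event(11, 51.51, -0.13, "dev-Z")))
```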

Slide 34/73

Case Study: Monster (http://www.monster.com/)

BUSINESS CHALLENGE
- In August 2007, an automated attack was launched on Monster using compromised recruiter credentials which captured info on nearly 1.3M users.
- Monster has a current catalog of nearly 1M job ads and a database of 34M resumes. To preserve brand image without disrupting user behavior, Monster needed to protect users' profile information and other phishing/pharming scams.
- Must support 18+ Million Users

ORACLE SOLUTION
- Oracle Adaptive Access Manager was chosen over RSA
- OAAM was able to focus on differentiating humans from automated (bot or trojan) authentication attempts and fraud detection
- Integrates into the Monster application framework
- Leverage black lists provided by Symantec DeepSight threat management service

RESULTS
- Expect to have a more secure site without altering end user experience
- Expect to restore brand image by providing stronger form of authentication
Slide 35/73

Automated Security for Oracle Applications

Automate:
- Automate User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests

Slide 36/73

Self Service Password Reset & Account Requests

Issue to Address:
- Requesting new entitlements on each system is a manual effort that takes too long
- Approval for new entitlements is a manual effort and isn't auditable
- App users forget their password all the time, we need a way for them to reset it themselves

Solution: Oracle Identity Manager for Self Service Password Reset and Account Requests

Slide 37/73

Web Based, User Self Service: Oracle Identity Manager

- Self Service Password Reset
- Manager Self Service to complete Approvals
- Dynamic Approval Routing per Responsibility
- Self Request & Removal of Responsibilities

[Diagram: Employees, Contractors and Suppliers use Oracle Identity Manager to Add Responsibilities, Change Password and Remove Responsibilities across the Oracle Database, Databases, Applications and Directories]

Slide 38/73

Options for Obtaining Responsibilities

Employees, Contractors and Customers obtain responsibilities in Databases, Applications and Directories:
- Via Web-Based Self Request
- Automatically via Rules Engine (Rules/Roles)
- Admin Adds/Removes Responsibility directly

From their site, users review who needs to approve each request. Example: Manager and IT Owner Approval. Web-Based Approval Policy Creation & Modification.

Slide 39/73

Impact on Approvals for System Access

Key Takeaways:
- Then: User access approvals took 2-3 days. Without access, user could not begin to work
- Now: Approving user access takes 30 minutes or less and is auditable!
- The decline in hours reflects increased process efficiency

[Chart: Average Time in Days to Grant Systems Access, Before Oracle IDM vs. After Oracle IDM (y-axis 0 to 3)]

Slide 40/73

The Impact of IDM!

Key Takeaways:
- $582,492 realized annually in cost savings or cost avoidance
- More than 13,000 staff hours recovered annually
- Significant improvements in user customer service & customer satisfaction

[Chart: Annual Value Realized Due to Oracle IDM Implementation; Costs Eliminated vs. Cost Avoidance for Orphaned Accounts, Password Reset, Customer Access Management (y-axis $0 to $500,000)]
[Chart: Annual Staff Hours Recovered Through Oracle IDM; Back to School, Password Reset, Customer Access Management (y-axis 0 to 16,000)]

Slide 41/73

Slide 42/73

Lock Down and Protect Applications

Automate: Automate User & Responsibility Management; Secure, Risk-Based Single Sign On; Self Service Password Reset and Account Requests

Protect:
- Strong Access Controls and Data Protection
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls

Slide 43/73

Strong Access Controls and Data Protection

Issue to Address:
- We need fine-grained access control of application data (at the UI and database levels)
- We can't ensure the protection of our App & database data and prove controls are working

Solution: IdM Suite for Strong Access Controls and Data Protection, layered as:
- Web Tier: Oracle Access Suite
- Application (Internal): Identity Manager and GRC Controls
- Oracle Database: Database Security
- Unix Host OS: Oracle Authentication Services for OS

Slide 44/73

Protecting Oracle Applications: Top to Bottom Security

- Linux/Unix: Centralize OS user management and SUDO policies using Oracle Authentication Services for Operating Systems
- Oracle Database: Secure sensitive data within the database with Oracle Database Security Options
- Oracle Applications: Embed fine-grained access controls down to the field level using Oracle Application Access Controls Governor; automatically add, modify and remove user accounts and entitlements using Oracle Identity Manager
- Enterprise Portals / Web Server: Protect the front door and provide strong fraud prevention using Oracle's Access Management Suite

Slide 45/73

Protecting Application Data: GRC Controls, Masking sensitive data & Restricting access to actions

[Mock "Employee Update" form: Name John Doe; Address 123 Main St, Center City, NY 12345; Salary $53,000.00; SSN XXX-XX-XXXXX; Supervisor Mary Smith; OK / Cancel]

Callouts:
- Conceal SSN number if user is NOT from HR dept
- Employees can only view the salary field (can't update)
- Disable Invoice Approval for invoices created by same user

Embedded preventive controls restrict access to sensitive data and critical actions proactively using native application interfaces and workflow technology.

Slide 46/73

Slide 47/73

Lock Down and Protect Applications

Protect:
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls
- Strong Access Controls and Data Protection

Slide 48/73

Preventative + Detective Segregation of Duties

Issue to Address:
- Segregation of Duties (SoD) within Applications is difficult to achieve even at a detective level
- We want both Preventative & Detective SoD of Application entitlements

Solution: Oracle Identity Manager with Oracle Application Access Controls Governor for Preventative Segregation of Duties Controls and Web-Based Periodic Access Review

Slide 49/73

What is Segregation of Duties (SoD)? EBS

EBS access hierarchy: Application User -> Responsibility -> Menu -> Submenu -> Function (SubMenu/Function, Etc.); Role

SOD refers to the separation of business activities that a single person may initiate and/or validate, in order to limit or prevent erroneous or fraudulent activities.

Business activities are enabled through the respective access points within an application.

Examples: Create Invoices; Post Journal Entries; Make Payments

Slide 50/73

PeopleSoft Access & SOD Challenges

PeopleSoft access hierarchy: User Profile -> Role -> Permission List -> Menu -> Component -> Page

- Evaluate User Access: Test by User Profile; Test by Page
- Manage Segregation of Duties: Identify incompatible Privileges (i.e. Pages)

Slide 51/73

IDM and GRC Working Together: SOD and Rogue Activity Detection and Remediation

Account or Entitlement Added out-of-bounds -> Event Analysis -> Violation Detection and Alert (GRC: Oracle Application Access Controls Governor, Enforce SoD Policy) -> Assign Remediation Task -> Deprovision Entitlements to Remediate the Violation (Identity Management: Oracle Identity Manager) -> Account/Responsibility Deprovisioned -> Out-of-bounds Account or Responsibility Removed
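The reconciliation steps from the Automatic User and Responsibilities Mgmt slide (pull who is in each system, check for rogue identities, remove identities or entitlements) and the SoD detection-and-remediation flow above, as one added Python example that is not the deck's code and not Oracle Identity Manager or Application Access Controls Governor code. It reconciles constructed application accounts against an HR source of truth and the approved grants, flags orphan accounts, out-of-bounds responsibilities and SoD conflicts (using the slide's Create Invoices / Post Journal Entries / Make Payments examples), emits remediation actions, and shows the preventative check that rejects a conflicting request before it is provisioned. Rule names, employee ids and accounts are constructed.

```python
"""Detective SoD and rogue-account reconciliation plus a preventative SoD check.

Added example; not Oracle Identity Manager / Application Access Controls Governor code.
Responsibility names follow the slide's examples; rule names, accounts and HR
records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Pairs of EBS-style responsibilities one person must not hold together (constructed rules).
SOD_RULES: List[Tuple[str, str, str]] = [
    ("Create Invoices", "Make Payments", "AP-01 invoice creation vs. payment"),
    ("Post Journal Entries", "Make Payments", "GL-02 journal posting vs. payment"),
]


@dataclass
class HrRecord:
    emp_id: str
    status: str                 # "active" or "terminated"


@dataclass
class AppAccount:
    user: str
    emp_id: str                 # link back to the HR source of truth
    responsibilities: Set[str]  # what the target system says the user holds right now


@dataclass
class Action:
    kind: str    # deprovision_account | remove_responsibility | remediation_task
    user: str
    detail: str


def sod_conflicts(resps: Set[str]) -> List[Tuple[str, str, str]]:
    """Return every SoD rule violated by this set of responsibilities."""
    return [(a, b, name) for a, b, name in SOD_RULES if a in resps and b in resps]


def reconcile(hr: Dict[str, HrRecord], accounts: List[AppAccount],
              approved: Dict[str, Set[str]]) -> List[Action]:
    """Steps 1-3 of the slide: compare pulled account lists with HR and approved grants."""
    actions: List[Action] = []
    for acct in accounts:
        rec = hr.get(acct.emp_id)
        # Rogue/orphan identity: no active HR record stands behind this account.
        if rec is None or rec.status != "active":
            actions.append(Action("deprovision_account", acct.user,
                                  "no active HR record (orphan/rogue account)"))
            continue
        granted = approved.get(acct.user, set())
        # Out-of-bounds entitlement: present in the target but never approved via workflow.
        for resp in sorted(acct.responsibilities - granted):
            actions.append(Action("remove_responsibility", acct.user,
                                  f"{resp}: added outside the approval workflow"))
        # Detective SoD over the approved set that remains after the removals above.
        for a, b, name in sod_conflicts(acct.responsibilities & granted):
            actions.append(Action("remediation_task", acct.user,
                                  f"{name}: holds both '{a}' and '{b}'; owner decides which to drop"))
    return actions


def check_request(current: Set[str], requested: str) -> Tuple[bool, str]:
    """Preventative SoD: evaluate a new responsibility request before it is provisioned."""
    for a, b, name in sod_conflicts(current | {requested}):
        if requested in (a, b):
            return False, f"rejected by {name}: '{requested}' conflicts with existing access"
    return True, "approved"


def run_demo() -> List[Action]:
    """Constructed HR feed, target-system accounts and approved grants."""
    hr = {
        "E100": HrRecord("E100", "active"),
        "E200": HrRecord("E200", "terminated"),
        "E300": HrRecord("E300", "active"),
    }
    accounts = [
        AppAccount("alice", "E100", {"Create Invoices", "Make Payments"}),  # approved, but SoD conflict
        AppAccount("bob", "E200", {"Post Journal Entries"}),                # left behind after termination
        AppAccount("carol", "E300", {"Create Invoices", "Make Payments"}),  # Make Payments added out-of-bounds
        AppAccount("dave", "E999", {"Create Invoices"}),                    # no HR record at all
    ]
    approved = {
        "alice": {"Create Invoices", "Make Payments"},
        "carol": {"Create Invoices"},
    }
    return reconcile(hr, accounts, approved)


if __name__ == "__main__":
    for act in run_demo():
        print(f"{act.kind:22} {act.user:6} {act.detail}")
    print(check_request({"Create Invoices"}, "Make Payments"))
```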

Slide 52/73

Lock Down and Protect Applications

Protect:
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls
- Strong Access Controls and Data Protection

Slide 53/73

Web-Based Periodic Access Review

Issue to Address:
- "Who has & Who had access to what? and Why?" reports are manual and time consuming
- We can't detect and eliminate orphaned/ghost accounts. There could be thousands?
- Out of all these issues, periodic access reviews are the most complex, costly & time consuming

Solution: Oracle Identity Manager (Option: GRC Suite) for Web-Based Periodic Access Review

Slide 54/73

Slide 55/73

Web-Based Actionable Access Reviews

1. Set Up Periodic Review: Who should review it? What user or responsibility should be reviewed? When does it start and how often?
2. Reviewer is notified and goes to the Attestation Web Site. Reviewer selections: Delegate, Reject, Certify, Decline (with Comments)
3. Results are stored in DB
4. Automated action is taken based on the periodic review. Attestation Actions / Delegation Paths: Archive attested data; Notify delegated reviewer; Notify the process owner; Automatically terminate user; Email result to user

Slide 56/73

22 Out-of-the-Box Current State Reports

Slide 57/73

13 Out-of-the-Box Historical Reports

Slide 58/73

Unified Compliance Reporting: Using Oracle BI Publisher

Sources: Oracle Identity Mgmt, Oracle GRC Systems, Oracle Database Security Options
Oracle BI Publisher: Schedule and Burst Reports; Publish Reports for Audit; Edit/Design Reports using Office tools and Web; Pre-Built Identity Reports

1. Pull Data from Source
2. Business User Creates/Edits Layout Using Common Office and Adobe Tools (Office, Web, Adobe)
3. Output to Desired Formats (XML, EDI, EFT, PDF, RTF, HTML, Excel)
4. Send to Destinations (E-mail, Printer, Fax, Storage)

Slide 59/73

Leverage.

Slide 60/73

  • 8/14/2019 Leap Forward - Oracle IDM for Oracle Apps - Dec 11 2008 vFinal

    61/73

    61

    IdM + Security Is Strategic To Oracle

    Oracle IdM is helping customers today!!

    IdM will be the core Security infrastructurefor Fusion Applications

    IdM + GRC + Database Security strategy enables ourcustomers to deploy a complete Oracle Security Stack

    IdM has Pre-Built, Out-of-the-Box integrations with: Core Business Systems E-Business Suite, Other ORCL & Non-ORCL Data Stores Databases, Directories, File Files, Etc Operating Systems - UNIX/Linux, Windows, Mainframe


    Oracle's Security & Compliance Strategy

    What Do The Analysts Think?


    Oracle is #1 in IDM with Big 3 Analysts!!

    - Magic Quadrant for User Provisioning, 2H08
    - March 2008 VantagePoint: Identity and Privacy Trends in Enterprise IT
    - The Forrester Wave: Identity And Access Management, Q1 2008

    Oracle IDM is the Best and Safest Choice for Oracle customers


    Case Studies

    Customer Success with Oracle IDM


    Case Study: Cisco Systems

    Benefits They Are Receiving
    - PeopleSoft HR as source of truth for identity
    - Eliminated > 90% of ghost, orphaned and rogue accounts
    - Self-service password management reduced help desk calls
    - Over $750,000 annual savings in help desk cost
    - Saving $500,000 (400 hours/month) on SAP administration
    - High quality IT compliance data for core SOX applications
    - Over 1,000 applications under centralized management
    - Comprehensive "Who has (and had) access to what" database for compliance and process automation
    - Near Zero wait for new resources
    - Embedded Application Preventive, Detective and Contextual Controls manage over 358 Business Processes
    - 42% reduction in external auditor testing
    - Less than 5 months payback period


    Case Study: Cisco Systems

    BUSINESS CHALLENGE
    - Needed to move away from the multiple IdM silos within Cisco. Doing a complete re-architecture of current web and provisioning process due to recent acquisitions of WebEx, Linksys and Scientific Atlanta.
    - Cisco needed a single identity system to manage access to applications, provision users, and manage the user role and lifecycle across their various companies, business partners and employee base.

    ORACLE SOLUTION
    - Oracle Identity Manager (Q4FY07)
    - Oracle Access Manager and Oracle Identity Federation; Oracle Access Manager replaces CA Siteminder (Q3FY08)
    - Cisco is building their entire next generation Enterprise Identity and Access Management platform around the Oracle IdM stack

    RESULTS
    - Oracle IdM will tie the Apps to GRC, SOD & DB for compliance and reporting
    - Oracle can help automate many manual provisioning tasks for ROI benefits
    - Oracle can provide a strong Security Shared Services Framework for Cisco


    Summary

    Only Oracle Provides


    Most Comprehensive: End-to-End Security for Applications, Middleware and Databases!
    - Industry's #1 IdM according to Gartner, Burton and Forrester reports

    Deepest Set of Capabilities:
    - HR-Driven, Role-based Oracle Application user management
    - Deepest Integration for Management of Users, Roles and Entitlements
    - Out-of-the-Box Single Sign-On to Oracle Applications
    - Self-service Home Page for requesting/removing access
    - Out-of-the-Box Approval workflows for user access requests

    Unmatched Compliance Options:
    - Actionable, Periodic Review of Users and fine-grained entitlements
    - Preventative and Detective SoD with remediation (IDM and GRC)
    - Fine-Grained Access control down to the form/field level
    - Database Vault to secure sensitive application data in the database
    - Current and Historical Reporting of "Who has what responsibility?", "When did they get it?", "How did they get it?" and "Who approved it?"


    Learn More

    - Webcast Series on Identity for Applications: Register today at https://conference.oracle.com/imtapp/app/conf_enrollment.uix?mID=124697906
    - Try the Software: Visit OTN (otn.oracle.com, http://www.oracle.com/technology/products/id_mgmt/index.html) to download software and get technical information
    - Ask Our Experts: Speak with the Oracle Identity Team

    Questions?
