Transcription

“Leap Forward” with Oracle Identity Management
Leverage. Extend. Automate. Protect.
Chris Fox, CISSP
Overview of Oracle IdM for Oracle Apps
March 18, 2009

“Leap Forward” with Oracle Identity Management for:
- Leverage – Your Oracle Application investment
- Extend – Its capabilities to solve common security problems, drive down costs and boost end user productivity
- Automate – Costly and time-consuming user management, user access, access recertification and reporting processes
- Protect – Your Oracle Application “to the Core” with strong access controls, segregation of duties and data protection

(Slide footer: Leverage Extend Automate Protect)

Oracle IDM Drives Productivity!
[Charts: “Annual Minutes Required for Identity Management & Related Audit Requirements” and “Annual Cost Comparison, Business-as-Usual vs. Oracle IDM”, Year 1 through Year 4, Business-as-Usual vs. Oracle IDM; Identity & Audit tasks: User Administration, Password Reset, Internal Audit; Productivity, User Satisfaction]
- Identity & Audit costs down 55%
- 7.4M savings over 4 years
- 3M year-over-year savings once fully deployed!

Today’s Agenda
- Security Compliance Issues Application Customers Face
- Solving Issues with Oracle Identity Management and Security
  - Automating User & Password Management
  - Simplifying Sign On & Centralizing Access Management
  - Streamline Governance, Risk and Compliance
- ‘Real World’ Case Studies: Oracle Application customers using Identity Management today

Leverage.

Oracle Applications are a Great

Overall Business Pressures
Ever-Changing Workforce
- How can I cost-effectively manage a mixed set of users?
- How can I develop an agile workforce to support changing business?
Governance & Compliance
- How can I keep pace with changing privacy laws & safety regulations?
- How can I gain greater control of processes, data, and approvals?
Globalization and Emerging Markets
- What is the best way to service an increasingly global workforce?
- How can I simplify complex processes across the organization?
Reduce Costs While Improving Service
- Where can I cut costs & improve efficiencies?
- How can I manage and improve workforce utilization?
(Diagram: Manage Workforce, Manage Audit and Compliance, Manage Users and Access)

“Top Security Issues”
- Managing Users and Entitlements
- User Access and Password Management
- Governance, Risk and Compliance

Issue #1: Managing Users and Entitlements
1. Creating user accounts and granting fine-grained entitlements (Roles, Responsibilities) is manual and costly
2. Transfers are hard to handle and removing excessive privileges doesn’t happen fast enough
3. Requesting new user access is a manual effort that takes too long
4. Access approvals are manual, email-driven, aren’t unique for the access request and aren’t auditable
5. Removing user access and entitlements upon termination takes too long and has lots of spot issues

Issue #2: Access and Password Management
1. We want to make access to applications easier by either using SSO or the user’s AD password
2. Users forget their passwords; we need a way for them to reset it themselves
3. We’d like to use SSO, but have to be sure we know who the user is and prevent fraud
4. We’d like to expose our applications externally to all users over the web vs. VPN but don’t have confidence
5. We need fine-grained access control of application data (at the UI and database levels)

Issue #3: Governance, Risk and Compliance
1. “Who has” and “Who had access to what?” and “Why?” reports are manual and sometimes impossible
2. Segregation of Duties (SoD) within the application is difficult to achieve even at a ‘detective’ level
3. Orphaned/ghost accounts are very hard to detect and eliminate. There could be hundreds or thousands
4. We can’t ensure the protection of our application’s database data and prove controls are working
5. Out of all these issues, “Periodic Access Reviews” are the most complex, costly and time-intensive task

What Application Customers Are Asking For
Business Users
- Need user accounts and entitlements as fast as possible
- Want simplified access to ALL applications
- Minimize or synchronize the passwords
IT Personnel
- Need help simplifying user management for: employees, customers, partners
- Want workflow to automate manual processes
- Need tools to manage IT systems with less effort
Information Security and Audit
- Need to understand risk and what to protect
- Want to protect data from compromise
- Looking to review user access in less time
- Need reports for “Who has (and had) access to what?”

Extend.

We Can Fix These Issues Today
Automate:
- User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests
Protect:
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls
- Strong Access Controls and Data Protection

“Securing, Automating and Auditing” Oracle Applications
(Get Compliant! / Get Productive!)
Role-Based Access, HR-Driven User Mgmt
- Automatically on-board, transfer and off-board users based on HR events
- Automatically grant user rights
- Users access apps on Day 1 using SSO and optional strong authentication that employs risk analytics
User Self Service
- Web-based home page for requesting new access rights and changing passwords
Segregation of Duties
- “Preventative and Detective” SoD ensure compliance and reports are generated for audit
Periodic Access Review
- Web-based interface used to schedule, delegate, track, complete and view reports for audit
Data Protection
- “Edge to Core” security of application data ensures users only get access to what they need

Oracle IdM is “Certified and Ready”
- Access Manager
- Adaptive Access Manager
- Identity Federation
- Entitlement Server
- Enterprise (name truncated)
- Virtual Directory
- Web Services Manager
(Legend: Out-of-the-Box Connectors; Certified Interoperability; four entries marked In Progress)

Automate.

How Do We ‘Automate Security’?
- User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls
- Strong Access Controls and Data Protection

Automated User and Responsibility Management
Issue to Address:
- Creating user accounts and granting them the entitlements they need is manual and costly
- Transfers are hard to handle. Termination of unused privileges isn’t happening fast enough
- Removing access and entitlements upon termination takes too long and has spot issues
- Orphaned/ghost accounts are very hard to detect and eliminate. There could be thousands
Solution:
- Oracle Identity Manager
- Option: Oracle Role Manager

Automatic User and Entitlement Mgmt: ‘Single Global Instance’ of All Users
(Diagram) HR & Biz Applications, Other Sources, Flat Files and Directories feed Oracle Identity Manager; user accounts and entitlements are created/modified as users are on-boarded, transferred, updated and off-boarded; application entitlements are added and removed; passwords are updated and synchronized; ‘Certified’ Apps Integration.
Account reconciliation steps:
1. Pull lists of who is in each system
2. Periodically check for rogue identities
3. Remove identities and/or entitlements
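The three reconciliation steps above, as an added example (Python, not Oracle Identity Manager code): pull the account list of each target system, compare it with the HR source of truth, and produce the removals. HR_FEED, ROLE_ENTITLEMENTS and TARGET_SYSTEMS are constructed sample data, and the orphan/terminated/excess-entitlement classification is the example's own.

```python
"""Added example: reconcile target-system accounts against an HR source of truth.

Step 1 is the pulled account lists (TARGET_SYSTEMS), step 2 is reconcile(),
step 3 is remediation_plan(). All data below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed HR feed: the authoritative list of people, their status and business role.
HR_FEED = {
    "e1001": {"name": "Ada", "status": "active", "role": "AP_CLERK"},
    "e1002": {"name": "Bob", "status": "terminated", "role": "AP_CLERK"},
    "e1003": {"name": "Cy", "status": "active", "role": "AP_MANAGER"},
}

# Constructed role model: (system, entitlement) pairs each business role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {("ebs", "AP_INVOICE_ENTRY")},
    "AP_MANAGER": {("ebs", "AP_INVOICE_ENTRY"), ("ebs", "AP_INVOICE_APPROVE"), ("db", "REPORT_USER")},
}

# Constructed "who is in each system" pull: account -> (HR id the account claims, entitlements held).
TARGET_SYSTEMS = {
    "ebs": {
        "ada": ("e1001", {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE"}),  # holds more than her role allows
        "bob": ("e1002", {"AP_INVOICE_ENTRY"}),                        # terminated in HR, still active here
        "cy": ("e1003", {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE"}),
        "svc_x": (None, {"AP_INVOICE_ENTRY"}),                         # no HR owner at all
    },
    "db": {
        "cy": ("e1003", {"REPORT_USER"}),
        "ghost": ("e9999", {"REPORT_USER"}),                           # HR id that HR has never heard of
    },
}


@dataclass
class Finding:
    system: str
    account: str
    kind: str                          # "orphan", "terminated" or "excess_entitlement"
    entitlement: Optional[str] = None  # set only for excess_entitlement


def reconcile(hr, roles, systems):
    """Step 2: compare every pulled account with HR and the role model."""
    findings = []
    for system, accounts in systems.items():
        for account, (hr_id, held) in accounts.items():
            person = hr.get(hr_id) if hr_id else None
            if person is None:
                findings.append(Finding(system, account, "orphan"))
                continue
            if person["status"] != "active":
                findings.append(Finding(system, account, "terminated"))
                continue
            allowed = {ent for (sys_name, ent) in roles.get(person["role"], set()) if sys_name == system}
            for extra in sorted(held - allowed):
                findings.append(Finding(system, account, "excess_entitlement", extra))
    return findings


def remediation_plan(findings):
    """Step 3: which identities to disable and which entitlements to revoke."""
    disable = sorted({(f.system, f.account) for f in findings if f.kind in ("orphan", "terminated")})
    revoke = sorted((f.system, f.account, f.entitlement) for f in findings if f.kind == "excess_entitlement")
    return {"disable_accounts": disable, "revoke_entitlements": revoke}


if __name__ == "__main__":
    for line in reconcile(HR_FEED, ROLE_ENTITLEMENTS, TARGET_SYSTEMS):
        print(line)
    print(remediation_plan(reconcile(HR_FEED, ROLE_ENTITLEMENTS, TARGET_SYSTEMS)))
```

Accounts with no resolvable HR owner are treated the same as accounts of terminated people (disable, not just revoke), because an account nobody owns is exactly the ghost account the slide warns about; excess entitlements on a legitimate account are revoked individually so the person keeps what the role actually grants.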

Manage Roles, Approvers & Orgs: Oracle Role Manager
Oracle Role Manager (fed by HR and Other Applications):
- Role Mining
- Role Management
- Organization and Hierarchy Management
MAPS: Business Roles TO IT/System Roles TO Entitlements TO Approvers (“Who is the Approver?”)
Oracle Identity Manager:
- Account Reconciliation
- Account Provisioning
- Entitlement Management
- Approval Workflows
- Reports
(Example prompt: “Go To Identity Manager’s Self-Service and Approve Chris’ Request?”)
Org Hierarchies; targets: Directories, Applications, Databases

IDM Impact on User Management
[Chart: Business Days Required for New Account Creation, Before Oracle IDM Implementation vs. Today; also “Business Days Prior to Beginning of Class that Enrollment Closed”]
Key Takeaways:
- Then: 10 business days for account creation/modification and sometimes termination!
- Now: Under 1 day (could be real-time without approvals)
- Results: Improved Customer Service, Reduced Cost

‘Automated Security’ for Oracle Applications
Automate:
- User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests

Secure, Risk-Based, Single Sign On
Issue to Address:
- We want to make access to apps easier by either using SSO or the user’s AD password
- We’d like to use SSO, but have to be sure we know who the user is and prevent fraud
- We’d like to expose more functionality externally but want higher levels of security
Solution:
- Option #1: Oracle Directory Services
- Option #2: Oracle Access Manager & Adaptive Access Manager (other Access Suite components)
- Option #3: Enterprise SSO Suite

Enable Single Sign-On: Oracle Access Manager (with/without OSSO)
(Diagram) Employees sign in via Desktop Login and the Corporate Directory; Oracle Access Manager fronts Applications, Directories and Databases
- Extranet & Intranet SSO
- Self Service Registration
- Audit User Access
- Optional “Bolt-On” Stronger Authentication

Automating User Sign-On
[Screenshot]

‘Bolt-On’ Fraud Prevention and Strong AuthN: Oracle Adaptive Access Manager
Inputs to the Computed Risk Score:
- What a User Knows (PIN, Password, Challenge Questions)
- What a User Has (Device Fingerprinting)
- What a User Does (Behavior Pattern Profiling)
- Where a User Is (Geo-Location Checking)
The computed risk score is passed to Oracle Access Manager, which controls access to Applications for Employees and Customers.
Prevents: Phishing, Pharming, Trojans, Key logging, Proxy Attacks, Insider threats
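The four factor groups above combined into one risk score, as an added example (Python, not Oracle Adaptive Access Manager code). The weights, the allow/challenge/deny thresholds and the 1,000 km/h impossible-travel cut-off are assumptions chosen for the example; UserProfile and LoginAttempt are constructed sample data.

```python
"""Added example: a risk score from what a user knows, has, does and where they are.

Weights and thresholds are illustrative assumptions, not a vendor policy.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Set, Tuple


@dataclass
class UserProfile:
    known_devices: Set[str]                # "what a user has": fingerprints seen before
    usual_countries: Set[str]              # "where a user is"
    usual_hours: range                     # "what a user does": local hours seen before
    last_login: Tuple[int, float, float]   # (unix seconds, latitude, longitude)


@dataclass
class LoginAttempt:
    password_ok: bool                      # "what a user knows" (or a KBA answer)
    device_id: str
    country: str
    hour: int
    when: int                              # unix seconds
    lat: float
    lon: float


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine); feeds the impossible-travel check."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(profile, attempt):
    """Return (score, action, reasons); action is allow, challenge or deny."""
    if not attempt.password_ok:
        return 100, "deny", ["bad_credential"]
    score, reasons = 0, []                 # type: int, List[str]
    if attempt.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        score += 25
        reasons.append("unusual_country")
    if attempt.hour not in profile.usual_hours:
        score += 15
        reasons.append("unusual_hour")
    t0, lat0, lon0 = profile.last_login
    elapsed_h = (attempt.when - t0) / 3600
    # Geo-velocity: distance from the last login divided by time since it.
    if elapsed_h > 0 and km_between(lat0, lon0, attempt.lat, attempt.lon) / elapsed_h > 1000:
        score += 40
        reasons.append("impossible_travel")
    action = "allow" if score < 30 else "challenge" if score < 70 else "deny"
    return score, action, reasons


# Constructed profile: one known device, US logins during the day, last seen in New York at t=0.
PROFILE = UserProfile({"dev-A"}, {"US"}, range(7, 20), (0, 40.71, -74.01))


def demo():
    usual = LoginAttempt(True, "dev-A", "US", 9, 2 * 3600, 40.71, -74.01)
    odd = LoginAttempt(True, "dev-B", "US", 22, 2 * 3600, 40.71, -74.01)
    far = LoginAttempt(True, "dev-B", "RO", 9, 1 * 3600, 44.43, 26.10)  # Bucharest, one hour later
    return [score_login(PROFILE, a) for a in (usual, odd, far)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A middling score maps to "challenge" rather than "deny" so that a user on a new laptop is asked a challenge question instead of being locked out; only the combination of a strange device, an unusual country and travel that is physically impossible since the last login pushes the score into outright denial.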

Self Service Password Reset & Account Requests
Issue to Address:
- Requesting new entitlements on each system is a manual effort that takes too long
- Approval for new entitlements is a manual effort and isn’t auditable
- App users forget their password all the time; we need a way for them to reset it themselves
Solution:
- Oracle Identity Manager

Web Based, User Self Service: Oracle Identity Manager
- Add Responsibilities
- Change Password
- Self Request & Removal of Responsibilities
- Dynamic Approval Routing per Responsibility
- Manager Self Service to complete
- Self Service Password Reset
(Targets: Applications)

Options for Obtaining Responsibilities
- Web-Based Approval Policy Creation & Modification (example: ‘Manager and IT Owner Approval’)
- Via Web-Based Self Request: from their site, users review who needs to approve each request
- Automatically via Rules
- Removes Responsibility directly
(Actors: Employees, Customers; targets: Applications, Databases)

The Impact of IDM!
[Charts: “Annual Staff Hours Recovered Through Oracle IDM” (Orphaned Accounts, Password Reset, Back to School Password Reset, Customer Access Management) and “Annual Value Realized Due to Oracle IDM Implementation” (Costs Eliminated, Cost Avoidance)]
Key Takeaways:
- 582,492 realized annually in cost savings or cost avoidance
- More than 13,000 staff hours recovered annually
- Significant improvements in user customer service & customer satisfaction

Protect.

‘Lock Down and Protect’ Applications
Automate:
- User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests
Protect:
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls
- Strong Access Controls and Data Protection

Strong Access Controls and Data Protection
Issue to Address:
- We need fine-grained access control of application data (at the UI and database levels)
- We can’t ensure the protection of our App database data and prove controls are working
Solution (by layer):
- Web Tier: Oracle Access Suite
- Application (Internal): Identity Manager and GRC Controls
- Oracle Database: Database Security, IdM Suite
- Unix Host OS: Oracle Application Services for OS

Protecting Oracle Applications: Top to Bottom Security
- Web Server / Enterprise Portals: protect the “Front Door” and provide strong fraud prevention using Oracle’s Access Management Suite
- Embed fine-grained access controls down to the field level using Oracle Application Access Controls Governor
- Linux/Unix: centralize OS user management and SUDO policies using Oracle Authentication Services for Operating Systems
- Automatically add, modify and remove user accounts and entitlements using Oracle Identity Manager
- Secure sensitive data within the database with Oracle Database Security Options

‘Lock Down and Protect’ Applications
Protect:
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls
- Strong Access Controls and Data Protection

Preventative & Detective Segregation of Duties
Issue to Address:
- Segregation of Duties (SoD) within Applications is difficult to achieve even at a ‘detective’ level
- We want both Preventative & Detective SoD of Application entitlements
Solution:
- Oracle Identity Manager
- Oracle Application Access Controls Governor

IDM and GRC Working Together
‘Proactive’ SoD Compliance means Simplified Compliance!
(Diagram) HR & Biz Applications feed the Identity Management side; Identity Management and GRC exchange messages through an Application Connector:
1. Send Request Details
2. Run Simulation
3. Return Result
4. Run Conflict Analysis
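The request/simulation exchange above, plus the detective sweep from the previous slide, as an added example (Python, not Oracle Identity Manager or Application Access Controls Governor code). SOD_RULES, the entitlement names and CURRENT_ENTITLEMENTS are constructed for the example; the point is that the preventative check evaluates the entitlements the user would hold after the request, not just the requested one.

```python
"""Added example: preventative and detective segregation-of-duties checks.

run_simulation() plays the GRC side (answer "would this set of entitlements
conflict?"); preventative_check() plays the IdM side (send request details,
receive the result, hold or provision); detective_analysis() is the periodic
sweep over what users already hold. All data is constructed.
"""

# Constructed SoD rules: pairs of entitlements one person must not hold together.
SOD_RULES = {
    "AP-01": ("AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE"),
    "AP-02": ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RUN"),
}

# Constructed current entitlements per user, as an application connector would report them.
CURRENT_ENTITLEMENTS = {
    "ada": {"AP_INVOICE_ENTRY"},
    "cy": {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE"},   # an existing, undetected conflict
    "dee": {"VENDOR_MASTER_MAINTAIN"},
}


def run_simulation(current, requested, rules):
    """GRC side: list the rule ids violated by current + requested entitlements."""
    proposed = set(current) | set(requested)
    return sorted(rule_id for rule_id, (a, b) in rules.items() if a in proposed and b in proposed)


def preventative_check(user, requested, current=CURRENT_ENTITLEMENTS, rules=SOD_RULES):
    """IdM side: send the request details, get the simulation result, decide."""
    conflicts = run_simulation(current.get(user, set()), requested, rules)
    return {
        "user": user,
        "requested": sorted(requested),
        "decision": "provision" if not conflicts else "hold_for_remediation",
        "conflicts": conflicts,
    }


def detective_analysis(current=CURRENT_ENTITLEMENTS, rules=SOD_RULES):
    """Periodic conflict analysis: users whose existing entitlements already conflict."""
    report = {}
    for user, held in current.items():
        conflicts = run_simulation(held, (), rules)
        if conflicts:
            report[user] = conflicts
    return report


if __name__ == "__main__":
    print(preventative_check("ada", ["AP_INVOICE_APPROVE"]))   # held: AP-01
    print(preventative_check("dee", ["REPORT_USER"]))          # provision
    print(detective_analysis())                                # {'cy': ['AP-01']}
```

A request held for remediation is the preventative control; the detective report feeds the periodic access review, where the reviewer's reject decision is what actually removes the conflicting responsibility.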

Web-Based Periodic Access Review
Issue to Address:
- “Who has” & “Who had access to what?” and “Why?” reports are manual and time consuming
- We can’t detect and eliminate orphaned/ghost accounts. There could be thousands
- Out of all these issues, periodic access reviews are the most complex, costly & time consuming
Solution:
- Oracle Identity Manager
- Option: GRC Suite

Periodic Reviews and Compliance Reporting: Complete System Right Out-of-the-Box
Oracle Identity Manager (serving Employees & Contractors, Managers, Resource Owners, Security & Auditors; covering Applications, Directories, Databases):
- “Web-Based & Actionable” Periodic Access Review
- Reports – Current & Historic “Who Has Access to What?”
- Reports – “Who Approved Each Access Request?”
- Rogue Account Detection, Reporting & Removal
- Oracle BI Publisher for Compliance Reporting (Oracle Database)

Web-Based “Actionable” Access Reviews
1. Set Up Periodic Review
   - What user or responsibility should be reviewed?
   - Who should review it?
   - When does it start and how often?
2. Reviewer Is Notified, Goes to Attestation Web Site
   - Reviewer selections / Attestation Actions: Certify, Reject, Decline, Delegate
   - Delegation Paths
   - Comments
3. Automated Action Is Taken Based on Periodic Review
   - Certify: Email result to user
   - Reject: Automatically terminate user
   - Decline: Notify the process owner
   - Delegate: Notify delegated reviewer
4. Results Are Stored in DB
   - Archive attested data

22 Out-of-the-Box “Current State” Reports
[Screenshot]
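The four-step attestation cycle above, as an added example (Python, not Oracle Identity Manager code): set up the campaign, notify reviewers, map each decision to the automated action the slide lists, and archive the attested data. ReviewItem, ReviewCampaign, the reviewer names and the process owner are constructed for the example.

```python
"""Added example: a periodic access review campaign with actionable decisions.

Everything here (users, responsibilities, reviewers, dates) is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class ReviewItem:
    user: str
    responsibility: str
    reviewer: str
    decision: Optional[str] = None      # certify | reject | decline | delegate | None (open)
    delegate_to: Optional[str] = None
    comment: str = ""


@dataclass
class ReviewCampaign:
    items: List[ReviewItem]
    starts: date
    every_days: int

    def next_run(self) -> date:
        """When the next periodic review is due."""
        return self.starts + timedelta(days=self.every_days)


def set_up_review(assignments, manager_of, starts, every_days):
    """Step 1: what to review (user/responsibility pairs), who reviews it, when and how often."""
    items = [ReviewItem(user, resp, manager_of[user]) for user, resp in assignments]
    return ReviewCampaign(items, starts, every_days)


def notifications(campaign):
    """Step 2: one notification per reviewer and item, pointing them at the attestation site."""
    return sorted({(it.reviewer, it.user, it.responsibility) for it in campaign.items})


def apply_decisions(campaign, process_owner):
    """Step 3: the automated action for each decision, as the slide maps them."""
    actions = []
    for it in campaign.items:
        if it.decision == "certify":
            actions.append(("email_result", it.user, it.responsibility))
        elif it.decision == "reject":
            actions.append(("terminate_access", it.user, it.responsibility))
        elif it.decision == "decline":
            actions.append(("notify_process_owner", process_owner, it.responsibility))
        elif it.decision == "delegate":
            # Delegation path: hand the item to the delegate and leave it open for them.
            actions.append(("notify_delegated_reviewer", it.delegate_to, it.responsibility))
            it.reviewer, it.decision = it.delegate_to, None
        else:
            actions.append(("reminder", it.reviewer, it.responsibility))
    return actions


def archive(campaign, reviewed_on):
    """Step 4: attested rows kept so "who had what, and who certified it" can be reported later."""
    return [(reviewed_on.isoformat(), it.user, it.responsibility, it.reviewer, it.decision, it.comment)
            for it in campaign.items if it.decision is not None]


# Constructed campaign: four user/responsibility pairs, reviewed by the users' managers.
ASSIGNMENTS = [("ada", "AP_INVOICE_ENTRY"), ("bob", "AP_INVOICE_APPROVE"),
               ("cy", "GL_CLOSE"), ("dee", "HR_VIEW")]
MANAGER_OF = {"ada": "mgr1", "bob": "mgr1", "cy": "mgr2", "dee": "mgr2"}


def demo():
    campaign = set_up_review(ASSIGNMENTS, MANAGER_OF, date(2009, 4, 1), every_days=90)
    # Constructed reviewer decisions entered on the attestation site.
    decisions = {"ada": ("certify", None, "still in AP"),
                 "bob": ("reject", None, "moved to sales"),
                 "cy": ("delegate", "mgr3", "GL owner should review"),
                 "dee": ("decline", None, "not my report")}
    for it in campaign.items:
        it.decision, it.delegate_to, it.comment = decisions[it.user]
    actions = apply_decisions(campaign, process_owner="owner1")
    return campaign, actions


if __name__ == "__main__":
    campaign, actions = demo()
    print(actions)
    print(archive(campaign, date(2009, 4, 15)))
```

A delegated item stays open under the new reviewer rather than being archived as decided, so the campaign cannot close with an unreviewed responsibility hidden behind a delegation; a rejected item produces the termination action immediately, which is what makes the review "actionable" rather than a report.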

13 Out-of-the-Box “Historical” Reports
[Screenshot]

Unified Compliance Reporting Using Oracle BI Publisher
1. Pull Data from Source: Oracle Identity Mgmt, Oracle GRC Systems, Oracle Database Security Options
2. Business User Creates/Edits Layout Using Common Office and Adobe Tools: Office, Adobe, Web
3. Output to Desired Formats: PDF, RTF, HTML, Excel, XML, EDI, EFT
4. Send to Destinations: E-mail, Printer, Fax, Web, Storage
- Pre-Built Identity Reports
- Edit/Design Reports using Office tools and Web
- Publish Reports for Audit
- Schedule and Burst Reports

Leverage.

Provision & Access Accounts ‘Enterprise-Wide’
(Diagram) Sources: HR & Biz Applications, Other Sources. Oracle Identity Manager and Oracle Access Manager serve Employees, Customers and Suppliers across: Databases & OS/Legacy, E-Mail, Portals, Flat Files, Databases, Directories, Applications, Physical Items

Customer Successes with Oracle IDM: Benefits They Are Receiving
- PeopleSoft HR as source of truth for identity
- Eliminated 90% of ghost, orphaned and rogue accounts
- Self-service password management reduced help desk calls
- Over 750,000 annual savings in help desk cost
- Saving 500,000 (400 hours/month) on SAP administration
- High quality IT compliance data for core SOX applications
- Over 1,100 applications under centralized management
- Comprehensive “Who has (and had) access to what” database for compliance and process automation
- “Near Zero” wait for new resources
- Embedded Application “Preventive, Detective and Contextual” Controls manage over 358 Business Processes
- 42% reduction in external auditor testing
- Less than 5 months payback period

Summary

Oracle is #1 in IDM with “Big 3” Analysts!!
The Forrester Wave: Identity And Access Management, Q1 2008

Oracle is #1 in IDM with “Big 3” Analysts!!
Oracle IDM is the “Best and Safest Choice” for Oracle customers

Only Oracle Provides
Most Comprehensive:
- End-to-End Security for Applications, Middleware and Databases!
- Industry’s #1 IdM according to Gartner, Burton and Forrester reports
Deepest Set of Capabilities:
- HR-Driven, Role-based Oracle Application user management
- Deepest Integration for Management of Users, Roles and Entitlements
- Out-of-the-Box Single Sign-On to Oracle Applications
- Self-service Home Page for requesting/removing access requests
- Out-of-the-Box Approval workflows per user access request
Unmatched Compliance Options:
- “Actionable”, Periodic Review of Users and fine-grained entitlements
- Proactive and Detective SoD with remediation (IDM and GRC)
- Fine-Grained Access control down to the form/field level
- Database Vault to secure sensitive application data in the database
- Current and Historical Reporting of “Who has what responsibility?”, “When did they get it?”, “How did they get it?” and “Who approved it?”

Oracle Identity Management Activities
Collaborate 09 – May 3 through May 7 in Orlando, FL
Website: http://collaborate09.com/
Sessions:
- May 6th, 11am-12pm – “Using Oracle Adaptive Access Manager to Detect and Prevent Fraud in Oracle Applications”
- May 6th, 4:30pm-5:30pm – “Using Governance, Risk and Compliance Solutions to Achieve Segregation of Duties with Oracle Identity Management”
Product Demonstrations: Exhibit Hall, May 4 - 6
Hands On Lab: May 5th, 3:15pm – 5:15pm, “Automate, Secure, and Audit Your E-Business Suite and PeopleSoft Applications with Oracle Identity Management”
More Information: Viewlets and Whitepapers; Oracle Fusion Middleware Best Practice Centers (URL fragment: ex.html)

“Leap Forward” with Oracle Identity Management: New Mini-Cast Series
- Mini-Cast #1: Simplify User and Password Management
- Mini-Cast #2: Simplify and Strengthen User Access
- Mini-Cast #3: Simplify Governance, Risk and Compliance

Questions?
Chris Fox, CISSP
Principal Security Consultant
Oracle Identity and Security
[email protected]

