“Leap Forward” with Oracle Identity Management
Chris Fox, CISSP | Principal Security Consultant | chris.fox@oracle.com
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
“Leap Forward” with Oracle Identity Management for
[Chart: Identity & Audit Costs over Year 1 to Year 4, Business-as-Usual vs. Oracle IDM; costs down 55%]
Identity & Audit Tasks:
• User Administration
• Password Reset
• Internal Audit
Leverage.
Oracle Applications are a Great Foundation!
[Diagram: Oracle Applications business processes (Develop, Market, Sell, Order, Plan, Procure, Make, Fulfill, Service, Maintain, Finance, HCM, Projects, Contracts) and workforce populations (Employees, Managers, Contractors, Former Employees) across Workforce Management, Labor Sourcing and Post Employment]
“Top Security Issues”
IT Personnel
• Needs Help Simplifying User Management For:
  • Employees
  • Customers
  • Partners
• Want workflow to automate manual processes
• Need Tools To Manage IT Systems With Less Effort
Information Security and Audit
• Need To Understand Risk And What To Protect
• Want to Protect Data From Compromise
• Looking to Review User Access in less time
• Need Reports For “Who Has (And Had) Access To What?”
We Can Fix These Issues Today
Automate:
• Automate User & Responsibility Management
• Secure, Automate Risk-Based Single Sign On
• Self Service Password Reset and Account Requests
Protect:
• Web-Based Periodic Access Review
• Preventative Segregation of Duties Controls
• Strong Access Controls and Data Protection
Get Productive!
“Edge to Core” security of application data ensures users only get access to what they need.
• Risk-Based SSO: Users access to apps on Day 1 using SSO and optional strong authentication that employs risk analytics
• HR-Driven User Mgmt: Automatically on-board, transfer and off-board users based on HR events
• Role-Based Access: Automatically grant User rights and generate auditable approval workflows
• Self Service: Web-based home page for requesting new access rights and changing passwords
• Periodic User Access Review: Web-Based interface used to schedule, delegate, track, complete and view reports for audit
• Segregation of Duties: “Preventative and Detective” SoD ensure compliance and reports are generated for audit
[Diagram: Oracle Identity Management products]
• Access Manager
• Adaptive Access Manager
• Identity Federation
• Entitlement Server
(the four above: In Progress)
• Enterprise SSO Suite
• Identity Manager
• Role Manager
• Internet Directory
• Virtual Directory
• Web Services Manager
How Do We ‘Automate Security’?
Automate User & Responsibility Management
Issue to Address:
• Creating user accounts and granting them the Entitlements they need is manual and costly
• Transfers are hard to handle. Termination of unused privileges isn’t happening fast enough
• Removing access and entitlements upon termination takes too long and has spot issues
• Orphaned/ghost accounts are very hard to detect and eliminate. There could be thousands?
Solution: Oracle Identity Manager (Option: Oracle Role Manager)
[Diagram: ‘Event-Driven’ Identity Management. HR & Biz Applications feed Oracle Identity Manager, which on-boards, transfers, updates and off-boards users; creates/modifies user accounts and entitlements in Applications; adds and removes EBS Responsibilities; and updates and synchronizes passwords to Directories]
Automatic User and Entitlement Mgmt
‘Single Global Instance’ of All Users
Manage Roles, Approvers & Orgs
Oracle Role Manager (fed by Applications, Directories and Org Hierarchies):
• Role Mining
• Role Management
• Organization and Hierarchy Management
• MAPS: Business Roles TO IT/System Roles TO Entitlements TO Approvers (“Who is the Approver?”)
Oracle Identity Manager (fed by HR and Other Applications; provisions Directories, Applications and Databases):
• Account Reconciliation
• Account Provisioning
• Entitlement Management
• Approval Workflows (“Go To Identity Manager’s Self-Service and Approve Chris’ Request?”)
• Reports
Oracle Role Manager: Role Mining, Role Management, Organization and Hierarchy Management
Key Takeaways
[Chart: Business Days Required for New Account Creation, Before Oracle IDM Implementation vs. Today; Business Days Prior to Beginning of Class that Enrollment Closed]
• Then: 10 business days for account creation/modification and sometimes termination!
• Now: Under 1 day (could be real-time without approvals)
• Results:
  • Improved Customer Service
  • Reduced Cost
‘Automated Security’ for Oracle Applications
Solution Option #1:
[Diagram: Desktop Login and the Corporate Directory (Oracle Directory Services) with Oracle Access Manager providing Extranet & Intranet SSO to Applications]
‘Bolt-On’ Fraud Prevention and Strong AuthN
Oracle Adaptive Access Manager
[Diagram: Users (Suppliers, Employees, Customers), their Location and Device feed Oracle Adaptive Access Manager, which supplies a Computed Risk Score to Oracle Access Manager in front of Applications]
• What A User Knows (Pin, Password, Challenge Questions)
• What A User Has (Device Fingerprinting)
• What a User Does (Behavior Pattern + Profiling)
• Where a User Is (Geo-Location Checking)
Prevents: Phishing, Pharming, Trojans, Key logging, Proxy Attacks, Insider threats
• In August 2007, an automated attack was launched on Monster using compromised recruiter credentials which captured info on nearly 1.3M users.
• Monster has a current catalog of nearly 1M job ads and a database of 34M resumes.
• To preserve brand image without disrupting user behavior, Monster needed to protect users’ profile information against phishing/pharming scams.
• Must support 18+ Million Users
• Oracle Adaptive Access Manager was chosen over RSA
• OAAM was able to focus on differentiating humans from automated (bot or trojan) authentication attempts and fraud detection
• Integrates into the Monster application framework
• Leverage “black lists” provided by Symantec DeepSight threat management service
RESULTS
• Expect to have a more secure site without altering end user experience
• Expect to restore brand image by providing stronger form of authentication
‘Automated Security’ for Oracle Applications
[Screenshot: Add Responsibilities request for Oracle Database]
[Diagram: Employees, Contractors and Customers request access; responsibilities are assigned automatically via a Rules Engine (Rules/Roles) or added/removed directly by an Admin, and provisioned to Directories and Databases. From their site, users review who needs to approve each request]
Impact on ‘Approvals’ for System Access
[Charts: Annual Value Realized Due to Oracle IDM Implementation and Annual Staff Hours Recovered Through Oracle IDM, broken down by Back to School, Orphaned Accounts and Password Reset]
Key Takeaways
• $582,492 realized annually in cost savings or cost avoidance
• More than 13,000 staff hours recovered annually
• Significant improvements in user customer service & customer satisfaction
Protect.
‘Lock Down and Protect’ Applications
Strong Access Controls and Data Protection
Issue to Address:
• We need fine-grained access control of application data (at the UI and database levels)
• We can’t ensure the protection of our database data and prove controls are working
Solution:
[Diagram: Web Tier – Oracle Access Suite; Application (Internal) – Identity Manager and GRC Controls; Oracle Database – Strong Database Security; App & Access IdM Suite; Unix Host OS – Oracle Application Services for OS]
[Screenshot: Employee Update form showing SSN XXX-XX-XXXXX and Salary $ 53,000.00 with OK / Cancel buttons]
• Employees can only view the salary field (can’t update)
• Conceal SSN number if User is NOT from HR dept
• Disable Invoice Approval for Invoices created by same user
[Diagram: ‘Cloned’ Database, Secured Production Database and Operational Database; * Example roles and privs]
LNAME   SSN          SALARY
LJOH    111-56-9876  $125,000
TDPQQ   111-76-1234  $229,500
TNJQI   111-78-2198  $ 53,700
• Anonymize sensitive Test & Dev data using Data Masking Option
• Protect Data in Motion with Network Encryption using Advanced Security
• Protect Data from DBA View and Alteration as well as Insider Threat using Database Vault (DBA attempts such as “Select SALARY from users;”, “Alter system.” and “Alter table..” are blocked)
• Consolidate Database Audit data using Audit Vault (records “Alter table ….” by the DBA and “Select SALARY from USERS;” by the Operational DBA / Manager)
Preventative Segregation of Duties Controls
Issue to Address:
• Segregation of Duties (SoD) within Applications is difficult to achieve even at a ‘detective’ level
• We want both Preventative & Detective SoD of Application entitlements
Solution: Oracle Identity Manager, Oracle Application Access Controls Governor
Manage Segregation of Duties
• Identify incompatible Privileges (i.e. Pages)
• Examples: Create Invoices Function
[Screenshot: permission hierarchy – Permission List, Menu, Component, SubMenu/Function, Page]
IDM and GRC Working Together
SOD and Rogue Activity Detection and Remediation
[Flow: an out-of-bounds Account or Entitlement is Added; Oracle Application Access Controls Governor enforces the SoD Policy, detects the Violation Event and performs Analysis and Alert; Oracle Identity Manager is assigned a Task to Remediate the Violation and deprovisions the Account (Account or Responsibility Deprovisioned, Entitlements Remediation); the out-of-bounds Account or Responsibility is Removed]
Web-Based Periodic Access Review
[Diagram: Oracle Identity Manager with Oracle Database; access reviews performed by Resource Owners and Security & Auditors]
Reviewer Selections
[Diagram: Oracle Identity Mgmt reports rendered by Oracle BI Publisher as PDF, RTF or E-mail]
Provision & Access Accounts ‘Enterprise-Wide’
[Diagram: Oracle Access Manager and Oracle Identity Manager provision Employees, Customers and Other Sources into Flat Files, E-Mail, Databases, Directories, Portals and Physical Items]
Oracle IDM is the “Best and Safest Choice” for Oracle customers
Customers Success with Oracle IDM
Benefits They Are Receiving
Case Study – Cisco Systems
RESULTS
• Oracle IdM will tie the Apps to GRC, SOD & DB for compliance and reporting
• Oracle can help automate many manual provisioning tasks for ROI benefits
• Oracle can provide a strong Security Shared Services Framework for Cisco
Summary
Only Oracle Provides…
Most Comprehensive:
End-to-End Security for Applications, Middleware and Databases!
Industry’s #1 IdM according to Gartner, Burton and Forrester reports
• Wednesday, November 19th, Noon EST / 9am PST
• Wednesday, December 3rd, Noon EST / 9am PST
• Wednesday, December 17th, Noon EST / 9am PST
(also shown: DECEMBER 3, DECEMBER 17, JANUARY 7)
Learn More