leap forward - oracle idm for oracle apps - dec 11 2008 vfinal
TRANSCRIPT
8/14/2019 Leap Forward - Oracle IDM for Oracle Apps - Dec 11 2008 vFinal
1/73
Leap Forward with Oracle Identity Management
Chris Fox, CISSP | Principal Security Consultant | [email protected]
Leverage. Extend. Automate. Protect.
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Leap Forward with Oracle Identity Management for
- Leverage: your Oracle Application investment
- Extend: its capabilities to solve common security problems, drive down costs and boost end user productivity
- Automate: costly and time-consuming user management, user access, access recertification and reporting processes
- Protect: your Oracle Application to the core with strong access controls, segregation of duties and data protection
Automate. Extend. Protect. Leverage.
Oracle IDM Drives Productivity!
Identity & Audit Tasks: User Administration, Password Reset, Internal Audit
[Chart: Annual Minutes Required for Identity Management & Related Audit Requirements, Year 1 to Year 4, Business-as-Usual vs. Oracle IDM; y-axis in minutes, 0 to 14,000,000]
$7.4M savings over 4 years; $3M year-over-year savings once fully deployed!
[Chart: Annual Cost Comparison, Business-as-Usual vs. Oracle IDM, Year 1 to Year 4; y-axis $0 to $8,000,000]
Productivity; User Satisfaction; Identity & Audit Costs Down 55%
Today's Agenda
- Security + Compliance Issues Application Customers Face
- Solving Issues with Oracle Identity Management and Security:
  - Automating User & Password Management
  - Simplifying Sign On & Centralizing Access Management
  - Streamlining Governance, Risk and Compliance
- Real World Case Studies: Oracle Application customers using Identity Management today
Leverage.
Oracle Applications are a Great Foundation!
[Diagram: business areas covered by Oracle Applications: Develop, Market, Sell, Order, Plan, Procure, Make, Fulfill, Service, Maintain, Finance, HCM, Projects, Contracts]
"Success of strategic business initiatives often depends on identification, development, and ongoing management of work skills & professional expertise, leading to accelerated achievement of strategic objectives."
-- Jennifer Volmer, Research Analyst
[Diagram: Human Capital Management At-a-Glance. Labels: Managers, Employees, Contractors, Former Employees; Labor Sourcing, Demand Forecasting, Recruiting, Contractor Hiring, Supplier Relations, Offer Negotiations, On-Boarding; Workforce Mgmt, People Deployment, Development, Compensation, Services, Labor Relations, Compliance, Organization; Post Employment, Termination, Re-Hires, Benefits, References, Records]
Overall Business Pressures
Pressures: Aging & Retiring Workforce; Governance & Compliance; Emerging Markets, New Organizations; Reduce Costs While Improving HR Service
Questions customers are asking:
- How can I attract workers with key competencies & skills?
- How can I develop an agile workforce to support my changing business?
- How can I keep pace with changing privacy laws & safety regulations?
- How can I gain greater control of processes, data, and approvals?
- What is the best way to service an increasingly global workforce?
- How can I simplify complex processes across the organization?
- Where can I cut costs & improve workforce mgmt efficiencies?
- How can I manage and improve workforce utilization?
[Diagram labels: Labor Sourcing, Workforce Management, Post Employment]
Top Security Issues
- User Access and Password Management
- Governance, Risk and Compliance
- Managing Users and Entitlements
Issue #1: Managing Users and Entitlements
1. Creating user accounts and granting fine-grained entitlements (Roles, Responsibilities) is manual and costly
2. Transfers are hard to handle and removing excessive privileges doesn't happen fast enough
3. Requesting new user access is a manual effort that takes too long
4. Access approvals are manual, email-driven, aren't unique for the access request and aren't auditable
5. Removing user access and entitlements upon termination takes too long and has lots of spot issues
Issue #2: Access and Password Management
1. We want to make access to applications easier by either using SSO or the user's AD password
2. Users forget their passwords; we need a way for them to reset it themselves
3. We'd like to use SSO, but have to be sure we know who the user is and prevent fraud
4. We'd like to expose our applications externally to all users over the web vs. VPN but don't have confidence
5. We need fine-grained access control of application data (at the UI and database levels)
Issue #3: Governance, Risk and Compliance
1. "Who has and who had access to what? And why?" reports are manual and sometimes impossible
2. Segregation of Duties (SoD) within the application is difficult to achieve even at a detective level
3. Orphaned/ghost accounts are very hard to detect and eliminate. There could be hundreds or thousands?
4. We can't ensure the protection of our application's database data and prove controls are working
5. Out of all these issues, Periodic Access Reviews are the most complex, costly and time-intensive task
We know the Real World Isn't Easy!
What Application Customers Are Asking For
Business Users:
- Need user accounts and entitlements as fast as possible
- Want simplified access to ALL applications
- Minimize or synchronize the passwords
Information Security and Audit:
- Need to understand risk and what to protect
- Want to protect data from compromise
- Looking to review user access in less time
- Need reports for "Who has (and had) access to what?"
IT Personnel:
- Need help simplifying user management for employees, customers and partners
- Want workflow to automate manual processes
- Need tools to manage IT systems with less effort
Extend.
We Can Fix These Issues Today
Automate:
- Automate User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests
Protect:
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls
- Strong Access Controls and Data Protection
Securing, Automating and Auditing Oracle Applications
- HR-Driven User Mgmt: automatically on-board, transfer and off-board users based on HR events
- Role-Based Access: automatically grant user rights and generate auditable approval workflows
- User Self Service: web-based home page for requesting new access rights and changing passwords
- Segregation of Duties: preventative and detective SoD ensure compliance and reports are generated for audit
- Periodic Access Review: web-based interface used to schedule, delegate, track, complete and view reports for audit
- Risk-Based SSO: users access apps on Day 1 using SSO and optional strong authentication that employs risk analytics
- Data Protection: edge to core security of application data ensures users only get access to what they need
Get Productive! Get Compliant!
Oracle IdM is Certified and Ready
Components: Adaptive Access Manager, Identity Federation, Identity Manager, Role Manager, Internet Directory, Virtual Directory, Access Manager, Enterprise SSO Suite, Entitlement Server, Web Services Manager
[Table: each component is marked as Out-of-the-Box Connectors, Certified Interoperability, or In Progress; four components are marked In Progress]
Automate.
How Do We Automate Security?
Automate:
- Automate User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests
Also shown: Web-Based Periodic Access Review; Preventative Segregation of Duties Controls; Strong Access Controls and Data Protection
Automated User and Responsibility Management
Issue to Address:
- Creating user accounts and granting them the entitlements they need is manual and costly
- Transfers are hard to handle. Termination of unused privileges isn't happening fast enough
- Removing access and entitlements upon termination takes too long and has spot issues
- Orphaned/ghost accounts are very hard to detect and eliminate. There could be thousands?
Solution: Oracle Identity Manager (Automate User & Responsibility Management). Option: Oracle Role Manager
Automatic User and Responsibilities Mgmt: Single Global Instance of All Users
Certified EBS Integration:
- Password Update and Synchronization
- Add and Remove EBS Responsibilities
- On-board, Transfer, Update, Off-board Users
[Diagram: Oracle Identity Manager receives event-driven identity management feeds from HR & Biz Applications and other sources (Flat Files, Databases, Directories); user accounts and entitlements are created/modified in the Oracle Database and in other Databases, Applications and Directories]
Reconciliation loop:
1. Pull lists of who is in each system
2. Periodically check for rogue identities
3. Remove identities and/or entitlements
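The three-step reconciliation loop above (pull who is in each system, check against HR for rogue identities, remove identities and entitlements), as an added worked example; this is not Oracle Identity Manager code, and the HR feed, account list and department-to-responsibility model are all constructed for the illustration:

```python
"""Reconciliation of target-system accounts against an HR source of truth.

Added example (not Oracle's code). Step 1 is the constructed ACCOUNTS pull,
step 2 is reconcile(), step 3 is remediation_plan(). All data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    status: str            # "active" or "terminated"
    department: str


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    person_id: Optional[str]       # None when the account cannot be correlated to HR
    responsibilities: FrozenSet[str]


# Constructed HR feed (the source of truth for identities).
HR: Dict[str, HrRecord] = {
    "P100": HrRecord("P100", "active", "Finance"),
    "P200": HrRecord("P200", "terminated", "Finance"),
    "P300": HrRecord("P300", "active", "HR"),
}

# Constructed role model: the responsibilities a department is allowed to hold.
ALLOWED: Dict[str, Set[str]] = {
    "Finance": {"AP_CLERK", "GL_USER"},
    "HR": {"HR_USER"},
}

# Constructed step-1 pull of "who is in each system".
ACCOUNTS: List[Account] = [
    Account("EBS", "jdoe", "P100", frozenset({"AP_CLERK", "GL_USER"})),
    Account("EBS", "msmith", "P200", frozenset({"AP_CLERK"})),          # person terminated
    Account("EBS", "svc_old", None, frozenset({"SYSADMIN"})),           # no HR identity
    Account("AD", "rlee", "P300", frozenset({"HR_USER", "AP_CLERK"})),  # beyond role model
]


@dataclass
class Finding:
    account: Account
    kind: str                                    # "orphaned", "terminated" or "excessive"
    remove: FrozenSet[str] = field(default_factory=frozenset)  # entitlements to strip


def reconcile(accounts, hr, allowed) -> List[Finding]:
    """Step 2: compare every pulled account with HR and the role model."""
    findings = []
    for acct in accounts:
        rec = hr.get(acct.person_id) if acct.person_id else None
        if rec is None:
            # No HR identity behind the account: a ghost/orphaned account.
            findings.append(Finding(acct, "orphaned", acct.responsibilities))
        elif rec.status == "terminated":
            # The person left but the account survived: an off-boarding gap.
            findings.append(Finding(acct, "terminated", acct.responsibilities))
        else:
            extra = acct.responsibilities - allowed.get(rec.department, set())
            if extra:
                # Valid identity holding more than its department's roles allow.
                findings.append(Finding(acct, "excessive", frozenset(extra)))
    return findings


def remediation_plan(findings):
    """Step 3: one (system, username, action, entitlements) row per finding."""
    plan = []
    for f in findings:
        action = "disable_account" if f.kind in ("orphaned", "terminated") else "remove_entitlements"
        plan.append((f.account.system, f.account.username, action, sorted(f.remove)))
    return plan


if __name__ == "__main__":
    for row in remediation_plan(reconcile(ACCOUNTS, HR, ALLOWED)):
        print(row)
```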
Automatic User and Entitlement Mgmt: Single Global Instance of All Users
Manage Roles, Approvers & Orgs: Oracle Role Manager
Oracle Role Manager:
- Who is the Approver?
- Organization and Hierarchy Management
- Role Management
- Role Mining
Oracle Identity Manager:
- Approval Workflows
- Entitlement Management
- Account Provisioning
- Account Reconciliation
[Diagram: Org Hierarchies from HR and Other Applications feed Oracle Role Manager; Oracle Identity Manager provisions Applications, Directories and Databases and produces Reports]
MAPS: Business Roles TO IT/System Roles TO Entitlements TO Approvers
"Go To Identity Manager's Self-Service and Approve Chris' Request?"
IDM Impact on User Management
Key Takeaways
- Then: 10 business days for account creation/modification and sometimes termination!
- Now: Under 1 day (could be real-time without approvals)
- Results: Improved customer service, reduced cost
[Chart: Business Days Prior to Beginning of Class that Enrollment Closed / Business Days Required for New Account Creation, Before Oracle IDM Implementation vs. Today; y-axis 0 to 12 days]
Automated Security for Oracle Applications
Automate:
- Automate User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests
Secure, Risk-Based, Single Sign On
Issue to Address:
- We want to make access to Apps easier by either using SSO or the user's AD password
- We'd like to use SSO, but have to be sure we know who the user is and prevent fraud
- We'd like to expose more functionality externally but want higher levels of security
Solution: Oracle Access Manager & Adaptive Access Manager (Secure, Risk-Based Single Sign On)
- Option #1: Oracle Directory Services
- Option #2: Other Access Suite Components
- Option #3: Enterprise SSO Suite
Enable Single Sign-On: Oracle Access Manager (with/without OSSO)
- Extranet & Intranet SSO
- Self Service Registration
- Audit User Access
- Optional Bolt-On Stronger Authentication
[Diagram: Employees sign in via Desktop Login against the Corporate Directory; Oracle Access Manager fronts Databases, Applications and Directories]
Automating User Sign-On
Bolt-On Fraud Prevention and Strong AuthN: Oracle Adaptive Access Manager
Risk factors evaluated for Suppliers, Employees and Customers:
- Where a User Is (Geo-Location Checking)
- What a User Does (Behavior Pattern + Profiling)
- What a User Has (Device Fingerprinting)
- What a User Knows (PIN, Password, Challenge Questions)
[Diagram: User, Location and Device feed the Adaptive Access Manager, which produces a Computed Risk Score consumed by Oracle Access Manager in front of Applications]
Prevents: Phishing, Pharming, Trojans, Key logging, Proxy Attacks, Insider threats
Case Study: Monster
BUSINESS CHALLENGE
- In August 2007, an automated attack was launched on Monster using compromised recruiter credentials which captured info on nearly 1.3M users.
- Monster has a current catalog of nearly 1M job ads and a database of 34M resumes. To preserve brand image without disrupting user behavior, Monster needed to protect users' profile information against phishing/pharming and other scams.
- Must support 18+ Million Users
ORACLE SOLUTION
- Oracle Adaptive Access Manager was chosen over RSA
- OAAM was able to focus on differentiating humans from automated (bot or trojan) authentication attempts and on fraud detection
- Integrates into the Monster application framework
- Leverages black lists provided by the Symantec DeepSight threat management service
RESULTS
- Expect to have a more secure site without altering end user experience
- Expect to restore brand image by providing a stronger form of authentication
http://www.monster.com/
Self Service Password Reset & Account Requests
Issue to Address:
- Requesting new entitlements on each system is a manual effort that takes too long
- Approval for new entitlements is a manual effort and isn't auditable
- App users forget their password all the time; we need a way for them to reset it themselves
Solution: Oracle Identity Manager (Self Service Password Reset and Account Requests)
Web Based, User Self Service: Oracle Identity Manager
- Self Service Password Reset
- Manager Self Service to complete Approvals
- Dynamic Approval Routing per Responsibility
- Self Request & Removal of Responsibilities
[Diagram: Employees, Contractors and Suppliers use Oracle Identity Manager to Add Responsibilities, Change Password and Remove Responsibilities across the Oracle Database and other Databases, Applications and Directories]
Options for Obtaining Responsibilities
For Employees, Contractors and Customers, responsibilities in Databases, Applications and Directories are obtained:
- Via Web-Based Self Request: from their site, users review who needs to approve each request (example: Manager and IT Owner approval)
- Automatically via Rules Engine (Rules/Roles)
- Admin adds/removes responsibility directly
Web-Based Approval Policy Creation & Modification
Impact on Approvals for System Access
Key Takeaways
- Then: User access approvals took 2-3 days. Without access, the user could not begin to work
- Now: Approving user access takes 30 minutes or less and is auditable!
- The decline in hours reflects increased process efficiency
[Chart: Average Time in Days to Grant Systems Access, Before Oracle IDM vs. After Oracle IDM; y-axis 0 to 3 days]
The Impact of IDM!
Key Takeaways
- $582,492 realized annually in cost savings or cost avoidance
- More than 13,000 staff hours recovered annually
- Significant improvements in user customer service & customer satisfaction
[Chart: Annual Value Realized Due to Oracle IDM Implementation; Costs Eliminated vs. Cost Avoidance for Orphaned Accounts, Password Reset and Customer Access Management; y-axis $0 to $500,000]
[Chart: Annual Staff Hours Recovered Through Oracle IDM; Annual Hours Recovered for Back to School, Password Reset and Customer Access Management; y-axis 0 to 16,000]
Lock Down and Protect Applications
Automate:
- Automate User & Responsibility Management
- Secure, Risk-Based Single Sign On
- Self Service Password Reset and Account Requests
Protect:
- Strong Access Controls and Data Protection
- Web-Based Periodic Access Review
- Preventative Segregation of Duties Controls
Strong Access Controls and Data Protection
Issue to Address:
- We need fine-grained access control of application data (at the UI and database levels)
- We can't ensure the protection of our App & database data and prove controls are working
Solution: Oracle Database Security and the IdM Suite (Strong Access Controls and Data Protection)
Protecting Oracle Applications, layer by layer:
- Web Tier: Oracle Access Suite
- Application (Internal): Identity Manager and GRC Controls
- Oracle Database: Database Security
- Unix Host OS: Oracle Authentication Services for OS
Protecting Oracle Applications: Top to Bottom Security
Layers: Web Server, Enterprise Portals, Oracle Applications, Oracle Database, Linux/Unix
- Protect the front door and provide strong fraud prevention using Oracle's Access Management Suite
- Embed fine-grained access controls down to the field level using Oracle Application Access Controls Governor
- Automatically add, modify and remove user accounts and entitlements using Oracle Identity Manager
- Secure sensitive data within the database with Oracle Database Security Options
- Centralize OS user management and SUDO policies using Oracle Authentication Services for Operating Systems
Protecting Application Data: GRC Controls, masking sensitive data & restricting access to actions
[Mock-up: Employee Update form with fields Name (John Doe), Address (123 Main St, Center City, NY 12345), Salary ($53,000.00), SSN (XXX-XX-XXXXX), Supervisor (Mary Smith), and OK/Cancel buttons]
- Conceal SSN number if user is NOT from HR dept
- Employees can only view the salary field (can't update)
- Disable Invoice Approval for invoices created by same user
Embedded preventive controls restrict access to sensitive data and critical actions proactively using native application interfaces and workflow technology
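The three embedded controls on this slide, written as a small data-driven rule set over the Employee Update record; this is an added example, not Oracle GRC code, and the record values, the users and the assumption that HR (and only HR) may edit Salary are constructed for the illustration:

```python
"""Field- and action-level preventive controls on an Employee Update record.

Added example (not Oracle's GRC code). Rules can only take privilege away
from a field, so rule order cannot widen access. Data is constructed; the
"HR may edit salary" rule is an assumption the slide does not state.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class User:
    username: str
    department: str


@dataclass(frozen=True)
class FieldRule:
    field: str
    fires: Callable[[User], bool]   # condition on the viewer under which the control applies
    effect: str                     # "mask" or "readonly"


def conceal_ssn(value: str) -> str:
    """Fully conceal the SSN, as the slide's form does (XXX-XX-XXXX)."""
    return "XXX-XX-XXXX"


# Which masker to use per field; a field without a masker cannot carry a "mask" rule.
MASKERS: Dict[str, Callable[[str], str]] = {"ssn": conceal_ssn}

# Constructed control set mirroring the slide's first two bullets.
FIELD_RULES: List[FieldRule] = [
    FieldRule("ssn", lambda u: u.department != "HR", "mask"),
    FieldRule("salary", lambda u: u.department != "HR", "readonly"),  # assumption: HR may edit
]

# Constructed Employee Update record (the slide's sample data plus a constructed SSN).
RECORD = {
    "name": "John Doe",
    "address": "123 Main St, Center City, NY 12345",
    "salary": 53000.00,
    "ssn": "123-45-6789",
    "supervisor": "Mary Smith",
}


def render_form(record: dict, viewer: User, rules=FIELD_RULES) -> Dict[str, Tuple[object, bool]]:
    """Return {field: (displayed value, editable)} after applying the controls."""
    view = {name: (value, True) for name, value in record.items()}
    for rule in rules:
        if rule.field not in view or not rule.fires(viewer):
            continue
        value, _ = view[rule.field]
        if rule.effect == "mask":
            view[rule.field] = (MASKERS[rule.field](value), False)  # concealed data is never editable
        elif rule.effect == "readonly":
            view[rule.field] = (value, False)
        else:
            raise ValueError(f"unknown effect {rule.effect!r}")
    return view


def can_approve_invoice(invoice: dict, approver: User) -> bool:
    """Action-level control (third bullet): the creator of an invoice may not approve it."""
    return invoice["created_by"] != approver.username


if __name__ == "__main__":
    print(render_form(RECORD, User("jdoe", "Finance")))
    print(can_approve_invoice({"id": "INV-1", "created_by": "jdoe"}, User("jdoe", "Finance")))
```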
Preventative + Detective Segregation of Duties
Issue to Address:
- Segregation of Duties (SoD) within Applications is difficult to achieve even at a detective level
- We want both Preventative & Detective SoD of Application entitlements
Solution: Oracle Identity Manager and Oracle Application Access Controls Governor (Preventative Segregation of Duties Controls, Web-Based Periodic Access Review)
What is Segregation of Duties (SoD)? EBS
SoD refers to the separation of business activities that a single person may initiate and/or validate, in order to limit or prevent erroneous or fraudulent activities.
Business activities are enabled through the respective access points within an application.
EBS access points: Role, Application User, Responsibility, Menu, Submenu, Function (Submenu/Function), etc.
Examples: Create Invoices; Post Journal Entries; Make Payments
PeopleSoft Access & SOD Challenges
PeopleSoft access points: Role, Permission List, Menu, Component, Page, User Profile
- Evaluate User Access: test by User Profile, test by Page
- Manage Segregation of Duties: identify incompatible privileges (i.e. Pages)
IDM and GRC Working Together: SOD and Rogue Activity Detection and Remediation
1. Account or entitlement added out-of-bounds (Identity Management)
2. Event analysis, violation detection and alert (GRC: Oracle Application Access Controls Governor enforces the SoD policy)
3. Assign remediation task
4. Deprovision entitlements to remediate the violation (Identity Management: Oracle Identity Manager)
5. Account/responsibility deprovisioned: the out-of-bounds account or responsibility is removed
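The SoD model from the "What is Segregation of Duties?" slide (user, responsibility, function access points; Create Invoices, Post Journal Entries and Make Payments as the conflicting activities) and the detect-and-remediate flow above, as one added worked example; this is not Oracle Access Controls Governor or Identity Manager code, and the responsibility-to-function map, the rule ids and the user assignments are constructed:

```python
"""Preventive and detective SoD checks over an EBS-style access model.

Added example (not Oracle's code). A responsibility grants functions; an SoD
rule names two functions one person must not hold together. preventive_check()
is the "Enforce SoD Policy" gate on a request, detective_scan() is the
violation-detection step that yields deprovisioning tasks. Data is constructed.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Constructed responsibility -> functions map (functions are the access points
# through which the business activities on the slide are enabled).
RESP_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"Create Invoices"},
    "AP_PAYMENTS": {"Make Payments"},
    "GL_ACCOUNTANT": {"Post Journal Entries"},
    "AP_SUPER": {"Create Invoices", "Make Payments"},  # conflict inside one responsibility
}

# Constructed SoD policy: pairs of activities a single person must not both hold.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"Create Invoices", "Make Payments"}): "SOD-001 invoice/payment",
    frozenset({"Create Invoices", "Post Journal Entries"}): "SOD-002 invoice/journal",
}


def functions_for(responsibilities) -> Set[str]:
    """Expand a set of responsibilities to the functions they grant."""
    funcs: Set[str] = set()
    for r in responsibilities:
        funcs |= RESP_FUNCTIONS.get(r, set())
    return funcs


def violations(responsibilities) -> List[str]:
    """Rule ids violated by this combination of responsibilities (sorted)."""
    funcs = functions_for(responsibilities)
    return sorted(rule for pair, rule in SOD_RULES.items() if pair <= funcs)


def preventive_check(current, requested):
    """Gate a request before it is granted.

    Returns (allowed, new_violations): only violations the request would ADD
    are reported, so an existing violation does not block unrelated requests
    (it is the detective scan's job to find those).
    """
    before = set(violations(current))
    after = set(violations(set(current) | {requested}))
    new = sorted(after - before)
    return (not new, new)


def detective_scan(assignments):
    """Scan user -> responsibilities and build one remediation task per violator.

    The task names the smallest set of responsibilities whose removal clears
    every violation (exhaustive search; fine for per-user responsibility counts).
    """
    tasks = []
    for user, resps in sorted(assignments.items()):
        found = violations(resps)
        if not found:
            continue
        remove = None
        for k in range(1, len(resps) + 1):
            for subset in combinations(sorted(resps), k):
                if not violations(resps - set(subset)):
                    remove = list(subset)
                    break
            if remove is not None:
                break
        tasks.append({"user": user, "violations": found, "deprovision": remove})
    return tasks


if __name__ == "__main__":
    print(preventive_check({"AP_CLERK"}, "AP_PAYMENTS"))
    print(detective_scan({"alice": {"AP_CLERK", "AP_PAYMENTS"}, "bob": {"AP_SUPER"}}))
```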
Web-Based Periodic Access Review
Issue to Address:
- "Who has & who had access to what? And why?" reports are manual and time consuming
- We can't detect and eliminate orphaned/ghost accounts. There could be thousands?
- Out of all these issues, periodic access reviews are the most complex, costly & time consuming
Solution: Oracle Identity Manager (Web-Based Periodic Access Review). Option: GRC Suite
Web-Based Actionable Access Reviews
1. Set up periodic review: Who should review it? What user or responsibility should be reviewed? When does it start and how often?
2. Reviewer is notified and goes to the attestation web site. Reviewer selections: Delegate, Reject, Certify, Decline (with comments)
3. Results are stored in DB: archive attested data, attestation actions, delegation paths
4. Automated action is taken based on the periodic review: notify delegated reviewer, notify the process owner, automatically terminate user, email result to user
22 Out-of-the-Box Current State Reports
13 Out-of-the-Box Historical Reports
Unified Compliance Reporting: Using Oracle BI Publisher
Oracle BI Publisher:
- Schedule and Burst Reports
- Publish Reports for Audit
- Edit/Design Reports using Office tools and Web
- Pre-Built Identity Reports
Reporting flow:
1. Pull data from source: Oracle Identity Mgmt, Oracle GRC Systems, Oracle Database Security Options
2. Business user creates/edits layout using common Office and Adobe tools (Office, Web, Adobe)
3. Output to desired formats: XML, EDI, EFT, PDF, RTF, HTML, Excel
4. Send to destinations: E-mail, Printer, Fax, Storage
Leverage.
IdM + Security Is Strategic To Oracle
- Oracle IdM is helping customers today!!
- IdM will be the core security infrastructure for Fusion Applications
- IdM + GRC + Database Security strategy enables our customers to deploy a complete Oracle Security Stack
- IdM has pre-built, out-of-the-box integrations with: Core Business Systems (E-Business Suite, other ORCL & non-ORCL); Data Stores (Databases, Directories, Flat Files, etc.); Operating Systems (UNIX/Linux, Windows, Mainframe)
Oracle's Security & Compliance Strategy: What Do The Analysts Think?
Oracle is #1 in IDM with Big 3 Analysts!!
Oracle is #1 in IDM with Big 3 Analysts!!
- Magic Quadrant for User Provisioning, 2H08
- VantagePoint, March 2008: Identity and Privacy Trends in Enterprise IT
- The Forrester Wave: Identity And Access Management, Q1 2008
Oracle IDM is the Best and Safest Choice for Oracle customers
Case Studies: Customer Success with Oracle IDM
Case Study: Cisco Systems
Benefits They Are Receiving
- PeopleSoft HR as source of truth for identity
- Eliminated > 90% of ghost, orphaned and rogue accounts
- Self-service password management reduced help desk calls
- Over $750,000 annual savings in help desk cost
- Saving $500,000 (400 hours/month) on SAP administration
- High quality IT compliance data for core SOX applications
- Over 1,000 applications under centralized management
- Comprehensive "Who has (and had) access to what" database for compliance and process automation
- Near zero wait for new resources
- Embedded application preventive, detective and contextual controls manage over 358 business processes
- 42% reduction in external auditor testing
- Less than 5 months payback period
Case Study: Cisco Systems
BUSINESS CHALLENGE
- Needed to move away from the multiple IdM silos within Cisco. Doing a complete re-architecture of the current web and provisioning process due to recent acquisitions of WebEx, Linksys and Scientific Atlanta
- Cisco needed a single identity system to manage access to applications, provision users, and manage the user role and lifecycle across their various companies, business partners and employee base.
ORACLE SOLUTION
- Oracle Identity Manager, Q4FY07
- Oracle Access Manager and Oracle Identity Federation; Oracle Access Manager replaces CA SiteMinder, Q3FY08
- Cisco is building their entire next generation Enterprise Identity and Access Management platform around the Oracle IdM stack
RESULTS
- Oracle IdM will tie the Apps to GRC, SOD & DB for compliance and reporting
- Oracle can help automate many manual provisioning tasks for ROI benefits
- Oracle can provide a strong Security Shared Services Framework for Cisco
Summary
Only Oracle Provides
Most Comprehensive: End-to-End Security for Applications, Middleware and Databases!
Industry's #1 IdM according to Gartner, Burton and Forrester reports
Deepest Set of Capabilities:
- HR-driven, role-based Oracle Application user management
- Deepest integration for management of users, roles and entitlements
- Out-of-the-box Single Sign-On to Oracle Applications
- Self-service home page for requesting/removing access
- Out-of-the-box approval workflows per user access request
Unmatched Compliance Options:
- Actionable, periodic review of users and fine-grained entitlements
- Preventative and detective SoD with remediation (IDM and GRC)
- Fine-grained access control down to the form/field level
- Database Vault to secure sensitive application data in the database
- Current and historical reporting of "Who has what responsibility?", "When did they get it?", "How did they get it?" and "Who approved it?"
Learn More
- Webcast Series on Identity for Applications: register today at https://conference.oracle.com/imtapp/app/conf_enrollment.uix?mID=124697906
- Try the Software: visit OTN (otn.oracle.com) to download software and get technical information: http://www.oracle.com/technology/products/id_mgmt/index.html
- Ask Our Experts: speak with the Oracle Identity Team
Questions?