oracle ebiz security top10 guide


8/10/2019 Oracle Ebiz Security Top10 Guide

Top 10 Ways to Increase Enterprise Security While Reducing Costs

INTRODUCTION

The Internet continues to transform business processes at unprecedented speeds. Even the most agile enterprises have found that they can do more with less by rebuilding their business models around e-mail, Web-based commerce, and network-centered applications. Moreover, they have revamped their once closely guarded business networks as new, collaborative environments connecting their employees, customers, partners, and suppliers.

By linking everyone involved in their e-Business initiatives, these innovators have harnessed the potential to increase revenue, reduce costs, and improve productivity. But to realize this competitive advantage, companies must overcome a technological challenge at the core of e-Business: how to securely and cost-effectively manage the expanding number of people, in a wide variety of roles, requesting access to information.

Based on Oracle's experience addressing these challenges in various industries with its Identity and Access Management solution, the list of concepts below contributes significantly to improving security in a cost-effective manner:

1. Identity is the core
2. Borders don't matter
3. Adjusting to a changing world
4. It's about security of inclusion
5. Think privacy and compliance
6. Consistent business rules must be applied across the enterprise
7. Centralized security lowers costs
8. Administrative costs can be equitably distributed among partners
9. Automated approval processes save time and money
10. Infrastructure services can be re-used

1. Identity is the core.

Regardless of a company's area of business, its specific initiatives, or whether it conducts transactions online, offline, or both, one fact is always true: people are at the center. For people to interact, collaborate, and transact business they must be able to identify who they are dealing with in a secure and reliable manner.

The concept of verifying identity is simple. We are familiar with this notion from everyday life. A driver's license or passport is commonly used as a form of identification. It is a trusted way to store and provide attributes about an individual, such as name, address, and age, and to validate that person's access to certain locations, services or privileges. However, when this simple concept is applied to the electronic world, one used for conducting business across corporate boundaries, it quickly becomes complex.

A key success factor for e-Business initiatives is to treat identities as a fundamental piece of the infrastructure, exposed and consumed by multiple applications or systems, rather than focusing on identities on a per-application basis. The investment made in building this part of the infrastructure typically yields sustainable returns in the long run.

2. Borders don't matter.

In today's environment the extended enterprise consists of a company, its employees, trading partners and key stakeholders. The distinction between "inside" and "outside of" the company goes away.

Companies require a single architecture to manage users through the intranet and the extranet. Organizations need a solution that enables one company with its own security domain to seamlessly interact with another company, also with its own security domain.

So, while the breaking down of borders can certainly facilitate e-Business, it poses its own set of problems. The key is a balance of control: to make information, processes and systems available without compromising their security.

Adherence to known, proven standards in areas like Identity Federation and Web Services Security will prove wise when requirements for integration beyond the firewall boundaries proliferate. And whether the organization is a consumer or a provider of services in such integrations should be easily and flexibly accommodated.

3. Adjusting to a changing world.

Nothing stays the same. There will always be new software, platforms and applications, mergers and acquisitions that marry companies with different IT environments, and regulatory legislation that will continue to evolve. Companies need a flexible, interoperable solution that can serve as a foundation for a broad Identity and Access Management infrastructure moving forward.

Solutions that do not offer the integration and interoperability required, that do not support open standards, or that require customers to lock in to a technology that is often not best of breed will likely fail at addressing the long-term needs of the organization.

Therefore, when selecting vendors to address Identity and Access Management needs, companies need to carefully weigh not only the current standards being supported, but also the commitment of the vendor to continue embracing and supporting evolving standards. In the long run this strategy will maximize the return on the overall IT infrastructure investment.

4. It's about security of inclusion.

The "old" security model was based on constructing a firewall to keep "outsiders" out. In today's e-Business environment, a new model offers precise, authorized entry to partners or individuals with different needs, roles, and levels of responsibility. Differentiation comes from providing the right level of access to the right user, which is often referred to as security of inclusion.

The key is to create, for each authorized user, an individualized access control scheme that:

- Provides access to all company resources, or only to those resources that an individual needs at the moment
- Can instantaneously extend or block entry into specific resources when either the individual's role or a business initiative changes
- Can immediately and effectively withdraw access privileges when that individual no longer has a legitimate connection to the company
- Can confidently track and audit the operations and events that relate to a specific identity, which in most cases enables companies to meet regulatory compliance needs

The most successful approach to providing security of inclusion is to leverage a tightly integrated Identity Management and Access Control infrastructure. With these two functions tightly integrated, real-time security actually exists. If a change is made to someone's identity information, or if someone leaves the company, that change is immediately reflected in their access to applications. For example, if someone leaving the company subsequently attempted to access information, they would not be able to do so, because control is entirely in the hands of both the line-of-business executive and IT.

Some less sophisticated identity architectures store information in a cache that updates periodically. This should not be confused with real-time.

5. Think privacy and compliance.

As companies deploy applications across different geographies (possibly different countries) and deal with sensitive information (financial, personal, healthcare-related), it is fundamental that the security infrastructure ensures privacy and compliance.

The security infrastructure should eliminate the risk of exposing sensitive data, whether by encrypting the network connections (say via SSL v3), by encrypting or hashing the particular data element in flight or as it is stored in the backend database or directory, or all of the above. Likewise, accessing sensitive applications or data should require stronger authentication mechanisms that mitigate identity theft and non-repudiation risks.

Furthermore, the compliance requirements that most companies face call for a flexible security infrastructure that can audit each and every event at a granular level, preserving the identity of the end user, and likewise can provide reporting and mining tools that analyze this audit data warehouse and produce business-level reports that satisfy the needs of auditors or business stakeholders.

6. Consistent business rules are applied across the enterprise.

The issue of business rules is very important. A robust Identity and Access Management solution will apply the same business rules and practices to its online business that it applies to business conducted offline, providing the flexibility to manage, evaluate and enforce access decisions for various applications via enforcement points.

Business rules are the core of your organization's operation, and should not change as a result of technology limitations. Oracle's best practice is to adopt a business-level, role-based security model that is abstracted from individual applications or systems, and that, through well-defined rules of inclusion, exclusion and exception, can map to specific entitlements or rights within specific applications. The Identity and Access Management solution should provide the framework to consistently manage and apply these rules as a part of an enterprise-wide infrastructure rather than as a vertical security "silo." Identity and Access Management cannot be an add-on or a down-the-line decision made when a company realizes that managing user identities could spin out of control.
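The two ideas in sections 4 and 6, a role-based model that maps to application entitlements through rules of inclusion, exclusion and exception, and the difference between a real-time access decision and one served from a periodically refreshed cache, are easier to reason about in code. The following Python sketch is an added illustration and is not Oracle's code or any Oracle product API; every user, role, entitlement, timestamp and the CachedEnforcer class are constructed for the example.

```python
"""Role-based entitlements with inclusion/exclusion/exception rules, and
real-time revocation versus a periodically refreshed cache.

Added illustration, not Oracle's code: every role, user, entitlement and
timestamp below is constructed for the example.
"""
from dataclasses import dataclass
import time


@dataclass
class Identity:
    user_id: str
    roles: set
    active: bool = True


# Rules of inclusion: holding a business role grants these application entitlements.
INCLUSION = {
    "accounts_payable": {"erp:invoice.read", "erp:invoice.submit"},
    "ap_manager": {"erp:invoice.read", "erp:invoice.approve"},
    "contractor": {"portal:timesheet.submit"},
}
# Rules of exclusion: a role that strips an entitlement even if another role grants it.
EXCLUSION = {
    "contractor": {"erp:invoice.approve"},
}
# Exceptions: named users granted one entitlement outside the role model,
# time-boxed (expiry as Unix time) so a forgotten exception lapses on its own.
EXCEPTION = {
    ("carol", "erp:invoice.approve"): 1_700_000_000 + 30 * 86400,
}


class IdentityStore:
    """Authoritative store; every access check reads the live identity record."""

    def __init__(self):
        self.users = {}
        self.audit = []  # (time, user, entitlement, allowed, reason)

    def add(self, ident):
        self.users[ident.user_id] = ident

    def deprovision(self, user_id):
        """Leaver: flips the record; the next real-time check sees it immediately."""
        self.users[user_id].active = False

    def entitlements(self, user_id, now=None):
        ident = self.users.get(user_id)
        if ident is None or not ident.active:
            return set()
        now = time.time() if now is None else now
        granted = set()
        for role in ident.roles:
            granted |= INCLUSION.get(role, set())
        for role in ident.roles:
            granted -= EXCLUSION.get(role, set())
        for (uid, ent), expiry in EXCEPTION.items():
            if uid == user_id and now < expiry:
                granted.add(ent)
        return granted

    def check(self, user_id, entitlement, now=None):
        """Real-time decision, audited against the specific identity."""
        ident = self.users.get(user_id)
        allowed = entitlement in self.entitlements(user_id, now)
        if ident is None:
            reason = "unknown identity"
        elif not ident.active:
            reason = "identity deprovisioned"
        else:
            reason = "granted" if allowed else "not entitled"
        self.audit.append((now, user_id, entitlement, allowed, reason))
        return allowed


class CachedEnforcer:
    """Per-application snapshot refreshed every `ttl` seconds: the
    'periodically updated cache' the text warns must not be mistaken for real time."""

    def __init__(self, store, ttl):
        self.store, self.ttl = store, ttl
        self.snapshot, self.refreshed_at = {}, None

    def check(self, user_id, entitlement, now):
        if self.refreshed_at is None or now - self.refreshed_at >= self.ttl:
            self.snapshot = {u: self.store.entitlements(u, now) for u in self.store.users}
            self.refreshed_at = now
        return entitlement in self.snapshot.get(user_id, set())


def leaver_scenario():
    """Alice submits invoices, then leaves; compare real-time and cached answers."""
    store = IdentityStore()
    store.add(Identity("alice", {"accounts_payable"}))
    cache = CachedEnforcer(store, ttl=300)
    t0 = 1_700_000_000
    before = (store.check("alice", "erp:invoice.submit", t0),
              cache.check("alice", "erp:invoice.submit", t0))
    store.deprovision("alice")  # leaves the company ten seconds later
    after = (store.check("alice", "erp:invoice.submit", t0 + 10),
             cache.check("alice", "erp:invoice.submit", t0 + 10))
    return before, after  # ((True, True), (False, True)): the cache still lets her in
```

The exclusion rule is applied after all inclusions, so a contractor who is also (mis)assigned the ap_manager role still never receives erp:invoice.approve, and the exception entry carries its own expiry so it cannot quietly become permanent. The leaver scenario is the point of section 4: the authoritative store denies the deprovisioned user on the very next request, while the cached enforcer keeps answering from its snapshot until its refresh window expires.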

7. Centralized security lowers costs.

The first and foremost benefit of implementing the correct Identity and Access Management solution is cost reduction. How do companies achieve cost reduction? Cost reduction is generated primarily as a result of creating the Identity and Access Management infrastructure. In this model companies centralize Identity Management and Access Control for all Web-based applications. This means that rather than each application using its own individual infrastructure to manage users, roles and control access, the company creates a single, centralized Identity and Access Management infrastructure across the company, as well as the extended enterprise.

Once the Identity and Access Management infrastructure is in place it is much quicker and less expensive to turn on and deploy new applications. The new application can tie into a centralized architecture, creating a cost-effective way to ensure compliance. Furthermore, the same infrastructure can be leveraged as a collection of services in a Service-Oriented Architecture (SOA), where applications can consume identity information or enforce access control rules by invoking services of the Identity and Access Management infrastructure.

In addition, it is important to understand the cost savings of single sign-on. Single sign-on across multiple domains allows users access to an entire suite of applications after signing on only once. Single sign-on can be applied across portal networks so the user can access any number of applications through a portal. One Oracle customer, a large aerospace manufacturer, is saving close to $4 million per month, consolidating 7 passwords down to one, and providing single sign-on to Web applications for more than 130,000 employees.

8. Administrative costs must be equitably distributed among partners.

The Identity and Access Management infrastructure should provide the systems, controls, and practices required to keep pace with the sheer magnitude of changes necessary in a large, diverse, distributed environment. For example, Oracle Access Manager features delegated administration for managing changes to personal identity information for users, groups, and organizations.

Through delegated administration the responsibility of maintaining identity information (such as a person's title and phone number) and security information (such as different access rights for tier-1 and tier-2 partners) can be delegated throughout a network of internal and external users. Delegated administration also gives companies maximum flexibility to align Identity and Access Management practices with their established business processes. For example, Oracle Access Manager allows an e-Business to precisely control:

- Which individual attributes different people are allowed to control, based on business rules
- Which interface different users see
- And even the ability to assign temporary responsibilities while personnel are out of the office

9. Automated approval processes save time and money.

By having an automated workflow solution for approval processes, many formerly manual processes become automated, again driving the savings of time and money. The value of this functionality with regard to security is that these processes can ultimately determine a user's level of access to a system, and can be used to enforce segregation of duties as it relates to managing user access.

Companies should be able to set up specific, easily scalable workflow processes consisting of one or more related steps to implement, approve, and execute tasks. These tasks may include creation, deletion, and modification of identities (users, groups, accounts or roles); user self-registration; partner (company) self-registration; and subscribing to or unsubscribing from groups or roles.

Because these workflows can be made available transparently to internal or external users, e-Business constituents do not have to know where to send requests for changes to their identity profiles. Furthermore, exposing these processes as services in a SOA environment, in which applications hosted within the intranet or outside the firewall can trigger these workflows, further automates and integrates a consistent process for managing user access throughout the enterprise, without imposing changes on existing applications. For instance, several Financial Services customers leverage a SOAP-based interface in Oracle Access Manager, called IdentityXML, to provide a seamless experience of creating and updating user profiles from within their several branded portals and applications, while following a consistent user and access management process.
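Section 9 says an approval workflow can both decide a user's level of access and enforce segregation of duties. The Python below is an added example of what that enforcement looks like inside a multi-step approval; it is not Oracle Access Manager's workflow engine or the IdentityXML interface, and the workflow definitions, toxic-role pairs, users and roles are all constructed.

```python
"""Access-request workflow with segregation of duties (SoD) enforced in the
approval steps.

Added illustration, not Oracle Access Manager's workflow engine: the roles,
users, workflow definitions and toxic-role pairs are all constructed.
"""
from dataclasses import dataclass, field

# Approval chain per requested role: the role an approver must hold at each step.
WORKFLOWS = {
    "ap_manager": ["line_manager", "finance_controller"],  # two-step approval
    "portal_user": ["line_manager"],                       # one-step approval
}
# Role combinations one identity must never hold at once.
TOXIC_PAIRS = {
    frozenset({"accounts_payable", "ap_manager"}),  # submit and approve invoices
    frozenset({"vendor_create", "invoice_pay"}),    # create a payee and pay it
}


@dataclass
class Request:
    request_id: int
    requester: str
    target_role: str
    approvals: list = field(default_factory=list)  # (step, approver)
    state: str = "pending"


class Workflow:
    def __init__(self, user_roles):
        self.user_roles = user_roles  # identity store: user -> set of roles
        self.requests, self.audit, self._next_id = {}, [], 1

    def submit(self, requester, target_role):
        """Self-service request; SoD conflicts are refused before any approver sees it."""
        if target_role not in WORKFLOWS:
            raise ValueError(f"no workflow defined for role {target_role!r}")
        req = Request(self._next_id, requester, target_role)
        self._next_id += 1
        self.requests[req.request_id] = req
        held = self.user_roles.get(requester, set())
        for pair in TOXIC_PAIRS:
            if target_role in pair and (pair - {target_role}) <= held:
                req.state = "rejected"
                self._log(req, requester, "rejected: toxic role combination")
                break
        else:
            self._log(req, requester, "submitted")
        return req

    def approve(self, request_id, approver):
        req = self.requests[request_id]
        steps = WORKFLOWS[req.target_role]
        if req.state != "pending":
            return self._log(req, approver, "denied: request is not pending")
        if approver == req.requester:
            return self._log(req, approver, "denied: requester cannot approve own request")
        if any(a == approver for _, a in req.approvals):
            return self._log(req, approver, "denied: one person cannot satisfy two steps")
        step = steps[len(req.approvals)]
        if step not in self.user_roles.get(approver, set()):
            return self._log(req, approver, f"denied: step requires role {step!r}")
        req.approvals.append((step, approver))
        if len(req.approvals) == len(steps):
            req.state = "approved"
            # Provisioning happens only here, after the last step has been approved.
            self.user_roles.setdefault(req.requester, set()).add(req.target_role)
            return self._log(req, approver, "approved and provisioned")
        return self._log(req, approver, f"step {step!r} approved, awaiting next step")

    def _log(self, req, actor, outcome):
        self.audit.append((req.request_id, actor, outcome))
        return outcome


def sample_run():
    """Constructed walk-through; returns (alice's roles afterwards, outcome log)."""
    users = {"alice": set(), "bob": {"line_manager"},
             "eve": {"line_manager", "finance_controller"},
             "frank": {"finance_controller"}, "gina": {"accounts_payable"}}
    wf = Workflow(users)
    req = wf.submit("alice", "ap_manager")
    wf.approve(req.request_id, "alice")   # denied: self-approval
    wf.approve(req.request_id, "eve")     # step 1 by eve
    wf.approve(req.request_id, "eve")     # denied: eve cannot also perform step 2
    wf.approve(req.request_id, "frank")   # step 2: request provisioned
    wf.submit("gina", "ap_manager")       # rejected: gina already submits invoices
    return users["alice"], [o for _, _, o in wf.audit]
```

Three separate controls are doing the SoD work: the requester can never be an approver of their own request, one person cannot satisfy two steps of the same chain even if they hold both approving roles, and a request that would leave the requester holding a toxic role pair is rejected at submission rather than discovered at audit time. Every decision, including the denials, lands in the audit list with the acting identity, which is what the compliance reporting in section 5 needs.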

10. Infrastructure services can be re-used.

By building Identity and Access Management as a services infrastructure in a SOA-enabled environment, companies can leverage the same framework used to control and manage identity information within their Enterprise Service Bus, where the integration and orchestration of commonly used services within greater business services not only saves money and time by re-using common services, but also furthers the business value of the Identity and Access Management solution. At the same time, this approach allows for consistency in authorization and auditing, as the identity of the end actor is preserved throughout the service processing.

An insurance company is able to authenticate users logging into its extranet portal and provide them single sign-on to a number of applications through Oracle Access Manager. As users interact with applications and trigger transactions via SOAP messages, the middleware layer servicing these transactions understands the user session that is part of the security header of the SOAP message and connects to Access Manager to validate the session and verify that the user is indeed authorized to perform the operation, after which it proceeds with the actual transaction. Now the same service can be triggered by a different application hosted in the internal portal. This model makes security ubiquitous and transparent to the application, and application development is streamlined as it is basically re-using and integrating common services.
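The insurance example above describes a specific sequence: the middleware reads the session from the SOAP security header, asks the central access manager to validate it and to authorize the operation, and only then runs the transaction. The Python below is an added example of that sequence and is not Oracle Access Manager, IdentityXML, or the customer's code. The SOAP 1.1 and WS-Security namespaces are the real ones; carrying the session as an opaque string inside a wsse:BinarySecurityToken element, the token format (user, expiry, HMAC), and the AccessManager class are constructed stand-ins for the product's actual header layout and session service.

```python
"""Validating the session carried in a SOAP security header before the
middleware executes the requested operation.

Added example, not Oracle Access Manager or its IdentityXML interface: the
envelope layout, the token format and the AccessManager class are
constructed stand-ins for the central session and authorization service.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}


class AccessManager:
    """Stand-in for the central access manager: issues, validates and revokes
    sessions and answers authorization questions. Constructed for the example."""

    def __init__(self, secret):
        self.secret = secret          # HMAC key held only by the access manager
        self.sessions = {}            # live token -> user (logout removes the entry)
        self.user_roles = {"alice": {"policyholder"}, "bob": {"adjuster"}}
        self.policy = {"ClaimSubmit": {"policyholder", "agent"}, "ClaimApprove": {"adjuster"}}
        self.audit = []

    def login(self, user, now, ttl=900):
        payload = f"{user}:{now + ttl}"
        mac = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        token = f"{payload}:{mac}"
        self.sessions[token] = user
        return token

    def logout(self, token):
        self.sessions.pop(token, None)

    def validate(self, token, now):
        """Return the user for a live, untampered, unexpired session, else None."""
        parts = token.split(":")
        if len(parts) != 3:
            return self._deny(token, "malformed")
        user, expiry, mac = parts
        expected = hmac.new(self.secret, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return self._deny(token, "bad signature")
        if now >= int(expiry):          # expiry is trusted only after the MAC check
            return self._deny(token, "expired")
        if token not in self.sessions:
            return self._deny(token, "logged out")
        return user

    def authorize(self, user, operation):
        return bool(self.policy.get(operation, set()) & self.user_roles.get(user, set()))

    def _deny(self, token, reason):
        self.audit.append(("session rejected", token[:12], reason))
        return None


def extract_token(envelope_xml):
    root = ET.fromstring(envelope_xml)
    node = root.find("soap:Header/wsse:Security/wsse:BinarySecurityToken", NS)
    return None if node is None or not (node.text or "").strip() else node.text.strip()


def operation_name(envelope_xml):
    body = ET.fromstring(envelope_xml).find("soap:Body", NS)
    return body[0].tag.split("}")[-1]  # strip the XML namespace from the first child


def handle(envelope_xml, am, now):
    """Middleware entry point: validate the session, authorize, only then execute."""
    token = extract_token(envelope_xml)
    if token is None:
        return ("rejected", "no security token")
    user = am.validate(token, now)
    if user is None:
        return ("rejected", "invalid or expired session")
    op = operation_name(envelope_xml)
    if not am.authorize(user, op):
        return ("rejected", f"{user} not authorized for {op}")
    return ("ok", f"{op} executed for {user}")  # the real transaction would run here


def envelope(token, operation):
    """Build a constructed SOAP 1.1 envelope of the kind a client portal would send."""
    tok = "" if token is None else f"<wsse:BinarySecurityToken>{token}</wsse:BinarySecurityToken>"
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}">'
            f"<soap:Header><wsse:Security>{tok}</wsse:Security></soap:Header>"
            f'<soap:Body><{operation} xmlns="urn:example:claims"/></soap:Body></soap:Envelope>')
```

The middleware never trusts anything in the header on its own: it hands the token back to the access manager, which checks integrity before it reads the expiry, checks the expiry before it consults the live session table, and only answers the authorization question for a session it has just validated. Because the same handle() path serves the extranet portal and the internal portal, the user's identity reaches the audit record regardless of which application triggered the transaction, which is the consistency the section is arguing for.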

Bottom line

Oracle customers have seen clear and tangible cost reduction after deploying Oracle's Identity and Access Management solution. For example, CUNA Mutual provides a variety of financial services to 97% of the credit unions in the United States. After they implemented Oracle Access Manager, they were able to reduce annual costs by $500,000 to support the identity administration needs of their 2000 employees. Perhaps more significantly, by leveraging the self-service and automated aspects of Access Manager for managing the user rights of their client credit unions and their consumers, they were able to save roughly $3-4 million in annual help desk support calls.

Earlier we discussed a large aerospace manufacturer that is saving close to $4 million per month, consolidating 7 passwords down to one and providing single sign-on to Web applications for worldwide employees.

Similarly, Southwest Airlines is seeing cost reductions in two very important ways. First, the airline estimates a cost savings of nearly $1.2 million per month for reduced password and identity administration costs for their employees. Next, they have driven down cost and achieved competitive advantage by allowing their mechanics to have seamless access to plane maintenance information on their aircraft supplier's Web portal by leveraging Oracle Identity Federation. Southwest's IT administrators do not have to duplicate the management of mechanics' identities and access rights at both Southwest and the aircraft supplier. This information can be managed and

Top 10 Ways to Increase Enterprise Security While Reducing Cost
November 2005
Authors: Wynn White, Frank Villavicencio, Hormazd Romer

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright 2005, Oracle. All rights reserved.

This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle, JD Edwards, and PeopleSoft are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.