oracle tech fmw-05-idm-neum-16.04.2010
TRANSCRIPT
Oracle Identity Management: Improving Security and Compliance
Duško Vukmanović, Senior Sales Consultant
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Data Breach
More breaches than ever…
Once exposed, the data is out there – the bell can’t be un-rung
[Chart: Publicly Reported Data Breaches, 2005–2008 – Total Personally Identifying Information Records Exposed (Millions); 630% increase]
Source: DataLossDB, Ponemon Institute, 2009 - http://datalossdb.org
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Average cost of a data breach $202 per record
Average total cost exceeds $6.6 million per breach
More threats than ever…
70% of attacks originate inside the firewall
90% of attacks are perpetrated by employees with privileged access
More regulations than ever…
• Federal, state, local, industry…adding more mandates every year!
• Need to meet AND demonstrate compliance
• Compliance costs are unsustainable
Report and audit?
Source: IT Policy Compliance Group, 2007.
90% Companies behind in compliance
Higher Costs Than Ever…
• User Management Costs
• User Productivity Costs
• Compliance & Remediation Costs
• Security Breach Remediation Costs
It Adds Up $
IdM Delivers Sustainable Compliance
• Enforces Segregation of Duties
• Restricts Access
• Automates access management
• Automates compliance reports
• Automates attestation
IdM Centralizes & Strengthens Security
• Centralized security and policy management
– Consistent policies enforced across enterprise
– Accelerated compliance with evolving mandates
• Automated provisioning / de-provisioning
– Role based user provisioning and de-provisioning
– Automated updates triggered by user status change
• Single Sign-On, Delegated Administration, Risk-based Access
– Reduce password compromises
– Delegate policy administration to business owners
– Proactively defend against sophisticated security threats
IdM Streamlines IT Efficiency
• Lower Administrative costs
– Cost savings via reduced help desk calls
– Automated and aggregated audit reporting
• Enhanced User Productivity
– Reduce time to access systems from days to minutes
– Automated provisioning – 212% ROI within 6 months¹
• Enhanced IT Productivity
– Developers re-use centralized security functions
– Accelerated application deployments
¹ Forrester Research Report – TEI Study of Oracle Identity Manager 2008
Oracle Security Inside Out
[Diagram: security layers from Infrastructure to Information]
• Databases – Database Security: Encryption and Masking; Privileged User Controls; Multi-Factor Authorization; Activity Monitoring and Audit; Secure Configuration
• Applications – Identity Management: User Provisioning; Role Management; Entitlements Management; Risk-Based Access Control; Virtual Directories
• Content – Information Rights Management: Document-level access control; All copies, regardless of location (even beyond the firewall); Auditing and revocation
Oracle’s Identity Management – Comprehensive Suite of Best-Of-Breed Products
[Diagram: Identity & Access Management Suite]
• Access Management: Access Manager; Adaptive Access Manager; Enterprise Single Sign-On; Identity Federation; Entitlements Server
• Identity Administration: Identity Manager; Role Manager
• Directory Services: Internet Directory; Virtual Directory
• Audit & Compliance
• Manageability: Enterprise Manager IdM Pack
Oracle Identity Administration – Sustainable Compliance With High ROI
[Diagram: Identity & Role Reconciliation – Identity Data is reconciled from HR Applications, Directory Server, Applications, Physical Security, Databases & OS/Legacy, and Other Sources]
• Automate Roles Based Provisioning / Deprovisioning
• Identify orphaned accounts
• Report on “Who has access to what”
• Self-service requests
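The joiner/leaver reconciliation these bullets describe, as an added example rather than Oracle Identity Manager code: an HR feed (the authoritative source), a role model and a snapshot of application accounts are reconciled into GRANT and REVOKE actions, orphaned accounts, and a "who has access to what" report. All identities, roles, applications and data below are constructed for illustration.

```python
"""Role-based provisioning / de-provisioning reconciliation (added example, not Oracle's code)."""

# Constructed HR feed: employee id -> (status, business role)
HR_FEED = {
    "e100": ("active", "finance_analyst"),
    "e200": ("active", "sales_rep"),
    "e300": ("terminated", "finance_analyst"),
}

# Constructed role model: business role -> IT entitlements (application accounts)
ROLE_MODEL = {
    "finance_analyst": {"general_ledger", "email"},
    "sales_rep": {"crm", "email"},
}

# Constructed snapshot reported by target applications: app -> accounts present
APP_ACCOUNTS = {
    "general_ledger": {"e100", "e300"},
    "crm": {"e200", "e999"},
    "email": {"e100", "e300"},
}


def desired_state(hr_feed, role_model):
    """Entitlements each identity should hold: only active users get their role's apps."""
    desired = {}
    for emp, (status, role) in hr_feed.items():
        desired[emp] = set(role_model.get(role, ())) if status == "active" else set()
    return desired


def reconcile(hr_feed, role_model, app_accounts):
    """Return (grants, revokes, orphans) as sorted lists of (employee, app) pairs."""
    desired = desired_state(hr_feed, role_model)
    grants, revokes, orphans = [], [], []
    for app, holders in app_accounts.items():
        for emp in holders:
            if emp not in hr_feed:
                orphans.append((emp, app))      # account with no HR identity behind it
            elif app not in desired[emp]:
                revokes.append((emp, app))      # terminated, or role no longer needs it
    for emp, apps in desired.items():
        for app in apps:
            if emp not in app_accounts.get(app, set()):
                grants.append((emp, app))       # role says yes, application says no account
    return sorted(grants), sorted(revokes), sorted(orphans)


def access_report(app_accounts):
    """'Who has access to what': identity -> sorted list of applications."""
    report = {}
    for app, holders in app_accounts.items():
        for emp in holders:
            report.setdefault(emp, []).append(app)
    return {emp: sorted(apps) for emp, apps in report.items()}
```

Running `reconcile(HR_FEED, ROLE_MODEL, APP_ACCOUNTS)` yields one grant for the active sales rep, two revokes for the terminated analyst, and the CRM account with no HR record as an orphan.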
Role Based User Provisioning
[Diagram: an Employee Joins / Departs in the HR System; Approval Workflows run in Oracle Identity Manager, which issues GRANT / REVOKE to each of the Applications]
Automated De-Provisioning – Identity Lifecycle Management
[Diagram: a Terminated Employee in the HRMS is picked up by the Reconciliation Engine and Identity Store; the Provisioning Workflow drives Connectors that revoke Applications, plus a Manual Task that revokes the cell phone]
Self Service and Delegated Admin
• Self Service Account Requests
• Delegated Administration
• Password Reset and Profile Management
[Screenshots: Delegated Admin – manager assigning proxy user; Self-Service – user doing password reset]
Role Management
• Centralized role management
• Role and rule-based provisioning
• Map business roles to IT roles & privileges
• Multi-dimensional role hierarchies
[Diagram: Business Role, Assigned Project and Location map to application privileges in the General Ledger App, CRM App, UK Benefits App, E-mail App, Packaged Apps, Custom Apps and Portals]
Oracle Access Management Suite – Centralized Security and Improved Business Agility
[Diagram: Oracle Access Management Suite in front of the applications – Secure Mutual Authentication; Kerberos & Basic Auth.; Biometric; Smart Card; Entitlements Management; Risk-based Strong Authentication; Single Sign On Across Enterprise; Standards-based Federation]
Entitlements Management
Before:
• Hard-coded security policies
• Brittle policy management
• Application policy silos
After:
• Externalized entitlements
• Agile business policies
• Centralized policy management
Challenges With Entitlements
• Are subject to massive proliferation & “creep”
• Need to rely upon lots of context before making a decision
• Must work hand-in-hand with your existing Identity Management and Provisioning solutions
• Should be consistent across implementations
• Policies can and do evolve independently from your application’s requirements
• Entitlements implemented inside your application code are hard to change
Bottom Line:
Changing your policies means changing your applications
Oracle Access Management Suite – Risk Scoring
Risk-Based Access Control
[Diagram: Device, Geography, Time and Activity signals feed Secure Mutual Authentication and Risk-Based Authorization]
• Real time fraud prevention
• “Auto Learning” behavior profiling
• Pattern and anomaly detection
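One way to make the entitlements “before / after” argument and the risk-based access control slide concrete, as an added example that is not Oracle Entitlements Server or Adaptive Access Manager code: the application only calls `is_permitted(...)`, while the rules, the risk ceilings and the device / geography / time / activity weights live in an externalized policy that can change without touching application code. The policy, risk weights, behaviour profile and sample requests are constructed assumptions.

```python
"""Externalized entitlements with risk-based authorization (added example, not Oracle's code)."""

# Constructed externalized policy: in practice loaded from a policy store, not compiled in
POLICY = {
    "rules": [
        {"roles": {"finance_analyst"}, "action": "read", "resource": "ledger", "max_risk": 60},
        {"roles": {"finance_analyst"}, "action": "post", "resource": "ledger", "max_risk": 30},
    ],
    "known_countries": {"GB", "DE"},      # countries the business operates from
    "business_hours": range(7, 20),       # hour-of-day window considered normal
}

# Constructed behaviour profile: what "normal" looks like per user (auto-learned in a real product)
PROFILE = {"alice": {"devices": {"dev-laptop-1"}, "countries": {"GB"}}}


def risk_score(user, ctx, policy=POLICY, profile=PROFILE):
    """Add up risk from the four signal families: device, geography, time, activity (0..100)."""
    known = profile.get(user, {"devices": set(), "countries": set()})
    score = 0
    if ctx["device"] not in known["devices"]:
        score += 30                                   # unregistered device
    if ctx["country"] not in known["countries"]:
        # new country for this user; worse still if the business has no presence there
        score += 25 if ctx["country"] in policy["known_countries"] else 50
    if ctx["hour"] not in policy["business_hours"]:
        score += 15                                   # off-hours access
    if ctx.get("failed_logins", 0) >= 3:
        score += 20                                   # suspicious activity pattern
    return min(score, 100)


def is_permitted(user, roles, action, resource, ctx, policy=POLICY):
    """Policy decision: some rule matches the role/action/resource and the request stays under its risk ceiling."""
    score = risk_score(user, ctx, policy)
    for rule in policy["rules"]:
        if (roles & rule["roles"] and rule["action"] == action
                and rule["resource"] == resource and score <= rule["max_risk"]):
            return True
    return False
```

Lowering a `max_risk` or adding a rule changes what the application enforces without redeploying it, which is the point of the “after” column.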
Oracle Directory Services – Rapid Application Deployment Accelerates IT Agility
[Diagram: Oracle Virtual Directory, administered through Directory Services Manager, sits between Any Application and the identity stores (Multiple DBMS, Multiple Directories, HR Applications, Mainframe/Legacy)]
• Virtualizes access to identity stores
• Dynamically binds at runtime
• Standard LDAP & Java APIs
Audit And Compliance Features (1/2)
• Integrated architecture and data store
– High performance
– Integrate once for compliance and provisioning
– Aggregated audit and compliance data
– OOTB process automation integration
• Audit data capture
– User profile and group history
– User membership history
– User entitlement history
– Attestation review and action history
– Form versioning
– Workflow task status history
Audit And Compliance Features (2/2)
• Reporting framework
– Pluggable and customizable architecture for standard reports
– 3rd party reporting tools support
– Out-of-the-box reporting DB with 37 reports
• Attestation
– Entitlement review
– User centric and/or application centric reviews
– Out-of-the-box delegate and decline processes
– Fully integrated to workflow engine
• Denial access policy
– Prevention of non-compliant accounts and privileges
Web-Based Attestation
[Diagram of the attestation cycle]
1. Set Up Periodic Review – Who reviews it? What is reviewed? Start when? How often?
2. Reviewer Is Notified, goes to Self Service – Reviewer Selections: Certify, Reject, Decline, Delegate; Comments; Delegation Paths; Attestation Actions
3. Automated Action is taken based on Periodic Review – Notify Delegated Reviewer; Notify the Process Owner; Automatically Terminate User; Email Result to User
4. Report Built and Results Stored in DB – Archive Attested Data
Attestation
Certification Data
• User Attributes
• Role Memberships
• Role Based Entitlement Grants
• Exception Entitlement Grants
• Role Definition
• Role Entitlement Mapping
Scheduling
• Periodic Scheduling
• Event Based Attestation for On-Boarding, Transfers & Termination
• Reminders & Escalations
• Spreadsheet Exports
360 Degree View
• Business Glossary
• Audit Exceptions
• Historical Data
• Approval Data
• Attestation Dashboards for Compliance Officers
• Closed Loop Remediation with OIM Integration
Information Rights Management – Securing Data Beyond the Application
• Document-level access control
• All copies, regardless of location (even beyond the firewall)
• Auditing and revocation
[Diagram: Oracle IRM Server, integrated with Oracle Identity Management and the Applications, is administered by Business Managers or IT Admins through the Oracle IRM Management Console; content is Sealed, Distributed and Audited; Users open it with Oracle IRM Desktop, which keeps a secure offline cache with automatic sync of rights/audit]
Information Centric Security Solutions
• Databases – DATABASE SECURITY: Encryption and Data Masking; Access Control and Authorization; Activity Monitoring
• Applications – IDENTITY AND ACCESS MANAGEMENT: Identity Administration; Directory Services; Access Management
• Content – INFORMATION RIGHTS MANAGEMENT: Centralized Document Access Control; Revocation (Digital Shredding); Document Activity Monitoring and Audit
Investing in Security Pays Off in Sustainable Compliance
[Diagram: Oracle Security Solutions – Enforce Controls, Streamline Processes, Automate Reporting, Monitor Controls]
Enforce Controls
• Segregation of duties
• Access control
Streamline Processes
• Attestation / Recertification
Automate Reporting
• Out-of-the-box compliance reports
• Customized reports
Monitor Controls
• Who accessed what?
• Who changed what?
Identity Management Market Leader
[Charts: User Provisioning, H2 2008; Web Access Management, H2 2008]
“Oracle assumes the No. 1 position”
– Earl Perkins, Perry Carpenter, Aug. 15 2008 (Research G00159740)
“Oracle is currently the IdM vendor to beat”
– Burton VantagePoint 2008: Identity and Privacy Trends
“Oracle has established itself as Leader.”
– The Forrester Wave: Identity And Access Management, Q1 2008
Questions
For More Information
• Visit the Oracle Fusion Middleware 11g web site at http://www.oracle.com/fusionmiddleware11g
• Oracle Fusion Middleware on oracle.com www.oracle.com/middleware
• Oracle Fusion Middleware on OTN http://otn.oracle.com/middleware
Get Started
• Visit the Oracle IdM Website at: http://oracle.com/identity
• Technical information available at: http://otn.oracle.com/
• Talk to an Oracle IdM Specialist: 1-800-633-0738
• View demos, videos, iSeminars, whitepapers: http://oracle.com/identity
Resources