News from the Oracle Identity Governance Suite
The following is intended to outline our general product direction.
It is intended for information purposes only, and may not be
incorporated into any contract. It is not a commitment to deliver
any material, code, or functionality, and should not be relied
upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
• Complete Identity Governance
• Collaborative Access Certification
• Common Governance Infrastructure
• Secure Privileged Account Management
• Enhanced Performance
• Websphere Certification
[Figure: Identity Governance wheel with Automated Provisioning, Privileged Account Management, Intuitive Access Request, Role Management, Approvals Workflow]
Oracle Identity Governance: Governance Platform
[Figure: Access Catalog (Ownership, Risk & Audit Objectives; Catalog Management of Accounts, Roles, Glossaries, Entitlements); Manage Access (Access Request, Privileged Account Request, Role Lifecycle Management, Check-in/Checkout); Monitor Access (Identity Certifications, IT Audit Monitoring, Rogue Detection & Reconciliation, Reporting & Privileged Access Monitoring)]
Oracle Identity Governance 11gR2 PS1 Overall Goals, Themes & Features
Single Catalog
• Enable Access Request, Access Review & Provisioning on a common data model and eliminate the need for synchronization of common identity data
Converged Identity Certification, called “Identity Auditor”
• Enable Identity Certification features on the Common Data Model, while harnessing the power of Oracle technologies such as ADF, OES, SOA and others to make it consistent with OIM
• Enable non-technical end users with ADF tools to perform business-friendly, patch-safe UI customizations
Business-IT Collaboration in Certifications
• Further innovate the Certification feature to introduce workflow-based sign-off and delegation capabilities for both business & technical reviewers, by leveraging the power of SOA
Identity Auditor in 11gR2 PS1: Business User Friendliness
Usability Enhancements
• Universal SOA Inbox for organizing governance-related tasks
• Customization/Personalization of Certification UI
• Inline Certification Analytics: Cert History, Action History and Risk Analytics using ADF Charts
• Further assistance to deal with massive data
• MS Excel Export/Import
• Filter/Search/Sort on a consolidated table of all users and their access data
Workflow Enhancements
• Workflow support to allow Business and IT to collaborate on the same certification campaign
• Delegation support at all levels: Full Certification, Subset of Users, Subset of Access
• Escalations, Notifications & Proxies using SOA
Oracle Identity Governance Platform Suite
[Figure: Oracle Identity Manager (Reconciliation, Provision, Access Request, Identity Administration) connected to ERP, DB and Mainframes, Fusion Applications and Cloud Applications; Oracle Identity Analytics (Access Certification, Role Lifecycle, Monitoring Dashboards, Segregation of Duties); Oracle Privileged Account Manager (Policy Management, Password Check-in/Check-out); Access Certification spanning the suite]
Oracle Identity Governance Risk-based Certification
[Figure: identity data sources (Mainframe, DB, Applications) feed the Identity Warehouse (Roles, Entitlements, Resources, Certification History, Provisioning Events, Policy Violations); Risk Factors are combined by Risk Aggregation; a Low Risk User is handled by Bulk Certify (Approve/Reject), a High Risk User by Cert360 Focused Sign-off]
Oracle Identity Manager 11g R2 Identity Auditor: Certification Configuration
• Familiar OIM interface for configuring certification campaigns
• Additional controls: optional 2-phase (business, IT / data owners) review, final challenge stage and final sign-off
• Fine-grained control over entitlement certifications, e.g. privileged accounts
Certification
• Configuration: define a name for the certification and the type of certification (User, Application Instance, Role, Entitlement).
• Configuration: select the base selection, i.e. the constraints that dictate which entities are included in the certification.
• Configuration: select whether to include users with no accounts; this helps identify orphan accounts. Then select Roles, App Instances and Entitlements.
• Configuration: the global definition is displayed first and can be modified as needed. Note the "Prevent self certification" option; multi-phase review can be enabled here.
• Configuration: select the Phase 1 reviewer (Business Certification). Optionally enable Phase 2 (IT Certification). Optionally enable a Final Review (Business Certification), which has a view on both Phase 1 & 2 and can override the Phase 2 decision.
• Configuration: enable incremental certification to certify only items changed within a date range. Enabling "Show Previous Values" displays all current values that existed in previous certifications together with the last decisions taken for that access.
• Multi-Phased Review: business and IT collaborative access review for User certification.
o Allows combining, within a single certification, the perspectives of business-oriented and technical reviewers.
o Allows a certifier to retain overall responsibility while delegating decisions to others.
o Phases are optional.
• Business Review
o Required first phase of review.
o Typically the manager of each user.
• Technical Review
o Optional second phase of review.
o Typically the owner or an authorizer of each privilege.
• Final Review
o Optional final phase of review.
o Primary reviewer from the first phase.
o Can override decisions made in technical review.
With Great Power Comes Great Risks
[Figure: Root Access over Databases, Directory Servers, Unix Servers]
• Privileged accounts are a key entry point for fraud
• Difficult to monitor shared accounts across multiple administrators
• Excessive access privileges are the number one attack vector against databases
Introducing Oracle Privileged Account Manager
• Secure vault to centrally manage passwords for privileged (exclusive or shared) accounts
• Targets include Databases, Operating Systems and LDAP Directories, Oracle FMW applications
• Multiple access points for OPAM users and administrators
• Automatic password change using Identity Connector Framework
• Policy-based password check-out and check-in
• Flexible usage policies
• Customizable audit reports through BI Publisher and real-time status
• Extension to Identity Governance: OIM and OIA integration for complete governance
A Typical Use Case
[Figure: LDAP Server, Oracle Privileged Account Manager, HR Application Database and Unix Server, with the following flow]
• The user requests the DBA password for the HR App Database; OPAM verifies that the OPAM user is in the HR DBA role and returns the DBA password.
• The user logs in as DBA and adds a table to the DB; the system runs out of space.
• The user requests the UNIX password; OPAM returns it. The user logs in as superuser on the Unix Server and adds disk space.
• The user checks in the passwords; OPAM sets a new DBA password for the HR App Database based on the password policy for the HR App Database.
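The check-out/check-in flow of the use case, as an added example that is not part of the slides and not OPAM's implementation: a vault that grants a privileged password only to users in the account's allowed role, treats the account as exclusive while it is checked out, rotates the password on check-in according to a per-target password policy, pushes the new password to the target through a callback that stands in for the Identity Connector Framework, and records every event for audit reporting. Class names, the policy shape, the users (jsmith, other_dba, intern) and the role names are assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class PasswordPolicy:
    """Per-target password policy (assumed shape)."""
    length: int = 16
    require_digit: bool = True
    require_symbol: bool = True

    def validate(self, pw: str) -> bool:
        return (len(pw) >= self.length
                and (not self.require_digit or any(c.isdigit() for c in pw))
                and (not self.require_symbol or any(c in string.punctuation for c in pw)))

    def generate(self) -> str:
        alphabet = string.ascii_letters + string.digits + string.punctuation
        while True:  # draw until the policy is satisfied (CSPRNG via secrets)
            pw = "".join(secrets.choice(alphabet) for _ in range(self.length))
            if self.validate(pw):
                return pw


@dataclass
class PrivilegedAccount:
    target: str              # e.g. "HR App Database"
    name: str                # e.g. "DBA"
    allowed_role: str        # usage policy: the role a requester must hold
    policy: PasswordPolicy
    password: str
    checked_out_by: Optional[str] = None  # exclusive account: one holder at a time


class Vault:
    def __init__(self, user_roles: Dict[str, Set[str]],
                 set_password: Callable[[str, str, str], None]):
        self.user_roles = user_roles
        self.set_password = set_password  # stands in for the ICF connector call
        self.accounts: Dict[Tuple[str, str], PrivilegedAccount] = {}
        self.audit: List[Tuple[str, str, str, str]] = []  # (event, user, target, account)

    def add(self, acct: PrivilegedAccount) -> None:
        self.accounts[(acct.target, acct.name)] = acct

    def checkout(self, user: str, target: str, name: str) -> str:
        acct = self.accounts[(target, name)]
        if acct.allowed_role not in self.user_roles.get(user, set()):
            self.audit.append(("checkout-denied", user, target, name))
            raise PermissionError(f"{user} is not in role {acct.allowed_role}")
        if acct.checked_out_by not in (None, user):
            self.audit.append(("checkout-denied", user, target, name))
            raise RuntimeError(f"{name}@{target} is held by {acct.checked_out_by}")
        acct.checked_out_by = user
        self.audit.append(("checkout", user, target, name))
        return acct.password

    def checkin(self, user: str, target: str, name: str) -> None:
        acct = self.accounts[(target, name)]
        if acct.checked_out_by != user:
            raise RuntimeError("account is not checked out by this user")
        new_pw = acct.policy.generate()          # rotate on check-in per target policy
        self.set_password(target, name, new_pw)  # push to the target via the connector
        acct.password = new_pw
        acct.checked_out_by = None
        self.audit.append(("checkin", user, target, name))

    def status(self) -> Dict[str, Optional[str]]:
        return {f"{n}@{t}": a.checked_out_by for (t, n), a in self.accounts.items()}


def run_demo() -> dict:
    pushed: List[Tuple[str, str]] = []  # what the stand-in connector was asked to set
    vault = Vault(
        user_roles={"jsmith": {"HR DBA", "Unix Admin"}, "other_dba": {"HR DBA"}, "intern": set()},
        set_password=lambda target, name, pw: pushed.append((target, name)),
    )
    policy = PasswordPolicy()
    vault.add(PrivilegedAccount("HR App Database", "DBA", "HR DBA", policy, "initial-dba-pw"))
    vault.add(PrivilegedAccount("Unix Server", "root", "Unix Admin", policy, "initial-root-pw"))

    try:  # intern lacks the HR DBA role
        vault.checkout("intern", "HR App Database", "DBA")
        denied = False
    except PermissionError:
        denied = True
    dba_pw = vault.checkout("jsmith", "HR App Database", "DBA")  # logs in as DBA, adds table
    try:  # account is exclusive while jsmith holds it
        vault.checkout("other_dba", "HR App Database", "DBA")
        exclusive = False
    except RuntimeError:
        exclusive = True
    vault.checkout("jsmith", "Unix Server", "root")              # logs in as superuser, adds disk
    vault.checkin("jsmith", "Unix Server", "root")
    vault.checkin("jsmith", "HR App Database", "DBA")
    dba = vault.accounts[("HR App Database", "DBA")]
    return {
        "denied": denied,
        "exclusive": exclusive,
        "dba_rotated": dba.password != dba_pw,
        "new_dba_pw_ok": policy.validate(dba.password),
        "pushed": pushed,
        "status": vault.status(),
        "audit": [e[0] for e in vault.audit],
    }


if __name__ == "__main__":
    print(run_demo())
```

The rotation on check-in is what makes the checked-out password single-use: once jsmith checks it back in, the value that was handed out no longer opens the DBA account, and the audit list gives the real-time status and report data the OPAM slides describe.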
OPAM Benefits
• Enforce internal security policies and eliminate potential security threats from privileged users
• Cost-effectively enforce and attest to regulatory requirements
• Reduce IT costs through efficient self service and common security infrastructure
• Real-time usage reports
• Customizable audit reports with BI Publisher
www.facebook.com/OracleIDM
www.twitter.com/OracleIDM
blogs.oracle.com/OracleIDM
www.oracle.com/Identity