Neues von der Oracle Identity Governance Suite (What's New in the Oracle Identity Governance Suite)

Dr. Stephan Hausmann

Slide deck transcript (35 slides), uploaded 14-Mar-2022

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Agenda

• Oracle Identity Governance

• Access Reviews

• Privileged Account Management

• Q & A

Overview: Oracle Identity Governance

Complete Identity Governance

The Identity Governance platform combines Automated Provisioning, Privileged Account Management, Intuitive Access Request, Role Management and Approvals Workflow.

Highlights:

• Collaborative Access Certification
• Common Governance Infrastructure
• Secure Privileged Account Management
• Enhanced Performance
• WebSphere Certification

Oracle Identity Governance: Governance Platform

Access Catalog
• Ownership, Risk & Audit Objectives
• Catalog Management: Accounts, Roles, Glossaries, Entitlements

Manage Access
• Access Request
• Privileged Account Request
• Role Lifecycle Management
• Check-in/Checkout

Monitor Access
• Identity Certifications
• IT Audit Monitoring
• Rogue Detection & Reconciliation
• Reporting & Privileged Access Monitoring

Oracle Identity Governance 11gR2 PS1: Overall Goals, Themes & Features

Single Catalog
• Enable Access Request, Access Review & Provisioning on a common data model and eliminate the need to synchronize common identity data

Converged Identity Certification, called "Identity Auditor"
• Enable Identity Certification features on the Common Data Model, while harnessing Oracle technologies such as ADF, OES and SOA to make it consistent with OIM
• Enable non-technical end users to perform business-friendly, patch-safe UI customizations with ADF tools

Business-IT Collaboration in Certifications
• Further develop the Certification feature to introduce workflow-based sign-off and delegation capabilities for both business and technical reviewers, leveraging SOA

Identity Auditor in 11gR2 PS1: Business User Friendliness

Usability Enhancements
• Universal SOA Inbox for organizing governance-related tasks
• Customization/Personalization of the Certification UI
• Inline Certification Analytics: certification history, action history and risk analytics using ADF charts
• Further assistance in dealing with massive data volumes
• MS Excel export/import
• Filter/search/sort on a consolidated table of all users and their access data

Workflow Enhancements
• Workflow support so that Business and IT can collaborate on the same certification campaign
• Delegation support at all levels: full certification, subset of users, subset of access
• Escalations, notifications and proxies using SOA

Oracle Identity Governance Platform Suite

Oracle Identity Manager: Reconciliation, Provisioning, Access Request, Identity Administration

Oracle Identity Analytics: Access Certification, Role Lifecycle, Monitoring Dashboards, Segregation of Duties

Oracle Privileged Account Manager: Policy Management, Password Check-in/Check-out

Connected systems: ERP, DB and Mainframes; Fusion Applications; Cloud Applications

Access Reviews

Oracle Identity Governance: Risk-based Certification

Identity data sources (Mainframe, DB, Applications) feed the Identity Warehouse, which holds Roles, Entitlements, Resources, Certification History, Provisioning Events and Policy Violations. Risk factors derived from this data are aggregated per user, and the certification effort is focused accordingly:

• Low risk user: bulk certify, approve/reject
• High risk user: Cert360, focused sign-off


Oracle Identity Manager 11g R2 Identity Auditor: Certification Configuration

• Familiar OIM interface for configuring certification campaigns
• Additional controls: optional two-phase (business, IT/data owners) review, final challenge stage and final sign-off
• Fine-grained control over entitlement certifications, e.g. privileged accounts

Certification configuration, step by step (one screenshot slide per step):

1. Define a name for the certification and its type: User, Application Instance, Role or Entitlement.
2. Select the base selection and the constraints that dictate which entities are included in the certification.
3. Select whether to include users with no accounts; this helps identify orphan accounts. Then select roles, application instances and entitlements.
4. The global definition is displayed first and can be modified as needed. Note the "Prevent self certification" option; multi-phase review can be enabled here as well.
5. Select the Phase 1 reviewer (business certification). Optionally enable Phase 2 (IT certification). Optionally enable a final review (business certification): the final reviewer has a view of both Phase 1 and Phase 2 and can override Phase 2 decisions.
6. Optionally enable incremental certification, which lets you certify only the items changed within a date range. Enabling "Show Previous Values" displays all current values that already existed in previous certifications together with the last decision taken for that access.

• Multi-Phased Review

Business and IT collaborative access review for user certification:

o combines, within a single certification, the perspectives of business-oriented and technical reviewers;
o allows a certifier to retain overall responsibility while delegating decisions to others;
o phases are optional.

Business Review
o Required first phase of review.
o Typically the manager of each user.

Technical Review
o Optional second phase of review.
o Typically the owner or an authorizer of each privilege.

Final Review
o Optional final phase of review.
o Primary reviewer from the first phase.
o Can override decisions made in the technical review.
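The following is an added illustration of the phase rules described in the configuration steps and the multi-phased review above (prevent self certification, optional technical and final phases, final review overriding the technical review, incremental certification with carried-forward previous decisions). It is example code written for this page, not Oracle Identity Manager's data model or API: the class and method names, the "campaign owner" used as the escalation target when a reviewer would otherwise certify their own access, and the sample users, entitlements and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

PHASES = ("business", "technical", "final")   # review phases in order; a later phase overrides an earlier one
DECISIONS = ("certify", "revoke")


@dataclass(frozen=True)
class AccessItem:
    """One user/entitlement pair under review (constructed sample data, not OIM's data model)."""
    user: str
    entitlement: str
    owner: str                       # entitlement owner: default technical (phase 2) reviewer
    granted: date                    # when the access was granted; used for incremental certification
    previous: Optional[str] = None   # decision taken for this access in the last campaign, if any


class Campaign:
    def __init__(self, items: List[AccessItem], managers: Dict[str, str], campaign_owner: str, *,
                 prevent_self_cert: bool = True, technical_phase: bool = True,
                 final_phase: bool = True, changed_since: Optional[date] = None):
        self.managers = managers              # user -> manager: the default business (phase 1) reviewer
        self.campaign_owner = campaign_owner  # assumed escalation target when a reviewer is excluded
        self.prevent_self_cert = prevent_self_cert
        self.technical_phase = technical_phase
        self.final_phase = final_phase
        # Incremental certification: only access granted inside the date range is reviewed again;
        # older items are carried forward with their previous decision ("show previous values").
        self.items = [i for i in items if changed_since is None or i.granted >= changed_since]
        self.carried = {(i.user, i.entitlement): i.previous for i in items if i not in self.items}
        self.decisions: Dict[str, Dict[Tuple[str, str], str]] = {p: {} for p in PHASES}

    def business_reviewer(self, item: AccessItem) -> str:
        reviewer = self.managers.get(item.user, self.campaign_owner)
        # "Prevent self certification": nobody reviews their own access. A user who is their
        # own manager is escalated to the campaign owner (an assumption of this model).
        if self.prevent_self_cert and reviewer == item.user:
            reviewer = self.campaign_owner
        return reviewer

    def technical_reviewer(self, item: AccessItem) -> str:
        if self.prevent_self_cert and item.owner == item.user:
            return self.campaign_owner
        return item.owner

    def expected_reviewer(self, phase: str, item: AccessItem) -> str:
        if phase == "technical":
            return self.technical_reviewer(item)
        return self.business_reviewer(item)   # the final review is done by the phase 1 reviewer

    def decide(self, phase: str, reviewer: str, item: AccessItem, decision: str) -> None:
        if phase not in PHASES or decision not in DECISIONS:
            raise ValueError(f"bad phase/decision: {phase}/{decision}")
        if (phase == "technical" and not self.technical_phase) or (phase == "final" and not self.final_phase):
            raise ValueError(f"{phase} phase is not enabled for this campaign")
        if item not in self.items:
            raise ValueError(f"{item.user}/{item.entitlement} is not in scope of this campaign")
        if reviewer != self.expected_reviewer(phase, item):
            raise PermissionError(f"{reviewer} is not the {phase} reviewer for {item.user}/{item.entitlement}")
        self.decisions[phase][(item.user, item.entitlement)] = decision

    def outcome(self) -> Dict[Tuple[str, str], Optional[str]]:
        """Effective decision per item: final review > technical review > business review.
        None means nothing has been decided yet; carried-forward items keep their previous decision."""
        result: Dict[Tuple[str, str], Optional[str]] = dict(self.carried)
        for item in self.items:
            key = (item.user, item.entitlement)
            effective = None
            for phase in PHASES:
                effective = self.decisions[phase].get(key, effective)
            result[key] = effective
        return result

    def open_items(self) -> List[Tuple[str, str]]:
        return [key for key, d in self.outcome().items() if d is None]


def demo() -> Campaign:
    """Constructed sample campaign that walks through the three phases."""
    managers = {"alice": "bob", "bob": "carol", "carol": "carol"}   # carol is her own manager
    items = [
        AccessItem("alice", "HR_DB_DBA", owner="dave", granted=date(2013, 2, 1)),
        AccessItem("bob", "UNIX_ROOT", owner="bob", granted=date(2013, 1, 15)),   # bob owns what he holds
        AccessItem("carol", "ERP_ADMIN", owner="dave", granted=date(2012, 6, 1), previous="certify"),
    ]
    c = Campaign(items, managers, campaign_owner="auditor", changed_since=date(2013, 1, 1))
    c.decide("business", "bob", items[0], "certify")        # phase 1: alice's manager
    c.decide("business", "carol", items[1], "certify")      # phase 1: bob's manager
    c.decide("technical", "dave", items[0], "revoke")       # phase 2: entitlement owner disagrees
    c.decide("technical", "auditor", items[1], "certify")   # phase 2: bob may not certify his own root access
    c.decide("final", "bob", items[0], "certify")           # final: phase 1 reviewer overrides phase 2
    return c


if __name__ == "__main__":
    for key, decision in demo().outcome().items():
        print(key, decision)
```

Running the block prints the effective decision per item: alice keeps HR_DB_DBA because the final review overrides the technical revoke, bob's root access was reviewed by the campaign owner rather than by bob, and carol's ERP_ADMIN was granted before the incremental date range and is carried forward with last campaign's decision.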

Certification – Phase 1 – Manager Review

Certification – Phase 2 – Technical Review

Certification – Final Review

Certification – Offline Mode

Privileged Account Management

With Great Power Comes Great Risk

Root access to databases, directory servers and Unix servers:

• Privileged accounts are a key entry point for fraud
• Shared accounts used by multiple administrators are difficult to monitor
• Excessive access privileges are the number one attack vector against databases

Two Big Management Problems

• Identifying privileged accounts
• Tracking privileged accounts

Introducing Oracle Privileged Account Manager

• Secure vault to centrally manage passwords for privileged (exclusive or shared) accounts
• Targets include databases, operating systems, LDAP directories and Oracle FMW applications
• Multiple access points for OPAM users and administrators
• Automatic password change using the Identity Connector Framework
• Policy-based password check-out and check-in
• Flexible usage policies
• Customizable audit reports through BI Publisher and real-time status
• Extension to Identity Governance: OIM and OIA integration for complete governance

A Typical Use Case

Actors: an OPAM user in the HR DBA role, Oracle Privileged Account Manager, an LDAP server, the HR Application Database and a Unix server.

1. The user requests the DBA password for the HR App Database. OPAM verifies that the user is in the HR DBA role (the diagram shows an LDAP server alongside OPAM) and returns the DBA password.
2. The user logs in as DBA and adds a table to the database; the system runs out of space.
3. The user requests the UNIX password; OPAM returns it. The user logs in as superuser on the Unix server and adds disk space.
4. The user checks both passwords back in. OPAM sets a new DBA password for the HR App Database based on the password policy for that target.
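The exchange above, and the vault features listed in the OPAM introduction (role-checked check-out, exclusive versus shared accounts, policy-based rotation on check-in, an audit trail), as an added worked model. This is example code written for this page, not OPAM's implementation or API: the role names, the password policy rules, the one-hour check-out limit, the forced expiry and the in-memory rotation (OPAM pushes the new password to the target through the Identity Connector Framework; this model only stores it) are all assumptions.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

SPECIALS = "!@#$%^&*"


@dataclass
class PasswordPolicy:
    """Per-target policy: minimum length plus one of each character class (assumed rules)."""
    length: int = 20

    def satisfied_by(self, pw: str) -> bool:
        return (len(pw) >= self.length and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SPECIALS for c in pw))

    def generate(self) -> str:
        alphabet = string.ascii_letters + string.digits + SPECIALS
        while True:   # rejection sampling keeps the draw uniform over policy-compliant passwords
            pw = "".join(secrets.choice(alphabet) for _ in range(self.length))
            if self.satisfied_by(pw):
                return pw


@dataclass
class Target:
    """A privileged account managed by the vault, e.g. the DBA account of the HR App Database."""
    name: str
    account: str
    required_role: str                 # OPAM role a user must hold to check this account out
    policy: PasswordPolicy = field(default_factory=PasswordPolicy)
    shared: bool = False               # shared accounts may be held by several users at once
    password: str = field(default="", repr=False)
    holders: Dict[str, datetime] = field(default_factory=dict)   # user -> check-out expiry


class Vault:
    def __init__(self, roles: Dict[str, Set[str]], max_checkout: timedelta = timedelta(hours=1)):
        self.roles = roles             # user -> roles (OPAM verifies these against the identity store)
        self.max_checkout = max_checkout
        self.targets: Dict[str, Target] = {}
        self.audit: List[Tuple[datetime, str, str, str]] = []   # (when, user, target, event)

    def add_target(self, target: Target) -> None:
        target.password = target.policy.generate()   # the vault, not a human, sets the initial secret
        self.targets[target.name] = target

    def checkout(self, user: str, target_name: str, now: datetime) -> str:
        t = self.targets[target_name]
        if t.required_role not in self.roles.get(user, set()):
            self.audit.append((now, user, target_name, "checkout denied: missing role " + t.required_role))
            raise PermissionError(f"{user} is not in role {t.required_role}")
        self.expire(now)
        if not t.shared and t.holders and user not in t.holders:
            raise RuntimeError(f"{target_name} is exclusively checked out by {next(iter(t.holders))}")
        t.holders[user] = now + self.max_checkout
        self.audit.append((now, user, target_name, "checkout"))
        return t.password

    def checkin(self, user: str, target_name: str, now: datetime) -> bool:
        """Return the account; the password is rotated once the last holder has checked in."""
        t = self.targets[target_name]
        if user not in t.holders:
            raise RuntimeError(f"{user} does not hold {target_name}")
        del t.holders[user]
        rotated = self._rotate_if_free(t, now)
        self.audit.append((now, user, target_name, "checkin"))
        return rotated

    def expire(self, now: datetime) -> List[str]:
        """Force check-in of overdue check-outs so a password cannot be kept indefinitely."""
        expired = []
        for t in self.targets.values():
            overdue = [u for u, until in t.holders.items() if until <= now]
            for user in overdue:
                del t.holders[user]
                self.audit.append((now, user, t.name, "checkout expired"))
                expired.append(f"{user}@{t.name}")
            if overdue:
                self._rotate_if_free(t, now)
        return expired

    def _rotate_if_free(self, t: Target, now: datetime) -> bool:
        if t.holders:
            return False
        t.password = t.policy.generate()   # modelled locally; OPAM would push this to the target
        self.audit.append((now, "vault", t.name, "password rotated"))
        return True


def demo() -> Dict[str, object]:
    """Constructed replay of the HR DBA use case: DBA password, then root, then check-in."""
    vault = Vault({"jane": {"HR DBA", "UNIX Admin"}, "sam": {"HR DBA"}, "bob": {"Developer"}})
    vault.add_target(Target("HR App Database", "dba", required_role="HR DBA"))
    vault.add_target(Target("Unix Server", "root", required_role="UNIX Admin"))
    t0 = datetime(2013, 3, 1, 9, 0, tzinfo=timezone.utc)
    old_dba = vault.targets["HR App Database"].password
    dba_pw = vault.checkout("jane", "HR App Database", t0)                 # role verified, password returned
    root_pw = vault.checkout("jane", "Unix Server", t0 + timedelta(minutes=5))
    try:
        vault.checkout("bob", "HR App Database", t0 + timedelta(minutes=6))   # developer: denied
        denied = False
    except PermissionError:
        denied = True
    rotated = vault.checkin("jane", "HR App Database", t0 + timedelta(minutes=20))
    vault.checkin("jane", "Unix Server", t0 + timedelta(minutes=21))
    return {"vault": vault, "dba_pw": dba_pw, "root_pw": root_pw, "old_dba": old_dba,
            "denied": denied, "rotated": rotated}


if __name__ == "__main__":
    for when, user, target, event in demo()["vault"].audit:
        print(when.isoformat(), user, target, event)
```

The audit list is the part worth keeping in a real deployment: every check-out, denial, expiry and rotation is attributable to a named user and a time, which is exactly what a shared root or DBA account cannot give you on its own.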

User Check-Out Password Screen

OPAM Benefits

• Enforce internal security policies and eliminate potential security threats from privileged users
• Cost-effectively enforce and attest to regulatory requirements
• Reduce IT costs through efficient self-service and a common security infrastructure
• Real-time usage reports
• Customizable audit reports with BI Publisher

www.facebook.com/OracleIDM

www.twitter.com/OracleIDM

blogs.oracle.com/OracleIDM

www.oracle.com/Identity
