Oracle Identity And Access Management

Kwesi Edwards, Principal Industry Architect, Team Lead, Oracle Higher

Uploaded by philomena-york, posted 16-Dec-2015

TRANSCRIPT

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.

Agenda

• Introduction
• Current state on Campus
• How can IDM help
• Oracle’s IDM Solution
• Product strategy and roadmap
• Commitment to our customers

5 Questions to ask your Chief Security Officer

• How do you control access to your sensitive apps?
  – Usernames and passwords, HW tokens.
• What determines your employee’s access?
  – Give Alice whatever Wally has.
• Who is the most privileged user?
  – 3-time summer intern?
• How secure is your identity data?
  – It is in 18 different secured stores.
• How much are manual compliance controls costing?
  – Don’t ask!

Next Generation Security Challenges

• Auditors & Regulators
• Identity Thieves
• Rogue Employees
• Privileged Users

Next Generation Security Solutions

• Auditors & Regulators – Compliant Provisioning
• Identity Thieves – Fraud Prevention
• Rogue Employees – Entitlement Management
• Privileged Users – Data-Center Security

State Of Security on Campus

• Incomplete
  – Multiple point solutions from many vendors
  – Disparate technologies that don’t work together
• Complex
  – Repeated point-to-point integrations
  – Mostly manual operations
• ‘Non-compliant’
  – Difficult to enforce a consistent set of policies
  – Difficult to measure compliance with those policies
• User ‘un-friendly’
  – Solutions not user-centric but technology-centric
  – Processes not end-user friendly

It’s A Risky Business

Date        Institution                                State  Incident  Number
1/14/2008   Univ of Wisc Madison                       WI     Accident  39,535
1/23/2008   Baylor University                          TX     Hacking   39,535
1/29/2008   Georgetown Univ                            DC     Stolen    38,000
2/12/2008   Long Island Univ                           NY     Accident  30,000
3/28/2008   Antioch Univ                               OH     Hacking   70,000
4/4/2008    Univ of CA Irvine                          CA     Stolen    7,000
4/17/2008   Univ of Miami                              FL     Stolen    2,100,000
5/4/2008    Staten Island Univ Hospital                NY     Stolen    88,000
5/14/2008   Oklahoma State University                  OK     Hacking   70,000
6/6/2008    Stanford Univ                              CA     Stolen    72,000
6/10/2008   University of Utah Hospitals and Clinics   UT     Stolen    2,200,000
8/18/2008   The Princeton Review                       NY     Accident  108,000
11/12/2008  Univ of Florida                            FL     Hacking   330,000
2/13/2009   University of Alabama                      AL     Hacking   37,000
2/19/2009   Univ of Florida                            FL     Hacking   97,200
3/11/2009   Binghamton Univ                            NY     Accident  100,000
5/7/2009    University of California - Berkeley        CA     Hacking   160,000

[Charts: "Security Incidents by type" – "Higher Ed # Incidents by Type 2005 - 2009" and "Higher Ed SSN Qty Breach by Type 2005 - 2009", each broken down by Accident, Hacking, Lost and Stolen; the chart values are not recoverable from the transcript.]

Identity Threats

• Identity Theft
  – Consumers hesitate to embrace on-line self service
  – Stolen identity and credit cards used to pay for on-line purchases
• Fragmented Application Security
  – Too many privileged users
  – Silo’d, fragmented and disjointed security
• Data Center Security
  – Administer 100’s of data stores

How Can Identity Management Help? Enforce Strong And Granular Security Policies

• Enforce strong password policies via synchronization or single sign-on (SSO)
• Implement strong authentication and risk-based authorization for critical apps and web services
• Enforce minimal access rights based on roles, attributes, and requests
• Leverage federation technologies for cross-domain SSO

How Can Identity Management Help? Establish Enterprise Identity & Roles

• Consolidate or virtualize multiple, complex identity environments into a single enterprise identity source
• Automate linkage of employee records with user accounts
• Establish enterprise roles for automation, compliance and business continuity
• Eliminate rogue and orphaned accounts

How Can Identity Management Help? Scalable Security And Administration For Higher Ed.

• Deploy self-registration and self-service to reduce help desk cost and improve service level
• Manage the rich role information for a highly dynamic user base with multiple affiliations
• Implement on-boarding and off-boarding automation to deal with the activity level driven by the academic calendar
• Deploy a secured identity repository to ensure user privacy and HIPAA compliance

How Can Identity Management Help? Guarantee Patient Privacy For Healthcare

• Deploy secured storage and control processes to guard patients’ data privacy
• Deploy audit and control mechanisms to ensure cost-effective compliance with HIPAA
• Implement access control to ensure the security of shared workstations for single sign-on and sign-off
• Enable self-service and automated application provisioning for mobile healthcare workers

Key Oracle Differentiators

• Complete – Comprehensive Industry Portfolio: More Value, Less Complexity
• Integrated – Designed to Work Together (Oracle Enterprise Software): More Flexibility, Less Cost
• Open – Standards-Based Architecture: More Choice, Less Risk

• Complete suite of best-of-breed products
• Proven for large scale deployments
• Best long-term investment

Comprehensive IdM Solutions – Core Platform (“Identity Management 2.0”)

• Identity Admin.: Identity lifecycle, Organization lifecycle, Provisioning & Reconciliation, Password management, Role management, Role mining, Relationship management
• Access Management: Authentication, Authorization, Single sign-on, Federation, Strong authentication, Risk-based authorization, Fine-grained entitlements, Web Services security
• Directory Services: LDAP storage, LDAP synchronization, OS authentication, Identity virtualization
• Audit & Compliance: Audit, Reporting, Analytics, Fraud, Attestation, Segregation of duties
• Manageability: Service level, Performance, Configuration, Automation

Oracle’s Identity Management Suite – Core Platform (“Identity Management 2.0”)

• Access Management: Access Manager, Identity Federation, Enterprise Single Sign-On, Adaptive Access Manager, Entitlements Server, Web Services Manager
• Identity Admin.: Identity Manager, Role Manager
• Directory Services: Internet Directory, Authentication Service for OS, Virtual Directory
• Audit & Compliance: Identity Management Suite
• Manageability: Enterprise Manager IdM Pack

Access Management – Run-Time: Authentication, Authorization, SSO, Federation

Access Control & Single Sign-On

• Products: Oracle Access Manager, Oracle Identity Federation, Oracle Internet Directory, Oracle eSSO Suite
• Identity sources: LDAP, AD, HRMS
• Users: Contractor, Student, Staff User
• Capabilities: Single sign-on with Federation, Directory synchronization, Personalization, for internal and external users

[Diagram: run-time access services between the User and the protected resources]

• Services: Authentication, Session Management, Policy Management, Authorization, Federation & Trust, Web SSO, eSSO, Fraud Monitoring, Risk Profiling, Access Audit
• Protected resources: Web Applications, Legacy Applications, Partner Applications & Web Services, Web Service

Oracle Access Manager

• Policy Enforcement Points (PEP): WebGates and AccessGates in front of the Applications; the End User’s request to an application generates an Authentication & Authorization Request to the access server
• OAM Access Server: Policy Manager and Policy Decision Engine, returning Authentication & Authorization Decisions to the enforcement points
• LDAP Store: User Data, Policy Data, Configuration Data
• OAM Identity Server: Delegated Admin, Identity & Group Lifecycle Management, Self-Service

Identity Admin. – Lifecycle Management: Provisioning, Role Management, Self-Service

Oracle Identity Manager – Self-Service

• Identity sources: LDAP, AD, HRMS
• Users: Contractor, Student, Staff, Approver
• Capabilities: Self-service and self-registration, Delegated administration, Password reset, for internal and external users

Oracle Identity Manager – Provisioning

• Requesters: Customer, Internal User, Approver, Partner Admin
• Target systems: Mainframe, Device, DB, ERP, E-Mail
• Capabilities: Role Based Policy, User Provisioning, Workflow, Rogue Account Detection, Compliant Role Based Provisioning

Role Management

• Products: Oracle Identity Manager (Provisioning Platform), Oracle Role Manager, Oracle Application Access Controls Governor (SoD Policy Engine)
• Target systems: Mainframe, DB, ERP, E-Mail, SIS/HRMS; an Attester reviews granted access
• Capabilities: Align access to University roles, Automated & auditable attestation, Enforce SoD policies

[Diagram: identity lifecycle flow]

• Authoritative sources: HRMS, CRM, LDAP
• Lifecycle functions: Self-Service / Self-Registration, Delegated Administration, Identity & Role Lifecycle Management, Identity Reconciliation, Account Provisioning, Account Reconciliation, Password Sync., Identity Audit
• Targets: Applications, Infrastructure, DB

IDM Provisioning for PSFT
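The reconciliation and rogue-account detection described in the provisioning slides above, as an added illustration that is not Oracle code: accounts discovered on a target system are compared against the authoritative HR source and the role-based policy, and accounts with no owner, a terminated owner, entitlements no role grants, or a segregation-of-duties conflict are flagged. All identities, accounts, roles and SoD rules below are constructed sample data.

```python
"""Reconciliation pass of the kind an identity manager runs against a target
system: flag rogue and orphaned accounts, excess entitlements and SoD conflicts.
Added illustration with constructed data; not Oracle Identity Manager code."""

# Constructed authoritative identities from the HR source (hypothetical values).
HRMS_IDENTITIES = {
    "e1001": {"name": "Alice", "status": "active", "roles": {"ap_clerk"}},
    "e1002": {"name": "Bob", "status": "terminated", "roles": set()},
    "e1003": {"name": "Carol", "status": "active", "roles": {"ap_clerk", "ap_approver"}},
}

# Constructed accounts discovered on the target ERP, keyed by login.
ERP_ACCOUNTS = {
    "alice": {"owner": "e1001", "entitlements": {"ap_invoice_entry", "gl_post"}},
    "bob": {"owner": "e1002", "entitlements": {"ap_invoice_entry"}},
    "carol": {"owner": "e1003", "entitlements": {"ap_invoice_entry", "ap_payment_approve"}},
    "svc_tmp": {"owner": None, "entitlements": {"db_admin"}},
}

# Role-based policy: the entitlements each enterprise role is allowed to grant.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap_invoice_entry"},
    "ap_approver": {"ap_payment_approve"},
}

# Segregation-of-duties policy: entitlement sets one person must not hold together.
SOD_RULES = [frozenset({"ap_invoice_entry", "ap_payment_approve"})]


def reconcile(identities, accounts, role_entitlements, sod_rules):
    """Return (login, finding_type, detail) tuples for every account that
    fails reconciliation; an account with no finding is compliant."""
    findings = []
    for login, acct in accounts.items():
        ident = identities.get(acct["owner"])
        if ident is None:
            # No linkable identity in the authoritative source: rogue account.
            findings.append((login, "rogue", "no matching identity in HRMS"))
            continue
        if ident["status"] != "active":
            # Owner left but the account survived off-boarding: orphaned account.
            findings.append((login, "orphaned", f"owner {acct['owner']} is {ident['status']}"))
            continue
        allowed = set().union(*(role_entitlements.get(r, set()) for r in ident["roles"]))
        extra = acct["entitlements"] - allowed
        if extra:
            findings.append((login, "excess", "not granted by any role: " + ", ".join(sorted(extra))))
        for rule in sod_rules:
            if rule <= acct["entitlements"]:
                findings.append((login, "sod", "conflicting entitlements: " + ", ".join(sorted(rule))))
    return findings
```

In a real deployment each finding would feed a remediation workflow (disable, revoke, or route to an attester) rather than a list.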

Identity Theft Protection – Oracle Adaptive Access Manager

• Secure Mutual Authentication: Mutual authentication, Knowledge based authentication, Key-logger-proof devices
• Fraud analytics: Transaction monitoring (e.g. a New Purchase), Device & location tracking, Behavior profiling
• Device & Geo-location Forensics
• Account Management

Directory Services – Infrastructure: Identity Virtualization And Consolidation

Scalable, Secured & Agile Infrastructure

• Products: Oracle Virtual Directory, DB Vault, Enterprise User Security
• Identity sources: LDAP, AD, LDAP
• Privileged users: DBAs (Finance DBA, CRM DBA) over the Finance, HR and CRM databases; applications App A and App B
• Capabilities: Centralized Management of DBAs, Integration with Active Directory, SoD for Privileged DBA Access

[Diagram: virtual directory between identity sources and applications]

• Sources: HRMS, CRM, External LDAP, Internal LDAP, MetaDirectory
• Functions: Schema Aggregation, Schema Transformation, Schema Mapping, Data Synchronization
• Outputs: Aggregated Schema and Virtual Schema 1 … Virtual Schema N, each consumed by Applications

IdM And Data Security

• Enterprise User Security (EUS)
  – OVD enables EUS to run on Active Directory, SunOne, and OID
  – OIM further enables centralized DB user admin via EUS
  – ORM IT role management extends EUS role management
• Database Vault
  – OIM provisions standard DB users plus DB Vault privileges
  – DB Vault is used to protect DBA access to sensitive IdM data
• Transparent Data Encryption (TDE)
  – TDE encrypts data transparently for OID, OIM and ORM

Complete Enterprise Control

• Identity Management: User On-Boarding, Lifecycle Mgmt., Account Provisioning & Remediation, Access & Role Attestation, Authentication, Authorization, SSO
• GRC Process Management: Controls Monitoring & Enforcement, Best Practice Controls & Policies, Policy Repository, Evidence Management, Control Testing, Risk & Compliance Reporting
• GRC Application Controls: Privilege Level SOD, Contextual SOD Authorization
• Apps, Systems & Data Repositories: Business Applications

Leader in Magic Quadrants

Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

User Provisioning, H2 2008

Web Access Management, H2 2008

“Oracle assumes the No. 1 position”

- Earl Perkins, Perry Carpenter, Aug. 15 2008 (Research G00159740)

Standards Support

• Contribute and lead
  – SSTC (SAML Working Group) – Co-Chair
  – Liberty Alliance – President, Board Member
  – WSS, WS-SX (Web Services Security), JCP – Author
  – SPML – Author
  – XACML – Voting member
• Implement
  – Accelerate product development
  – Simplify product integration & minimize TCO
• Innovate
  – Enable Identity Governance Framework: CARML, AAPML
  – Standards for end-to-end security

Looking Ahead

• Oracle will broaden its security product portfolio
  – Security is not just another line of business for Oracle
  – Security is strategic to Oracle’s entire product portfolio
  – Emerging areas: entitlement management, fraud, privacy, governance, risk management… etc.
• From security silos to built-in security
  – Built into enterprise applications, middleware, DB, OS
  – Identity Services Framework
• Project Fusion
  – Single security model across the Enterprise Applications Suite
  – Enforced uniformly at all parts of the technology infrastructure
  – Across the entire life-cycle from development to maintenance

Oracle IdM’s Customer Focus

• Customer Advisory Board
  – Collaboration with strategic customers on product roadmap and technology directions
• Security Executive Forum
  – C-level executives help to validate Oracle’s strategy and drive future investments
  – Past attendees: Bank of America, British Telecom, Franklin Templeton, JP Morgan Chase, Network Appliance, Royal Bank of Scotland, The Hartford, T-Mobile, Toyota, Wachovia, ….
• Best post-sale support in the industry
  – Product management sponsorship to ensure every deployment and every upgrade is a success
  – Strong track record of customer upgrade success

Customer Advisory Board: Share, Communicate, Partner

Oracle’s Identity Management Strategy

• Complete solution
  – Integrated suite of best-of-breed components
  – Each component individually deployable
• Application centric
  – Integrated with business applications
  – Integrated into the application life cycle
• Hot-pluggable
  – Standards-based
  – Works across leading platforms

[Diagram: Develop, Deploy, Operate cycle on top of the Identity Services Framework and FMW Technologies]

For More Information

search.oracle.com or oracle.com – Identity management