Oracle Identity And Access Management
Transcription
Oracle Identity And Access Management
Ed King, Senior Director, Product Management

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remain at the sole discretion of Oracle.

Agenda
• Introduction
• Problem statements
• Value propositions
• Products and partnerships
• Industry validations
• Product strategy and roadmap
• Service oriented security
• Customer case studies

Oracle's IdM Business

Oracle Database Security: 30 Years of Innovation
Timeline labels from the slide (1977, Government customer, through 2007):
• Oracle Audit Vault
• Oracle Database Vault
• DB Security Evaluation #19
• Transparent Data Encryption
• EM Configuration Scanning
• Fine Grained Auditing (9i)
• Secure application roles
• Client Identifier / Identity propagation
• Oracle Label Security (2000)
• Proxy authentication
• Enterprise User Security
• Global roles
• Virtual Private Database (8i)
• Database Encryption API
• Strong authentication (PKI, Kerberos, RADIUS)
• Native Network Encryption (Oracle7)
• Database Auditing

Oracle Identity Management: Commitment to Leadership & Innovation
Timeline 1999 to 2008, in three phases:
• Build: Oracle Internet Directory; Acquisition of Phaos (Federation and WS technologies); Acquisition of Oblix (OAM, OIF & OWSM); Acquisition of Thor (OIM); Acquisition of OctetString (OVD)
• Lead: Identity Audit and Compliance offering; Oracle Identity and Access Management Suite; Leader in Gartner's UP & WAM Magic Quadrant; Oracle eSSO; Oracle IdM Eco-system; Market Leader in Forrester's IAM Wave
• Innovate: Identity Governance Framework; Acquisition of Bridgestream (ORM); Acquisition of Bharosa (OAAM); Acquisition of BEA (OES); Oracle Access Management Suite; Identity Assurance Partner Alliance

Oracle IdM Key Success Factors
• Acquire best-of-breed products and talents
  • Phaos, Oblix, Thor, OctetString, Bharosa, Bridgestream
  • Each company had strong technical and management talents
• Retain and invest
  • Still have > 90% retention rate of acquired employees
  • Acquired employees hold key mgmt. and technical positions
  • Team size grew organically by > 100% post 2005 acquisitions
• Customer focus
  • Focus on low TCO architecture
  • Focus on customer success
  • Focus on long-term customer partnership

IdM Is Strategic To Oracle
• IdM is key security infrastructure for Fusion
• IdM is a key component of the GRC strategy
• Oracle has invested in 6 acquisitions in IdM since 2005
• Oracle has invested heavily in organic growth
  • > 350 developers
  • > 35 product managers
  • > 80 QA
  • > 90 support

Identity Management Innovation
• Integrated identity and role management
  • 1st suite vendor to acquire and integrate business policies into an enterprise class identity management solution
• Integrated access management and anti-fraud solution
  • 1st suite vendor to offer a comprehensive software solution that thwarts the entire range of web threats
• Identity virtualization for applications
  • 1st suite vendor to provide a solution to unify identity data without consolidating and re-use identity data without copying
• Comprehensive application audit framework
  • 1st to integrate audit with provisioning for policy review
• Identity Governance Framework
  • Comprehensive CARML/AAPML-based application development
• Hot-pluggable by design

Key Oracle Differentiators
• Complete suite of best-of-breed products
• Proven for large scale deployments
• Best long-term investment

Problem Statements

5 Questions to ask your Chief Information Security Officer
Q: How do you control access to your sensitive applications?
a – Usernames and passwords
b – Contextual authentication and authorization
c – Hardware token
Q: What determines your employee's access?
a – Give Alice whatever Wally has
b – Base on her business roles
c – Whatever her manager says
Q: Who is the most privileged user in your enterprise?
a – Security administrator
b – CFO
c – The 3-peat summer intern who is now working for your competitor
Q: How secure is your identity data?
a – It is in 18 different secured stores
b – We protect the admin passwords
c – Privacy? We don't hold credit card numbers
Q: How much are manual compliance controls costing your organization?
a – Nothing, no new headcount
b – Don't ask
c – Don't know

Today's IT Challenges
• More Compliant Business
  • Increasing regulatory demands
  • Increasing privacy concerns
  • Business viability concerns
• More Agile Business
  • More accessibility for employees, customers and partners
  • Higher level of B2B integrations
  • Faster reaction to changing requirements
• More Secured Business
  • Organized crime
  • Identity theft
  • Intellectual property theft
  • Constant global threats

State Of Security In Enterprise
• Incomplete
  • Multiple point solutions from many vendors
  • Disparate technologies that don't work together
• Complex
  • Repeated point-to-point integrations
  • Mostly manual operations
• 'Non-compliant'
  • Difficult to enforce a consistent set of policies
  • Difficult to measure compliance with those policies
• Business 'un-friendly'
  • Solutions not user-centric but technology-centric
  • Processes not end-user friendly

Enterprise Applications Today
Diagram actors: Customers & Partners, Admins, Business Users
• Mix of custom, legacy & packaged applications
• Silo'ed and disjointed security
• Numerous identity stores and policy administration points
• Too many users with privileged access
• Highly evolving and regulated business environment

Next Generation Security Challenges
Diagram actors: Auditors & Regulators, Identity Thieves, Rogue Employees, Privileged Users

Next Generation Security Solutions
Diagram labels (recovered from rotated text on the slide): Compliant Provisioning, Fraud Prevention, Entitlement Management, Data Center Security, set against the same four actors: Auditors & Regulators, Identity Thieves, Rogue Employees, Privileged Users

Sustainable Compliance
• Attestation of user access is a manual process
• User access does not match their jobs
• Segregation of duties policies not enforced

Identity Theft & External Fraud
• Enterprise brand often used in phishing attacks
• Stolen identity and credit cards used to pay for on-line purchases
• Consumers hesitate to embrace on-line self service due to fear of identity theft

Data Privacy & Internal Fraud
• No fine grained control of data visibility and transaction level access
• Inappropriate or fraudulent use of the enterprise's IT assets and information services
• Difficult to prove compliance with data privacy and consumer rights regulations

Data Center Security
• Administration of users in hundreds of DBs is not scalable
• DBA can see all data, violating data privacy mandates
• Integration of identity infrastructure takes 12 months or longer after an acquisition

IT's Role in Building Corporate Trust
The Need for IT Governance Strategy: the majority of 400 directors surveyed recognize that the right IT strategy is very important for
• 69% Compliance
• 66% Customer Satisfaction
• 57% Managing Risk
Source: Corporate Board Member / Deloitte Consulting, March 2007
Security: The Ponemon Institute finds that 70% of all reported security breaches were due to insiders. When a company announces a security breach, its stock price can drop by 2%.
Source: Ponemon Institute, 2005
Control: Gartner warns that "More than 80 per cent of IT groups may be incapable of satisfying many of the laws and regulations, such as HIPAA and 21 CFR Part 11, that require change-related audit trails and accountability over material configuration items."
Source: Gartner, 2005

It's A Risky Business
• Société Générale: €10 billion in trading losses due to unauthorized trades. Trader executed unauthorized trades with €75 billion of exposure and attempted to cover up his losses using fake accounts and emails. When the bank discovered the fraud it had to unwind the position in 3 days, resulting in €10 billion in losses and triggering a worldwide market sell-off. Source: Fortune, May 2008
• TJ Maxx: $17 million remediation cost for 45 million stolen credit card numbers. Breach of TJ Maxx's IT systems led to the loss of 45 million credit and debit card numbers over a period of 18 months. Estimated total revenue impact from negative press coverage was $4.5 billion. Source: Information Week, May 2007
• Citi Group: 3.9 million customer data lost. Mass theft of debit card PINs results in several hundred fraudulent cash withdrawals in Canada, Russia, and the U.K. This follows the loss of unencrypted tapes containing information on 3.9M customers. Source: InformationWeek, March 2006
• Mellon Bank: $18.1 million in fines for failure to prevent fraudulent data destruction. For a violation of the Fair Debt Collection Practices Act, in which employees destroyed 80,000 unprocessed Federal tax returns and tax return checks in an attempt to conceal failure to meet IRS processing deadlines, Mellon paid a fine of $18.1 million and closed its tax processing center. Source: Unbossed.com, April 27, 2005

Guaranteed Bad Press In Public Sector
Breach Notification Is Mandated By Law
• 38 states now have some form of breach notification law, like California Senate Bill 1386
• Law mandates public disclosure if a security breach is found in any public institution
  • Direct mail to all affected people, or
  • Notify major statewide media
• Cost of generating letters can range from $2-$12/person

Liability For PCI DSS Non-Compliance
PCI Data Security Standard Is Now Law
• States are adopting PCI DSS into state laws
• Estimated cost is $1 million per breach instance
• Law mandates non-compliant banks to cover cost of notification and remediation in case of breach
• Law mandates non-compliant business to reimburse card issuing bank for cost of notification and remediation in case of breach

Value Propositions

Identity Management Values
• Trusted and reliable security
• Efficient regulatory compliance
• Lower administrative and development costs
• Enable online business networks
• Better end-user experience

How Can Identity Management Help? Establish Enterprise Identity & Roles
• Consolidate or virtualize multiple, complex identity environments to a single enterprise identity source
• Automate linkage of employee records with user accounts
• Establish enterprise roles for automation, compliance and business continuity
• Eliminate rogue and orphaned accounts

How Can Identity Management Help? Enforce Strong And Granular Security Policies
• Enforce strong password policies via synchronization or single sign-on (SSO)
• Implement strong authentication and risk based authorization for critical apps and web services
• Enforce minimal access rights based on roles, attributes, and requests
• Leverage federation technologies for cross-domain SSO

How Can Identity Management Help? Automate Security Related Processes
• Reduce administration cost and improve service level with delegated administration & self-service
• Implement scalable and dynamic approval workflows leveraging dynamic enterprise role and organization data
• Automate detection of fraudulent activities based on policies
• Role and attribute driven provisioning of applications with exact access levels

How Can Identity Management Help? Define Audit And Control Framework
• Implement automated attestation for entitlements, roles, policies, workflows, etc.
• Implement exception driven process automation
• Implement segregation of duties around roles and entitlements
• Implement automations and controls for management of privileged users

How Can Identity Management Help? Deploy A Scalable Integration Architecture
• Define an enterprise-wide integration standard
• Leverage all integrations through a single interface / application
• Heavily leverage open standards to protect IT investments
• Maximize out-of-the-box integrations across technology stacks: applications, middleware, database and operating systems

How Can Identity Management Help? Security And Control For Enterprise Applications
Diagram: Procure-To-Pay Process (Issue PO, Accept Shipment, Issue Payment) across ERP, SCM and Financials
• Automate user management, manage entitlements, enforce segregation of duties
• Link HR employee data to user accounts
• Integrate application to enterprise directories and portals
• Enforce appropriate and granular level of access control based on application and data being accessed

How Can Identity Management Help? Manageability and Security For Databases
• Externalize and centralize authentication and authorization of database users with optional strong authentication
• Centrally manage database users and database roles
• Implement strong control over DBA access
• Automate security management of shared accounts

How Can Identity Management Help? Compliance & Fraud Mgmt. For Financial Services
• Manage Who has access to What, When, How and Why for SOX, FFIEC, GLBA and PCI compliance
• Automate termination and job transfer processes for tight security
• Detect and remediate fraudulent activities against both outside and inside threats
• Enforce segregation of duties and Chinese Wall regulatory mandates

How Can Identity Management Help? Scalable Security And Administration For Retail
• Manage scalable lifecycle management for a highly dynamic and seasonal workforce
• Improve access security for shared terminals such as POS and warehouse terminals
• Enforce segregation of duties across heterogeneous systems such as receiving and payment
• Enable federated access for supply chain partners

How Can Identity Management Help? Scalable Infrastructure For Telecommunication
• Deploy telco-grade identity store and unify user profiles from networks and applications in real-time
• Enable scalable identity administration and account provisioning for very large user base and dynamic call center operations
• Deploy self-service and self registration to reduce customer administration cost
• Enable federated access, SSO, mutual authentication and fraud prevention for customer and dealer portals

How Can Identity Management Help? Guarantee Patient Privacy For Healthcare
• Deploy secured storage and control processes to guard patients' data privacy
• Deploy audit and control mechanisms to ensure cost effective compliance with HIPAA
• Implement access control to ensure the security of shared workstations for single sign-on and sign-off
• Enable self-service and automated application provisioning for mobile healthcare workers

How Can Identity Management Help? Flexible, Risk Based Security for Life Sciences
• Enable secure internal and external collaboration for the development and marketing of life science products
• Improve risk management by ensuring the proper level of authentication is required based on the criticality of the applications
• Enable self-service and automated application provisioning for clinical investigators
• Enable secured handling and storage of clinical trial patient data

How Can Identity Management Help? Scalable Security And Administration For Higher Ed.
• Deploy self-registration and self-service to reduce help desk cost and improve service level
• Manage the rich role information for a highly dynamic user base with multiple affiliations
• Implement on-boarding and off-boarding automation to deal with the activity level driven by the academic calendar
• Deploy secured identity repository to ensure user privacy and HIPAA compliance

How Can Identity Management Help? Enable Service Delivery For Local Government
• Provide secured access for residents to government services via strong authentication, risk based authorization & safeguarding of identity data
• Enable cost efficient compliance for HIPAA, PCI, etc.
• Streamline management of large & distributed user base via self-service & delegated admin.
• Simplify identity & security integration across dispersed agencies, districts and departments

Products & Partnerships

Oracle's Identity Management Suite
Products by category, in two layers:
• "Identity Management 2.0" layer
  • Identity Admin.: Role Manager
  • Access Management: Adaptive Access Manager, Entitlements Server, Web Services Manager
  • Directory Services: Virtual Directory
• Core Platform layer
  • Identity Admin.: Identity Manager
  • Access Management: Access Manager, Identity Federation, Enterprise Single Sign-On
  • Directory Services: Internet Directory, Authentication Service for OS
• Audit & Compliance: Identity Management Suite
• Manageability: Enterprise Manager IdM Pack

Oracle's Comprehensive IdM Solutions
Capabilities by category, in the same two layers:
• "Identity Management 2.0" layer
  • Identity Admin.: Role management, Role mining, Relationship management
  • Access Management: Strong authentication, Risk based authorization, Fine grained entitlements, Web Services security
  • Directory Services: Identity virtualization
• Core Platform layer
  • Identity Admin.: Identity lifecycle, Organization lifecycle, Provisioning & Reconciliation, Password management
  • Access Management: Authentication, Authorization, Single sign-on, Federation
  • Directory Services: LDAP storage, LDAP synchronization, OS authentication
• Audit & Compliance: Audit, Reporting, Analytics, Fraud, Attestation, Segregation of duties
• Manageability: Service level, Configuration, Performance, Automation

Oracle's Identity Management Suite (second layout of the same slide)
• Identity Admin.: Identity Manager, Role Manager
• Access Management: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server, Web Services Manager
• Directory Services: Internet Directory, Virtual Directory, Authentication Service for OS
• Audit & Compliance: Identity Management Suite
• Manageability: Enterprise Manager IdM Pack

Oracle's Comprehensive IdM Solutions (second layout of the same slide)
• Identity Admin.: Identity lifecycle, Role management & mining, Organization management, Provisioning, Reconciliation, Password management
• Access Management: Strong authentication, Risk based authorization, Single sign-on, Federation, Fine grained entitlements, Web Services security
• Directory Services: Storage, Virtualization, Synchronization, Operating systems security
• Audit & Compliance: Audit, Reporting, Attestation, Analytics, Fraud, Segregation of duties
• Manageability: Service level, Configuration, Performance, Automation

Access Control & Single Sign-On
• Single sign-on w/ Federation
• Directory synchronization
• Personalization
• For internal and external users
Diagram: Oracle Access Manager, Oracle Identity Federation and Oracle eSSO Suite in front of Oracle Internet Directory, LDAP, AD and HRMS; users: Contractor, Customer, Internal User

Self-Service
• Self-service and self-registration
• Delegated administration
• Password reset
• For internal and external users
Diagram: Oracle Identity Manager over HRMS, LDAP and AD; users: Contractor, Customer, Approver, Internal User

Provisioning
Diagram: Oracle Identity Manager (Role Based Policy, User Provisioning Workflow, Rogue Account Detection) provisioning ERP, E-Mail, Device, Mainframe and DB; users: Partner Admin, Customer, Approver, Internal User

Compliant Role Based Provisioning
• Align access to business roles
• Automated & auditable attestation
• Enforce SoD policies
Diagram: Oracle Identity Manager (Provisioning Platform), Oracle Application Access Controls Governor (SoD Policy Engine), Oracle Role Manager (Role Management), fed from HRMS, provisioning ERP, E-Mail, Mainframe and DB; user: Attester

Identity Theft Protection
• Mutual authentication
• Knowledge based authentication
• Key-logger-proof devices
Diagram: Oracle Adaptive Access Manager between a New Purchase and Account Management, with Secure Mutual Authentication and Device & Geo-location Forensics; labels: Fraud analytics, Transaction monitoring, Device & location tracking, Behavior profiling

Fine Grained Data & Transaction Control
• Fine grained contextual control
• Leverage roles, relationship, attributes, 3rd party, session, transaction & historical data
Diagram: Oracle Role Manager (User Roles) and Oracle Entitlements Server mediating access to Customer Data (Customer A, Customer B) for Business Partner, Country A Customer Support, Country B Customer Support, Employee / Account Manager

Scalable, Secured & Agile Infrastructure
Diagram: DBAs (Finance DBA, CRM DBA) managed through Enterprise User Security, LDAP, AD and Oracle Virtual Directory, with DB Vault in front of HR, Finance, CRM, App A and App B databases; labels: Centralized Management of DBAs, Integration with Active Directory, SoD for Privileged DBA Access

Oracle's Comprehensive IdM Solutions
Diagram: End Users, Administrator, Info. Sec, Auditor
• Services: Strong Authentication, Identity Admin, Reporting & Analytics, Risk Based Authorization, Account Admin, Attestation, Federation, Organization Admin, Segregation of Duties, Self-Service, Role Management, Fraud Detection, Delegated Admin
• Oracle Identity Management & Security Platform: Provisioning, LDAP Virtualization, Java Platform Security, Reconciliation, LDAP Storage, Password Mgmt., LDAP Synchronization, Authentication For Operating Systems, WS Security, DB User Security
• Managed resources: Business Apps, HR, Directories, DB, App Server, OS

Identity Admin. – Lifecycle Management
Provisioning, Role Management, Self-Service, Delegated Administration
Diagram: Identity & Role Lifecycle Management with Identity Audit, Identity Reconciliation, Password Sync., Account Provisioning, Account Reconciliation, Self-Service, Self-Registration, across HRMS, Applications, CRM, Infrastructure, LDAP, DB

Access Management – Run-Time
Authentication, Authorization, SSO, Federation
Diagram: User Authentication, Session Management, Policy Management, Web SSO, eSSO, Authorization, Fraud Monitoring, Risk Profiling, Federation & Trust, Access Audit, across Web Applications, Legacy Applications, Web Service, Partner Applications & Web Services

Directory Services – Infrastructure
Identity Virtualization And Consolidation
Diagram: Virtual Schema 1 to Virtual Schema N presented to Applications; Schema Aggregation, Schema Transformation, Schema Mapping, Data Synchronization over HRMS, CRM, Internal LDAP, External LDAP; Aggregated Schema, Meta Directory

Oracle Access Manager
Diagram: Policy Enforcement Points (PEP) are WebGates and AccessGates; Applications and End User send Authentication & Authorization Requests; Delegated Admin; Authentication & Authorization Decisions; User Data, Policy Data and Configuration Data in the LDAP Store; Identity & Group Lifecycle Management in the OAM Identity Server; Policy Manager and Policy Decision Engine in the OAM Access Server

Oracle Web Services Manager
Diagram: Policy Enforcement Points (PEP) with a Client-Side Agents Option, a Gateway Option and a Server-Side Agents Option (Last-Mile Security); Clients: J2SE, J2EE, .NET; Web Services Endpoints (J2EE, .NET); Policy Management and Monitoring in the OWSM Server And Admin Console

Oracle Identity Federation
Diagram: Oracle Identity Federation (Certificate discovery, Identity Provider configuration, Account mapping, Integration APIs) linking Applications, Service partners, IDM infrastructures, Identity Stores, Policy Stores and Cert Stores with Trade partners, Portals and Affiliates via SAML 1.1, SAML 2.0, WS-Fed, AuthN & SSO

Oracle Entitlements Server
• Leverage existing identity stores and enterprise data for entitlements decisions
• Centralized policy management, distribution
• Localized policy decisions and enforcement
• Protect any system or business component across heterogeneous platforms
Diagram: OES PAP distributing policy to an OES PDP beside each App, with Audit, LDAP and Enterprise Data

Oracle Adaptive Access Manager
Diagram: User Context, 3rd Party Apps/Data Context, Location Context, Device Context, Historical Data Context; ARM; ASA
• Current vs historical
  • User
  • Device
  • Location
  • Transaction
  • 3rd Party
• Cross comparisons

Oracle Enterprise Security
• Identity And Access Management: User Management, Directory Management, Access Management, Platform Security
• Governance Risk Compliance: Identity Audit, Policy & Process Management, Application Security, Enterprise Control
• Data Security: Multi-level Access Control, Encryption, Information Rights, DBA Security
• Operating System Security: Authentication Service, User Management
• Monitoring & Alert: Compliance Analysis & Reporting, Audit Automation

Complete Application Security
• Access Management
  • Account provisioning
  • Strong authentication
  • Segregation of duties
  • Risk based authorization
  • Entitlement attestation
  • Federation & WS security
• Process Control (Application, Configuration, Transaction)
  • Master data security
  • Internal controls violation
  • Code security
  • High-risk transactions
  • Change management
  • Fraudulent transactions
• Native Security / Data Security
  • DBA access
  • Encryption at rest & in transit
  • Data classification
  • Secured backup
  • Info. rights management

Oracle Security Products For Apps
• Access Management
  • Access Manager
  • Identity Manager
  • Adaptive Access Manager
  • Role Manager
  • Identity Federation
  • Web Services Manager
• Process Control (Application, Configuration, Transaction)
  • Application Access Controls Governor
  • Configuration Controls Governor
  • Preventive Controls Governor
  • Transaction Controls Governor
• Native Security / Data Security
  • Database Vault & Audit Vault
  • Transparent Data Encryption
  • Label Security
  • Secured Backup
  • Enterprise User Security
  • Information Rights Mgmt.

Identity Management For Oracle Apps
• In Progress: OAM, OAAM, OIF, OES
• Out-of-The-Box Connectors / Certified Interoperability: eSSO, OIM, ORM, OID, OVD, OWSM

IdM And Data Security
• Enterprise User Security (EUS)
  • OVD enables EUS to run on Active Directory, SunOne, and OID
  • OIM further enables centralized DB user admin via EUS
  • ORM IT role management extends EUS role management
• Database Vault
  • OIM provisions standard DB user + DB Vault privileges
  • DB Vault is used to protect DBA access to sensitive IdM data
• Transparent Data Encryption (TDE)
  • TDE encrypts data transparently for OID, OIM and ORM

Complete Enterprise Control
Diagram layers:
• GRC Process Management: Policy Repository, Evidence Management, Control Testing
• GRC Application Controls: Risk & Compliance Reporting, Controls Monitoring & Enforcement, Best Practice Controls & Policies, Privilege Level SOD, Contextual SOD Authorization
• Identity Management: User On-Boarding, Lifecycle Mgmt., Account Provisioning & Remediation, Access & Role Attestation, Authentication, Authorization, SSO
• Business Applications; Apps, Systems & Data Repositories

Closed-Loop SOD – Access Provisioning
Diagram (Identity Management + GRC Application Controls): User, Org Lifecycle Event; Access Request & Approval; SOD Policy Simulation; Provisioning Workflow; Preventive Validation & Enforcement; Provisioned User Access; Access Remediation; Exceptions Report; Design & Deploy Compensating Controls; Detective SOD Analysis

Closed-Loop SOD – Role Based Access
Diagram (Identity Management + GRC Application Controls): Role & Rule Mining; Role Design & Mapping; Role Assignment & Admin; Role Design Feedback; SOD Policy Simulation; Provisioning Workflow; Preventive Validation & Enforcement; Provisioned Role & User Access; Role Remediation; Exceptions Report; Design & Deploy Compensating Controls; Detective SOD Analysis

Partners: ISV Ecosystem
Strong Authentication, Network Access, Industries, Compliance, Identity Assurance, Physical Access

Partners: System Integrators
• Global Full Service Partners
• Regional And Boutique Partners

Industry Validation

Leader in Magic Quadrants
"Oracle assumes the No. 1 position" - Earl Perkins, Perry Carpenter, Aug. 15 2008 (Research G00159740)
• User Provisioning, H2 2008
• Web Access Management, H2 2008
Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Most Comprehensive IdM Suite
Updated with latest acquisitions. Source: Identity And Access Management Marketplace, Gartner Symposium/ITxpo, Ant Allen, ESC19_1049, 11/07, AE

Strongest Vendor According To
"Oracle is currently the IdM vendor to beat" - VantagePoint 2007: Identity and Privacy Trends in Enterprise IT
"Oracle continues to increase in mindshare while broadening its IdM portfolio." - VantagePoint 2008: Identity and Privacy Trends in Enterprise IT
Provisioning Market Report 2009: "Oracle is currently leading the provisioning market…IBM and Sun have both lost market share to Oracle…" - Provisioning Market 2009 report

Market Leader According To
"Oracle has established itself as Leader." - The Forrester Wave: Identity And Access Management, Q1 2008
"Oracle reached the top of our evaluation through a combination of the breadth, depth, interoperability, and packaging of its IAM features alongside the strategy and current state of market execution on its application-centric identity vision." - The Forrester Wave: Identity And Access Management, Q1 2008

IdM Hype Cycle 2008

GRC + Security Product Space
Chart axes: Strength of GRC Solution; Strength of IdM Solution

Best of Breed Proof Points
Independent Product Evaluations & Awards
• "..very powerful…flexible account provisioning"
• "Quickly, easily, securely ..connect via Single sign-on"
• OVD: 2007 Global Excellence in Directory Services Award
• "..strong platform for defining and enforcing policies in"
• WSJ: "Brings Management Simplicity to Web Services"
• eWeek: "[OWSM] Simple to the core… easy to use"

Product Strategy & Roadmap

Oracle's Identity Management Strategy
Diagram: Identity Services Framework over FMW Technologies; Develop, Deploy, Operate
• Complete solution
  • Integrated suite of best-of-breed components
  • Each component individually deployable
• Application centric
  • Integrated with business applications
  • Integrated to application life cycle
• Hot-pluggable
  • Standards-based
  • Works across leading platforms

Heterogeneous Support
"Of all the large platform vendors, Oracle, Novell, CA and BMC seem the most committed to providing significant support for heterogeneous environments." - Ray Wagner, Gartner, October 2006
Supported platform categories: Portals, Application / Web Servers, Applications, Groupware, Directories, Operating Systems, ACF-2 & TSS, RACF & IOS/400

Standards Support
• Contribute and lead
  • SSTC (SAML Working Group) - Co-Chair
  • Liberty Alliance - President, Board Member
  • WSS, WS-SX (Web Services Security), JCP - Author
  • SPML - Author
  • XACML - Voting member
• Implement
  • Accelerate product development
  • Simplify product integration & minimize TCO
• Innovate
  • Enable Identity Governance Framework: CARML, AAPML
  • Standards for end-to-end security

Looking Ahead
• Oracle will broaden security product portfolio
  • Security is not just another line of business for Oracle
  • Security is strategic to Oracle's entire product portfolio
  • Emerging areas: entitlement management, fraud, privacy, governance, risk management, etc.
• From security silos to built-in security
  • Built into enterprise applications, middleware, DB, OS
  • Identity Services Framework
• Project Fusion
  • Single security model across Enterprise Applications Suite
  • Enforced uniformly at all parts of technology infrastructure
  • Across entire life-cycle from development to maintenance

Identity Services Framework
Diagram layers:
• Consumers: Fusion Apps, Other Fusion Products, 3rd Party Apps, Custom Apps (each with Business Functions: User Management, Authentication, Authorization, Federation), and Legacy Applications (Not Identity Service Ready)
• Service Interfaces: WS-*, SPML, SAML, XACML, IGF; Legacy Interfaces: Connectors, Agents
• Identity Services: Authentication, Provisioning, Identity Provider, Audit, Authorization, Administration, Role Provider, Federation & Trust
• Enterprise Identity Management Infrastructure: Policy & Orchestration, Virtualization & User Store

Service Oriented Security

Application Security (Used to Be)
Diagram: Application A, Application B, Application C, each with Silo'ed Authentication, Silo'ed Authorization, Silo'ed Identity Repository, Silo'ed Administration
Challenges
• Non-uniform policies at different granularities
• Non-uniform user experience
• Credential proliferation
• High administration cost

Today's Identity Management
Diagram (Identity Management 1.0): Strong-Auth, Single Sign-On, Federation, Provisioning, Audit & Compliance, Risk Analytics shared across Application A, Application B, Application C
Challenges
• Integration cost is high
• Additional infrastructure components to maintain
• Cannot completely make up for poor application security
• Authorization model is still mixed

A Paradigm Change is Happening
• Externalized authorization policies
• Abstraction of deployment details from applications
• Integration of security with IDEs
• Roles, context, trust…
• Hot-pluggable functions

Service Oriented Security
Support For Application Life Cycle: Development, Design, Packaging, Deployment, Management & Administration, Runtime, Integration

Start Building A Service Platform
Diagram: Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Role Manager, Oracle Entitlements Server, Oracle Identity Manager, Oracle Virtual Directory exposed as an Authentication Service, an Authorization Service and an Identity, Profile Service

Customers Case Studies
Note: The most common case studies have been reformatted to be more presentation friendly. Not all use cases will be reformatted this way. If you prefer the original format or need more use cases, please see the main use case PPT file.

Oracle IdM's Customer Focus
• Customer Advisory Board
  • Collaboration with strategic customers on product roadmap and technology directions
• Security Executive Forum
  • C-level executives help to validate Oracle's strategy and drive future investments
  • Past attendees: Bank of America, British Telecom, Franklin Templeton, JP Morgan Chase, Network Appliance, Royal Bank of Scotland, The Hartford, T-Mobile, Toyota, Wachovia, ….
• Best post-sale support in the industry
  • Product management sponsorship to ensure every deployment and every upgrade is a success
  • Strong track record of customer upgrade success

Customer Advisory Board
Share, Communicate, Partner

Identity Management Customers
Customer logos by segment: Financial Services, Transportation & Services, Manufacturing & Technology, Telecommunication, Public Sector, Retail
Oracle Confidential

Unparalleled Strength In Fin. Services
(customer logos)

Customers Using Oracle IdM With SAP
(customer logos)

Award Winning Scalable Solutions
• OAM, OVD, OID: 34 million users managed on aarp.com
• OIM, ORM: 1,200 applications under management
• OIM, ORM: 17,000 managed roles
• OAM, OIM: 4.5 million users provisioned from kpn.com

IdM Platform Customers
• OAM, OIM: 80,000 internal users; 1.8 million partners, suppliers and customers
• OAM, OIM: Provisioning SAP, E-Business Suite and Siebel
• OAM, OIM, OID: 9 million retail customers using self-registration & self-service

Compliant Provisioning Customers
• OIM, ORM: Enterprise wide business role management
• OIM, ORM, OAM: Access provisioning and attestation
• OIM, OAACG: Fine grained provisioning of E-Business Suite

Fraud Prevention Customers
• OAAM: Fraud analysis of on-line, ATM, and in-branch transaction data
• OAAM: Integrated identity proofing services for credit card sign-up kiosks in department stores
• OAAM: Prevent identity theft from resume database

Fine Grained Authorization Customers
• OES: Standardized access control across risk management systems
• OES: Fine grained access control for B2B financial services portal
• OES: Fine grained access control for pharmaceutical service provider portal

Data Center Security Customers
• OVD, OID, OAM: Integrated legacy back-end systems to new social networking portal
• OVD, OID, OAM, OIM: Created centralized identity hub across AD, ADAM, EBS HR and other applications
• OVD, EUS: Leveraged OVD to centralize DB user administration and authentication to existing AD

Case Study – Lehman Bro. / Barclays
GLB & SOX Compliance
Business Challenges
• No official record of "who has access to what" to meet compliance requirements
• No reliable access DB and process for terminating access when employee leaves firm
Oracle Solution and Return On Investment
• Implemented OIM as enterprise identity management platform
• > 1,000 applications under centralized management
• Enabled self-service account management for employees and managers
• Comprehensive "who has access to what" database for compliance and process automation
• Deployed enterprise-wide integration methodology and on-boarding, job change, and termination processes
• Prompt termination of access for all departing employees
• Reduced wait for new resources

Case Study – Accenture
SAP Management & Self Service
Business Challenges
• High % of help desk resources handling password reset
• Hardware token management was a manual and expensive process
• SAP access management was not locked down and attestation of SAP access was based on email and Excel
Oracle Solution and Return On Investment
• Implemented OIM as enterprise identity management platform
• > $750,000 annual savings in help desk cost
• Deployed self-service for password management and token lifecycle management
• Eliminated need for a standalone RSA token management solution
• Automated provisioning process for SAP, including reconciliation of employee records from SAP HR
• 10 fewer SAP administrators at an annual saving of $500,000
• High quality IT compliance data for core SOX applications: SAP

Case Study – Toyota Financial Services
Oracle Apps Management & Enhanced Security
Business Challenges
• Up to one month to provide all required access for new employees and employees changing jobs
• Lack of consistent control resulted in large number of orphaned and rogue accounts
• HR data was of poor quality and could not be used as source of truth
Oracle Solution and Return On Investment
• Implemented OIM as
enterprise identity management platform, replacing failed CA solution • Clean HR data in PeopleSoft is now source of truth for identity • Cleaned up HR data in PeopleSoft using a “claim your identity” process • Automated provisioning to core business and IT applications: PeopleSoft, Siebel, RACF, AD…..etc. • Eliminated > 90% of ghost employee, orphaned and rogue accounts • Guaranteed service level for access provisioning • Reduced help desk calls from selfservice password management Case Study – Royal Bank of Scotland Standardized Access Control For A Global Enterprise Business Challenges • Access management for globally distributed, multi-brand, 140,000+ workforce is manual, distributed, and nonstandardized • No one reliable source for “who has access to what” • Poor identity and role data to enable automation Oracle Solution Return On Investment • Implemented OIM and ORM as enterprise identity management platform • Lower cost for and improve speed of meeting compliance and internal audit mandates • Implemented automated provisioning and continuous reconciliation to secure critical infrastructure applications • Replaced legacy role management system and added delegated admin and workflow capabilities • 100% reduction in unauthorized privileges, 90% reduction in exceptions and 90% reduction in roles and groups • Standardized and remove duplicate processes and systems Case Study – Charles Schwab Cost Effective Compliance For A Distributed Workforce Business Challenges • Non scalable manual process to track 6,000+ mobile retail worker’s access in 300+ branches • Homegrown attestation tool not scalable and too expensive to maintain • Need to better control access to heterogeneous environment including PoepleSoft and TopSecret Oracle Solution Return On Investment • Implemented OAM, OIM and ORM as enterprise identity management platform • Lower admin cost while providing more accurate organization, role and identity data • Delegated admin of branch hierarchy and 
location specific roles • Consistent access control across modern and legacy (mainframe) applications • Fully automated provisioning process for critical SOX applications, using PeopleSoft as trusted identity source • Consolidated access and role data to simplify audit reporting and attestation Case Study – Southwest Airlines Seamless B2B Integration & Low TCO Business Challenges • When mechanics cannot access Boeing’s maintenance portal, airplanes sit idle at $15,000 per hour • Boeing was incurring administration and help desk cost for managing SWA mechanic’s access to the maintenance portal Oracle Solution • Implemented OAM and OIF as enterprise access management and federation platform 1st • airline to implement SAML based federation solution • OAM protects intranet and provides self-service password management • 6-week deployment Return On Investment • Saved administration cost of $30 per employee, per month • Improved on-time performance and higher airplane utilization • Less administration and help desk cost for partner Boeing Case Study – General Motors Lower Operational Costs & Centralized Access Control Business Challenges • High administration cost associated with large use base • User base includes multiple tiers of suppliers and dealers • System access issues caused delay in supply chain collaboration Oracle Solution Return On Investment • Implemented OAM and OIF as access control for dealer and supplier portals • Saved administration cost by delegating administration to partners • Enabled 6 levels of delegated administration for supplier portal • Improved supply chain portal accessibility and supply chain performance • Enabled attribute level security for delegated administrators • Integrated with legacy access management system: IBM Tivoli • Centralized policy management ensures consistent security across all partners Case Study – National City Fighting Internet Fraud & FFIEC Compliance Business Challenges • Raising level and sophistication of 
internet fraud: phishing, key logging, pharming…etc. • FFIEC compliance requirement Oracle Solution Return On Investment • Implemented OAAM to protect National City’s on-line banking site • Increased consumer confidence without sacrificing usability • Provided mutual authentication against phishing • Decreased liability for National City and discouraged fraud attempts • Provides real-time fraud detection against suspicious behaviors • Increased ability to deliver new services in a secured manner • Integrated with legacy access management system: CA Siteminder Case Study – JPMorgan Chase Leveraging Entitlements Across the Business Units Business Challenges • Frequent M&A activities makes it difficult to standardized access control across inherited systems & personnel moves • Must protect confidential information and provide proof of the protection in a scalable manner • Security architecture must be transparent, flexible, & efficient Oracle Solution Return On Investment • Implemented OES to provides a common platform for authorizations that stretch across multiple business lines and organizations • Protecting hundreds of applications simultaneously in a cost effective manner • Business users maintain entitlements for application users by region and industry • Policy changes are enforced instantaneously without synchronization and migration errors Case Study – AARP Fast & Simple Deployment & Integration Business Challenges • Member portal evolving from static to social-networking • Member data need to be maintained in multiple backend systems • Core user information stored in a mainframe DB via a proprietary Web Service Oracle Solution Return On Investment • Implemented OVD, OID and OAM to secure AARP.com for over 30 million members • Rapidly and cost effectively deployed new services without wholesale replacement of legacy technologies • OVD exposes mainframe Web Service as LDAP • Achieved data integration into multiple systems without incurring cost of dedicated 
synchronization service • OAM manages self-registration process • OID provides authentication service • Provide flexible security infrastructure to enable new business/service model Case Study – Chic-fil-A Simplify Application Deployment & Identity Integration Business Challenges • Applicationccess to fine-grained authorization data •Employee data spread in multiple data sources • Difficult to deploy any new applications as a result Oracle Solution Return On Investment • Implemented OVD to provide LDAP interface to internal permission systems • Rapidly and cost effectively deployed new services • OVD connects to AD, ADAM, eBiz HR, permission DB, and location DB • Reduced number of repositories • OVD provides authentication and authorization related search capabilities • Reduced the need for new provisioning connectors Hartford case study cannot be presented in public sessions. Either make this slide generic or use the Kable Deutchland case study. Case Study – The Hartford Next Generation Business Enablement Technology Business Challenges • Need to access industry-specific, web-based applications to process quotes across multiple carriers • Need to provide real-time quotes to Independent agents using a variety of homegrown and vendor solutions • Need technology that can co-exist with other corporate security environments and support multiple message transport protocols Oracle Solution Return On Investment • Secure WS based quote-management environment using OWSM • Protects investment in existing multivendor and home-grown platforms • Flexible solution that integrates with existing SOA and 3rd-party hardwarebased security solutions • Improved productivity and reduced risk associated with administration of security policy • Solution that provides both WS security and management using centralized policy administration • Security enforcement environment that can be rapidly deployed with no additional coding Case Study - Kabel Deutschland SOA Security Integration 
Business Challenges • Oracle BPEL is used by Kabel Deutshland to implement a flexible architecture to support the services offered by the company. • The Oracle BPEL Process Manager deployment required additional security and operations management. Oracle Solution • OWSM provides tight integration with Oracle BPEL Process Manager. Return On Investment • Cost reduction by eliminating the need for hard coding security for each web service • Access to BPEL processes is protected by Oracle WSM agents, both on the client and server sides • Allows customer to eliminate VPN from service architecture • Authentication is extended to Individual users and requests can be routed to the right service. • Security is improved by extending authentication from service level to user level For More Information search.oracle.com Identity management or oracle.com