Webcast Q&A: ING on How to Scale Role Management and Compliance
By Tanu Sood-Oracle on Apr 13, 2012
Thanks to all who attended the live webcast we hosted on ING: Scaling Role Management and Access Certifications to Thousands of Applications on Wed, April 11th. Those of you who couldn’t join us, the webcast replay is now available.
Many thanks to our guest speaker, Mark Robison, Enterprise Architect at ING for walking us through ING’s drivers and rationale for the platform approach, the phased implementation strategy, results & metrics, roadmap and recommendations. We greatly appreciate the insight he shared with us all on the deployment synergies between Oracle Identity Manager (OIM) and Oracle Identity Analytics (OIA) to enforce streamlined user and role management and scalable compliance. Mark was also kind enough to walk us through specific solutions features that helped ING manage the problem of role explosion and implement closed loop remediation.
Our host speaker, Neil Gandhi, Principal Product Manager, Oracle rounded off the presentation by discussing common use cases and deployment scenarios we see organizations implement to automate user/identity administration and enforce closed-loop scalable compliance. Neil also called out the specific features in Oracle Identity Analytics 11gR1 that cater to expediting and streamlining compliance processes such as access certifications.
While we tackled a few questions during the webcast, we have captured the responses to those that we weren’t able to get to here; our sincere thanks to Mark Robison for taking the time to respond to questions specific to ING’s implementation and strategy.
Q. Did you include business friendly entitlment descriptions, or is the business seeing application descriptors
A. We include very business friendly descriptions. The OIA tool has the facility to allow this.
Q. When doing attestation on job change, who is in the workflow to review and confirm that the employee should continue to have access? Is that a best practice?
A. The new and old manager are in the workflow. The tool can check for any Separation of Duties (SOD) violations with both having similiar accesses. It may not be a best practice, but it is a reality of doing your old and new job for a transition period on a transfer.
Q. What versions of OIM and OIA are being used at ING?
A. OIM 11gR1 and OIA 11gR1; the very latest versions available.
Q. Are you using an entitlements / role catalog?
A. Yes. We use both roles and entitlements.
Q. What specific unexpected benefits did the Identity Warehouse provide ING?
A. The most unanticipated was to help Legal Hold identify user ID's in the various applications. Other benefits included providing a one stop shop for all aggregated ID information.
Q. How fine grained are your application and entitlements? Did OIA, OIM support that level of granularity?
A. We have some very fine grained entitlements, but we role this up into approved Roles to allow for easier management. For managing very fine grained entitlements, Oracle offers the Oracle Entitlement Server. We currently do not own this software but are considering it.
Q. Do you allow any individual access or is everything truly role based?
A. We are a hybrid environment with roles and individual positive and negative entitlements
Q. Did you use an Agile methodology like scrum to deliver functionality during your project?
A. We started with waterfall, but used an agile approach to provide benefits after the initial implementation
Q. How did you handle rolling out the standard ID format to existing users?
A. We just used the standard IDs for new users. We have not taken on a project to address the existing nonstandard IDs.
Q. To avoid role explosion, how do you deal with apps that require more than a couple of entitlement TYPES? For example, an app may have different levels of access and it may need to know the user's country/state to associate them with particular customers.
A. We focus on the functional user and craft the role around their daily job requirements. The role captures the required application entitlements. To keep role explosion down, we use role mining in OIA and also meet and interview the business. It is an iterative process to get role consensus.
Q. Great presentation! How many rounds of Certifications has ING performed so far?
A. Around 7 quarters and constant certifications on transfer.
Q. Did you have executive support from the top down
A. Yes The executive support was key to our success.
Q. For your cloud instance are you using OIA or OIM as SaaS?
A. No. We are just provisioning and deprovisioning to various Cloud providers. (Service Now is an example)
Q. How do you ensure a role owner does not get more priviliges as are intended and thus violates another role, e,g, a DBA Roles should not get tor rigt to run somethings as root, as this would affect the root role?
A. We have SOD checks. Also all Roles are initially approved by external audit and the role owners have to certify the roles and any changes
Q. What is your ratio of employees to roles?
A. We are still in process going through our various lines of business, so I do not have a final ratio. From what we have seen, the ratio varies greatly depending on the Line of Business and the diversity of Job Functions. For standardized lines of business such as call centers, the ratio is very good where we can have a single role that covers many employees. For specialized lines of business like treasury, it can be one or two people per role.
Q. Is ING using Oracle On Demand service ?
Q. Do you have to implement or migrate to OIM in order to get the Identity Warehouse, or can OIA provide the identity warehouse as well if you haven't reached OIM yet?
A. No, OIM deployment is not required to implement OIA’s Identity Warehouse but as you heard during the webcast, there are tremendous deployment synergies in deploying both OIA and OIM together.
Q. When is the Security Governor product coming out?
A. Oracle Security Governor for Healthcare is available today.
Hope you enjoyed the webcast and we look forward to having you join us for the next webcast in the Customers Talk: Identity as a Platform webcast series:
Toyota: Putting Customers First – Identity Platform as a Business Enabler
Wednesday, May 16th at 10 am PST/ 1 pm EST
You can also register for a live event at a city near you where Aberdeen’s Derek Brink will discuss the survey results from the recently published report “Analyzing Platform vs. Point Solution Approach in Identity”.
And, you can do a quick (& free) online assessment of your identity programs by benchmarking it against the 160 organizations surveyed in the Aberdeen report, compliments of Oracle.
Here’s the slide deck from our ING webcast: