Wednesday Aug 14, 2013

Integrating Identity Management and GRC: Decreasing Risk Across Your Organization (Deloitte)

In this edition of the Oracle IDM blog, we’ll look at a case study for integrating Oracle Identity Manager (OIM) 11g with Oracle Governance, Risk, and Compliance (GRC) as part of an enterprise deployment and an integrated risk management strategy. We will incorporate specific use cases that leverage an integration of the two solutions to address risk and promote operational efficiency for routine tasks such as access requests and certification.  In addition to the primary focus on OIM and GRC, we will also highlight how Oracle E-Business Suite (EBS) roles are defined, synchronized, and provisioned using a combination of these two solutions, providing an end-to-end integrated solution across the Oracle “suite.”

Abstract

When we think about Identity Management, we often relegate it to the IT Security or Infrastructure groups, where it is traditionally used to address manual security and administration functions such as creating accounts (e.g., “hire and fire” scenarios), granting additional entitlements, and providing report-outs on information access for audit purposes. As identity systems improved their ability to manage the access they provisioned, it became clear that there is a powerful relationship between IAM and GRC initiatives that can better manage enterprise compliance in an integrated, less redundant fashion.

In many organizations today, GRC initiatives are often spread across multiple infrastructure silos and managed by different business units or IT groups. Tackling the constantly evolving regulatory requirements, coupled with increased business complexity, may present an uphill battle for a compliance department within the organization. Organizations are being asked not only to understand ever-changing global regulations, but also to create appropriate strategies in addressing their GRC needs.

Knowing who has access to what is not only important from a traditional security sense, but is important to financial controls groups being able to attest that financially significant systems have minimal risk through inappropriate access. By integrating Oracle’s GRC and Identity Management platforms and the associated processes, organizations can improve user lifecycle management, continuous monitoring and automated controls enforcement to assist with sustainable risk and compliance management. 

 
Figure 1 – Solution architecture

Solution Architecture

For a visual reference of the type of integration we are discussing, we have included an overview of how the systems can potentially interact.  In Figure 1, you will notice a typical Human Resource authoritative source system feeds OIM and OIM then provisions to target resources.  What’s different is the call-out to Oracle GRC to perform policy checks.

We won’t reference all of the GRC functionality available in this blog, but will focus on the segregation of duties (SoD) integration and the relevant use case. For detailed instructions on this integration, please see http://docs.oracle.com/cd/E14899_01/doc.9102/e14763/segregation_duties.htm.  What’s interesting about this integration is that OIM is able to leverage the information EBS and GRC already have about the roles that exist.  Using OIM scheduled tasks, we are able to synchronize those roles into OIM so that there is no need to manually build them in OIM.  Moreover, if the roles get end-dated in EBS, OIM reconciliation with EBS will end-date the roles and the related access for the users who have that role assigned, with a goal of end-to-end compliance.  Both OIM and GRC offer a web services interface for performing common transactions.  More information about this can be found at http://docs.oracle.com/cd/E14507_01/apirefs.1112/e14133/using003.htm.

Compliant User Provisioning

In our use case, we will explore how during an access request, a real-time validation can be performed against known SoD conflicts to determine if a role being requested has a conflict.  Through OIM’s Service-Oriented Architecture (SOA) workflow functionality, we can include an additional layer of approval if a conflict is presented.  A conflict is often unavoidable and, in many cases, requires a power user from the compliance organization to step in, review the request, and document a mitigating control before accepting.  In this example, we’ll show a request by a Payables Manager for an Invoice Entry EBS role.
 
As you can see in this process flow, there is cross-functional behavior between the OIM and GRC solutions to identify the SoD violation and apply a mitigating control if required.  Ultimately, OIM manages the provisioning of the role in the end system (EBS in this example) and, therefore, will be able to continually track that entitlement.
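The following is an added illustration of the two mechanisms described above, not code from the original post or from Oracle’s products: a scheduled role synchronization from EBS with end-date reconciliation, and a real-time SoD check during an access request that routes conflicts to a compliance reviewer who must document a mitigating control. The EBS role feed, the SoD rule (Payables Manager vs. Invoice Entry), the user and the control text are all constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed EBS role feed as an OIM scheduled synchronization task would
# see it: role name plus an optional end date (None means the role is active).
EBS_ROLE_FEED = [
    {"name": "Payables Manager", "end_date": None},
    {"name": "Invoice Entry", "end_date": None},
    {"name": "Legacy Cash Disbursement", "end_date": date(2013, 6, 30)},
]

# Constructed SoD rule set standing in for the GRC policy library: unordered
# pairs of roles that must not be held by the same user without a control.
SOD_RULES: Set[frozenset] = {
    frozenset({"Payables Manager", "Invoice Entry"}),
}


@dataclass
class IdentityStore:
    """Minimal stand-in for OIM's role catalog and user-role assignments."""
    roles: Dict[str, Optional[date]] = field(default_factory=dict)
    assignments: Dict[str, Set[str]] = field(default_factory=dict)

    def sync_roles(self, feed, today: date) -> List[str]:
        """Scheduled task: load EBS roles; return the ones already end-dated."""
        end_dated = []
        for r in feed:
            self.roles[r["name"]] = r["end_date"]
            if r["end_date"] is not None and r["end_date"] <= today:
                end_dated.append(r["name"])
        return end_dated

    def reconcile(self, today: date) -> List[Tuple[str, str]]:
        """Reconciliation: revoke every assignment tied to an end-dated role."""
        revoked = []
        for user, held in self.assignments.items():
            for role in sorted(held):  # sorted() copies, so discard() is safe
                end = self.roles.get(role)
                if end is not None and end <= today:
                    held.discard(role)
                    revoked.append((user, role))
        return revoked


def sod_check(held: Set[str], requested: str) -> List[str]:
    """Real-time policy check: which currently held roles conflict with the request."""
    return sorted(r for r in held if frozenset({r, requested}) in SOD_RULES)


def process_request(store: IdentityStore, user: str, requested: str,
                    mitigating_control: Optional[str] = None) -> Dict:
    """Approval workflow: provision directly when no conflict exists; otherwise
    hold the request until a compliance reviewer supplies a mitigating control."""
    held = store.assignments.setdefault(user, set())
    conflicts = sod_check(held, requested)
    if conflicts and not mitigating_control:
        return {"status": "pending_compliance_review", "conflicts": conflicts}
    held.add(requested)  # provisioned to the target; OIM now tracks the entitlement
    return {"status": "provisioned", "conflicts": conflicts,
            "mitigating_control": mitigating_control}


if __name__ == "__main__":
    store = IdentityStore()
    print("end-dated in EBS:", store.sync_roles(EBS_ROLE_FEED, date(2013, 8, 14)))
    store.assignments["jdoe"] = {"Payables Manager", "Legacy Cash Disbursement"}
    print("revoked by reconciliation:", store.reconcile(date(2013, 8, 14)))
    print(process_request(store, "jdoe", "Invoice Entry"))
    print(process_request(store, "jdoe", "Invoice Entry",
                          mitigating_control="Monthly invoice-to-payment review by Controller"))
```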

There are three takeaways from this use case.  With GRC and IAM integration, organizations can:

• Automate provisioning and de-provisioning of business application users, with appropriate authorization and compliance checks.
• Improve the management of enterprise accounts and efficiently produce reports such as “who has access to what.”
• Reduce the cost of compliance by removing the need for after-the-fact remediation.

In Conclusion

At Deloitte, we see the need not only to install and configure an IAM solution, but to work with our clients to get value out of an enterprise compliance approach.  Solutions can be leveraged in their individual capacity to achieve benefits for an organization, but when organizations leverage cross-platform synergies, such as the ones that Oracle has intentionally created within their OIM and GRC solutions, the sum can become greater than the parts.  An integrated approach to an organization’s IAM and GRC programs can assist in reducing costs and redundancies, and in improving value to the organization.

About the Author

Kevin Urbanowicz is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with eight years of experience in information technology with a focus on Identity & Access Management (IAM).  He has served primarily in the Oil & Gas sector where he has helped his clients identify the business drivers and build the business case for establishing world-class IAM solutions that maximize IT efficiency and minimize security and compliance risk. 

Wednesday Aug 07, 2013

Oracle IAM in Telematics: A case study in the Automotive Sector (Deloitte)

In this edition of the Oracle Identity Management (IDM) blog, we’ll look at a case study of IDM/IAM in the Automobile Industry and where it plays a significant role in enabling security to support the telematics initiative.  In a broad sense, telematics is the integrated use of telecommunications with information and communications technology. This technology involves sending, receiving and storing information relating to remote objects, such as vehicles, via telecommunication devices.

Using telematics, organizations can monitor the location, movements, status and behavior of a vehicle or fleet. This is achieved through a combination of a Global Positioning System (GPS) receiver and an electronic Global System for Mobile Communications (GSM) device installed in each vehicle, which then communicates with the user and web-based software. In addition to location data, a telematics system can provide a list of your vehicles with the status of each. You can see when a vehicle is started up and shut down, as well as its idling status, location and speed. This information gives organizations a complete, up-to-the-minute knowledge of vehicle activities in one centralized, web-based interface. All of this information can help:

• Increase productivity
• Improve communications
• Reduce labor costs
• Control fuel costs
• Improve customer service
• Increase fleet safety and security
• Reduce operating expenses
• Reduce environmental impact
• Reduce unauthorized vehicle use

In addition to these benefits, various legislative resolutions and mandates, such as the resolution passed by the European parliament stipulating that all new cars must be fitted with a GPS system and GSM communication links, are driving the implementation of telematics to a large scale. 

While telematics gives organizations all the above mentioned flexibility and benefits, it is prone to the same security challenges as usage of services on the web. Think about a situation where someone gets hold of a mobile device that is connected to several vehicles. A nefarious user can wreak havoc with a vehicle’s systems as well as the personal data which the vehicle has access to.

Some of the notable challenges around telematics security include:
 
• Password and user management – Management of multiple passwords and user identities for each vehicle.

• Device management – Management of authentication and authorization of devices allowing users to access the vehicle. High mobile device turnover by the user populations calls for new devices to be re-registered and at the same time blacklisting/wiping-out of the personal and vehicle information must be done on the older devices.

• Service management – Management of various telematics and key-off functionalities on a vehicle in a secure environment.

• Data and privacy concerns – As part of telematics services, automobile manufacturers need to access personal data to customize the user experience, which brings in the challenge of data privacy both in transit and while the data is being processed.

The following section describes how the above-mentioned aspects are managed and how challenges and issues related to managing your telematics services are addressed by using Oracle Access Manager Mobile and Social (OAMMS) and Oracle API Gateway (OAG). 


Fig 1: Oracle IAM integration with Mobile Device

User and device registration: Typically, telematics applications send service registration requests through mobile applications, which validate prerequisites (such as the Vehicle Identification Number (VIN), payment information, etc.) with the telematics service provider. Once validation against the telematics service provider is complete, a customer identity, along with a vehicle identity and a device identity, is created by calling the Mobile and Social Representational State Transfer (REST) interface for registration. During this registration process, OAG can be made to act as the front end to the OAMMS REST interface to confirm that requests come from legitimate sources and to protect the infrastructure against intrusion.

Authentication and telematics operations: The above diagram explains how a user request gets authenticated and passed over to a telematics service provider to perform the requested activity. Before accessing the telematics service, the user provides his credentials in the form of a user id and password, which is used to authenticate the user against the enterprise identity store and also create an Oracle Access Manager token (or JSON Web Token – JWT) on the user’s device. The token is then passed to the telematics service provider with the vehicle information (i.e., VIN) available on the mobile device and the command (requested operation).

Once the token is available to the telematics service provider, it passes the same token over to the OAMMS to validate the authenticity of the request. Once the token is validated, the user’s credentials are authenticated and the requested command is executed on the vehicle.


The token information can be saved for a longer duration on the user’s mobile device for improved user experience and reduced operational time and effort.  For example, a user sends a request to find a vehicle from his mobile device. The assumption is that the user is already authenticated against the enterprise identity store and the token exists on the mobile device. As soon as the user submits the request, a request object is sent to the telematics service provider along with the identity token. The telematics service provider passes the token to OAMMS to validate the account status. OAMMS, in conjunction with OAG, validates the received token for the user’s account status, session timeout, etc.  Once authenticated, a command is sent to the telematics service provider to perform a wakeup call to find the vehicle. The response returned from the vehicle to the telematics service provider is passed over to the mobile device to locate the vehicle.
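As an added illustration of the token flow described in the last two paragraphs (not code from the original post, and not Oracle’s OAMMS or OAG implementation), the block below models the three parties with plain Python: the identity platform issues an HS256-style JWT after password authentication, the telematics service provider forwards that token for validation (signature, session timeout, account status) and checks that the requested VIN is registered to the authenticated user before executing the command. The signing key, identity store, VIN and vehicle response are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed secret shared by the token issuer and validator; in a real
# deployment this key never leaves the identity platform.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
SESSION_TIMEOUT = 3600  # seconds a cached token stays valid on the device

# Constructed enterprise identity store: password hash, account status and
# the VINs linked to the user during service registration.
IDENTITY_STORE = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "status": "active",
        "vins": {"1HGCM82633A004352"},  # constructed sample VIN
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def authenticate(user: str, password: str, now: int) -> Optional[str]:
    """Mobile app -> identity platform: verify credentials, issue a signed token."""
    rec = IDENTITY_STORE.get(user)
    given = hashlib.sha256(password.encode()).hexdigest()
    if rec is None or not hmac.compare_digest(rec["pw_hash"], given):
        return None
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "iat": now, "exp": now + SESSION_TIMEOUT}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def validate_token(token: str, now: int) -> Dict:
    """Validator: signature first, then session timeout, then account status.
    The header's alg field is ignored on purpose; HS256 is always enforced."""
    try:
        header, payload, sig = token.split(".")
        sig_bytes = _unb64(sig)
    except ValueError:  # wrong part count or undecodable base64
        return {"ok": False, "sub": None, "reason": "malformed"}
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig_bytes, expected):
        return {"ok": False, "sub": None, "reason": "bad_signature"}
    claims = json.loads(_unb64(payload))  # safe to parse: signature verified
    if now >= claims["exp"]:
        return {"ok": False, "sub": claims["sub"], "reason": "session_timeout"}
    rec = IDENTITY_STORE.get(claims["sub"])
    if rec is None or rec["status"] != "active":
        return {"ok": False, "sub": claims["sub"], "reason": "account_disabled"}
    return {"ok": True, "sub": claims["sub"], "reason": "valid"}


def telematics_request(token: str, vin: str, command: str, now: int) -> Dict:
    """Telematics service provider: validate the forwarded token, confirm the
    VIN belongs to that user, then execute the command against the vehicle."""
    v = validate_token(token, now)
    if not v["ok"]:
        return {"executed": False, "reason": v["reason"]}
    if vin not in IDENTITY_STORE[v["sub"]]["vins"]:
        return {"executed": False, "reason": "vin_not_registered_to_user"}
    # Constructed vehicle reply for the wake-up / locate command.
    vehicle_reply = {"find_vehicle": {"lat": 42.3601, "lon": -71.0589}}.get(command, "ack")
    return {"executed": True, "user": v["sub"], "vin": vin,
            "command": command, "response": vehicle_reply}


if __name__ == "__main__":
    t0 = 1_376_000_000  # constructed epoch timestamp
    tok = authenticate("alice", "correct horse", t0)
    print(telematics_request(tok, "1HGCM82633A004352", "find_vehicle", t0 + 60))
    print(telematics_request(tok, "1HGCM82633A004352", "find_vehicle", t0 + SESSION_TIMEOUT))
```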

The built-in reporting and auditing capability of OAMMS captures each of the transactions. This can be leveraged to define controls for the telematics service. Apart from OAMMS and OAG, Oracle Access Manager and Oracle Adaptive Access Manager can also be deployed to provide a more robust solution that includes device marking, wiping the contents of a device in case it is lost, and two-factor authentication when a sensitive operation on the vehicle is accessed.

In conclusion

In all, telematics services have evolved to better suit the needs of consumers, but at the same time they trade security off against end-user usability. These trade-offs increasingly contribute to security risks for the user, the organization and their vehicles, including theft of the vehicle, loss of personal data, malfunction of the vehicle, etc. Security should be addressed in an effective manner, with increasingly strict regulations, to protect against these risks. The mobile access management solution using Oracle API Gateway technology unifies telematics requests across network boundaries to mobile devices. It can provide enhanced security, regulatory compliance and increased usability.

About the Author

Debi Mohanty is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with a focus on Identity and Access management and Information Security. He advises several Fortune 100 clients globally on cloud and mobile security, privacy and identity & access management across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

 

Wednesday Jul 31, 2013

Oracle Waveset to Oracle Identity Manager: A Case Study in Higher Education (Deloitte)

Deloitte is excited about the opportunity to introduce the first blog in a series of four blogs that will look at real world case studies involving Oracle Identity and Access Management (IAM). Our future blogs will expand on relevant IAM topics including: 1) Oracle Waveset to Oracle Identity Manager, 2) Oracle IAM in Telematics, 3) Oracle IAM with Governance Risk and Compliance, and 4) Oracle Identity & Access Governance with Database Security. Throughout this blog series, readers are encouraged to submit questions or comments which will feed into a roundtable type Q&A blog responding to selected comments and questions received.

In this edition of the Oracle IAM blog, we’ll look at a case study for migration from Oracle Waveset to Oracle Identity Manager for a higher education statewide system of community colleges, state universities and technical colleges. This also highlights how the flexibility of Oracle’s IAM product landscape contributed to creating a dynamic and sustainable solution for a public-facing system with nearly 500,000 users.

Current State Evaluation and Replication

The legacy Oracle Waveset instance connected to numerous institutional directories and provided end-user functionalities such as user self-service, account activation and password management as well as administrative help-desk functions with a highly customized interface and set of workflows.

As we analyzed these functions, we identified that a majority of them were available within Oracle Identity Manager (OIM) 11g R2, which simplified their replication. Further, the User Interface (UI) enhancements in OIM 11g R2 allowed for significant customization of the end-user pages, such as the ‘My Information’ page, with minimal custom code.  Initial replication of the core functionalities was crucial to the overall project and allowed for the replacement of Waveset as an end-user facing solution on Day 1 of the OIM go-live. However, this did not cover the numerous resource integrations that Waveset had behind the scenes, which would also need to be migrated. Several functionalities, such as account activation and password reset/forgot password, that required specific workflows and service integration were replicated in separate Oracle ADF-based applications that were split away from the OIM managed servers. This allowed the heavily used end-user functions to run separately from the OIM instances, providing increased flexibility in load management and tuning.

Resource Migration Approach

As the numerous resources requiring migration would take significant time and effort, it was decided that these resources would be moved over in a phased manner requiring both OIM and Waveset to operate in parallel for a period of time. This approach reduced risk, as a single cutover would have been highly complex with multiple moving parts across colleges and campuses. To enable this to be possible, OIM and Waveset would need to operate together as we migrated each campus from the old Waveset platform to the new OIM platform. To help accomplish this, a custom connector between OIM and Waveset was built to synchronize certain user attributes so that Waveset could update and maintain those attributes on the resources that remained to be managed by it.

Overall, this approach turned out to be highly beneficial as it allowed the team time to ease into using the new identity solution, reduced the risks that would have been present in a single “big bang” cutover event and allowed for a quick win which displays critical progress and success to solution stakeholders. 
 

Figure A – Oracle Waveset to Oracle Identity Manager resource migration approach

Additional Important Success Factors

Throughout the migration, we encountered a number of items that were deemed critical for meeting project goals that primarily focused on the following:

User Experience

As the solution’s primary users were public individuals that would likely not have significant training or usage guidance, focusing on a refined and calculated user experience such as clear verbiage, font sizing and coloring as well as succinct and detailed error messages was important. While these items may seem minor or insignificant to some readers, they, as expected, ended up being extremely beneficial to end-users and reduced support needs.

Performance and Tuning

With our highly active user-base, performance of the solution was critical to success. Use of the existing Oracle Fusion Middleware Performance and Tuning Guide as well as the OIM 11g R2 Reconciliation Tuning Whitepaper were critical for maintaining performance and ongoing stability of a solution with this size. Also important were key architectural decisions around load balancing, managed server clustering, as well as database clustering (e.g. RAC). Providing enough horsepower behind the solution and conducting due diligence around performance testing will reduce the amount of performance-related issues encountered in production.

In Conclusion

The phased migration from Oracle Waveset to Oracle Identity Manager 11g R2 allowed for a quick win in the initial cutover of end-user functions, a lower-risk migration path, as well as a constant stream of “good news” as various campuses were migrated from the old solution to the new one in a phased manner. A focus on user experience and performance tuning also helped to create an effective environment for end-user interaction and contributed to achieving the goals of the initiative. Finally, the new OIM architecture will provide a solid infrastructure for future enhancements and a greatly increased user base that the prior Waveset environment could no longer support.

About the Author

Derek Dahlen is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with over eight years of experience in information security. He specializes in managing, designing and architecting large-scale identity and access management projects with a focus on the Oracle product stack. He has worked with various clients across the financial services and state government sectors.

Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging Technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware and challenges will likely only intensify as the number of mobile devices and operating systems proliferate. Another option is that the employer can provide employees with a mobile device hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the Pros and Cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.

Benefits/Obstacles of Bring Your Own versus Corporate Provided devices:

Pros – Bring Your Own

  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

Pros – Corporate Provided

  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Cons – Bring Your Own

  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

Cons – Corporate Provided

  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:


When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine if the primary objectives from a mobile security perspective are device, or data centric or a combination of both for their BYOD program.

Device Centric

  • Mobile device management (MDM)
  • Strict device policy enforcement
  • Local data encryption

Data Centric

  • Minimal device data footprint
  • Communications encryption
  • Virtualization

A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see
www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited
