By Greg Jensen on Aug 14, 2013
In this edition of the Oracle IDM blog, we’ll look at a case study for integrating Oracle Identity Manager (OIM) 11g with Oracle Governance, Risk, and Compliance (GRC) as part of an enterprise deployment and an integrated risk management strategy. We will incorporate specific use cases that leverage an integration of the two solutions to address risk and promote operational efficiency for routine tasks such as access requests and certification. In addition to the primary focus between OIM and GRC, we will also highlight how Oracle E-Business Suites (EBS) roles are defined, synchronized, and provisioned using a combination of these two solutions providing an end-to-end integrated solution of the Oracle “suite.”
When we think about Identity Management, we often relegate it to the IT Security or Infrastructure groups where it is traditionally used to address manual security and administration functions such as creating accounts, e.g., “hire and fire” scenarios, granting additional entitlements, and providing report-outs on information access for audit purposes. As identity systems improved their ability to manage the access they provisioned, it has become clear that there was a powerful relationship between IAM and GRC initiatives to better manager enterprise compliance in an integrated, less redundant fashion.
In many organizations today, GRC initiatives are often spread across multiple infrastructure silos and managed by different business units or IT groups. Tackling the constantly evolving regulatory requirements, coupled with increased business complexity, may present an uphill battle for a compliance department within the organization. Organizations are being asked not only to understand ever-changing global regulations, but also to create appropriate strategies in addressing their GRC needs.
Knowing who has access to what is not only important from a traditional security sense, but is important to financial controls groups being able to attest that financially significant systems have minimal risk through inappropriate access. By integrating Oracle’s GRC and Identity Management platforms and the associated processes, organizations can improve user lifecycle management, continuous monitoring and automated controls enforcement to assist with sustainable risk and compliance management.
Figure 1 – Solution architecture
For a visual reference of the type of integration we are discussing, we have included an overview of how the systems can potentially interact. In Figure 1, you will notice a typical Human Resource authoritative source system feeds OIM and OIM then provisions to target resources. What’s different is the call-out to Oracle GRC to perform policy checks.
We won’t reference all of the GRC functionality available in this blog, but will focus on the segregation of duties (SoD) integration and relevant use case. [for detailed instructions on this integration, please see: http://docs.oracle.com/cd/E14899_01/doc.9102/e14763/segregation_duties.htm]. What’s interesting about this integration is OIM is able to leverage the information EBS and GRC already have about the roles that exist. Using OIM scheduled tasks, we are able to synchronize those roles into OIM so that there is no need to manually build them in OIM. Moreover, if the roles get end-dated in EBS, OIM reconciliation with EBS will end-date the roles and the related access for the users who have that role assigned with a goal of end-to-end compliance. Both OIM and GRC offer a web services interface for performing common transactions. More information about this can be found at http://docs.oracle.com/cd/E14507_01/apirefs.1112/e14133/using003.htm
Compliant User Provisioning
In our use case, we will explore how during an access request, a real-time validation can be performed against known SoD conflicts to determine if a role being requested has a conflict. Through OIM’s Service-Oriented Architecture (SOA) workflow functionality, we can include an additional layer of approval if a conflict is presented. A conflict is often unavoidable and, in many cases, requires a power user from the compliance organization to step in, review the request, and document a mitigating control before accepting. In this example, we’ll show a request by a Payables Manager for an Invoice Entry EBS role.
As you can see in this process flow, there is cross-functional behavior between the OIM and GRC solutions to identify the SoD violation and apply a mitigating control if required. Ultimately, OIM manages the provisioning of the role in the end system (EBS in this example) and, therefore, will be able to continually track that entitlement.
There are three take-a-ways from this use case. With GRC and IAM integration, organizations can:
• Automate provisioning and de-provisioning of business application users, with appropriate authorization and compliance checks.
• Improve the management of enterprise accounts and efficiently produce reports such as “who has access to what.”
• Reduce the cost of compliance by removing the need for after the fact remediation.
At Deloitte , we see the need to not only install and configure an IAM solution, but to work with our clients to get value out of an enterprise compliance approach. Solutions can be leveraged in their individual capacity to achieve benefits for an organization, but when organizations leverage cross-platform synergies, such as the ones that Oracle has intentionally created within their OIM and GRC solutions, the sum can become greater than the parts. An integrated approach to an organization’s IAM and GRC programs can assist in reducing costs and redundancies, and improving value to the organization.
About the Author
Kevin Urbanowicz is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with eight years of experience in information technology with a focus on Identity & Access Management (IAM). He has served primarily in the Oil & Gas sector where he has helped his clients identify the business drivers and build the business case for establishing world-class IAM solutions that maximize IT efficiency and minimize security and compliance risk.