Friday Aug 23, 2013

Implementing Oracle Identity & Access Governance with Database Security (Deloitte)

As organized cyber-attacks become more sophisticated and targeted, organizations, particularly those in the financial and health sectors, have come under strict regulation. The growing security risks from internal and external sources have brought focus on preventive and detective controls working together to protect data. In this edition of the Oracle IAM blog series, we will take a look at how an organization can leverage Oracle’s Identity and Access Management technologies in conjunction with Oracle’s database security offerings.

Challenge

Traditionally, encryption has been considered the required approach to protecting information. However, complex information systems have led to a defense-in-depth approach to database security that includes stronger preventive and detective controls. In addition to encryption, preventive measures should also include restricting access to data within the organization. Compliance requirements, on the other hand, have driven adoption of detective controls such as database activity monitoring and auditing. Detective controls complement preventive controls by filtering attempts to connect to the information system, generating activity reports, and helping investigations of potential breaches.

A common concern identified in several organizations is the lack of insight into the access users have. This usually stems from multiple points at which users are created manually, and from ad-hoc processes, such as a phone call, used to grant access to applications. By relying on incoherent manual processes to provide, monitor and audit user access, the organization risks drastic consequences for the privacy and integrity of its information. Deloitte approaches this problem by leveraging solutions like Oracle’s IAM stack to proactively restrict database access by defining user profiles and centrally managing the user life cycle. This, coupled with preventive and detective controls, can offer a holistic approach to securing information.

Separation of Duties

Separation of duties is an important component of managing user access because it divides the responsibility for sensitive tasks among multiple people, so that no one person has all the power. Oracle Database Vault, an add-on to Oracle Database, protects against insider threats by restricting read/write access to sensitive data. For example, an administrator can be allowed to increase or decrease the size of a table but, given the role, be denied read/write access to the contents of the table. By securing access to the data based on multi-factor policies such as application, IP address, and other pre-determined factors, organizations have granular control over what, when, where, and how users can access sensitive data.

Deloitte’s strategy lets the client manage access to its data layer by separating approach vectors, such as internal or external clients, or types of access such as web and mobile applications. Oracle Access Manager helps control users’ access to web applications, and Oracle Entitlements Server allows administrators to control what a user can see within an application.

Preventive Controls

The first step in this direction is a least-privilege approach that aims to give each user a base profile with minimum access to the database. These profiles can be configured through Oracle Identity Manager (OIM). If a user’s business function requires elevated access, it can be requested. Access requests can be made through a central portal and provisioned automatically through OIM. The requirement for approvals adds a layer of control for the client over what a user can view or modify.

In order to have granular access control, the information stored within the database should be ranked by sensitivity; this can be achieved by deploying Oracle Label Security (OLS). With OLS in place, only users with read/write access to sensitive information will be able to interact with that data. Access is determined by comparing the level in a user’s profile with the level assigned to the data. These data ranks are defined according to the organization’s requirements, with the highest level assigned to the most sensitive information. For finer control, data is also placed in “compartments”, which can have their own levels. For example, the financial compartment can have the highest level ranking.
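The level-plus-compartment comparison described above, as an added illustration (not Oracle code): the level names, their ordering and the compartment names are constructed, and the rule shown is the read check, where the user’s level must be at least the row’s level and the user must hold every compartment the row carries.

```python
"""Level-and-compartment access decision in the style of Oracle Label Security.

Added illustration, not Oracle code: the level names, their ordering and the
compartment names are constructed for this example. A row is readable only
when the user's level is at least the row's level AND the user holds every
compartment the row is tagged with.
"""
from dataclasses import dataclass, field

# Constructed sensitivity ranking: a higher number means more sensitive.
LEVELS = {"PUBLIC": 10, "INTERNAL": 20, "CONFIDENTIAL": 30, "RESTRICTED": 40}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True when a session with this label may read data labelled `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(user_label: Label, row_label: Label) -> bool:
    """Read check: the user's label must dominate the row's label."""
    return user_label.dominates(row_label)


def visible_rows(user_label: Label, rows: list) -> list:
    """Filter a table the way a label policy hides rows the session cannot read.
    Each row is a dict carrying its own label under the key "label"."""
    return [row for row in rows if can_read(user_label, row["label"])]
```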

Detective Controls

As mentioned above, Oracle Database Vault provides security by preventing access. There is a lot more that can be done to secure information above the data level. Database defense-in-depth also includes database activity monitoring and auditing. Oracle Audit Vault and Database Firewall monitor database traffic to detect and block threats. The tools help improve compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources. The following illustration shows how the two can work together:


Logs from the Database Firewall and other systems in the network can be fed into the Audit Vault. Custom and template-driven database activity reports can then be generated to help address compliance and regulations.

Conclusion

Deloitte suggests organizations establish a database defense-in-depth strategy that includes multiple layers of both preventive and detective security controls. By logging the entire process of user account creation, granting access, changing roles, and user account termination, the organization has a 360-degree approach to access governance. Detective controls add valuable context for investigations and provide a critical layer of security during a security breach incident. If network firewalls are bypassed, or in the case of an insider threat, preventive controls can offer a strong defense. Since these security controls are granular, they can be effectively configured to limit employees to their day-to-day activities. Identity and access management helps set up workflows for provisioning and defining roles to limit access; this, coupled with encryption, activity monitoring and reporting, forms a holistic defense-in-depth approach to security and compliance.

Wednesday Aug 14, 2013

Integrating Identity Management and GRC: Decreasing Risk Across Your Organization (Deloitte)

In this edition of the Oracle IDM blog, we’ll look at a case study for integrating Oracle Identity Manager (OIM) 11g with Oracle Governance, Risk, and Compliance (GRC) as part of an enterprise deployment and an integrated risk management strategy. We will incorporate specific use cases that leverage an integration of the two solutions to address risk and promote operational efficiency for routine tasks such as access requests and certification. In addition to the primary focus between OIM and GRC, we will also highlight how Oracle E-Business Suite (EBS) roles are defined, synchronized, and provisioned using a combination of these two solutions, providing an end-to-end integrated solution of the Oracle “suite.”

Abstract

When we think about Identity Management, we often relegate it to the IT Security or Infrastructure groups, where it is traditionally used to address manual security and administration functions such as creating accounts (e.g., “hire and fire” scenarios), granting additional entitlements, and providing report-outs on information access for audit purposes. As identity systems improved their ability to manage the access they provisioned, it became clear that there was a powerful relationship between IAM and GRC initiatives to better manage enterprise compliance in an integrated, less redundant fashion.

In many organizations today, GRC initiatives are often spread across multiple infrastructure silos and managed by different business units or IT groups. Tackling the constantly evolving regulatory requirements, coupled with increased business complexity, may present an uphill battle for a compliance department within the organization. Organizations are being asked not only to understand ever-changing global regulations, but also to create appropriate strategies in addressing their GRC needs.

Knowing who has access to what is not only important from a traditional security sense, but is important to financial controls groups being able to attest that financially significant systems have minimal risk through inappropriate access. By integrating Oracle’s GRC and Identity Management platforms and the associated processes, organizations can improve user lifecycle management, continuous monitoring and automated controls enforcement to assist with sustainable risk and compliance management. 

 
Figure 1 – Solution architecture

Solution Architecture

For a visual reference of the type of integration we are discussing, we have included an overview of how the systems can potentially interact.  In Figure 1, you will notice a typical Human Resource authoritative source system feeds OIM and OIM then provisions to target resources.  What’s different is the call-out to Oracle GRC to perform policy checks.

We won’t reference all of the GRC functionality available in this blog, but will focus on the segregation of duties (SoD) integration and the relevant use case. [For detailed instructions on this integration, please see: http://docs.oracle.com/cd/E14899_01/doc.9102/e14763/segregation_duties.htm] What’s interesting about this integration is that OIM is able to leverage the information EBS and GRC already have about the roles that exist. Using OIM scheduled tasks, we are able to synchronize those roles into OIM so that there is no need to manually build them in OIM. Moreover, if the roles get end-dated in EBS, OIM reconciliation with EBS will end-date the roles and the related access for the users who have that role assigned, with a goal of end-to-end compliance. Both OIM and GRC offer a web services interface for performing common transactions. More information about this can be found at http://docs.oracle.com/cd/E14507_01/apirefs.1112/e14133/using003.htm

Compliant User Provisioning

In our use case, we will explore how during an access request, a real-time validation can be performed against known SoD conflicts to determine if a role being requested has a conflict.  Through OIM’s Service-Oriented Architecture (SOA) workflow functionality, we can include an additional layer of approval if a conflict is presented.  A conflict is often unavoidable and, in many cases, requires a power user from the compliance organization to step in, review the request, and document a mitigating control before accepting.  In this example, we’ll show a request by a Payables Manager for an Invoice Entry EBS role.
 
As you can see in this process flow, there is cross-functional behavior between the OIM and GRC solutions to identify the SoD violation and apply a mitigating control if required.  Ultimately, OIM manages the provisioning of the role in the end system (EBS in this example) and, therefore, will be able to continually track that entitlement.
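The request-time SoD check described in this use case, as an added example that is not the OIM or GRC API: the conflict matrix, the role names (including the Payables Manager / Invoice Entry pair from the text), the decision statuses and the stand-in target-system role table are all constructed.

```python
"""Real-time segregation-of-duties (SoD) check during an access request,
following the OIM-to-GRC call-out described above.

Added example, not the OIM or GRC API: the conflict matrix, the role names,
the decision statuses and the target-system role table are all constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed SoD policy: pairs of roles that must not be held by one person.
SOD_CONFLICTS = {
    frozenset({"Payables Manager", "Invoice Entry"}),
    frozenset({"Payables Manager", "Supplier Maintenance"}),
    frozenset({"Invoice Entry", "Payment Processing"}),
}


@dataclass
class AccessRequest:
    user: str
    current_roles: set
    requested_role: str
    # Filled in by the compliance power user when a conflict is accepted.
    mitigating_control: Optional[str] = None


@dataclass
class Decision:
    # "approved", "approved_with_mitigation" or "needs_compliance_review"
    status: str
    conflicts: list = field(default_factory=list)
    provision: bool = False


def find_conflicts(current_roles, requested_role):
    """Roles already held that conflict with the requested role."""
    return sorted(role for role in current_roles
                  if frozenset({role, requested_role}) in SOD_CONFLICTS)


def evaluate(req: AccessRequest) -> Decision:
    """SoD validation at request time, before any provisioning happens.

    No conflict: provision after the normal approval. Conflict without a
    documented mitigating control: route to the compliance approval layer
    and do not provision. Conflict with a mitigating control recorded:
    provision, keeping the control alongside the entitlement for later review.
    """
    conflicts = find_conflicts(req.current_roles, req.requested_role)
    if not conflicts:
        return Decision("approved", provision=True)
    if req.mitigating_control:
        return Decision("approved_with_mitigation", conflicts, provision=True)
    return Decision("needs_compliance_review", conflicts)


def provision(req: AccessRequest, target_roles: dict) -> Decision:
    """Apply the decision to the constructed target-system role table (standing
    in for EBS) so the granted entitlement can be tracked end to end."""
    decision = evaluate(req)
    if decision.provision:
        target_roles.setdefault(req.user, set()).add(req.requested_role)
    return decision
```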

There are three takeaways from this use case. With GRC and IAM integration, organizations can:

• Automate provisioning and de-provisioning of business application users, with appropriate authorization and compliance checks.
• Improve the management of enterprise accounts and efficiently produce reports such as “who has access to what.”
• Reduce the cost of compliance by removing the need for after-the-fact remediation.

In Conclusion

At Deloitte, we see the need to not only install and configure an IAM solution, but to work with our clients to get value out of an enterprise compliance approach. Solutions can be leveraged in their individual capacity to achieve benefits for an organization, but when organizations leverage cross-platform synergies, such as the ones that Oracle has intentionally created within their OIM and GRC solutions, the sum can become greater than the parts. An integrated approach to an organization’s IAM and GRC programs can assist in reducing costs and redundancies, and in improving value to the organization.

About the Author

Kevin Urbanowicz is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with eight years of experience in information technology with a focus on Identity & Access Management (IAM).  He has served primarily in the Oil & Gas sector where he has helped his clients identify the business drivers and build the business case for establishing world-class IAM solutions that maximize IT efficiency and minimize security and compliance risk. 

Wednesday Aug 07, 2013

Oracle IAM in Telematics: A case study in the Automotive Sector (Deloitte)

In this edition of the Oracle Identity Management (IDM) blog, we’ll look at a case study of IDM/IAM in the Automobile Industry and where it plays a significant role in enabling security to support the telematics initiative.  In a broad sense, telematics is the integrated use of telecommunications with information and communications technology. This technology involves sending, receiving and storing information relating to remote objects, such as vehicles, via telecommunication devices.

Using telematics, organizations can monitor the location, movements, status and behavior of a vehicle or fleet. This is achieved through a combination of a Global Positioning System (GPS) receiver and an electronic Global System for Mobile Communications (GSM) device installed in each vehicle, which then communicates with the user and web-based software. In addition to location data, a telematics system can provide a list of your vehicles with the status of each. You can see when a vehicle is started up and shut down, as well as its idling status, location and speed. This information gives organizations a complete, up-to-the-minute knowledge of vehicle activities in one centralized, web-based interface. All of this information can help:

• Increase productivity
• Improve communications
• Reduce labor costs
• Control fuel costs
• Improve customer service
• Increase fleet safety and security
• Reduce operating expenses
• Reduce environmental impact
• Reduce unauthorized vehicle use

In addition to these benefits, various legislative resolutions and mandates, such as the resolution passed by the European parliament stipulating that all new cars must be fitted with a GPS system and GSM communication links, are driving the implementation of telematics to a large scale. 

While telematics gives organizations all the above-mentioned flexibility and benefits, it is prone to the same security challenges as using services on the web. Think about a situation where someone gets hold of a mobile device that is connected to several vehicles. A nefarious user can wreak havoc with a vehicle’s systems as well as the personal data which the vehicle has access to.

Some of the notable challenges around telematics security include:

• Password and user management – Management of multiple passwords and user identities for each vehicle.

• Device management – Management of authentication and authorization of the devices through which users access the vehicle. High mobile device turnover in the user population calls for new devices to be registered, and at the same time the personal and vehicle information on the older devices must be blacklisted or wiped.

• Service management – Management of various telematics and key-off functionalities on a vehicle in a secure environment.

• Data and privacy concerns – As part of telematics services, automobile manufacturers need to access personal data to customize the user experience, bringing in the challenge of data privacy both in transit and while it is being processed.

The following section describes how the above-mentioned aspects are managed and how challenges and issues related to managing your telematics services are addressed by using Oracle Access Manager Mobile and Social (OAMMS) and Oracle API Gateway (OAG). 


Fig 1: Oracle IAM integration with Mobile Device

User and device registration: Typically, telematics applications send service registration requests through mobile applications, which validate pre-requisites (such as the Vehicle Identification Number (VIN), payment information, etc.) with the telematics service provider. Once validation against the telematics service provider is complete, a customer identity, along with a vehicle and device identity, is created by calling the Mobile and Social Representational State Transfer (REST) interface for registration. During this registration process, OAG can be made to act as the front end to the OAMMS REST interface to confirm that requests come from legitimate sources and to protect the infrastructure against intrusion.

Authentication and telematics operations: The above diagram explains how a user request gets authenticated and passed over to a telematics service provider to perform the requested activity. Before accessing the telematics service, the user provides his credentials in the form of a user id and password, which are used to authenticate the user against the enterprise identity store and also to create an Oracle Access Manager token (or JSON Web Token – JWT) on the user’s device. The token is then passed to the telematics service provider with the vehicle information (i.e., VIN) available on the mobile device and the command (requested operation).

Once the token is available to the telematics service provider, it passes the same token to OAMMS to validate the authenticity of the request. Once the token is validated, the user’s credentials are authenticated and the requested command is executed on the vehicle.


The token information can be saved for a longer duration on the user’s mobile device for improved user experience and reduced operational time and effort. For example, a user sends a request to find a vehicle from his mobile device. The assumption is that the user is already authenticated against the enterprise identity store and the token exists on the mobile device. As soon as the user submits the request, a request object is sent to the telematics service provider along with the identity token. The telematics service provider passes the token to OAMMS to validate the account status. OAMMS, in conjunction with OAG, validates the received token for the user’s account status, session timeout, etc. Once authenticated, a command is sent to the telematics service provider to perform a wakeup call to find the vehicle. The response returned from the vehicle to the telematics service provider is passed over to the mobile device to locate the vehicle.
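The three-party flow above (device, telematics service provider, token validator), as an added example that is not Oracle code: the token is a minimal HMAC-signed JWT-style token, and the shared key, identity store, account statuses, vehicle registrations and command set are all constructed. The validator checks what the text lists: signature, session timeout and account status, and the provider acts on the vehicle only after that check passes.

```python
"""Token-based telematics request flow, modelled on the exchange above: the
device authenticates once, receives a token, and every later command carries
that token, which the telematics service provider hands to the validator.

Added example, not Oracle code. The token is a minimal HMAC-signed JWT-style
token; the identity store, account statuses, vehicle registrations, command
set and the shared key are all constructed for this illustration.
"""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key"   # known to issuer and validator only
TOKEN_TTL = 900                        # session timeout in seconds


def _pw_hash(password: str) -> str:
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()


# Constructed identity store: user -> (password hash, account status).
USERS = {
    "alice": (_pw_hash("correct horse"), "active"),
    "bob":   (_pw_hash("hunter2"), "locked"),
}
# Constructed registration data: which VINs each user may send commands to.
VEHICLES = {"alice": {"1HGCM82633A004352"}, "bob": {"WBA3A5C55CF256987"}}
COMMANDS = {"locate", "lock", "unlock"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, password: str, now: int = None):
    """Identity service: check the credentials against the store and mint a
    signed token for the device to keep. Returns None on failure."""
    record = USERS.get(user)
    if record is None or record[1] != "active":
        return None
    if not hmac.compare_digest(record[0], _pw_hash(password)):
        return None
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "iat": now, "exp": now + TOKEN_TTL}
    payload = _b64(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SHARED_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def validate_token(token, now: int = None):
    """Validator (the OAMMS role above): verify the signature, the expiry and
    the account status. Returns the subject on success, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        sig_bytes = _unb64(sig)
    except (ValueError, AttributeError):
        return None                      # malformed token
    signing_input = f"{header}.{payload}".encode()
    expected = hmac.new(SHARED_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None                      # forged or tampered token
    claims = json.loads(_unb64(payload))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        return None                      # session timed out
    user = claims["sub"]
    if USERS.get(user, (None, "unknown"))[1] != "active":
        return None                      # account locked since issuance
    return user


def handle_request(request: dict, now: int = None) -> dict:
    """Telematics service provider: the device sends {token, vin, command};
    the provider validates the token first and only then acts on the vehicle."""
    user = validate_token(request.get("token"), now)
    if user is None:
        return {"status": "denied", "reason": "invalid or expired token"}
    vin = request.get("vin")
    if vin not in VEHICLES.get(user, set()):
        return {"status": "denied", "reason": "vehicle not registered to user"}
    command = request.get("command")
    if command not in COMMANDS:
        return {"status": "denied", "reason": "unknown command"}
    # Constructed stand-in for the wake-up call to the vehicle.
    return {"status": "ok", "user": user, "vin": vin, "command": command}
```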

The built-in reporting and auditing capability of OAMMS captures each transaction, which can be leveraged to define controls for the telematics service. Apart from OAMMS and OAG, Oracle Access Manager and Oracle Adaptive Access Manager can also be deployed to provide a more robust solution, including device marking, wiping the contents of a device in case it is lost, and two-factor authentication before a sensitive operation on the vehicle.

In conclusion

In all, telematics services have evolved to better suit the needs of consumers, but at the same time they trade off security for end-user usability. These trade-offs increasingly contribute to security risks for the user, the organization and their vehicles, including theft of the vehicle, loss of personal data, vehicle malfunction, and so on. Security should be addressed effectively, under increasingly strict regulations, to protect against these risks. The mobile access management solution using Oracle API Gateway technology unifies telematics requests across network boundaries to mobile devices. It can provide enhanced security, regulatory compliance and increased usability.

About the Author

Debi Mohanty is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with a focus on Identity and Access management and Information Security. He advises several Fortune 100 clients globally on cloud and mobile security, privacy and identity & access management across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

 

Wednesday Jul 31, 2013

Oracle Waveset to Oracle Identity Manager: A Case Study in Higher Education (Deloitte)

Deloitte is excited about the opportunity to introduce the first blog in a series of four blogs that will look at real world case studies involving Oracle Identity and Access Management (IAM). Our future blogs will expand on relevant IAM topics including: 1) Oracle Waveset to Oracle Identity Manager, 2) Oracle IAM in Telematics, 3) Oracle IAM with Governance Risk and Compliance, and 4) Oracle Identity & Access Governance with Database Security. Throughout this blog series, readers are encouraged to submit questions or comments which will feed into a roundtable type Q&A blog responding to selected comments and questions received.

In this edition of the Oracle IAM blog, we’ll look at a case study for migration from Oracle Waveset to Oracle Identity Manager for a higher education statewide system of community colleges, state universities and technical colleges. This also highlights how the flexibility of Oracle’s IAM product landscape contributed to creating a dynamic and sustainable solution for a public-facing system with nearly 500,000 users.

Current State Evaluation and Replication

The legacy Oracle Waveset instance connected to numerous institutional directories and provided end-user functionalities such as user self-service, account activation and password management as well as administrative help-desk functions with a highly customized interface and set of workflows.

As we analyzed these functions, we identified that a majority of them were available within Oracle Identity Manager (OIM) 11g R2, which simplified their replication. Further, the User Interface (UI) enhancements in OIM 11g R2 allowed for significant customization of the end-user pages, such as the ‘My Information’ page, with minimal custom code. Initial replication of the core functionalities was crucial to the overall project and allowed for the replacement of Waveset as an end-user facing solution on Day 1 of the OIM go-live. However, this did not cover the numerous resource integrations that Waveset had behind the scenes, which would also need to be migrated. Several functionalities, such as account activation and password reset/forgot password, that required specific workflows and service integration were replicated in separate Oracle ADF-based applications that were split away from the OIM managed servers. This allowed the highly used end-user functions to run separately from the OIM instances, providing increased flexibility in load management and tuning.

Resource Migration Approach

As the numerous resources requiring migration would take significant time and effort to move, it was decided that these resources would be moved over in a phased manner, requiring both OIM and Waveset to operate in parallel for a period of time. This approach reduced risk, as a single cutover would have been highly complex with multiple moving parts across colleges and campuses. To make this possible, OIM and Waveset needed to operate together as we migrated each campus from the old Waveset platform to the new OIM platform. To help accomplish this, a custom connector between OIM and Waveset was built to synchronize certain user attributes so that Waveset could update and maintain those attributes on the resources that remained managed by it.

Overall, this approach turned out to be highly beneficial as it allowed the team time to ease into using the new identity solution, reduced the risks that would have been present in a single “big bang” cutover event and allowed for a quick win that displayed critical progress and success to solution stakeholders.
 

Figure A – Oracle Waveset to Oracle Identity Manager resource migration approach

Additional Important Success Factors

Throughout the migration, we encountered a number of items that were deemed critical for meeting project goals that primarily focused on the following:

User Experience

As the solution’s primary users were members of the public who would likely not have significant training or usage guidance, focusing on a refined and calculated user experience, such as clear verbiage, font sizing and coloring as well as succinct and detailed error messages, was important. While these items may seem minor or insignificant to some readers, they, as expected, ended up being extremely beneficial to end-users and reduced support needs.

Performance and Tuning

With our highly active user base, performance of the solution was critical to success. Use of the existing Oracle Fusion Middleware Performance and Tuning Guide as well as the OIM 11g R2 Reconciliation Tuning Whitepaper was critical for maintaining performance and ongoing stability of a solution of this size. Also important were key architectural decisions around load balancing, managed server clustering, and database clustering (e.g. RAC). Providing enough horsepower behind the solution and conducting due diligence around performance testing will reduce the number of performance-related issues encountered in production.

In Conclusion

The phased migration of Oracle Waveset to Oracle Identity Manager 11g R2 allowed for a quick win in the initial cutover of end-user functions, a lower-risk migration path, as well as a constant stream of “good news” as various campuses were migrated from the old solution to the new one in a phased manner. A focus on user experience and performance tuning also helped to create an effective environment for end-user interaction and contributed to achieving the goals of the initiative. Finally, the new OIM architecture will provide a solid infrastructure for future enhancements and a greatly increased user base that the prior Waveset environment could no longer support.

About the Author

Derek Dahlen is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with over eight years of experience in information security. He specializes in managing, designing and architecting large-scale identity and access management projects with a focus on the Oracle product stack. He has worked with various clients across the financial services and state government sectors.

Tuesday Jul 16, 2013

The Art of the Possible: Real Life Case Study in Oracle IAM 11gR2 Performance Tuning by Alex Bolante (Accenture)

In our last post, we walked through a handful of practical tips and tricks to fine tune your Oracle Identity Management 11gR2 deployment.  This week we look at a real life case study, focused on Oracle Directory Services, where we applied our pragmatic approach and solutions.

Case study: a multinational financial services corporation.  With presence in over 200 countries, this financial services company enables consumers, businesses, financial institutions and governments to use digital currency instead of cash and checks through one of the world’s most advanced processing networks, capable of handling more than 20,000 transactions per second.  Like many legacy customers, the company sought Accenture’s help to strategically plan, design and upgrade to an improved version of Oracle Directory Services that provided:

• Improved directory services performance
• Multi-user topology support
• Enhanced replication
• Increased security

The implementation comprised approximately 50 servers located across multiple, geographically distributed data centers supporting over 100 applications and more than 250,000 users, including financial institutions, payment product processors and others doing business with this financial services company.

Environment design specification

Our environment design specification was initially developed to support legacy applications, but given a new set of business and technical requirements, we needed to modify and scale the solution to support future business services with enough capacity to grow up to 40% year over year.  Key performance requirements included:

• Optimized for reads, writes and replication across data centers located across the globe
• Performs 1000 operations per second
• Supports response time of 0.05 milliseconds for single user id searches
• Supports response time of 0.15 milliseconds for single user attribute writes
• Supports 200 concurrent searches
• Supports growth rate of 10,000 objects per month over the next 5 years
• Provides real time password replication using prioritization

Modifying and scaling the solution:
Our process for modifying and scaling the solution included engaging Oracle product managers and engineers directly to validate our hardware configuration.

Product: Oracle Directory Services
Operating System: 64-bit Solaris 10 Update 10 or higher
Hardware: SPARC T-series
Memory: 64 GB
Disk Space: 270 GB
Swap Space: 15 GB
Tmp Space: 10 GB
File Descriptor Limit: 8192
Replication Topology: Multi-master with no restrictions on the number of masters

We made several recommended configuration changes and tuned the Operating System, Database Cache, Entry Cache, Import Cache, File System Cache and Indexes. 

Disable schema check for fast replication
$dsconfpath/dsconf set-server-prop -p portNum check-schema-enabled:off

Set DB cache size to 1000M
$dsconfpath/dsconf set-server-prop -p portNum db-cache-size:1000M

Set entry cache size to 1000M
$dsconfpath/dsconf set-suffix-prop -p portNum suffixDN entry-cache-size:1000M

Set import cache size to 200M
$dsconfpath/dsconf set-server-prop -p portNum import-cache-size:200M

Set all-ids-threshold to 8000
$dsconfpath/dsconf set-server-prop -p portNum all-ids-threshold:8000

Set repl-purge-delay to 1 day
$dsconfpath/dsconf set-server-prop -p portNum repl-purge-delay:1d

Change log paths
$dsconfpath/dsconf set-log-prop -p portNum ACCESS path:/var/ldaplogs/access
$dsconfpath/dsconf set-log-prop -p portNum AUDIT path:/var/ldaplogs/audit
$dsconfpath/dsconf set-log-prop -p portNum ERROR path:/var/ldaplogs/error

Enable audit log
$dsconfpath/dsconf set-log-prop -p portNum AUDIT enabled:on

The outcome:

After we applied our performance tunings, we performed our tests in production-like environments, verified and documented our results, profiled and monitored our solution, tweaked and tuned our environment and cycled through this step-by-step process until we were satisfied that we had met all requirements.  We shared the results with our Oracle peers to validate – including our testing approach which included search rates and modification rates based on 100 users and 200 users connecting concurrently – and the numbers were right on point with our expectations from the Directory Services upgrade.


How can you apply this to your environment? 

Step 1:
Talk to Oracle Product Management, Development and Engineering directly, get them involved in your project as early as possible and keep them engaged throughout your project. It helps to have knowledgeable subject matter experts who can bring your implementation up to par with leading implementations. Some guidelines for checkpoints include:

Checkpoint 1: Before statement of work (SOW) is signed:
• Is the SOW clearly defined?
• Is the described product functionality feasible?
• Are measurable and achievable success criteria defined?

Checkpoint 2: Before requirements, architecture and project plan are delivered:
• Can the product fulfill the defined requirements?
• Is the architecture and solution design sound and scalable?
• Is the customer's environment ready?

Checkpoint 3: Before the design is delivered:
• Is the design technically sound?
• Can the design be implemented, migrated and supported?
• Are the test plans and approach reasonable?

Step 2:
Define specific, measurable objectives for performance tunings based on your requirements.
To start with, you can use Accenture’s predefined set of key attributes for developing “good” requirements that are measurable.

• Necessary – an important capability or element of a solution which cannot be compensated for if absent
• Understandable – stated in a context which conveys the essence of what is needed
• Complete – stated in a standalone context which does not rely upon supplemental and/or assumed definitions
• Consistent – does not contradict by context or terminology nor is contradicted by other statements (e.g. is not mutually exclusive)
• Unambiguous – cannot have more than one interpretation
• Attainable – a capability which can be implemented within the constraints of available resources and technology (e.g. product, cost, schedule)
• Verifiable – can establish that the statement has been satisfied through specific measurements, test, demonstration, inspection, and/or analysis

Step 3:
Determine how you plan to implement performance tunings.
There is more than one way to skin a cat.  In addition to the tuning configuration changes made to the environment, you also have to consider hardware sizing and configurations, middleware technologies, application and data samples used for testing and how you measure/analyze results.  For example, hardware sizing guides are meant to provide you with a baseline for your deployment, but they are not exact specifications for your Oracle Identity & Access Management deployment. 

The same applies for a vendor certification matrix – while Oracle’s Identity & Access Management product might be certified or supported on another vendor’s middleware or platform stack, that does not automatically imply it is the ‘optimal’ configuration for your deployment.  Most organizations already have infrastructure standards (e.g. we use WebSphere Application Server for our J2EE apps), but you need to carefully consider that your Oracle Identity & Access Management deployment may be harder to tweak and tune if implemented on top of multiple vendor stacks.  In fact, the more unique your configuration design is, the more challenging it will be to support and the less likely your deployment will be up to par with common practices.

Step 4:
Apply your performance tunings, perform your tests, verify and document your results, profile and monitor your solution, tweak and tune it – wash, rinse and repeat.
Consider the testing tools you will use to conduct your performance tests and their limitations.  We used both SLAMD and HP LoadRunner for our Directory Services deployment.  SLAMD had resource limitations on the number of connections and threads we could test, especially if it was not running off a dedicated server.  HP LoadRunner had a limitation with testing multiple attribute updates until we applied a hot fix that the vendor eventually provided.

Also, most deployments are two- to three-tier architectures, so you have to tune the database/directory server, middleware/application server, web servers and every component in between each tier (e.g. load balancers for SSL acceleration).  In fact, each tier requires its own performance tuning, pruning, cleaning, care, feeding and regular maintenance.  At its core, there are several performance bottlenecks to consider:

• Start with your server or system resources (e.g. over clocked CPU, maxed out memory, resource contention, insufficient space)
• Tune your way up from data tier to application/web tier (e.g. database/directory servers typically require specific optimizer tunings, predefined indexes and table pruning while application servers typically require proper JVM heap size allocation, connection pooling and message queue thresholds)

Step 5:
Share your experiences with the Oracle Security community at large.
By now, your Oracle Identity & Access Management solution should be designed to support not only your legacy applications, but also scaled to support future business services!

Stay tuned for our next post on No Where to go but up: Extending the benefits of accelerated IAM to enable new solutions and features where we highlight interesting trends in Security and Identity & Access Management.

References:
Oracle Directory Services: Overview
http://www.oracle.com/us/products/middleware/identity-management/directory-services/resources/index.html

Oracle Directory Services: Discussion Forums https://forums.oracle.com/community/developer/english/fusion_middleware/identity_management/oracle_directory_server_enterprise_edition_sun_dsee/content?start=0

Tuesday Jul 02, 2013

Taking the training wheels off: Accelerating the Business with Oracle IAM by Brian Mozinski (Accenture)

Today, technical requirements for IAM are evolving rapidly, and the bar is continuously raised for high performance IAM solutions as organizations look to roll out high volume use cases on the back of legacy systems.  Existing solutions were often designed and architected to support offline transactions and manual processes, and the business owners today demand globally scalable infrastructure to support the growth their business cases are expected to deliver.

To help IAM practitioners address these challenges and make their organizations and themselves more successful, in this series we will outline the following:

• Taking the training wheels off: Accelerating the Business with Oracle IAM
The explosive growth in expectations for IAM infrastructure, and the business cases they support to gain investment in new security programs.

• "Necessity is the mother of invention": Technical solutions developed in the field
Well-proven tricks of the trade, used by IAM gurus to maximize your solution while addressing the requirements of global organizations.

• The Art & Science of Performance Tuning of Oracle IAM 11gR2
Real world examples of performance tuning with Oracle IAM

• No Where to go but up: Extending the benefits of accelerated IAM
Anything is possible, compelling new solutions organizations are unlocking with accelerated Oracle IAM

Let’s get started … by talking about the changing dynamics driving these discussions.

Big companies are getting bigger every day, and increasingly organizations operate across state lines, multiple time zones, and in many countries or continents at the same time.  No longer is midnight to 6am a safe time to take down the system for upgrades, to run reconciliations, or to import or update user accounts and attributes.  Further, IT organizations are operating as shared services with SLAs similar to the telephone carrier levels expected by their “clients”.  Workers are moved in and out of roles at a weekly, daily, or even hourly rate, and IAM is expected to support those rapid changes.  End users registering for services during business hours in Singapore expect their access to be green-lighted in custom apps hosted in Portugal within the hour.  The old expectations of asynchronous systems and batched updates are no longer adequate, and the number and types of users keep growing.

When organizations acted more like independent teams at functional or geographic levels, it was manageable to have processes that relied on a handful of people who knew how to make things work, who knew how to get you access to the key systems to get your job done.  Today everyone is expected to do more with less: the finance administrator previously supporting their local Atlanta sales office might now be asked to help close the books for the Johannesburg team, and the access certification process once completed monthly by Joan on the 3rd floor is now done by a shared pool of resources in Sao Paulo.

Fragmented processes that rely on institutional knowledge to get access to systems and get work done quickly break down in these scenarios.  Highly robust processes that have automated workflows for connected or disconnected systems give organizations the dynamic flexibility to share work across these lines and cut costs or increase productivity.

As the IT industry’s computing paradigms continue to change with the passing of time, and as mature or proven approaches become clear, it is normal for organizations to adjust accordingly. Businesses must manage identity in an increasingly hybrid world in which legacy on-premises IAM infrastructures are extended or replaced to support more and more interconnected and interdependent services to a wider range of users. The old legacy IAM implementation models we had relied on to manage identities no longer apply.

End users expect to self-request access to services from their tablet, get supervisor approval over mobile devices and email, and launch the application even if it is hosted in the cloud, or run by a partner, vendor, or service provider.

While user expectations are higher, they are also simpler … logging into custom desktop apps to request approvals, or going through email or paper based processes for certification is unacceptable.  Users expect security to operate within the paradigm of the application … i.e. feel like the application they are using.

Citizen- and customer-facing applications have evolved from everywhere: custom applications, 3rd party tools, and systems merged in from acquired entities or 3rd party OEMs resold to expand your portfolio of services.  These all have their own user stores, authentication models, user lifecycles, session management, etc.  Often the designers/developers are no longer accessible and the documentation is limited.  Bringing together the underlying directories to scale for growth and improve user experience is critical for revenue, but also for operations.

Job functions are more dynamic. Take the Olympics, for example.  Endless organizations, from corporations broadcasting, endorsing, or marketing through the event to non-profit athletic foundations and public/government entities for athletes and public safety, all operate simultaneously on the world stage.  Each organization needs to spin up short-term teams, often dealing with proprietary information from hot ads to racing strategies or security plans.  IAM is expected to enable teams to spin up, enable new applications, protect privacy, and secure critical infrastructure.  Then it needs to be disabled just as quickly as users go back to their previous responsibilities.

On a more technical level …
Businesses today need optimized directory systems together with clear tuning guidelines and parameters. They need to make the right architectural choices (for example, virtual directories) by selecting the correct pattern (virtual, direct, replicated) and tuning it appropriately; the challenge is to assess and choose the correct architectural pattern (centralized, virtualized, or distributed) for their needs.

Today's business organizations have very complex heterogeneous enterprises that contain diverse and multifaceted information. With today's ever-changing global landscape, the strategic end goal for business in challenging times is business agility. The business of identity management requires enterprises to be more agile and more responsive than ever before. The continued proliferation of networked devices (PCs, tablets, PDAs, notebooks, etc.) has caused the number of devices, and of users to be granted access to these devices, to grow exponentially. Business needs to deploy an IAM system that can account for the demands for authentication and authorization to these devices.

Increased innovation is forcing businesses and organizations to centralize their identity management services. Access management needs to handle traditional web-based access as well as new innovations around mobile, and must address insufficient governance processes, which can lead to rogue identity accounts that in turn become a source of vulnerabilities within a business’s identity platform. Risk-based decisions also challenge businesses: an adaptive risk model must make proper access decisions via standard web single sign-on for internal and external customers. Organizations have to move beyond simple logins and passwords to address trusted-relationship questions such as: Is this a trusted customer, client, or citizen? Is this a trusted employee, vendor, or partner? Is this a trusted device?

Without a solid technological foundation, organizational performance, collaboration, constituent services, or any other organizational processes will languish. A single server location presents not only network concerns for a distributed user base, but identity challenges. The network risks are centered on the latency of the long trip that the traffic has to take. The other risk is availability: if the single identity server is lost, all access is lost.

As you can see, there are many reasons why performance tuning IAM will have a substantial impact on the success of your organization.  In our next installment in the series we roll up our sleeves and get into detailed tuning techniques used every day by thought leaders in the field implementing Oracle Identity & Access Management Solutions.

Wednesday Jun 26, 2013

Taking the Plunge - or Dipping Your Toe - into the Fluffy IAM Cloud by Paul Dhanjal (Simeio Solutions)

In our last three posts, we’ve examined the revolution that’s occurring today in identity and access management (IAM). We looked at the business drivers behind the growth of cloud-based IAM, the shortcomings of the old, last-century IAM models, and the new opportunities that federation, identity hubs and other new cloud capabilities can provide by changing the way you interact with everyone who does business with you.

In this, our final post in the series, we’ll cover the key things you, the enterprise architect, should keep in mind when considering moving IAM to the cloud.

Invariably, what starts the consideration process is a burning business need: a compliance requirement, security vulnerability or belt-tightening edict. Many on the business side view IAM as the “silver bullet” – and for good reason. You can almost always devise a solution using some aspect of IAM.

The most critical question to ask first when using IAM to address the business need is, simply: is my solution complete? Typically, “business” is not focused on the big picture. Understandably, they’re focused instead on the need at hand: Can we be HIPAA compliant in 6 months? Can we tighten our new hire, employee transfer and termination processes? What can we do to prevent another password breach? Can we reduce our service center costs by the end of next quarter?

The business may not be focused on the complete set of services offered by IAM but rather a single aspect or two. But it is the job – indeed the duty – of the enterprise architect to ensure that all aspects are being met. It’s like remodeling a house but failing to consider the impact on the foundation, the furnace or the zoning or setback requirements. While the homeowners may not be thinking of such things, the architect, of course, must.

At Simeio Solutions, the way we ensure that all aspects are being taken into account – to expose any gaps or weaknesses – is to assess our client’s IAM capabilities against a five-step maturity model ranging from “ad hoc” to “optimized.” The model we use is similar to Capability Maturity Model Integration (CMMI) developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. It’s based upon some simple criteria, which can provide a visual representation of how well our clients fare when evaluated against four core categories:

• Program Governance
• Access Management (e.g., Single Sign-On)
• Identity and Access Governance (e.g., Identity Intelligence)
• Enterprise Security (e.g., DLP and SIEM)

Often our clients believe they have a solution with all the bases covered, but the model exposes the gaps or weaknesses. The gaps are ideal opportunities for the cloud to enter into the conversation.

The complete process is straightforward:

1. Look at the big picture, not just the immediate need – what is our roadmap and how does this solution fit?
2. Determine where you stand with respect to the four core areas – what are the gaps?
3. Decide how to cover the gaps – what role can the cloud play?

Returning to our home remodeling analogy, at some point, if gaps or weaknesses are discovered when evaluating the complete impact of the proposed remodel – if the existing foundation wouldn’t support the new addition, for example – the owners need to decide if it’s time to move to a new house instead of trying to remodel the old one.

However, with IAM it’s not an either-or proposition – i.e., either move to the cloud or fix the existing infrastructure. It’s possible to use new cloud technologies just to cover the gaps.

Many of our clients start their migration to the cloud this way, dipping in their toe instead of taking the plunge all at once. Because our cloud services offering is based on the Oracle Identity and Access Management Suite, we can offer a tremendous amount of flexibility in this regard. The Oracle platform is not a collection of point solutions, but rather a complete, integrated, best-of-breed suite. Yet it’s not an all-or-nothing proposition. You can choose just the features and capabilities you need using a pay-as-you-go model, incrementally turning on and off services as needed. Better still, all the other capabilities are there, at the ready, whenever you need them.

Spooling up these cloud-only services takes just a fraction of the time it would take a typical organization to deploy internally. SLAs in the cloud may be higher than on premise, too. And by using a suite of software that’s complete and integrated, you can dramatically lower cost and complexity.

If your in-house solution cannot be migrated to the cloud, you might consider using hardware appliances such as Simeio’s Cloud Interceptor to extend your enterprise out into the network. You might also consider using Expert Managed Services. Cost is usually the key factor – not just development costs but also operational sustainment costs. Talent or resourcing issues often come into play when thinking about sustaining a program. Expert Managed Services such as those we offer at Simeio can address those concerns head on.

In a cloud offering, identity and access services lend themselves to the new paradigms described in my previous posts. Most importantly, it allows us all to focus on what we're meant to do – provide value, lower costs and increase security to our respective organizations. It’s that magic “silver bullet” that business knew you had all along.

If you’d like to talk more, you can find us at simeiosolutions.com.

Wednesday Jun 12, 2013

Abandoning our "Last Century" IAM Models by Paul Dhanjal (Simeio Solutions)

In our previous blog, we looked at the business drivers behind the growth of cloud-based Identity and Access Management (IAM). These drivers, combined with cultural and technology trends, have made cloud-based IAM more attractive – and, frankly, more necessary – than ever.

Now that business has evolved to offer more and more interconnected and interdependent services to a wider range of users, the old models we had relied on to manage identities no longer apply. Our old identity management and security models designed for internal users simply can’t keep up with the rapidly evolving landscape. The forces that are shaping this new reality are so powerful, their momentum so great, that they now dictate the terms of how identity must be managed within an organization. The balance of power has shifted away from the IT organization and into the hands of end-users. If you are to meet their expectations, if you hope to compete and remain relevant, you must make the transition from build-your-own IAM to out-of-the-box IAM, from customization to configuration.

While there may be a big stick pushing us to make this transition, the carrots are equally compelling: lower costs, faster time to market, enhanced security, greater flexibility and, perhaps most important, the freedom to focus on the value and quality of the services you provide instead of how they’re provided.

There may be no better example of this than bring-your-own-device (BYOD). For years, IT laid down the law to prevent it. Now, fueled by the consumerization of mobile devices and tablets, BYOD has become the rule rather than the exception. It was inevitable. BYOD not only reduces strain on the organization to purchase and support such devices, it also increases employee satisfaction and productivity.

But, of course, the concerns behind the original reticence to allow BYOD remain. In fact, those concerns are magnified now that we’ve moved from uniform desktops tethered to the office to diverse mobile devices that can literally be taken – and lost  – anywhere in the world.

Here’s where out-of-the-box solutions such as Oracle Access Management Suite come to the rescue. They’re designed to enable centralized policy management for securing access to services via mobile applications, going beyond web single sign-on, authentication and authorization. Such solutions are designed from the ground up to handle the added complexity of password management and security in a mobile world, including strong authentication, real-time behavioral profiling, and device fingerprinting. Adaptive products such as those from Oracle provide a multi-faceted approach to mitigate breaches into mobile and Web Applications, all while tying into a closed loop audit process with powerful reporting and notification engines.

Another example is the growing need to manage external identities – those of partners or customers. It may be tempting to use existing capabilities designed for internal identities for this. After all, the same basic services are involved, including handling access requests, granting access, and password management. But the differences are simply too great. There are different business needs, different security concerns, different compliance requirements, even different licensing issues.

Here, too, the new cloud-based IAM models offer us a solution. Their multi-tenancy capabilities mean a single instance of software can serve multiple constituencies discretely by virtually partitioning the management of identities based on any criteria or business need.

As they say on those late night infomercials, that’s not all. The cloud model and its converging standards open the door to entirely new ways of dealing with external identities. For example, products such as Oracle Access Manager allow users to register for a site's services using their social login IDs as an authentication mechanism (using OAuth and OpenID standards). This gets the organization out of the business of managing these external identities altogether, delegating password management, user profile, account settings, etc. to a third party – Google or Facebook, for example. 

If you’re not willing to delegate these tasks, you can still leverage external identities during registration by pulling the user’s basic identity information from a trusted third-party identity provider (IDP). This approach marries the old with the new, maintaining a security perimeter for user access by ensuring audit and closed-loop certification processes are still in place, while reducing the burden on the user who no longer has to provide basic information in order to register.

Delegation is a recurring theme in new IAM models. Cloud-based IAM, for example, makes it easy to push out user administration, certification and operational request management to individual lines of business. This in turn enables you to downsize centralized call support by using delegated authorities within those business units – managers who are closer (both conceptually and physically) to the users who require access. This is done via strong workflow management, which ties into a well-governed and managed role service as well as enterprise roles and processes for mover/joiner/leaver scenarios.

Case in point: the HR systems the US government uses to provision all roles (for resources and entitlements). Users request access directly from their managers. End-dates are used to enforce de-provisioning of all granted access, even during termination. The result is end-to-end lifecycle management with delegated administration, while ensuring compliance with a centralized audit process.

In our next post, we’ll explore what identity looks like in a secure, connected world and what that means for your business.

Monday Jan 14, 2013

Partner Blog Series: aurionPro SENA- Who Moved My Security Boundary? Part 2

The BYOD Culture

Author: Mike Nelsey

Ask most employees what they want from their IT department and they will say “useable devices that connect to services that are there when I need them…”, “always on” or something akin to that.  What they are really saying is “I want something like what I use at home – in fact, why can’t I use mine as it is far better than this outdated pile of junk you’ve given me and insist I use?”  And they’re right in many cases, save for highly secure or confidential environments.

The challenge of the everything-everywhere culture that modern users – not just Generation Y – have come to expect can come at a price.  We’re not here to tell you how to run a BYOD scheme or what policies you should have.  They are well documented and it is accepted that a good BYOD approach can improve productivity.  How organisations now securely extend the range of data that can be made available, and manage who can use their device, where, when and how, becomes an expanded security challenge, particularly around identification, audit and compliance.

In the last article we touched upon boundaries moving, disappearing or being pulled in to surround our data; in effect, data, and more importantly the identity of those accessing the data, is becoming the new boundary.

What’s really new, then?  Arguably, we are turning our internal users into consumers, treating them in the same way as – for example – media companies are – where a consumer’s rights can be managed by what they are accessing, from which location, which device and even time bounded.  Let’s learn from this for our internal users. 

Such an approach will require an update of risk and threat models to build a consumer orientated approach to drive context based access control.  Our systems will need to be able to assess the overall risk of access and supply the data accordingly.  After all, the data being accessed in many cases is the same, be it for the consumer or the employer’s users. 

However, we make the step to a consumer-based model not only with the risks mentioned above, but also with the risk of disenfranchising our users, because we still want them to prove who they are, to a degree that depends upon the risk matrix of the data requests.  Again, we should be able to learn from and replicate the innovation of the consumer-side model.  For example, if our users are logging on to review low-level information, say shift rotas, then they could use their social media logins.  If they then want to move on to look at more sensitive data, we can step up the authentication at that point.  This is appropriate access control designed with the needs of the users and the business in mind.

Separating out the controls in this way means that we can have fine-grained privilege and authorisation layers to set who can see what, how, when and where, removing the complexity of a multi-layered security approach for the underlying applications and removing this layer from the applications per se.  Simplification driving improved security and improved user experiences.

So BYOD in isolation is insufficient.  Come to that, BYOD is an opportunity to take a broader approach to data and identity controls as a part of a considered approach. 

In the next blog we will look more closely at how consumer and social identities are being used as a foundation to accelerate application development and simplify the end-user experience, encouraging faster and broader adoption of new services.

About the Author:

Mike Nelsey, Managing Director, aurionPro SENA

Working in the IT industry since the early 90s, Mike leads the aurionPro SENA European operation. Mike has been involved in identity and access management since 1999 when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy moving into a focused delivery model working closely with Oracle to provide a true stack offering covering consult, design, build and support.

Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges range from compliance issues to data leaks to malware, and they will likely only intensify as the number of mobile devices and operating systems proliferates. Another option is that the employer can provide employees with a mobile device, hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the pros and cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.

Benefits/Obstacles

Bring Your Own, Pros:
  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

Bring Your Own, Cons:
  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

Corporate Provided, Pros:
  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Corporate Provided, Cons:
  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:


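The NAC "health-check" described above can be thought of as a policy evaluation over a device posture report. The following is an added example, not the article's own figure or code, and not any vendor's NAC product: it takes constructed posture reports (platform, OS version, storage encryption, MDM enrollment, jailbreak status) and places each device in a network tier. The attribute names, minimum OS versions, tier names and sample devices are all assumptions made for illustration; the point it adds to the text is that an unknown or unparsable posture should fail closed rather than be admitted.

```python
"""Added example (not from the Deloitte article): a minimal NAC-style
posture check that decides which network tier a device may join.

Policy values, attribute names and the sample posture reports are
assumptions constructed for illustration; real NAC products have their
own posture schemas and remediation networks."""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical minimum patch levels per supported platform (assumption).
MIN_OS_VERSION = {"ios": (15, 0), "android": (12, 0)}

# Network tiers a device can be placed in (assumption).
DENY, QUARANTINE, LIMITED, FULL = "deny", "quarantine", "limited", "full"


@dataclass
class Posture:
    device_id: str
    platform: str        # "ios" / "android"; anything else is unsupported
    os_version: str      # dotted version string as reported, e.g. "16.2", "13"
    encrypted: bool      # device storage encryption reported as on
    mdm_enrolled: bool   # device is under MDM management
    jailbroken: bool     # root/jailbreak detected by the agent


def _version_at_least(reported: str, minimum: Tuple[int, ...]) -> bool:
    """Compare dotted versions numerically; unparsable input counts as too old."""
    try:
        parts = tuple(int(p) for p in reported.split("."))
    except ValueError:
        return False
    # Pad the shorter tuple with zeros so "15" compares equal to "15.0".
    width = max(len(parts), len(minimum))
    parts += (0,) * (width - len(parts))
    minimum += (0,) * (width - len(minimum))
    return parts >= minimum


def assess(p: Posture) -> Tuple[str, List[str]]:
    """Return (tier, failed_checks).

    Hard failures (compromised or unknown platform) deny outright; soft
    failures send the device to quarantine or limit its access."""
    if p.jailbroken:
        return DENY, ["platform_integrity"]
    if p.platform not in MIN_OS_VERSION:
        # No policy exists for this platform: fail closed rather than guess.
        return DENY, ["unsupported_platform"]

    failed: List[str] = []
    if not _version_at_least(p.os_version, MIN_OS_VERSION[p.platform]):
        failed.append("os_version")
    if not p.encrypted:
        failed.append("encryption")
    if not p.mdm_enrolled:
        failed.append("mdm_enrolled")

    # Unpatched or unencrypted devices go to a remediation network where only
    # the patch and MDM enrollment services are reachable.
    if "os_version" in failed or "encryption" in failed:
        return QUARANTINE, failed
    # Healthy but unmanaged (typical employee-owned) devices get limited access.
    if "mdm_enrolled" in failed:
        return LIMITED, failed
    return FULL, failed


# Constructed sample posture reports (not real devices).
SAMPLE_DEVICES = [
    Posture("corp-01", "ios", "16.2", True, True, False),
    Posture("byod-02", "android", "11", True, False, False),
    Posture("byod-03", "ios", "15", True, False, False),
    Posture("byod-04", "ios", "16.0", True, True, True),
    Posture("unk-05", "windows", "10", True, True, False),
    Posture("byod-06", "android", "13", False, False, False),
]


def assess_all(devices=SAMPLE_DEVICES) -> dict:
    """Map each device id to its (tier, failed_checks) decision."""
    return {d.device_id: assess(d) for d in devices}


if __name__ == "__main__":
    for dev_id, (tier, failed) in assess_all().items():
        print(f"{dev_id:8} -> {tier:10} {failed}")
```

The ordering matters: integrity and platform checks run first and short-circuit, so a jailbroken device is never placed in quarantine where it could attack the remediation services, and a version string the agent cannot parse is treated as out of date rather than as passing.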
When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine if the primary objectives from a mobile security perspective are device, or data centric or a combination of both for their BYOD program.

Device Centric:

  • Mobile device management (MDM)
  • Strict device policy enforcement
  • Local data encryption

Data Centric:

  • Minimal device data footprint
  • Communications encryption
  • Virtualization

A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

Wednesday Jan 09, 2013

Telenet uses Oracle Identity Management

The Company:

Founded in 1996, Telenet began as a European broadband services pioneer. Today, the company is a market leader in Belgium for residential high-speed internet, telephony, and digital television services. It serves 1.24 million digital television subscribers, 1.22 million internet customers, and 815,000 fixed telephony accounts. Telenet Solutions, the company’s business market division, offers a complete communications solutions portfolio for organizations and corporations, holding a commanding lead in the Belgian/Luxembourg business market.

Business Challenges:

  • Existing legacy identity management system required custom coding and was hard to maintain
  • Need to automate user provisioning for a dynamic workforce
  • Need to automate immediate revocation of user accounts on job changes to improve security
  • Wanted to accelerate the internal approval process for user access to business applications
  • Build transparency and gain complete insight into who has access to what and when

Solution:

Telenet implemented Oracle Identity Management to centralize identity management and security operations. Leveraging Oracle Identity Manager and Oracle Identity Analytics (part of Oracle Identity Governance Suite), Telenet managed to automate user account administration, streamline user access control, optimize license management and offer insight into who had access to what business applications.

For more information on Telenet’s implementation, check out the case study and the following video.


Friday Apr 13, 2012

Webcast Q&A: ING on How to Scale Role Management and Compliance

Thanks to all who attended the live webcast we hosted on ING: Scaling Role Management and Access Certifications to Thousands of Applications on Wed, April 11th. Those of you who couldn’t join us, the webcast replay is now available.

Many thanks to our guest speaker, Mark Robison, Enterprise Architect at ING for walking us through ING’s drivers and rationale for the platform approach, the phased implementation strategy, results & metrics, roadmap and recommendations. We greatly appreciate the insight he shared with us all on the deployment synergies between Oracle Identity Manager (OIM) and Oracle Identity Analytics (OIA) to enforce streamlined user and role management and scalable compliance. Mark was also kind enough to walk us through specific solutions features that helped ING manage the problem of role explosion and implement closed loop remediation.

Our host speaker, Neil Gandhi, Principal Product Manager, Oracle rounded off the presentation by discussing common use cases and deployment scenarios we see organizations implement to automate user/identity administration and enforce closed-loop scalable compliance. Neil also called out the specific features in Oracle Identity Analytics 11gR1 that cater to expediting and streamlining compliance processes such as access certifications.

While we tackled a few questions during the webcast, we have captured the responses to those that we weren’t able to get to here; our sincere thanks to Mark Robison for taking the time to respond to questions specific to ING’s implementation and strategy.

Q. Did you include business-friendly entitlement descriptions, or is the business seeing application descriptors?
A. We include very business-friendly descriptions. The OIA tool has the facility to allow this.

Q. When doing attestation on job change, who is in the workflow to review and confirm that the employee should continue to have access? Is that a best practice?
A. The new and old manager are in the workflow. The tool can check for any Separation of Duties (SOD) violations with both having similar accesses. It may not be a best practice, but it is a reality of doing your old and new job for a transition period on a transfer.

Q. What versions of OIM and OIA are being used at ING?  
A. OIM 11gR1 and OIA 11gR1; the very latest versions available.

Q. Are you using an entitlements / role catalog?  
A. Yes. We use both roles and entitlements.

Q. What specific unexpected benefits did the Identity Warehouse provide ING?
A. The most unanticipated was to help Legal Hold identify user IDs in the various applications. Other benefits included providing a one-stop shop for all aggregated ID information.

Q. How fine-grained are your applications and entitlements? Did OIA, OIM support that level of granularity?
A. We have some very fine-grained entitlements, but we roll this up into approved Roles to allow for easier management. For managing very fine-grained entitlements, Oracle offers the Oracle Entitlement Server. We currently do not own this software but are considering it.

Q. Do you allow any individual access or is everything truly role based?  
A. We are a hybrid environment with roles and individual positive and negative entitlements.

Q. Did you use an Agile methodology like scrum to deliver functionality during your project?
A. We started with waterfall, but used an agile approach to provide benefits after the initial implementation.

Q. How did you handle rolling out the standard ID format to existing users?
A. We just used the standard IDs for new users.  We have not taken on a project to address the existing nonstandard IDs.

Q. To avoid role explosion, how do you deal with apps that require more than a couple of entitlement TYPES? For example, an app may have different levels of access and it may need to know the user's country/state to associate them with particular customers.  
A. We focus on the functional user and craft the role around their daily job requirements.  The role captures the required application entitlements.  To keep role explosion down, we use role mining in OIA and also meet and interview the business.  It is an iterative process to get role consensus.

Q. Great presentation! How many rounds of Certifications has ING performed so far? 
A. Around 7 quarters and constant certifications on transfer.

Q. Did you have executive support from the top down?
A. Yes. The executive support was key to our success.

Q. For your cloud instance are you using OIA or OIM as SaaS? 
A. No.  We are just provisioning and deprovisioning to various Cloud providers.  (Service Now is an example)

Q. How do you ensure a role owner does not get more privileges than are intended and thus violates another role, e.g., a DBA role should not get the right to run something as root, as this would affect the root role?
A. We have SOD checks. Also, all Roles are initially approved by external audit and the role owners have to certify the roles and any changes.

Q. What is your ratio of employees to roles?  
A. We are still in process going through our various lines of business, so I do not have a final ratio.  From what we have seen, the ratio varies greatly depending on the Line of Business and the diversity of Job Functions.  For standardized lines of business such as call centers, the ratio is very good where we can have a single role that covers many employees.  For specialized lines of business like treasury, it can be one or two people per role.

Q. Is ING using Oracle On Demand service ?  
A. No

Q. Do you have to implement or migrate to OIM in order to get the Identity Warehouse, or can OIA provide the identity warehouse as well if you haven't reached OIM yet?
A. No, OIM deployment is not required to implement OIA’s Identity Warehouse but as you heard during the webcast, there are tremendous deployment synergies in deploying both OIA and OIM together.

Q. When is the Security Governor product coming out?
A. Oracle Security Governor for Healthcare is available today.


Hope you enjoyed the webcast and we look forward to having you join us for the next webcast in the Customers Talk: Identity as a Platform webcast series:
Toyota: Putting Customers First – Identity Platform as a Business Enabler
Wednesday, May 16th at 10 am PST/ 1 pm EST
Register Today

You can also register for a live event at a city near you where Aberdeen’s Derek Brink will discuss the survey results from the recently published report “Analyzing Platform vs. Point Solution Approach in Identity”.

And, you can do a quick (& free) online assessment of your identity programs by benchmarking it against the 160 organizations surveyed in the Aberdeen report, compliments of Oracle.

Here’s the slide deck from our ING webcast:
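Several of the answers above turn on the same mechanics: a user's effective access is the union of role-granted entitlements and individual positive entitlements minus individual negative entitlements, and Separation of Duties is checked over that effective set, including during a transfer when the old and new roles are held at the same time. The following is an added example, not part of the webcast, the slide deck, or ING's or Oracle's implementation; the role catalog, entitlement names and SOD rules are constructed for illustration and are not ING's.

```python
"""Added example (not ING's or Oracle's code): resolve a user's effective
entitlements from roles plus individual positive/negative entitlements,
then check Separation of Duties (SOD) rules, including the transfer case
where old and new roles are held together. All roles, entitlements and
SOD rules are constructed for illustration."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Role catalog: role name -> entitlements it grants (assumption).
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"ap.create_invoice", "ap.view_vendor"},
    "AP_APPROVER": {"ap.approve_payment", "ap.view_vendor"},
    "CALLCENTER_AGENT": {"crm.read_customer", "crm.update_contact"},
    "DBA": {"db.admin"},
}

# Toxic combinations: holding both entitlements is an SOD violation (assumption).
SOD_RULES: List[Tuple[str, str, str]] = [
    ("SOD-001", "ap.create_invoice", "ap.approve_payment"),
    ("SOD-002", "db.admin", "os.root"),
]


def effective_entitlements(roles: Iterable[str],
                           positive: Iterable[str] = (),
                           negative: Iterable[str] = ()) -> FrozenSet[str]:
    """Roles grant entitlements; individual positive grants add, negative ones
    remove. An unknown role raises rather than silently granting nothing,
    so a typo in a role assignment is caught instead of hidden."""
    granted: Set[str] = set()
    for r in roles:
        if r not in ROLES:
            raise KeyError(f"unknown role: {r}")
        granted |= ROLES[r]
    granted |= set(positive)
    granted -= set(negative)   # a negative entitlement wins over any role grant
    return frozenset(granted)


def sod_violations(entitlements: Iterable[str]) -> List[str]:
    """Return the ids of every SOD rule whose two entitlements are both held."""
    ents = set(entitlements)
    return [rule_id for rule_id, a, b in SOD_RULES if a in ents and b in ents]


def check_user(roles, positive=(), negative=()):
    """Effective access and its SOD violations for a single assignment set."""
    ents = effective_entitlements(roles, positive, negative)
    return ents, sod_violations(ents)


def transfer_review(old_roles, new_roles, positive=(), negative=()):
    """Transfer attestation: during the transition the user holds old and new
    roles at once, so SOD is evaluated on the union of both sets of access.
    Negative entitlements let the reviewers strip the toxic part early."""
    return check_user(list(old_roles) + list(new_roles), positive, negative)


if __name__ == "__main__":
    # Constructed scenario: an AP clerk transferring into an approver job.
    ents, violations = transfer_review(["AP_CLERK"], ["AP_APPROVER"])
    print(sorted(ents), violations)
    ents, violations = transfer_review(["AP_CLERK"], ["AP_APPROVER"],
                                       negative=["ap.create_invoice"])
    print(sorted(ents), violations)
```

The transfer case is the one worth noticing: neither role violates SOD-001 on its own, so a check that only looks at the new assignment passes, while a check over the combined access during the transition period flags it and gives the old and new managers something concrete to decide on.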

Wednesday Mar 28, 2012

Derek Brink shares "Worst Practices in IT Security"

Derek Brink is Vice President and Research Fellow in IT Security for the Aberdeen Group.  He has established himself as an IT Security Expert having a long and impressive career with companies and organizations ranging from RSA, Sun, HP, the PKI Forum and the Central Intelligence Agency.  So shouldn't he be talking about "Best Practices in IT Security?"

In his latest blog he talks about the thought processes that drive the wrong behavior, and very cleverly shows how that incorrect thinking exposes weaknesses in our IT environments.

Check out his latest blog post titled: "The Screwtape CISO: Memo #1 (silos, stovepipes and point solutions)"

Hear Derek speak live during the Aberdeen event series 

Tuesday Jan 10, 2012

Customers Talk: 5 Identity Platform Webcasts You Can’t Miss

2011 saw talk of Identity Management emerging from under the shadows of IT to serve the needs of the business. We predict 2012 will see a lot of attention paid to how Identity Management is enabling the business, transforming the way IT is leveraged to meet business objectives.

A common theme among these customers' stories is that Identity Management is not a point solution. Identity Management is a platform of complementary solutions with a rationalized architecture that can be adopted separately but provide strong interoperability to reduce total cost of ownership. A recent study by Aberdeen noted that organizations that have taken a platform approach can save up to 48%.

Oracle is proud to launch a series of webcasts where we’ll explore the diverse challenges that organizations are facing, and you can hear real customers speak to their specific business objectives and how they leveraged the Identity as a Platform approach to tackle those. In this 5-webcast series, you will hear first-hand from your peers at SaskTel, Agilent, Cisco, ING and Toyota, and learn how leading organizations are rethinking Identity Management as a business versus an IT initiative. You will find that the challenge each of these customers was looking to solve was quite different from each other, yet there is a commonality in their approach to the solution.

To register for one or more of these webcasts and to know more, click here.

Build a Secure Cloud with Oracle Identity Management

Wednesday, January 25, 2012 10:00 AM PST

Presenters: Brian Baird, Chief Technology Officer Identity Management Center of Excellence, SaskTel and Marc Chanliau, Director Product Management, Oracle

Best Practices, Getting Started with an Identity Platform

Wednesday, February 15, 2012 10:00 AM PST

Presenters: Balganesh Krishnamurthy, Agilent and Naresh Persaud, Director, Product Marketing, Oracle

Cisco's Platform Approach to Identity Management

Wednesday, March 14, 2012 10:00 AM PDT

Presenters: Ranjan Jain, Domain Architect for Enterprise Identity, Cisco and Michael Neuenschwander, Sr. Director, Product Management, Oracle

Scaling Role Management and Access Certification to Thousands of Applications

Wednesday, April 11, 2012 10:00 AM PDT

Presenters: Mark Robison, Enterprise Architect, ING and Neil Gandhi, Principal Product Manager, Oracle

Putting Customers First: Identity Platform as a Business Enabler

Wednesday, May 30, 2012 10:00 AM PDT

Presenters: Mike Colbus, National Technology Delivery Manager, Toyota and Marc Boroditsky, Vice President Product Management, Oracle

Register today and discover how Identity as a Platform can transform the way you do business.