Wednesday Aug 14, 2013

Integrating Identity Management and GRC: Decreasing Risk Across Your Organization (Deloitte)

In this edition of the Oracle IDM blog, we’ll look at a case study for integrating Oracle Identity Manager (OIM) 11g with Oracle Governance, Risk, and Compliance (GRC) as part of an enterprise deployment and an integrated risk management strategy. We will incorporate specific use cases that leverage an integration of the two solutions to address risk and promote operational efficiency for routine tasks such as access requests and certification.  In addition to the primary focus between OIM and GRC, we will also highlight how Oracle E-Business Suites (EBS) roles are defined, synchronized, and provisioned using a combination of these two solutions providing an end-to-end integrated solution of the Oracle “suite.”

Abstract

When we think about Identity Management, we often relegate it to the IT Security or Infrastructure groups where it is traditionally used to address manual security and administration functions such as creating accounts, e.g., “hire and fire” scenarios, granting additional entitlements, and providing report-outs on information access for audit purposes. As identity systems improved their ability to manage the access they provisioned, it has become clear that there was a powerful relationship between IAM and GRC initiatives to better manager enterprise compliance in an integrated, less redundant fashion.

In many organizations today, GRC initiatives are often spread across multiple infrastructure silos and managed by different business units or IT groups. Tackling the constantly evolving regulatory requirements, coupled with increased business complexity, may present an uphill battle for a compliance department within the organization. Organizations are being asked not only to understand ever-changing global regulations, but also to create appropriate strategies in addressing their GRC needs.

Knowing who has access to what is not only important from a traditional security sense, but is important to financial controls groups being able to attest that financially significant systems have minimal risk through inappropriate access. By integrating Oracle’s GRC and Identity Management platforms and the associated processes, organizations can improve user lifecycle management, continuous monitoring and automated controls enforcement to assist with sustainable risk and compliance management. 

 
Figure 1 – Solution architecture

Solution Architecture

For a visual reference of the type of integration we are discussing, we have included an overview of how the systems can potentially interact.  In Figure 1, you will notice a typical Human Resource authoritative source system feeds OIM and OIM then provisions to target resources.  What’s different is the call-out to Oracle GRC to perform policy checks.

We won’t reference all of the GRC functionality available in this blog, but will focus on the segregation of duties (SoD) integration and relevant use case. [for detailed instructions on this integration, please see: http://docs.oracle.com/cd/E14899_01/doc.9102/e14763/segregation_duties.htm].    What’s interesting about this integration is OIM is able to leverage the information EBS and GRC already have about the roles that exist.  Using OIM scheduled tasks, we are able to synchronize those roles into OIM so that there is no need to manually build them in OIM.  Moreover, if the roles get end-dated in EBS, OIM reconciliation with EBS will end-date the roles and the related access for the users who have that role assigned with a goal of end-to-end compliance.  Both OIM and GRC offer a web services interface for performing common transactions.  More information about this can be found at http://docs.oracle.com/cd/E14507_01/apirefs.1112/e14133/using003.htm

Compliant User Provisioning

In our use case, we will explore how during an access request, a real-time validation can be performed against known SoD conflicts to determine if a role being requested has a conflict.  Through OIM’s Service-Oriented Architecture (SOA) workflow functionality, we can include an additional layer of approval if a conflict is presented.  A conflict is often unavoidable and, in many cases, requires a power user from the compliance organization to step in, review the request, and document a mitigating control before accepting.  In this example, we’ll show a request by a Payables Manager for an Invoice Entry EBS role.
 
As you can see in this process flow, there is cross-functional behavior between the OIM and GRC solutions to identify the SoD violation and apply a mitigating control if required.  Ultimately, OIM manages the provisioning of the role in the end system (EBS in this example) and, therefore, will be able to continually track that entitlement.

There are three take-a-ways from this use case.  With GRC and IAM integration, organizations can:

• Automate provisioning and de-provisioning of business application users, with appropriate authorization and compliance checks.
• Improve the management of enterprise accounts and efficiently produce reports such as “who has access to what.”
• Reduce the cost of compliance by removing the need for after the fact remediation.

In Conclusion

At Deloitte , we see the need to not only install and configure an IAM solution, but to work with our clients to get value out of an enterprise compliance approach.  Solutions can be leveraged in their individual capacity to achieve benefits for an organization, but when organizations leverage cross-platform synergies, such as the ones that Oracle has intentionally created within their OIM and GRC solutions, the sum can become greater than the parts.  An integrated approach to an organization’s IAM and GRC programs can assist in reducing costs and redundancies, and improving value to the organization.

About the Author

Kevin Urbanowicz is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with eight years of experience in information technology with a focus on Identity & Access Management (IAM).  He has served primarily in the Oil & Gas sector where he has helped his clients identify the business drivers and build the business case for establishing world-class IAM solutions that maximize IT efficiency and minimize security and compliance risk. 

Wednesday Jul 31, 2013

Oracle Waveset to Oracle Identity Manager: A Case Study in Higher Education (Deloitte)

Deloitte is excited about the opportunity to introduce the first blog in a series of four blogs that will look at real world case studies involving Oracle Identity and Access Management (IAM). Our future blogs will expand on relevant IAM topics including: 1) Oracle Waveset to Oracle Identity Manager, 2) Oracle IAM in Telematics, 3) Oracle IAM with Governance Risk and Compliance, and 4) Oracle Identity & Access Governance with Database Security. Throughout this blog series, readers are encouraged to submit questions or comments which will feed into a roundtable type Q&A blog responding to selected comments and questions received.

In this edition of the Oracle IAM blog, we’ll look at a case study for migration from Oracle Waveset to Oracle Identity Manager for a higher education statewide system of community colleges, state universities and technical colleges. This also highlights how the flexibility of Oracle’s IAM product landscape contributed to creating a dynamic and sustainable solution for a public-facing system with nearly 500,000 users.

Current State Evaluation and Replication

The legacy Oracle Waveset instance connected to numerous institutional directories and provided end-user functionalities such as user self-service, account activation and password management as well as administrative help-desk functions with a highly customized interface and set of workflows.

As we analyzed these functions, we identified that a majority of these were available within Oracle Identity Manager (OIM) 11g R2 which simplified their replication. Further, the User Interface (UI) enhancements in OIM 11g R2 allowed for significant customization to the end-user pages, such as the ‘My Information’ page, with minimal custom code.  Initial replication of the core functionalities was crucial to the overall project and allowed for the replacement of Waveset as an end-user facing solution on Day 1 of the OIM go-live. However, this did not cover the numerous resource integrations that Waveset had behind the scenes that would also need to be migrated. Several functionalities such as account activation and password reset/forgot password that required specific workflows and service integration were replicated in separate Oracle ADF-based applications that were split away from the OIM managed servers. This allowed for the highly used end-user functions to run separate of the OIM instances to provide for increased flexibility in load management and tuning.

Resource Migration Approach

As the numerous resources requiring migration would take significant time and effort, it was decided that these resources would be moved over in a phased manner requiring both OIM and Waveset to operate in parallel for a period of time. This approach reduced risk, as a single cutover would have been highly complex with multiple moving parts across colleges and campuses. To enable this to be possible, OIM and Waveset would need to operate together as we migrated each campus from the old Waveset platform to the new OIM platform. To help accomplish this, a custom connector between OIM and Waveset was built to synchronize certain user attributes so that Waveset could update and maintain those attributes on the resources that remained to be managed by it.

Overall, this approach turned out to be highly beneficial as it allowed the team time to ease into using the new identity solution, reduced the risks that would have been present in a single “big bang” cutover event and allowed for a quick win which displays critical progress and success to solution stakeholders. 
 

Figure A – Oracle Waveset to Oracle Identity Manager resource migration approach

Additional Important Success Factors

Throughout the migration, we encountered a number of items that were deemed critical for meeting project goals that primarily focused on the following:

User Experience

As the solution’s primary users were public individuals that would likely not have significant training or usage guidance, focusing on a refined and calculated user experience such as clear verbiage, font sizing and coloring as well as succinct and detailed error messages was important. While these items may seem minor or insignificant to some readers, they, as expected, ended up being extremely beneficial to end-users and reduced support needs.

Performance and Tuning

With our highly active user-base, performance of the solution was critical to success. Use of the existing Oracle Fusion Middleware Performance and Tuning Guide as well as the OIM 11g R2 Reconciliation Tuning Whitepaper were critical for maintaining performance and ongoing stability of a solution with this size. Also important were key architectural decisions around load balancing, managed server clustering, as well as database clustering (e.g. RAC). Providing enough horsepower behind the solution and conducting due diligence around performance testing will reduce the amount of performance-related issues encountered in production.

In Conclusion

The phased migration of Oracle Waveset to Oracle Identity Manager 11g R2 allowed for a quick win in the initial cutover of end-user functions, a lower risk migration path and well as constant stream of “good news” as various campuses were migrated from the old solution to the new one in a phased manner. A focus on user experience and performance tuning also helped to create an effective environment for end-user interaction and contributed to achieving the goals of the initiative. Finally, the new OIM architecture will provide a solid infrastructure for future enhancements and a greatly increased user base that the prior Waveset environment could no longer support.

About the Author

Derek Dahlen is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with over eight years of experience in information security. He specializes in managing, designing and architecting large-scale identity and access management projects with a focus on the Oracle product stack. He has worked with various clients across the financial services and state government sectors.

Wednesday Jan 09, 2013

Telenet uses Oracle Identity Management

The Company:

Founded in 1996, Telenet began as a European broadband services pioneer. Today, the company is a market leader in Belgium for residential high-speed internet, telephony, and digital television services. It serves 1.24 million digital television subscribers, 1.22 million internet customers, and 815,000 fixed telephony accounts. Telenet Solutions, the company’s business market division, offers a complete communications solutions portfolio for organizations and corporations, holding a commanding lead in the Belgian/Luxembourg business market.

Business Challenges:

  • Existing legacy identity management system required custom coding and was hard to maintain
  • Need to automate user provisioning for a dynamic workforce
  • Need to automate immediate revocation of user accounts on job changes to improve security
  • Wanted to accelerate the internal approval process for user access to business application
  • Build transparency and gain complete insight into who has access to what and when

Solution:

Telenet implemented Oracle Identity Management to centralize identity management and security operations. Leveraging Oracle Identity Manager and Oracle Identity Analytics (part of Oracle Identity Governance Suite), Telenet managed to automate user account administration, streamline user access control, optimize license management and offer insight into who had access to what business applications.

For more information on Telenet’s implementation, check out the case study and the following video.


Friday Dec 02, 2011

Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics – Q&A Follow-Up

Thanks to all who attended the live webcast event hosted by Healthcare IT News. Hope you find the discussion and the presentations useful; we look forward to a continued conversation.

Compliance in healthcare has always been an active discussion in the identity management industry and here at Oracle too. So, we were very pleased when Jason W. Zellmer, Director, Strategy and Information Management at Kaiser Permanente Information Security agreed to be on a live panel discussion with us to share his experiences and insights with his peers. Especially after having had a similar role in a financial services organization in the past, his commentary on how acute identity management and compliance needs are in a healthcare organization like Kaiser Permanente was particularly insightful. The live event also allowed us to bring in experts from Kaiser’s identity management implementation partner, PricewaterhouseCoopers as well as Oracle’s own solution expert to provide a 360-degrees perspective on healthcare compliance solution design and implementation for healthcare organizations.

The on-demand webcast replay is now available and so are the slides for download. And, since we didn’t have time to address all the questions we received during the live Q&A portion of the webcast, we have captured responses to the remaining questions here. Please continue to provide us your feedback and insights from your experience in deploying identity compliance solutions.

Q. Could you brief about the OOTB component in ERP for managing SOD checks and how this is effective in the context of integrating with OIM and OIA?

A. Oracle Identity Manager (OIM) and Oracle Identity Analytics (OIA) work seamlessly with OOTB ERP SOD engines like Oracle Applications Access Control Governor (OAACG) to enable both preventative SOD (and IT policy monitoring) checks during the user provisioning process as well as detective and remedial SOD actions.

Q. How are Oracle IDM products flexible with the changing compliance requirements if any?

A. As compliance regulations continue to evolve, standards-based, open Oracle Identity Management solutions allow you to easily configure your workflows in accordance with the changing requirements. And since Oracle Identity Management solutions allow you to externalize security from applications and provide a centralized security platform, organizations can easily adapt to the changing regulatory and compliance landscape without having to rip and replace existing solutions.

Q. Where did you get the 48% IAM cost reduction and 80% productivity boost from?

A. Recently Aberdeen Research conducted a survey comparing cost savings from Platform vs. Point solutions in identity Management and found that organizations choosing products from an integrated stack can save up to 48% long term and achieve better automation and lower administrative costs. Please refer to the Aberdeen paper available for download. The 80% user productivity boost was determined based on the benchmark study conducted for the latest release of Oracle Identity Analytics 11g. Please refer to the recent announcement of availability of enhanced Oracle Identity Analytics.

Q. You referred to an ROI study on Identity Analytics and a model for computing compliance cost savings. Where can I find more information?

A. Forrester Consulting recently conducted a study where they interviewed 4 organizations that had deployed Oracle Identity Analytics to understand the various use cases, cost implications and the results from their respective implementations. Based on these actual studies, Forrester then built an ROI model and calculated aggregated savings for a typical organization. We recommend you refer to the Forrester Study on Total Economic Impact of Oracle Identity Analytics. For an in-person discussion, please email Richard Caldwell.

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
3
4
5
6
7
8
11
12
13
15
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today