Building a Secure Cloud with Identity Management
1. Building a Secure Cloud with Identity Management
Marc Chanliau, Director of Product Management, Oracle
Brian Baird, CTO for SaskTel Identity Management Center of Excellence, SaskTel
2. This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
3. Agenda
• Barriers to Cloud Adoption
• Security Gaps Between Enterprise and Cloud
• Oracle Identity Management
• Summary
4. Security is the #1 Barrier to Cloud Adoption
• 87%: Security is the main barrier to cloud adoption (Source: IDC Enterprise Panel, 3Q09)
• 52%: Concerned with trusting an outside 3rd party (Source: IDC Cloud Security Survey, 2011)
• 41%: Fear a security breach from use of security SaaS (Source: IDC Cloud Security Survey, 2011)
• 40%: Compliance concerns prevent use of SaaS (Source: IDC Cloud Security Survey, 2011)
Cloud Computing saves costs but reduces control, visibility and trust
5. The Cloud Security Continuum
[Chart: RISK (LOW to HIGH) plotted against CONTROL (HIGH to LOW) along a timeline 1990, 1995, 2000, 2005, 2008. Enterprise: low risk, high control; Private In House Cloud: med-low risk; Private Hosted Cloud: med-high risk; Public Cloud: high risk, low control.]
Cloud computing increases risk and decreases control
6. Risk and Fragmentation Increase Latency
• Security silos result in policy fragmentation
• Multiple points of failure
• Security gaps increase vulnerability to breaches
• Poor response to threats
• Latency increases with fragmentation
• Inability to develop and deploy applications and users
[Chart axes: LATENCY, RISK, FRAGMENTATION]
7. Identity Management And The Cloud
Customer Benefits:
• Reduce Capital Expenses With Subscription Pricing
• Reduce Management Costs And Simplify Upgrading
• Leverage Elastic Scalability
• Enable Hybrid Cloud Computing
[Diagram: evolution from Custom solutions (Past) to Standardized Solutions (Future): Private, Managed, Hybrid, Utility Services, SaaS, Cloud]
• Natural Maturation Of The IT Industry
• Customers Want Fully Integrated Industry-vertical Outsourced Business Solutions
• Cost To Integrate & Deploy Is A Major Inhibitor To IdM’s Success; Far Exceeds Cost To Acquire & Manage On-Premise
• In The End Very Few Customers Will Want “Parts”
8. Dimensions of Cloud Identity Management
• Are you using cloud apps? Identity as a Bridge to Cloud
• Are you building cloud apps? Identity as a Foundation for Cloud
• Do you need IdM but don’t want to maintain it? Identity Hosted as a Cloud Service
9. Authentication and SSO
• Access anytime, anywhere from any device
• Mobile authentication, SSO and access control
• Connect Internet and Social identities to enterprise identity
• Seamless integration and control with enterprise
10. Federated Standards
• Multiple standard support for authentication to multiple clouds: SAML, OAuth, OpenID, WS-Fed
• Accelerated onboarding of partners and service providers
[Diagram: federation between Employees/Contractors, Social Networks, Partners/Subsidiaries and SaaS Applications]
11. Authorization
• Centralized Policy Administration
• Distributed Real-time Policy Execution
• Standards-based policies: XACML, RBAC, ABAC, JAAS
[Diagram: Centralized Policy Administration feeds Evaluate Policies and Enforce Access, which provides Policy Enforcement for Apps, Middleware and Databases]
12. Context-Aware Security and Fraud Prevention
• Location aware
• Device aware
• Entitlements based
• Enterprise control
• Full audit
[Diagram: repeated logins as User: Jdoe, Paswd: 1happycat$ are evaluated against an Entitlement Policy and returned Filtered Private Data. Caption: Trust but Verify: Limit Access by Policy]
13. User Provisioning and Role Management
• User lifecycle management for on-premise and SaaS applications
• Self-service provisioning and request mgmt
• Flexible – Roles, rules and policies
[Diagram: Users, Managers, Apps, Roles, Entitlements]
14. Audit and Compliance
• Access certification
• Risk scoring
• Privileged access control
• Workflow remediation
• Business views
[Diagram: Audit Reporting, Actionable Intelligence]
15. Oracle Identity Management powered by SaskTel Identity Management Centre of Excellence
Do you need IdM but don’t want to maintain it?
• Identity Administration and Provisioning
• Secure Authentication & Token Services
• Directory and Federation
• Access Administration and Review
• Governance and Visibility
• Shared runtime to maximize efficiency
• Oracle product, delivery and support expertise
• Binding shared risk model to ensure success
[Diagram: Enterprise connected to the Identity Management Centre of Excellence]
16. Business Drivers for Identity Cloud Adoption
SaskTel Identity Management Centre of Excellence
• Same Day vs. Weeks
• Stay business focused
• Program Orientation
• 5 yr savings up to 75%
• No Capital $ required
• Operational $ minimized
• Binding SLA
• Shared Risk
17. Multi-tenant vs. Private Identity Cloud Options
SaskTel Identity Management Centre of Excellence
Multi-tenant Instance:
• Maximize cost savings
• Maximize Time to Value
• Minimize administration
• Integrated OIM 11g Suite Plus
• Secure DMZ termination
• Encrypted VPN connectivity available
• Active / Passive redundancy
Private Instance:
• More configuration & control
• Deploy specific components
• Secure DMZ termination with optional appliance on premise
• Dual private MPLS VPN option
• Active / Active redundancy
18. Why consider SaskTel for Cloud Computing?
SaskTel Identity Management Centre of Excellence
• Very strong financial stability
• Committed to Oracle Identity portfolio
• Proven ability to manage secure and complex carrier grade environments
• Global Oracle Technology partnership
• Efficient and successful Identity Program execution is all we do!
• Complete, Open and Integrated
• Innovative, Scalable and Modernized
• Identity Management for Enterprise, Cloud, Mobile and Social environments
• Simplified, Actionable Compliance
19. Get Started!
SaskTel Identity Management Centre of Excellence
① Contact your Oracle License rep
② Define your success Criteria
③ Execute Proof of Concept using SaskTel Identity Management Cloud
④ Deliver business value quickly
⑤ Evolve your Identity Management Program with Oracle and SaskTel
20. Oracle Identity Management Platform Bridges the Gap
• Identity Administration and Governance (Role Mgmt, Provisioning, Identity Analytics, Certification): Consolidates user roles and entitlements and reduces risk
• Directory Services (Scalable Repository, Identity Synch, Virtualization): Reduces latency and fragmentation by consolidating identity data
• Access Management (Single sign-on, Authorization, Password policy): Overcomes security silos by centralizing and consolidating security policies
• Adaptive Access / Fraud Detection (Risk / Context Aware, Anomaly detection, real time): Reduces risk and latency by preventing fraud in real time
[Diagram: the four pillars above, with the labels Administration, AuthN and AuthZ, Risk Management, Audit Reporting, Identity and Access; bottom axis: Tools, Point Solutions, Platform, Intelligence]
21. Oracle Identity Management Platform Reduces Cost
Oracle IAM Suite Advantage: 48% Cost Savings; 46% More Responsive; 35% Fewer Audit Deficiencies; Reduced Risk
Benefits:
• Increased End-User Productivity: Emergency Access (11% faster); End-user Self Service (30% faster); Suspend/revoke/de-provision end user access (46% faster)
• Enhanced Agility: Integrate a new app faster with the IAM infrastructure (64% faster); Integrate a new end user role faster into the solution (73% faster)
• Enhanced Security and Compliance: Reduces unauthorized access (14% fewer); Reduces audit deficiencies (35% fewer)
• Reduced Total Cost: Reduces total cost of IAM initiatives (48% lower)
Source: Aberdeen “Analyzing point solutions vs. platform” 2011
22. Oracle Identity Management Summary
• Complete, Open and Integrated
• Innovative, Scalable and Modernized
• Identity Management for Enterprise, Cloud, Mobile and Social environments
• Simplified, Actionable Compliance
[Diagram: SaaS, PaaS, IaaS]
23. Learn More
Contact:
• www.oracle.com/identity
• Your Oracle Representative
• Call 1-800-672-2537
Join the Oracle IDM Community:
• twitter.com/OracleIDM
• facebook.com/OracleIDM
• Blogs.oracle.com/OracleIDM
Editor's Notes
Bridging The Security Gap Between The Enterprise and Cloud. While public and private clouds simplify the IT environment, they complicate security and compliance by disrupting the control and administration of user access. As a result, security is the number one barrier to cloud adoption. Organizations that move applications into the cloud have to bridge the gap between the enterprise and the cloud by providing user administration, application authorization, authentication and compliance reporting to restore control and address regulatory mandates. Oracle Identity Management provides multiple solutions to address the speed, scale and trust required by organizations to bridge the gap and unlock the potential of the cloud.
I want to set some context for the talk by describing the dramatic changes in end user requirements. As we speak to customers we are amazed by how large an impact cloud computing plays into their strategy for the future. The Cloud is the biggest opportunity to reduce cost. The barrier to most of the cloud projects today is security. As we speak to customers in diverse verticals with regard to cloud, the feedback is that security is the number one barrier to unlocking the opportunity: lines of business complain about the loss of forensics, the loss of visibility and reporting and, more importantly, the compliance issues. Cloud applications are enabling new business and IT models through hosted and flexible, scalable applications. Yet mass migration to cloud-delivered applications has been slowed due to concerns about security. Key barriers to entry are focused around loss of control, lack of cloud access visibility, and enforcement of corporate governance and regulatory compliance. Central to these concerns is that corporate users manage their own accounts for cloud applications, typically using weak passwords that are disconnected from the corporate identity infrastructure. User actions in these disconnected applications go without oversight or authorization, leading to risk of sensitive data loss and compliance violations. Additionally, the lack of standardized logging prevents administrators from monitoring and correlating cloud application user activity with internal audit repositories.
We have been putting in the plumbing and focused on inputs and outputs; we need an intelligent approach (Examples). Today we are fragmented. As we try to respond to insider fraud and breaches, our systems are not well prepared. Our current approach to access control is fragmented. By fragmentation we mean disconnected in Workflow, Visibility and Audit. Workflow is critical. Workflow: when a user changes jobs, the ability to detect the change and propagate changes to all of the systems they have access to. In addition, when a user requests access, being detective about the controls and separation of duties constraints on the user. We have lots of cases where users separate and still have access to systems. It means if a user is in a session on your CRM application and they are removed, being able to shut down the access in real time. 360 view of the user. Visibility: the lack of a 360 degree view on user access and, more so, fine grained access is challenging. Being able to tell immediately by looking at a user if they have been granted emergency access or look at their historical access. We hear stories about organizations doing certification reviews and certifying access to employees that are no longer with the company. CLEARLY CERTIFICATION REVIEW ALONE IS NOT THE ANSWER. This is an example of how fragmentation hurts. Audit reporting. Audit Reporting: lastly, audit reporting; because our identity systems are fragmented, companies are spending 40% of their IT budgets on compliance issues. We are not able to address the challenge effectively because our view of access is fragmented. Change today does not propagate as fast as HR changes occur, or as system changes occur; this is a real problem. Many people can
So we have this new technology, and opposition and opportunity, but why? Benefits are compelling. Vertical requirements: organizations have worked diligently to customize and adapt COTS to address the requirements. Integration requirements. No one wants parts.
Cloud-ready IdM is a set of Identity Services that identify, control, and manage users and their access to Cloud resources. There are 3 dimensions to an Identity management solution which is cloud ready. Identity as a bridge to cloud: When organizations adopt SaaS applications, e.g. Google apps, they may want to have local authentication or delegate authentication to the cloud provider, while maintaining a local SSO system interoperating with the cloud provider through federated assertions. Also, cloud consumers need to ensure users can securely access applications from a range of different devices; this too creates the need for local security enforcement. So there is a need to extend identity administration and access review to cloud applications, i.e. integration between the two (standards). Foundation for Cloud: One of Oracle’s goals is to provide customers with the technology they need to power cloud offerings. Many organizations are looking to add new business services which need to be underpinned with standards based identity management technology. Many organizations also want to provide a consistent user experience for users irrespective of which device they access business services from. With its Identity Management 11g, Oracle is delivering the foundation for a unique architecture called Service-Oriented Security, which is all about making every aspect of the Oracle identity management stack service enabled through shared service interfaces based on open standards. With Service Oriented Security, we are abstracting out the complexity of implementing security into applications so that developers can now seamlessly weave security into their applications, as well as deploy them rapidly into a cloud based identity management framework. Hosted as a Cloud Service: Some organizations have a business requirement to externalize specific Identity Management tasks to avoid operational expenditures.
For example, certain tasks can be outsourced; examples include service request management, layered security etc. For such organizations, IdM hosted by a Managed Service Provider can create unique business value. In order to simplify administration, managed service providers (MSPs) typically delegate administration tasks to customers. However, deploying and maintaining an identity infrastructure may not be a core competency for these MSPs. Oracle offers a set of turnkey IDM tools to help MSPs offer core IDM services such as identity synchronization, password synchronization, role based provisioning, and enterprise single sign on.
In the cloud computing context, the ability to authenticate your external users such as partners, suppliers, and consumers becomes very important. And so does the ability to provide cross domain, cross-perimeter single sign on between services. For example, organizations may want all of their users to leverage an external cloud application without replicating all of that identity information in a third party product. Many organizations also want the convenience of having SSO for their users as they access not only internal applications but also SaaS applications in the cloud. Oracle offers a best in class Access Management offering called the Oracle Access Management Suite Plus, which delivers SSO, Federation, Security Token Service and centralized policy management for web applications. With our Access Management solutions, an organization can link its online services with those of its partners and constituents without imposing on them the additional burden of managing user identities and credentials. An additional benefit of Oracle Access Management is a consistent user experience irrespective of which device users are accessing applications from.
The ability to collaborate seamlessly with your partners, vendors, customers and so on is important in the cloud context. For example, an organization may already have all of its internal user identities stored in an AD and its external users such as partners and vendors in an LDAP directory, and they may want all of their users to leverage an external cloud application without replicating all of that identity information in a third party product. Many organizations also want the convenience of having their users sign on once to access not only internal applications but also SaaS applications in the cloud. Oracle Access Management includes Federation, which allows organizations to do more business online by enabling business partners seamless and secure single sign-on access to various protected applications. Oracle offers extended standards-based support for several federation standards including the latest versions of SAML, OpenID, OAuth, Liberty Alliance Federation, WS-Fed and Windows CardSpace. This enables flexible integration capabilities and helps accelerate deployment in heterogeneous and cloud environments.
With Oracle Entitlements Server, you can externalize and centralize fine grained authz policies based on industry authz standards. Externalization of fine-grained entitlements takes out the complexity of building security policies into each application, and it simplifies the enforcement of granular security policies, simplifying the task of compliance with the newer regulations around data privacy. The centralized management of entitlements enables your security policies and business logic to evolve separately. Because your security policies are maintained and evolved separately, developers can focus their resources on streamlining the business logic. This leads to operational efficiencies. OES can enforce authz policies in real time, enabling mission-critical apps to make millions of authorization decisions in under a second. Oracle Entitlements Server offers comprehensive support for several modern security standards such as XACML, NIST RBAC, Enterprise RBAC, OpenAZ and JAAS. Support for a broad spectrum of standards provides greater choice and flexibility for customers when it comes to enforcing granular security policies on the basis of user roles, run-time attributes, context-aware conditions or any combination of those.
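To make the externalized-authorization idea concrete, here is an added example (not Oracle Entitlements Server code, and not from the deck) of a minimal policy decision point: the application asks a central service for a decision instead of hard-coding checks, and the policies mix a role (RBAC), run-time attributes of the resource (ABAC) and a context condition, combined with deny-overrides as in XACML. The rule format, the attribute names (`roles`, `department`, `confidential`, `care_team`, `network`, `hour`) and the sample policies are assumptions made for the illustration.

```python
"""Minimal attribute-based policy decision point (PDP) illustrating
externalized, centralized authorization.  Added example, not OES code;
the policy format and attribute names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attrs = Dict[str, object]
Pred = Callable[[Attrs, str, Attrs, Attrs], bool]   # (subject, action, resource, env)


@dataclass
class Rule:
    """One policy rule: when `applies` matches, `condition` decides whether
    the rule's `effect` ("Permit" or "Deny") is returned."""
    name: str
    effect: str
    applies: Pred
    condition: Pred = lambda s, a, r, e: True


@dataclass
class PolicyDecisionPoint:
    """Central rule store evaluated with deny-overrides combining: any
    applicable Deny wins, otherwise any applicable Permit, otherwise
    NotApplicable, which the enforcement point treats as a denial."""
    rules: List[Rule] = field(default_factory=list)

    def decide(self, subject: Attrs, action: str, resource: Attrs, env: Attrs) -> str:
        permit_seen = False
        for rule in self.rules:
            if not rule.applies(subject, action, resource, env):
                continue
            if not rule.condition(subject, action, resource, env):
                continue
            if rule.effect == "Deny":
                return "Deny"          # deny-overrides: stop at the first Deny
            permit_seen = True
        return "Permit" if permit_seen else "NotApplicable"

    def is_permitted(self, subject: Attrs, action: str, resource: Attrs, env: Attrs) -> bool:
        """What an application's enforcement point calls; fails closed."""
        return self.decide(subject, action, resource, env) == "Permit"


def build_sample_pdp() -> PolicyDecisionPoint:
    """Constructed sample policies for a patient-record application."""
    return PolicyDecisionPoint(rules=[
        # RBAC + ABAC: clinicians may read records in their own department.
        Rule("clinician-read-own-dept", "Permit",
             applies=lambda s, a, r, e: "clinician" in s["roles"] and a == "read"
             and r["type"] == "patient_record",
             condition=lambda s, a, r, e: s["department"] == r["department"]),
        # ABAC: a record flagged confidential needs a care-team relationship.
        Rule("confidential-needs-care-team", "Deny",
             applies=lambda s, a, r, e: r["type"] == "patient_record" and r["confidential"],
             condition=lambda s, a, r, e: s["user"] not in r["care_team"]),
        # Context-aware: writes only from the corporate network during shifts.
        Rule("write-from-corp-net-in-hours", "Permit",
             applies=lambda s, a, r, e: a == "write" and r["type"] == "patient_record",
             condition=lambda s, a, r, e: e["network"] == "corporate" and 6 <= e["hour"] < 22),
        Rule("no-write-off-hours", "Deny",
             applies=lambda s, a, r, e: a == "write" and r["type"] == "patient_record",
             condition=lambda s, a, r, e: not (6 <= e["hour"] < 22)),
    ])


if __name__ == "__main__":
    pdp = build_sample_pdp()
    alice = {"user": "alice", "roles": ["clinician"], "department": "cardiology"}
    record = {"type": "patient_record", "department": "cardiology",
              "confidential": True, "care_team": ["bob"]}
    env = {"network": "corporate", "hour": 10}
    print(pdp.decide(alice, "read", record, env))   # Deny: alice is not on the care team
```

Because the rules live in the PDP rather than in the application, changing the data-privacy policy (for instance, widening `care_team` to include covering physicians) requires no application release, which is the separation of security policy from business logic the note describes.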
Defense against sophisticated security threats needs sophisticated security solutions. Threats such as phishing, session hijacking, and so on are very hard to defend against with traditional security mechanisms. The traditional way of defending against external threats is by strengthening authentication at the server end. Strong auth solutions like hardware tokens are not only expensive but are vulnerable, like we saw with the recent RSA breach. That is why Oracle has introduced a technology called context-aware security to combat this problem. Just like in the real world, where we rely on multiple attributes to identify a person, in the digital world we can rely on multiple data points to ensure that a user’s digital identity is real. The data that we have available to us is data such as user identity, device identity, geographical location, IP address, transactional information and application data. In addition we can also pull historical data from a user’s previous interactions with the site and 3rd party data such as data derived from identity proofing providers. All of these data points can be used to evaluate risk and take action in real time to prevent fraud. If the perceived level of real-time risk is high, actions can be initiated against threats with secondary authentication techniques layered on top of existing authentication schemes; for example, the system can challenge the user with some knowledge based questions. Alternatively, in extreme cases the transaction may be blocked and reported if the level of risk is high.
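The following added example (not OAAM code, and not from the deck) shows the shape of the decision the note describes: several data points about a request are scored against the user's history, and the total selects allow, challenge with a secondary factor, or block-and-report. The signals, their weights, the two thresholds and the sample history are assumptions chosen for the illustration; a real engine would tune them from observed fraud.

```python
"""Context-aware risk scoring for a login or transaction.  Added
example; signals, weights and thresholds are assumed values."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    ip: str
    amount: float = 0.0          # transaction value, if the request is a payment


@dataclass
class UserHistory:
    """Per-user profile built from previous interactions (constructed)."""
    known_devices: Set[str]
    usual_countries: Set[str]
    typical_max_amount: float


# Weight of each risk signal (assumed for the example).
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 25,
    "flagged_ip": 40,         # IP reported by a 3rd-party reputation feed
    "high_amount": 20,
}
CHALLENGE_AT = 30   # score at or above this: knowledge-based challenge
BLOCK_AT = 70       # score at or above this: block the transaction and report


def score_attempt(attempt: LoginAttempt, history: UserHistory,
                  flagged_ips: Set[str]) -> Tuple[int, List[str]]:
    """Return the total risk score and the list of signals that fired."""
    fired = []
    if attempt.device_id not in history.known_devices:
        fired.append("unknown_device")
    if attempt.country not in history.usual_countries:
        fired.append("unusual_country")
    if attempt.ip in flagged_ips:
        fired.append("flagged_ip")
    if attempt.amount > history.typical_max_amount:
        fired.append("high_amount")
    return sum(WEIGHTS[s] for s in fired), fired


def decide(score: int) -> str:
    """Map a score to the action layered on top of the primary login."""
    if score >= BLOCK_AT:
        return "block"
    if score >= CHALLENGE_AT:
        return "challenge"
    return "allow"


def evaluate(attempt: LoginAttempt, history: UserHistory,
             flagged_ips: Set[str]) -> Dict[str, object]:
    score, fired = score_attempt(attempt, history, flagged_ips)
    return {"score": score, "signals": fired, "action": decide(score)}


def register_trusted_device(history: UserHistory, device_id: str) -> None:
    """After a challenge is answered correctly, remember the device so the
    same user is not challenged again from it."""
    history.known_devices.add(device_id)


if __name__ == "__main__":
    jdoe = UserHistory({"dev-laptop-01"}, {"CA"}, 500.0)
    feed = {"203.0.113.9"}   # constructed reputation feed (TEST-NET address)
    print(evaluate(LoginAttempt("jdoe", "dev-new-77", "RO", "198.51.100.4", 2500.0), jdoe, feed))
```

The point of the history object is that the same raw fact (a new device) is low risk on its own but combines with an unusual country and an oversized transaction into a block; the thresholds are where a deployment decides how much friction legitimate users will tolerate.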
Catalog Roles, Entitlements, Accounts in Application Instances: Connected & Disconnected
• Centralized Catalog Lifecycle Management
• Automated Catalog Population from Apps and Asset Management Systems
• Automatic Seeding and Manual Edits for Keyword Tags & Categories
• OOB Fields: Business Friendly Glossary, Risk Levels, Search Keyword tags, Resource Audit Objectives, Navigational Category etc
• Business user Friendly Search Patterns
• Full Text Search with Auto-Tagging
• Categories, Keyword Searches, Saved Shopping Cart
• Bookmark/Quick-Links – Saved Catalog Queries
• Shopping Cart Experience: “Add” Access to Cart and then “Submit”
• Saved Shopping Carts or Profiles: Created by Admins to provide “out of box” request accelerators specific to jobs, locations, departments etc
BASICALLY: Prevent fraud from occurring by making it simple to confirm that the right users have access to the right systems, applications and information. This requires us to provide business oriented user experiences: reporting to them what has been authorized and certifying it, incorporating the analytics they need to understand if the access is appropriate, and giving them a simple way to remediate any anomaly. Prevention starts with the appropriate level of controls to make sure the right people have the right access; things break sometimes and we need to constantly analyze the data to check it complies with what we have done in the past. LET ME PROVIDE A HEALTHCARE EXAMPLE, but I think many vertical industries can parallel this: In healthcare organizations, many hospitals and health delivery networks not only need to certify who has access to patient data, they need to meet the requirements of disclosure laws and also make sure that legitimate users are not accessing information they shouldn’t, like practitioners looking at the private health records of VIP patients. As a preventive control we would certify user access, but that alone does not tell us who has viewed which patient records. We need to be able to collect access audit information from the registration system, the medical records systems and potentially any data requests that pass through the HL7 interfaces, and correlate these by user id to know who is doing what. But just correlation is not enough; we would have to filter to alert on the specific anomalies that matter.
IN ONE OF OUR DEPLOYMENTS, AFTER A ONE DAY PILOT WE FOUND AN EMPLOYEE WHO WAS LOOKING AT INFORMATION THEY WERE NOT SUPPOSED TO. We have to be detective. This situation would be true for heavily regulated applications in financial services as well, where they are looking to maintain the confidentiality of data between the sell side and buy side. Today Oracle has two offerings that target this relationship: our Oracle Identity Analytics offering, which provides identity analytics, certification review and role management, and our Security Governor, which can look at user activity and detect anomalies.
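The healthcare scenario above (collect access audit records from the registration system, the medical records system and the HL7 interface, correlate them by user id, then filter to the anomalies that matter) can be shown end to end in a few dozen lines. This is an added example, not Security Governor or Oracle Identity Analytics code and not from the deck: the three log formats, the VIP patient list and the care-team roster are constructed for the illustration, and the HL7 line is a simplified MSH segment in which the user and patient id are assumed to sit in the last two fields.

```python
"""Correlate clinical access-audit records by user id and alert on
VIP-record access by staff not on the patient's care team.  Added
example with constructed log lines; formats and rosters are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class AccessEvent(NamedTuple):
    ts: datetime
    system: str
    user: str
    patient: str      # medical record number
    action: str


# Constructed sample records, one format per source system.
REGISTRATION_LOG = [
    "2011-09-12T08:02:11 REG user=jdoe action=VIEW mrn=100234",
    "2011-09-12T08:05:40 REG user=asmith action=UPDATE mrn=100777",
]
EMR_LOG = [
    "2011-09-12 08:10:02 | EMR | jdoe | 100234 | OPEN_CHART",
    "2011-09-12 08:11:45 | EMR | jdoe | 100999 | OPEN_CHART",
    "2011-09-12 08:12:30 | EMR | asmith | 100777 | OPEN_CHART",
]
HL7_LOG = [
    "MSH|^~\\&|LAB|HOSP|EMR|HOSP|20110912081500||QRY^Q01|jdoe|100999",
]

# Constructed governance data: flagged records and who may treat them.
VIP_PATIENTS: Set[str] = {"100999"}
CARE_TEAM: Dict[str, Set[str]] = {"100999": {"asmith"}}

REG_RE = re.compile(r"^(\S+) REG user=(\S+) action=(\S+) mrn=(\d+)$")


def parse_registration(line: str) -> AccessEvent:
    ts, user, action, mrn = REG_RE.match(line).groups()
    return AccessEvent(datetime.fromisoformat(ts), "registration", user, mrn, action)


def parse_emr(line: str) -> AccessEvent:
    ts, _, user, mrn, action = [p.strip() for p in line.split("|")]
    return AccessEvent(datetime.fromisoformat(ts), "emr", user, mrn, action)


def parse_hl7(line: str) -> AccessEvent:
    # Simplified MSH segment (assumption): field 7 is the timestamp, field 9
    # the message type, and the requesting user and patient id follow it.
    f = line.split("|")
    return AccessEvent(datetime.strptime(f[6], "%Y%m%d%H%M%S"), "hl7", f[9], f[10], f[8])


def load_all_events() -> List[AccessEvent]:
    """Normalize every source into the common AccessEvent shape."""
    events = [parse_registration(l) for l in REGISTRATION_LOG]
    events += [parse_emr(l) for l in EMR_LOG]
    events += [parse_hl7(l) for l in HL7_LOG]
    return events


def correlate(events: List[AccessEvent]) -> Dict[str, List[AccessEvent]]:
    """Group events by user id across systems, ordered in time."""
    by_user: Dict[str, List[AccessEvent]] = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    for evs in by_user.values():
        evs.sort(key=lambda e: e.ts)
    return dict(by_user)


def find_anomalies(by_user: Dict[str, List[AccessEvent]], vip: Set[str],
                   care_team: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Correlation shows everything; this filter keeps only VIP-record
    access by users without a treatment relationship to that patient."""
    alerts = []
    for user, evs in by_user.items():
        for ev in evs:
            if ev.patient in vip and user not in care_team.get(ev.patient, set()):
                alerts.append((user, ev.patient, ev.system, ev.action))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(correlate(load_all_events()), VIP_PATIENTS, CARE_TEAM):
        print("ALERT non-care-team VIP access:", alert)
```

Run as written, the only user flagged is the one who opened the VIP chart in the EMR and then queried the same record through the HL7 interface; the other user's access to the same record is on the care team and stays out of the alert list, which is the difference between raw correlation and an actionable filter.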
Why Consider SaskTel for Cloud Computing? SaskTel is the primary provider of Telco services in the Province of Saskatchewan, Canada. With more than a billion dollars in annual revenue and responsibility for executing critical service delivery for assets including 911, SaskTel has to be operationally efficient and stable. Financial and operational stability are critical elements to consider when evaluating your potential Cloud Computing provider. This consideration becomes even more critical when Identity, Access and related security services are used to complement an On Premise environment. Core Cloud operational delivery models are nothing new to Oracle and SaskTel. Oracle products have been hosted by SaskTel for nearly a decade. This includes both US and Canada based subscribers. SaskTel and Oracle are taking their relationship to the next level by offering Oracle Technology based Cloud Services including Identity Management. SaskTel’s Identity Management Centre of Excellence is very well funded and executes in Tier 2+ data centers owned and operated by SaskTel in Canada. Oracle’s On Demand (Cloud) facilities are being used to launch SaskTel Cloud services in the United States. As a result, you are assured that binding service delivery and service support requirements are safe when partnering with SaskTel for your Identity Program.
How to get started? Having specific goals in mind when contacting your Oracle License Rep will allow SaskTel and Oracle to quickly position a logical starting point for your Identity Program. It doesn’t really matter where you start. Many tenants are interested in Identity Provisioning while others are only initially interested in Identity Analytics or Access Management. Oracle’s Identity portfolio is engineered to work together. SaskTel’s Identity Cloud is engineered to ensure fast delivery and operational reliability. Most tenants initiate cloud adoption using a Proof of Concept trial model. This approach is executed based on predetermined scope and success criteria. Once the Proof of Concept is successfully executed, business processes and technology configuration elements are quickly refined and promoted to Quality Assurance and Production. Your Identity Program will never truly be done. Continuous improvement allows for agility and “Lean Thinking”. SaskTel prefers to enhance your Identity Program in small batches based on defined business value. You will also benefit from the “tribal knowledge” generated by executing our defined method across all tenants. Get started today by contacting your Oracle License Rep. Ask your License Rep about how the SaskTel Identity Management Centre of Excellence will reduce Time to Value and Operational Cost and mitigate risk for your Identity Management Program. Note: SaskTel and Oracle have a Global License arrangement. This means your local Oracle License Rep anywhere in the world can engage SaskTel’s Identity Management Centre of Excellence.
Earlier in this presentation we discussed how there is a gap in security risk between the enterprise and the public cloud. Oracle Identity Management can bridge the gap by effectively reducing risk and fragmentation for various cloud deployment options. Oracle Directory Services solutions help reduce latency and fragmentation by centralizing and consolidating identity data. With Oracle’s next generation directory server, called OUD, organizations can scale their directory servers to billions of identities. Oracle Access Management solutions bridge fragmentation across security silos by centralizing and consolidating security policies. For example, with Oracle Security Token Service identities can be propagated seamlessly from applications to downstream web services via standards based tokens. Oracle Identity Manager and Oracle Identity Analytics reduce latency by consolidating roles and entitlements. With OIA, organizations can meet the challenges of frequent attestations. Finally, with Oracle Adaptive Access Manager we can reduce risk and latency by preventing fraud in real-time. OAAM can layer multi factor authentication on top of existing auth schemes, making auth stronger without the use of any additional hardware.
Recently Aberdeen Research published a brief comparing the benefits of a platform approach vs a point solution approach. Many organizations use an IAM suite to meet their identity and access management requirements, and that is referred to as a platform approach. In contrast, there are other organizations that use a collection of best of breed solutions from multiple vendors, and that is referred to as the point solution approach. In compiling their research report Aberdeen interviewed more than 100-odd customers and their findings were very interesting. They found that a platform based approach to IAM resulted in a cost savings of 48% over a comparative point solution approach. So in effect, using an IAM platform can help organizations using a collection of point solutions to recover their investment with a positive ROI. This paper is available on o.com/identity for download.