2. This document is for informational purposes. It is not a commitment
to deliver any material, code, or functionality, and should not be relied
upon in making purchasing decisions. The development, release,
and timing of any features or functionality described in this document
remains at the sole discretion of Oracle. This document in any form,
software or printed matter, contains proprietary information that is the
exclusive property of Oracle. This document and information
contained herein may not be disclosed, copied, reproduced or
distributed to anyone outside Oracle without prior written consent of
Oracle. This document is not part of your license agreement nor can
it be incorporated into any contractual agreement with Oracle or its
subsidiaries or affiliates.
3. Agenda
• The Platform Evolution
• The Oracle Platform
• Differentiation
• Demonstration
• Platform For Cloud
4. Identity Point Solution vs. Suite vs. Platform
An Evolution of Sophistication
Tools
• Scripted commands
• Development Kit
• Single purpose
• Developer Extendable
Point Solutions
• User interface
• Process specific
• Multi-function
Platform
• Multi-solution
• Multi-process
• Shared services
• Rationalized Architecture
Intelligence
• Actionable Intelligence
• Cross-solution reporting
• Behavior analytics
• Risk aware
5. Identity Management Evolves
From Tools to Intelligence
Requirements (left to right): Authoritative ID with Massive Scale; Access Via Mobile & Social Channels; User Lifecycle In Hybrid/Cloud Environments; Certify Access for Millions of Users & Entitlements; Monitor Behavior & Detect Improper Access
Deployment scope: Cloud/Mobile, Extranet, Enterprise
Capability levels (top to bottom): Risk Management, Audit, Administration, Authentication, Identity
Maturity stages (left to right): Tools, Point Solutions, Platform, Intelligence
6. The Oracle Identity Stack
Complete, Innovative and Rationalized
Identity Governance
• Password Management
• Self-Service Request & Approval
• Roles based User Provisioning
• Analytics, Policy Monitoring
• Risk-based Access Certification
Access Management
• Single Sign-On & Federation
• Web Services Security
• Authentication & Fraud Prevention
• Authorization & Entitlements
• Access from Mobile Devices
Directory Services
• LDAP Storage
• Virtualized Identity Access
• LDAP Synchronization
• Next Generation (Java) Directory
Platform Security Services
Identity Services for Developers
7. How The Suite Works Together
A Rationalized Architecture
• Shared Services
• Actionable Intelligence
• Suite Inter-operability
• Extendable And Configurable
8. Shared Services
Oracle Platform Security Services
Services: Authentication, Authorization, Auditing, Session, Directory Data Services, User Provisioning, Policy Store
Consumers: Access, Governance, Administration, Directory
• Highly scalable runtime security service
• Central management and uniform control across applications
9. Suite Level Inter-operability
Components Connect With Each Other
Identity Management Suite Must Have Use Cases (connecting Directory, Administration, Platform and Access)
• User Reconciliation & Administration
• Sign-On and Identity Propagation
• External Authorization
• Attribute Exchange
• Web SSO & Non-web SSO
• Centralized Monitoring
10. Actionable Intelligence
Take Action and Resolve Issues
Triggers
• Excessive Access
• Anomalous Behavior
• User Termination
• User Job Change
• Orphaned Account
• Un-trusted Device
• User On-board
• SoD Violation
Responses
• Disable
• Escalate
• Remediate
• Re-authorize
• De-provision
• Update
11. Extendable and Configurable
Common ADF Extendibility
• Look and Feel
• Data Driven UI
• Drag and Drop Configuration
• Behavior
• BPEL Workflow Design
• Built in Auditing
• API and SPI
• Build New Identity Applications
• Identity Enable Home Grown Apps
12. Platform Case Oracle Fusion Applications
Data and Transaction Security
Function and Data Security
Granular Access Control
Flexible Policy Control
Easy Configuration
14. Case Study: Sasktel
Identity as a Service Example
COMPANY OVERVIEW
• A leading Canadian full service communications provider in the Province of Saskatchewan with nearly 5000 employees
• Offers a wide range of communications products and services including voice, data, Internet, entertainment, security monitoring, messaging, cellular, wireless data and directory services to the general public
CHALLENGES/OPPORTUNITIES
• A number of legacy technologies had to be refreshed to cut down operational expenses and increase scope of capabilities
• Nearly a half million customers accessing Sasktel’s services from a wide variety of devices demanded self service
SOLUTION
• Leveraged Oracle Identity and Access Management Suite
RESULTS
• Displaced legacy SiteMinder solution with Oracle Identity and Access Management
• Monetized capital investments by offering Oracle Identity and Access Management Suite as a cloud service
• Reduced internal opex and capex
15. Case Study: Oracle Public Cloud
Security and Identity Management Service
Identity Management in the Cloud
• Built on Oracle Identity Management
• Single Sign-On and Federation
• Multi-factor authentication
• Fully Delegated Administration
16. Let us Help You Build a Business Case
• Speak with References
• Setup Free Workshop
• Schedule a Demonstration
• Develop an ROI Analysis
Before we describe the platform I want to compare and contrast what we mean by a platform approach vs. a point solution approach. It's really an evolution that builds on the capabilities of the previous phase.

Tools: All of our identity management solutions started out as tools that were either home-grown software or scripts used to manipulate identity data. Some good examples: the Unix group id clean-up scripts, mostly used to unify group ids across systems and figure out how to align file access. NIS and NIS+ are another good example of an early-stage provisioning tool for distributed environments. Sudo is another good example of a single-purpose Unix tool for privileged user access control. ADSI: many AD shops just used the ADSI toolkit to script directory synchronization. The net: these tools were typically limited to a single OS and were very much development-toolkit-like tools. The result is that the process is cumbersome and error prone, does not scale very well, and is very difficult to audit and maintain. As a result, NIS and NIS+ are end of life and people moved on.

Point Solutions: Point solutions showed some innovation; they provided the capabilities of the tools with an easier user experience. Instead of being single-purpose scripts they were more flexible: they had databases in the backend so we could report, etc. Examples: Microsoft ILM, where instead of writing ADSI scripts you get a multi-function tool that automates ADSI, still focused on the MS applications. Kerberos solutions for access control, where instead of Kerberos supporting only Unix platforms we get Kerberos everywhere with token translation etc. Many other vendors took single-function capabilities like privileged access, provisioning and web access and made them multi-platform. The dominant four processes are Administration, Authentication, Authorization and Audit. The net: while these solutions were multi-platform, they were focused on a single process. The provisioning tools did not understand the details of role management or did not have the context of security risk. In the case of emergency access, the provisioning solutions did not understand the context of emergency privileged access.

Platform: As organizational maturity evolves and internal governance, compliance and risk become more important, people realize that all of the processes in identity management are connected. As an example, many auditors are looking at the cross-system access rights for users. A user may have limited access to the application but at the same time may have DBA privileges on the database. Conflicting access and Separation of Duties become more important; auditors are trying to enforce the control of least privilege. We can't solve these challenges without a complete user view and an organizational view. Following the organizational shift, the platform is the next evolution. The net: we have to be able to reconcile the access rights people have on systems to what they are actually doing on the system and provide visibility to audit and security groups. Point solutions don't provide the level of architecture and out-of-the-box interoperability to achieve this.

Intelligence: The volume of scrutiny on access is only increasing; the way we scale is to build on the platform evolution to provide greater intelligence. Cross-solution reporting is where the opportunity is: no one wants to look at access for 100 different systems to decide if a user's access is excessive. They want one report that highlights the issues across all systems. That's the next evolution.
The slide shows identity management requirements at different levels of sophistication. At the foundation we have to know who's who across all of our applications. Providing secure authentication is next; typically this is user name and password or strong authentication. Slightly more sophisticated is administration, because it has to be flexible to handle all of the nuances of moves, adds and changes. Providing compliance reporting is next on the ladder, because this requires intelligence about SoD. At the highest level is understanding risk: understanding patterns of behavior so we can step up authentication and authorization, and understanding what access may be risky during a certification review.

Finally, it has to scale to address the opportunity. At the identity level this means massive scale in the number of users, because we not only have to manage our enterprise users, we have to manage our subscribers and customers. NOTE: China Mobile has over 600 million subscribers. Vodafone in the UK has about 341 million subscribers. If we want to take advantage of opportunities in China we have to more than double our scale. So imagine you are AT&T with 100 million subscribers and you have to merge with T-Mobile at 34 million subscribers and integrate them.

At the authentication level the scale is also increasing because of mobile use and social networking. By social networking I am referring to services that allow users to authenticate and get access to applications or data resources via their social networking login. Interesting stat: if Facebook were a country it would be the 3rd largest, with double the population of the US. At the mobile level many customers are building internal application stores to provide applications to their employees. They have to be able to provide single sign-on across applications.

The administration has to scale to the cloud. To take advantage of the cloud, organizations have to bridge the gap between the security in the enterprise and the security in the cloud. This means delegated administration and managing moves, adds and changes directly in the cloud.

The audit has to scale. Many customers have done their initial projects on certification review but now need to scale the process to more applications; the volume of entitlements is only increasing. Identity management has to evolve to provide
What makes the Platform compelling is how it works together.

Shared Services: Instead of separate solutions for Administration, Authn, Authz and Audit, a set of shared services allows these services to be consumed by each component in the stack and by developers of new applications. In the demonstration at the end we will show an example.

Actionable Intelligence: The most compelling benefit of the platform approach is having "actionable intelligence". If you see something you can do something. I.e. if I find a compliance violation, the same platform can fix it; I don't have to call someone or open a help desk ticket. If a user is logging in from an un-trusted device or we detect an attack, we should be able to act on the information and disable access. It's all about information we can act on.

Suite Interoperability: If you were to purchase a point solution for provisioning and wanted to manage access to the point solution, you would need to purchase another tool. With the Oracle platform the components all connect with each other. The question every auditor wants answered is what secures the security system. With a platform the components secure each other.

Extendable and Configurable: With point solutions you typically get limited ability to extend the tool to address your requirements. With the Oracle platform all of the components have a common way to extend the UI and behavior.
Note to speaker: To prepare your own story around platform security services you can read the white paper http://www.oracle.com/technetwork/middleware/id-mgmt/opss-tech-wp-131775.pdf or view the online webinar http://bcove.me/qfau7awg

What distinguishes Oracle's Platform is that we have created a rationalized architecture that allows the pillars to share data and behavior. The result is that security can be externalized from your applications at the same time. This is not only true for the identity management components: these shared services allow all of Oracle middleware to consume identity management as a service. The net result is that products across Oracle Middleware don't rebuild security; they leverage it from the platform, which drastically reduces complexity and increases security. The demonstration at the end will show how this works.

What we did: We took each of the components in our stack and abstracted the critical interactions needed for each application. This collection of actions forms the core of our shared services.

Authentication and Authorization: Each application does not have to be responsible for login or build that into the system, and at the same time it can have specific authorization for data and transactions.

Auditing: Across all of the services we get a common audit log, which makes auditor review easier and gives better correlation.

Directory Services: A single identity store across applications with full capability to virtualize, synchronize and

User Provisioning: A single service to create, update and delete users and user data.

Shared services also highlight Oracle's commitment to identity management. Identity Platform shared services mean that Oracle can now utilize identity management in all of its portfolio products. If you look at other vendors, they can claim as much dependence across the business on their identity products.
Oracle's next generation ERP, Fusion Applications, is built on the Identity Platform. Oracle's recently launched Oracle Public Cloud is built on the Oracle Identity Platform. And Oracle's middleware is built on the platform.
Suite level interoperability is a differentiator. In order to get to a state where we have ongoing intelligence, the components of the identity solution have to work together. The data for "who did what" from the access management solution has to be combined with the data for "who has access to what".

When you think about securing your systems there are a few use cases that everyone needs across identity management components:

User Reconciliation and Administration: Having orphaned accounts in the web access system is not acceptable. We can't solve that unless the provisioning system connects to the web access system and does this automatically.

Sign-On and Identity Propagation: If you deployed a directory server, you don't want users to sign on via a separate password; you need your web access solution to provide authorization for access to the directory.

Attribute Exchange

Web SSO and Non-Web SSO -
Intelligence alone is not enough; the platform allows us to make the intelligence actionable. If we detect something we need to be able to take an automated response. If we detect a hacker breaking in, the platform has to be able to shut down access. The biggest security risks exist because we can't act fast enough. Security is about latency: how fast we can detect risk and fix it. When we look at many of the security breaches out there, they find that a lot of the exposures were well understood well before the break-in. The platform is both detective and preventive: by connecting all of the processes in identity management we can aggregate all of the risk factors and take action. If these components were separate we would lose visibility.

Administration: A single view of a user across all systems gives us intelligence on excessive access. If we have reconciliation, we can detect orphaned accounts when users separate from the organization. When emergency access is granted, the platform can track it and remove it automatically when it is no longer needed.

Combining Adaptive Access: When a user comes in from an un-trusted device, the platform can detect this and disable the action or force the user to re-authorize.

Governance: If a separation of duties violation is detected during a certification review, the system needs to remediate the violation.

Net: All of these automated responses are possible if customers adopt a product that is part of a platform.
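The aggregate-then-act loop described above, as an added example written for this page (not Oracle product code): it builds the single cross-system view of who holds what, reconciles it against an authoritative HR feed, applies separation-of-duties rules and a role baseline, and maps each finding to the response named on the slide. The HR feed, system extracts, SoD rules and role baselines are constructed sample data.

```python
# Added example: cross-system entitlement aggregation with automated responses.
# All data below is constructed for illustration.

# Constructed HR feed (the authoritative source): user -> (status, job role).
HR = {
    "alice": ("active", "sales_rep"),
    "bob": ("terminated", "analyst"),
    "carol": ("active", "dba"),
}

# Constructed per-system account extracts: system -> user -> entitlements.
SYSTEMS = {
    "crm": {"alice": {"crm_user"}, "bob": {"crm_user"}},
    "procurement": {"alice": {"create_po", "approve_po"}},
    "database": {"alice": {"dba"}, "carol": {"dba"}, "dave": {"readonly"}},
}

# Separation-of-duties rules: pairs of (system, entitlement) that conflict.
# The second rule is the slide's case of an application user who is also a DBA.
SOD_RULES = [
    (("procurement", "create_po"), ("procurement", "approve_po")),
    (("crm", "crm_user"), ("database", "dba")),
]

# Entitlements a job role is expected to hold; anything beyond is excessive.
ROLE_BASELINE = {
    "sales_rep": {("crm", "crm_user")},
    "analyst": {("crm", "crm_user")},
    "dba": {("database", "dba")},
}


def aggregate(systems):
    """Build the single cross-system view: user -> {(system, entitlement)}."""
    view = {}
    for system, accounts in systems.items():
        for user, ents in accounts.items():
            view.setdefault(user, set()).update((system, e) for e in ents)
    return view


def findings(hr, systems, sod_rules, baseline):
    """Return (user, finding, response) triples, one per detected issue."""
    out = []
    for user, held in sorted(aggregate(systems).items()):
        if user not in hr:
            # Account with no owner in the authoritative source.
            out.append((user, "orphaned_account", "de-provision"))
            continue
        status, role = hr[user]
        if status == "terminated":
            # Reconciliation caught access that outlived the employee.
            out.append((user, "user_termination", "disable"))
            continue
        for a, b in sod_rules:
            if a in held and b in held:
                out.append((user, f"sod_violation:{a[1]}+{b[1]}", "remediate"))
        if held - baseline.get(role, set()):
            # Anything outside the role baseline is flagged for review.
            out.append((user, "excessive_access", "escalate"))
    return out


def signon_response(user, device_trusted):
    """Adaptive access: an un-trusted device forces re-authorization."""
    return "allow" if device_trusted else "re-authorize"


if __name__ == "__main__":
    for row in findings(HR, SYSTEMS, SOD_RULES, ROLE_BASELINE):
        print(row)
```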
Note to speaker: Instead of belaboring the details of ADF and identity, you can come up with some nuggets you feel comfortable with by reading through the online brief http://docs.oracle.com/cd/E14571_01/web.1111/b31974/adding_security.htm

Extensibility is critical, especially for large organizations that have to contend with slightly different requirements from multiple departments. Everyone needs a special field added or an approval process.

Single way to extend all components: Customers choosing a platform approach get a single facility for extending all of their identity applications vs. customizing multiple point solutions via different methods. With Oracle's Identity Platform we have built-in support for Oracle's Application Development Facility, which allows common configuration across all of Fusion Middleware. It allows drag-and-drop UI configuration, a simple interface to configure workflow, and exposes an API that lets customers build applications on top of the Identity Platform.
Background for speaker: See the link for a briefing: http://www.oracle.com/us/products/applications/fusion/index.html

Fusion Apps Pillars: CRM; FIN – Financials; GRC – Governance, Risk and Compliance; HCM – Human Capital Management; Procurement; P2P – Project Portfolio Management; SCM – Supply Chain Management

Function and Data Security: Applications include multiple roles and support a comprehensive set of standards to secure data and functions.

Granular Access Control: Function security privileges are used to control access to a page or specific functionality within a page.

Flexible Policy Control: Data security includes privileges conditionally granted to a role, which allows roles to define inclusion and exclusion.

Easy Configuration: Within Oracle Fusion Applications the roles, role memberships and privileges, as well as the data security policies, are authored at design time.

The security across all pillars is built on top of service-oriented security: a single identity provider, provisioning service and authorization service. If a customer purchased PeopleSoft and Siebel they would need to provision user access to each application and configure security separately in each application. The application roles in PeopleSoft are very different from the application roles in Siebel. In addition, each application maintains separate user account management and password management. Each application's security policy for access to forms and transactions was developed internally to that application. To enable the next generation of ERP apps, all Fusion applications use platform security services based on Fusion Middleware. When an employee is on-boarded into Oracle's HR Fusion App (HCM), that user can be automatically provisioned to any of the other ERP apps depending on job role. So if we hire a sales rep, the rep would get accounts in Siebel and perhaps limited access to the Procurement system.

When the user separates from the organization, all of the access is disabled across applications. When the user signs on to any application, the sign-on is recognized across applications. More importantly, these applications share a common declarative security framework, which means we can make sure that the sales representative does not have the capability to create purchase orders in the procurement system. Without a shared framework, cross-system controls are not scalable. When we need to change the dollar approval authority of a manager in the procurement system, the constraint can apply across all systems where needed. The net result is improved security and a framework that is extendable to other applications. Because the platform is service oriented, the applications can reside on separate servers or across a network off-premise.
See the separate demonstration viewlet and instructions in the zipfile.
Transcript: SaskTel is a full service carrier, owned by the province of Saskatchewan, Canada. SaskTel offers wireline, wireless, Internet, and new emerging technologies that are demanded by customers. SaskTel had acquired many identity access management technologies over the last dozen years or so. Many of these solutions were legacy technologies.

SaskTel needed to refresh their IT environment in order to cut down operational costs and increase the scope of functional capability. SaskTel had many applications that were mission critical to SaskTel's business, with over 560,000+ customers demanding self-service. Many of these customers were accessing SaskTel services over mobile devices, so the solutions just had to work on any device. SaskTel leveraged Oracle IAM Suite with OIA.

SaskTel was able to mitigate risk and reduce their opex and capex by deploying Oracle's Identity and Access Management solution. In addition, they monetized their capital investments by offering Oracle's Identity and Access Management suite as a cloud service. For SaskTel the migration was all about P&L. They had to be able to manage their costs and then recognize revenue on the other side. Oracle was the only partner that was willing to step up and help them monetize those investments. SaskTel is also working with Oracle consulting services and Oracle license to take their cloud service to market.
At this year's OpenWorld, Oracle announced the launch of Oracle Public Cloud. The Oracle Public Cloud is an enterprise cloud for business. It is an integrated suite of services spanning Oracle's complete portfolio, based on open Java and SQL standards and offering flexible cloud and on-premise deployment. The services offered in our cloud are based upon Oracle's complete portfolio of best-in-class solutions. They are fully integrated together so IT departments do not have to unify the solutions they buy, and we provide an extensive array of timely and relevant 3rd party content to enrich applications. Applications can be built or extended using standards-based technology such as full Java EE applications and SQL. Organizations can deploy Java applications with no changes onto our cloud, customize Fusion Applications, and develop new custom applications. There is easy instant provisioning with a transparent, predictable pricing model based upon monthly subscriptions and consolidated billing. Additionally, applications and end users can move from our cloud to on-premise and back.

One of the exciting things about Oracle Public Cloud is the soon-to-be-available Security and Identity Management service, which is powered by Oracle Identity Management. Customers can leverage the Oracle Public Cloud and its Identity Management services to secure their applications and IT infrastructure without the hassles of deploying and maintaining on-premise software. With the Oracle Public Cloud's Identity Management services, organizations benefit from many IdM functional capabilities like Single Sign-On, Multi-Factor Authentication, User Provisioning to applications and fully delegated administration.
I want to repeat our offer to assist. The best approach is to get guidance from people who have gone through the process.

Speak with our customers: We invite you to speak with one of our customers who has created a business case and taken a platform approach. Contact a sales rep or reach out to someone here at the event and we can discuss how to help set up a follow-on conversation for you.

Set up a Free Workshop: Our sales consultants have created a repeatable workshop to help customers assess their current environment and determine how to get started.

Schedule a Demonstration: The best way to get a feel for how a platform approach works is to set up a demonstration to see all of the components running together.

Develop an ROI analysis: Over the course of many deployments we have collected data to examine the return on investment customers have received. We have compiled this information into an ROI tool that can be leveraged to provide a baseline. Work with our reps to help develop an ROI analysis for your environment.