Overview – So today the process of certifying applications and and managing enterprise roles is largely spreadsheet driven and most companies today are able to manage entitlement certification for a handful of applications but the question everyone is asking is how do we scale to thousands of apps This presentation is about how Oracle can enable businesses to make the process repeatable, sustainable. More importantly orchestrate certification review campaigns and measure progress
The Oracle Lens:First I want to start with some observations about security and place and Oracle Lens on how we see security – Today there are lots of different tools people are deploying to address security. Lots of end point security laptops and we have lots of solutions looking at email security and DLP. We have deployed lots of network scanning and ways of monitoring what’s happening in the enterprise .. ( CLICK THE BUILD) but when we examine what’s actually happening most of the threats are against the applications and the data . In fact 48% of the breaches were caused by insiders – so with all the monitoring 48% of breaches were caused by people who had either excessive access or even legitimate access to the data. 98% of stolen records are from servers, 86% of hacking attacks were due to lost or stolen credentials –SO THE ORACLE LENS IS ITS ALL ABOUT THE DATA AND APPLICATIONS – while we cant neglect perimeter security protecting data and applications provides the best opportunity to have a drastic impact on security.What does this mean:While this does not mean we should neglect our perimeter or remove our endpoint security – it means that the last mile is about really taking control of access in the enterprise. While we can’t dramatically lower the number of hackers externally we can control and manage user access internally and that would reduce 48% of the problem. Your applications have most of your mission critical data and your private data.So instead of only monitoring the network for attacks – I need to also check that my database is protected from SQL injection attacks and be able to check for anomalous behavior from insiders because remember 48% of it is internalInstead of only using email security to protect data – Look at how I can provide greater access control of insiders . In most cases when we look at breaches by insiders the problem is excessive access.Story We were doing an interesting POC at a healthcare organization – looking for clinicians accessing patient data they were not supposed to have access to and within the first 10 minutes found a clinician who had accessed the data of a family member. The Oracle Lens is – Its about your data and applications and its about Access –Our Security Solutions are focused on Identity management and Database security.
The problem with Application and Data Security is that it is fragmented:As an example - many organizations will try to lock down root access at the OS level while at the same time granting SQL DBA privileges to developers to access the data base. Most of the audit issues and excessive access is caused by many systems and no automated way to propagate access changes across systems.Example:Lots of first generation identity management solutions or home grown solutions that have stalled or not providing enough coverage. The result is: Poor Reporting and Audit Exposure. It becomes impossible to reconcile who has access to what data and applications without a way to reconcile the information. It hurts forensics since we cant tell which accounts belong to specific users. It Makes the enterprise more vulnerable to breaches Two examples: 1. In the Wiki Leaks Scandal when they examined Bradley Manning’s access they found that his access was excessive and if regular certification reviews were done the excessive access would have been detected.2. Security is about latency of changing access consistently and quickly – and Fragmentation increases the latency of changing access. Most organizations rely on help desks to change access which can take weeks. The UBS banking fraud case describes a rogue inside trader who uses his excessive access to his advantage.The Impact is Missed Opportunities * Without a grasp on security and compliance new business initiatives stall. In many organizations new business initiatives are slowed because they can’t overcome the compliance burdens.
When we look across organizations we see a landscape of departmental solutions and home grown solutions. In many cases the process is manual and cumber some. Example 1:For many organizations when a user comes on board they provision a user via a “model after paradigm” where they use the profile of a user in a similar job role to provide access. The result is often the user we are modeling has excessive access and this propagates a bigger access control problemExample 2:In many cases the organization has deployed a “point solution” that can provision to only a few applications – when access is managed the non-managed applications quickly become out of synch with the managed applications. The result is an audit issue trying to reconcile accessFrom an organizational perspective – this is costly with lots of redundant solutions and inconsistent results. Organization spend thousands of dollars per quarter trying to reconcile access rights with defined audit control rules. Many of the audit exposure are cross department – Mainframe applications are notorious since the applications are share and multi-department apps. Scaling the audit control is painful… as a data-point when we sell our Oracle Identity Analytics – the mainframe applications are typically a first project for cleanup.Net: We have to think organizationally – using a common product suite to deliver consistent results – From a cost perspective it is expensive to negotiate with many vendors to adopt departmental solutions. Typically once an organization has purchases two point solutions they have reached the cost of acquiring a suite. More importantly from a support perspective having a single vendor provide support organizationally improves quality of service.
We need to rethink our approach.Many organizations are moving toward a centralized access governance model. Forrester Insights in 2011. Noted that 54% of Chief security officers now report to the CEO or to the executive board. The reason is that a departmental approach has resulted in lots of redundant spend and effort. [Now Build and Talk to Each Point Specifically]We need to think Organizationally v.s. Departmentally This is true for most compliance. If every department buys encryption technology to satisfy a unique need the organization looses the benefit of a global sourcing opportunity. In addition, if we just look at the time it takes to evaluate many point solutions and do the purchasing the cost is immense. Thinking organizationally is also a statement about requirements – having an organizational perspective on what the reporting requirements are and aligning with the organizations risk tolerance is critical. Every organization has to think about how to start small finish big.It’s a Roadmap Opportunity not a Single Point SolutionMany first generation identity management solutions are end of life’d today because they can’t adequately address the needs to evolving compliance and security. NIS and NIS+ are both examples of provisioning solutions that were single platform and could not address password aging controls. As the requirements of auditors have become more cross platform and expanded to the cloud and mobile world organizations need to have a roadmap and realize that they need to track the lifecycle of technologies get better ROIThe benefit is Interoperability – integrating the solutions in-house is costly and brittle Most of the point solutions are integrated in house – this process is costly and cumbersome and when new versions of the software are shipped typically the integrations break which created a maintenance burden in house. Having point solutions from multiple vendors puts organizations in a position to constantly keep up with changing integration needs. Contrast this to single vendor platform approach with a common data model many of the use cases work out of the boxScale & Simplicity Departmental solutions were typically meant to scale to a department level – solutions in a platform have typically gone through a maturity curve to scale at the organizational level and to an extranet audience. As we think about the enterprise and cloud – the scale and simplicity needs to be part of our thinking.
The slide shows identity management requirements at different levels of sophistication- At the foundation we have to know who’s who across all of our applications. Providing secure authentication is next typically this is user name and password or strong authentication Slightly more sophisticated is administration because it has to be flexible to handle all of the nuances of moves adds and changes To provide compliance reporting is next in the ladder because this requires intelligence of SOD At the highest level is understanding risk- understanding patterns of behavior so we can step up authentication and authorization – and understanding what access may be risky during a certification review Finally – it has to scale to address the opportunity At the identity level – this means massive scale for numbers of users because we not only have to manage our enterprise users we have to manage our subscribers and customers. NOTE: China mobile has over 600 Million subscribers . Vodaphone in the UK has about 341 million subscribers – If we want to take advantage of opportunities in china we have to more than double our scale. So imagine if you are ATT with 100 million subscribers and you have to merge with T mobile at 34 million subscribers and you have to integrate.The authentication level – The scale is also increasing because of mobile use and social networking – with social networking I am referring to services that allow users to authenticate to get access to applications or data resources via their social networking login. Interesting stat If facebook were a country it would be the 3rd largest with double the population of the US. At the mobile level many customers are building internal application stores to provide applications to their employees. They have to be able to provide single sign on across applications. The administration has to scale to the cloudTo take advantage of the cloud – organizations have to bridge the gap between the security in the enterprise with the security in the cloud. This means delegated administration and managing moves adds and changes directly to the cloud.The audit has to scale Many customers have done their initial projects on certification review – but now need to scale the process to more applications the volume of entitlements is only increasing. Identity management has to evolve to provide
The solution needs to be interoperable out of the boxFor many organizations the help desk acts as the glue connecting separate identity management solutions cross department. When a user separates from the organization – the help desk manually calls someone to remove the account across the systems and applications and the help desk has to remove he user from the corresponding identity management systems. When tickets are dropped or take too long to complete we get audit issues Two points of interoperability are critical A single user view - the biggest exposure to risk and compliance is knowing who has access to what and the exposure that hackers and insiders are going after are the exposures that are not visible. Having a single point of view for user access that can be regularly certified and reported on is critical Organizational view – being able to see cross department is critical – this means cross system. If user in purchasing has access to the pricing system we need to have visibility to the possible access conflicts.Its about Common Reporting and Data When a user departs from the organization and the provisioning solution disables his or her accounts it also needs to instantaneously disable the session on the web access manager as well. This level of “inter-operability is critical” . The platform approach maximizes the inter-operability so the customer does not have to figure it out in house.
At an organizational level its about scale – Point Solutions Don’t ScalePoint solutions that are process specific can’t scale to accommodate the needs of thousands of systems to provide the full capabilities needed for access control and enforcement. As the size of the organization increases the scale is important because we only have a handful of help desk staff and a few administrators. Adopting and deploying point solutions would create a quagmireAt a coarse grained level – we have to have access control across thousands of systems – this means onboarding – offboarding, privileged access control and certification review Accommodate 100s of Thousands of Users – In a department we are concerned with hundreds of users at an Organizational level we have to think about 100s of thousands – because Identity management is not only about internal users its also about external users as well. We are letting more outsiders inside the organization than ever before – we have to secure access to applications and data.Certify and Report on Access for Millions of Entitlements – when we think departmentally administrators focused on thousands of entitlements across single platforms – but to reach the goal we have to focus on millions of entitlements and be able to scale to manage these.
Note To speaker:To hear Derek Brink discuss the results of the Aberdeen study – listen to the webcast https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=351680&sessionid=1&key=447376809BE9DD78590D28294BCBF0A9&partnerref=fmwnewsBB_sec_idmmulti0911&sourcepage=registerRead the QA from the Webcast:http://blogs.oracle.com/OracleIDM/entry/webcast_follow_up_analyzing_pointRead the Aberdeen paper http://www.oracle.com/webapps/dialogue/ns/dlgwelcome.jsp?p_ext=Y&p_dlg_id=10644056&src=7319991&Act=11Encourage the audience to read the paper.Key Points Here:There is a distinct shift toward a platform approach – Aberdeen did a study of 160 companies world wide and found there was a distinct shift to how organizations are thinking about identity management. 53% plan to take a platform approach to Identity management. The results were true globally and across different company sizes The survey was equally covered from small, midsized and large companies. Although a large volume of respondents were north america, the results were similar in all geographies.
Note:Again read the paper and listen to the webcast to to internalize this slide.The Goal is Standardized and Repeatable Instead of inconsistent process and costly redundant tools across departments – the goal is to be more standardized and repeatable. Standardizing also helps organizations mature their level of sophistication with regard to Identity and Access Management. These customers were better able to leverage automated approvals and had better exception handling overall. Customers who chose a point solution approach were less likely to achieve the same benefits – the costs of in-house integration or home grown tools were a limiting factor in extending the capabilities organizationally.Customers Who Chose a Platform Were More Standardized OrganizationallyBecause they had common workflow across departments and common reporting
Note:Again read the paper and listen to the webcast to to internalize this slide.Platform Customers Achieved more Sophisticated Capabilities 63% of platform adopters had been able to get reporting on who had access to what and access privilege reports. In addition 68% had a achieved a maturity to manage Seperation of Duties vs 36% of the point solution approach customers. The interoperability of solutions produces the benefit – You can hear from our customers who have achieved these benefits in an up-coming webcast series. Greater Organizational Scale Most of the point solution customers were doing periodic validation via spreadsheets since their solutions were only department centric. More importantly many of the platform customers had matured to enforcing separation of duties given they had adopted platform solutions for administration.
By choosing solutions that are part of a suite customers can actually reduce cost and improve security. Background on Aberdeen Surveyed 160 companies globally – small medium and large. Roughly ½ had built their deployment with point solutions the other 50% chose solutions that were part of an integrated suite. _ the net result - The companies with an integrated suite had 35% fewer audit deficiencies. Saved 48% over companies that integrated the solutions in-house The rationalization is that – If the content is interoperable – for example security policy, user identity and workflow – we can deploy faster and get a closed loop system so we don’t have to rely on help desks and manual effort.In addition we get complete 360 visibility on user access.
I want to repeat our offer to assist. The best approach is to get guidance from people who have gone through the process Speak with our customers We invite you to speak with one of our customers who has created a business case and taken a platform approach. Contact a sales rep or reach out to someone here at the event and we can discuss how to help setup a follow on conversation for you.Setup a Free WorkshopOur Sales consultants have created a repeatable workshop to help customers assess their current environment and determine how to get started. Schedule a DemonstrationThe best way to get a feel for how a platform approach works is to setup a demonstration to see all of the components running together. Develop an ROI analysis Over the course of may deployments we have collected data to examine the return on investment customers have received. We have compiled this information into an ROI tool that can be leveraged to provide a baseline . Work with our reps to help develop an ROI analysis for your environment.
As mentioned before we have a unique online opportunity to learn from and get questions answered by our customers. These are live webcasts but they will also be available on demand as well.On Feb 15th – Agilent Technologies discusses how they moved from multiple point solutions to consolidate their deployment on OracleOn Marc 14th - Cisco discusses their unique approach to consolidate their identity program into a platform On April 11th – ING Bank - discussed how a platform with integrated administration and governance reduced cost and improved complianceOn May 30th – Toyota Motors -
Join our community for regular updates on content and hear about upcoming events and news.
Biz case-keynote-final copy
<Insert Picture Here>Building The Business Case for a Platform
This document is for informational purposes. It is not a commitmentto deliver any material, code, or functionality, and should not be reliedupon in making purchasing decisions. The development, release,and timing of any features or functionality described in this documentremains at the sole discretion of Oracle. This document in any form,software or printed matter, contains proprietary information that is theexclusive property of Oracle. This document and informationcontained herein may not be disclosed, copied, reproduced ordistributed to anyone outside Oracle without prior written consent ofOracle. This document is not part of your license agreement nor canit be incorporated into any contractual agreement with Oracle or itssubsidiaries or affiliates.
Agenda • The Oracle Lens • The Current Situation • Platform vs. Point Solution • Aberdeen IAM Study • Case Studies
The Oracle Lens on Identity and Security Applications and Data Endpoint Security • How do I control insiders? Other 48% Caused Applications Vulnerability • Can I report onSecurity by Insiders Management anomalous behavior? 98% Stolen Records Data From Servers • Can I reduce excessive 86% Hacking Involve Stolen Credentials access? Email Network • Can I prevent Intrusions? Security Security 2010 Data Breach Investigations Report
A Patchwork of SolutionsFragmentation Reduces Effectiveness • Audit exposure • Poor reporting, • Limited root cause tracking • Vulnerable to breaches • Multiple points of failure • Missed business opportunities • Inability to develop and deploy applications to users
Identity Management Organizational Situation Ad hoc and Redundant Stalled Deployments Audit Exposures High Operational Cost Departmental Solutions Redundant Technologies Capability Gaps Home Grown Solutions Organization
We Need To Re-Think Our ApproachPoint Solutions vs. Platform SolutionOrganizational Roadmap vs. &Departmental LifecycleInter-operable Scale vs. & Integrated Simplicity
Roadmap and Lifecycle Evolve From Tools to Intelligence Authoritative ID Access Via User Lifecycle In Certify Access Monitor with Massive Mobile & Social Hybrid/Cloud for Millions of Behavior & Scale Channels Environments Users & Detect Improper Entitlements Access Cloud/ Mobile Extranet Risk Management AuditEnterprise Administration Authentication Identity Tools Point Solutions Platform Intelligence
Inter-operable vs. Integrated Common Data model and Common Services User View Organization View
Scale and Simplicity • A Few Administrators • Handful of Help Desk Staff
Trend Is Toward a PlatformGlobal Aberdeen Study 160 Enterprises • Average 4 to 5 Solutions • Geography • 56% Americas • 30% EMEA • 14% APAC • Size • 32% small (<50m) • 36% mid-size (50m-1B) • 32% large (>1B)
Standardized and RepeatablePlatform Customers More Automated and Standardized • Standardized Audit • Automated Approvals • Better Analytics • Exception Handling
Better Performance and MaturityPlatform Approach Enables IAM Maturity • Audit Reporting • SoD Enforcement • Access Review • Increased Control
Platform Reduces Cost vs. Point Solutions Oracle IAM Suite Benefits Advantage • Emergency Access • 11% faster48% Increased End- Cost Savings User Productivity • End-user Self Service • 30% faster Reduced Risk • Suspend/revoke/de-provision • 46% faster46% end user access More Responsive Enhanced Agility • Integrate a new app faster with the IAM infrastructure • 64% faster • Integrate a new end user role • 73% faster35% Fewer Audit Deficiencies Enhanced Security and Compliance faster into the solution • Reduces unauthorized access • 14% fewer • Reduces audit deficiencies • 35% fewer Reduced Total Cost • Reduces total cost of IAM • 48% lower initiatives Source: Aberdeen “Analyzing point solutions vs. platform” 2011
Oracle Identity Management Platform Complete, Innovative and Inter-operable Identity Governance Access Management Directory Services• Password Management • Single Sign-On & Federation • LDAP Storage• Self-Service Request & Approval • Web Services Security • Virtualized Identity Access• Roles based User Provisioning • Authentication & Fraud • LDAP Synchronization Prevention• Analytics, Policy Monitoring • Next Generation (Java) Directory • Authorization & Entitlements• Risk-based Access Certification • Access from Mobile Devices Platform Security Services Identity Services for Developers
Let us Help You Build a Business Case Speak with Setup Free References Workshop Schedule a Develop an ROI Demonstration Analysis
Live Platform Webcast SeriesCustomers Discussing Results of Platform Approach Platform Best Practices Cisco’s Platform Approach Agilent Technologies Cisco Systems February 15th 2012 March 14th 2012 Platform for Compliance Platform Business Enabler ING Bank Toyota Motors April 11th 2012 May 30th 2012 Register at: www.oracle.com/identity