Bridging the Cloud Sign-On Gap


Published in: Technology, Business
  • One of the benefits of cloud applications is that they provide access for employees from anywhere. Here we see that employees can just as easily access applications from the office, which is behind the firewall, as they can from their home, a hotel or even a coffee shop outside the firewall. This allows employees to remain productive wherever they are.
  • However, as access to the applications increases, so does the risk of attack. Just like the employee, any would-be hacker has access to the application as well. To compound this problem, most cloud applications use a standard naming convention for all their customers. Whether this is an e-mail address or first initial plus last name, it isn't hard for someone to determine the logon ID and then begin attacking the password. So now your critical data is exposed to anyone with internet access.
  • The natural knee-jerk reaction to this problem is to increase security, whether through stricter password policies (i.e. stronger/longer passwords that change more frequently) or by implementing a strong authentication solution provided by the cloud application. However, this results in a decrease in productivity as users lose the strong authentication device or forget their passwords, which leads to account lockouts and prevents access to data.
  • There are events that require termination of a user's access to applications. Most of the time this is the result of the employee's termination. For internally hosted applications this is easy: simply remove the employee's network access and building badge and they can no longer access the information in the applications. However, with hosted applications this becomes a problem, since they are available from anywhere. What is to stop them from accessing a valuable company asset and pulling down all the data? With ESSO Logon Manager controlling the user's password, the existing process of terminating the network ID still works: without access to ESSO, the user will no longer be able to gain access to the data in the cloud. When a user is moved from one role or organization to another, instead of having to adjust the ID on the cloud application, a simple request to ESSO Provisioning Gateway to remove the credentials from ESSO removes the user's ability to access the data. Both of these processes can be done internally, are easier to incorporate into current practices and ensure termination of access, rather than hoping someone went to the external site to modify the logon credential.
  • ESSO Anywhere is the only enterprise single sign-on solution that can address this use case. ESSO Anywhere allows users, once authenticated to their corporate directory, to access the single sign-on solution. This lets users gain access to their secured credentials from any location they desire. Once authenticated, the LM Agent is downloaded and configured on the user's machine. This operation can be done on any machine, as administrative rights are not needed. After the agent has been configured, the user's credentials are downloaded and available. As the user launches their cloud applications, the LM Agent injects credentials just as if it were on the corporate network. All login events are audited and the audit records are retained to ensure your compliance stance. Once the user is done using SSO and disconnects from the corporate directory, the LM Agent can be configured to remove itself and the credentials from the local machine.
  • Pre-integration of OAAM, OAM and OIM for self-service password management and secure login flows. Easily add needed security to vulnerable flows such as password reset. Benefits over OIM+OAM alone: KBA (Knowledge Based Authentication); large OOTB question library; question management – edit, create, delete; localization – 26 languages; controls to balance usability with security (registration logic, validations, question set, tuning categories to the user population, balancing complexity, answer logic); increased usability – fewer service calls.
  • The slide shows identity management requirements at different levels of sophistication. At the foundation we have to know who's who across all of our applications. Providing secure authentication is next; typically this is user name and password or strong authentication. Slightly more sophisticated is administration, because it has to be flexible to handle all of the nuances of moves, adds and changes. Providing compliance reporting is next in the ladder, because this requires intelligence about SOD. At the highest level is understanding risk: understanding patterns of behavior so we can step up authentication and authorization, and understanding what access may be risky during a certification review. Finally, it has to scale to address the opportunity. At the identity level this means massive scale for numbers of users, because we not only have to manage our enterprise users, we have to manage our subscribers and customers. NOTE: China Mobile has over 600 million subscribers. Vodafone in the UK has about 341 million subscribers. If we want to take advantage of opportunities in China we have to more than double our scale. So imagine if you are AT&T with 100 million subscribers and you have to merge with T-Mobile at 34 million subscribers and you have to integrate. At the authentication level, the scale is also increasing because of mobile use and social networking; with social networking I am referring to services that allow users to authenticate to get access to applications or data resources via their social networking login. Interesting stat: if Facebook were a country it would be the 3rd largest, with double the population of the US. At the mobile level, many customers are building internal application stores to provide applications to their employees. They have to be able to provide single sign-on across applications.
The administration has to scale to the cloud. To take advantage of the cloud, organizations have to bridge the gap between the security in the enterprise and the security in the cloud. This means delegated administration and managing moves, adds and changes directly to the cloud. The audit has to scale: many customers have done their initial projects on certification review, but now need to scale the process to more applications, and the volume of entitlements is only increasing. Identity management has to evolve to provide
  • Recently Aberdeen Research published a brief comparing the benefits of a platform approach vs. a point solution approach. Many organizations use an IAM suite to meet their identity and access management requirements, and that is referred to as a platform approach. In contrast, other organizations use a collection of best-of-breed solutions from multiple vendors, and that is referred to as the point solution approach. In compiling their research report Aberdeen interviewed more than a hundred customers, and their findings were very interesting. They found that a platform-based approach to IAM resulted in a cost savings of 48% over a comparable point solution approach. So in effect, using an IAM platform can help organizations using a collection of point solutions to recover their investment with a positive ROI. This paper is available for download.

    1. Kuppinger Cole Webinar: Bridging the Cloud Sign-On Gap. Sebastian Rohr, Kuppinger Cole; Matt Berzinski, Oracle. February 9th, 2012. This Webinar is supported by
    2. Call for Speakers • Propose your project for the European Identity Awards • Become an Event Partner. 500+ delegates, 50+ Partners and Exhibitors, 4 Session Tracks, 100+ Speakers. Educate. Innovate. Connect. © Kuppinger Cole 2012
    3. Some guidelines for the Webinar: You are muted centrally. You don't have to mute/unmute yourself – we control the mute/unmute features. We will record the Webinar – the podcast recording will be available tomorrow. Q+A will be at the end – you can ask questions using the Q+A tool anytime; we will pick them up at the end or, if appropriate, during the Webinar.
    4. Bridging the Cloud Sign-On Gap – Extend your Enterprise SSO reach to the Cloud. Part 1: Presentation by Sebastian Rohr • Sign-on (and other) challenges in internal IT • Reaching out for/to the cloud • Specific issues around hybrid deployments. Part 2: Presentation by Matt Berzinski • How to "Bridge the Gap" • Tackling sign-on, authorization and governance • Extending the reach of internal solutions. Part 3: Discussion • Additional questions can be placed using the GoToWebinar Tool – area "Questions".
    5. What business really wants: Service delivery and Information Security. Business just wants the services they need to do their job and to keep corporate information protected adequately (hopefully).
    6. IT Technology & Delivery (timeline figure, 1960–2020): technology moves from Centralized Mainframe to MidSize, Client/Server and Web; delivery moves from In-house to Outsourced Hosting, Outsourced ASP, Web Managed Service and as-a-Service (Software-, Platform-, Infrastructure-), in-house/outsourced.
    7. Challenges your IT faces today: • Serving demand with a mix of Cloud and "classic" services • Offering adaptable Strong Authentication • Safeguarding Audit Trails in all delivery methods • Staying in Compliance with (multiple) Legislations/Regulations • Providing reliable & authentic Billing/Accounting information • Providing proper means of Access Control to sensitive data
    8. Serving IT demand with a Cloud-Mix (figure, with kind permission by E. von Faber): Distributed, scalable Cloud-Computing. Service layers: Software-as-a-Service (ERP, CRM, SCM, Office etc.); Platform-as-a-Service (RTE, i.e. .Net, Java; Database); Hosting (Systems in remote Datacenter); Managed Services (Maintenance, Configuration Changes); Monitoring & Support (Remote Monitoring Service); Infrastructure-as-a-Service (Hardware, MIPS, Memory). Stack: Application; Platform (RTE, DB); Hardware, Infrastructure; Datacenter + Network. Axes: shared vs. dedicated; DC of Customer / one DC of Service Provider / Multi-DC (distributed); one-to-one vs. one-to-many; Control/Knowledge and Attack Vectors/Threats (+ / –).
    9. Offering Strong Authentication. Username/Password are all over the place: • Hard to remember (the plethora) • Not always secure enough – other methods needed! • Two-factor Auth & Strong Auth often a requirement • Not every internal app can use 2FA/SA natively • Even harder for (multiple) Cloud services • Context-aware Auth often not available (XACML) • "Step-up" Auth not supported by Cloud Service
    10. Safeguarding Audit Trails. Who did what? • Hard enough to tell in internal apps • Keeping track of Access Rights & Permissions. By which means? • Webservices/WebGUI • Fat Client. Who requested it? • Workflows established? • Role-model and "need-to-know". Who authorized it? • Multi-approver support in work-flows • Re-Certification of once deployed permissions. Get that for your Cloud-Services! At least partially…
    11. Staying in Compliance. Where do you do business? • National laws & regulations • Regional laws & regulations. In which verticals? • Healthcare • Food/Pharmaceutical • Financial… Special Requirements: • Do you need to know where your data is located? • Do you need to keep your data in your country? How to keep track? • Safeguarding compliance through central logs • Probably establish SIEM with specific filters
    12. Providing usage based invoicing. Many internal IT services are paid "by consumption": • Number of transactions processed • Time spent "using" the service • Processing cycles, bandwidth or memory used. How to make that available to other departments? © Kuppinger Cole 2011
    13. Proper means of Access Control. Federation: • Needs some legal clarification beforehand • Relatively complex to establish. Direct integration: • Not feasible with "real" Cloud Services • Too much technical effort & risk (trust, legal). Web Access Management: • Easier to establish/extend • Easier to "tear down" and maintain. Enterprise SSO: • Quick & easy to extend • Good manageability • Often times already proven deployment
    14. Using Hybrid Cloud Deployments. Challenges: • May add Complexity • May tamper with Security • Will provide Elasticity • Impacts Networking – Discovery – Communication – Latency – Availability. Recommendations: • Stay secure from the start – Create proper process, then – Build on trusted technology – No "experiments", please! • If possible, Federate (later) • Extend your enterprise security architecture & tools • Remain in control • Maintain Know-How inside
    15. Touch-Points – do NOT re-invent! What you need, and where to get it:
       • Strong Authentication – Re-use internal Auth + SSO
       • Proper Audit trails – Re-use internal Access Control
       • Accounting/Invoicing – internal Auth + Access Control
       • Governance + Risk Mgmnt. – above + internal GRC + add-in
       • Provisioning – Extend internal IdM tools
       • Access Control – See above, but: do not forget Cloud-PAM!
       And now let's see how this could be achieved!
    16. Bridging the Sign-On Gap to the Cloud
    17. Copyright © 2010, Oracle. Proprietary and Confidential. This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
    18. Cloud applications are proliferating • More services being offered in a hosted manner – CRM – Personal Productivity Products – Business Intelligence • Provide many benefits to the organization – No need to procure large and complex infrastructure – No deployment or maintenance costs associated – Provides easy access to information from anywhere
    19. Drawbacks of cloud applications • Add another set of credentials for users to maintain • Securing access to those applications – Federation can lead to more legal fees than IT fees • Controlling access to only those who need it – Changing roles – Termination • Auditing access to the application
    20. Oracle ESSO Suite Plus Solves Enterprise Access Challenges (diagram of the suite components): ESSO Authentication Manager, ESSO Provisioning Gateway, ESSO Logon Manager, ESSO Password Reset, ESSO Kiosk Manager, ESSO Anywhere
    21. ESSO Logon Manager Overview
    22. Access the cloud anytime, from anywhere (diagram: Cloud Application)
    23. Provides a security challenge (diagram: Cloud Application)
    24. How to combat this? Increase Security: – Strong Authentication (• Site Specific • Not associated with business • Another infrastructure to maintain) – Tougher Passwords. Decrease Productivity: – Loss of Strong Authentication Device – Forget Passwords – Account Lockouts
    25. ESSO LM Bridges the Sign On Gap. Manage Passwords: • Enforces strong password policies • Optionally can generate random passwords not known by users. Integrate Strong Auth: • Leverage corporate strong authentication deployment • Challenge for re-authentication prior to providing credentials to the application. Ensure Compliance: • All logon events are audited and associated to an enterprise user name • Track all password change events to comply with security • Generate reports showing inactive accounts
    26. ESSO creates Strong Passwords. Randomly generated passwords look like this:
    27. Controlling User's Access • More challenging than conventional applications – Hosted applications can be accessed from anywhere – Disabling network ID does not terminate application access • ESSO LM does not allow users to reveal passwords • This allows easy removal of access – Disable Windows account – Remove SSO password through ESSO Provisioning Gateway
    28. ESSO from Anywhere (diagram: Remote PC with ESSO-LM Agent → Cloud Applications)
    29. ESSO Enables Cloud Apps • Simplify access to hard to connect cloud applications through ESSO • Increase security by maintaining user's password and extending existing strong authentication • Audit all access to the application for Regulatory Compliance • Enforce all policies from any computer with internet access • Deliver ROI by terminating inactive accounts
    30. Why Oracle ESSO Suite? • Established track record – Passlogix Founded in 1996 – Oracle Acquired Passlogix in Oct 2010 – Proven history of success • Market-leading – 10's of millions of licenses sold – Thousands of enterprise customers – 10,000's of applications – Customers with millions of employees • Patented technology – Provides fast deployment, quick ROI – 2 US patents and 7 foreign, additional pending
    31. Recognized Leadership. "The company goes around a problem .... It is far different from thinking out of the box. It's refusing to acknowledge that the box exists in the first place." 2011 ESSO Marketscope: "Passlogix provides an excellent, lightweight, low maintenance SSO solution, suitable for deployments of any scale … and it is seen as a "best of breed" enterprise SSO product – the general good opinion in which it is held …" "Passlogix has some highly functional ESSO technology … they often pioneer in the market…" 100% of customers would buy it again; 100% of customers would recommend it to a peer; 100% of customers said Passlogix keeps all promises; 71% ranked Passlogix as their Best or 2nd Best Vendor. Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. The Magic Quadrant graphic was published by Gartner, Inc., as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Oracle. Rating scale: Strong Negative, Caution, Promising, Positive, Strong Positive. Vendors rated: ActivIdentity, Avencis, CA Technologies, Evidian, IBM, Ilex, Imprivata, i-Sprint Innovations, Microsoft, NetIQ, Oracle. As of 20 September 2011.
    32. Deployed by Leading Customers (customer logos): Financial; Healthcare / Pharmaceuticals; Energy; Government
    33. Oracle ESSO Suite Is Integrated with Oracle IAM (diagram: ESSO with OAM, OIM and ODS) • Single Sign-On from Desktop to Web Apps and Cloud • Single login to access enterprise apps and OAM protected web apps • Integrated with industry leading provisioning solution • Integrated with Directory Services • Leverage existing investments in directory servers
    34. Cost Benefits of Oracle ESSO Suite • Organization with 7000 users • 1 Password Reset per quarter/user • Average helpdesk call $40. ROI: 140%; Payback period: 12 months. Source: ESSO Buyer's Guide, Sep 2011. Link:
    35. Oracle Provides an Evolved IDM Platform (figure). Layers: Identity – Authoritative ID with Massive Scale; Authentication – Access Via Mobile & Social Channels; Administration – User Lifecycle In Hybrid/Cloud Environments; Audit – Certify Access for Millions of Users & Entitlements; Risk Management – Monitor Behavior & Detect Improper Access. Axes: Enterprise, Extranet, Cloud/Mobile; Tools, Point Solutions, Platform, Intelligence.
    36. Oracle Platform Makes All the Difference. Source: Aberdeen "Analyzing point solutions vs. platform" 2011. Headline figures: 46% Cost Savings; 48% More Responsive; 35% Fewer Audit Deficiencies. Benefits and Oracle IAM Suite advantage:
       • Increased End-User Productivity – Emergency Access: 11% faster; End-user Self Service: 30% faster
       • Reduced Risk – Suspend/revoke/de-provision end user access: 46% faster
       • Enhanced Agility – Integrate a new app faster with the IAM infrastructure: 64% faster; Integrate a new end user role faster into the solution: 73% faster
       • Enhanced Security and Compliance – Reduces unauthorized access: 14% fewer; Reduces audit deficiencies: 35% fewer
       • Reduced Total Cost – Reduces total cost of IAM initiatives: 48% lower
    37. One Company, One Solution, One Stack • Proven vendor – Acquire and retain best of breed technology and talent – Battle-tested for large, mission-critical applications – Referenceable, award-winning customer deployments • Most complete and integrated best-of-breed portfolio – Service-Oriented Security – Interoperable components • Future proof investment – Standards-based and hot pluggable for easy integration – Established deployment best practices – Large implementation ecosystem
    38. Learn More
    39. Get a Jumpstart with Oracle Consulting Services • Thought leaders that provide customers with tightly integrated, comprehensive and superior services as part of the Oracle brand • Q2FY11 Forrester Wave report rates Oracle Consulting as the leader • World's top experts in User Life Cycle Management. Pre-Install: • Oracle Identity Management Deployment Strategy • Oracle Identity Management Vendor Transition Strategy. Install: • ESSO Quickstart • Oracle Identity Manager Quickstart • IDM Virtualization service • Directory Services Quickstart. Post Install: • Oracle Directory Services & Identity Management Health Checks • ESSO Health Check
    40. Join the Oracle IDM Community: Twitter, Facebook, Oracle Identity Management blog
    41. Q&A
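To make the access model of slides 25 to 27 (and the termination speaker note) concrete, the following Python model is added here; it is not Oracle ESSO code. It assumes a directory-gated credential vault whose randomly generated, policy-compliant passwords the user never sees; the user `jdoe`, the app, the policy values and the audit event names are constructed for the example.

```python
import secrets
import string
from dataclasses import dataclass, field
# Per-application password policy Logon Manager would enforce (constructed values)
POLICY = {"length": 16, "upper": 1, "lower": 1, "digit": 1, "symbol": 1}
SYMBOLS = "!@#$%^&*-_=+"


def meets_policy(pw: str, policy: dict = POLICY) -> bool:
    """Check a candidate password against the policy's length and class minimums."""
    counts = {"upper": sum(c.isupper() for c in pw), "lower": sum(c.islower() for c in pw),
              "digit": sum(c.isdigit() for c in pw), "symbol": sum(c in SYMBOLS for c in pw)}
    return len(pw) >= policy["length"] and all(counts[k] >= policy[k] for k in counts)


def generate_password(policy: dict = POLICY) -> str:
    """Random password the user never learns (slide 25: 'not known by users')."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if meets_policy(pw, policy):
            return pw


@dataclass
class CloudApp:
    passwords: dict = field(default_factory=dict)   # the SaaS provider's own store

    def login(self, login_id: str, pw: str) -> bool:
        return secrets.compare_digest(self.passwords.get(login_id, ""), pw)


@dataclass
class LogonManager:
    directory_enabled: dict = field(default_factory=dict)  # corporate directory state
    vault: dict = field(default_factory=dict)              # (user, app) -> (login_id, pw)
    audit: list = field(default_factory=list)              # events tied to the enterprise user

    def enroll(self, user: str, app_name: str, app: CloudApp, login_id: str) -> None:
        pw = generate_password()
        app.passwords[login_id] = pw                 # LM rotates the app password itself
        self.vault[(user, app_name)] = (login_id, pw)
        self.audit.append((user, app_name, "password_changed"))

    def revoke(self, user: str, app_name: str) -> None:
        # Provisioning Gateway request: drop the stored credential (slide 27)
        self.vault.pop((user, app_name), None)
        self.audit.append((user, app_name, "credential_removed"))

    def logon(self, user: str, app_name: str, app: CloudApp) -> bool:
        """Inject the stored credential only while the directory account is enabled."""
        if not self.directory_enabled.get(user, False):
            self.audit.append((user, app_name, "denied_directory_disabled"))
            return False
        cred = self.vault.get((user, app_name))
        if cred is None:
            self.audit.append((user, app_name, "denied_no_credential"))
            return False
        ok = app.login(*cred)
        self.audit.append((user, app_name, "logon_ok" if ok else "logon_failed"))
        return ok


def termination_scenario() -> tuple:
    crm = CloudApp()                                    # constructed sample app and user
    lm = LogonManager(directory_enabled={"jdoe": True})
    lm.enroll("jdoe", "crm", crm, "jdoe@example.com")
    results = [lm.logon("jdoe", "crm", crm)]            # True: SSO works from anywhere
    lm.directory_enabled["jdoe"] = False                # HR disables the network ID
    results.append(lm.logon("jdoe", "crm", crm))        # False: nothing gets injected
    lm.directory_enabled["jdoe"] = True                 # role change: account stays active
    lm.revoke("jdoe", "crm")                            # gateway removes the credential
    results.append(lm.logon("jdoe", "crm", crm))        # False: no credential to inject
    return results, lm.audit
```

Note that the SaaS-side password stays valid after the directory account is disabled; the control only holds because Logon Manager never reveals it to the user, which is why slide 27 pairs the two points.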