Bridging the Cloud Sign-On Gap

Kuppinger Cole WebinarBridging the Cloud Sign-On Gap Sebastian Rohr, Kuppinger Cole sr@kuppingercole.com Matt Berzinski, Oracle matthew.berzinski@oracle.com February 9th, 2012 This Webinar is supported by

• 500+ delegates • 50+ Partners and Exhibitors • 4 Session Tracks • 100+ Speakers • Call for Speakers: http://www.id-conf.com/events/eic2012/callforspeakers • Propose your project for the European Identity Awards: http://www.id- conf.com/events/eic2012/award • Become an Event Partner: bb@kuppingercole.comE ducate. I nnovate. C onnect.2 © Kuppinger Cole 2012

Some guidelines for the Webinar You are muted centrally. You don‘t have to mute/unmute yourself – we control the mute/unmute features We will record the Webinar – the podcast recording will be available tomorrow Q+A will be at the end – you can ask questions using the Q+A tool anytime which we will pick at the end or, if appropriate, during the Webinar3 © Kuppinger Cole 2012

Bridging the Cloud Sign-On Gap– Extend your Enterprise SSO reach to the Cloud Part 1: • Sign-on (and other) challenges in internal IT Presentation by • Reaching out for/to the cloud Sebastian Rohr • Specific issues around hybrid deployments Part 2: • How to „Bridge the Gap“ Presentation by • Tackling sign-on, authorization and governance Matt Berzinski • Extending the reach of internal solutions Part 3: • Additional Questions can be placed using the Discussion GoToWebinar Tool – area „Questions“4 © Kuppinger Cole 2012

What business really wants: Service delivery and Information Security Business just wants the services they and to keep corporate need to do their job information protected adequately (hopefully)5 © Kuppinger Cole 2012

IT Technology & Delivery SW- Platform- as-a-Service Infrastr.- Managed ASP Web Service Hosting Client/Server Web Outsourced Client Server In-house Outsourced MidSize In-house In-house Centralized Mainframe In-house/outsourced 1960 1970 1980 1990 2000 2010 20206 © Kuppinger Cole 2012

Challenges your IT faces todayServing demand with a mix of Cloud and “classic” servicesOffering adaptable Strong AuthenticationSafeguarding Audit Trails in all delivery methodsStaying in Compliance with (multiple) Legislations/RegulationsProviding reliable & authentic Billing/Accounting informationProviding proper means of Access Control to sensitive data7 © Kuppinger Cole 2012

Serving IT demand with a Cloud-MixCloud-Computing One to Many (distributed) – + Multi-DC Application Hardware, Infrastructure Plattform: RTE, DBDistributed, scalable sharedSoftware-as-a-Service Attack Vectors / ThreatsERP, CRM, SCM, Office etc. Datacenter+ Network Control / KnowledgePlatform-as-a-Service One DC of ServiceRTE (i.e. .Net, Java), DatabaseInfrastruct.-as-a-Serv. PoviderHardware, MIPS, MemoryHostingSystems in remote Datacenter CustomerManaged Services dedicated One to OneMaintenance, Configuration Changes DC ofMonitoring & Support + –Remote Monitoring Service 8 © Kuppinger Cole 2012 With kind permission by E. von Faber 8

Offering Strong Authentication Username/Password are all over the place • Hard to remember (the plethora) • Not always secure enough – other methods needed! • Two-factor Auth & Strong Auth often a requirement • Not every internal app can use 2FA/SA natively • Even harder for (multiple) Cloud services • Context-aware Auth often not available (XACML) • „Step-up“ Auth not supported by Cloud Service9 © Kuppinger Cole 2012

Safeguarding Audit Trails Who did • Hard enough to tell in internal apps what? • Keeping track of a Access Rights & Permissions By which • Webservices/WebGUI means? • Fat Client Who • Workflows established?requested it? • Role-model and „need-to-know“ Who • Multi-approver support in work-flowsauthorized it? • Re-Certification of once deployed permissions Get that for your Cloud-Services! At least partially…10 © Kuppinger Cole 2012

Staying in ComplianceWhere do you • National laws & regulationsdo business? • Regional laws & regulations • Healthcare In which • Food/Pharmaceutical verticals? • Financial… Special • Do you need to know where your data is located?Requirements • Do you need to keep your data in your country? How to keep • Safeguarding compliance through central logs track? • Probably establish SIEM with specific filters11 © Kuppinger Cole 2012

Providing usage based invoicingMany internal IT services are paid „by consumption“Number of transactions processedTime spent „using“ the serviceProcessing cycles, bandwidth or memory usedHow to make that available to other departments?12 © Kuppinger Cole 2011

Proper means of Access Control • Needs some legal clarification beforehand Federation • Relatively complex to establish Direct • Not feasible with „real“ Cloud Services integration • Too much technical effort & risk (trust, legal)Web Access • Easier to establish/extendManagement • Easier to „tear down“ and maintain • Quick & easy to extend Enterprise • Good manageability SSO • Often times already proven deployment13 © Kuppinger Cole 2012

Using Hybrid Cloud Deployments Challenges Recommendations May add Complexity  Stay secure from the start May tamper with Security – Create proper process, then – Build on trusted technology Will provide Elasticity – No „experiments“, please! Impacts Networking  If possible, Federate (later) – Discovery – Communication  Extend your enterprise – Latency security architecture & tools – Availability  Remain in control  Maintain Know-How inside14 © Kuppinger Cole 2012

Touch-Points – do NOT re-invent! What you need Where to get it Strong Authentication  Re-use internal Auth + SSO Proper Audit trails  Re-use internal Access Control Accounting/Invoicing  internal Auth + Access Control Governance + Risk Mgmnt.  above + internal GRC + add-in Provisioning  Extend internal IdM tools Access Control  See above, but: do not forget Cloud-PAM! And now let´s see how this could be achieved!15 © Kuppinger Cole 2012

<Insert Picture Here>Bridging the Sign-On Gap to the Cloud

This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.17 Copyright © 2010, Oracle. Proprietary and Confidential

Cloud applications are proliferating • More services being offered in a hosted manner – CRM – Personal Productivity Products – Business Intelligence • Provide many benefits to the organization – No need to procure large and complex infrastructure – No deployment or maintenance costs associated – Provides easy access to information from anywhere18 Copyright © 2010, Oracle. Proprietary and Confidential

Drawbacks of cloud applications • Add another set of credentials for users to maintain • Securing access to those applications – Federation can lead to more legal fees than IT fees • Controlling access to only those who need it – Changing roles – Termination • Auditing access to the application19 Copyright © 2010, Oracle. Proprietary and Confidential

Oracle ESSO Suite Plus Solves Enterprise Access Challenges ESSO Logon Manager ESSO Anywhere Sign-On ESSO Kiosk Manager Sign-on ESSO Provisioning ESSO Password Reset Gateway ESSO Logon Manager ESSO Authentication Manager20 Copyright © 2010, Oracle. Proprietary and Confidential

How to combat this? Increase Security Decrease Productivity – Strong Authentication – Loss of Strong • Site Specific Authentication Device • Not associated with – Forget Passwords business • Another infrastructure – Account Lockouts to maintain – Tougher Passwords24 Copyright © 2010, Oracle. Proprietary and Confidential

ESSO LM Bridges the Sign On Gap • Enforces strong password policies Manage • Optionally can generate random passwords not known by Passwords users • Leverage corporate strong authentication deployment Integrate • Challenge for re-authentication prior to providing credentials Strong Auth to the application • All logon events are audited and associated to an enterprise Ensure user name Compliance • Track all password change events to comply with security • Generate reports showing inactive accounts25 Copyright © 2010, Oracle. Proprietary and Confidential

Controlling User’s Access • More challenging then conventional applications – Hosted applications can be accessed from anywhere – Disabling network ID does not terminate application access • ESSO LM does not allow user’s to reveal passwords • This allows easy removal of access – Disable windows account – Remove SSO password through ESSO Provisioning Gateway27 Copyright © 2010, Oracle. Proprietary and Confidential

ESSO Enables Cloud Apps • Simplify access to hard to connect cloud applications through ESSO • Increase security by maintaining user’s password and extending existing strong authentication • Audit all access to the application for Regulatory Compliance • Enforce all policies from any computer with internet access • Deliver ROI by terminated inactive accounts29 Copyright © 2010, Oracle. Proprietary and Confidential

Why Oracle ESSO Suite? • Established track record – Passlogix Founded in 1996 – Oracle Acquired Passlogix in Oct 2010 – Proven history of success • Market-leading – 10’s of millions of licenses sold – Thousands of enterprise customers – 10,000’s of applications – Customers with millions of employees • Patented technology – Provides fast deployment, quick ROI – 2 US patents and 7 foreign, additional pending31 Copyright © 2010, Oracle. Proprietary and Confidential

Recognized Leadership 2011 ESSO Marketscope RATING Strong Strong Caution Promising Positive Negative Positive ActivIdentity x “Passlogix has some highly functional ESSO Avencis x technology … they often pioneer in the CA Technologies x Evidian x market…” IBM x Ilex x “Passlogix provides an excellent, lightweight, low Imprivata x i-Sprint Innovations x maintenance SSO solution, suitable for deployments Microsoft x of any scale … and it is seen as a “best of breed” NetIQ x Oracle x enterprise SSO product – the general good opinion in which it is held …” As of 20 September 2011 100% of customers would buy it again 100% of customers would recommend it to a peer 100% of customers said Passlogix keeps all promises 71% ranked Passlogix as their Best or 2nd Best Vendor “The company goes around a problem .... It is far different from thinking out of the box. Its refusing to acknowledge that the box exists in the first place.”Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartners analysis of howcertain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendorsplaced in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any 32 Copyright © 2010, Oracle. Proprietary and Confidentialwarranties of merchantability or fitness for a particular purpose. The Magic Quadrant graphic was published by Gartner, Inc., as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report isavailable upon request from Oracle

Oracle ESSO Suite Is Integrated with Oracle IAM • Single Sign-On from Desktop to Web Apps and Cloud OAM ESSO • Single login to access enterprise apps and OAM protected web apps • Integrated with industry OIM ESSO leading provisioning solution • Integrated with Directory Services ESSO ODS • Leverage existing investments in directory servers34 Copyright © 2011, Oracle. All rights reserved

Cost Benefits of Oracle ESSO Suite • Organization with 7000 users • 1 Password Reset per quarter/user • Average helpdesk call $40 140% ROI 12 months Payback period Source: ESSO Buyer’s Guide:, Sep 2011 Link: http://bit.ly/OperantConditioning35 Copyright © 2011, Oracle. All rights reserved

Oracle Provides an Evolved IDM Platform Certify Monitor Authoritati Access Via User Access for Behavior & ve ID with Mobile & Lifecycle In Detect Massive Social Hybrid/Clou Millions of Improper Scale Channels d Users & Access Environmen EntitlementCloud/ s tsMobileExtranet Risk Management AuditEnterprise Administration Authentication Identity Tools Point Solutions Platform Intelligence36 Copyright © 2010, Oracle. Proprietary and Confidential

Oracle Platform Makes All the Difference Oracle IAM Suite Benefits Advantage Increased End-User • Emergency Access • 11% faster48% Cost Savings Productivity Reduced Risk • End-user Self Service • 30% faster • Suspend/revoke/de-provision • 46% faster end user access46% More Responsive Enhanced Agility • Integrate a new app faster with the IAM infrastructure • 64% faster • Integrate a new end user role • 73% faster faster into the solution35% Fewer Audit Deficiencies Enhanced Security and Compliance • Reduces unauthorized access • 14% fewer • Reduces audit deficiencies • 35% fewer Reduced Total Cost • Reduces total cost of IAM • 48% lower initiatives Source: Aberdeen “Analyzing point solutions vs. platform” 201137 Copyright © 2010, Oracle. Proprietary and Confidential

One Company, One Solution, One Stack  Proven vendor • Acquire and retain best of breed technology and talent • Battle-tested for large, mission-critical applications • Referenceable, award-winning customer deployments  Most complete and integrated best-of- breed portfolio • Service-Oriented Security • Interoperable components  Future proof investment • Standards-based and hot pluggable for easy integration • Established deployment best practices • Large implementation ecosystem38 Copyright © 2011, Oracle. Proprietary and Confidential

Get a Jumpstart with Oracle Consulting Services  Thought leaders that provide customers Pre-Install Install Post Install with tightly integrated, • Oracle Identity • ESSO • Oracle Directory comprehensive and Management Quickstart Services & superior services as Deployment • Oracle Identity Identity part of the Oracle Strategy Manager Management brand • Oracle Identity Quickstart Health Checks  Q2FY11 Forrester Management • IDM • ESSO Health Vendor Check Wave report rates Virtualization Transition service Oracle Consulting as Strategy • Directory the leader Services  World’s top experts in Quickstart User Life Cycle Management40 Copyright © 2011, Oracle. Proprietary and Confidential

Join the Oracle IDM Community Twitter twitter.com/OracleIDM Facebook facebook.com/OracleIDM Oracle Identity Management blog blogs.oracle.com/OracleIDM Oracle.com/identity© 2010 Oracle Corporation – Proprietary and Confidential 41

https://blogs.oracle.com	801
http://blogs.oracle.com	57
http://www.5z5.com	4
http://www.bonweb.fr	1
http://www.schuirink.net	1
http://www.hanrss.com	1

Bridging the Cloud Sign-On Gap

by OracleIDM on Feb 09, 2012

Accessibility

Categories

Upload Details

Usage Rights

6 Embeds 865

Statistics

Bridging the Cloud Sign-On Gap — Presentation Transcript