Bridging the Cloud Sign-On Gap

Speaker notes
  • One of the benefits of cloud applications is that they give employees access from anywhere. Employees can reach applications just as easily from the office, behind the firewall, as from home, a hotel or a coffee shop outside the firewall, and so remain productive wherever they are.
  • However, as access to the applications increases, so does the risk of attack: any would-be attacker can reach the application just as the employee can. To compound the problem, most cloud applications use a standard logon-ID convention for all their customers, whether an e-mail address or first initial plus last name, so it is not hard to determine the logon ID and then start attacking the password. Your critical data is thereby exposed to anyone with internet access.
  • The knee-jerk reaction is to increase security, either by tightening password policy (stronger, longer passwords that change more frequently) or by deploying a strong-authentication solution provided by the cloud application. This comes at a cost in productivity: users lose the strong-authentication device, or forget their passwords, which leads to account lockouts and blocks access to data.
  • Some events require terminating a user's access to applications, most often the termination of the employee. For internally hosted applications this is easy: remove the employee's network access and building badge and they can no longer reach the information in the applications. With hosted applications it becomes a problem, because they are reachable from anywhere; what stops the former employee from accessing a valuable company asset and pulling down all the data?
    With ESSO Logon Manager controlling the user's password, the existing process of terminating the network ID still works: without access to ESSO, the user can no longer obtain the credential and so can no longer reach the data in the cloud. When a user moves from one role or organization to another, instead of adjusting the ID on the cloud application, a simple request to ESSO Provisioning Gateway to remove the credentials from ESSO takes away the user's ability to access the data. Both processes are handled internally, fit easily into current practices and guarantee that access is terminated, rather than hoping that someone went to the external site to modify the logon credential.
  • ESSO Anywhere is the only enterprise single sign-on solution that addresses this use case. Once users authenticate to their corporate directory, ESSO Anywhere gives them access to the single sign-on solution, and thus to their secured credentials, from any location. After authentication the LM Agent is downloaded and configured on the user's machine; this works on any machine, since administrative rights are not needed. Once the agent is configured, the user's credentials are downloaded and available, and as the user launches cloud applications the LM Agent injects credentials just as it would on the corporate network. All logon events are audited and the records retained to support your compliance stance. When the user is done with SSO and disconnects from the corporate directory, the LM Agent can be configured to remove itself and the credentials from the local machine.
  • Pre-integration of OAAM, OAM and OIM for self-service password management and secure login flows. Easily add needed security to vulnerable flows such as password reset. Benefits over OIM + OAM alone:
    – KBA (Knowledge Based Authentication)
    – Large OOTB question library
    – Question management: edit, create, delete
    – Localization: 26 languages
    – Controls to balance usability with security: registration logic, validations, question set, tune categories to user population, balance complexity, answer logic
    – Increase usability: fewer service calls
  • The slide shows identity management requirements at different levels of sophistication. At the foundation we have to know who's who across all of our applications. Providing secure authentication is next; typically this is user name and password, or strong authentication. Slightly more sophisticated is administration, because it has to be flexible enough to handle all the nuances of moves, adds and changes. Compliance reporting is next on the ladder, because it requires intelligence about segregation of duties (SoD). At the highest level is understanding risk: understanding patterns of behavior so we can step up authentication and authorization, and understanding which access may be risky during a certification review. Finally, it has to scale to address the opportunity.
    At the identity level this means massive scale in the number of users, because we have to manage not only our enterprise users but also our subscribers and customers. NOTE: China Mobile has over 600 million subscribers; Vodafone, headquartered in the UK, has about 341 million. If we want to take advantage of opportunities in China we have to more than double our scale. Or imagine you are AT&T with 100 million subscribers, you merge with T-Mobile at 34 million subscribers, and you have to integrate.
    At the authentication level the scale is also increasing because of mobile use and social networking. By social networking I mean services that let users authenticate to applications or data resources with their social-networking login. Interesting stat: if Facebook were a country it would be the third largest, with double the population of the US. At the mobile level many customers are building internal application stores to provide applications to their employees, and have to provide single sign-on across those applications.
    The administration has to scale to the cloud. To take advantage of the cloud, organizations have to bridge the gap between security in the enterprise and security in the cloud. This means delegated administration and managing moves, adds and changes directly in the cloud.
    The audit has to scale. Many customers have done their initial projects on certification review but now need to scale the process to more applications; the volume of entitlements is only increasing. Identity management has to evolve to provide
  • Aberdeen Research recently published a brief comparing the benefits of a platform approach with a point-solution approach. Many organizations use an IAM suite to meet their identity and access management requirements; that is the platform approach. Other organizations use a collection of best-of-breed solutions from multiple vendors; that is the point-solution approach. Aberdeen interviewed more than 100 customers for the report, and its findings were interesting: a platform-based approach to IAM resulted in cost savings of 48% over a comparable point-solution approach. In effect, an IAM platform can help organizations that use a collection of point solutions recover their investment with a positive ROI. The paper is available for download at oracle.com/identity.


  • 1. Kuppinger Cole Webinar: Bridging the Cloud Sign-On Gap. Sebastian Rohr, Kuppinger Cole (sr@kuppingercole.com); Matt Berzinski, Oracle (matthew.berzinski@oracle.com). February 9th, 2012. This Webinar is supported by
  • 2. 500+ delegates • 50+ partners and exhibitors • 4 session tracks • 100+ speakers • Call for Speakers: http://www.id-conf.com/events/eic2012/callforspeakers • Propose your project for the European Identity Awards: http://www.id-conf.com/events/eic2012/award • Become an Event Partner: bb@kuppingercole.com. Educate. Innovate. Connect. © Kuppinger Cole 2012
  • 3. Some guidelines for the Webinar: You are muted centrally; you don't have to mute/unmute yourself, we control the mute/unmute features. We will record the Webinar; the podcast recording will be available tomorrow. Q+A will be at the end; you can ask questions using the Q+A tool at any time, and we will pick them up at the end or, if appropriate, during the Webinar.
  • 4. Bridging the Cloud Sign-On Gap: Extend your Enterprise SSO reach to the Cloud
    Part 1 (presentation by Sebastian Rohr): • Sign-on (and other) challenges in internal IT • Reaching out for/to the cloud • Specific issues around hybrid deployments
    Part 2 (presentation by Matt Berzinski): • How to "Bridge the Gap" • Tackling sign-on, authorization and governance • Extending the reach of internal solutions
    Part 3: • Additional questions can be placed using the GoToWebinar Discussion tool, area "Questions"
  • 5. What business really wants: service delivery and information security. Business just wants the services they need to do their job, and to keep corporate information protected adequately (hopefully).
  • 6. IT Technology & Delivery (timeline graphic, 1960 to 2020): centralized mainframe (in-house/outsourced), mid-size systems (in-house), client/server (in-house, outsourced), web (in-house, hosting, outsourced), ASP, managed service and web service, then Infrastructure-, Platform- and Software-as-a-Service.
  • 7. Challenges your IT faces today: • Serving demand with a mix of Cloud and "classic" services • Offering adaptable Strong Authentication • Safeguarding Audit Trails in all delivery methods • Staying in Compliance with (multiple) Legislations/Regulations • Providing reliable & authentic Billing/Accounting information • Providing proper means of Access Control to sensitive data
  • 8. Serving IT demand with a Cloud-Mix (diagram, with kind permission by E. von Faber). Delivery models from one-to-many, distributed and shared, to one-to-one and dedicated: Cloud Computing (multi-DC; application, platform and infrastructure shared); Software-as-a-Service (ERP, CRM, SCM, Office etc.); Platform-as-a-Service (RTE such as .Net or Java, database); Infrastructure-as-a-Service (hardware, MIPS, memory); Hosting (systems in the provider's remote datacenter); Managed Services (maintenance, configuration changes, monitoring & support); Remote Monitoring (customer's own DC). The diagram's two axes are attack vectors/threats and control of and knowledge about the service.
  • 9. Offering Strong Authentication. Username/password are all over the place: • Hard to remember (the plethora) • Not always secure enough; other methods needed! • Two-factor Auth & Strong Auth often a requirement • Not every internal app can use 2FA/SA natively • Even harder for (multiple) Cloud services • Context-aware Auth often not available (XACML) • "Step-up" Auth not supported by Cloud Service
  • 10. Safeguarding Audit Trails. Who did what? By which means? Who requested it? Who authorized it?
    • Hard enough to tell in internal apps
    • Keeping track of Access Rights & Permissions
    • Webservices/WebGUI
    • Fat Client
    • Workflows established?
    • Role-model and "need-to-know"
    • Multi-approver support in work-flows
    • Re-Certification of once deployed permissions
    Get that for your Cloud-Services! At least partially…
  • 11. Staying in Compliance
    Where do you do business? • National laws & regulations • Regional laws & regulations
    In which verticals? • Healthcare • Food/Pharmaceutical • Financial…
    Special requirements: • Do you need to know where your data is located? • Do you need to keep your data in your country?
    How to keep track? • Safeguarding compliance through central logs • Probably establish SIEM with specific filters
  • 12. Providing usage-based invoicing. Many internal IT services are paid "by consumption": number of transactions processed; time spent "using" the service; processing cycles, bandwidth or memory used. How to make that available to other departments?
  • 13. Proper means of Access Control
    Federation: • Needs some legal clarification beforehand • Relatively complex to establish
    Direct integration: • Not feasible with "real" Cloud Services • Too much technical effort & risk (trust, legal)
    Web Access Management: • Easier to establish/extend • Easier to "tear down" and maintain
    Enterprise SSO: • Quick & easy to extend • Good manageability • Often times already proven deployment
  • 14. Using Hybrid Cloud Deployments
    Challenges: • May add Complexity • May tamper with Security • Will provide Elasticity • Impacts Networking (Discovery, Communication, Latency, Availability)
    Recommendations: • Stay secure from the start: create proper process, then build on trusted technology; no "experiments", please! • If possible, Federate (later) • Extend your enterprise security architecture & tools • Remain in control • Maintain Know-How inside
  • 15. Touch-Points: do NOT re-invent! What you need, and where to get it:
    • Strong Authentication: re-use internal Auth + SSO
    • Proper Audit trails: re-use internal Access Control
    • Accounting/Invoicing: internal Auth + Access Control
    • Governance + Risk Mgmnt.: above + internal GRC + add-in
    • Provisioning: extend internal IdM tools
    • Access Control: see above, but do not forget Cloud-PAM!
    And now let's see how this could be achieved!
  • 16. Bridging the Sign-On Gap to the Cloud
  • 17. This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates. Copyright © 2010, Oracle. Proprietary and Confidential
  • 18. Cloud applications are proliferating • More services being offered in a hosted manner: CRM; personal productivity products; business intelligence • Provide many benefits to the organization: no need to procure large and complex infrastructure; no deployment or maintenance costs; easy access to information from anywhere
  • 19. Drawbacks of cloud applications • Add another set of credentials for users to maintain • Securing access to those applications (federation can lead to more legal fees than IT fees) • Controlling access to only those who need it (changing roles, termination) • Auditing access to the application
  • 20. Oracle ESSO Suite Plus solves enterprise access challenges (component diagram): ESSO Logon Manager, ESSO Anywhere, ESSO Kiosk Manager, ESSO Provisioning Gateway, ESSO Password Reset, ESSO Authentication Manager
  • 21. ESSO Logon Manager Overview
  • 22. Access the cloud anytime, from anywhere (diagram: Cloud Application)
  • 23. Provides a security challenge (diagram: Cloud Application)
  • 24. How to combat this?
    Increase Security: • Strong Authentication (site specific; not associated with business; another infrastructure to maintain) • Tougher Passwords
    Decrease Productivity: • Loss of Strong Authentication Device • Forget Passwords • Account Lockouts
  • 25. ESSO LM bridges the sign-on gap
    Manage Passwords: • Enforces strong password policies • Optionally can generate random passwords not known by users
    Integrate Strong Auth: • Leverage corporate strong authentication deployment • Challenge for re-authentication prior to providing credentials to the application
    Ensure Compliance: • All logon events are audited and associated to an enterprise user name • Track all password change events to comply with security policy • Generate reports showing inactive accounts
  • 26. ESSO creates strong passwords. Randomly generated passwords look like this:
  • 27. Controlling users' access • More challenging than conventional applications: hosted applications can be accessed from anywhere; disabling the network ID does not terminate application access • ESSO LM does not allow users to reveal passwords • This allows easy removal of access: disable the Windows account; remove the SSO password through ESSO Provisioning Gateway
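The mechanism behind slides 25 to 27 and the speaker notes is a combination of two things: the cloud password is a policy-compliant random value the user never sees, and the agent hands it out only while the internal directory account is enabled and the credential is still in the store, auditing every attempt. The following is an added example in Python written for this page, not Oracle's ESSO code or API. CloudApp, CredentialVault, the policy values, the login IDs and the user names are assumptions, and the cloud application, vault and agent are modelled in-process so it runs offline.

```python
import secrets
import string
from dataclasses import dataclass, field

# Hypothetical cloud-app password policy (assumed values, not from the deck):
# 16 characters with at least one upper, lower, digit and symbol.
POLICY = {"length": 16, "upper": 1, "lower": 1, "digit": 1, "symbol": 1}
SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_policy(pw: str, policy: dict = POLICY) -> bool:
    """Check one password against the character-class policy."""
    return (len(pw) >= policy["length"]
            and sum(c.isupper() for c in pw) >= policy["upper"]
            and sum(c.islower() for c in pw) >= policy["lower"]
            and sum(c.isdigit() for c in pw) >= policy["digit"]
            and sum(c in SYMBOLS for c in pw) >= policy["symbol"])


def generate_password(policy: dict = POLICY) -> str:
    """Draw from the OS CSPRNG and reject until the policy holds; rejection
    sampling keeps the result uniform over all policy-compliant strings."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(policy["length"]))
        if meets_policy(pw, policy):
            return pw


@dataclass
class CloudApp:
    """Stand-in for the hosted application: it knows only login id + password."""
    name: str
    passwords: dict = field(default_factory=dict)

    def set_password(self, login_id: str, pw: str) -> None:
        self.passwords[login_id] = pw

    def login(self, login_id: str, pw: str) -> bool:
        # constant-time compare, so a direct guess learns nothing from timing
        return secrets.compare_digest(self.passwords.get(login_id, ""), pw)


@dataclass
class CredentialVault:
    """Stand-in for the ESSO credential store plus the LM agent's logic."""
    directory: dict                              # enterprise user -> enabled?
    store: dict = field(default_factory=dict)    # (user, app) -> (login id, pw)
    audit: list = field(default_factory=list)    # (event, user, app)

    def enroll(self, user: str, app: CloudApp, login_id: str) -> None:
        """Rotate the cloud password to a random value the user never sees."""
        pw = generate_password()
        app.set_password(login_id, pw)
        self.store[(user, app.name)] = (login_id, pw)
        self.audit.append(("password-change", user, app.name))

    def sign_on(self, user: str, app: CloudApp) -> bool:
        """Agent path: directory check, fetch credential, inject, audit."""
        if not self.directory.get(user, False):
            self.audit.append(("denied-directory-disabled", user, app.name))
            return False
        cred = self.store.get((user, app.name))
        if cred is None:
            self.audit.append(("denied-credential-removed", user, app.name))
            return False
        ok = app.login(*cred)
        self.audit.append(("logon" if ok else "logon-failed", user, app.name))
        return ok

    def remove_credential(self, user: str, app: CloudApp) -> None:
        """Role change: Provisioning Gateway pulls the credential from the vault."""
        self.store.pop((user, app.name), None)
        self.audit.append(("credential-removed", user, app.name))


def termination_scenario() -> dict:
    """Constructed scenario: two users and the two revocation paths."""
    crm = CloudApp("crm")
    vault = CredentialVault(directory={"alice": True, "bob": True})
    vault.enroll("alice", crm, "alice@example.com")   # constructed login ids
    vault.enroll("bob", crm, "bob@example.com")
    result = {"alice_before": vault.sign_on("alice", crm)}
    # Termination: only the internal directory account is disabled.
    vault.directory["alice"] = False
    result["alice_after"] = vault.sign_on("alice", crm)
    # Direct attempt without the agent: Alice knows her login id, not the password.
    result["alice_direct_guess"] = crm.login("alice@example.com", "Summer2012!")
    # Role change: the credential is pulled from the vault, directory untouched.
    vault.remove_credential("bob", crm)
    result["bob_after"] = vault.sign_on("bob", crm)
    result["audit"] = [event for event, _, _ in vault.audit]
    return result
```

Two points a practitioner should check in a real deployment. First, revoking the vault credential or the directory account stops new sign-ons, but it does not end sessions the cloud application has already issued; those live until the provider's session timeout or an explicit logout, so the termination runbook still needs a session-kill or password rotation at the provider for high-value accounts. Second, the vault audit trail sees only agent-mediated logons; a direct attempt against the provider's login page, like the guess in the scenario, shows up only in the provider's own logs, which is why the deck's compliance argument depends on users not knowing the password at all.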
  • 28. ESSO from Anywhere (diagram: Remote PC with ESSO-LM Agent, Cloud Applications)
  • 29. ESSO enables cloud apps • Simplify access to hard-to-connect cloud applications through ESSO • Increase security by maintaining the user's password and extending existing strong authentication • Audit all access to the application for regulatory compliance • Enforce all policies from any computer with internet access • Deliver ROI by terminating inactive accounts
  • 30. Why Oracle ESSO Suite? • Established track record: Passlogix founded in 1996; Oracle acquired Passlogix in Oct 2010; proven history of success • Market-leading: tens of millions of licenses sold; thousands of enterprise customers; tens of thousands of applications; customers with millions of employees • Patented technology: provides fast deployment, quick ROI; 2 US patents and 7 foreign, additional pending
  • 31. Recognized Leadership: 2011 ESSO MarketScope, as of 20 September 2011. Rating scale: Strong Negative, Caution, Promising, Positive, Strong Positive. Vendors rated: ActivIdentity, Avencis, CA Technologies, Evidian, IBM, Ilex, Imprivata, i-Sprint Innovations, Microsoft, NetIQ, Oracle. Quotes: "Passlogix has some highly functional ESSO technology … they often pioneer in the market…" "Passlogix provides an excellent, lightweight, low maintenance SSO solution, suitable for deployments of any scale … and it is seen as a "best of breed" enterprise SSO product – the general good opinion in which it is held …" 100% of customers would buy it again; 100% of customers would recommend it to a peer; 100% of customers said Passlogix keeps all promises; 71% ranked Passlogix as their best or 2nd-best vendor. "The company goes around a problem .... It is far different from thinking out of the box. It's refusing to acknowledge that the box exists in the first place."
    Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. The Magic Quadrant graphic was published by Gartner, Inc., as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Oracle.
  • 32. Deployed by leading customers (logos): Financial; Healthcare / Pharmaceuticals; Energy; Government
  • 33. Oracle ESSO Suite is integrated with Oracle IAM • OAM + ESSO: single sign-on from desktop to web apps and cloud; single login to access enterprise apps and OAM-protected web apps • OIM + ESSO: integrated with industry-leading provisioning solution • ODS + ESSO: integrated with Directory Services; leverage existing investments in directory servers
  • 34. Cost benefits of Oracle ESSO Suite • Organization with 7000 users • 1 password reset per quarter per user • Average helpdesk call $40 • 140% ROI • 12-month payback period. Source: ESSO Buyer's Guide, Sep 2011; link: http://bit.ly/OperantConditioning
  • 35. Oracle provides an evolved IDM platform (diagram). Layers, from foundation to top: Identity (authoritative ID with massive scale), Authentication (access via mobile & social channels), Administration (user lifecycle in hybrid/cloud environments), Audit (certify access for millions of users & entitlements), Risk Management (monitor behavior & detect improper access). Reach: Enterprise, Extranet, Mobile, Cloud. Maturity: Tools, Point Solutions, Platform, Intelligence.
  • 36. Oracle Platform Makes All the Difference. Oracle IAM Suite benefits and advantage (source: Aberdeen, "Analyzing point solutions vs. platform", 2011): 48% cost savings; 46% more responsive; 35% fewer audit deficiencies.
    • Increased End-User Productivity: Emergency Access 11% faster; End-user Self Service 30% faster
    • Reduced Risk: Suspend/revoke/de-provision end user access 46% faster
    • Enhanced Agility: Integrate a new app with the IAM infrastructure 64% faster; Integrate a new end user role into the solution 73% faster
    • Enhanced Security and Compliance: Unauthorized access 14% fewer; Audit deficiencies 35% fewer
    • Reduced Total Cost: Total cost of IAM initiatives 48% lower
  • 37. One Company, One Solution, One Stack • Proven vendor: acquire and retain best-of-breed technology and talent; battle-tested for large, mission-critical applications; referenceable, award-winning customer deployments • Most complete and integrated best-of-breed portfolio: Service-Oriented Security; interoperable components • Future-proof investment: standards-based and hot-pluggable for easy integration; established deployment best practices; large implementation ecosystem
  • 38. Learn More
  • 39. Get a jumpstart with Oracle Consulting Services. Thought leaders that provide customers with tightly integrated, comprehensive and superior services as part of the Oracle brand; the Q2FY11 Forrester Vendor Wave report rates Oracle Consulting as the leader; world's top experts in user life cycle management.
    • Pre-Install: Oracle Identity Management Deployment Strategy; Oracle Identity Management Virtualization Strategy
    • Install: ESSO Quickstart; Oracle Identity Manager Quickstart; IDM Transition service; Directory Services Quickstart
    • Post Install: Oracle Directory Services & Identity Management Health Checks; ESSO Health Check
  • 40. Join the Oracle IDM Community: Twitter twitter.com/OracleIDM; Facebook facebook.com/OracleIDM; Oracle Identity Management blog blogs.oracle.com/OracleIDM; Oracle.com/identity
  • 41. Q&A