Events include: Last Attestation History, Open Audit Violations and Provisioning Method. The resources the user has access to, the entitlement privileges, and the way access was granted or the user was assigned to a role all contribute to a user’s risk profile. The Identity Warehouse aggregates this information from across all resources and builds the user’s risk profile. To take the subjectiveness out of it, instead of being assigned a risk number, users are bucketed into Low Risk, Med Risk and High Risk, making risk aggregation objective and intuitive. Since the reviewers’ focus should rightfully be on high and med risk profiles rather than the low risk ones, you can use the risk aggregation to build checks and balances for your med and high risk profiles and do a Cert360 on those users to completely assess their entitlement profiles, while low risk users can even be bulk certified using an automated, intuitive web interface. Risk analytics really takes advantage of the new interface, where your reviewers can now focus on "what matters most" and quickly access users, roles, accounts, etc. with ease.
Identity Administration helps solve the provisioning/de-provisioning challenge and many other common issues. Let’s take a look at how this works. Oracle Identity Manager automates all aspects of administering user identities. Its key capabilities can be broadly broken down into 3 buckets.

It automates provisioning and de-provisioning of users. Typically when an employee joins the company, they are entered into the HR system. OIM can automatically detect this addition/change and kick off a workflow process for provisioning them with access to the systems they would need. After receiving the necessary approvals, OIM automatically creates accounts for this user in all the relevant applications. Similarly, when an employee departs, since OIM knows everything she has access to, it can quickly revoke access from all systems. Additionally, as folks change roles they are automatically de-provisioned from systems they no longer need, and added to new ones relevant to their new role. This ensures that users do not “collect” privileges over time, another common security vulnerability. Another immediate benefit organizations realize as soon as they implement OIM is that they’re quickly able to identify and remediate orphaned accounts: live accounts whose owners are no longer with the organization.

OIM also provides much improved visibility across enterprise-wide security controls and can quickly produce reports such as “who has access to what”. As we’ll discuss later, this also greatly eases the cost of compliance.

Finally, another great source of cost savings is end user self-service. Users can use a web interface to reset forgotten passwords, request new accounts and more, thus eliminating a significant volume of help-desk calls.
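The reconciliation described above, as an added example that is not Oracle's code and does not use any OIM API: it compares an HR feed against application accounts to flag orphaned accounts and entitlements left over from a previous role. All employee ids, roles, account names and entitlement strings are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical ids, roles and entitlements).
HR_RECORDS = {
    "e100": {"status": "active", "role": "nurse"},
    "e101": {"status": "terminated", "role": "billing_clerk"},
    "e102": {"status": "active", "role": "billing_clerk"},  # moved from nurse
}
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr:read", "ehr:write_vitals"},
    "billing_clerk": {"billing:read", "billing:post"},
}
# (application, account, owner employee id or None, granted entitlements)
ACCOUNTS = [
    ("ehr", "jdoe", "e100", {"ehr:read", "ehr:write_vitals"}),
    ("billing", "asmith", "e101", {"billing:read"}),
    ("ehr", "bwong", "e102", {"ehr:read", "ehr:write_vitals"}),
    ("billing", "bwong", "e102", {"billing:read", "billing:post"}),
    ("ehr", "svc_old", None, {"ehr:read"}),
]

@dataclass(frozen=True)
class Finding:
    kind: str         # "orphaned" or "excess"
    application: str
    account: str
    detail: str

def reconcile(hr, role_entitlements, accounts):
    """Flag live accounts with no active owner and grants outside the owner's role."""
    findings = []
    for app, account, owner, granted in accounts:
        person = hr.get(owner) if owner else None
        if person is None:
            findings.append(Finding("orphaned", app, account, "no owner in HR"))
        elif person["status"] != "active":
            detail = f"owner {owner} is {person['status']}"
            findings.append(Finding("orphaned", app, account, detail))
        else:
            # Privileges "collected" over time: granted but not in the current role.
            excess = granted - role_entitlements.get(person["role"], set())
            if excess:
                findings.append(Finding("excess", app, account, ",".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_RECORDS, ROLE_ENTITLEMENTS, ACCOUNTS):
        print(finding)
```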
Access Certification or attestation is a key part of Sarbanes-Oxley compliance and a highly recommended security best practice. Oracle Identity Analytics offers a best-in-class attestation feature that can be deployed quickly to enable an enterprise-wide attestation process that features automated report generation, delivery and notification. Attestation reviewers can review fine-grained access reports within an interactive user interface that supports fine-grained certify, reject, decline, and delegate actions. All report data and reviewers’ actions are captured for future auditing needs. Reviewer actions can optionally trigger corrective action using Oracle Identity Manager’s workflow engine. The new OIA attestation UI is quite dynamic. Like the iPad, there really is no wrong way of holding it. You can sort and filter and view users and their access the way you want to, but always go back to that "original" view.
Complementary functionalities must be harnessed to achieve true end-to-end enterprise-class security. Oracle has the most complete identity and access management offering in the industry because we are executing on a complete vision of security. Oracle Identity Management is a comprehensive offering of several best-of-breed products. Oracle IdM is the most complete and integrated IdM suite in the industry today. It is hot-pluggable and supports most leading third-party platforms and applications. It is built on a unique architectural approach called Service Oriented Security, which enables security to be externalized from applications and centralized using a standards-based IdM framework. At Oracle, we like to think of IdM as being composed of some distinct functional areas. We have Identity Administration, which is all about user provisioning and role lifecycle management. Oracle Identity Manager - our two flagship product in the Id Admin space. Then we have Access Management, which is all about access control: authentication, authorization, single sign-on and federation. In addition, Oracle also offers next-gen access management technologies for risk-based access control, for fine-grained authorization, for web services security and information rights management for securing sensitive, unstructured business information. We also have Directory Services for centralizing and consolidating user identities. With Oracle Identity Analytics and the new Oracle Security Governor, we now offer comprehensive Identity & Access Governance. Of course, OPSS is the security foundation across all of Middleware and Fusion apps.
Healthcare it consolidated
Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics

Agenda
• Panel Discussion
• Challenges and Implementation Overview
• The Solution Behind the Implementation
• Q&A

Panel Discussion
• Jason W. Zellmer, Director, Strategy and Information Management Services, Kaiser Permanente Information Security
• Rex Thexton, Managing Director, Advisory, PricewaterhouseCoopers
• Viresh Garg, Director, Oracle Identity Management

PwC Health Information Privacy & Security (HIPS) & Oracle Security Practice Overview

PwC Healthcare Information Privacy & Security (HIPS) Service offerings

PwC - Oracle Security Overview
Our practice has years of experience in Security and Identity & Access Management with over 1000 professionals in NA.
• PwC is the leading Oracle IdM partner for five consecutive years
• PwC has completed over 150 implementations over the last 4 years
• PwC is the only Oracle partner to be a four time Titan Award winner
• PwC has conducted more 11g implementations than any other Oracle partner
• PwC has been nominated to Oracle’s Deputy CTO program since its inception
• PwC is involved in a significant % of all large Security Deals at Oracle
• PwC is the only Diamond Partner with advanced specialization area in identity

Kaiser Implementation Overview
Kaiser Permanente’s Goals
• Resolve significant deficiencies identified by internal audit for access management controls across the enterprise
• Develop sustainable and cost effective compliance processes through the automation of access management and recertification
• Standardize on a new IAM product suite (Oracle – OIA/OIM) and retire the legacy IAM technology stack (IBM Tivoli)
• Collapse existing IAM functions (help desks, security admins) within the regional business units by expanding the footprint of centralized IAM services
• Implement self-service functionality to enable business users and reduce administrative burden for care delivery staff (doctors, nurses, etc.)
• Objectives to span across:
  • 7 major business units
  • 150+ SOX applications
  • 1300+ HIPAA applications

Kaiser Identity Management
Identity Administration Overview at KP (Current State)
• Access Review by Applications
• Access Review performed by line managers - view users’ access specific to one application.
Key Pain Points:
• Lack of Holistic View
• Absence of automated remediation and remediation validation mechanisms.
• Inability to perform role certification.
Identity Administration Overview at KP (Future State)
KP-OIM
• Authoritative Source for Identities
• Automated Roles based provisioning
• Identity Synchronization
KP-OIA
• Authoritative Source for Roles
• Role Life-cycle Management
• Advanced Role Certification Capability
[Diagram: Role Life-cycle Management (Define, Refine, Verify); Identity Life-cycle Management (New Users, Users Change, Users Leave); Events]
Old data learns new tricks: Managing patient privacy and security on a new data-sharing playground
Published: Fall 2011
Data is quickly becoming one of the health industry’s most treasured commodities. Yet, health organizations are acutely aware that sensitive data can be easily compromised. In just the last year and a half, a breach of personal health information occurred, on average, every other day. Breaches erode productivity and patient trust. They’re costly, unpredictable, and unfortunately quite common. More than half of healthcare organizations surveyed by PwC have had at least one privacy/security-related issue in the last two years.
Download this report from PwC at www.PwC.com/us/HITprivacysecurity
Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics
Viresh Garg, Director, Identity Management, Oracle

This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

Healthcare Challenges Are Unique, Acute
[Diagram labels: HITECH, Sarbanes-Oxley, HIPAA, EHR Access, IT/Helpdesk Costs, Staff Productivity, Meaningful Use, VIP Cases, Patient Care SLA, Secure Access Control, Sustainable Compliance Practices]

Building User’s Risk Profile
[Diagram: Identity Data Sources (Applications, DB, Mainframe) feed the Identity Warehouse (Resources, Identities, Entitlements, Roles, Events); Risk Assignment; Risk Aggregation into Low Risk, Med Risk, High Risk; Auto Certify; Cert360 (Approve, Reject)]

Closed-Loop Feedback
[Diagram: User On-boarding, User Access Change, User Off-board, SOD Checking, Aggregate Risk Score]
• IT and Business Roles
• SOD Checks
  • Preventative
  • Remedial
• Risk Feedback
  • User Administration
  • Access Certifications

Automating User Administration
[Diagram: Oracle Identity Manager; Employee, HR System, Workflow, Applications, Systems; GRANT / REVOKE]
• Automate Roles Based Provisioning / Deprovisioning
• Identify orphaned accounts and take remedial action
• Self-service requests including password management
• Provide risk feedback and audit trail for compliance reporting in Identity Analytics

Automating Compliance Certification
1. Set Up Periodic Review: What Is Reviewed? Who Reviews It? Start When? How Often?
2. Reviewer Is Notified, Goes to Self Service: Reviewer Selections are Certify, Reject, Decline, Delegate
3. Automated Action is taken based on Periodic Review: Email Result to User; Automatically Terminate User; Notify the Process Owner; Notify Delegated Reviewer
4. Report Built And Results Stored in DB: Archive of Attested Data, Attestation Actions, Comments, Delegation Paths
Oracle Identity Management Solution Set
Complete, Innovative and Integrated

Platform Reduces Cost vs. Point Solutions
• 48% Cost Savings
• 46% More Responsive
• 35% Fewer Audit Deficiencies
Source: Aberdeen “Analyzing point solutions vs. platform” 2011

Summary
• Boost Security & Compliance
  • Enforce and prove compliance, prevent privilege abuse with Identity Analytics
  • Improve patient care SLA, curb unauthorized access, reduce costs with Identity Manager tied to Identity Analytics
  • Boost user productivity by 80%
• For More Information
  • Contact: Richard.Caldwell@oracle.com
  • Call him: 1-781-565-1779
  • www.oracle.com/identity
  • Blogs.oracle.com/OracleIDM

Q&A
• Jason W. Zellmer, Director, Strategy and Information Management Services, Kaiser Permanente Information Security
• Rex Thexton, Managing Director, Advisory, PricewaterhouseCoopers
• Viresh Garg, Director, Oracle Identity Management