SANS Institute Product Review of Oracle Identity Manager
  • Question for Phil: Welcome Phil. Can you tell us about your role? Question for Patrick: Welcome Patrick. Tell us about your role and how you got started with Identity Management?
  • Phil - Tell us a little bit about SuperValu and the scope of operations in North America?
  • Questions for Phil: What was the environment and infrastructure like when you started? What were the chief business drivers for SuperValu’s Identity Management deployment?
  • Let's discuss Learning Experiences. Questions for Phil: 1. From your perspective, when starting with provisioning what area of the enterprise would you start? 2. What advice would you give to architects getting started with provisioning and Identity Management?
  • Familiar, OOB Access Request with user friendly glossary. Sophisticated, standards based approval workflows. Business Manager has risk based guidance, friendly interfaces and closed loop to address issues. Standard and Priv. Flexible Administrative interfaces: drag and drop Admin for Delegation. If you must customize; durable customization
  • Join The Community
  • Transcript

    • 1. User Provisioning and Compliance: SANS Institute Product Review of Oracle Identity Manager
        Dave Shackleford, Senior Instructor and Analyst, SANS
        Phillip Black, Director of Identity & Access Management, SuperValu
        Patrick Abreo, Principal Security Architect, SuperValu
        Viresh Garg, Director of Product Management, Oracle
        © 2012 The SANS™ Institute - www.sans.org
    • 2. Agenda
        • User Provisioning Challenges
        • Overview of User Provisioning with Oracle Identity Manager
        • Use Case Review
        • Customer Perspectives: SuperValu
        • Oracle Identity Manager 11gR2 Summary
        • Q&A
    • 3. Self-Service Provisioning Made Simple: A Review of Oracle Identity Manager 11g R2
        Dave Shackleford, for SANS and Voodoo Security
    • 4. Why Provisioning is Important
        • Attackers are focusing on users like never before
            – Social engineering attacks + extensive privileges = breaches
        • Self-service provisioning aims to help with this
            – Often part of a larger IAM suite
        • Insider Threats
        • Compliance
        • The downside? Self-provisioning tools have traditionally been complex
            – Business users driving more simplicity
    • 5. Oracle Identity Manager 11g R2 Review
        • The focus of the review included:
            – Personalization and customization of the User Interface (UI)
            – Provisioning entitlements based on use cases and user profiles of varying complexity
            – Creating self-service permissions and workflow to legacy systems and applications
            – A workflow use case involving an asset request with multiple parties needed to identify and approve the request
            – Provisioning to a mobile device
        • These use cases were important due to their real-world relevance and key functionality areas
    • 6. Overall Impression
        • Oracle Identity Manager (OIM) 11g R2 reduced complexities normally associated with IAM self-service tools
            – Automated workflow
            – Provisions to legacy apps without new coding, connectors or XML
        • Use cases and interfaces are business friendly and incorporate features we already know, like shopping carts
        • There are many features, not all of which were explored
    • 7. Task 1: UI Personalization
        Specific task/information “portlets” added to the UI
    • 8. Task 1.1: UI Customization
        • Customization included specific saved search queries, logo addition, and use of UI “sandboxes”
            – Customization for business look and feel
            – Customized company or business unit features automatically show up on customer interfaces
            – Sandboxes allow testing of UI changes
    • 9. Task 2: Self-Service Application Provisioning
        • The scenario: An employee needs access to a timecard application
        • Based on a user’s ID and group, with specific assigned privileges, they can search for the app
    • 10. Task 2: Self-Service Application Provisioning
        • The employee uses the familiar “shopping cart” to request the app and kick off a workflow for approval
        • The manager is then notified and can approve the request through portal
    • 11. Task 2: Self-Service Application Provisioning
        After approval, the employee’s entitlement is approved, and the Timecard application is available
    • 12. Task 2: More complex entitlements
    • 13. Task 3: Legacy Application Provisioning
        • Some apps won’t have APIs, or won’t be easily integrated for provisioning
        • We call these apps “disconnected” and use a custom form to provision
    • 14. Task 3: Legacy Application Provisioning
        • Custom form manages access to app
    • 15. Task 3: Legacy Application Provisioning
        A user request using the new form
    • 16. Task 3: Manual Tasks for Provisioning
        • Finally, the manager in the workflow needs to approve the request
            – One manual task for adding the user is performed, and the workflow continues
    • 17. Task 4: Asset Request with Multiple Approvers
        • User needs a new corporate-issued mobile device
    • 18. Task 4: Asset Request with Multiple Approvers
        • What does the user see during this asset request process?
        • Treated much like a legacy “disconnected” provisioning request
    • 19. Conclusion
        • User interfaces greatly simplified as business units demand control over their own applications
            – The entitlement provisioning is presented to end users through a self-service “shopping cart” interface
            – Provides a familiar and straightforward “look and feel” for them
        • Legacy “disconnected” apps are easily integrated into the workflows
        • Custom forms and personalization attributes are simple to create
    • 20. Customer Perspectives: SuperValu
        Phillip Black, Director of Identity & Access Management, SuperValu
        Patrick Abreo, Principal Security Architect, SuperValu
        Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
    • 21. SuperValu Background
    • 22. Business Drivers for SuperValu
        Simplify Customer Experience and Consolidate Identities
        • Operational Costs
        • User Productivity
        • Compliance Enforcement
        • Customer Satisfaction
    • 23. SuperValu Roadmap
        Prioritize Based on Drivers and Efficiency (axis label: Maturity)
        • External Authorization
        • Risk-based Authentication
        • Fat Client and Mobile Integration
        • Self-Service Provisioning
        • Single Sign On
    • 24. Key Learning Experiences
        • Map out the big picture
        • Plan strategically, work tactically
        • Adopt an incremental and result-oriented approach
        • Prioritize in favor of customer value
    • 25. Oracle Identity Manager 11gR2 Summary
        Viresh Garg, Director of Product Management, Oracle
    • 26. Oracle Identity Governance
        Governance Platform Connectors Provisioning De-provisioning Access Request Privileged Account Role Lifecycle Checkin/Checkout Rogue Account IT Audit Monitoring Reporting & Privileged Management Management Identity Certifications Detection & Remediation Access Monitoring Roles Ownership, Risk & Audit Objectives Entitlements Accounts Catalog Management Glossaries
    • 27. Oracle Identity Manager
        Key Capabilities
        • Comprehensive user administration
        • Centralized role lifecycle management
        • Self service interfaces for access request
        Benefits
        • Simplifies user lifecycle management
        • Eliminates ghost accounts, excess or erroneous privileges
        • Enforces compliance mandates such as segregation of duties
    • 28. Oracle Identity Manager 11gR2 Overview
        • “Shopping Cart” Access Request
        • Durable UI Customization
        • Sophisticated Approval Workflows
        • Closed Loop Remediation
    • 29. Shopping Cart Experience for Access Request
        Simple self-service access
        • Search Catalog
        • Add To Cart
        • Checkout
        • Approval
    • 30. Customizable User Interface
        Flexible, durable personalization and customization
        • Durable UI customization
        • Cost-effective
        • Simplified lifecycle management
        • Facilitates integration with corporate portal strategies
        Diagram labels: UI Look & Feel, Forms, Work Flow Logic
    • 31. Sophisticated Approval Workflows
        • View and take action on approval tasks via email, mobile (browser) and self-service UI
        • Add comments and attachments
        • See current and future approvers
        • Prioritize and organize tasks
    • 32. Oracle Identity Governance Suite
        Closed-loop Remediation
        Access Request Monitor Rogue Access Enterprise/ Detection Roles Reduce Risk Provisioning Improve & Connectors Audit/ Policy Compliance Access Monitoring Certification
    • 33. Part of a Complete Identity Management Solution
        • Governance
            – Password Reset
            – Privileged Accounts
            – Access Request
            – Roles Based Provisioning
            – Role Mining
            – Attestation
            – Separation of Duties
        • Access
            – Web Single Sign-on
            – Federation
            – Mobile, Social & Cloud
            – External Authorization
            – SOA Security
            – Integrated ESSO
            – Token Services
        • Directory
            – LDAP Storage
            – Virtual Directory
            – Meta Directory
        • Platform Security Services
    • 34. Q&A
    • 35. Links
        • www.oracle.com/Identity
        • www.facebook.com/OracleIDM
        • www.twitter.com/OracleIDM
        • blogs.oracle.com/OracleIDM