Bridging the Cloud Sign-On Gap


  1. Kuppinger Cole Webinar: Bridging the Cloud Sign-On Gap
     Sebastian Rohr, Kuppinger Cole; Matt Berzinski, Oracle. February 9th, 2012.
     This Webinar is supported by [sponsor logo not captured]
  2. Educate. Innovate. Connect.
     © Kuppinger Cole 2012
     • Call for Speakers:
     • Propose your project for the European Identity Awards:
     • Become an Event Partner:
     • 500+ delegates
     • 50+ Partners and Exhibitors
     • 4 Session Tracks
     • 100+ Speakers
  3. Some guidelines for the Webinar
     • You are muted centrally. You don't have to mute/unmute yourself – we control the mute/unmute features.
     • We will record the Webinar – the podcast recording will be available tomorrow.
     • Q+A will be at the end – you can ask questions using the Q+A tool anytime; we will pick them up at the end or, if appropriate, during the Webinar.
  4. Bridging the Cloud Sign-On Gap – Extend your Enterprise SSO reach to the Cloud
     Part 1: Presentation by Sebastian Rohr
     • Sign-on (and other) challenges in internal IT
     • Reaching out for/to the cloud
     • Specific issues around hybrid deployments
     Part 2: Presentation by Matt Berzinski
     • How to „Bridge the Gap“
     • Tackling sign-on, authorization and governance
     • Extending the reach of internal solutions
     Part 3: Discussion
     • Additional questions can be placed using the GoToWebinar tool – area „Questions“
  5. What business really wants: Service delivery and Information Security
     Business just wants the services they need to do their job and to keep corporate information protected adequately (hopefully).
  6. IT Technology & Delivery (timeline figure, 1960 to 2020)
     Technology: Centralized Mainframe, MidSize, Client/Server, Web.
     Delivery: In-house, Outsourced Hosting, Outsourced ASP, Web Managed Service, as-a-Service (SW-, Platform-, Infrastr.-), in-house/outsourced.
  7. Challenges your IT faces today
     • Serving demand with a mix of Cloud and “classic” services
     • Offering adaptable Strong Authentication
     • Safeguarding Audit Trails in all delivery methods
     • Staying in Compliance with (multiple) Legislations/Regulations
     • Providing reliable & authentic Billing/Accounting information
     • Providing proper means of Access Control to sensitive data
  8. Serving IT demand with a Cloud-Mix (figure, with kind permission by E. von Faber)
     Distributed, scalable Cloud-Computing – each layer and the delivery model it maps to:
     • Application: ERP, CRM, SCM, Office etc. – Software-as-a-Service
     • Platform: RTE (i.e. .Net, Java), Database – Platform-as-a-Service
     • Hardware, Infrastructure: Hardware, MIPS, Memory – Infrastructure-as-a-Service
     • Datacenter + Network: Systems in remote Datacenter – Hosting
     • Maintenance, Configuration Changes – Managed Services
     • Remote Monitoring – Service Monitoring & Support
     Axes of the figure: DC of Customer / One DC of Service Provider / Multi-DC (distributed); dedicated vs. shared; One-to-One vs. One-to-Many. Control/Knowledge and Attack Vectors/Threats are shown as opposing scales (+/–) along these axes.
  9. Offering Strong Authentication
     Username/Password are all over the place:
     • Hard to remember (the plethora)
     • Not always secure enough – other methods needed!
     • Two-factor Auth & Strong Auth often a requirement
     • Not every internal app can use 2FA/SA natively
     • Even harder for (multiple) Cloud services
     • Context-aware Auth often not available (XACML)
     • „Step-up“ Auth not supported by Cloud Service
  10. Safeguarding Audit Trails
     Who did what?
     • Hard enough to tell in internal apps
     • Keeping track of Access Rights & Permissions
     By which means?
     • Webservices/WebGUI
     • Fat Client
     Who requested it?
     • Workflows established?
     • Role-model and „need-to-know“
     Who authorized it?
     • Multi-approver support in work-flows
     • Re-Certification of once deployed permissions
     Get that for your Cloud-Services! At least partially…
  11. Staying in Compliance
     Where do you do business?
     • National laws & regulations
     • Regional laws & regulations
     In which verticals?
     • Healthcare
     • Food/Pharmaceutical
     • Financial…
     Special Requirements
     • Do you need to know where your data is located?
     • Do you need to keep your data in your country?
     How to keep track?
     • Safeguarding compliance through central logs
     • Probably establish SIEM with specific filters
  12. Providing usage based invoicing
     Many internal IT services are paid „by consumption“:
     • Number of transactions processed
     • Time spent „using“ the service
     • Processing cycles, bandwidth or memory used
     How to make that available to other departments?
  13. Proper means of Access Control
     Federation
     • Needs some legal clarification beforehand
     • Relatively complex to establish
     Direct integration
     • Not feasible with „real“ Cloud Services
     • Too much technical effort & risk (trust, legal)
     Web Access Management
     • Easier to establish/extend
     • Easier to „tear down“ and maintain
     Enterprise SSO
     • Quick & easy to extend
     • Good manageability
     • Often times already proven deployment
  14. Using Hybrid Cloud Deployments
     Challenges
     • May add Complexity
     • May tamper with Security
     • Will provide Elasticity
     • Impacts Networking
       – Discovery
       – Communication
       – Latency
       – Availability
     Recommendations
     • Stay secure from the start
       – Create proper process, then
       – Build on trusted technology
       – No „experiments“, please!
     • If possible, Federate (later)
     • Extend your enterprise security architecture & tools
     • Remain in control
     • Maintain Know-How inside
  15. Touch-Points – do NOT re-invent!
     What you need – Where to get it
     • Strong Authentication – Re-use internal Auth + SSO
     • Proper Audit trails – Re-use internal Access Control
     • Accounting/Invoicing – internal Auth + Access Control
     • Governance + Risk Mgmnt. – above + internal GRC + add-in
     • Provisioning – Extend internal IdM tools
     • Access Control – See above, but: do not forget Cloud-PAM!
     And now let's see how this could be achieved!
  16. Bridging the Sign-On Gap to the Cloud (Oracle presentation)
  17. Copyright © 2010, Oracle. Proprietary and Confidential
     This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
  18. Cloud applications are proliferating
     • More services being offered in a hosted manner
       – CRM
       – Personal Productivity Products
       – Business Intelligence
     • Provide many benefits to the organization
       – No need to procure large and complex infrastructure
       – No deployment or maintenance costs associated
       – Provides easy access to information from anywhere
  19. Drawbacks of cloud applications
     • Add another set of credentials for users to maintain
     • Securing access to those applications
       – Federation can lead to more legal fees than IT fees
     • Controlling access to only those who need it
       – Changing roles
       – Termination
     • Auditing access to the application
  20. Oracle ESSO Suite Plus Solves Enterprise Access Challenges (component diagram)
     • ESSO Authentication Manager
     • ESSO Provisioning Gateway
     • ESSO Logon Manager (Sign-on)
     • ESSO Password Reset
     • ESSO Kiosk Manager
     • ESSO Anywhere
  21. ESSO Logon Manager Overview (diagram)
  22. Access the cloud anytime, from anywhere (diagram: Cloud Application)
  23. Provides a security challenge (diagram: Cloud Application)
  24. How to combat this?
     Increase Security
     • Strong Authentication
       – Site Specific
       – Not associated with business
       – Another infrastructure to maintain
     • Tougher Passwords
     Decrease Productivity
     • Loss of Strong Authentication Device
     • Forget Passwords
     • Account Lockouts
  25. ESSO LM Bridges the Sign On Gap
     Manage Passwords
     • Enforces strong password policies
     • Optionally can generate random passwords not known by users
     Integrate Strong Auth
     • Leverage corporate strong authentication deployment
     • Challenge for re-authentication prior to providing credentials to the application
     Ensure Compliance
     • All logon events are audited and associated to an enterprise user name
     • Track all password change events to comply with security
     • Generate reports showing inactive accounts
  26. ESSO creates Strong Passwords
     Randomly generated passwords look like this: (screenshot not captured)
  27. Controlling User's Access
     • More challenging than conventional applications
       – Hosted applications can be accessed from anywhere
       – Disabling network ID does not terminate application access
     • ESSO LM does not allow users to reveal passwords
     • This allows easy removal of access
       – Disable Windows account
       – Remove SSO password through ESSO Provisioning Gateway
  28. ESSO from Anywhere (diagram: Remote PC with ESSO-LM Agent connecting to Cloud Applications)
  29. ESSO Enables Cloud Apps
     • Simplify access to hard-to-connect cloud applications through ESSO
     • Increase security by maintaining the user's password and extending existing strong authentication
     • Audit all access to the application for Regulatory Compliance
     • Enforce all policies from any computer with internet access
     • Deliver ROI by terminating inactive accounts
  30. Why Oracle ESSO Suite?
     • Established track record
       – Passlogix Founded in 1996
       – Oracle Acquired Passlogix in Oct 2010
       – Proven history of success
     • Market-leading
       – 10’s of millions of licenses sold
       – Thousands of enterprise customers
       – 10,000’s of applications
       – Customers with millions of employees
     • Patented technology
       – Provides fast deployment, quick ROI
       – 2 US patents and 7 foreign, additional pending
  31. Recognized Leadership
     “The company goes around a problem .... It is far different from thinking out of the box. It's refusing to acknowledge that the box exists in the first place.”
     2011 ESSO Marketscope: “Passlogix provides an excellent, lightweight, low maintenance SSO solution, suitable for deployments of any scale … and it is seen as a “best of breed” enterprise SSO product – the general good opinion in which it is held …”
     “Passlogix has some highly functional ESSO technology … they often pioneer in the market…”
     • 100% of customers would buy it again
     • 100% of customers would recommend it to a peer
     • 100% of customers said Passlogix keeps all promises
     • 71% ranked Passlogix as their Best or 2nd Best Vendor
     Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. The Magic Quadrant graphic was published by Gartner, Inc., as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Oracle.
     MarketScope rating table (as of 20 September 2011). Rating scale: Strong Negative / Caution / Promising / Positive / Strong Positive. Vendors rated: ActivIdentity, Avencis, CA Technologies, Evidian, IBM, Ilex, Imprivata, i-Sprint Innovations, Microsoft, NetIQ, Oracle (each vendor's rating is marked only graphically in the slide).
  32. Deployed by Leading Customers (logo slide): Financial; Healthcare / Pharmaceuticals; Energy; Government
  33. Oracle ESSO Suite Is Integrated with Oracle IAM (diagram: ESSO with OAM, OIM and ODS)
     • Single Sign-On from Desktop to Web Apps and Cloud
     • Single login to access enterprise apps and OAM protected web apps
     • Integrated with industry leading provisioning solution
     • Integrated with Directory Services
     • Leverage existing investments in directory servers
  34. Cost Benefits of Oracle ESSO Suite
     • Organization with 7000 users
     • 1 Password Reset per quarter/user
     • Average helpdesk call $40
     Result: 140% ROI, 12 months payback period.
     Source: ESSO Buyer’s Guide, Sep 2011. Link:
  35. Oracle Provides an Evolved IDM Platform (diagram)
     Scope: Enterprise, Extranet, Cloud/Mobile. Evolution: Tools, Point Solutions, Platform, Intelligence.
     Capabilities: Identity, Authentication, Administration, Audit, Risk Management.
     • Certify Access for Millions of Users & Entitlements
     • User Lifecycle in Hybrid/Cloud Environments
     • Access via Mobile & Social Channels
     • Authoritative ID with Massive Scale
     • Monitor Behavior & Detect Improper Access
  36. Oracle Platform Makes All the Difference
     Headline figures: 46% Cost Savings, 48% More Responsive, 35% Fewer Audit Deficiencies. Source: Aberdeen “Analyzing point solutions vs. platform” 2011.
     Benefits and Oracle IAM Suite Advantage:
     • Increased End-User Productivity
       – Emergency Access: 11% faster
       – End-user Self Service: 30% faster
     • Reduced Risk
       – Suspend/revoke/de-provision end user access: 46% faster
     • Enhanced Agility
       – Integrate a new app faster with the IAM infrastructure: 64% faster
       – Integrate a new end user role faster into the solution: 73% faster
     • Enhanced Security and Compliance
       – Reduces unauthorized access: 14% fewer
       – Reduces audit deficiencies: 35% fewer
     • Reduced Total Cost
       – Reduces total cost of IAM initiatives: 48% lower
  37. One Company, One Solution, One Stack
     • Proven vendor
       – Acquire and retain best of breed technology and talent
       – Battle-tested for large, mission-critical applications
       – Referenceable, award-winning customer deployments
     • Most complete and integrated best-of-breed portfolio
       – Service-Oriented Security
       – Interoperable components
     • Future proof investment
       – Standards-based and hot pluggable for easy integration
       – Established deployment best practices
       – Large implementation ecosystem
  38. Learn More
  39. Get a Jumpstart with Oracle Consulting Services
     • Thought leaders that provide customers with tightly integrated, comprehensive and superior services as part of the Oracle brand
     • Q2FY11 Forrester Wave report rates Oracle Consulting as the leader
     • World’s top experts in User Life Cycle Management
     Pre-Install
     • Oracle Identity Management Deployment Strategy
     • Oracle Identity Management Vendor Transition Strategy
     Install
     • ESSO Quickstart
     • Oracle Identity Manager Quickstart
     • IDM Virtualization service
     • Directory Services Quickstart
     Post Install
     • Oracle Directory Services & Identity Management Health Checks
     • ESSO Health Check
  40. Join the Oracle IDM Community: Twitter, Facebook, Oracle Identity Management blog
  41. Q&A
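As an added illustration of the logon-manager model described on slides 25 to 27 (this is not Oracle's code and does not reproduce ESSO's actual behaviour), the hypothetical Python model below generates policy-conforming random passwords the user never sees, injects a credential only after re-authentication, ties every logon event to the enterprise user name, and reports inactive accounts; the password policy and the day-counter timestamps are assumptions.

```python
import secrets
import string

# Constructed policy (an assumption, not ESSO's defaults): 16 chars from all four classes.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*")
MIN_LENGTH = 16

def meets_policy(pw: str) -> bool:
    """Length plus character-class check applied to every stored password."""
    return len(pw) >= MIN_LENGTH and all(any(c in cls for c in pw) for cls in CLASSES)

def generate_password() -> str:
    """Draw from a CSPRNG and retry until the candidate satisfies the policy."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(MIN_LENGTH))
        if meets_policy(pw):
            return pw

class CredentialVault:
    """Hypothetical logon-manager model; time is a plain day counter for simplicity."""
    def __init__(self):
        self._creds = {}    # (enterprise_user, app) -> password, never handed to the user
        self.audit = []     # (day, enterprise_user, app, event)
        self.disabled = set()

    def enroll(self, user, app, day):
        """Generate and store an app password the user never sees."""
        self._creds[(user, app)] = generate_password()
        self.audit.append((day, user, app, "password_set"))

    def logon(self, user, app, reauthenticated, day):
        """Inject the credential only for an active enterprise account that re-authenticated."""
        allowed = user not in self.disabled and (user, app) in self._creds and reauthenticated
        self.audit.append((day, user, app, "logon" if allowed else "logon_denied"))
        return allowed

    def disable_user(self, user, day):
        """Disabling the enterprise account cuts off every app reached through the vault."""
        self.disabled.add(user)
        self.audit.append((day, user, "*", "user_disabled"))

    def inactive_accounts(self, today, days=90):
        """Report app accounts with no successful logon within the last `days` days."""
        last = {}
        for day, user, app, event in self.audit:
            if event == "logon":
                last[(user, app)] = max(last.get((user, app), day), day)
        return sorted(k for k in self._creds if last.get(k, float("-inf")) < today - days)
```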