
SANS Institute Product Review of Oracle Identity Manager

Published in: Technology

  1. User Provisioning and Compliance: SANS Institute Product Review of Oracle Identity Manager
     • Dave Shackleford, Senior Instructor and Analyst, SANS
     • Phillip Black, Director of Identity & Access Management, SuperValu
     • Patrick Abreo, Principal Security Architect, SuperValu
     • Viresh Garg, Director of Product Management, Oracle
     © 2012 The SANS™ Institute - www.sans.org
  2. Agenda
     • User Provisioning Challenges
     • Overview of User Provisioning with Oracle Identity Manager
     • Use Case Review
     • Customer Perspectives: SuperValu
     • Oracle Identity Manager 11gR2 Summary
     • Q&A
  3. Self-Service Provisioning Made Simple: A Review of Oracle Identity Manager 11g R2
     Dave Shackleford, for SANS and Voodoo Security
  4. Why Provisioning is Important
     • Attackers are focusing on users like never before
       – Social engineering attacks + extensive privileges = breaches
     • Self-service provisioning aims to help with this
       – Often part of a larger IAM suite
     • Insider Threats
     • Compliance
     • The downside? Self-provisioning tools have traditionally been complex
       – Business users driving more simplicity
  5. Oracle Identity Manager 11g R2 Review
     • The focus of the review included:
       – Personalization and customization of the User Interface (UI)
       – Provisioning entitlements based on use cases and user profiles of varying complexity
       – Creating self-service permissions and workflow to legacy systems and applications
       – A workflow use case involving an asset request with multiple parties needed to identify and approve the request
       – Provisioning to a mobile device
     • These use cases were important due to their real-world relevance and key functionality areas
  6. Overall Impression
     • Oracle Identity Manager (OIM) 11g R2 reduced complexities normally associated with IAM self-service tools
       – Automated workflow
       – Provisions to legacy apps without new coding, connectors or XML
     • Use cases and interfaces are business friendly and incorporate features we already know, like shopping carts
     • There are many features, not all of which were explored
  7. Task 1: UI Personalization
     Specific task/information “portlets” added to the UI
  8. Task 1.1: UI Customization
     • Customization included specific saved search queries, logo addition, and use of UI “sandboxes”
       – Customization for business look and feel
       – Customized company or business unit features automatically show up on customer interfaces
       – Sandboxes allow testing of UI changes
  9. Task 2: Self-Service Application Provisioning
     • The scenario: An employee needs access to a timecard application
     • Based on a user’s ID and group, with specific assigned privileges, they can search for the app
  10. Task 2: Self-Service Application Provisioning
      • The employee uses the familiar “shopping cart” to request the app and kick off a workflow for approval
      • The manager is then notified and can approve the request through portal
  11. Task 2: Self-Service Application Provisioning
      After approval, the employee’s entitlement is approved, and the Timecard application is available
  12. Task 2: More complex entitlements
  13. Task 3: Legacy Application Provisioning
      • Some apps won’t have APIs, or won’t be easily integrated for provisioning
      • We call these apps “disconnected” and use a custom form to provision
  14. Task 3: Legacy Application Provisioning
      • Custom form manages access to app
  15. Task 3: Legacy Application Provisioning
      A user request using the new form
  16. Task 3: Manual Tasks for Provisioning
      • Finally, the manager in the workflow needs to approve the request
        – One manual task for adding the user is performed, and the workflow continues
  17. Task 4: Asset Request with Multiple Approvers
      • User needs a new corporate-issued mobile device
  18. Task 4: Asset Request with Multiple Approvers
      • What does the user see during this asset request process?
      • Treated much like a legacy “disconnected” provisioning request
  19. Conclusion
      • User interfaces greatly simplified as business units demand control over their own applications
        – The entitlement provisioning is presented to end users through a self-service “shopping cart” interface
        – Provides a familiar and straightforward “look and feel” for them
      • Legacy “disconnected” apps are easily integrated into the workflows
      • Custom forms and personalization attributes are simple to create
  20. Customer Perspectives: SuperValu
      • Phillip Black, Director of Identity & Access Management, SuperValu
      • Patrick Abreo, Principal Security Architect, SuperValu
      Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
  21. SuperValu Background
  22. Business Drivers for SuperValu
      Simplify Customer Experience and Consolidate Identities
      • Operational Costs
      • User Productivity
      • Compliance Enforcement
      • Customer Satisfaction
  23. SuperValu Roadmap
      Prioritize Based on Drivers and Efficiency
      [Figure: roadmap plotted against a “Maturity” axis. Items shown: External Authorization; Risk-based Authentication; Fat Client and Mobile Integration; Self-Service Provisioning; Single Sign On]
  24. Key Learning Experiences
      • Map out the big picture
      • Plan strategically, work tactically
      • Adopt an incremental and result-oriented approach
      • Prioritize in favor of customer value
  25. Oracle Identity Manager 11gR2 Summary
      Viresh Garg, Director of Product Management, Oracle
  26. Oracle Identity Governance
      [Diagram: Governance Platform. Labels as extracted: Connectors Provisioning De-provisioning Access Request Privileged Account Role Lifecycle Checkin/Checkout Rogue Account IT Audit Monitoring Reporting & Privileged Management Management Identity Certifications Detection & Remediation Access Monitoring Roles Ownership, Risk & Audit Objectives Entitlements Accounts Catalog Management Glossaries]
  27. Oracle Identity Manager
      Key Capabilities
      • Comprehensive user administration
      • Centralized role lifecycle management
      • Self service interfaces for access request
      Benefits
      • Simplifies user lifecycle management
      • Eliminates ghost accounts, excess or erroneous privileges
      • Enforces compliance mandates such as segregation of duties
  28. Oracle Identity Manager 11gR2 Overview
      • “Shopping Cart” Access Request
      • Durable UI Customization
      • Sophisticated Approval Workflows
      • Closed Loop Remediation
  29. Shopping Cart Experience for Access Request
      Simple self-service access
      [Figure: steps shown: Search Catalog; Add To Cart; Checkout; Approval]
  30. Customizable User Interface
      Flexible, durable personalization and customization
      • Durable UI customization
      • Cost-effective
      • Simplified lifecycle management
      • Facilitates integration with corporate portal strategies
      [Diagram labels: UI Look & Feel; Forms; UI Look & Feel; Work Flow; Logic]
  31. Sophisticated Approval Workflows
      • View and take action on approval tasks via email, mobile (browser) and self-service UI
      • Add comments and attachments
      • See current and future approvers
      • Prioritize and organize tasks
  32. Oracle Identity Governance Suite
      Closed-loop Remediation
      [Diagram labels as extracted: Access Request Monitor Rogue Access Enterprise/ Detection Roles Reduce Risk Provisioning Improve & Connectors Audit/ Policy Compliance Access Monitoring Certification]
  33. Part of a Complete Identity Management Solution
      • Governance: Password Reset; Privileged Accounts; Access Request; Roles Based Provisioning; Role Mining; Attestation; Separation of Duties
      • Access: Web Single Sign-on; Federation; Mobile, Social & Cloud; External Authorization; SOA Security; Integrated ESSO; Token Services
      • Directory: LDAP Storage; Virtual Directory; Meta Directory
      • Platform Security Services
  34. Q&A
  35. Links
      • www.oracle.com/Identity
      • www.facebook.com/OracleIDM
      • www.twitter.com/OracleIDM
      • blogs.oracle.com/OracleIDM
