1. User Provisioning and Compliance: SANS Institute Product Review of Oracle Identity Manager
Dave Shackleford, Senior Instructor and Analyst, SANS
Phillip Black, Director of Identity & Access Management, SuperValu
Patrick Abreo, Principal Security Architect, SuperValu
Viresh Garg, Director of Product Management, Oracle
© 2012 The SANS™ Institute - www.sans.org
2. Agenda
• User Provisioning Challenges
• Overview of User Provisioning with Oracle Identity Manager
• Use Case Review
• Customer Perspectives: SuperValu
• Oracle Identity Manager 11gR2 Summary
• Q&A
3. Self-Service Provisioning Made Simple: A Review of Oracle Identity Manager 11g R2
Dave Shackleford, for SANS and Voodoo Security
4. Why Provisioning is Important
• Attackers are focusing on users like never before
– Social engineering attacks + extensive privileges = breaches
• Self-service provisioning aims to help with this
– Often part of a larger IAM suite
• Insider Threats
• Compliance
• The downside? Self-provisioning tools have traditionally been complex
– Business users driving more simplicity
5. Oracle Identity Manager 11g R2 Review
• The focus of the review included:
– Personalization and customization of the User Interface (UI)
– Provisioning entitlements based on use cases and user profiles of varying complexity
– Creating self-service permissions and workflow to legacy systems and applications
– A workflow use case involving an asset request with multiple parties needed to identify and approve the request
– Provisioning to a mobile device
• These use cases were important due to their real-world relevance and key functionality areas
6. Overall Impression
• Oracle Identity Manager (OIM) 11g R2 reduced complexities normally associated with IAM self-service tools
– Automated workflow
– Provisions to legacy apps without new coding, connectors or XML
• Use cases and interfaces are business friendly and incorporate features we already know, like shopping carts
• There are many features, not all of which were explored
7. Task 1: UI Personalization
Specific task/information “portlets” added to the UI
8. Task 1.1: UI Customization
• Customization included specific saved search queries, logo addition, and use of UI “sandboxes”
– Customization for business look and feel
– Customized company or business unit features automatically show up on customer interfaces
– Sandboxes allow testing of UI changes
9. Task 2: Self-Service Application Provisioning
• The scenario: An employee needs access to a timecard application
• Based on a user’s ID and group, with specific assigned privileges, they can search for the app
10. Task 2: Self-Service Application Provisioning
• The employee uses the familiar “shopping cart” to request the app and kick off a workflow for approval
• The manager is then notified and can approve the request through the portal
11. Task 2: Self-Service Application Provisioning
After approval, the employee’s entitlement is granted, and the Timecard application is available
12. Task 2: More complex entitlements
13. Task 3: Legacy Application Provisioning
• Some apps won’t have APIs, or won’t be easily integrated for provisioning
• We call these apps “disconnected” and use a custom form to provision
14. Task 3: Legacy Application Provisioning
• Custom form manages access to the app
15. Task 3: Legacy Application Provisioning
A user request using the new form
16. Task 3: Manual Tasks for Provisioning
• Finally, the manager in the workflow needs to approve the request
– One manual task for adding the user is performed, and the workflow continues
17. Task 4: Asset Request with Multiple Approvers
• User needs a new corporate-issued mobile device
18. Task 4: Asset Request with Multiple Approvers
• What does the user see during this asset request process?
• Treated much like a legacy “disconnected” provisioning request
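Tasks 2 through 4 describe one request lifecycle: a catalog item is checked out, every required approver acts, and fulfilment is either automatic (a connected target) or a manual task that must be completed before the entitlement is live (a disconnected target), with the segregation-of-duties enforcement from the OIM summary applied at checkout. The Python model below is an added illustration of that flow, not OIM code or its API; the catalog, approver lists and SoD rule are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed catalog (not OIM data): connected items are provisioned by a
# connector; disconnected items wait for an administrator's manual task.
CATALOG = {
    "timecard":      {"connected": True,  "approvers": ["manager"]},
    "legacy_ledger": {"connected": False, "approvers": ["manager"]},
    "mobile_device": {"connected": False, "approvers": ["manager", "asset_owner"]},
}
# Constructed segregation-of-duties rule: no one may hold both entitlements.
SOD_CONFLICTS = {frozenset({"legacy_ledger", "ap_approver"})}


@dataclass
class Request:
    user: str
    item: str
    approvals: set = field(default_factory=set)
    manual_done: bool = False
    status: str = "pending_approval"


def checkout(user, item, current_entitlements):
    """Submit a cart item; the SoD check runs before any approver sees it."""
    if item not in CATALOG:
        raise KeyError(item)
    for conflict in SOD_CONFLICTS:
        if item in conflict and (conflict - {item}) & set(current_entitlements):
            return Request(user, item, status="rejected_sod")
    return Request(user, item)


def approve(req, approver):
    """Record one approval; the request advances only when all required approvers have acted."""
    if req.status != "pending_approval" or approver not in CATALOG[req.item]["approvers"]:
        return req  # unknown approver or wrong state: no effect
    req.approvals.add(approver)
    if req.approvals == set(CATALOG[req.item]["approvers"]):
        req.status = "provisioned" if CATALOG[req.item]["connected"] else "pending_manual_task"
    return req


def complete_manual_task(req):
    """Disconnected target: an administrator confirms the out-of-band fulfilment."""
    if req.status == "pending_manual_task":
        req.manual_done = True
        req.status = "provisioned"
    return req
```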
19. Conclusion
• User interfaces greatly simplified as business units demand control over their own applications
– The entitlement provisioning is presented to end users through a self-service “shopping cart” interface
– Provides a familiar and straightforward “look and feel” for them
• Legacy “disconnected” apps are easily integrated into the workflows
• Custom forms and personalization attributes are simple to create
20. Customer Perspectives: SuperValu
Phillip Black, Director of Identity & Access Management, SuperValu
Patrick Abreo, Principal Security Architect, SuperValu
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
21. SuperValu Background
22. Business Drivers for SuperValu
Simplify Customer Experience and Consolidate Identities
• Operational Costs
• User Productivity
• Compliance Enforcement
• Customer Satisfaction
23. SuperValu Roadmap
Prioritize Based on Drivers and Efficiency
Roadmap items (diagram, plotted against a Maturity axis; listed top to bottom as on the slide): External Authorization, Risk-based Authentication, Fat Client and Mobile Integration, Self-Service Provisioning, Single Sign On
24. Key Learning Experiences
• Map out the big picture
• Plan strategically, work tactically
• Adopt an incremental and result-oriented approach
• Prioritize in favor of customer value
25. Oracle Identity Manager 11gR2 Summary
Viresh Garg, Director of Product Management, Oracle
26. Oracle Identity Governance
Governance Platform (diagram):
• Connectors
• Provisioning / De-provisioning
• Access Request Management; Privileged Account Management; Role Lifecycle; Checkin/Checkout; Rogue Account Detection & Remediation; IT Audit Monitoring; Reporting & Identity Certifications; Privileged Access Monitoring
• Roles; Ownership, Risk & Audit Objectives
• Entitlements
• Accounts
• Catalog Management
• Glossaries
27. Oracle Identity Manager
Key Capabilities
• Comprehensive user administration
• Centralized role lifecycle management
• Self-service interfaces for access request
Benefits
• Simplifies user lifecycle management
• Eliminates ghost accounts, excess or erroneous privileges
• Enforces compliance mandates such as segregation of duties
28. Oracle Identity Manager 11gR2 Overview
• “Shopping Cart” Access Request
• Durable UI Customization
• Sophisticated Approval Workflows
• Closed Loop Remediation
29. Shopping Cart Experience for Access Request
Simple self-service access
Search Catalog → Add To Cart → Checkout → Approval
30. Customizable User Interface
Flexible, durable personalization and customization
• Durable UI customization
• Cost-effective
• Simplified lifecycle management
• Facilitates integration with corporate portal strategies
Customization layers (diagram): UI Look & Feel, Forms, Work Flow Logic
31. Sophisticated Approval Workflows
• View and take action on approval tasks via email, mobile (browser) and self-service UI
• Add comments and attachments
• See current and future approvers
• Prioritize and organize tasks
32. Oracle Identity Governance Suite
Closed-loop Remediation (cycle diagram): Access Request, Enterprise Roles, Provisioning & Connectors, Access Monitoring, Certification, Policy, Rogue Access Detection, Monitor; outcomes: Reduce Risk, Improve Audit/Compliance
33. Part of a Complete Identity Management Solution
Governance: Password Reset, Privileged Accounts, Access Request, Roles Based Provisioning, Role Mining, Attestation, Separation of Duties
Access: Web Single Sign-on, Federation, Mobile, Social & Cloud, External Authorization, SOA Security, Integrated ESSO, Token Services
Directory: LDAP Storage, Virtual Directory, Meta Directory
Platform Security Services
34. Q&A
35. www.oracle.com/Identity
www.facebook.com/OracleIDM
www.twitter.com/OracleIDM
blogs.oracle.com/OracleIDM
Editor's Notes
Question for Phil: Welcome Phil. Can you tell us about your role?
Question for Patrick: Welcome Patrick. Tell us about your role and how you got started with Identity Management?
Phil: Tell us a little bit about SuperValu and the scope of operations in North America?
Questions for Phil: What was the environment and infrastructure like when you started? What were the chief business drivers for SuperValu’s Identity Management deployment?
Let's discuss Learning Experiences. Questions for Phil: 1. From your perspective, when starting with provisioning, what area of the enterprise would you start with? 2. What advice would you give to architects getting started with provisioning and Identity Management?
Familiar, OOB Access Request with user-friendly glossary. Sophisticated, standards-based approval workflows. Business Manager has risk-based guidance, friendly interfaces and closed loop to address issues. Standard and Priv. Flexible Administrative interfaces: drag and drop Admin for Delegation. If you must customize: durable customization.