User Provisioning and Compliance: SANS Institute Product Review of Oracle Identity Manager

Dave Shackleford, Senior Instructor and Analyst, SANS
Phillip Black, Director of Identity & Access Management, SuperValu
Patrick Abreo, Principal Security Architect, SuperValu
Viresh Garg, Director of Product Management, Oracle
                                 © 2012 The SANS™ Institute - www.sans.org
Agenda

• User Provisioning Challenges
• Overview of User Provisioning with Oracle Identity Manager
• Use Case Review
• Customer Perspectives: SuperValu
• Oracle Identity Manager 11gR2 Summary
• Q&A
Self-Service Provisioning Made Simple: A Review of Oracle Identity Manager 11g R2

Dave Shackleford, for SANS and Voodoo Security


Why Provisioning is Important

• Attackers are focusing on users like never before
   – Social engineering attacks + extensive privileges = breaches
• Self-service provisioning aims to help with this
   – Often part of a larger IAM suite
• Insider Threats
• Compliance
• The downside? Self-provisioning tools have traditionally been complex
   – Business users driving more simplicity
Oracle Identity Manager 11g R2 Review

• The focus of the review included:
   – Personalization and customization of the User Interface (UI)
   – Provisioning entitlements based on use cases and user profiles of varying complexity
   – Creating self-service permissions and workflow to legacy systems and applications
   – A workflow use case involving an asset request with multiple parties needed to identify and approve the request
   – Provisioning to a mobile device
• These use cases were important due to their real-world relevance and key functionality areas

Overall Impression

• Oracle Identity Manager (OIM) 11g R2 reduced complexities normally associated with IAM self-service tools
   – Automated workflow
   – Provisions to legacy apps without new coding, connectors or XML
• Use cases and interfaces are business friendly and incorporate features we already know, like shopping carts
• There are many features, not all of which were explored

Task 1: UI Personalization

Specific task/information “portlets” added to the UI




Task 1.1: UI Customization

• Customization included specific saved search queries, logo addition, and use of UI “sandboxes”
   – Customization for business look and feel
   – Customized company or business unit features automatically show up on customer interfaces
   – Sandboxes allow testing of UI changes



Task 2: Self-Service Application Provisioning

• The scenario: An employee needs access to a timecard application
• Based on a user’s ID and group, with specific assigned privileges, they can search for the app




Task 2: Self-Service Application Provisioning

• The employee uses the familiar “shopping cart” to request the app and kick off a workflow for approval
• The manager is then notified and can approve the request through the portal




Task 2: Self-Service Application Provisioning

After approval, the employee’s entitlement is approved, and the Timecard application is available




Task 2: More complex entitlements




Task 3: Legacy Application Provisioning

• Some apps won’t have APIs, or won’t be easily integrated for provisioning
• We call these apps “disconnected” and use a custom form to provision




Task 3: Legacy Application Provisioning

• Custom form manages access to app




Task 3: Legacy Application Provisioning

A user request using the new form




Task 3: Manual Tasks for Provisioning

• Finally, the manager in the workflow needs to approve the request
   – One manual task for adding the user is performed, and the workflow continues




Task 4: Asset Request with Multiple Approvers

• User needs a new corporate-issued mobile device




Task 4: Asset Request with Multiple Approvers

• What does the user see during this asset request process?
• Treated much like a legacy “disconnected” provisioning request
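The request-to-provisioning flow reviewed in Tasks 2 through 4 (catalog checkout, manager approval, automatic provisioning for a connected app, a manual fulfilment task for a "disconnected" legacy app, and a multi-approver asset request), written up as an added illustrative model rather than Oracle's OIM code. The catalog entries, approver roles, the no-self-approval rule and the segregation-of-duties pairing are all assumptions made for the example; the point is that no entitlement is recorded until every approval (and any manual task) has completed.

```python
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    PENDING_APPROVAL = "pending_approval"
    PENDING_MANUAL_TASK = "pending_manual_task"   # disconnected target: an operator fulfils it
    PROVISIONED = "provisioned"
    REJECTED = "rejected"

@dataclass(frozen=True)
class CatalogItem:
    name: str
    connected: bool       # False = "disconnected" legacy app or physical asset
    approvers: tuple      # approver roles; every one must approve before fulfilment
    sod_group: str = ""   # items in the same group may not be held together (assumed rule)

@dataclass
class Request:
    requester: str
    item: CatalogItem
    status: Status = Status.PENDING_APPROVAL
    approved_by: dict = field(default_factory=dict)   # role -> approving user
    audit: list = field(default_factory=list)         # trail a reviewer can inspect

# Constructed catalog mirroring the deck's tasks; names and approver chains are assumed.
CATALOG = {
    "timecard": CatalogItem("timecard", True, ("manager",)),
    "legacy-erp": CatalogItem("legacy-erp", False, ("manager",)),
    "mobile-device": CatalogItem("mobile-device", False, ("manager", "asset-owner")),
    "ap-entry": CatalogItem("ap-entry", True, ("manager",), sod_group="accounts-payable"),
    "ap-approve": CatalogItem("ap-approve", True, ("manager",), sod_group="accounts-payable"),
}
# Assumed role membership: which users may act in which approver role.
ROLE_HOLDERS = {"manager": {"mgr1"}, "asset-owner": {"assets1"}}

class Workflow:
    def __init__(self):
        self.entitlements = {}    # user -> set of item names currently granted
        self.manual_tasks = []    # fulfilment tasks waiting on an operator

    def checkout(self, requester, item_name):
        """Shopping-cart checkout: open a request, or reject it outright on an SoD conflict."""
        item = CATALOG[item_name]
        req = Request(requester, item)
        held = self.entitlements.get(requester, set())
        if item.sod_group and any(CATALOG[h].sod_group == item.sod_group for h in held):
            req.status = Status.REJECTED
        req.audit.append(f"{req.status.value}: {requester} requested {item_name}")
        return req

    def approve(self, req, approver, role):
        """One approver acts; the entitlement is granted only once the whole chain has approved."""
        if req.status is not Status.PENDING_APPROVAL:
            return req.status
        if role not in req.item.approvers or approver not in ROLE_HOLDERS.get(role, ()):
            req.audit.append(f"ignored: {approver} does not hold role {role}")
            return req.status
        if approver == req.requester:             # no self-approval (assumed policy)
            req.audit.append(f"ignored: self-approval attempt by {approver}")
            return req.status
        req.approved_by[role] = approver
        req.audit.append(f"approved by {approver} as {role}")
        if all(r in req.approved_by for r in req.item.approvers):
            if req.item.connected:                # connector provisions the account directly
                self._grant(req)
            else:                                 # disconnected: queue a manual task instead
                req.status = Status.PENDING_MANUAL_TASK
                self.manual_tasks.append(req)
                req.audit.append("manual fulfilment task created")
        return req.status

    def complete_manual_task(self, req, operator):
        """Operator confirms the out-of-band step; only then is the entitlement recorded."""
        if req.status is not Status.PENDING_MANUAL_TASK:
            return req.status
        self.manual_tasks.remove(req)
        req.audit.append(f"manual task completed by {operator}")
        self._grant(req)
        return req.status

    def _grant(self, req):
        self.entitlements.setdefault(req.requester, set()).add(req.item.name)
        req.status = Status.PROVISIONED
        req.audit.append("provisioned")
```

The `audit` list on each request is what a reviewer or certification campaign would read back to confirm who approved what and when the manual step was closed.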




Conclusion

• User interfaces greatly simplified as business units demand control over their own applications
   – The entitlement provisioning is presented to end users through a self-service “shopping cart” interface
   – Provides a familiar and straightforward “look and feel” for them
• Legacy “disconnected” apps are easily integrated into the workflows
• Custom forms and personalization attributes are simple to create
Customer Perspectives: SuperValu




Phillip Black, Director of Identity & Access Management, SuperValu
Patrick Abreo, Principal Security Architect, SuperValu



Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
SuperValu Background




Business Drivers for SuperValu
Simplify Customer Experience and Consolidate Identities

(Diagram) Drivers shown: Operational Costs, User Productivity, Compliance Enforcement, Customer Satisfaction
SuperValu Roadmap
Prioritize Based on Drivers and Efficiency

(Diagram) Roadmap stages plotted against maturity, lowest to highest: Single Sign On → Self-Service Provisioning → Fat Client and Mobile Integration → Risk-based Authentication → External Authorization
Key Learning Experiences

• Map out the big picture
• Plan strategically, work tactically
• Adopt an incremental and result-oriented approach
• Prioritize in favor of customer value



Oracle Identity Manager 11gR2 Summary

Viresh Garg, Director of Product Management, Oracle

Oracle Identity Governance
Governance Platform

(Diagram) Platform layers: Connectors; Provisioning; De-provisioning
• Capabilities: Access Request; Privileged Account Management; Role Lifecycle Management; Checkin/Checkout; Identity Certifications; Rogue Account Detection & Remediation; IT Audit Monitoring; Reporting & Privileged Access Monitoring
• Shared identity model: Roles; Entitlements; Accounts; Glossaries; Ownership, Risk & Audit Objectives; Catalog Management
Oracle Identity Manager

Key Capabilities
• Comprehensive user administration
• Centralized role lifecycle management
• Self-service interfaces for access request

Benefits
• Simplifies user lifecycle management
• Eliminates ghost accounts, excess or erroneous privileges
• Enforces compliance mandates such as segregation of duties


Oracle Identity Manager 11gR2 Overview

• “Shopping Cart” Access Request
• Durable UI Customization
• Sophisticated Approval Workflows
• Closed Loop Remediation




Shopping Cart Experience for Access Request
Simple self-service access

(Diagram) Flow: Search Catalog → Add To Cart → Checkout → Approval




Customizable User Interface
Flexible, durable personalization and customization

• Durable UI customization
• Cost-effective
• Simplified lifecycle management
• Facilitates integration with corporate portal strategies

(Diagram) Customizable layers: UI Look & Feel; Forms; Work Flow; Logic


Sophisticated Approval Workflows

• View and take action on approval tasks via email, mobile (browser) and self-service UI
• Add comments and attachments
• See current and future approvers
• Prioritize and organize tasks




Oracle Identity Governance Suite
Closed-loop Remediation

(Diagram) Inputs: Enterprise/Roles; Audit/Policy Monitoring
• Loop: Access Request → Provisioning & Connectors → Rogue Access Detection → Access Certification
• Outcomes: Monitor; Reduce Risk; Improve Compliance
Part of a Complete Identity Management Solution

Governance: Password Reset; Privileged Accounts; Access Request; Roles Based Provisioning; Role Mining; Attestation; Separation of Duties
Access: Web Single Sign-on; Federation; Mobile, Social & Cloud; External Authorization; SOA Security; Integrated ESSO; Token Services
Directory: LDAP Storage; Virtual Directory; Meta Directory

Platform Security Services (underlying all three)


Q&A
www.oracle.com/Identity
www.facebook.com/OracleIDM
www.twitter.com/OracleIDM
blogs.oracle.com/OracleIDM





Editor's Notes

  • #7 Question for Phil: Welcome Phil. Can you tell us about your role? Question for Patrick: Welcome Patrick. Tell us about your role and how you got started with Identity Management?
  • #22 Phil: Tell us a little bit about SuperValu and the scope of operations in North America?
  • #23 Questions for Phil: What was the environment and infrastructure like when you started? What were the chief business drivers for SuperValu’s Identity Management deployment?
  • #25 Let’s discuss Learning Experiences. Questions for Phil: 1. From your perspective, when starting with provisioning, what area of the enterprise would you start with? 2. What advice would you give to architects getting started with provisioning and Identity Management?
  • #33 Familiar, OOB Access Request with user-friendly glossary. Sophisticated, standards-based approval workflows. Business Manager has risk-based guidance, friendly interfaces and closed loop to address issues (Standard and Priv). Flexible administrative interfaces: drag-and-drop Admin for Delegation. If you must customize: durable customization.
  • #36 Join The Community