Enterprise Identity Management Reference Architecture
Umut Ceyhan, Principal Sales Consultant, IDM SEE
Agenda
  Introduction
    Virtualization
    Access Management
    Provisioning
  Demo Architecture
    Reference Architecture
    Provisioning
    Virtualization & Access Management (WebSSO)
  Solution Components
  Scenarios
  Conclusion
  Q&A
Introduction
Basic Concepts: What is Identity Management?
Identity Management (IdM) is an integrated system of business processes, policies and technologies that enable organizations to facilitate and control their users' access to critical online applications and resources while protecting confidential personal and business information from unauthorized users. -Wikipedia
Basic Concepts: Virtualization
A way to provide a consolidated view of distributed user identity from multiple, often disparate, data sources without having to construct an entire directory infrastructure. Implemented in the form of middleware, a virtual directory is a lightweight service that operates between applications and identity data. A virtual directory receives queries and directs them to the appropriate data sources. -Wikipedia
Basic Concepts: Access Management
Web Access Management controls access to Web resources, providing:
* Authentication Management
* Policy-based Authorization
* Audit & Reporting Services (optional)
* Single sign-on Convenience
-Wikipedia
Basic Concepts: Enterprise Provisioning
Typically managed by a CIO, and necessarily involves human resources and IT departments cooperating to: give users access to data repositories or grant authorization to systems, networks, applications and databases based on a unique user identity, and appropriate for their use hardware resources, such as computers, mobile phones and pagers. As its most central responsibility, the provisioning process monitors access rights and privileges to ensure the security of an enterprise's resources and user privacy. As a secondary responsibility, it ensures compliance and minimizes the vulnerability of systems to penetration and abuse. -Wikipedia
Demo Architecture
Building Blocks of Architecture
[Diagram: Access Management (AAA) - WebSSO, FGA, Risk Management; App 1, App 2, App 3; Virtualization - LDAP v2/3.0, MS AD, DB; Provisioning - Trusted Res., Trusted Res.]
Virtualization: Identity Information Proxy
3 User Repositories:
  MS Active Directory - Employees
  Sun iPlanet Dir. Server - Contractors
  MyCompany CRM Database - Customers
Virtualized View: dc=mycompany,dc=ovd (LDAP listener)
  Employees: ou=employees,dc=mycompany,dc=ovd
  Contractors: ou=contractors,dc=mycompany,dc=ovd
  Customers: ou=customers,dc=mycompany,dc=ovd
Alternative Listeners: LDAP, DSML, WS, Custom etc.
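The slide above describes the core of a virtual directory: one LDAP namespace (dc=mycompany,dc=ovd) whose subtrees are served by three different backends, each with its own native schema. The following is an added example written for this page; it is not Oracle Virtual Directory code. It implements that routing in miniature: the three backends are constructed in-memory stand-ins for MS Active Directory, the Sun iPlanet Directory Server and the MyCompany CRM database, the sample records are invented, and the adapter and route names are assumptions. The security-relevant point it shows is that applications query one schema at one listener, and never hold credentials for, or know the attribute layout of, the individual repositories.

```python
"""Toy virtual directory: one LDAP-style namespace routed to three backends.

Added example, not Oracle Virtual Directory code. The three backends are
constructed in-memory stand-ins for MS Active Directory (employees), the Sun
iPlanet Directory Server (contractors) and the MyCompany CRM database
(customers); the virtual DNs are the ones shown on the slide.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

VIRTUAL_BASE = "dc=mycompany,dc=ovd"

# Constructed backend contents. Each backend keeps its own native schema, which
# is exactly the difference a virtual directory hides from applications.
ACTIVE_DIRECTORY = {
    "umut": {"sAMAccountName": "umut", "givenName": "Umut", "sn": "Ceyhan", "department": "Sales"},
}
IPLANET = {
    "jdoe": {"uid": "jdoe", "cn": "John Doe", "sn": "Doe"},
}
CRM_DB = [
    {"customer_id": 1001, "login": "acme", "company": "ACME Ltd", "email": "it@acme.example"},
]


# Adapters map a backend's native record onto one common LDAP-like schema.
def _ad_adapter(rec: dict) -> dict:
    return {"uid": rec["sAMAccountName"], "cn": f"{rec['givenName']} {rec['sn']}",
            "sn": rec["sn"], "ou": rec["department"]}


def _iplanet_adapter(rec: dict) -> dict:
    return {"uid": rec["uid"], "cn": rec["cn"], "sn": rec["sn"]}


def _crm_adapter(rec: dict) -> dict:
    return {"uid": rec["login"], "cn": rec["company"], "mail": rec["email"]}


# Routing table: virtual subtree -> (backend name, record fetcher, adapter).
Route = Tuple[str, Callable[[], Iterable[dict]], Callable[[dict], dict]]
ROUTES: Dict[str, Route] = {
    f"ou=employees,{VIRTUAL_BASE}": ("MS Active Directory", ACTIVE_DIRECTORY.values, _ad_adapter),
    f"ou=contractors,{VIRTUAL_BASE}": ("Sun iPlanet Directory Server", IPLANET.values, _iplanet_adapter),
    f"ou=customers,{VIRTUAL_BASE}": ("MyCompany CRM Database", lambda: CRM_DB, _crm_adapter),
}


def _normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN comparison, enough for this toy."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(base_dn: str, uid: Optional[str] = None) -> List[dict]:
    """Answer an LDAP-style search against the virtual tree.

    base_dn below one subtree -> only that backend is queried (routing);
    base_dn == virtual root    -> every backend is queried (consolidated view).
    A uid filter is applied after adaptation, so callers filter on the common
    schema and never need to know the backend's attribute names.
    """
    base = _normalize_dn(base_dn)
    if base == _normalize_dn(VIRTUAL_BASE):
        targets = list(ROUTES.items())
    else:
        targets = [(sub, r) for sub, r in ROUTES.items() if base == _normalize_dn(sub)]
        if not targets:
            raise LookupError(f"no such object: {base_dn}")
    results: List[dict] = []
    for subtree, (backend, fetch, adapt) in targets:
        for rec in fetch():
            entry = adapt(rec)
            if uid is not None and entry["uid"] != uid:
                continue
            entry["dn"] = f"uid={entry['uid']},{subtree}"
            entry["source"] = backend
            results.append(entry)
    return results
```

A search with base ou=customers,dc=mycompany,dc=ovd touches only the CRM adapter, while a search at the root fans out to all three and returns entries that all carry the same attribute names; an unknown subtree is refused rather than silently searched everywhere.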
Virtualization
Solution Components
Oracle Identity Manager
Benefits:
  Reduced administration cost
  Cost effective regulatory compliance
  Improved security
  Improved service level
Features:
  Identity life-cycle management for the heterogeneous enterprise
  Approval and provisioning workflows
  Complete integration solutions: OOTB connectors & Adapter Factory
  Deep integration to ERP and HRMS
  Audit and compliance reporting and process automation
Oracle Access Manager (Web)
Benefits:
  Centralized and consistent security across heterogeneous environments
  Reduced administration cost
  Improved end user experience
Features:
  Web single-sign-on
  Common policy management
  Multi-level, multi-factor authentication management
  Workflow driven self-service and delegated administration
  Web Services interfaces
Oracle Virtual Directory
Benefits:
  Rapid application deployment
  Tighter controls on identity data
  Real-time identity information access
Features:
  Modern Java & Web Services technology
  Virtualization, proxy, join & routing capabilities
  Superior extensibility
  Scalable multi-site administration
  Direct data access
Demo Scenarios
Sample User HR Data
  Userid: umut
  First Name: umut
  Last Name: ceyhan
  Organization: Consultancy / Sales / HR / Finance
  Employee Type: Full-Time / Part-Time / Contractor
  User Title: Sales Consultant / Account Manager etc.
  Location: Athens / London / Berlin
Identity Roles
Consultancy Role (Members of Consultancy Organization)
  Target Resources: MS Active Directory (OU=Consultancy), MS Exchange (mail quota 5MB), Oracle Internet Directory
  Denied Resources: iPlanet Dir. Server
Sales Role (Members of Sales Organization)
  Target Resources: MS Active Directory (OU=Sales), MS Exchange (mail quota 10MB), Oracle Internet Directory
  Denied Resources: iPlanet Dir. Server
Identity Roles
Contractor Role (Contractors)
  Target Resources: Sun iPlanet Dir. Server
  Denied Resources: MS Active Directory, MS Exchange
Self Service Request, Resource without Role: Mobile Phone
Demo Scenarios: Identity Lifecycle - 1, On-boarding (JOIN)
  Reconciliation from HR: Consultant Role; Provision Targets: AD, Exchange, OID
  Reconciliation from HR: Contractor Role; Provision Targets: iPlanet Dir. Server
  Manual Creation of Customer Identity on Sample CRM application
Demo Scenarios: Virtualization
  Walking through Virtualized Services: MS Active Dir., iPlanet, Oracle DB
  Features of OVD
Demo Scenarios: Access Management & WebSSO
  Access Management & WebSSO Services
  Checking Central AuthN, AuthZ, Auditing Policies: Employee Portal, Contractor Portal, Customer Portal
  Brief info for integration with custom applications
  WNA Integration for better user convenience
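The demo slide above checks central authentication, authorization and auditing policies across three portals, and the Oracle Access Manager slide lists multi-level authentication among the features. The following is an added example written for this page, not Oracle Access Manager code, showing what such a central policy decision point does in the simplest form: URL-prefix policies, a per-resource minimum authentication level (so an area can demand a stronger scheme such as Kerberos/WNA), default deny for unprotected URLs, and an audit record for every decision. The portal paths, user types, authentication-level numbers and sessions are all constructed assumptions.

```python
"""Central policy-based authorization with audit for three portals.

Added example, not Oracle Access Manager. The three portals come from the demo
slide; the URL prefixes, user types, authentication levels and the session
format are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Strength of each authentication scheme (constructed ordering). A protected
# resource may demand a minimum level, which is what "multi-level
# authentication" means in practice: a password session is not enough for a
# level-2 resource and the user is sent through a stronger scheme first.
AUTH_LEVELS: Dict[str, int] = {"password": 1, "kerberos_wna": 2, "certificate": 3}

# Central policy store: (URL prefix, user types allowed, minimum auth level).
# Longest matching prefix wins, so the admin area can be stricter than its parent.
POLICIES: List[Tuple[str, Set[str], int]] = [
    ("/employee/", {"employee"}, 1),
    ("/contractor/", {"contractor"}, 1),
    ("/customer/", {"customer"}, 1),
    ("/employee/admin/", {"employee"}, 2),
]


@dataclass
class Session:
    user: str
    user_type: str      # employee / contractor / customer, taken from the identity store
    auth_scheme: str    # how this SSO session was established


@dataclass
class Decision:
    allowed: bool
    reason: str


# Audit trail of every decision, allowed or not (the "Auditing" part of the demo).
AUDIT: List[Dict[str, str]] = []


def _match_policy(url: str) -> Optional[Tuple[str, Set[str], int]]:
    best = None
    for prefix, types, level in POLICIES:
        if url.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, types, level)
    return best


def authorize(url: str, session: Optional[Session]) -> Decision:
    """Policy decision for one request; every outcome is written to AUDIT."""
    policy = _match_policy(url)
    if policy is None:
        decision = Decision(False, "no policy: default deny")
    elif session is None:
        decision = Decision(False, "unauthenticated: redirect to login")
    else:
        prefix, types, min_level = policy
        if session.user_type not in types:
            decision = Decision(False, f"{session.user_type} not permitted on {prefix}")
        elif AUTH_LEVELS.get(session.auth_scheme, 0) < min_level:
            decision = Decision(False, f"step-up required: level {min_level}")
        else:
            decision = Decision(True, f"policy {prefix}")
    AUDIT.append({
        "user": session.user if session else "-",
        "url": url,
        "allowed": str(decision.allowed),
        "reason": decision.reason,
    })
    return decision
```

Keeping the policy table and the audit list outside the portals is the point of the slide: each portal only asks `authorize()` and never carries its own copy of who may enter, so a change made centrally applies to all three at once and the audit trail is complete rather than scattered per application.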
Demo Scenarios: Identity Lifecycle - 2, Change in User Profile (MOVE)
  Trusted Recon for Identity Profile Attributes from HR
  Organization Change: Consultancy to Sales Role
  Change in HR: Contractor to Consultant Role
Demo Scenarios: Delegated Administration
  Self Service Request for Mobile Phone
    Request for entitlements
    Approval workflow for Mobile Phone
    Review & Modify of requested entitlements by Manager
  Manual Provisioning workflow
    Manual provisioning by Delegated Administrator
Demo Scenarios: Identity Lifecycle - 3, Off-boarding (LEAVE)
  Status change in user information in HR
  Automatic user deprovisioning
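The "Identity Roles" slides and the three lifecycle scenarios (JOIN, MOVE, LEAVE) together describe one mechanism: roles are derived from trusted HR attributes, each role carries target and denied resources, and provisioning is whatever difference exists between the accounts a user has and the accounts the roles say they should have. The following is an added example written for this page, not Oracle Identity Manager code, that carries those three scenarios through in code using the role and resource names from the slides; the HR record fields, the action strings and the rule that a deny always wins over a grant are assumptions of this example.

```python
"""Rule-based role assignment and provisioning diff for JOIN / MOVE / LEAVE.

Added example, not Oracle Identity Manager code. Role names, target resources,
mail quotas and denied resources follow the "Identity Roles" slides; the HR
record layout and the action vocabulary are constructed for this example.
"""
from typing import Dict, List, Set, Tuple

# Role definitions: targets (with resource-specific settings) and resources the
# role must never hold.
ROLES: Dict[str, Dict[str, object]] = {
    "Consultancy": {
        "targets": {"MS Active Directory": {"ou": "Consultancy"},
                    "MS Exchange": {"quota_mb": 5},
                    "Oracle Internet Directory": {}},
        "denied": {"iPlanet Directory Server"},
    },
    "Sales": {
        "targets": {"MS Active Directory": {"ou": "Sales"},
                    "MS Exchange": {"quota_mb": 10},
                    "Oracle Internet Directory": {}},
        "denied": {"iPlanet Directory Server"},
    },
    "Contractor": {
        "targets": {"iPlanet Directory Server": {}},
        "denied": {"MS Active Directory", "MS Exchange"},
    },
}


def assign_roles(hr: Dict[str, str]) -> Set[str]:
    """Derive roles from the trusted HR record (membership rules from the slides)."""
    if hr.get("status") == "terminated":
        return set()                       # LEAVE: no roles, so everything is removed
    if hr.get("employee_type") == "Contractor":
        return {"Contractor"}
    org = hr.get("organization")
    return {org} if org in ROLES else set()  # e.g. HR / Finance have no role defined here


def target_resources(roles: Set[str]) -> Dict[str, dict]:
    """Union of all roles' targets, minus anything any role denies.

    Deny wins over grant (assumption of this example): if a person somehow holds
    Contractor and Consultancy at once, the AD and Exchange accounts are not
    created, because the Contractor role forbids them.
    """
    denied: Set[str] = set()
    for r in roles:
        denied |= ROLES[r]["denied"]
    targets: Dict[str, dict] = {}
    for r in roles:
        for res, cfg in ROLES[r]["targets"].items():
            if res not in denied:
                targets[res] = cfg
    return targets


def reconcile(current: Dict[str, dict], hr: Dict[str, str]) -> Tuple[Dict[str, dict], List[str]]:
    """Provisioning actions that bring the existing accounts in line with HR.

    Returns (desired accounts, ordered action list). Deprovisioning is emitted
    first so that a MOVE never leaves a user briefly holding both old and new
    entitlements, and a LEAVE produces only removals.
    """
    desired = target_resources(assign_roles(hr))
    actions: List[str] = []
    for res in sorted(set(current) - set(desired)):
        actions.append(f"deprovision {res}")
    for res in sorted(set(desired) - set(current)):
        actions.append(f"provision {res} {desired[res]}")
    for res in sorted(set(desired) & set(current)):
        if desired[res] != current[res]:
            actions.append(f"update {res} {current[res]} -> {desired[res]}")
    return desired, actions
```

Run against the sample user: joining as a Consultancy employee provisions AD, Exchange (5MB) and OID; moving to Sales changes only the AD OU and the Exchange quota; a terminated status deprovisions all three. A contractor record yields an iPlanet account only, and because denied resources are subtracted after the union, no combination of roles can grant AD or Exchange to a contractor.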
Demo Scenarios: Compliance and Auditing
  Reporting
    Operational Reports: Who has what etc. 22
    Historical Reports: Who had what etc. 15
  Attestation Configuration and Running: Mobile Phone Attest.
  SOD features
  Access policies
Conclusion
Leader in Magic Quadrants
  User Provisioning, H2 2007
  Web Access Management, H2 2007
Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Market Leader According To Forrester
"Oracle has established itself as Leader." - The Forrester Wave: Identity And Access Management, Q1 2008
"Oracle reached the top of our evaluation through a combination of the breadth, depth, interoperability, and packaging of its IAM features alongside the strategy and current state of market execution on its application-centric identity vision." - The Forrester Wave: Identity And Access Management, Q1 2008
Service Oriented Security
SECURITY AS A SERVICE!
Service Oriented Security: Business Drivers
  Security is not an infrastructural issue any more
  NO BOLTING-ON SECURITY
  Security always at the application lifecycle
  SOA is the perfect technological foundation
Service-Oriented Security: Expected Solutions
  SOA Enabled Applications
  Security as a Service
  Fine Grained Authorization
  Identity Governance
Q & A
Case Studies
Case Study: Swedish Police
BUSINESS CHALLENGE
  Establish secure and centralized management of identities across multiple enterprise directories & applications, incorporating process workflows
  End users and managers have poor visibility into in-process and completed provisioning workflows
  Protect against locally administered changes to user entitlements made directly within the target systems
  Poor management of user certificates within RSA Keon
ORACLE SOLUTION
  Oracle Identity Manager selected over Novell in March 2005
  Highly flexible and extensible product
  Superior support for onboarding and analysis mechanisms for orphan account detection
  Support for rollback/undo and escalation
  Mature product with solid architecture
  Flexibility and customizability
RESULTS
  Significant cost avoidance (est. over $1M) for identity synchronization, workflow & administration functionality
  Establishment of automated role & rule-based assignment of access privileges to all managed systems
  Improvement of information quality by centralizing user records and cleaning existing data
  Detailed and easily accessible audit functionality
Case Study: Polish Police
BUSINESS CHALLENGE
  Highest requirement for security and availability
  Need for strong encryption (PKI) and delegated management
  Support for local and central applications
  Environment contains applications that cannot be modified, and the network is not 100% reliable
ORACLE SOLUTION
  Oracle Identity and Access Management Suite
  Oracle Internet Directory in Multimaster Cluster HA
  Oracle VPD
  Oracle Consulting Services
  Oracle Partner Services
RESULTS
  Single clustered LDAP repository of all employees and authentication attributes
  Single point of identity creation (including PKI)
  24/7 availability: local distributed LDAPs with fallback to the central server
  Access policy management both central and delegated