An Oracle White Paper January 2010. Access Certification: Addressing & Building on a Critical Security Control



Similar documents
Oracle Role Manager. An Oracle White Paper Updated June 2009

Achieving Sarbanes-Oxley Compliance with Oracle Identity Management. An Oracle White Paper September 2005

Product Lifecycle Management in the Medical Device Industry. An Oracle White Paper Updated January 2008

Attestation of Identity Information. An Oracle White Paper May 2006

An Oracle White Paper November Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime

An Oracle Communications White Paper December Serialized Asset Lifecycle Management and Property Accountability

Managing the Product Value Chain for the Industrial Manufacturing Industry

Oracle Data Integrator and Oracle Warehouse Builder Statement of Direction

Oracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003

Product Lifecycle Management in the Food and Beverage Industry. An Oracle White Paper Updated February 2008

Oracle Business Rules Business Whitepaper. An Oracle White Paper September 2005

Symantec Security Compliance Solution Symantec s automated approach to IT security compliance helps organizations minimize threats, improve security,

Oracle s BigMachines Solutions. Cloud-Based Configuration, Pricing, and Quoting Solutions for Enterprises and Fast-Growing Midsize Companies

An Oracle White Paper January Oracle Database Firewall

An Oracle White Paper October Siebel Financial Services Customer Relationship Management for Banking

An Oracle White Paper July Introducing the Oracle Home User in Oracle Database 12c for Microsoft Windows

An Oracle White Paper October An Integrated Approach to Fighting Financial Crime: Leveraging Investments in AML and Fraud Solutions

Accelerating the Transition to Hybrid Cloud with Oracle Managed Cloud Integration Service

MANAGING A SMOOTH MARKETING AUTOMATION SOFTWARE IMPLEMENTATION

Oracle Mobile Cloud Service. A Complete Strategy for Developing, Deploying, and Monitoring Mobile Apps

March Oracle Business Intelligence Discoverer Statement of Direction

An Oracle White Paper January Oracle Database Firewall

The Yin and Yang of Enterprise Project Portfolio Management and Agile Software Development: Combining Creativity and Governance

October A New Standard for Excellence. Transforming Education and Research with Oracle Innovation

An Oracle White Paper April, Spend Management Best Practices: A Call for Data Management Accelerators

The Benefits of a Unified Enterprise Content Management Platform

INFORMATION SIMPLIFIED

The Next Generation of Local Government: Transforming Non-Emergency and 311 Call Center Solutions to a Complete Constituent Experience

How To Manage Content Management With A Single System

An Oracle White Paper February Real-time Data Warehousing with ODI-EE Changed Data Capture

An Oracle White Paper June Integration Technologies for Primavera Solutions

An Oracle White Paper May 2011 BETTER INSIGHTS AND ALIGNMENT WITH BUSINESS INTELLIGENCE AND SCORECARDS

The Oracle Mobile Security Suite: Secure Adoption of BYOD

An Oracle White Paper June Tackling Fraud and Error

The Case for a Stand-alone Rating Engine for Insurance. An Oracle Brief April 2009

Addressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations

The Role of Data Integration in Public, Private, and Hybrid Clouds

An Oracle White Paper August Higher Security, Greater Access with Oracle Desktop Virtualization

10 Questions to Ask Your On-Demand Contact Center Provider. An Oracle White Paper September 2006

ORACLE AGILE PLM FOR THE MEDICAL DEVICE INDUSTRY

CRM On Demand now hosted locally in Europe. An Oracle White Paper 2011

ORACLE BUSINESS INTELLIGENCE APPLICATIONS FOR JD EDWARDS ENTERPRISEONE

<Insert Picture Here> Oracle Identity And Access Management

Oracle Identity Management for SAP in Heterogeneous IT Environments. An Oracle White Paper January 2007

INFORMATION CONNECTED

An Oracle White Paper March Integrating Microsoft SharePoint Server With Oracle Virtual Directory

Oracle SQL Developer Migration. An Oracle White Paper September 2008

Lowering E-Discovery Costs Through Enterprise Records and Retention Management. An Oracle White Paper March 2007

Business Intelligence and Service Oriented Architectures. An Oracle White Paper May 2007

An Oracle White Paper November Knowledge-Infused Customer Relationship Management: A Game-Changing Investment for Customer Support

The Business Case for Information Management An Oracle Thought Leadership White Paper December 2008

Improve your Customer Experience with High Quality Information

April Oracle Higher Education Investment Executive Brief

ETPL Extract, Transform, Predict and Load

Manage Oracle Database Users and Roles Centrally in Active Directory or Sun Directory. Overview August 2008

PROACTIVE ASSET MANAGEMENT

Oracle Business Intelligence Enterprise Edition Plus and Microsoft Office SharePoint Server. An Oracle White Paper October 2008

Integrating Tutor and UPK Content: A Complete User Documentation Solution. An Oracle White Paper April 2008

ORACLE HYPERION DATA RELATIONSHIP MANAGEMENT

Managed Storage Services

A Comprehensive Solution for API Management

How To Manage It Asset Management On Peoplesoft.Com

Evolution from the Traditional Data Center to Exalogic: An Operational Perspective

Monitoring and Diagnosing Production Applications Using Oracle Application Diagnostics for Java. An Oracle White Paper December 2007

Oracle Financial Services Broker Compliance

ORACLE VM MANAGEMENT PACK

An Oracle White Paper September Adapting to PeopleSoft Continuous Delivery

Oracle Business Intelligence Applications Overview. An Oracle White Paper March 2007

PRIMAVERA CONTRACT MANAGEMENT

An Oracle White Paper May The Role of Project and Portfolio Management Systems in Driving Business and IT Strategy Execution

Highmark Unifies Identity Data With Oracle Virtual Directory. An Oracle White Paper January 2009

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004

Oracle Cloud for Midsize Service Companies. An Oracle Industry Brief

Oracle Data Integrator 12c (ODI12c) - Powering Big Data and Real-Time Business Analytics. An Oracle White Paper October 2013

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Oracle Data Integrator and Oracle Warehouse Builder Statement of Direction

ORACLE APPLICATION ACCESS CONTROLS GOVERNOR FOR PEOPLESOFT

Introduction. Automated Discovery of IT assets

Oracle On Demand Infrastructure: Virtualization with Oracle VM. An Oracle White Paper November 2007

Oracle Documents Cloud Service. Secure Collaboration for the Digital Workplace

Power Reply and Oracle Utilities

An Oracle White Paper December Tutor Top Ten List: Implement a Sustainable Document Management Environment

ORACLE FINANCIALS ACCOUNTING HUB

An Oracle White Paper June Oracle Linux Management with Oracle Enterprise Manager 12c

Express Implementation for Electric Utilities

An Oracle White Paper. December Cloud Computing Maturity Model Guiding Success with Cloud Capabilities

Transcription:

An Oracle White Paper January 2010 Access Certification: Addressing & Building on a Critical Security Control

Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 2

Table of Contents 1. Executive Summary... 4 2. The Forces Driving Security Controls Related to Access... 4 3. Using Access Certification to Address Critical Issues... 5 4. Key Criteria for an Access Certification Solution... 6 5. Oracle Identity Analytics... 8 6. Oracle Identity Analytics at Work in the Real World... 9 7. Conclusion... 10 3

1. Executive Summary Today s enterprise faces multiple, multi-faceted business challenges in which the management of employees and partners access to enterprise resources is vital. Foremost among these, is the challenge of complying with an ever-growing number of regulations governing the integrity and privacy of enterprise data. With the need to protect data comes, of course, the need to closely manage access to it by knowing at all times who has access to resources and whether their access is appropriate, and by providing documentation of this information in the event of an audit. But compliance is not the only challenge in today s enterprise. Even more critical is the need to operate an agile business that can respond quickly and competitively to business opportunities and competitive threats. Operating such a business while remaining compliant is a tall order. To succeed, a company must have an identity and access management (IAM) infrastructure in place to ensure that people have access to all the resources they need (but none of those they don t), and to prove in audits that access is being managed correctly and in compliance with internal security policies and external regulations. Moreover, this infrastructure must be based on efficient and effective processes that free people to focus on the growth of the business without having to devote undue time and budget to its security. This paper will examine these often conflicting demands on the enterprise and show how access certification technology makes it possible to meet them, first by enabling access control compliance, and second, by laying the foundation for a strong IAM infrastructure. It will: Describe the forces driving security controls related to access Explain how access certification addresses these issues Discuss the key criteria for an access certification solution Introduce Oracle Identity Analytics for access certification Present real-world examples of Oracle solution deployments 2. The Forces Driving Security Controls Related to Access Ongoing and Growing Pressure to Prove Compliance In the alphabet soup of regulations governing business around the world today, one of the most pressing concerns is the integrity and privacy of data. From Sarbanes-Oxley, with its emphasis on the integrity of financial information, to the Health Insurance Portability and Accountability Act (HIPAA) and other industry-specific laws protecting data privacy, regulations force companies to focus on access. They have specifically led to increased scrutiny of assigned access to enterprise systems, applications, and data. It is vital for companies to know and even more important to be able to prove who has 4

access to what, whether that access is appropriate, and what is being done about it if it isn t. Insider Threats Resulting from Inappropriate Access The need to closely govern access to systems and resources extends beyond complying with regulations to protecting enterprise assets. The threat posed by inappropriate access is grave. One can look all the way back to the 1990s, when accounting fraud caused the collapse of Barings Bank and when unauthorized trading resulted in nearly $2 billion in losses for the London Metal Exchange. And such problems have continued to proliferate; consider, for example, the 2008 Société Générale trading loss incident in which fraudulent transactions by an employee caused the bank to lose billions. Clearly, these insider threats must be eradicated and an important step toward that is eliminating opportunities for inappropriate access to systems by rogue traders and other insiders. Need to Expand Reach and Manage Risk While security is critical to preventing business losses, it must be balanced against the openness that is equally critical to achieving business agility in the Web 2.0 era. Systems must be locked down to the extent that they keep out malevolent efforts to gain access from inside or from outside the enterprise. But at the same time, they must be open enough to ensure that everyone who is working in the best interests of the enterprise can get their jobs done. Open access must be coupled with access control to achieve this careful balance between agility and security. A business that is secure in its ability to appropriately control access to its resources will be empowered to apply those resources to bold and confident growth and expansion. 3. Using Access Certification to Address Critical Issues The forces described in the previous chapter are leading companies to take action to address the following: Understanding who has access to what systems, applications, and data Validating that the assigned access is correct and appropriate Documenting and providing evidence for both of the above Understanding, Validating, and Documenting Access An effective technology solution for access certification can provide a clear and comprehensive understanding of who has access to what resources by automatically consolidating and correlating entitlement data from throughout the enterprise and reporting on user access across enterprise systems and applications. In addition, such a 5

solution will speed and increase the accuracy of access review and validation through the use of automation. An effective solution will also empower decision makers to revoke any inappropriate access that it detects so that the enterprise can enforce policies in areas such as separation of duties and least privilege. Finally, it will provide reports leveraging the resulting audit trail to provide evidence that assigned access has been reviewed and, where necessary, corrected. Maintaining Security Within and Beyond the Enterprise Access certification is critical to maintaining security, particularly in guarding against access violations that could lead to security breaches. Regularly scheduled access reviews ensure that users are assigned the appropriate minimum access necessary to do their jobs and no more. Event-based access reviews that are triggered by transfers, promotions, or terminations ensure that internal employees do not aggregate access as they move throughout the organization and that both internal and external users do not retain access when their relationships with the organization end. Laying a Foundation for IAM Initiatives to Manage Risk Identity and access management is the cornerstone of an enterprise s ability to extend its reach while still managing business risk. Access certification technology lays the foundation for initiatives in this area in several ways. It accomplishes the fundamental work of consolidating and correlating identity and access data the same data that can be used in provisioning and role management. The entire process of certification by its very nature cleanses the consolidated data, leaving an excellent foundation on which to build. 4. Key Criteria for an Access Certification Solution Comprehensive Automation An effective access certification solution should automate the entire certification process, from building a warehouse of entitlements, to scheduling and monitoring certifications, to providing ongoing tracking and reporting. The solution should have the functionality to automatically: Import entitlement data from the existing IT infrastructure and from any enterprise application, and to correlate entitlement data from multiple sources to a single identity Schedule both manager and application-owner certifications based on business priorities and monitor to ensure that reviews are completed on schedule Track revocations of or modifications to access and ensure that the appropriate 6

changes are made throughout the IT infrastructure Generate reports to alert administrators to existing or potential access policy violations, remediations, and exceptions, and to demonstrate compliance with regulatory requirements Minimal Customization and Programming Requirements As an enterprise extends its reach to include increasing numbers of external partners and their resources, it becomes increasingly important for the access certification solution to work seamlessly with those partners and their systems, applications, and data. It should not require substantial customization or programmatic development to work with external resources. Integration with Provisioning and Role Management An access certification solution that can be integrated with a company s provisioning and role management processes enables complete life-cycle management of security policy violations and the access revocations that are associated with those violations. This closed-loop approach makes it possible to: Efficiently and effectively automate the removal of inappropriate access while capturing the appropriate audit information Increase compliance effectiveness by ensuring that business roles are consistently being defined based on correctly assigned access Get to the point where you are able to assign, attest, and audit access using roles Depth of Vendor Expertise The right access certification solution should come from a vendor with a deep understanding of the interrelationships between core identity challenges, processes, and solutions. The vendor should: Provide expertise in compliance management that encompasses expertise in inextricably related areas such as provisioning, role management, and directory services Demonstrate an understanding of, and the ability to effectively respond to challenges in areas such as Web access management and secure Web services Have the experience, expertise, and services to serve as a strong architecture and design resource that can guide your efforts to build an effective identity infrastructure 7

5. Oracle Identity Analytics Oracle Identity Analytics is a comprehensive solution for automating every aspect of the access certification process. It is specifically designed to be easily integrated with existing and planned components of the enterprise identity infrastructure. Comprehensive Capabilities Oracle Identity Analytics serves as a platform for automating the full range of existing manual compliance processes relating to access certification and access policy enforcement. The solution includes capabilities to: Automatically collect and correlate identity data from multiple enterprise resources Dynamically generate certification populations to ensure that certifications are performed by the appropriate business owners Automate detection of existing and potential policy violations in critical compliance areas such as segregation of duties (SoD) and unauthorized aggregation of privilege Report extensively on certification status, policy violations, and other access-related information, reducing the need to manually gather this type of data for audits Easily Integrated with Existing Infrastructures Oracle Identity Analytics leverages agent-less connectors and a general-purpose extract, transform, and load (ETL) based data collection capability for correlating entitlement data generated from any enterprise resource. This can dramatically: Reduce the time, cost, and complexity of implementing the solution Simplify the process of working with growing numbers of external partners and their applications Accelerate business value, with ROI typically achieved within 90 days of implementation Part of a Complete Portfolio of Identity Solutions Oracle Identity Analytics is part of Oracle s complete identity management & administration portfolio for ensuring security and maintaining compliance, which means that it can: Integrate seamlessly with Oracle Identity Manager for provisioning and auditing, Oracle Access Manager for access management, and Oracle s Directory offerings for directory services Oracle Identity Analytics is also designed to integrate seamlessly with other identity access management products and with leading SIEM and IT GRC vendors to provide a comprehensive compliance solution. 8

From the Recognized Leader in Identity Management Oracle identity management has been recognized as a leader in a number of analyst reports, including the Gartner User Provisioning Magic Quadrant, the Gartner Magic Quadrant for Web Access Management, and the Forrester Wave report on provisioning. Oracle: Offers expertise not just in access certification in particular and compliance management in general, but also in provisioning, role management, and directory services Provides a complete portfolio of solutions to address emerging challenges in Web access management and secure Web services Goes beyond the technology to provide consulting services and support from a proactive services and enablement team Teams with business consulting and systems integration firms to help deliver additional consulting services for successful technology deployments Product details are available at www.oracle.com/oracleidentityanalytics6. Oracle Identity Analytics at Work in the Real World The financial industry is undoubtedly one of the most highly regulated in the world, subject not only to broadly applied regulations such as Sarbanes-Oxley, but also to a growing number of industry-specific regulations. Accurately certifying user access particularly with regard to high-risk transactions is an important part of complying with the various laws that govern the industry. To improve its regulatory compliance, a leading global investment bank recently automated its access certification process using Oracle technology. Goal: Improve Access Certification With 350,000 users distributed across 40,000+ business units, and with more than 100,000 accounts having access to high-risk transactions, the company required an effective solution for certifying access on a very large scale. Oracle Identity Analytics solution made it possible to automate the entire access certification process through an implementation that included: Building an identity warehouse to serve as a common repository for application security data and user entitlement data for 350,000 users, along with business descriptions for entitlements Ensuring that SoD policies are defined and enforced across all users and applications, with 200+ SoD policies defined and applied to the 350,000 users Generating 10,000+ certifications (for 100,000 user accounts) and routing them to 15,000 business unit managers all within a 60-day timeframe Performing a mass clean-up of orphaned accounts that were identified during the 9

data-loading phase, which involved remediating 200,000 financially critical transactions across various applications Identifying SoD policy violations in 60,000+ user accounts and routing them to the appropriate business owners to revoke the errant access Deployment of the Oracle solution enabled the organization to achieve the following benefits: Reducing the amount of time and budget devoted to access certification by automating its traditional manual process Reducing the security and compliance risk associated with access to high-risk transactions Ensuring compliance with SoD policy by automating its enforcement across the enterprise Lessening the risk of being cited for noncompliance by accelerating the time required to certify access in general and to identify and remediate violations in particular 7. Conclusion Access certification technology is an invaluable tool for helping an enterprise manage its efforts to comply with the many regulations that govern businesses across a variety of industries today. Automating the certification process increases certification accuracy and effectiveness, which in turn improves compliance and reduces risk. An Identity Compliance solution provides the organization with a clear understanding of their users' identities and access rights to critical business information and services and establishes compliance controls for ensuring that access is correct and remains correct. It enables the organization to answer those key questions: Who has access to what, when? Who approved those access privileges? Are the access rights in line with policy? With an automated solution, compliance requirements can be met and proven with minimum cost to the organization. Additionally, cost savings can be extended across the enterprise by utilizing the information gathered in a compliance exercise to refine your identity and access management program. Access control compliance is an ideal first step towards strengthening the security of business services and information, and reducing risk by evolving your identity management practices. 10

Access Certification January 2010 Author: Mathew Hamlin Contributing Author: Neil Gandhi Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com Copyright 2009, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. 0109

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information