Enterprise Identity Management Reference Architecture
Agenda
• Introduction
  • Virtualization
  • Access Management
  • Provisioning
• Demo Architecture
  • Reference Architecture
  • Provisioning
  • Virtualization & Access Management (WebSSO)
  • Solution Components
• Scenarios
• Conclusion
Basic Concepts
What is Identity Management?
Identity Management (IdM) is an integrated system of business processes, policies and technologies that enables organizations to facilitate and control their users' access to critical online applications and resources — while protecting confidential personal and business information from unauthorized users.
Basic Concepts
Virtualization
A way to provide a consolidated view of distributed user identity from multiple, often disparate, data sources without having to construct an entire directory infrastructure.
Implemented in the form of middleware, a virtual directory is a lightweight service that operates between applications and identity data. A virtual directory receives queries and directs them to the appropriate data sources…
Basic Concepts
Access Management
Web Access Management controls access to Web resources, providing:
• Authentication Management
• Policy-based Authorization
• Audit & Reporting Services (optional)
• Single sign-on Convenience
Basic Concepts
Enterprise Provisioning
Typically managed by a CIO, and necessarily involves human resources and IT departments cooperating to:
• give users access to data repositories or grant authorization to systems, networks, applications and databases based on a unique user identity, and appropriate for their use;
• give users access to hardware resources, such as computers, mobile phones and pagers.
As its most central responsibility, the provisioning process monitors access rights and privileges to ensure the security of an enterprise's resources and user privacy. As a secondary responsibility, it ensures compliance and minimizes the vulnerability of systems to penetration and abuse.
Building Blocks of Architecture (diagram)
• Virtualization layer over the LDAP v2/3.0, MS AD and DB repositories
• Provisioning to trusted resources
• App 1, App 2, App 3
• Access Management (AAA) – WebSSO, FGA, Risk Management
Virtualization
Identity Information Proxy
• 3 User Repositories
  • MS Active Directory – Employees
  • Sun iPlanet Dir. Server – Contractors
  • MyCompany CRM Database – Customers
• Virtualized View: dc=mycompany,dc=ovd – LDAP listener
  • Employees: ou=Employees,dc=mycompany,dc=ovd
  • Contractors: ou=Contractors,dc=mycompany,dc=ovd
  • Customers: ou=Customers,dc=mycompany,dc=ovd
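The virtualized view above, worked as an added example in Python (not Oracle Virtual Directory's code): a toy router takes an LDAP search base under dc=mycompany,dc=ovd, picks the backend(s) by branch, and adapts each backend's native attribute names to one virtual schema. The backend records, their attribute names and the adapter functions are constructed for this example; a real deployment reaches the repositories over LDAP or JDBC.

```python
"""Toy virtual-directory router.

Added example (not Oracle Virtual Directory's code): models the three
repositories from the slides, presented under the single virtual suffix
dc=mycompany,dc=ovd. The backend records and their native attribute names
are constructed sample data.
"""

VIRTUAL_SUFFIX = "dc=mycompany,dc=ovd"

# Constructed backend data, each in its own native schema.
AD_EMPLOYEES = [
    {"sAMAccountName": "umut", "givenName": "Umut", "sn": "Ceyhan", "department": "Sales"},
    {"sAMAccountName": "alice", "givenName": "Alice", "sn": "Smith", "department": "Finance"},
]
IPLANET_CONTRACTORS = [
    {"uid": "bob", "givenName": "Bob", "sn": "Jones"},
]
CRM_CUSTOMERS = [
    {"customer_id": "c100", "first_name": "Carol", "last_name": "White"},
]


def normalize_dn(dn):
    """Case-fold and trim each RDN so DN comparison ignores case and spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


# Adapters translate a backend's native record into the virtual schema.
def ad_adapter(row):
    return {"uid": row["sAMAccountName"], "cn": f"{row['givenName']} {row['sn']}"}


def iplanet_adapter(row):
    return {"uid": row["uid"], "cn": f"{row['givenName']} {row['sn']}"}


def crm_adapter(row):
    return {"uid": row["customer_id"], "cn": f"{row['first_name']} {row['last_name']}"}


# Routing table: (virtual branch, backend name, native rows, adapter).
ROUTES = [
    (f"ou=Employees,{VIRTUAL_SUFFIX}", "MS Active Directory", AD_EMPLOYEES, ad_adapter),
    (f"ou=Contractors,{VIRTUAL_SUFFIX}", "Sun iPlanet Dir. Server", IPLANET_CONTRACTORS, iplanet_adapter),
    (f"ou=Customers,{VIRTUAL_SUFFIX}", "MyCompany CRM Database", CRM_CUSTOMERS, crm_adapter),
]


def route(base_dn):
    """Select the backends that serve a search base.

    The suffix itself fans out to every backend; a base at or below one
    branch goes to that branch only; a base outside the virtual namespace
    is served by nobody, so the client gets an empty result rather than
    data from the wrong repository.
    """
    base = normalize_dn(base_dn)
    if base == normalize_dn(VIRTUAL_SUFFIX):
        return list(ROUTES)
    for entry in ROUTES:
        branch = normalize_dn(entry[0])
        if base == branch or base.endswith("," + branch):
            return [entry]
    return []


def search(base_dn, uid=None):
    """Virtual LDAP search: fan out, adapt, and tag each entry with its virtual DN."""
    results = []
    for branch, backend, rows, adapt in route(base_dn):
        for row in rows:
            entry = adapt(row)
            if uid is not None and entry["uid"] != uid:
                continue
            entry["dn"] = f"uid={entry['uid']},{branch}"
            entry["source"] = backend
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in search(VIRTUAL_SUFFIX):
        print(e["dn"], "<-", e["source"])
```

The router deliberately returns nothing for a base outside dc=mycompany,dc=ovd instead of falling through to a default backend; a search scope and a filter language would be the next things a real proxy adds.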
Oracle Identity Manager
• Benefits
  • Reduced administration cost
  • Cost effective regulatory compliance
  • Improved security
  • Improved service level
• Features
  • Identity life-cycle management for the heterogeneous enterprise
  • Approval and provisioning workflows
  • Complete integration solutions: OOTB connectors & Adapter Factory
  • Deep integration to ERP and HRMS
  • Audit and compliance reporting and process automation
Oracle Access Manager
• Benefits
  • Centralized and consistent security across heterogeneous environments
  • Reduced administration cost
  • Improved end user experience
• Features
  • Web single-sign-on
  • Common policy management
  • Multi-level, multi-factor authentication management
  • Workflow driven self-service and delegated administration
  • Web Services interfaces
Oracle Virtual Directory
• Benefits
  • Rapid application deployment
  • Tighter controls on identity data
  • Real-time identity information access
• Features
  • Modern Java & Web Services technology
  • Virtualization, proxy, join & routing capabilities
  • Superior extensibility
  • Scalable multi-site administration
  • Direct data access
• Userid: umut
• First Name: umut
• Last Name: ceyhan
• Organization: Consultancy / Sales / HR / Finance
• Employee Type: Full-Time / Part-Time / Contractor
• User Title: Sales Consultant / Account Manager etc.
• Location: Athens / London / Berlin
Identity Roles
• Consultancy Role (Members of Consultancy Organization)
  • Target Resources:
    • MS Active Directory (OU=Consultancy)
    • MS Exchange (mail quota 5MB)
    • Oracle Internet Directory
  • Denied Resources: iPlanet Dir. Server
• Sales Role (Members of Sales Organization)
  • Target Resources:
    • MS Active Directory (OU=Sales)
    • MS Exchange (mail quota 10MB)
    • Oracle Internet Directory
Identity Roles
• Contractor Role (Contractors)
  • Target Resources:
    • Sun iPlanet Dir. Server
  • Denied Resources:
    • MS Active Directory
    • MS Exchange
• Self Service Request Resource without Role:
• On-boarding (JOIN)
  • Reconciliation: HR – Consultant Role
    • Provision Targets: AD, Exchange, OID
  • Reconciliation: HR – Contractor Role
    • Provision Targets: iPlanet Dir. Server
  • Manual Creation of Customer Identity
    • On Sample CRM application
Demo
• Walking through Virtualized Services
  • MS Active Dir., iPlanet, Oracle DB
  • Features of OVD
Demo
• Access Management & WebSSO Services
  • Checking Central AuthN, AuthZ, Auditing Policies: Employee Portal, Contractor Portal, Customer Portal
  • Brief info for integration with custom applications
  • WNA Integration for better user convenience
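The central AuthN, AuthZ and auditing policies checked in this demo, as an added example in Python (not Oracle Access Manager's code): each portal URL pattern names the authentication scheme it requires and the virtual-directory branch (ou) whose members may enter; every decision is written as one audit line. The sessions are constructed; ranking WNA (Kerberos) above a login form, first-match policy order, and default-deny for unlisted URLs are assumptions of this example, as are the URL prefixes.

```python
"""Toy web access management policy: central AuthN, AuthZ and audit.

Added example (not Oracle Access Manager's code). The three demo portals
are protected by URL-pattern policies; sessions and audit records are
constructed. Scheme ranking, first-match ordering and default-deny are
assumptions of this example.
"""
import fnmatch
import json

# Authentication schemes ranked by assurance level (assumption).
SCHEME_LEVEL = {"form": 1, "WNA": 2}

# Ordered policy list; the first matching resource pattern applies.
POLICIES = [
    {"resource": "/employee/*",   "authn": "WNA",  "allow_ou": {"employees"}},
    {"resource": "/contractor/*", "authn": "form", "allow_ou": {"employees", "contractors"}},
    {"resource": "/customer/*",   "authn": "form", "allow_ou": {"customers"}},
]

AUDIT_LOG = []  # one JSON line per decision, as a central audit service would keep


def ou_of(dn):
    """Collect the ou= RDN values from a DN such as uid=umut,ou=Employees,dc=mycompany,dc=ovd."""
    return {part.strip()[3:].lower() for part in dn.split(",")
            if part.strip().lower().startswith("ou=")}


def find_policy(url):
    for policy in POLICIES:
        if fnmatch.fnmatchcase(url, policy["resource"]):
            return policy
    return None


def evaluate(session, url):
    """Return 'ALLOW', 'DENY' or 'CHALLENGE:<scheme>' for one request.

    session is None for an unauthenticated request, otherwise a dict with
    'uid', 'dn' and 'authn' (the scheme that established the session).
    Authentication is checked before authorization: a session established
    with a weaker scheme than the policy requires is stepped up, not denied.
    """
    policy = find_policy(url)
    if policy is None:
        decision = "DENY"  # unlisted resource: default deny
    elif session is None or SCHEME_LEVEL[session["authn"]] < SCHEME_LEVEL[policy["authn"]]:
        decision = f"CHALLENGE:{policy['authn']}"
    elif ou_of(session["dn"]) & policy["allow_ou"]:
        decision = "ALLOW"
    else:
        decision = "DENY"
    AUDIT_LOG.append(json.dumps({
        "uid": session["uid"] if session else None,
        "url": url,
        "policy": policy["resource"] if policy else None,
        "decision": decision,
    }))
    return decision


# Constructed sessions for the demo identities.
UMUT = {"uid": "umut", "dn": "uid=umut,ou=Employees,dc=mycompany,dc=ovd", "authn": "WNA"}
BOB = {"uid": "bob", "dn": "uid=bob,ou=Contractors,dc=mycompany,dc=ovd", "authn": "form"}
CAROL = {"uid": "c100", "dn": "uid=c100,ou=Customers,dc=mycompany,dc=ovd", "authn": "form"}

if __name__ == "__main__":
    for s, u in ((None, "/employee/home"), (UMUT, "/contractor/tasks"), (BOB, "/customer/orders")):
        print(u, evaluate(s, u))
    print("\n".join(AUDIT_LOG))
```

Because the decision is made centrally against the ou in the virtual DN, a user moved between branches by provisioning changes portal access without any per-application configuration, and the audit line records which policy produced each decision.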
Demo
• Change in User Profile (MOVE)
  • Trusted Recon for Identity Profile Attributes from HR
  • Organization Change: Consultancy → Sales
  • Role Change in HR: Contractor → Consultant Role
Demo
• Self Service Request for Mobile Phone
  • Request for entitlements
  • Approval workflow for Mobile Phone
  • Review & Modify of requested entitlements by Manager
• Manual Provisioning workflow
  • Manual provisioning by Delegated Administrator
Demo
• Off-boarding (LEAVE)
  • Status change in user information in HR
  • Automatic user deprovisioning
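The Identity Roles and the JOIN, MOVE and LEAVE scenarios above, as one added example in Python (not Oracle Identity Manager's code): the three roles are encoded with their target and denied resources, and a reconciliation step compares the accounts a user currently holds with what the HR record entitles them to, yielding the provision, modify and deprovision actions. HR records are constructed; restricting the Consultancy and Sales roles to non-contractor staff, and letting a denial win over a grant, are assumptions of this example.

```python
"""Role-based provisioning policy with JOIN / MOVE / LEAVE reconciliation.

Added example (not Oracle Identity Manager's code): encodes the three roles
from the Identity Roles slides and derives the provisioning actions for the
demo scenarios. HR records are constructed; the rule that ties the
Consultancy/Sales roles to non-contractor staff and the choice that a denial
always wins over a grant are assumptions of this example.
"""

# Role definitions: membership rule, target resources (with per-role
# settings) and denied resources, as listed on the slides.
ROLES = {
    "Consultancy Role": {
        "member": lambda u: u["organization"] == "Consultancy" and u["employee_type"] != "Contractor",
        "targets": {
            "MS Active Directory": {"OU": "Consultancy"},
            "MS Exchange": {"mail_quota_mb": 5},
            "Oracle Internet Directory": {},
        },
        "denied": {"Sun iPlanet Dir. Server"},
    },
    "Sales Role": {
        "member": lambda u: u["organization"] == "Sales" and u["employee_type"] != "Contractor",
        "targets": {
            "MS Active Directory": {"OU": "Sales"},
            "MS Exchange": {"mail_quota_mb": 10},
            "Oracle Internet Directory": {},
        },
        "denied": set(),
    },
    "Contractor Role": {
        "member": lambda u: u["employee_type"] == "Contractor",
        "targets": {"Sun iPlanet Dir. Server": {}},
        "denied": {"MS Active Directory", "MS Exchange"},
    },
}


def roles_for(user):
    return [name for name, role in ROLES.items() if role["member"](user)]


def entitlements_for(user):
    """Desired accounts: union of role targets, minus anything a role denies."""
    targets, denied = {}, set()
    for name in roles_for(user):
        targets.update(ROLES[name]["targets"])
        denied |= ROLES[name]["denied"]
    return {res: cfg for res, cfg in targets.items() if res not in denied}


def reconcile(current, user):
    """Compare provisioned accounts with the HR record.

    current: {resource: settings} as found on the target systems.
    Returns (provision, modify, deprovision). A user whose HR status is
    'Terminated' (LEAVE) has no desired accounts, so every existing one
    is deprovisioned.
    """
    desired = {} if user.get("status") == "Terminated" else entitlements_for(user)
    provision = {r: cfg for r, cfg in desired.items() if r not in current}
    modify = {r: cfg for r, cfg in desired.items() if r in current and current[r] != cfg}
    deprovision = sorted(r for r in current if r not in desired)
    return provision, modify, deprovision


# Constructed HR records for the demo user across the three scenarios.
UMUT_JOIN = {"userid": "umut", "organization": "Consultancy", "employee_type": "Full-Time", "status": "Active"}
UMUT_MOVE = dict(UMUT_JOIN, organization="Sales")
UMUT_LEAVE = dict(UMUT_MOVE, status="Terminated")


def demo():
    """Run JOIN -> MOVE -> LEAVE against an empty account store and return each step's actions."""
    accounts = {}
    steps = []
    for record in (UMUT_JOIN, UMUT_MOVE, UMUT_LEAVE):
        prov, mod, deprov = reconcile(accounts, record)
        for r in deprov:
            accounts.pop(r)
        accounts.update(prov)
        accounts.update(mod)
        steps.append((prov, mod, deprov))
    return steps


if __name__ == "__main__":
    for label, step in zip(("JOIN", "MOVE", "LEAVE"), demo()):
        print(label, step)
```

The MOVE step shows why reconciliation compares settings and not just resource names: the organization change keeps the same three accounts but must rewrite the AD OU and raise the mailbox quota, while a Contractor-to-Consultant role change provisions three new accounts and removes the iPlanet one.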
Demo
• Reporting
  • Operational Reports: Who has what etc.
  • Historical Reports: Who had what etc.
• Attestation
  • Configuration and Running: Mobile Phone Attest.
• SOD features
  • Access policies
Leader in Magic Quadrants
Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Market Leader According To
“Oracle has established itself as Leader.”
- The Forrester Wave: Identity And Access Management, Q1 2008
Oracle reached the top of our evaluation through a combination of the breadth, depth, interoperability, and packaging of its IAM features alongside the strategy and current state of market execution on its application-centric identity vision.
- The Forrester Wave: Identity And Access Management, Q1 2008
Service Oriented Security
Business Drivers
• Security is not an infrastructural issue any more
• NO BOLTING-ON SECURITY
• Security Always at Application lifecycle
Service-Oriented Security
Expected Solutions:
• Fine Grained Authorization
• Security as a Service
• Identity Governance
• SOA Enabled Applications
Case Study – Swedish Police
BUSINESS CHALLENGE
• Establish secure and centralized mgt of identities across multiple enterprise directories & applications - incorporation of process workflows
• End users and managers have poor visibility into in-process and completed provisioning workflows
• Protect against locally administered changes to user entitlements directly w/in the target systems
• Poor mgt of user certificates within RSA Keon
ORACLE SOLUTION
• Oracle Identity Manager selected over Novell in March 2005
• Highly flexible and extensible product
• Superior support for onboarding and analysis mechanisms for orphan account detection
• Support for rollback/undo and escalation
• Mature product with solid architecture
• Flexibility and customizability
RESULTS
• Significant cost avoidance (est. over $1M) for identity synchronization, workflow & administration functionality
• Establishment of automated role & rule-based assignment of access privileges to all managed systems
• Improvement of information quality by centralizing user records and cleaning existing data
• Detailed and easily accessible audit functionality
Case Study – Polish Police
BUSINESS CHALLENGE
• Highest requirement for security and availability
• Need for strong encryption (PKI), delegated management
• Support for local and central applications
• Environment has “Non touchable” applications and also is not a 100% reliable Network
ORACLE SOLUTION
• Oracle Identity and Access Management Suite
• Oracle Internet Directory in Multimaster Cluster HA
• Oracle VPD
• Oracle Consulting Services
• Oracle Partner Services
RESULTS
• Single Clustered LDAP repository of all employees and authentication attributes
• Single point of Identity creation (including PKI)
• 24/7 availability - local distributed LDAP’s with fallback to central server
• Access Policies management – both central and delegated