Overview
Vinson Tan, IDM Sales Consulting
September 2010

Oracle Identity Management Solutions

IDM Framework
Diagram labels: Applications; Web Services; Authentication; Authorization; Access Check; Password Rules; Roles; Users; One Time Password; ID Lifecycle Management; Account Provisioning & Reconciliation; Access Policy; Role Resolution & Assignment; Role Mgmt; Databases; Directories; Office Automation; Fine-Grained Access Control; Smart Card; Fraud Detection; Application Password Management; Self Service; Delegated Admin; Federated Services; Risk Models; Access Risk Management; High Performance LDAP ID Store; Virtualization.

Oracle Security Inside Out
Layers: Databases; Applications; Content; Infrastructure; Information.
- Identity Management: User Provisioning; Role Management; Entitlements Management; Risk-Based Access Control; Virtual Directories
- Database Security: Encryption and Masking; Privileged User Controls; Multi-Factor Authorization; Activity Monitoring and Audit; Secure Configuration
- Information Rights Management: Document-level access control; All copies, regardless of location (even beyond the firewall); Auditing and revocation
Oracle Confidential

Oracle Identity Management: Most Comprehensive, Integrated
- Access Management: Access Manager; Adaptive Access Manager; Enterprise Single Sign-On; Identity Federation; Entitlements Server
- Identity Administration: Identity Manager
- Directory Services: Internet Directory; Virtual Directory; Directory Server Enterprise Edition
- Audit & Compliance: Identity Analytics
- Operational Manageability: Enterprise Manager
- Oracle Platform Security Services

Oracle IdM Suite 11g Architecture
- Applications: Enterprise Apps; Oracle LOB / Fusion; ISV
- Identity & Access: OAM; OAAM; OIF; OES; OIM; ORM; OWSM; OAS4OS
- Identity Services (Standards Based): Authentication; Authorization; Federation; Trust; Identity Admin; Provisioning; Role Mgmt.; Policy Mgmt.
- Technology (FMW & IdM): Virtualization (OVD); Orchestration (BPEL PM); Deploy & Install; User Interface
- Persistence (Standards Based): LDAP (OID); DB; File

Access Management Product Portfolio
Diagram labels: Platform Security for Java; User Administration; Core Infrastructure; Common Audit Framework; Access; Identity; Shared Services; Audit; Risk.

IDENTITY ADMINISTRATION

Oracle Identity Administration
- User Self Service & Delegated Administration
- Oracle Identity Manager
- Password Management
- Organization Administration
- Role Administration & Lifecycle Management
- Request Management for Registration, Roles, Accounts & Entitlements
- User Provisioning for Roles, Accounts & Entitlements
- Provisioning & Reconciliation Connector Framework
- Applications Integration & Connectors

Identity Lifecycle Mgmt: Policy based Provisioning
Diagram labels: Provisioned Applications; Identity; New Contractor; Approval; Self Registration; Role Mgmt; New Employee; HRMS; Revoked Applications; Reconciliation Engine; Identity Store; Access Policy; Workflow; Connector; User; Group.

Role Based User Provisioning
Diagram labels: Role Mgmt; SAP; HRMS; GRANT / REVOKE.

Oracle Identity Manager
- Automate Roles Based Provisioning / Deprovisioning
- Identify orphaned accounts
- Report on Who has access to what
- Self-service requests
Diagram labels: HR System; Approval Workflows; Employee Joins / Departs; Applications.

SoD Compliant Provisioning
- Preventative Simulation
- Conflict Analysis
- SoD Policy Simulation
Diagram labels (steps 1 to 3): SoD Validation Request; OIA Applications SoD Engine; OIM Identity Administration; Resource Approval Workflow; Resource; Analysis; Simulation; SoD Validation Response; Resource Provisioning Workflow; Provision SoD compliant entitlement assignments.

Automated De-Provisioning
Diagram labels: Identity Store; Identity Lifecycle Management; Manual Task: Revoked Cell Phone Store; Reconciliation Engine; Terminated Employee; HRMS; Revoked Applications; Connector; Provisioning Workflow.

Self Service and Delegated Admin
- Delegated Admin; Self-Service
- Self Service Account Requests
- Delegated Administration
- Password Reset and Profile Management
Diagram labels: Manager assigning proxy user; User doing password reset.

Extranet Provisioning
- Millions of users and hundreds of organizations but simpler provisioning policies
- User/company registration, account and password management
- Multi-tier delegated administration and compliance reporting
- Self registration
Diagram labels: Internet; Delegated admin; Password reset; Customers, Partners, Suppliers; SSO/LDAP; CRM/Billing; User; Organization; Social Networking User.

Available Out-of-The-Box Connectors
Database Servers; Directory Servers; Enterprise Applications; Enterprise Messaging; Operating Systems; Security Management; Help Desk; RACF; ACF2; TopSecret.

ACCESS MANAGEMENT

Oracle Access Management
- Comprehensive security for applications, data, documents and web services
- End-to-end authentication, single sign-on, and fine grained application protection
- Innovative anomaly detection, transaction security, and multi-factor authentication
- Extensive 3rd party integrations
Copyright 2010, Oracle. All rights reserved

Oracle Access Management Suite Plus
- Entitlements Server: Entitlements Management; Fine Grained Authorization
- Adaptive Access Manager: Risk-based Authentication; Real-time Fraud Prevention
- Information Rights Mgt.: Security Beyond Firewalls; Auditing and Revocation
- Access Manager / ESSO: Web Access Control; Single Sign-On
- Identity Federation: Partner SSO & Identity Federation; Fedlet SP integration
- OpenSSO STS: Security Token Management; Identity Propagation

Access Management 11g Architecture
- Authentication & SSO; Identity Federation; Security Token Service; Fraud Prevention; Authorization & Entitlements
- Shared Services for Access (SSA): Token Processing; Session Management; Trust Management
- Shared Services for Identity (SSI): Password Policy; Password Reset; Delegated Admin
- AuthN; Identity; AuthZ; Credential; Common Key Store; SSL
- Oracle WebLogic Server
- Oracle Platform Security Services: AuthN Services; Identity Services; AuthZ Services; Credential Store; Common Audit Framework; Key Store Services; SSL Configuration
- Domain Management; Deployment Management; Post Install Configuration

Enable Single Sign-On
- Oracle Access Manager / Oracle Enterprise Single Sign-On
- Desktop Login; Extranet & Intranet SSO
- Stronger Authentication
- Audit User Access
Diagram labels: Custom Applications; Portals; Corporate Directory; Employees; Business Applications; Oracle ESSO Suite.

OAM Architecture
(architecture diagram)

Identity Federation (OIF)
- Flexible integration framework
- Lightweight SP integration via Fedlet
- Support for industry standards, SAML, WS-Federation
- Enterprise-ready operational management and monitoring
Diagram: Identity Provider (Establish Identity; Filter attributes; Assert Identity) passes identity to Service Provider (Map Attributes; Link Identities; Maintain session; Pass Identity Attributes to Apps).

Identity Providers and Service Providers
- Domain B trusts Domain A
- Domain A acts in an Identity Provider role
- Domain B acts in a Service Provider role
Use Case: Account Mapping. The user has accounts with both federation partners and there's a common element available for mapping.

Oracle Information Rights Management: Securing all copies of your sensitive information
- NO ACCESS FOR UNAUTHORIZED USERS
- Transparent, revocable access for authorized users
- Centralized policy and auditing for widely distributed content
- Content security beyond the database, application and firewall
Diagram labels: ECM; Email; File systems; Intranet/extranet; Databases; Oracle IRM Server; Enterprise perimeters; Customer; Supplier; Partner; Everywhere IRM-encrypted content is stored, transmitted or used.

Oracle Entitlements Server
Oracle Entitlements Server (OES) is a Fine-Grained Entitlements Management Solution that provides centralized policy management and distributed, runtime policy enforcement for applications and SOA.
Diagram labels: Custom Apps; Packaged Apps; Databases; Access Check Services; Entitlement Data; Identity Directories; Users; Request; Grant; Deny.

Fraud Prevention (OAAM)
- Strengthened authentication
- Real-time anomaly detection
- Preventative actions
- Reporting and forensics
Diagram labels: Secure Login; Challenge Model; Risk; Evaluate transactions; Analysis and Forensics; Detect Anomalies; Challenge or Block.

OAAM Risk Analytics
User Profile; Device Fingerprint; IP Geolocation; Application & Contextual Data.

Web Services Security & STS (OWSM)
- Comprehensive enterprise security and token services
- Shared security services: authN, authZ, tokens
- Support for industry standards, XACML, SOAP
- Centralized policy management
Diagram labels: Authorization; Authentication; Valid Web Service?; Issue, renew, validate Credentials; Authorize / Enforce Access; Authorize / Deny Access; Evaluate Policies; Re-route service; Trust Authority / Token Service.

DIRECTORY SERVICES

Directory Services: Combined Oracle-Sun Solution
- Oracle Virtual Directory: Real-time consolidation of disparate identity stores
- Oracle Internet Directory: High Performance Directory, built on Oracle Database; Ideally suited for Oracle applications and environments
- Oracle Directory Server EE (previously Sun Directory Server EE): High Performance Directory with native LDAP store; Ideally suited for heterogeneous environments

Centralized Identity Data
- Virtualize LDAP, DB, Web Service ID Sources
- Single LDAP View
- Virtually Consolidate first, then Retire ID Stores
- Rapidly Expose Identity Data to Applications
Diagram labels: Internal users and attributes; External users and attributes; Mergers and Acquisitions users and attributes; HR Apps; Directories; Custom Applications; Portals; LDAP; Multiple DBMS; Mainframe; Business Applications.

Directory Services Manager
Diagram labels: Web Services; Directories.

Customer References
Most ASEAN Telecom runs Oracle Identity Management.

Local Customers
- Bank Mandiri: Year 2007; Target System 7; User Count 18,000; IDM Products OIM
- Indosat: Year 2007; Target System 23; User Count 8,000; IDM Products OIM, OAM, ESSO, OVD/OID
- XL Axiata: Year 2008; Target System 47; User Count 8,800; IDM Products OIM
- Telkomsel: Year 2009; Target System 33; User Count 12,000; IDM Products OIM, OAM, OVD/OID

Case Study: Indosat
SSO & Unified, Automated Identity & Access Management
PT Indosat tbk provides fixed and wireless voice, data, and internet services. The company is Indonesia's second-largest telecommunications provider with around 32 million subscribers.
BUSINESS CHALLENGE
- Implement an identity management solution to minimize the risk arising from unauthorized system access
- Demonstrate compliance with Sarbanes-Oxley legislation by ensuring clear audit trails for all transactions
- Improve IT security operations control
- Support new business opportunities such as mobile banking
ORACLE SOLUTION
- Oracle Identity Manager
- Oracle Access Manager
- Oracle Enterprise Manager
- Oracle Enterprise Single Sign-on
- Oracle Internet Directory
RESULTS
- Integrated identity management solution with 55 business and telecommunications applications, including billing, enterprise resource planning, human resources, customer relationship management, and telco management products
- Enabled fulfilling up to 2,000 requests for user names and passwords a day
- Eased IT workload, with two staff members overseeing the identity management process for 6,000 users
- Fulfilled Sarbanes-Oxley requirements and enhanced IT security control by establishing clear audit trails and enabling the production of accurate compliance reports

Provision & Access Accounts Enterprise-Wide
Diagram labels: Applications; Portals; Suppliers; HR & Biz Applications; Identity Lifecycle; Office Automation; Physical Items; Access & Control; Databases & OS/Legacy; Customers; Employees; Other Sources; Flat Files; Databases; Directories.

Q & A