
Sun Identity Manager and Integration with SAP GRC

Hakan Terzioglu
Solution Architect
Sun Software Practice

Agenda

• Business Drivers for Identity Management


• Sun’s Identity Management Solution
• Sun Java System Identity Manager
> Provisioning/Workflow
> Profile Management
> Password Management
> High-scale provisioning
> Auditing
> Reporting
• SAP GRC Overview
• Integrating Sun IdM and SAP GRC
• Summary and Questions
Pressure Points for IT
Auditor Perspective:
Show me processes for prevention AND show me proof
Top 10 Control Violations
• Unidentified or unresolved segregation of duties
• OS access controls on financial apps or portal not secure
• DB access supporting financial applications not secure
• Dev staff can run business transactions in production
• Lots of users with access to “super user” transactions
• Previous employees or consultants have system access
• Posting periods not restricted within GL application
• Custom programs, tables and interfaces are not secured
• Procedures for manual processes do not exist or are not followed
• System docs do not match actual process

Source: Ken Vander Wal, Partner, National Quality Leader, E&Y; ISACA Sarbanes Conference, 4/6/04
Auditing & Provisioning Integration
Identity Auditing: Addressing the Need for Monitoring and Enforcement
Vision: Monitoring and Enforcement of Identity Controls

Preventative (Identity Lifecycle Management): “What should a user have access to”
• Password Management
• Delegated Admin
• Synchronization
• Automated provisioning
• Approval Workflow
• Reporting

Detective (Monitoring and Enforcement): “What does a user have access to”
• Reporting
• Audit Policy
• Periodic Access Review
• Separation of Duty Checks
• Monitoring of Excessive Access
• Role & Policy Reconciliation
Compliance Landscape: Identity Auditing Is The Intersection Point

[Figure: three overlapping control domains. Security Controls: Intrusion Detection, Physical Access, Security Event Management, Password Mgmt, Identity Provisioning. Business Process Controls: BPM/SOA, ERP Compliance Controls (e.g. Approva, Virsa). Information Controls: Role Mgmt, Config Mgmt, Document Mgmt. Identity Auditing sits at the intersection of the three, and the identity components together form ILM.]
Vision: Extending Identity Controls

[Figure: the same three domains (Security Controls, Business Process Controls, Information Controls) with the identity components (Identity Provisioning, Identity Auditing, Password Mgmt, Role Mgmt, ILM) extended across all three.]
Sun Identity Management Suite

Access/Federation Manager
• Partner single sign-on
• Account linking
• Global log-out

Directory Server
• Directory services
• Virtual directory services
• Security/failover services
• Data distribution services
• AD synch services

Identity Manager
• Automated Provisioning
• Password Management
• Identity Synchronization
• Identity Auditing
• Identity Compliance

Role Manager
• Role Engineering
• Role Maintenance
• Role Certification

Open Directory Server
• Next Generation Directory Server
• Open source
• 100% Java
• Fully tested and documented

Open Single-Sign On
• Open Source Web Single Sign On
• Includes Federation Services

3+ Billion Identities Under Management
Provisioning Lifecycle

New Users
• User info entered in HR or user self-registers
• Accounts provisioned to enterprise systems, applications, directories
• Non-digital resources assigned and/or initiated

Change Events & User Support
• Job/role/status changes
• Password changes and resets
• Profile information changes
• Additional requests for account access or non-digital resources

Users Leave
• Employee status updated in HR
• Partner contact changes
• Customer closes account
• Accounts disabled & removed
• Non-digital resources retrieved and/or cancelled
Provisioning Challenges

[Figure: a grid of account names across NT, Exchange, RACF, AD, SecurID and Oracle, showing one person's accounts scattered across resources under unrelated names. The worked example links a single identity to: NT c_woo, Exchange claytonw, RACF A49382, AD woo2, SecurID cw33, Oracle cwoo.]

Identity Management
• Account Discovery
• Account Mapping
• Account Risk Analysis
• Account Disable / Removal
• Account Provisioning

The solution must provide
• Central audit trail/accountability
• Secure delegation of administration
• Automated workflow/approvals
• Security policy enforcement
• Standards-based interfaces
Provisioning Today: Fragmented, Manual and Insecure

[Figure: Partners, Employees, Customers and Former Employees are each handled separately by the Human Resources System, Call Center, Help Desk and Facilities/Purchasing, which in turn set up Exchange and Active Directory, Oracle Financials, Siebel CRM, Chargeable Assets and Other Assets.]
• Chargeable Assets: mobile phone/service, conference call account, credit card
• Other Assets: office space, phone, laptop
Provisioning with Sun IdM

[Figure: the same Partners, Employees, Customers and Former Employees flow from HR and the Approving Manager through Identity Manager, which provisions Exchange and Active Directory, Oracle Financials, Siebel CRM, Chargeable Assets (mobile phone/service, conference call account, credit card) and Other Assets (office space, phone, laptop).]
• Reduced risk
• Complete view of user’s identity
• Efficient, automated operations
Provisioning: Agent-less Connector Architecture
• Minimizes agent deployment
• Eliminates agent administration
• Enables faster deployment

[Figure: Identity Manager (Identity Synchronization, Provisioning, Profile Management, Password Management) on an App Server with its Databases connects over native security protocols (i.e. SSA, SSH, SSL etc.) to Directories, Operating Systems, Databases, Mainframes and Business Applications; a Gateway serves NT/Active Directory and a Resource Adapter Wizard serves Custom Applications.]
Provisioning: Virtual Identity Manager, works in Real Time
• Minimizes deployment time
• Eliminates operational challenges
• Manage centrally, enforce locally

[Figure: Identity Manager (Identity Synchronization, Provisioning, Profile Management, Password Management) on an App Server with its Databases acts as a “Virtual Identity Manager” in front of Directories, Operating Systems, Databases, Business Applications and Mainframes.]
Provisioning: Account Auto-Discovery
• Logical management of multiple disparate identities
• Reduces risk of “orphaned” privileges

[Figure: Identity Manager discovers the accounts Jsmith (Email Application), jms (Business Application) and SmithJ (Directories) and links them to one “Virtual Identity”, Joe Smith.]
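The discovery-and-mapping step that the Provisioning Challenges slide and this Account Auto-Discovery slide describe, as an added example that is not Sun IdM code: correlation rules of decreasing confidence (employee id, then mail, then display name) link discovered accounts to HR identities, anything left unlinked is an orphan, and accounts still held by terminated people are flagged. The HR records, resources, account names and attributes are constructed.

```python
"""Account auto-discovery: link accounts found on several resources to one
identity and flag the leftovers. Added example, not Sun IdM code; the HR
records, resources and account attributes below are constructed."""
from dataclasses import dataclass

@dataclass
class Identity:
    employee_id: str
    first: str
    last: str
    email: str
    status: str              # "active" or "terminated" (constructed HR field)

# Constructed HR feed: the authoritative list of who should hold access.
HR = [
    Identity("E100", "Joe", "Smith", "joe.smith@example.com", "active"),
    Identity("E200", "Clayton", "Woo", "clayton.woo@example.com", "terminated"),
]

# Constructed accounts discovered per resource: (resource, account id, attributes).
DISCOVERED = [
    ("email", "Jsmith", {"mail": "Joe.Smith@example.com"}),
    ("business_app", "jms", {"employee_id": "E100"}),
    ("directory", "SmithJ", {"cn": "Joe Smith"}),
    ("nt", "c_woo", {"cn": "Clayton Woo"}),
    ("racf", "A49999", {}),  # nothing links this account to anyone in HR
]

def correlate(hr, discovered):
    """Apply correlation rules in decreasing order of confidence: employee id,
    then mail, then display name. Returns (owned, orphans, stale): owned maps
    employee id -> linked accounts, orphans are accounts with no owner, stale
    are terminated people who still hold accounts."""
    by_id = {p.employee_id: p for p in hr}
    by_mail = {p.email.lower(): p for p in hr}
    by_name = {f"{p.first} {p.last}".lower(): p for p in hr}
    owned = {p.employee_id: [] for p in hr}
    orphans = []
    for resource, account, attrs in discovered:
        owner = (by_id.get(attrs.get("employee_id"))
                 or by_mail.get(attrs.get("mail", "").lower())
                 or by_name.get(attrs.get("cn", "").lower()))
        if owner is None:
            orphans.append((resource, account))   # candidate for disable/removal
        else:
            owned[owner.employee_id].append((resource, account))
    stale = [p.employee_id for p in hr
             if p.status == "terminated" and owned[p.employee_id]]
    return owned, orphans, stale
```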
Workflow
• Capable of complex processes
> Multi-step approvals
> Robust notification framework
> Silent Directory data transformations
> Can include digital and non-digital assets
• Task persistence
> Task recovery
> Administrator queues
> Escalation
• Automatic network/resource error compensation with notification
• Diverse execution models
> Synchronous, concurrent or hybrid workflows
> Independent thread forked processes
> Deferred/scheduled processes to execute at a preset time
• Ease of Development with NetBeans IDE
NetBeans UI – Workflow Editor
NetBeans UI – Source Code View
Profile Management
• Single-point end-user account self-service
> Basic account self-service and attribute management
> e.g. name, address, email address, etc.
> Single-point password sync/reset
> Integrated challenge/response for forgotten passwords
• Anonymous sign-up process
> With full workflow/approval enablement
> Full end-user self-subscription at Identity Server “Service” level
• Integrated workflow, approvals & audit

Password Management Today:

[Figure: Users (Partners, Employees, Customers, Temporary Employees) all go through one Process, the Help Desk, to reach the Environment: Exchange and Active Directory, Siebel CRM, Unix, PeopleSoft, Oracle Financials, RACF and the Human Resources System.]
Password Management
• Self-service password reset & synchronization
> Convenient access through:
> Web browser
> IVR system
> Network log-in (Windows)
• Automated password policy enforcement
> Password history store
> Password exclusion dictionary
> Help desk integration to track password-related activity
• Reporting on self-service password resets
> Number of password resets
> Number of password changes
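The history store and exclusion dictionary from the policy-enforcement bullets above, as an added example that is not Sun IdM code: history is kept as salted PBKDF2 digests rather than cleartext, and the dictionary check normalises case, trailing digits and common letter substitutions before matching. The policy values and the dictionary words are constructed.

```python
"""Password policy enforcement with a history store and an exclusion
dictionary. Added example, not Sun IdM code; policy values are constructed."""
import hashlib, hmac, os, re

HISTORY_DEPTH = 5     # constructed policy: the last 5 passwords may not be reused
EXCLUSION = {"password", "welcome", "sunmicro", "summer", "winter"}  # constructed
LEET = str.maketrans("0143$@!", "oiaesai")   # undo common substitutions for lookup

def _digest(password: str, salt: bytes) -> bytes:
    """History entries are salted PBKDF2 digests, never the cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def violates_dictionary(password: str, exclusion=EXCLUSION) -> bool:
    """True if the normalised password contains an excluded word: lower-case,
    strip leading/trailing digits, then map 0/1/4/3/$/@/! back to letters."""
    core = re.sub(r"^\d+|\d+$", "", password.lower()).translate(LEET)
    return any(word in core for word in exclusion)

class PasswordHistory:
    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.entries = []          # (salt, digest) pairs, newest last

    def seen(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, s), d)
                   for s, d in self.entries)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        self.entries = self.entries[-self.depth:]   # keep only the last N

def check_change(history: PasswordHistory, new_password: str) -> list:
    """Return the policy violations for a proposed password; an empty list
    means the change is accepted and recorded in the history store."""
    problems = []
    if len(new_password) < 8:
        problems.append("too_short")
    if violates_dictionary(new_password):
        problems.append("in_exclusion_dictionary")
    if history.seen(new_password):
        problems.append("reused_from_history")
    if not problems:
        history.remember(new_password)
    return problems
```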
Password Management With Sun

[Figure: the same Users (Partners, Employees, Customers, Temporary Employees) reach the Environment (Exchange and Active Directory, Siebel CRM, Unix, PeopleSoft, Oracle Financials, RACF, Human Resources System) through a self-service Process, including Interactive Voice Response (IVR).]
Auditing: It’s all about Control
• Creation and management of audit policies
• Audit Scanning
• S.O.D. Reporting
• Remediation/mitigation of audit violations using Workflow
• Periodic Access Review (a.k.a. Attestation/Recertification)
• Partnerships for deep ERP compliance (SAP, Approva)
• Auditing Reports available OOTB
> Separation of Duties Report
> Audit Violation History Report
> Audit Policy Summary
> Resource Violation History
> and more!
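The audit-policy scan and S.O.D. reporting listed above, as an added example that is not Sun IdM or SAP GRC code: each policy names two entitlements that must not meet in one person, roles are expanded to entitlements before the check, and an approved mitigating control reports a hit as mitigated rather than open so the remediation workflow only picks up the open ones. Policies, roles, users and mitigations are constructed.

```python
"""Separation-of-duties scan over user entitlements. Added example, not
Sun IdM or SAP GRC code; policies, roles and users are constructed."""

# Constructed audit policies: pairs of entitlements one person must not hold.
SOD_POLICIES = {
    "P01_create_vendor_and_pay": ("AP:create_vendor", "AP:release_payment"),
    "P02_dev_and_prod": ("SAP:dev_transport", "SAP:prod_execute"),
}
# Constructed role definitions: a role expands to the entitlements it grants.
ROLES = {
    "ap_clerk": {"AP:create_vendor"},
    "ap_manager": {"AP:release_payment"},
    "developer": {"SAP:dev_transport"},
    "basis_admin": {"SAP:prod_execute", "SAP:dev_transport"},
}
# Constructed assignments: entitlements come via roles and/or direct grants.
USERS = {
    "jsmith": {"roles": ["ap_clerk"], "direct": set()},
    "cwoo": {"roles": ["ap_clerk", "ap_manager"], "direct": set()},
    "rlee": {"roles": ["developer"], "direct": {"SAP:prod_execute"}},
    "basis1": {"roles": ["basis_admin"], "direct": set()},
}
# Constructed mitigating controls: accepted exceptions with an owner and expiry.
MITIGATIONS = {("basis1", "P02_dev_and_prod"): {"owner": "ciso", "expires": "2024-12-31"}}

def effective_entitlements(user, roles=ROLES):
    """Flatten role membership plus direct grants into one entitlement set."""
    ents = set(user["direct"])
    for r in user["roles"]:
        ents |= roles[r]
    return ents

def scan(users=USERS, policies=SOD_POLICIES, mitigations=MITIGATIONS):
    """Return violations as (user, policy, status). 'open' needs remediation;
    'mitigated' is an approved exception the auditor should still see."""
    findings = []
    for name, user in sorted(users.items()):
        ents = effective_entitlements(user)
        for pid, (a, b) in policies.items():
            if a in ents and b in ents:
                status = "mitigated" if (name, pid) in mitigations else "open"
                findings.append((name, pid, status))
    return findings
```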
Periodic Access Review

[Figure: a cycle of Begin Audit → Attestation → Identify & Correct Violations → Recertification.]
• Manager is requested to perfo
• Logs into Identity Manager and
• IM generates PAR report detailing e
• Manager chooses to Mitigate and/o
• Once all issues are resolved, manager is confident and can then attest/recertify access rights for d
Reporting
Example reports include:
• Number of password resets
• Number of password changes
• Number of Resource Accounts created
• Number of Resource Accounts deleted
• Ability to create your own usage reports

Reports can be customized!!


Technology Partners
• Business Role Management
• Enterprise Application Controls Management
• ESSO
SAP GRC Overview

Integrating SAP GRC
with Sun IdM

Why Sun ?
• Business Centric
> Identity is a business problem first, technology second
> Bringing business and IT strategy to deliver secure business processes, services, applications
• Open
> Open Source, Open Access, Open Standards
> Reduces risk, improves transparency
• Best in Class
> Complete, market leading, highly modular
> Delivers scale and performance

Sun is the leading Identity infrastructure provider
Learn More
• Web Page: sun.com/identity/rolemanager
• Identity Insights: a membership program for identity management
• White Papers: solutions for business-level issues
• Podcasts & Videos: topical discussions and interviews
Questions & Answers

Thank You

Hakan Terzioglu
hakan.terzioglu@Sun.com
