Simplifying Your Identity Management Implementation. Nelson Mak Sales Consulting Director, North Asia Identity Management and Security.
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
• Implementation Challenges
• Our Solution
• Case Studies
• Q&A
Why is Identity Governance hard to Implement? Key Challenges
• Multi-vendor, Fragmented Point Solutions
  • Costly integration with Support challenges
  • Specialized Knowledge
• Expensive Customizations
  • Expensive to implement, maintain & upgrade
• Scalability
  • 1000s of apps, millions of entitlements
  • Takes too long to on-board applications
Oracle Identity Governance – Cost Effective Deployment
• Platform Approach
  • Integration -> Converged
  • One Architecture
• Modern Tooling
  • Browser Based
  • Drag and Drop, Declarative
  • No XML editing, proprietary scripting or Java coding
Oracle Identity Governance – Governance Platform (architecture slide). Components shown: Connectors; Provision / De-Provision; Grant User Access; Monitor User Access; Privileged Account Check-in/Checkout; Request; Role Lifecycle Management; Identity Certifications; Reporting & Privileged Access Monitoring; IT Audit Monitoring; Rogue Detection & Reconciliation; Access Request; Access Catalog (Roles, IT Ownership, Entitlements, Accounts, Business Attributes, Glossaries).
Oracle Identity Governance – A Platform Approach (slide). Outcomes: Improve Compliance, Reduce Risk, Reduce Cost. Foundations: Common Data Model, Common Architecture, Closed Loop Remediation, Common Connectors.
Oracle Identity Governance – Privileged Account Management
• A new offering integrated with the Governance Platform
• Password check-out for shared OS, database, and application accounts
• Catalog for regular and break-the-glass access request
• Access certification for access review and audit
• Same connectors that are used in access request and access certification
Simplified Customizations – Browser Based Tooling
• Form Designer
  • Extend User, Role, Organization, Catalog and Application Instance entities
  • Durable Customizations
• Workflow Designer
  • Request Routing Rules & Notification
• Security Policies
  • Attribute/Data Level Security
Simplified Lifecycle Management – Sandbox
• Develop and test customizations without impacting other users
• Publish to all users after testing
• Un-publish in case of accidental errors
• Move customizations from one environment to another
Simplified Application On-boarding – From “Days” to “Minutes”
• Rapid on-boarding of 1000’s of applications
• On-boarding steps reduced to
  • Define forms
  • Configure associated entitlements
  • Publish to catalog
• Manual Provisioning Workbench
  • Leverages the same SOA based workflow engine for manual provisioning tasks
Simplifying Your Identity Management Implementation – Case Studies – 1: Group Companies in China, 350,000 Employees, 20+ Sub Companies
Business Painpoints
• Security
  • No centralized access control and security from group to subsidiaries
  • No linking between user information, IT accounts and HR records
• Business
  • No process, standard and control for user management
  • Users have multiple passwords; poor user experience
• IT Infra
  • No standardized integration framework for existing and future business applications
  • Lack of group level centralized access control for core business applications
Business Objectives
• Standardization: Drive the integration and standards based on the user management lifecycle.
• Standard Platform: Build and link the platform for the group and its companies.
• Platform Integration: Implement a Central User Store, SSO, User Management and Data Synchronization.
Deployment Approach (architecture slide). Components shown: Group tier – ODS, Web Tier, OIF, OIM, OAM, Psoft (Employees), Shared Application; Company X tier – ODS, Web Tier, OIF, OIM, OAM, Portal, Apps, OA, Email; authentication flows between the group and company tiers via OIF/OAM.
Business Value
• Enhance HQ IT control from decentralization to centralization
• Cost Savings: Prevent losses from orphan accounts, reduce operation and admin cost through a shared IDM service
• Compliance and Security: Build up the enterprise wide standard and policy, enforce centralized end-to-end management from group to all SBUs and BUs and reduce security risk
• Business Process Automation: HR driven user identity and organization life cycle management, filling the gap among people, business and IT
• Client Experience: Improve and streamline the user experience through a single username/password and a self-service console for end-users
Simplifying Your Identity Management Implementation – Case Studies – 2: Group Companies in Korea, 500,000 Staff, 30+ Sub-Companies
Customer Information
• Number of Employees: about 500,000
• Enterprise Portal: Messaging Service, Workflow, Remote Access, Searching Employee Information, One Voice of all Sub-Companies
• HQ stores all Global User Information
• Enterprise Portal provides real time employee information to each Sub-Company
• Enterprise Portal: Based in Europe, America, Asia
• Number of Sub-Companies: about 30
Enterprise Portal Flow (diagram). Elements shown: User Reg -> Group LDAP (Enterprise Portal) -> Replication -> Replica LDAP; File I/O and batch replication to partner systems (e-HR, G-ERP); Replica LDAP -> Company A (P/L IF Batch) -> Sub LDAP / AD -> SSO Client (P/L IF) -> Dept A, Dept B, Dept C -> Department A APP via SSO.
Objectives – Enterprise Portal Case
• Identity Management Automation
  • Between each group, provide an automated identity synchronization process
  • For each sub-company, standardize the process for employee and contractor identity management
  • Reduce time and complexity of identity synchronization
• Provisioning / De-provisioning
  • Identity life cycle management of Global employees including contractors
  • Identity management for a heterogeneous IT environment
  • Managing unused resource accounts, reducing security risk
• Password Sync
  • Password sync for heterogeneous IT resources from the Global User Directory Server
• Controlled Employee Identity Information
  • Provide a limited employee information sync process for each sub-company
Architecture – Phase 1 (diagram). Elements shown: Identity Manager with User Database; Enterprise Portal Directory; Outlook Directory (with Filtering) serving Outlook; MetaFrame Servers; Active Directory (with Filtering); Sub-Company Sync Directories; IBM Directory serving Sametime Servers; Enterprise Portal Applications.
Architecture – Phase 2 (diagram). Elements shown: e-HR feeds via Temporary Databases into Identity Managers; Master Directories with Filtering into Sync Directories; WorkFlow; Enterprise Portal.
Architecture – Phase 3 (diagram). Elements shown: Enterprise Portal – Phase 3 with Admin and Self-Service; HR, User/Group and AD sources (including AD for VPN); Sync DB and Employee Portal DB (Oracle Database); regional Identity Managers (HQ/KR IM, North America IM, EU IM, China IM), each with its own ODSEE and DB (Oracle Database); ODSEE for each Company; Continental Identity Sync using LDAP Replication.
ERP Security
• Identity Access Management for ERP
  • Requires a centralized Identity Access Management System for all ERP systems
• Provisioning / De-provisioning
  • Identity life cycle management of ERP users including contractors & partners
  • Using Central Provisioning to manage users and entitlements in ERP
  • Detect illegal ERP accounts, reduce security risk
  • Using a multi-level approval process, each single level of entitlements needs to be managed
• Auditing
  • Audit all ERP users' entitlements regularly to eliminate security risk
  • Restrict the access to ERP data based on location
  • Enforce SOD Check
AS-IS vs To-Be (process diagram). AS-IS: HR updates the employee; HR Admin raises a request (CSR/Mail) to the IT Admin; the IT Admin assigns ID/Entitlement on the IT System, Sub LDAP, Applications and Global ERP, involving the System Admin, Database Admin, Policy Admin and Biz. App Admin. To-Be: HR updates the employee, synced in real time to the Enterprise Portal; the ERP user logs in to Self Service and requests ID/Entitlement; the App. Owner approves; the Identity Manager assigns ID/Entitlement to the IT System, Sub LDAP, Applications (batch) and Global ERP, with Approval/Audit recorded.
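The reconciliation points on the slides (linking IT accounts to HR records in case study 1, "Managing unused resource accounts" and "Detect illegal ERP accounts" here, plus the SOD check) come down to one routine: compare an application's account export against the HR feed, flag accounts without an active owner, and flag accounts holding toxic entitlement combinations. The code below is an added illustration, not Oracle's code or any Oracle Identity Governance API; the HR feed, ERP export and the SOD rule table are constructed sample data.

```python
"""Reconcile ERP accounts against HR records and check separation of duties.

Added example, not Oracle code: the HR feed, ERP account export and the
SOD rule table below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str        # "active" or "terminated"


@dataclass(frozen=True)
class ErpAccount:
    account: str
    employee_id: Optional[str]          # None: the ERP has no owner linked
    entitlements: FrozenSet[str]


# Toxic entitlement pairs: one person holding both can complete a
# transaction alone (constructed for the example).
SOD_RULES: FrozenSet[Tuple[str, str]] = frozenset({
    ("AP_CREATE_VENDOR", "AP_PAY_VENDOR"),
    ("GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"),
})

# Constructed sample feeds standing in for the HR system and the ERP export.
HR_FEED = [
    HrRecord("E001", "active"),
    HrRecord("E002", "terminated"),
    HrRecord("E003", "active"),
]
ERP_EXPORT = [
    ErpAccount("erp.alice", "E001", frozenset({"AP_CREATE_VENDOR", "AP_PAY_VENDOR"})),
    ErpAccount("erp.bob", "E002", frozenset({"GL_POST_JOURNAL"})),
    ErpAccount("erp.svc_batch", None, frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"})),
    ErpAccount("erp.carol", "E003", frozenset({"IT_READ_LOGS"})),
    ErpAccount("erp.ghost", "E999", frozenset({"AP_PAY_VENDOR"})),
]


def find_orphans(hr: List[HrRecord], accounts: List[ErpAccount]) -> Dict[str, str]:
    """Accounts with no active HR owner: unlinked, unknown to HR, or terminated."""
    by_id = {h.employee_id: h for h in hr}
    orphans: Dict[str, str] = {}
    for acct in accounts:
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            orphans[acct.account] = "no matching HR record"
        elif owner.status != "active":
            orphans[acct.account] = f"owner {owner.employee_id} is {owner.status}"
    return orphans


def find_sod_conflicts(accounts: List[ErpAccount]) -> Dict[str, List[Tuple[str, str]]]:
    """Accounts holding both entitlements of any SOD rule."""
    conflicts: Dict[str, List[Tuple[str, str]]] = {}
    for acct in accounts:
        hits = sorted(r for r in SOD_RULES
                      if r[0] in acct.entitlements and r[1] in acct.entitlements)
        if hits:
            conflicts[acct.account] = hits
    return conflicts


def plan_remediation(hr: List[HrRecord], accounts: List[ErpAccount]) -> List[Tuple[str, str]]:
    """Closed-loop actions: disable orphans, send SOD conflicts to certification."""
    actions = [(a, "disable") for a in find_orphans(hr, accounts)]
    actions += [(a, "certify") for a in find_sod_conflicts(accounts)]
    return sorted(actions)


if __name__ == "__main__":
    for account, action in plan_remediation(HR_FEED, ERP_EXPORT):
        print(f"{action:8} {account}")
```

The unlinked service account shows up under both checks, which is the usual pattern in practice: accounts with no HR owner are also the ones most likely to have accumulated entitlements nobody reviews. In a real deployment the HR feed and the account export would come from connectors and the actions would be fed back as provisioning and certification tasks rather than printed.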
Enter to win a brand new Apple TV
• Get an entry form at the IDM demo stations
• Visit all 9 IDM demo stations in Moscone South
• Get your form signed at each demo station
• Submit your form
Join the Oracle IDM Community
• Twitter: twitter.com/OracleIDM
• Facebook: facebook.com/OracleIDM
• Blog: blogs.oracle.com/OracleIDM
• oracle.com/identity