strategies for reducing access controls risk
TRANSCRIPT
Smart Strategies for Reducing Risk and Improving Compliance
Artur Alves
Solution Architect
Oracle
Copyright © 2011, Oracle. Proprietary
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
● Factors increasing risk
● Strategies for reducing risk
● Demo
● Case Studies
Video – Too Much Information
What Is Increasing Risk?
● Dynamic User Population
Corporate user population is increasingly mobile
85% of all mobile devices are unsecured by IT*
* Malicious Mobile Threats Report, Juniper Networks 2011
● Complex Regulatory Environment
Regulations are increasing world-wide
40% of IT budget is spent on addressing compliance mandates*
* Forrester Consulting, 2010
● Application Explosion
IT spending on SaaS apps projected to increase 5x in 2011*
25 billion app downloads projected for 2011*
* IDC, Dec 2010
Strategies for Reducing Risk and Improving Compliance
● Analyze Your Risks
● Prioritize Based on Economics and Impact
● Create a Sustainable Program
Risk Score Is Your Priority
User | Job Role | Entitlements (RACF, Siebel CRM, Share Point) | Last Login | Risk Score
John Doe | Product Manager | Manage Customer; Manage Opportunity; Access Dev Specs | Sep 5 2011 at 9am EST | 95
Jim Harris | Sales Rep | Manage Customer; Manage Opportunity; Change Pricing | Jan 12, 2000 at 10am PDT | 97
Steve Brown | HR Manager | Manage Customer; Manage Opportunity | Sep 5 2011 at 10am EST from Nigeria | 98
Callouts: Excess Access, SoD Violation, Excess Access
Video – Audit Eye
Prioritize based on economics and impact
Consolidate & Correlate Entitlements
Automate Identity-based Controls
Define Enterprise Roles
Assign Access via Roles
Monitor & Enforce via Roles
Access Certification & SoD
Role Administration & Governance
Role-based Provisioning
Activity Monitoring & Entitlements Management
Build Identity Warehouse
Solution: Create a Sustainable Program
User | Job Role | Entitlements (RACF, Siebel CRM, Share Point) | Last Login | Risk Score
John Doe | Product Manager | Manage Customer; Manage Opportunity; Access Dev Specs | Sep 5 2011 at 9am EST | 95
Jim Harris | Sales Rep | Manage Customer; Manage Opportunity; Change Pricing | Jan 12, 2000 at 10am PDT | 97
Steve Brown | HR Manager | Manage Customer; Manage Opportunity | Sep 5 2011 at 10am EST from Nigeria | 98
Callouts: Disable Access, Closed Loop Remediation, Disable Access
Oracle Identity Analytics 11g: Rapid and Sustainable Compliance Automation
• Compliance Command Console: Actionable Dashboards, Business Reports & Comprehensive Analytics
• Accelerated and Sustainable Compliance Automation: Access Certification, IT Audit Policy Monitoring, Closed-loop Remediation, SoD Engine
• Intelligent Role Governance: Change Management, Attestation, Consolidation & Audit, Role Mining, Identity Cleansing
• Rich Identity Warehouse: Optimized for Analysis, Mining, Correlation, Reporting on Identity, Access and Policy Data
Diagram labels:
IT Audit Policy Monitoring
Role Governance
Access Certification
Identity Warehouse
Compliance Command Console
Identity/Access Data Sources
Oracle Identity Manager
Oracle Access Manager
Demo: Oracle Identity Analytics
Access Certification Flow: Oracle Identity Analytics
1. Set Up Periodic Review
   Who Reviews It?
   What Is Reviewed?
   Start When? How Often?
2. Reviewer Is Notified, Goes to Self Service
   Reviewer Selections: Delegate, Reject, Certify, Decline
   Comments
3. Automated Action is taken based on Periodic Review
   Notify Delegated Reviewer
   Notify the Process Owner
   Automatically Terminate User
   Email Result to User
4. Report Built and Results Stored in DB
   Archive (Audit): Attested Data, Attestation Actions, Delegation Paths
Closed-Loop Provisioning: Oracle Identity Analytics + Oracle Identity Manager
• User provisioning and de-provisioning (after Certification)
• Password reset & self-service account requests
• Delegated administration
• Approval and request workflow
• Compliance reports
Diagram labels:
Oracle Identity Manager
Mainframes
Databases and LDAP
Custom Apps
Enterprise Applications
GRANT or REVOKE
Oracle Identity Analytics
Roles
Entitlement Rules
SoD Checks
Resource Data
Entitlements Data
Identity Warehouse
Case Study: Accelerating ROI (Financial Services Example)
COMPANY OVERVIEW
• A global bank with HQ in Europe, presence in NA, Asia and Emerging Markets
• Over 90K employees, > 1000 apps, 500 DBs, 6000 servers, and 1.1 M user accounts
CHALLENGES/OPPORTUNITIES
• SOX Compliance a challenge with over 3.8M actions
• Complex feed from multiple platforms – UNIX, Wintel, DBs
SOLUTION
• Implemented Oracle Identity Analytics (formerly Sun Role Manager)
RESULTS
• 3.8M actions reduced to 26K
• Annual cost reduction = Euro 3.7M
• 90% app SOX certification complete in 1 week, 100% in 2 months. SOX compliant!
• 3 month manual process now takes <2 weeks