AYTS: Summary of Identity Governance Session img48

AYTS: Summary of Identity Governance Session

Recently started the Oracle program: Are You The Smartest.
For me it is an opportunity to test my current knowledge level and to extend my knowledge.
After every session I follow, I will write a brief summary as part of the preparation for the test.
I will continue with the summary of the following session.

ARCHITECTS TRAINING – SECURITY – Identity Governance

This session was divided into the following three parts:

  • Overview Oracle Identity Governance Suite (30 minutes)
  • Demo (50 minutes)
  • Project requirements (40 minutes)

Oracle Identity Governance Suite

What is Governance?

Some definitions
“Governance is the act of governing. It relates to decisions that define expectations, grant power, or verify performance
“IT governance primarily deals with connections between business focus and IT management. The goal of clear governance is to assure the investment in IT generate business value and mitigate the risks that are associated with IT projects”
“ IT Governance Institute expands the definition to include foundational mechanisms: “… the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives

  • Performance: match agains set goals
  • Risks: according set rules
  • Foundation mechanisms: manage change

Business Drivers

  • Explosion of scale (getting the RIGHT access profile is hard and even more difficult when using the cloud):
    • a lot of systems, apps, users, entitlements
    • and few adminstrators, handful of audit staf, too many privileged accounts.
  • Business Agility
  • Privacy

Fragmented Governance

  • multiple Access Request tools
  • multiple Privileged Access tools
  • multiple Provisioning tools

risks

OIGS

OIM: all user accounts for different applications (central location for all rules/policies)
OPAM: e.g. root user, system user. Can’t drop them. Sort of super users (but sort of anonemous user)
OIA: driver by the other two

provision

Periodical review: identity certifications
Glossary is key 2 succes: contains explenation why someone has specific rights

provision2 deprovision

Access Catalog

  • Catalog Definition
  • Harvesting
  • Catalog Enrichment

Right are based on job/function description and not like: I need access to application X.
Not at one-on-one level and in business language (not in technical terms).

Approvals

  • View and take action on approval tasks via email, mobile (browser) and self-service UI
  • Add comments and attachments
  • See current and future approvers
  • Prioritize and organize tasks

Demo

The following funtionality is demonstrated:

  • Identity Governance Catalog
  • Request & Flows
  • Scalable Certification
  • Closed-Loop Remediation
  • Quick look @ Mining
  • Privileged Accounts

A number of screen shots and some notes.

  • screens can be personalized (2)

img6

  • Request profile for example for a new hire (6)
  • checkin/checkout (9)

img14

  • Multiple entitlements can be associated to each other by defining a profile for them (16).
  • A request can have sub-requests (17).

img23

  • check users of role, entitlements of role, role definition to certify. Must happen by someone who’s involved (e.g. the manager) and not by an IT person somewhere down the basement.
  • Identity analytics is used to summon the correct responsibilities to the right people (to approve/reject entitlements).
  • Rules can be used for certification and access rights
  • If a user lacks a role, the different entitlements must be judged one-by-one. To avoid this labour-intensive occupation a role model is very important.

img25

img34

img45

  • Set cut-off percentage to find equivalent people (45)

img48

  • Common Platform
    • Common Workflows
    • Common Catalog
    • Common Connectors
  • Common Governance
    • Define Roles and Policies
    • Approve and fulfill access
    • Audit and certify access
  • Closed-loop Remediation
    • Monitor Access
    • Reduce Risk
    • Improve Compliance

Project Requirements (case telco)

How Projects were introduced?

  • This project is about identity managment for customers
  • RBAC versus ABAC (Role- versus Attribute-  Based Access Control)
  • Increase customer satisfaction: Less complexity, Less credentials to remember
  • One Customer, One IAM
  • Improved time to market & cost reduction for new projects
  • Improve customer intimacy (Cross & Up sell) … Household ?

People say: this is what we need

solution

proposed1

PEP – Policy Enforcement Point
PDP – Policy Decision Point
PIP – Policy Information Point
Virtual PIP

proposed2

Master Data Management

Some Challenges:

  • Customer Data Lifecycle Management
  • How to Manage Households
  • How to manage Business relations
  • User Lifecycle Manager capabilities will be seriously challenged without …

Some Facts:

  • Excessive duplication of data results in security risks and adds complexity
  • Contract info, Is CRM the Only source ?
  • Product and Bundle Definitions ?
  • Customer enabled Services: available in CRM, Order Management system, Operational Support system or Billing ?
  • What about Potential Limitation because of the Device model in use . …
  • Customer Profile Consolidation
    • Households, Roles, B2B, B2C
    • Data de-duplication
    • Data cleansing and intelligent merge
    • Data Steward
    • Data enrichment
    • Gold Record
    • Rich extensible data model
  • User Account Consolidation
  • Asset/Contract Consolidation
  • Reuse Common Security Services

Master data is not only a content holder. Succes is to know the customer.

proposed3

proposed4

Keep in mind theirs a difference between customer and account