An Oracle White Paper March Access Certification: Addressing and Building On a Critical Security Control

Similar documents
Oracle CPQ Cloud Solutions for enterprises and Fast Growing Companies

ORACLE ADVANCED ACCESS CONTROLS CLOUD SERVICE

An Introduction to Oracle Identity Management. An Oracle White Paper June 2008

Oracle SCM Cloud Support for Contract Manufacturing

Oracle Management Cloud. The Next Generation of Systems Management

Supply Chain Innovation Fuels Success SAP ERP and Oracle Supply Chain Management: A Case for Coexistence. An Oracle White Paper

Oracle CPQ Cloud for Channel Sales Streamline the Sales Process for Channel Partners

Delivering Effortless Knowledge Everywhere

Seven Steps to Building a High- Impact Learning Culture. Employees increasingly value a workplace that nurtures learning

Oracle CPQ Cloud and Salesforce.com Integration

Oracle Product Hub Cloud

Oracle Hyperion Capital Asset Planning

An Oracle Strategy Brief November Better Business Intelligence for Insurers: Three Ways to Think Differently

An Oracle White Paper June Running Oracle E-Business Suite on Oracle SuperCluster T5-8

Oracle Inventory Management Inventory Management Integration with Projects

Oracle Autonomous Data Warehouse Cloud

An Oracle White Paper December HCM Succession Planning

ORACLE FINANCIAL SERVICES DATA WAREHOUSE

Implementing Supplier Audit History

January Oracle Real Time Decisions Statement of Direction

Oracle Financial Services Data Foundation

An Oracle White Paper July The Impact of the Financial Crisis on Core Systems Replacement

Oracle Autonomous Data Warehouse Cloud

Oracle WebCenter: The Center of Engagement for Business

Oracle Discrete Cost Management Information Discovery

Accelerate Your Response to the EU General Data Protection Regulation (GDPR) with Oracle Cloud Applications

Oracle BigMachines CPQ Cloud Service Products Document Engine Feature

Oracle Crystal Ball and Minitab O R A C L E W H I T E P A P E R N O V E M B E R

The Internet of Things: Unlocking New Business Value. Let Oracle energize your business with IoT-enabled applications.

The New Digital Reality for Manufacturing

Oracle Inventory Management Inventory Management Integration with Projects

Oracle Utilities Mobile Workforce Management Release Utility Reference Model MWM Manage Fieldworks

Defining the Leading Edge in Value and Innovation

Oracle Utilities Meter Data Management Release Utility Reference Model Manage Contacts

Overcoming the Limitations of Conventional Application Performance Management

Five Minutes on Empowering Modern Procurement. Why Transforming Procurement Is a Top Priority for the Modern Business

The State of Mobile Security in CIO Executive Interview

Siebel Enterprise Marketing Suite

Enterprise Rating Agility Improves Payer Response to Healthcare Reform ORACLE WHITE PAPER JULY 2014

Oracle Financials Accounting Hub

Running Oracle Supply Chain Collaboration Cloud with Standalone Planning Solutions

BCBS 239. Next Steps in the Journey to Compliance: Emergence of the Chief Data Officer ORACLE STRATEGY BRIEF NOVEMBER 2014

Accelerating Speed to Market in the Highly Competitive Automotive Industry

TABLE OF CONTENTS DOCUMENT HISTORY 3

Utilities Incremental gains through EPPM O R A C L E W H I T E P A P E R O C T O B E R 2016

Information That Predicts

An Oracle White Paper January Upgrade to Oracle Netra T4 Systems to Improve Service Delivery and Reduce Costs

THE NEW HYPER-CONNECTED ENTERPRISE. Improve collaboration. Enhance customer experiences. Streamline business processes.

ORACLE SYSTEMS MIGRATION SERVICES FOR IBM ENVIRONMENTS

PEOPLESOFT ebill PAYMENT

SYSTEM MONITORING PLUG-IN SYBASE ADAPTIVE SERVER ENTERPRISE

Oracle Banking Enterprise Collections

Oracle Utilities Customer Care and Billing 2.5 Benchmark Report

The Benefits of Consolidating Oracle s PeopleSoft Applications with the Oracle Optimized Solution for PeopleSoft

JD Edwards EnterpriseOne General Ledger

2018 FALL PRODUCT UPDATE. What s New in Oracle HCM Cloud

Compliance Regulatory Reporting Applications Pack Release

ORACLE ADVANCED FINANCIAL CONTROLS CLOUD SERVICE

ORACLE PROJECT PORTFOLIO MANAGEMENT CLOUD

Managing Unpredictability using BPM for Adaptive Case Management

An Oracle White Paper October Why Projects Fail: Avoiding the Classic Pitfalls

ORACLE FUSION FINANCIALS

Oracle Revenue Management Cloud

An Oracle White Paper July Capital Markets Technology Spending: Tight Budgets, High Expectations

Oracle Business Intelligence Cloud Service Boot Camp. Release 1.0

ORACLE FUSION FINANCIALS CLOUD SERVICE

Accelerating Billing Infrastructure Deployment While Reducing Risk and Cost

Addressing FRTB with Oracle Financial Services Analytical Applications

Oracle Utilities Mobile Workforce Management Benchmark

An Oracle White Paper June Delivering Business Value through Target-Driven Optimization

Manufacturing in a Box ERP Solution Pack. Supply Chain Management, Consulting UKIE

Tapping into the Potential of Pricing and Revenue Management Getting the Price Right with Oracle

WebCenter Content. Complete and Versatile Content Management

ORACLE TASK MANAGEMENT CLOUD

Asset Register Report

SCM Cloud B2B Messaging Strategy

JD Edwards EnterpriseOne Mobile Applications

Oracle Process Cloud Service

Oracle Enterprise Manager 13c Cloud Control

ORACLE PROJECT PORTFOLIO MANAGEMENT CLOUD

An Oracle White Paper December Reducing the Pain of Account Reconciliations

ALL OF YOUR WORK. OPTIMIZED.

Oracle Linux Management with Oracle Enterprise Manager 13c Cloud Control O R A C L E W H I T E P A P E R M A R C H

Overcoming the Management Challenges of Portal, SOA, and Java EE Applications

Oracle s Platform for SAP Solutions

An Oracle White Paper June Oracle Fusion Applications Creation of a View Only Role in Procurement

Transform the Future of Trade Finance. Empowering Smarter Trade Finance Operations

Oracle Cross Channel Customer Experience for Communications. The Singularly Delightful Customer Experience That Drives Long-Term Profitable Growth

Title: Leveraging Oracle Identity Manager (OIM) to Improve Costs and Control. An Oracle White Paper March 2009

Agile PLM on Oracle Ravello Cloud Service ORACLE WHITE PAPER AUGUST 2017

MANAGEMENT CLOUD. Leveraging Your E-Business Suite

Oracle Knowledge Solutions for High Technology. Answers that Reduce Costs and Improve Service

WEBCENTER PORTAL CLOUD. Create Engaging, Integrated Digital Experiences

Oracle Planning and Budgeting Cloud Service

Delivering Financial Close Transparency: Financial Consolidation, Reporting, and Analysis Solutions for Federal Agencies

Introduction. Top Enterprise Performance Management Cloud Trends for

Siebel Service. Building Strategic Service Management. Deliver a Superior Customer Experience with Cross Channel Customer Service

Transcription:

An Oracle White Paper March 2010 Access Certification: Addressing and Building On a Critical Security Control

Introduction Today s enterprise faces multiple multifaceted business challenges in which the management of employees and partners access to enterprise resources is vital. Foremost among these is the challenge of complying with an ever-growing number of regulations governing the integrity and privacy of enterprise data. With the need to protect data comes, of course, the need to closely manage access to it by knowing at all times who has access to resources and whether their access is appropriate, and by providing documentation of this information in the event of an audit. However, compliance is not the only challenge in today s enterprise. Even more critical is the need to operate an agile business that can respond quickly and competitively to business opportunities and competitive threats. Operating a successful business under these conditions is hard to achieve. To succeed, a company must have an identity and access management (IAM) infrastructure in place to ensure that people have access to all the resources they need, but none of those they don t, and to prove in audits that access is being managed correctly and in compliance with internal security policies and external regulations. Moreover, this infrastructure must have a base of efficient and effective processes that free people to focus on the growth of the business, without having to devote undue time and budget to its security. This white paper examines these often conflicting demands on the enterprise and shows how access certification technology makes it possible to meet them, first, by enabling access control compliance and second, by laying the foundation for a strong IAM infrastructure. The document Describes the forces driving security controls related to access Explains how access certification addresses these issues Discusses the key criteria for an access certification solution Introduces Oracle Identity Analytics for access certification Presents real-world examples of Oracle solution deployments 1

Access Certification Technology Access certification technology is an invaluable tool for helping an enterprise manage its efforts to comply with the many regulations that govern businesses across a variety of industries today. Automating the certification process increases certification accuracy and effectiveness, which in turn improves compliance and reduces risk. An identity compliance solution provides the organization with a clear understanding of its users identities and access rights to critical business information and services, and establishes compliance controls for ensuring that access is correct and remains correct. It allows the organization to answer key questions: Who has access to what, and when? Who approved those access privileges? Are the access rights in line with policy? The complex requirements of meeting and providing proof of compliance, with minimal cost to the organization, are simple with an automated solution. Additionally, using the information gathered in a compliance exercise to refine an IAM program enables extending cost savings across the enterprise. Access control compliance is an ideal first step toward strengthening the security of business services and information and reducing risk by evolving identity management practices. The Forces Driving Security Controls Related to Access From Sarbanes-Oxley (SOX), with its emphasis on the integrity of financial information, to the Health Insurance Portability and Accountability Act (HIPAA) and other industry-specific laws protecting data privacy, regulations continue to force companies to focus on access. Ongoing and Growing Pressure to Prove Compliance In the alphabet soup of regulations that govern business around the world today, one of the most pressing concerns is the integrity and privacy of data. SOX, HIPAA, and other industry-specific regulations have led to increased scrutiny of assigned access to enterprise systems, applications, and data. It is vital for companies to know and even more important, to be able to prove who has access to what, whether that access is appropriate, and that corrections take place when it is not. Insider Threats Resulting from Inappropriate Access The need for close governance of access to systems and resources extends beyond complying with regulations to protecting enterprise assets. The threat posed by inappropriate access is grave. You can look all the way back to the 1990s, when accounting fraud caused the collapse of the oldest merchant bank in London, Barings Bank, and when unauthorized trading resulted in nearly 1.3 billion (US$2 billion) in losses for the London Metal Exchange. In addition, such problems have continued to proliferate; consider, for example, the 2008 Société Générale trading loss incident in which fraudulent transactions by an employee caused the bank to lose billions. Clearly, these insider threats must be 2

eradicated, and an important step toward that is eliminating opportunities for inappropriate access to systems by rogue traders and other insiders. Need to Expand Reach and Manage Risk Security is critical to preventing business losses; however, there is also a need for balance with the openness that is equally critical to achieving business agility in the Web 2.0 era. Systems must be locked down to the extent that they keep out malevolent efforts to gain access from inside or from outside the enterprise. At the same time, they must be open enough to ensure that everyone who is working in the best interests of the enterprise can get their jobs done. Open access must be coupled with access control to achieve this careful balance between agility and security. A business that is secure in its ability to control appropriate access to its resources will be empowered to apply those resources to bold and confident growth and expansion. Using Access Certification to Address Critical Issues The forces described in the previous section are leading companies to take action to address the following: Understanding who has access to what systems, applications, and data Validating that the assigned access is correct and appropriate Documenting and providing evidence for both of the above An automated access certification solution will allow the enterprise to address these issues and, in the process, maintain security and manage risk. Understanding, Validating, and Documenting Access An effective technology solution for access certification can provide a clear and comprehensive understanding of who has access to what resources. By automatically consolidating and correlating entitlement data from throughout the enterprise, and then reporting on user access across enterprise systems and applications, a company has insight into data access. In addition, such a solution will use automation to speed and increase the accuracy of access review and validation automation. An effective solution will empower decision-makers to revoke any inappropriate access that it detects so that the enterprise can enforce policies in areas such as segregation of duties (SoD) and least privilege. Finally, the solution will provide reports leveraging the resulting audit trail to provide evidence of the review and correction (when necessary) of assigned access. Maintaining Security Within and Beyond the Enterprise Access certification is critical to maintaining security, particularly in guarding against access violations that could lead to security breaches. Regularly scheduled access reviews ensure the appropriate assignment of the minimum access necessary for users to do their jobs and no more. Transfers, 3

promotions, and terminations trigger event-based access reviews to ensure that internal employees do not aggregate access as they move throughout the organization and that both internal and external users do not retain access when their relationships with the organization end. Laying a Foundation for Identity and Access Management Initiatives to Manage Risk IAM is the cornerstone of an enterprise s ability to extend its reach while still managing business risk. Access certification technology lays the foundation for initiatives in this area in several ways. It accomplishes the fundamental work of consolidating and correlating identity and access data the same data that can be used in provisioning and role management. The entire process of certification by its very nature cleanses the consolidated data, leaving an excellent foundation on which to build. Key Criteria for an Access Certification Solution In evaluating an access certification solution, organizations should consider a few key criteria. First, the system should automate the entire certification process. Second, it should integrate seamlessly with external partners as well as a company s provisioning and role management processes. Finally, it should come from a reliable vendor who can reconcile core identity challenges, processes, and solutions. Comprehensive Automation An effective access certification solution should automate the entire certification process, from building a warehouse of entitlements to scheduling and monitoring certifications to providing ongoing tracking and reporting. The solution should automatically Import entitlement data from the existing IT infrastructure and from any enterprise application, and correlate entitlement data from multiple sources to a single identity Schedule both manager and application owner certifications based on business priorities, and monitor to ensure that reviews are completed on schedule Track revocations of, or modifications to, access and ensure that the appropriate changes are made throughout the IT infrastructure Generate reports to alert administrators to existing or potential access policy violations, remediation, and exceptions, and demonstrate compliance with regulatory requirements Minimal Customization and Programming Requirements As an enterprise extends its reach to include increasing numbers of external partners and their resources, it becomes increasingly important for the access certification solution to work seamlessly with those partners and their systems, applications, and data. It should not require substantial customization or programmatic development to work with external resources. 4

Integration with Provisioning and Role Management An access certification solution that integrates with a company s provisioning and role management processes enables complete lifecycle management of security policy violations and the access revocations that are associated with those violations. This closed-loop approach makes it possible to Efficiently and effectively automate the removal of inappropriate access while capturing the appropriate audit information Increase compliance effectiveness by ensuring that business roles are consistently being defined based on correctly assigned access Get to the point where the company is able to assign, attest, and audit access using roles Depth of Vendor Expertise An access certification solution should come from a vendor with a deep understanding of the interrelationships among core identity challenges, processes, and solutions. The vendor should Provide expertise in compliance management that encompasses expertise in inextricably related areas such as provisioning, role management, and directory services Demonstrate an understanding of, and the ability to effectively respond to, challenges in areas such as Web access management and secure Web services Have the experience, expertise, and services to serve as a strong architecture and design resource that can guide efforts to build an effective identity infrastructure Oracle Identity Analytics Designed specifically for easy integration with existing and planned components of the enterprise identity infrastructure, Oracle Identity Analytics is a comprehensive solution for automating every aspect of the access certification process. Comprehensive Capabilities Oracle Identity Analytics serves as a platform for automating the full range of existing manual compliance processes relating to access certification and access policy enforcement. The solution has the following capabilities: Automatically collects and correlates identity data from multiple enterprise resources Dynamically generates certification populations to ensure that certifications are performed by the appropriate business owners 5

Automates detection of existing and potential policy violations in critical compliance areas such as SoD and unauthorized aggregation of privilege Reports extensively on certification status, policy violations, and other access-related information, reducing the need to manually gather this type of data for audits Easily Integrated with Existing Infrastructures Oracle Identity Analytics leverages both agentless connectors and a general-purpose extract, transform, and load based data collection capability for correlating entitlement data generated from any enterprise resource. This can dramatically Reduce the time, cost, and complexity of implementing the solution Simplify the process of working with growing numbers of external partners and their applications Accelerate business value, with ROI typically achieved within 90 days of implementation Part of a Complete Portfolio of Identity Solutions Oracle Identity Analytics is part of Oracle s complete identity management portfolio for ensuring security and maintaining compliance, which means that it can Integrate seamlessly with Oracle Identity Manager for user provisioning and identity administration Oracle Access Management Suite for comprehensive authentication, authorization, identity federation, and entitlement management Oracle Directory Services solutions for identity data synchronization and storage Integrate seamlessly with other identity access management products and with leading security information and event management vendors and IT governance, risk, and compliance vendors to provide a comprehensive compliance solution From the Recognized Leader in Identity Management The Oracle identity management family of products has consistently been positioned as a leader in a number of analyst reports, including Gartner s User Provisioning Magic Quadrant and Magic Quadrant for Web Access Management reports and Forrester s The Forrester Wave: Identity and Access Management, Q4 2009. Oracle Offers expertise not just in access certification, in particular, and compliance management, in general, but also in user provisioning and identity administration, access and entitlement management, and directory services 6

Goes beyond the technology to provide solution expertise and global support Teams with business consulting and systems integration firms to help deliver complete value for customer success Oracle Identity Analytics at Work in the Real World The financial industry is undoubtedly one of the most highly regulated in the world, subject not only to broadly applied regulations such as SOX, but also to a growing number of industry-specific regulations. Accurately certifying user access particularly with regard to high-risk transactions is an important part of complying with the various laws that govern the industry. To improve its regulatory compliance, a leading global investment bank automated its access certification process using identity management technology from Oracle. Goal: Improve Access Certification With 350,000 users distributed across more than 40,000 business units, and with more than 100,000 accounts having access to high-risk transactions, the company required an effective solution for certifying access on a very large scale. The Oracle solution made it possible to automate the entire access certification process through an implementation that included Building an identity warehouse to serve as a common repository for application security data and user entitlement data for 350,000 users, along with business descriptions for entitlements Ensuring that SoD policies are defined and enforced across all users and applications, with more than 200 SoD policies defined and applied to the 350,000 users Generating more than 10,000 certifications (for 100,000 user accounts) and routing them to 15,000 business unit managers all within a 60-day time frame Performing a mass cleanup of orphaned accounts that were identified during the data-loading phase, which involved remediating 200,000 financially critical transactions across various applications Identifying SoD policy violations in more than 60,000 user accounts and routing them to the appropriate business owners to revoke the errant access Deployment of the Oracle solution allowed the organization to achieve the following benefits: Reducing the amount of time and budget devoted to access certification by automating its traditional manual process Reducing the security and compliance risk associated with access to high-risk transactions Ensuring compliance with SoD policy by automating its enforcement across the enterprise Lessening the risk of being cited for noncompliance by accelerating the time required to certify access in general and to identify and remediate violations in particular 7

Conclusion With numerous regulations governing businesses across a variety of industries today, access certification technology is a valuable tool for helping an enterprise manage its compliance efforts. Automating the certification process increases certification accuracy and effectiveness, improving compliance and reducing risk. An identity compliance solution provides the organization with a clear understanding of its users identities and access rights to critical business information and services, and establishes compliance controls for ensuring that access is correct and remains correct. The complex requirements of meeting and providing proof of compliance, with minimal impact to an organization s bottom line, are simple with an automated solution. Using the information gathered in a compliance exercise to refine IAM programs enables cost savings across an enterprise. Access control compliance is an ideal first step toward strengthening the security of business services and information, and reducing risk by evolving identity management practices.. 8

Access Certification: Addressing and Building On a Critical Security Control March 2010 Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores, CA 94065 U.S.A. Copyright 2008, 2010, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Worldwide Inquiries: Phone: +1.650.506.7000 Fax: +1.650.506.7200 oracle.com AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd. 0110

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback