Identity Management and Data Security Richard Schad Senior Director Oracle Technology Business Unit.
Posted: 18-Dec-2015 (Category: Documents)
Identity Management and Data Security
Richard Schad, Senior Director, Oracle Technology Business Unit
Agenda
• How big is the Higher Ed IDM problem?
• What is Oracle doing?
• What are universities doing?
• What is next?
• Identity Management overview
50% of all reported breaches since Feb. 2005 were at colleges and universities!
UCLA - 800,000 identities
Texas – 200,000 identities
San Diego State – 178,000 identities
Ohio University – 137,000 identities
…over 4 Million IDs
There is a growing problem in Higher Ed
The Case for Doing the Right Things Right Now
Top Ten IT Issues in Higher Education

2006
1. Security and Identity Management
2. Funding IT
3. Administrative/ERP/Information Systems
4. Disaster Recovery/Business Continuity
5. Faculty Development, Support, and Training
6. Infrastructure
7. Strategic Planning
8. Governance, Organization, and Leadership
9. Course/Learning Management Systems
10. Web Systems and Services

2007
1. Funding IT
2. Security
3. Administrative/ERP/Information Systems
4. Identity/Access Management
5. Disaster Recovery/Business Continuity
6. Faculty Development, Support, and Training
7. Infrastructure
8. Strategic Planning
9. Course/Learning Management Systems
10. Governance, Organization, and Leadership

Source: Top-Ten IT Issues, 2006, May/June 2006, Educause Review
Source: Top-Ten IT Issues, 2007, May/June 2007, Educause Review
“Why do you rob banks? Because that is where the money is!”
Why are Universities Being Targeted?
• Profit = Revenue ($10 per identity) – Cost to acquire
• Fertile environment characteristics:
  • Abundance of Personally Identifiable Information (PII)
  • Quality of information: identities are good for many years and likely have strong credit; rich PCI (payment card) data
  • Not difficult to access: open and decentralized environment with limited budgets for security; often lower-cost and more fluid IT employees
The value of risk reduction was determined by considering the losses incurred by others.
A Security Breach Can Cost Millions
Best Case (Thousands)
● Embarrassment
● Notification, credit watch
● Disciplined staff
● Executive time

Worst Case (Millions)
● Lost funding (alumni, grants)
● Millions in legal fees
● Notification, credit watch, etc.
● Terminated executives
Source: The security breach data listed on this slide is publicly available at www.privacyrights.org
“Expenses average more than $10 per individual whose personal data have been exposed”
AIG – Chronicle of Higher Education October 13, 2006
What is Oracle doing?
Ask yourself…
“Are higher education institutions doing all that can be done to safeguard the personal data of their students, employees, and customers? And, when breaches do occur, are the universities doing everything they're supposed to be doing?”
--Campus Technology, April 2007
Source: David Nagel, "Once More unto the Breach," Campus Technology, 4/13/2007, http://www.campustechnology/article.aspx?aid=46725
Oracle’s Roadmap to Campus Security
• 3-5 day collaborative process
• Involves both IT and business
• A view into industry best practices around security and compliance
• Mapping the institution's processes and technologies against IT compliance standards
Engagement Overview
• Summary findings delivered in an executive level presentation
• Detailed recommendations in an enterprise level roadmap
• High level business metrics
Engagement Outputs
What are our universities doing?
Key Findings from Universities
• Provisioning & deprovisioning are painful and incomplete
  • Examples: new medical staff, deceased users
• SSNs are everywhere
• Even simple protective steps are slow to be adopted:
  • 55% use strong passwords
  • Less than a third use multifactor authentication
• Unstructured data issues (fileshares, laptops, etc.)
• Difficulties with the business case for IDM
• Some non-IT sponsorship and funding increases the chance of success for IDM initiatives
Recommended Actions: PPP
People, Processes & Policies:
• Complete university-wide identity inventory
• Develop an identity data ownership/stewardship policy – less than half of universities have done this
• Document and institutionalize hierarchies for various workflows, e.g. approvals
• Create/strengthen access and data sharing policy
• Develop rationalized and standardized business processes
Recommended Actions: Technology
Technology & Data:
• Implement a provisioning system
• Standardize on common, robust access management and password (SSO) systems
• SSN remediation - "Secure SSN Vault"
• Leverage workflow technology
• Encrypt and secure confidential data
• Standardize/rationalize role & attribute data to support access
• Incremental improvements will demonstrate successful impact and business benefit
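The "Secure SSN Vault" item above is the one remediation step that needs a concrete shape, so here is an added example (not Oracle's code, and not from the presentation) of the tokenization pattern behind it. Applications keep an opaque random token; only the vault holds the SSN, finds existing tokens through a keyed blind index (HMAC) rather than a plaintext lookup table, releases plaintext only to allow-listed (caller, purpose) pairs, and logs every request. The class and function names, the allow-list and the sample records are all made up; the at-rest encryption of the vault store and the HSM/KMS custody of the index key are assumed rather than implemented.

```python
"""Added example: an SSN vault (tokenization) service, standard library only."""
import hashlib
import hmac
import re
import secrets

# Loose pattern for scanning unstructured text (fileshare exports, spreadsheets, ...).
SSN_PATTERN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def normalize_ssn(raw: str) -> str:
    """Return the 9 digits of a well-formed SSN, or raise ValueError.

    Rejects ranges the SSA never issues: area 000, 666 and 900-999,
    group 00 and serial 0000. Cuts most false positives from scanning.
    """
    m = SSN_PATTERN.fullmatch(raw.strip())
    if not m:
        raise ValueError("not an SSN")
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        raise ValueError("SSN outside issued range")
    return area + group + serial


class SsnVault:
    """Holds the only plaintext copy; everything else carries a token."""

    def __init__(self, index_key: bytes, allowed: set):
        self._index_key = index_key            # assumption: supplied by an HSM/KMS
        self._allowed = allowed                # {(caller, purpose)} that may detokenize
        self._ssn_by_token = {}                # assumption: encrypted at rest in production
        self._token_by_index = {}              # HMAC(ssn) -> token, so one SSN gets one token
        self.audit = []                        # (decision, caller, purpose, token)

    def _blind_index(self, ssn: str) -> str:
        # Keyed hash: an attacker with the index alone cannot brute-force the 1e9 SSN space.
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_ssn: str) -> str:
        ssn = normalize_ssn(raw_ssn)
        idx = self._blind_index(ssn)
        token = self._token_by_index.get(idx)
        if token is None:
            token = "ssn_" + secrets.token_urlsafe(16)   # random: carries no SSN bits
            self._token_by_index[idx] = token
            self._ssn_by_token[token] = ssn
        return token

    def detokenize(self, token: str, caller: str, purpose: str) -> str:
        if (caller, purpose) not in self._allowed:
            self.audit.append(("DENY", caller, purpose, token))
            raise PermissionError(f"{caller} may not detokenize for {purpose}")
        ssn = self._ssn_by_token[token]
        self.audit.append(("ALLOW", caller, purpose, token))
        return ssn

    def last4(self, token: str) -> str:
        """Masked form for screens and reports; needs no detokenize right."""
        return "***-**-" + self._ssn_by_token[token][-4:]


def remediate_record(record: dict, vault: SsnVault, field: str = "ssn") -> dict:
    """Replace the SSN field of an application record with a vault token."""
    out = dict(record)
    if record.get(field):
        out[field] = vault.tokenize(record[field])
    return out


def find_ssns(text: str) -> list:
    """Locate SSN-looking strings in free text, keeping only plausible ones."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        try:
            hits.append(normalize_ssn(m.group(0)))
        except ValueError:
            pass
    return hits


if __name__ == "__main__":
    vault = SsnVault(secrets.token_bytes(32), allowed={("payroll", "tax_filing")})
    record = {"id": "u102", "ssn": "123-45-6789"}          # constructed sample
    token = remediate_record(record, vault)["ssn"]
    print(token, vault.last4(token))
    print(find_ssns("student 123-45-6789, bogus 000-12-3456"))   # constructed sample
```

Two design points carry the security value: the token is random, so no application database holding tokens leaks SSN bits, and the blind index is keyed, so a copy of the index table cannot be reversed by hashing all one billion candidate SSNs. `find_ssns` is the discovery half of "SSNs are everywhere": run it over exports and fileshare content before deciding what to vault.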
Initiative Analysis & Prioritization

[Chart: initiatives plotted by Complexity (Low to High) against Value (Medium, High, Highest); the high-value quadrants are labelled "Targets" and "Secondary Targets".]

1. Implement user provisioning (phased approach)
2. Implement user provisioning (campus-wide)
3. Remediate SSN use
4. Audit reporting
5. SSO (ESSO)
6. Workflow
7. Common university-wide roles and attributes
8. Directory consolidation
9. Virtual directory
10. Federation
What's Next: Key Areas of Focus
• Federation
• Globalization
• Attestation
• Unstructured data problem
• Collaborative research
• Sharing IDs across institutions
• Rising user expectations
What our customers are saying…
"Boise State is currently reviewing policies, procedures and practices associated with its online business processes. To assure a new, unbiased and knowledgeable eye during this review, the university has tapped the expertise from one of its technology partners. Oracle's Insight Program brings experienced and knowledgeable issue specific experts to the table. No sales pitch. No product bias. Just sound logic and process assessments with clear understandable recommendations. This is what good technology advice and counseling is all about."
--David O’Neill, CIO, Boise State
What our customers are saying…
“I have read many audits and other security-related reports in the past, the one your team has put together is the best I have seen for providing a clear and specific roadmap to improving data security. Our team will use your report as the basis of an action plan that, when completed, will certainly reduce our exposure to a variety of threats. You clearly listened to our concerns and the report is a reflection of that.”
--Rich Fagen, CIO, Cal Tech
What does Oracle provide?
What is Identity Management?
"Identity management refers to the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities"
--the Burton Group
Oracle’s Security Strategy
• Complete, unified security solution
  • No point product integration required
• Common security across applications and data
  • Protecting business processes and web services (SOA)
  • Protecting data in transit and at rest
  • Protecting against internal and external threats
• Hot-pluggable
  • Standards-based
  • Works across leading applications, web servers, application servers, portals, databases, and other IT systems
Identity Management is an Enterprise Architecture

[Architecture diagram]
• Users: Employees, IT Staff, Partners (internal and external), Customers
• Identity Management Service: Access Management, Identity Administration, Directory Services, Identity Provisioning
• Cross-cutting layers: Workflow & Orchestration, Data Abstraction Layer, Auditing and Reporting, Monitoring and Management
• Systems & Repositories: NOS/Directories, OS (Unix), Applications (SAP, CRM, HR, Mainframe, JDE), SOA Applications
Identity & Access Mgmt. Functions
• Access Control
  • Authentication & Authorization
  • Single-Sign-On
  • Federation
• Identity Administration
  • Provisioning
  • Identity Lifecycle Administration
  • Role & Membership Administration
  • Compliance Automation
• Directory Services
  • Virtualization
  • Synchronization
Access Control
• Authentication – Who are you?
  • Multiple factors to verify identity
  • Password, smart card, tokens, Kerberos, PKI, biometrics, …
• Authorization – What are you allowed to access?
  • Allow access to authorized resources only
  • Enforce authorization policies at all levels
• Federation – Access across identity domains
  • Establish trust between identity provider and service provider
  • Goal of seamless SSO between business partners
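The "tokens" factor above, and the finding earlier in the deck that fewer than a third of universities use multifactor authentication, make the verification side worth showing. This is an added example, not code from the presentation or from Oracle's products: a time-based one-time password check (RFC 6238 TOTP over RFC 4226 HOTP) using only the standard library. The secret is the RFC 6238 test-vector secret, not a real one; the class name, the one-step clock-drift window and the replay guard are this example's own choices.

```python
"""Added example: server-side TOTP verification with drift window and replay guard."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Per-user verifier: accepts a code once, within +/- window steps of now."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_counter = -1          # highest counter already accepted (persist this per user)

    def verify(self, code: str, at=None) -> bool:
        if at is None:
            at = int(time.time())
        if len(code) != self.digits or not code.isdigit():
            return False
        now = at // self.step
        for counter in range(now - self.window, now + self.window + 1):
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time compare so a timing side channel cannot leak digits.
            if hmac.compare_digest(expected, code):
                if counter <= self._last_counter:
                    return False             # replay of a code already used
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"         # RFC 6238 test-vector secret, not a real one
    print(totp(secret, 59))                  # 287082 per the RFC test vectors
    v = TotpVerifier(secret)
    print(v.verify("287082", at=59), v.verify("287082", at=59))   # True, then False (replay)
```

The drift window of one step (30 seconds either side) covers phone clock skew; widening it beyond two steps mostly helps attackers. The replay guard must be stored per user alongside the secret, and a real deployment also rate-limits attempts, since a six-digit code has only a million values.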
Identity Administration
• Identity lifecycle administration
  • Manage the add, change, suspend, reactivate lifecycle
  • Self service and delegated administration
• Role and membership administration
  • Static and dynamic memberships
  • Enable role and attribute based process automation
• Provisioning
  • Manage and police application entitlements
  • Automate approval and provisioning workflows
• Compliance automation
  • Periodic attestation of roles, entitlements, and control mechanisms
  • Segregation of duties monitoring and enforcement
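The lifecycle, provisioning and compliance bullets above describe one reconciliation loop, and the "Key Findings" slide earlier gave the failure cases (deceased users still holding accounts, deprovisioning left incomplete). The following is an added example, not Oracle's code or anything from the presentation, of that loop: compare an authoritative HR feed with the accounts that actually exist in each application, and emit what to provision, what to revoke and why, which accounts have no owner in the feed, and which live entitlement combinations violate a segregation-of-duties rule. People, applications, roles and rules are constructed for the example.

```python
"""Added example: HR-feed-to-application reconciliation with SoD checking."""

ACTIVE_STATUSES = {"active"}


def expected_entitlements(person: dict, role_map: dict) -> dict:
    """Entitlements the person's role grants; nothing for anyone not active."""
    if person["status"] not in ACTIVE_STATUSES:
        return {}
    return {app: set(ents) for app, ents in role_map.get(person["role"], {}).items()}


def reconcile(people: list, accounts: dict, role_map: dict, sod_rules: list) -> dict:
    by_id = {p["id"]: p for p in people}
    result = {"provision": [], "revoke": [], "orphans": [], "sod_violations": []}

    # 1. Known people: what they should hold versus what they hold today.
    for pid, person in by_id.items():
        want = expected_entitlements(person, role_map)
        have = {app: set(users.get(pid, ())) for app, users in accounts.items()}
        for app in set(want) | {a for a, ents in have.items() if ents}:
            missing = want.get(app, set()) - have.get(app, set())
            extra = have.get(app, set()) - want.get(app, set())
            result["provision"] += [(pid, app, e) for e in missing]
            # A terminated or deceased person's status is the revoke reason;
            # an active person losing something not in their role is "excess".
            reason = "excess" if person["status"] in ACTIVE_STATUSES else person["status"]
            result["revoke"] += [(pid, app, e, reason) for e in extra]

    # 2. Accounts nobody in the authoritative feed owns (orphans / ghosts).
    for app, users in accounts.items():
        result["orphans"] += [(uid, app) for uid in users if uid not in by_id]

    # 3. Segregation of duties, checked on granted entitlements, not intended ones.
    for app, users in accounts.items():
        for uid, ents in users.items():
            for a, b in sod_rules:
                if a in ents and b in ents:
                    result["sod_violations"].append((uid, app, a, b))

    for key in result:                 # deterministic order for reports and tests
        result[key].sort()
    return result


# Constructed sample data (made up for this example).
PEOPLE = [
    {"id": "u100", "status": "active", "role": "medical_staff"},
    {"id": "u101", "status": "deceased", "role": "faculty"},
    {"id": "u102", "status": "active", "role": "finance_clerk"},
    {"id": "u103", "status": "terminated", "role": "finance_clerk"},
]
ACCOUNTS = {                                      # app -> user -> live entitlements
    "ehr": {"u100": {"read_chart"}, "u101": {"read_chart"}, "u999": {"read_chart", "admin"}},
    "erp": {"u102": {"create_vendor", "approve_payment"}, "u103": {"create_vendor"}},
}
ROLE_MAP = {                                      # role -> app -> entitlements
    "medical_staff": {"ehr": {"read_chart", "write_chart"}},
    "faculty": {"lms": {"grade"}},
    "finance_clerk": {"erp": {"create_vendor"}},
}
SOD_RULES = [("create_vendor", "approve_payment")]

if __name__ == "__main__":
    for key, rows in reconcile(PEOPLE, ACCOUNTS, ROLE_MAP, SOD_RULES).items():
        print(key, rows)
```

The output of each run is the attestation material: "revoke" rows are the deprovisioning the deck calls incomplete, "orphans" are accounts with no HR owner that someone must claim or close, and "sod_violations" are computed from what is granted, which is the only view an auditor accepts.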
Directory Services
• Virtualization
  • Rapid identity data integration and application development
  • Enhance identity data integrity
• Synchronization
  • Entity-level synchronization between directories
  • Precise control of the data to synchronize
Open Standards Based
• Identity Management Standards: SAML, XACML, Liberty ID-FF, SPML, WS-Fed, X.509, etc.
• Security Standards: XKMS, XML-SIG, PKCS, WSS, XML-ENC, TLS, PKI, SSL, S/MIME, LDAP, Kerberos, etc.
• Platform and Integration Standards: WSDL, SOAP, WSRP, Oracle JDeveloper, JSR-115, Oracle BPEL Designer, JCP, Oracle TopLink and ADF
• Web Services Standards: WS-Security, WS-Policy, WS-Fed, WS-Trust

Q&A

Appendix A: Oracle Identity Management Suite
Oracle Identity Management
• Most comprehensive, best-in-class suite
• Hot-pluggable and open
• Application-centric identity management
April ‘06 Gartner Magic Quadrant
Heterogeneous Support
Applications
Directories
Application/Web Servers
Operating Systems
Groupware
Portals