Identity Management and Data Security Richard Schad Senior Director Oracle Technology Business Unit.

Posted 18-Dec-2015 (Category: Documents)

Transcript of Identity Management and Data Security Richard Schad Senior Director Oracle Technology Business Unit.

Page 1: Title slide

Identity Management and Data Security
Richard Schad, Senior Director, Oracle Technology Business Unit

Page 2: Agenda

• How big is the Higher Ed IDM problem?
• What is Oracle doing?
• What are universities doing?
• What is next?
• Identity Management overview

Page 3: There is a growing problem in Higher Ed

50% of all reported breaches since Feb. 2005 were at colleges and universities!!

• UCLA – 800,000 identities
• Texas – 200,000 identities
• San Diego State – 178,000 identities
• Ohio University – 137,000 identities

…over 4 Million IDs

Page 4: Top Ten IT Issues in Higher Education

The Case for Doing the Right Things Right Now

2006
1. Security and Identity Management
2. Funding IT
3. Administrative/ERP/Information Systems
4. Disaster Recovery/Business Continuity
5. Faculty Development, Support, and Training
6. Infrastructure
7. Strategic Planning
8. Governance, Organization, and Leadership
9. Course/Learning Management Systems
10. Web Systems and Services

2007
1. Funding IT
2. Security
3. Administrative/ERP/Information Systems
4. Identity/Access Management
5. Disaster Recovery/Business Continuity
6. Faculty Development, Support, and Training
7. Infrastructure
8. Strategic Planning
9. Course/Learning Management Systems
10. Governance, Organization, and Leadership

Source: Top-Ten IT Issues, 2006, May/June 2006, Educause Review
Source: Top-Ten IT Issues, 2007, May/June 2007, Educause Review

Page 5: Why are Universities Being Targeted?

“Why do you rob banks? Because that is where the money is!”

• Profit = Rev ($10 per identity) – Cost to acquire
• Fertile Environment Characteristics:
  • Abundance of Personal Identifiable Information (PII)
  • Quality of Information
    • Identities good for many years and likely have strong credit
    • Rich PCI data
  • Not difficult to access
    • Open & Decentralized environment with limited budgets for security
    • Often lower cost and more fluid IT employees

Page 6: A Security Breach Can Cost Millions

The Value of Risk Reduction was Determined by Considering the Losses Incurred by Others.

Best Case (Thousands)
● Embarrassment
● Notification, credit watch
● Disciplined staff
● Executive time

Worst Case (Millions)
● Lost funding (Alumni, Grants)
● Millions in legal fees
● Notification, credit watch, etc.
● Terminated executives

Source: The security breach data listed on this slide is publicly available at www.privacyrights.org

“Expenses average more than $10 per individual whose personal data have been exposed”

AIG – Chronicle of Higher Education, October 13, 2006

Page 7: What is Oracle doing?

Page 8: Ask yourself…

“Are higher education institutions doing all that can be done to safeguard the personal data of their students, employees, and customers? And, when breaches do occur, are the universities doing everything they're supposed to be doing?”

--Campus Technology, April 2007

Source: David Nagel, "Once More unto the Breach," Campus Technology, 4/13/2007, http://www.campustechnology/article.aspx?aid=46725

Page 9: Oracle’s Roadmap to Campus Security

Engagement Overview
• 3-5 day collaborative process
• Involves both IT and business
• A view into industry best practices around security and compliance
• Mapping institution’s processes and technologies against IT compliance standards

Engagement Outputs
• Summary findings delivered in an executive level presentation
• Detailed recommendations in an enterprise level roadmap
• High level business metrics

Page 10: What are our universities doing?

Page 11: Key Findings from Universities

• Provisioning & deprovisioning are painful and incomplete
  • Examples: new medical staff, deceased users
• SSNs are everywhere
• Even simple protective steps are slow to be adopted:
  • 55% use strong passwords
  • Less than a third use multifactor authentication
• Unstructured data issues (fileshares, laptops, etc.)
• Difficulties with the Business Case for IDM
• Some non-IT sponsorship and funding increases chance of success for IDM initiatives

Page 12: Recommended Actions: PPP

People, Processes & Policies:
• Complete university wide identity inventory
• Develop an identity data ownership/stewardship policy – less than half of universities have done this
• Document and institutionalize hierarchies for various workflows, e.g. approvals
• Create/strengthen access and data sharing policy
• Develop rationalized and standardized business processes

Page 13: Recommended Actions: Technology

Technology & Data:
• Implement a provisioning system
• Standardize on common, robust access management and password (SSO) systems
• SSN remediation – “Secure SSN Vault”
• Leverage workflow technology
• Encrypt and secure confidential data
• Standardize/rationalize role & attribute data to support access
• Incremental improvements will demonstrate successful impact and business benefit
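The “Secure SSN Vault” recommendation above, together with the “SSNs are everywhere” finding and the identity-inventory action on the preceding slides, is illustrated by the following added example. It is not Oracle code and not part of the deck: it shows an SSN inventory scan over unstructured text, a tokenizing vault that is the only place a full SSN lives, a keyed blind index so the vault can recognise a repeat SSN without exposing it, and audited, role-restricted detokenization. The key, the actor names and the sample records are constructed; encrypting the vault table at rest and storing the key in an HSM/KMS are assumed and not shown.

```python
import hashlib
import hmac
import re
import secrets

# Constructed demo key for the blind index; a real vault would keep this in an HSM/KMS
# and encrypt the token-to-SSN table at rest (both are assumptions, not shown here).
INDEX_KEY = b"demo-blind-index-key"

SSN_EXACT = re.compile(r"^\d{3}-\d{2}-\d{4}$")
SSN_ANYWHERE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def blind_index(ssn: str) -> str:
    """Keyed hash that lets the vault find an existing token without using the SSN as a key."""
    return hmac.new(INDEX_KEY, ssn.encode(), hashlib.sha256).hexdigest()


class SSNVault:
    """The one place an SSN is stored; every other system keeps only the opaque token."""

    def __init__(self, authorized_readers):
        self._by_token = {}        # token -> SSN
        self._by_index = {}        # blind index -> token (dedupes re-tokenization)
        self._readers = set(authorized_readers)
        self.audit = []            # (actor, action, token)

    def tokenize(self, ssn: str, actor: str) -> str:
        if not SSN_EXACT.match(ssn):
            raise ValueError("malformed SSN")
        idx = blind_index(ssn)
        if idx in self._by_index:              # same SSN always maps to the same token
            return self._by_index[idx]
        token = "SSN-" + secrets.token_hex(8)  # random, so the token itself reveals nothing
        self._by_token[token] = ssn
        self._by_index[idx] = token
        self.audit.append((actor, "tokenize", token))
        return token

    def detokenize(self, token: str, actor: str) -> str:
        """Reveal the full SSN only to an authorized actor, and always log the access."""
        if actor not in self._readers:
            self.audit.append((actor, "denied", token))
            raise PermissionError(f"{actor} is not authorized to detokenize")
        self.audit.append((actor, "detokenize", token))
        return self._by_token[token]

    def last_four(self, token: str) -> str:
        """Display form that most business processes can use instead of the full SSN."""
        return self._by_token[token][-4:]


def find_ssns(text: str):
    """Inventory step: locate SSN-shaped strings in unstructured data (fileshares, spreadsheets)."""
    return SSN_ANYWHERE.findall(text)


def remediate(records, vault: SSNVault, actor: str):
    """Before/after: replace the 'ssn' field in each record with a vault token."""
    out = []
    for rec in records:
        new = dict(rec)
        new["ssn_token"] = vault.tokenize(new.pop("ssn"), actor)
        out.append(new)
    return out


if __name__ == "__main__":
    # Constructed sample data
    vault = SSNVault(authorized_readers={"payroll-svc"})
    legacy = [{"name": "J. Doe", "ssn": "123-45-6789"}, {"name": "A. Roe", "ssn": "987-65-4321"}]
    clean = remediate(legacy, vault, actor="migration-job")
    print(clean)
    print(vault.last_four(clean[0]["ssn_token"]))
```

The audit list is the control an attestation review would read: every reveal of a full SSN names the actor, and denied attempts are recorded too.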

Page 14: Initiative Analysis & Prioritization

[Chart: the ten initiatives below plotted by Complexity (Low to High) against Value (Medium, High, Highest), with quadrants labelled “Targets” and “Secondary Targets”]

1. Implement user provisioning (phased approach)
2. Implement user provisioning (campus-wide)
3. Remediate SSN use
4. Audit reporting
5. SSO (ESSO)
6. Workflow
7. Common university-wide roles and attributes
8. Directory consolidation
9. Virtual directory
10. Federation

Page 15: What’s Next: Key Areas of Focus

• Federation
• Globalization
• Attestation
• Unstructured Data Problem
• Collaborative Research
• Sharing ID Across Institutions
• Rising User Expectations

Page 16: What our customers are saying…

“Boise State is currently reviewing policies, procedures and practices associated with its online business processes. To assure a new, unbiased and knowledgeable eye during this review, the university has tapped the expertise from one of its technology partners. Oracle's Insight Program brings experienced and knowledgeable issue specific experts to the table. No sales pitch. No product bias. Just sound logic and process assessments with clear understandable recommendations. This is what good technology advice and counseling is all about.”

--David O’Neill, CIO, Boise State

Page 17: What our customers are saying…

“I have read many audits and other security-related reports in the past; the one your team has put together is the best I have seen for providing a clear and specific roadmap to improving data security. Our team will use your report as the basis of an action plan that, when completed, will certainly reduce our exposure to a variety of threats. You clearly listened to our concerns and the report is a reflection of that.”

--Rich Fagen, CIO, Cal Tech

Page 18: What does Oracle provide?

Page 19: What is Identity Management?

“Identity management refers to the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities”

--the Burton Group

Page 20: Oracle’s Security Strategy

• Complete, unified security solution
  • No point product integration required
• Common security across applications and data
  • Protecting business processes and web services (SOA)
  • Protecting data in transit and at rest
  • Protecting against internal and external threats
• Hot-pluggable
  • Standards-based
  • Works across leading applications, web servers, application servers, portals, databases, and other IT systems

Page 21: Identity Management is an Enterprise Architecture

[Architecture diagram; recovered labels:]

Users: Employees, IT Staff, Partners (Internal and External), Customers

Identity Management Service:
• Access Management
• Identity Administration
• Directory Services
• Identity Provisioning
• Workflow & Orchestration
• Data Abstraction Layer
• Auditing and Reporting
• Monitoring and Management

Systems & Repositories: NOS/Directories, OS (Unix), Applications (SAP, CRM, HR, Mainframe, JDE), SOA Applications

Page 22: Identity Management and Data Security Richard Schad Senior Director Oracle Technology Business Unit.

AccessAccessControlControl

Identity & Access Mgmt. Functions

DirectoryDirectoryServicesServices

IdentityIdentityAdministrationAdministration

Authentication & Authentication & AuthorizationAuthorization

Single-Sign-OnSingle-Sign-On

FederationFederation

ProvisioningProvisioning

Identity LifecycleIdentity LifecycleAdministrationAdministration

Role & MembershipRole & MembershipAdministrationAdministration

Compliance AutomationCompliance Automation

VirtualizationVirtualization

SynchronizationSynchronization

Page 23: Access Control

• Authentication – Who are you?
  • Multiple factors to verify identity
  • Password, Smart Card, tokens, Kerberos, PKI, biometrics, …
• Authorization – What are you allowed to access?
  • Allow access to authorized resources only
  • Enforce authorization policies at all levels
• Federation – Access across identity domains
  • Establish trust between identity provider + service provider
  • Goal of seamless SSO between business partners
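The three bullets above (authentication with multiple factors, authorization enforced by the resource owner, and federation built on trust between an identity provider and a service provider) are shown together in this added example, which is not part of the deck and not Oracle product code. The IdP records which factors were used and issues a signed assertion; the SP verifies signature, issuer, audience and expiry before trusting any claim, then applies its own deny-by-default policy that can demand a minimum number of factors per resource. The shared HMAC key stands in for the X.509 signatures real SAML/WS-Fed deployments use, and the issuer URLs, roles and policy table are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the identity provider (IdP) and service provider (SP).
# Real federation protocols (SAML, WS-Fed) sign assertions with X.509 keys; an HMAC stands in
# here so the example needs only the standard library. This is an assumption of the example.
TRUST_KEY = b"idp-sp-shared-secret-demo"


def _sign(payload: bytes) -> str:
    return hmac.new(TRUST_KEY, payload, hashlib.sha256).hexdigest()


def issue_assertion(issuer, subject, audience, attributes, factors, ttl=300, now=None):
    """IdP side: after authenticating the user, issue a signed assertion scoped to one SP."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": issuer, "sub": subject, "aud": audience,
        "iat": now, "exp": now + ttl,
        "amr": sorted(factors),        # authentication methods used, e.g. password + otp
        "attrs": attributes,           # roles/affiliations the SP will authorize against
    }
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return payload + "." + _sign(payload.encode())


def verify_assertion(token, expected_issuer, expected_audience, now=None):
    """SP side: accept only assertions from the trusted IdP, meant for this SP, and not expired."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None, "bad signature"          # checked first, before trusting any claim
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["iss"] != expected_issuer:
        return None, "untrusted issuer"
    if claims["aud"] != expected_audience:
        return None, "wrong audience"         # stops reuse of an assertion at another SP
    if now >= claims["exp"]:
        return None, "expired"
    return claims, "ok"


# Constructed authorization policy enforced by the SP: required roles and minimum factor count.
POLICY = {
    "/grades":  {"roles": {"faculty", "registrar"}, "min_factors": 2},
    "/library": {"roles": {"student", "faculty", "registrar"}, "min_factors": 1},
}


def authorize(claims, resource):
    """Authorization: deny by default; require both the role and the assurance level the resource demands."""
    rule = POLICY.get(resource)
    if rule is None:
        return False
    if len(claims["amr"]) < rule["min_factors"]:
        return False
    return bool(set(claims["attrs"].get("roles", [])) & rule["roles"])


if __name__ == "__main__":
    tok = issue_assertion("https://idp.example.edu", "jdoe", "https://sis.example.edu",
                          {"roles": ["faculty"]}, ["password", "otp"])
    claims, status = verify_assertion(tok, "https://idp.example.edu", "https://sis.example.edu")
    print(status, authorize(claims, "/grades"), authorize(claims, "/payroll"))
```

Keeping `verify_assertion` and `authorize` separate is the point of the slide's split between authentication and authorization: the SP trusts the IdP for who the user is, but decides for itself what that user may reach, and can refuse a password-only login for a sensitive resource even though the assertion is valid.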

Page 24: Identity Administration

• Identity lifecycle administration
  • Manage add, change, suspend, reactivate lifecycle
  • Self service and delegated administration
• Role and membership administration
  • Static and dynamic memberships
  • Enable role and attribute based process automation
• Provisioning
  • Manage and police application entitlements
  • Automate approval and provisioning workflows
• Compliance automation
  • Periodic attestation of roles, entitlements, and control mechanisms
  • Segregation of duties monitoring and enforcement
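The lifecycle, role, provisioning and compliance bullets above, and the “provisioning & deprovisioning are painful and incomplete” finding (deceased users, new medical staff) from the Key Findings slide, are illustrated together by this added example; it is not part of the deck and not Oracle Identity Manager code. A small state machine drives the add/change/suspend/reactivate lifecycle, every transition re-synchronises target systems so that a suspended or terminated identity loses all entitlements, segregation-of-duties rules are enforced at grant time, a reconciliation pass detects orphan accounts that exist on a target with no active identity behind them, and an attestation report lists what a reviewer would periodically certify. The role model, target systems, SoD pairs and the terminal “terminated” state are constructed assumptions.

```python
from dataclasses import dataclass, field

# Allowed lifecycle transitions. The add/change/suspend/reactivate states come from the slide;
# the terminal "terminated" state is an assumption added so deprovisioning has an end point.
TRANSITIONS = {
    "new": {"active"},
    "active": {"active", "suspended", "terminated"},  # "change" leaves the identity active
    "suspended": {"active", "terminated"},            # reactivate or terminate
    "terminated": set(),
}

# Constructed role model: role -> target system -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "student": {"lms": {"learner"}, "library": {"patron"}},
    "faculty": {"lms": {"instructor"}, "sis": {"grade_entry"}},
    "payroll_clerk": {"hr": {"pay_edit"}},
    "payroll_approver": {"hr": {"pay_approve"}},
}

# Constructed segregation-of-duties rules: pairs of roles one person may not hold together.
SOD_CONFLICTS = {frozenset({"payroll_clerk", "payroll_approver"})}


@dataclass
class Identity:
    uid: str
    state: str = "new"
    roles: set = field(default_factory=set)


class ProvisioningService:
    def __init__(self):
        self.identities = {}
        # target system -> uid -> entitlements actually present on that system
        self.targets = {"lms": {}, "library": {}, "sis": {}, "hr": {}}
        self.log = []

    def add(self, uid, roles):
        ident = self.identities[uid] = Identity(uid)
        for role in roles:
            self.grant_role(uid, role)
        self.transition(uid, "active")
        return ident

    def grant_role(self, uid, role):
        """Enforce SoD at grant time, before anything reaches a target system."""
        ident = self.identities[uid]
        for held in ident.roles:
            if frozenset({held, role}) in SOD_CONFLICTS:
                self.log.append(("sod_block", uid, role, held))
                raise PermissionError(f"{role} conflicts with {held} for {uid}")
        ident.roles.add(role)
        if ident.state == "active":
            self._sync(ident)

    def transition(self, uid, new_state):
        ident = self.identities[uid]
        if new_state not in TRANSITIONS[ident.state]:
            raise ValueError(f"{ident.state} -> {new_state} is not allowed")
        ident.state = new_state
        self.log.append(("transition", uid, new_state))
        self._sync(ident)

    def _sync(self, ident):
        """Push exactly the entitlements the identity should have; anything else is removed."""
        wanted = {}
        if ident.state == "active":
            for role in ident.roles:
                for target, ents in ROLE_ENTITLEMENTS[role].items():
                    wanted.setdefault(target, set()).update(ents)
        for target, accounts in self.targets.items():
            if target in wanted:
                accounts[ident.uid] = set(wanted[target])
            else:
                accounts.pop(ident.uid, None)  # deprovision: suspended/terminated users lose access

    def reconcile(self):
        """Detection: accounts on target systems with no active identity behind them (orphans)."""
        orphans = []
        for target, accounts in self.targets.items():
            for uid in accounts:
                ident = self.identities.get(uid)
                if ident is None or ident.state != "active":
                    orphans.append((target, uid))
        return sorted(orphans)

    def attestation_report(self):
        """What a reviewer periodically certifies: each active identity's roles and entitlements."""
        return {
            uid: {"roles": sorted(i.roles),
                  "entitlements": {t: sorted(a[uid]) for t, a in self.targets.items() if uid in a}}
            for uid, i in self.identities.items() if i.state == "active"
        }
```

The reconciliation pass is the check that catches the “deceased user” case on the Key Findings slide: an account created directly on a target, or left behind when the identity record was closed out of band, shows up as an orphan on the next run instead of persisting until someone notices.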

Page 25: Directory Services

• Virtualization
  • Rapid identity data integration and application development
  • Enhance identity data integrity
• Synchronization
  • Entity level synchronization between directories
  • Precise control of data to synchronize

Page 26: Open Standards Based

• Identity Management Standards
  • SAML, XACML, Liberty ID-FF, SPML, WS-Fed, X.509, etc.
• Security Standards
  • XKMS, XML-SIG, PKCS, WSS, XML-ENC, TLS, PKI, SSL, S/MIME, LDAP, Kerberos, etc.
• Platform and Integration Standards
  • WSDL, SOAP, WSRP, Oracle JDeveloper, JSR-115, Oracle BPEL Designer, JCP, Oracle TopLink and ADF
• Web Services Standards
  • WS-Security, WS-Policy, WS-Fed, WS-Trust

Page 27: Q&A

Page 28: Appendix A: Oracle Identity Management Suite

Page 29: Oracle Identity Management

• Most Comprehensive, Best-In-Class Suite
• Hot-pluggable and Open
• Application Centric Identity Management

Page 30: April ‘06 Gartner Magic Quadrant

Page 31: Heterogeneous Support

• Applications
• Directories
• Application/Web Servers
• Operating Systems
• Groupware
• Portals

Page 32: Open Standards Based (repeat of the Page 26 slide)