ING webcast platform

Mark Robison, Enterprise Architect, ING; Neil Gandhi, Principal Product Manager, Oracle. ING: Scaling Role Management and Access Certification to Thousands of Applications

description

ING discusses Oracle identity management implementation and deployment synergies with a platform approach

Transcript of ING webcast platform

Page 1: ING webcast platform

Mark Robison, Enterprise Architect, ING

Neil Gandhi, Principal Product Manager, Oracle

ING: Scaling Role Management and Access Certification to Thousands of Applications

Page 2: ING webcast platform

This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.

Page 4: ING webcast platform

Agenda

• Business Drivers

• Implementation

• The Platform Approach

• Results & Lessons Learnt

• Use Cases & Deployment Synergies

• Q&A

Page 5: ING webcast platform

ING Environment at a Glance

Oracle Access Manager

• Fortune Global 500

• Over 29 M customers

• Over 16K US employees*

• 600 attested resources

• Centralized Security

• Full Auditability

*Includes managed contractors

Page 6: ING webcast platform

State of Business Prior to Implementation

Existing System – home grown and spreadsheet based

Project scope - Role Based

The problem of scale - 520 critical apps

Disparate systems – No single audit source

Key stakeholders – LoB, Security (CSO), IT

Page 7: ING webcast platform

Business Drivers for ING

Regulatory Compliance

• Scaling compliance across applications & users

Operational Efficiency

• Reduce redundant effort, administrative overhead

Personalized User Experience

• Improve user productivity, SLA

Risk Mitigation

• Close security gaps with instant and accurate user account/lifecycle management

Page 8: ING webcast platform

ING IAM Implementation

Current Scope

• Internal users

• User Population: 16K

• Initial focus on 520 SOX-critical applications

Immediate Goals

• Replace home grown system for scale, efficiency

• Single Platform to handle access management

Key Features

• Roles based

• Automatic user access attestation on transfer

• Integration with Oracle Identity Manager (OIM) for full lifecycle management

Page 9: ING webcast platform

Phase-In Approach at ING

Perimeter Security Revokes (OIM) - 2009

• Automate the revoke of key perimeter security access for all employees that are terminated

• PeopleSoft HR is the triggering system

• Network access (Active Directory)

• Email (Exchange)

• RACF (Mainframe)

• Benefits

• Real Time account disable on termination event

Password Management (Oracle ESSO) – 2007

• Provide mechanism for end user to have a single login for multiple applications

• Provide for self service password resets – 12/2010

• Benefits

• User does not have to memorize multiple credentials

• Reduced calls to help desk for password resets (40% reduction)

Retirement - Insurance - Investments

Page 10: ING webcast platform

Phase-In Approach at ING

Access Attestation (OIA) – 11/1/2010

• Replaced custom developed attestation program with OIA product

• Provides quarterly manager based review for employee’s application access

• Currently supports over 600 application feeds (520 SOX critical)

• Integrated with PeopleSoft HR, Service-Now (Help Tickets and Configuration Management Database)

• Provides immediate manager review process for employee’s application access on employee transfer event

• Benefits

• Easier attestation experience for managers

• Audit compliance

Base Role Access (OIM) – 12/15/2010

• Automate Base Role Access on New Hire event from HR

• Active Directory, Exchange, Ariba (Procurement), Service-Now (Help Desk, CMDB), Clarity (Time Tracking), PeopleSoft HR (Benefits, Pay), ESSO, etc.

• Benefits

• Standardization of user setup

• Reduced new hire provisioning time (From 7 days to instant)

Page 11: ING webcast platform

Phase-In Approach at ING

Simple AD Application Access (OIM) – 3/1/2011

• Automate simple AD security based applications and integrate with Service-Now for manager requested provisioning

• Benefits

• Consistent, timely provisioning

• Reduction of Security Fulfillment Staff (10 consultants)

Implementation of ING Contact Centers (OIA and OIM) - 2011

• Develop Role Matrix for all contact center staff

• Identify and integrate all applications into new provisioning process

• Where cost effective & technically viable, applications are automatically provisioned using OIM

• All other applications will be manually provisioned (from OIM) by integrating OIM to the Service-Now Help Desk ticketing system

Implementation of all ING Business Units (OIA and OIM) – 2012 +

• Develop Role Matrix for all other organizations

• Identify and integrate all applications into new provisioning process

Page 12: ING webcast platform

Methods of Attestation – Initial Method with OIA

• Resource Based Attestation

• Manager must attest to all employees’ access in all applications

• Results in many attestation reports per manager

• Manager does not “know” if level of access is appropriate

• Encourages “rubber stamping”

[Figure: Manager, Employees, Applications (Application A, Platform B, Application C, System D)]

Page 13: ING webcast platform

Methods of Attestation – Future Plan with OIA

• Role Based Attestation

• A Business Role defines what IT roles a user should have to perform only their specific job function

• IT Roles determine the level of access required within application/platform

• Manager attests that employees are in correct Business Role

• Business Role Owner attests that the IT roles make up the correct access needed to perform job function

• IT Role Owner attests that correct application entitlements are set in IT role

[Figure: Manager, Employees, Business Roles (Role A, Role B, Role C), Business Role Owners, and targets Application A, Platform B, Application C, System D]
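
An added example, not part of the original slides and not Oracle Identity Analytics code: a small model of the resource-based and role-based attestation methods described on the two slides above, counting what each reviewer must certify and flagging access that falls outside a user's business role. All user, owner, role and entitlement names are constructed sample data.

```python
# Added illustration; every name and value below is constructed sample data.
from collections import Counter

# IT role -> application entitlements it grants (attested by the IT role owner)
IT_ROLES = {
    "it_claims_read":  {("Application A", "claims.read"), ("System D", "report.view")},
    "it_claims_write": {("Application A", "claims.write")},
    "it_billing":      {("Application C", "invoice.create"), ("Platform B", "ledger.read")},
}
IT_ROLE_OWNER = {"it_claims_read": "owner_app_a", "it_claims_write": "owner_app_a",
                 "it_billing": "owner_app_c"}
# Business role -> IT roles needed for the job function (attested by its owner)
BUSINESS_ROLES = {
    "Claims Agent":  {"it_claims_read", "it_claims_write"},
    "Billing Clerk": {"it_billing", "it_claims_read"},
}
BUSINESS_ROLE_OWNER = {"Claims Agent": "owner_claims", "Billing Clerk": "owner_billing"}
# User -> (manager, business role)
USERS = {
    "alice": ("mgr_kim", "Claims Agent"), "bob": ("mgr_kim", "Claims Agent"),
    "carol": ("mgr_kim", "Billing Clerk"), "dave": ("mgr_lee", "Billing Clerk"),
    "erin": ("mgr_lee", "Billing Clerk"), "frank": ("mgr_lee", "Claims Agent"),
}

def entitlements_for(business_role):
    """Expand a business role into the entitlements its IT roles grant."""
    return set().union(*(IT_ROLES[r] for r in BUSINESS_ROLES[business_role]))

def resource_based_workload():
    """Resource-based: the manager attests every entitlement of every report."""
    load = Counter()
    for manager, role in USERS.values():
        load[manager] += len(entitlements_for(role))
    return load

def role_based_workload():
    """Role-based: three reviewers, each attesting only their own layer."""
    load = Counter()
    for manager, _ in USERS.values():
        load[manager] += 1                                # user is in the right business role
    for role, it_roles in BUSINESS_ROLES.items():
        load[BUSINESS_ROLE_OWNER[role]] += len(it_roles)  # IT roles fit the job function
    for it_role, ents in IT_ROLES.items():
        load[IT_ROLE_OWNER[it_role]] += len(ents)         # entitlements fit the IT role
    return load

def out_of_role(user, actual_entitlements):
    """Entitlements a user holds that their business role does not grant."""
    return set(actual_entitlements) - entitlements_for(USERS[user][1])

if __name__ == "__main__":
    print("resource-based:", dict(resource_based_workload()))
    print("role-based:    ", dict(role_based_workload()))
```

In this sample each manager's queue shrinks from 10 or 11 entitlement lines to 3 role memberships, and the entitlement-level decisions move to the role owners.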

Page 14: ING webcast platform

The Bigger Picture

Oracle Identity Analytics (OIA), Oracle Identity Manager (OIM), and Oracle Enterprise Single Sign-On (OESSO) provide a comprehensive and integrated suite of products that allow ING to effectively manage identity and access management.

The applications are game changers that have greatly enhanced ING’s Operational Efficiency.

Page 15: ING webcast platform

Down The Road: Future Plans & Drivers

Increase Automated Provisioning

• Custom Connectors to Applications

Extend Scope to External Identities – Customers

• Provisioning/Attestations

Expand Identity Warehouse

• Support Additional Feeds

Page 16: ING webcast platform

OIM and OIA Synergies at ING

OIA – The BRAINS

• Allows Modeling of roles

• Supports user attestation

• Supports Segregation of Duty checks

OIM – The MUSCLE

• Provisioning and Deprovisioning engine

• Access Reconciliation

• Identity Data Warehouse

Page 17: ING webcast platform

ING Business Value

• The time to get new employees access to all required applications is reduced. (<24 hours)

• The process of user access review is simplified. (Role Based)

• Closed Loop Remediation on attestation is accomplished using OIA and OIM.

• IT / Application roles are clearly defined, including the specific IT entitlements so error rates and re-work efforts are significantly reduced.

• Where feasible, applications are automatically provisioned, based on pre-approved business & application roles to reduce fulfillment time and errors.

• Reporting and fulfillment validation capabilities provide more complete audit options while reducing the associated costs.

• Separation of Duties conflicts are easier to manage.

• Can manage the lifecycle of an identity from new hire, transfer, to termination.

Page 18: ING webcast platform

Implementation Lessons Learned

Executive Sponsorship

• IAM (Identity and Access Management) implementation projects cross organizational boundaries and require strong sponsorship to set direction and priorities

• Governance function with engaged stakeholders from management, business, Information Technology is challenging to establish, but vital for the long-term

Business Focus

• Achieve clarity on the business challenges being addressed by the IAM solution

• Identify business drivers – Compliance, Risk Management, Cost Control, Business Facilitation – based upon enterprise needs and determine priority with stakeholders

Change Leadership

• Obtaining organizational buy-in for moving from application-specific to enterprise identity and access management is an exercise in diplomacy

• Provisioning project spans the whole organization - 75% Process + 25% Technology

• Curb your enthusiasm – don’t over-scope your Phase 1 implementation

Value Delivery

• Initial IAM projects should deliver "quick wins" to build business support for continuing the IAM program

• The “big-bang” implementation approach is unlikely to build stakeholder trust and involvement required for continuing along the IAM maturity curve

Page 19: ING webcast platform

Implementation Lessons Learned

Non Production Target Environments

• In order to reduce the risk and avoid testing in production, non-production target environments are required to test connectors (AD, Exchange, RACF)

• It is critical for non-production target environments to have the same data and schema as the production target environments

Standard User ID

• Account ID format conventions in use could present challenges or constraints on uniqueness, consistency, and ease of remembering

• Opportune time to standardize the login ID

• May require multiple standards based on platform limitations; a handful of standard patterns are better than free form

Technology Integration

• Determine point of diminishing returns for automated and manual processes

• Pilot the implementation to prove the solution

• Implement the solution by delivering in phases (top value first)

• Test performance and functionality

IAM Experience

• IAM projects have unique characteristics, so domain experience is vital

• IAM projects are complex and demand effective managers who can not only track schedule and budget, but effectively communicate with a diverse set of stakeholders and make sure everyone is pulling in the same direction

Page 20: ING webcast platform

Scale and Simplicity

• A Few Administrators

• Handful of Help Desk Staff

Page 21: ING webcast platform

Oracle Identity Manager – Oracle Identity Analytics Use Cases

• Key front-office features automation:

• Access Request & Access Certification

• Cross product knowledge of common identity data and policies

• Role-based User Administration

• Preventative Separation of Duties (SoD) Enforcement

• User Risk Aggregation and Auditing

• Analytics and Reporting

Page 22: ING webcast platform

Oracle Identity Manager – Oracle Identity Analytics Unique Value Proposition

[Figure: User On-boarding, User Access Change, User Off-board, SOD Checking, Aggregate Risk Score]

• Access Request and Access Certification Automation

• Risk Aggregation throughout User Lifecycle

• Scales & expedites certification process

• Builds in accuracy

• Closed-Loop Remediation

• Streamlined User, Role Management

Page 23: ING webcast platform

Platform Reduces Cost vs. Point Solutions

46% Cost Savings

48% More Responsive

35% Fewer Audit Deficiencies

Benefits / Oracle IAM Suite Advantage

Increased End-User Productivity

• Emergency Access: 11% faster

• End-user Self Service: 30% faster

Reduced Risk

• Suspend/revoke/de-provision end user access: 46% faster

Enhanced Agility

• Integrate a new app faster with the IAM infrastructure: 64% faster

• Integrate a new end user role faster into the solution: 73% faster

Enhanced Security and Compliance

• Reduces unauthorized access: 14% fewer

• Reduces audit deficiencies: 35% fewer

Reduced Total Cost

• Reduces total cost of IAM initiatives: 48% lower

Source: Aberdeen “Analyzing point solutions vs. platform” 2011

Page 24: ING webcast platform

Oracle Identity Management Platform: Complete, Innovative and Inter-operable

Identity Administration, Governance

• Password Management

• Self-Service Request & Approval

• Roles based User Provisioning

• Analytics, Policy Monitoring

• Risk-based Access Certification

Access Management

• Single Sign-On & Federation

• Web Services Security

• Authentication & Fraud Prevention

• Authorization & Entitlements

• Access from Mobile Devices

Directory Services

• LDAP Storage

• Virtualized Identity Access

• LDAP Synchronization

• Next Generation (Java) Directory

Platform Security Services Identity Services for Developers

Page 25: ING webcast platform

Why Oracle?

• Strategic Partner

• Platform Synergies

• Comprehensive, Best-in-Class

• Proven Solutions, Team

Page 26: ING webcast platform

Aberdeen Online Identity Assessment: Benchmark Your Identity & Access Program

www.oracle.com/Identity

Page 27: ING webcast platform

Aberdeen Group Event Series Featuring Analyst Derek Brink

• New York: April 12th

• Toronto: April 17th

• Boston: April 19th

• Chicago: April 10th

• San Francisco: May 22nd

Page 28: ING webcast platform

Live Platform Webcast Series: Customers Discussing Results of Platform Approach

• Platform Best Practices, Agilent Technologies – February 15th 2012 (Replay available)

• Cisco’s Platform Approach, Cisco Systems – March 14th 2012

• Platform for Compliance, ING Bank – April 11th 2012

• Platform Business Enabler, Toyota Motors – May 30th 2012

Register at: www.oracle.com/identity

Page 29: ING webcast platform

Identity Management at COLLABORATE 12: Deep Dive, User-Driven Sessions, and More

Register at: http://w3.ioug.org/C12IM

• April 22 – 26, Las Vegas

• Sunday, Apr 22, 9 am – 3 pm: Security and Compliance for your Oracle Systems

• Multiple Security, Identity Management sessions (Keyword search: Identity Management)
