Sun Identity Manager and SAP GRC

Date post: 07-Apr-2015
Page 1: Sun Identity Manager and SAP GRC

Sun Identity Manager and Integration with SAP GRC

Hakan Terzioglu, Solution Architect, Sun Software Practice

Page 2

Agenda

• Business Drivers for Identity Management
• Sun’s Identity Management Solution
• Sun Java System Identity Manager
  > Provisioning/Workflow
  > Profile Management
  > Password Management
  > High-scale provisioning
  > Auditing
  > Reporting
• SAP GRC Overview
• Integrating Sun IdM and SAP GRC
• Summary and Questions

Page 3

Pressure Points for IT

Page 4

Auditor Perspective: Show me processes for prevention AND show me proof

Top 10 Control Violations
• Unidentified or unresolved segregation of duties
• OS access controls on financial apps or portal not secure
• DB access supporting financial applications not secure
• Dev staff can run business transactions in production
• Lots of users with access to “super user” transactions
• Previous employees or consultants have system access
• Posting periods not restricted within GL application
• Custom programs, tables and interfaces are not secured
• Procedures for manual processes do not exist or are not followed
• System docs do not match actual process

Source: Ken Vander Wal, Partner, National Quality Leader, E&Y; ISACA Sarbanes Conference, 4/6/04

Page 5

Auditing & Provisioning Integration

(Figure: preventative controls vs. detective controls)

Page 6

Identity Auditing: Addressing the Need for Monitoring and Enforcement
“What should a user have access to” vs. “What does a user have access to”

Prevention
• Password Management
• Delegated Admin
• Synchronization
• Automated provisioning
• Approval Workflow
• Reporting

Monitoring and Enforcement
• Reporting
• Audit Policy
• Periodic Access Review
• Separation of Duty Checks
• Monitoring of Excessive Access
• Role & Policy Reconciliation

Page 7

Vision: Monitoring and Enforcement of Identity Controls (Identity Lifecycle Management)

Page 8

Compliance Landscape: Identity Auditing Is The Intersection Point

(Figure: four control domains, Identity Controls, Business Process Controls, Information Controls and Security Controls, with Identity Auditing at their intersection; elements shown include Provisioning, Password Mgmt, Role Mgmt, ERP Compliance (e.g. Approva, Virsa), BPM/SOA, Config Mgmt, Document Mgmt, ILM, Security Event Management, Intrusion Detection and Physical Access)

Page 9

Vision: Extending Identity Controls

(Figure: the compliance landscape diagram of page 8 repeated, with the same elements: Identity Controls (Identity Auditing, Provisioning, Password Mgmt, Role Mgmt), Business Process Controls, Information Controls and Security Controls, ERP Compliance (e.g. Virsa, Approva), BPM/SOA, Config Mgmt, Document Mgmt, ILM, Security Event Management, Intrusion Detection and Physical Access)

Page 10

Sun Identity Management Suite: 3+ Billion Identities Under Management

Access/Federation Manager
• Partner single sign-on
• Account linking
• Global log-out

Identity Manager
• Automated Provisioning
• Password Management
• Identity Synchronization
• Identity Auditing

Open Directory Server
• Next Generation Directory Server
• Open source
• 100% Java
• Fully tested and documented

Open Single-Sign On
• Open Source Web Single Sign On
• Includes Federation Services

Role Manager
• Role Engineering
• Role Maintenance
• Role Certification
• Identity Compliance

Directory Server
• Directory services
• Virtual directory services
• Security/failover services
• Data distribution services
• AD synch services

Page 11

Provisioning Lifecycle

New Users
• User info entered in HR or user self-registers
• Accounts provisioned to enterprise systems, applications, directories
• Non-digital resources assigned and/or initiated

Change Events & User Support
• Job/role/status changes
• Password changes and resets
• Profile information changes
• Additional requests for account access or non-digital resources

Users Leave
• Employee status updated in HR
• Partner contact changes
• Customer closes account
• Accounts disabled & removed
• Non-digital resources retrieved and/or cancelled

Page 12

Provisioning Challenges

(Figure: a cloud of unrelated account names and numeric IDs scattered across systems, e.g. claytonw, c_woo, cw33, A49382, ralnc493)

Identity Management
• Account Discovery
• Account Mapping
• Account Risk Analysis
• Account Disable / Removal
• Account Provisioning

Clayton Woo’s accounts across resources
• NT: c_woo
• Exchange: claytonw
• RACF: A49382
• AD: woo2
• SecurID: cw33
• Oracle: cwoo

The solution must provide
• Central audit trail/accountability
• Secure delegation of administration
• Automated workflow/approvals
• Security policy enforcement
• Standards-based interfaces

Page 13

Provisioning Today: Fragmented, Manual and Insecure

(Figure: Employees, Partners, Customers and Former Employees are provisioned through a Human Resources System, Call Center, Facilities/Purchasing and Help Desk into Siebel CRM, Oracle Financials, Exchange and Active Directory, plus chargeable and other assets)

Chargeable Assets
• Mobile phone/service
• Conference call account
• Credit card

Other Assets
• Office space
• Phone
• Laptop

Page 14

Provisioning with Sun IdM

(Figure: the page 13 landscape (Employees, Partners, Customers, Former Employees; Siebel CRM, Oracle Financials, Exchange and Active Directory; chargeable and other assets) with an HR Manager and an Approving Manager in the flow)

Chargeable Assets
• Mobile phone/service
• Conference call account
• Credit card

Other Assets
• Office space
• Phone
• Laptop

• Reduced risk
• Complete view of user’s identity
• Efficient, automated operations

Page 15

Provisioning: Agent-less Connector Architecture

(Figure: Identity Manager (Provisioning, Identity Synchronization, Profile Management, Password Management) reaching directories, mainframes, databases, operating systems, business applications and app servers through a Gateway for NT/Active Directory, a Resource Adapter Wizard for custom applications, and native security protocols, i.e. SSA, SSH, SSL etc.)

• Minimizes agent deployment
• Eliminates agent administration
• Enables faster deployment

Page 16

Provisioning: Virtual Identity Manager, works in Real Time

(Figure: the “Virtual Identity Manager”: Identity Manager (Provisioning, Identity Synchronization, Password Management, Profile Management) in front of directories, mainframes, databases, operating systems, business applications and app servers)

• Minimizes deployment time
• Eliminates operational challenges
• Manage centrally, enforce locally

Page 17

Provisioning: Account Auto-Discovery

• Logical management of multiple disparate identities
• Reduces risk of “orphaned” privileges

(Figure: the “Virtual Identity” of Joe Smith, whose accounts jms, Jsmith and SmithJ on a business application, an email application and directories are discovered and linked by Identity Manager (Provisioning, Identity Synchronization, Profile Management, Password Management))
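The account discovery and mapping bullets on page 12 and the auto-discovery picture on page 17 describe the same job: take the accounts found on each resource and attach them to one person. The following Python program is an added illustration of that correlation step; it is not Sun IdM code. The account names (c_woo, claytonw, A49382, woo2, cw33, cwoo, jms, Jsmith, SmithJ) come from the slides, while the HR records, the `owner_id` attribute and the login-pattern rule set are constructed assumptions. It goes one step beyond the slides by also flagging accounts whose correlated owner has left, which is the orphaned-privilege case page 17 mentions.

```python
"""Account auto-discovery: correlate accounts found on many resources to one
person (a "virtual identity") and flag what cannot be mapped or is orphaned.
Added illustration, not Sun IdM code. Account names come from the slides; the
HR feed, the owner_id attribute and the login patterns are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Person:
    hr_id: str
    first: str
    last: str
    status: str                       # "active" or "terminated" (constructed HR status values)


@dataclass(frozen=True)
class Account:
    resource: str
    name: str
    owner_id: Optional[str] = None    # hypothetical employee-number attribute some resources carry


def login_patterns(p: Person) -> set[str]:
    """Login forms a person's accounts are likely to use (hypothetical rule set)."""
    f, l = p.first.lower(), p.last.lower()
    return {f[0] + l, f"{f[0]}_{l}", l + f[0], f + l[0], f"{f}.{l}"}


def correlate(people: list[Person], accounts: list[Account]) -> dict:
    """Map each account to an hr_id. Rule 1: an authoritative owner_id attribute.
    Rule 2: an unambiguous login-pattern match. Anything else stays unresolved
    for manual mapping. Accounts whose owner is not active are orphans."""
    by_id = {p.hr_id: p for p in people}
    by_pattern: dict[str, list[str]] = {}
    for p in people:
        for pat in login_patterns(p):
            by_pattern.setdefault(pat, []).append(p.hr_id)

    identities = {p.hr_id: [] for p in people}
    unresolved, orphans = [], []
    for a in accounts:
        owner = None
        if a.owner_id in by_id:
            owner = a.owner_id
        else:
            hits = by_pattern.get(a.name.lower(), [])
            if len(hits) == 1:        # two people sharing a pattern is ambiguous: do not guess
                owner = hits[0]
        if owner is None:
            unresolved.append((a.resource, a.name))
            continue
        identities[owner].append((a.resource, a.name))
        if by_id[owner].status != "active":
            orphans.append((a.resource, a.name, owner))   # candidate for disable/removal
    return {"identities": identities, "unresolved": unresolved, "orphans": orphans}


# Constructed sample: an HR feed and the accounts a discovery pass returned.
PEOPLE = [
    Person("E1001", "Clayton", "Woo", "active"),
    Person("E1002", "Joe", "Smith", "active"),
    Person("E1003", "Jane", "Doe", "terminated"),
]
ACCOUNTS = [
    Account("NT", "c_woo"), Account("Exchange", "claytonw"),
    Account("RACF", "A49382", owner_id="E1001"),      # RACF record carries the employee number
    Account("AD", "woo2"), Account("SecurID", "cw33"), Account("Oracle", "cwoo"),
    Account("Business Application", "jms"), Account("Email Application", "Jsmith"),
    Account("Directories", "SmithJ"),
    Account("Unix", "jdoe"),                           # owner has left: orphaned privilege
]


def run_sample() -> dict:
    return correlate(PEOPLE, ACCOUNTS)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Three outcomes fall out of the run: Clayton Woo's NT, Exchange, RACF and Oracle accounts link to him, while woo2 and cw33 (and Joe Smith's jms) do not match any rule and are queued for a human to map rather than guessed; jdoe links to a terminated person and is reported as an orphan for disable/removal. Refusing to guess on ambiguous matches is the design point: a wrong link silently hands one user's access to another.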

Page 18

Provisioning: Workflow

• Capable of complex processes
  > Multi-step approvals
  > Robust notification framework
  > Silent Directory data transformations
  > Can include digital and non-digital assets
• Task persistence
  > Task recovery
  > Administrator queues
  > Escalation
• Automatic network/resource error compensation with notification
• Diverse execution models
  > Synchronous, concurrent or hybrid workflows
  > Independent thread forked processes
  > Deferred/scheduled processes to execute at a preset time
• Ease of Development with NetBeans IDE

Page 19

NetBeans UI – Workflow Editor

Page 20

NetBeans UI – Source Code View

Page 21

Profile Management

• Single-point end-user account self-service
  > Basic account self-service and attribute management, e.g. name, address, email address, etc.
  > Single-point password sync/reset
  > Integrated challenge/response for forgotten passwords
• Anonymous sign-up process
  > With full workflow/approval enablement
  > Full end-user self-subscription at Identity Server “Service” level
• Integrated workflow, approvals & audit

Page 22

Password Management Today:

(Figure: Users (Temporary Employees, Partners, Customers, Employees), the Help Desk, and the process environment: Oracle Financials, Exchange and Active Directory, PeopleSoft Human Resources System, Siebel CRM, Unix, RACF)

Page 23

Password Management

• Self-service password reset & synchronization
  > Convenient access through:
    > Web browser
    > IVR system
    > Network log-in (Windows)
• Automated password policy enforcement
  > Password history store
  > Password exclusion dictionary
  > Help desk integration to track password-related activity
• Reporting on self-service password resets
  > Number of password resets
  > Number of password changes
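The two policy mechanisms named above, a password history store and an exclusion dictionary, are small enough to show end to end. The following Python program is an added illustration, not Sun IdM code; the dictionary words, the history depth and the sample passwords are constructed. The point it adds to the bullet list is that the history store must hold salted hashes rather than the old passwords themselves, and that the dictionary check should run on a normalized form so that trivial digit and punctuation suffixes do not slip past it.

```python
"""Password policy enforcement with a history store and an exclusion
dictionary. Added illustration, not Sun IdM code; dictionary words, the
history depth and the sample passwords are constructed."""
from __future__ import annotations
import hashlib
import hmac
import os
import re

# Constructed exclusion dictionary: product names and the usual suspects.
EXCLUSION_DICTIONARY = {"password", "welcome", "sunidm", "letmein", "qwerty"}
HISTORY_DEPTH = 5          # how many previous passwords a user may not reuse


def _digest(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked history store is not a cheap cracking target."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Per-user store holding salted hashes of past passwords, never plaintext,
    so the history itself is not a harvestable list of credentials."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries: list[tuple[bytes, bytes]] = []   # (salt, digest), oldest first

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-self.depth]                   # keep only the last `depth`


def evaluate(password: str, history: PasswordHistory,
             dictionary=EXCLUSION_DICTIONARY, min_length: int = 8) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    # Strip digits and punctuation so "Password1!" is still caught by the dictionary.
    stem = re.sub(r"[^a-z]", "", password.lower())
    if stem in dictionary:
        problems.append("in exclusion dictionary")
    if history.contains(password):
        problems.append("reuses a recent password")
    return problems


if __name__ == "__main__":
    # Constructed walk-through: two previous passwords on file, then a few candidates.
    history = PasswordHistory(depth=2)
    for old in ("Correct-Horse-1", "Battery-Staple-2"):
        history.record(old)
    for candidate in ("Password1!", "Correct-Horse-1", "Short1", "Tr0ub4dor&3xyz"):
        print(candidate, "->", evaluate(candidate, history) or "accepted")
```

The history depth is a sliding window: once a third password is recorded with `depth=2`, the oldest entry drops out and could be chosen again, which is exactly the behaviour the "history store" bullet is meant to bound. For a real deployment the `evaluate` result is what the help-desk integration would log per attempt.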

Page 24

Password Management With Sun

(Figure: Users (Temporary Employees, Partners, Customers, Employees), Interactive Voice Response (IVR), and the process environment: Oracle Financials, Exchange and Active Directory, PeopleSoft Human Resources System, Siebel CRM, Unix, RACF)

Page 25

Auditing: It’s all about Control

• Creation and management of audit policies
• Audit Scanning
• S.O.D. Reporting
• Remediation/mitigation of audit violations using Workflow
• Periodic Access Review (a.k.a. Attestation/Recertification)
• Partnerships for deep ERP compliance (SAP, Approva)
• Auditing Reports available OOTB
  > Separation of Duties Report
  > Audit Violation History Report
  > Audit Policy Summary
  > Resource Violation History
  > and more!

Page 26

Periodic Access Review

Begin Audit
• Manager is requested to perform a PAR on a quarterly basis
• Logs into Identity Manager and initiates the audit scan

Identify & Correct Violations
• IM generates PAR report detailing employees’ access rights and potential violations
• Manager chooses to Mitigate and/or Remediate

Attestation / Recertification
• Once all issues are resolved, manager is confident and can then attest/recertify access rights for direct reports
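Pages 25 and 26 describe an audit scan over policies (separation of duties, excessive access) followed by a manager's review in which each finding is either remediated or mitigated before access is attested. The following Python program is an added illustration of that cycle; it is not Sun IdM or SAP GRC code. The policies, the entitlement names, the users and the compensating control are all constructed, and the three policies it checks mirror three items from the page 4 list (segregation of duties, "super user" access, former employees with access).

```python
"""Audit policy scan plus a Periodic Access Review (PAR) as described on
pages 25-26. Added illustration, not Sun IdM or SAP GRC code. The policies,
entitlement names, users and compensating control are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    manager: str
    status: str                                  # "active" or "terminated" (constructed HR status)
    entitlements: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Violation:
    user: str
    policy: str
    entitlements: tuple[str, ...]


# Constructed audit policies. Each SoD rule names two entitlements that must
# not be held together; EXCESSIVE lists "super user" style access.
SOD_RULES = {
    "vendor-create-vs-payment": frozenset({"AP:CreateVendor", "AP:ReleasePayment"}),
    "developer-in-production": frozenset({"ERP:Developer", "ERP:ProdTransactions"}),
}
EXCESSIVE = {"ERP:SuperUser"}


def audit_scan(users: list[User]) -> list[Violation]:
    """Evaluate every user against the policies and return the violations found."""
    found = []
    for u in users:
        if u.status != "active" and u.entitlements:        # former employee still has access
            found.append(Violation(u.name, "former-user-with-access", tuple(sorted(u.entitlements))))
        for policy, conflict in SOD_RULES.items():
            if conflict <= u.entitlements:                 # holds both sides of the conflict
                found.append(Violation(u.name, policy, tuple(sorted(conflict))))
        for ent in sorted(u.entitlements & EXCESSIVE):
            found.append(Violation(u.name, "excessive-access", (ent,)))
    return found


class PeriodicAccessReview:
    """One manager's quarterly review of direct reports: scan, then remediate
    (remove access) or mitigate (record a compensating control) each finding;
    attestation is only possible once nothing is left open."""

    def __init__(self, manager: str, users: list[User]):
        self.manager = manager
        self.reports = [u for u in users if u.manager == manager]
        self.mitigations: dict[Violation, str] = {}
        self.attested = False

    def open_violations(self) -> list[Violation]:
        return [v for v in audit_scan(self.reports) if v not in self.mitigations]

    def remediate(self, violation: Violation, entitlement: str) -> None:
        user = next(u for u in self.reports if u.name == violation.user)
        user.entitlements.discard(entitlement)            # a re-scan no longer finds the conflict

    def mitigate(self, violation: Violation, control: str) -> None:
        self.mitigations[violation] = control             # accepted, with a documented control

    def attest(self) -> bool:
        if self.open_violations():
            return False
        self.attested = True
        return True


def run_sample() -> dict:
    """Constructed walk-through of one review cycle; returns the observable results."""
    users = [
        User("cwoo", "mgr-finance", "active", {"AP:CreateVendor", "AP:ReleasePayment", "Mail"}),
        User("jsmith", "mgr-finance", "active", {"ERP:SuperUser", "Mail"}),
        User("jdoe", "mgr-finance", "terminated", {"Mail"}),
        User("other", "mgr-dev", "active", {"ERP:Developer", "ERP:ProdTransactions"}),
    ]
    par = PeriodicAccessReview("mgr-finance", users)
    before = par.open_violations()
    premature = par.attest()                              # refused while findings are open
    for v in before:
        if v.policy == "vendor-create-vs-payment":
            par.remediate(v, "AP:ReleasePayment")
        elif v.policy == "former-user-with-access":
            par.remediate(v, "Mail")
        elif v.policy == "excessive-access":
            par.mitigate(v, "super-user activity log reviewed weekly by finance controls")
    return {"before": sorted(v.policy for v in before), "premature_attest": premature,
            "attested": par.attest(), "mitigated": len(par.mitigations)}


if __name__ == "__main__":
    print(run_sample())
```

Two details carry the security meaning. Attestation is computed from a fresh scan, not from a checkbox, so a manager cannot certify over an open finding; and a mitigation is tied to the exact violation (user, policy, entitlements), so if the user later gains a different conflicting entitlement the new finding is not covered by the old control. The developer-in-production finding for the user under another manager is real but out of scope for this review, which is why reviews are scoped per manager.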

Page 27

Reporting

Example reports include:
• Number of password resets
• Number of password changes
• Number of Resource Accounts created
• Number of Resource Accounts deleted
• Ability to create your own usage reports

Reports can be customized!!

Page 28

Technology Partners
• Business Role Management
• Enterprise Application Controls Management
• ESSO

Page 29

SAP GRC Overview

Page 30

Page 31

Page 32

Page 33

Page 34

Page 35

Page 36

Page 37

Page 38

Integrating SAP GRC with Sun IdM

Page 39

Page 40

Page 41

Page 42

Page 43

Why Sun?

Sun is the leading Identity infrastructure provider

• Business Centric
  > Identity is a business problem first, technology second
  > Bringing business and IT strategy to deliver secure business processes, services, applications
• Open
  > Open Source, Open Access, Open Standards
  > Reduces risk, improves transparency
• Best in Class
  > Complete, market leading, highly modular
  > Delivers scale and performance

Page 44

Learn More

• Web Page: sun.com/identity/rolemanager
• Identity Insights: a membership program for identity management
• Podcasts & Videos: topical discussions and interviews
• White Papers: solutions for business-level issues

Page 45

Questions & Answers

Page 46

Thank You

Hakan Terzioglu
[email protected]