Sun Identity Manager and Integration with SAP GRC
Hakan Terzioglu, Solution Architect, Sun Software Practice
Agenda
• Business Drivers for Identity Management
• Sun’s Identity Management Solution
• Sun Java System Identity Manager
> Provisioning/Workflow
> Profile Management
> Password Management
> High-scale provisioning
> Auditing
> Reporting
• SAP GRC Overview
• Integrating Sun IdM and SAP GRC
• Summary and Questions
Pressure Points for IT
Auditor Perspective: Show me processes for prevention AND show me proof
Top 10 Control Violations
• Unidentified or unresolved segregation of duties
• OS access controls on financial apps or portal not secure
• DB access supporting financial applications not secure
• Dev staff can run business transactions in production
• Lots of users with access to “super user” transactions
• Previous employees or consultants have system access
• Posting periods not restricted within GL application
• Custom programs, tables and interfaces are not secured
• Procedures for manual processes do not exist or are not followed
• System docs do not match actual process
Source: Ken Vander Wal, Partner, National Quality Leader, E&Y; ISACA Sarbanes Conference, 4/6/04
Auditing & Provisioning Integration
Prevention (preventative controls)
• Password Management
• Delegated Admin
• Synchronization
• Automated provisioning
• Approval Workflow
• Reporting
Monitoring and Enforcement (detective controls)
• Reporting
• Audit Policy
• Periodic Access Review
• Separation of Duty Checks
• Monitoring of Excessive Access
• Role & Policy Reconciliation
Identity Auditing: Addressing the Need for Monitoring and Enforcement
“What should a user have access to” vs. “What does a user have access to”
Vision: Monitoring and Enforcement of Identity Controls
[Diagram: Identity Auditing sits inside Identity Lifecycle Management (ILM) next to Provisioning, Password Mgmt and Role Mgmt (the Identity Controls), and links out to Business Process Controls (ERP Compliance, e.g. Approva, Virsa; BPM/SOA), Information Controls (Config Mgmt, Document Mgmt) and Security Controls (Security Event Management, Intrusion Detection).]
Compliance Landscape: Identity Auditing Is The Intersection Point
[Diagram: the same control groups, with Physical Access added to the Security Controls, arranged around Identity Auditing as the point where they intersect.]
Vision: Extending Identity Controls
[Diagram: Identity Controls extended to cover Business Process Controls.]
Sun Identity Management Suite
3+ Billion Identities Under Management
Access/Federation Manager
• Partner single sign-on
• Account linking
• Global log-out
Identity Manager
• Automated Provisioning
• Password Management
• Identity Synchronization
• Identity Auditing
Open Directory Server
• Next Generation Directory Server
• Open source
• 100% Java
• Fully tested and documented
Open Single Sign-On
• Open Source Web Single Sign On
• Includes Federation Services
Role Manager
• Role Engineering
• Role Maintenance
• Role Certification
• Identity Compliance
Directory Server
• Directory services
• Virtual directory services
• Security/failover services
• Data distribution services
• AD synch services
Provisioning Lifecycle
New Users
• User info entered in HR or user self-registers
• Accounts provisioned to enterprise systems, applications, directories
• Non-digital resources assigned and/or initiated
Change Events & User Support
• Job/role/status changes
• Password changes and resets
• Profile information changes
• Additional requests for account access or non-digital resources
Users Leave
• Employee status updated in HR
• Partner contact changes
• Customer closes account
• Accounts disabled & removed
• Non-digital resources retrieved and/or cancelled
Provisioning Challenges
[Figure: a wall of account names and employee numbers drawn from many systems; one person, Clayton Woo, appears under six different identifiers.]
Identity Management
• Account Discovery
• Account Mapping
• Account Risk Analysis
• Account Disable / Removal
• Account Provisioning
One user, six accounts (Clayton Woo):
• NT: c_woo
• Exchange: claytonw
• RACF: A49382
• AD: woo2
• SecurID: cw33
• Oracle: cwoo
The solution must provide
• Central audit trail/accountability
• Secure delegation of administration
• Automated workflow/approvals
• Security policy enforcement
• Standards-based interfaces
Provisioning Today: Fragmented, Manual and Insecure
[Diagram: Employees, Partners, Customers and Former Employees are handled separately by the Human Resources System, Call Center, Facilities/Purchasing and Help Desk, each reaching its own set of targets.]
Targets: Siebel CRM, Oracle Financials, Exchange and Active Directory
Chargeable Assets: mobile phone/service, conference call account, credit card
Other Assets: office space, phone, laptop
Provisioning with Sun IdM
[Diagram: the HR Manager and the Approving Manager drive one provisioning flow through Identity Manager for Employees, Partners, Customers and Former Employees, covering the same targets and assets.]
Targets: Siebel CRM, Oracle Financials, Exchange and Active Directory
Chargeable Assets: mobile phone/service, conference call account, credit card
Other Assets: office space, phone, laptop
• Reduced risk
• Complete view of user’s identity
• Efficient, automated operations
Provisioning: Agent-less Connector Architecture
[Diagram: Identity Manager (Provisioning, Identity Synchronization, Profile Management, Password Management) reaches directories, mainframes, databases, operating systems, application servers and business applications over native security protocols (e.g. SSA, SSH, SSL); a Gateway fronts NT/Active Directory and a Resource Adapter Wizard covers custom applications.]
• Minimizes agent deployment
• Eliminates agent administration
• Enables faster deployment
• Minimizes deployment time
• Eliminates operational challenges
• Manage centrally, enforce locally
Provisioning: Virtual Identity Manager, Works in Real Time
[Diagram: the same Identity Manager components and target systems as on the previous slide, with Identity Manager acting as a “Virtual Identity Manager” in front of them.]
Provisioning: Account Auto-Discovery
• Logical management of multiple disparate identities
• Reduces risk of “orphaned” privileges
[Diagram: a “Virtual Identity” for Joe Smith ties together the accounts jms (business application), Jsmith (email application) and SmithJ (directories) through Identity Manager’s identity synchronization, profile management and password management.]
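The account-correlation problem from the Provisioning Challenges slide, the auto-discovery that builds a “virtual identity” from disparate accounts, and the disable-on-leave step of the Provisioning Lifecycle, worked through as one added Python example. This is not Sun IdM code: the HR feed, the per-resource account lists, the status values and the name-pattern rules are constructed for the illustration. An authoritative owner attribute (where a resource has one) wins over name patterns, and a pattern that matches more than one person is treated as an orphan rather than guessed.

```python
# Added example (not Sun IdM code): correlate accounts discovered on several
# resources with identities from an HR feed, then derive lifecycle actions.
# The HR feed, the account lists and the correlation rules are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    emp_id: str
    first: str
    last: str
    status: str  # "active" or "terminated" (assumed HR status values)


@dataclass(frozen=True)
class Account:
    resource: str
    name: str
    owner_attr: str = ""  # authoritative owner attribute, when the resource has one


# Constructed HR feed: one active employee, one who has left.
HR_FEED = [
    Identity("A49382", "Clayton", "Woo", "active"),
    Identity("A39485", "Anissina", "Welch", "terminated"),
]

# Constructed account lists, echoing the slide's six Clayton Woo accounts.
DISCOVERED = [
    Account("NT", "c_woo"),
    Account("Exchange", "claytonw"),
    Account("RACF", "A49382"),
    Account("AD", "woo2", owner_attr="A49382"),
    Account("SecurID", "cw33", owner_attr="A49382"),
    Account("Oracle", "cwoo"),
    Account("Oracle", "awelch"),  # owner has been terminated in HR
    Account("NT", "jtorvill"),    # matches nobody in HR: an orphan
]


def candidate_names(ident):
    """Account-name patterns this identity could own (all lower case)."""
    f, l = ident.first.lower(), ident.last.lower()
    return {f"{f[0]}_{l}", f"{f[0]}{l}", f"{f}{l[0]}", ident.emp_id.lower()}


def correlate(identities, accounts):
    """Map each account to at most one identity.

    An authoritative owner attribute wins; otherwise a name pattern is used,
    but only when it matches exactly one identity. Anything else is an orphan.
    """
    by_id = {i.emp_id: i for i in identities}
    patterns = {i.emp_id: candidate_names(i) for i in identities}
    mapped = {i.emp_id: [] for i in identities}
    orphans = []
    for acct in accounts:
        owner = acct.owner_attr if acct.owner_attr in by_id else None
        if owner is None:
            hits = [e for e, names in patterns.items() if acct.name.lower() in names]
            if len(hits) == 1:  # refuse ambiguous matches rather than guess
                owner = hits[0]
        if owner is None:
            orphans.append(acct)
        else:
            mapped[owner].append(acct)
    return mapped, orphans


def virtual_identity(emp_id, mapped):
    """The 'virtual identity' view: resource -> account name for one person."""
    return {a.resource: a.name for a in mapped.get(emp_id, [])}


def lifecycle_actions(identities, mapped, orphans):
    """Actions the lifecycle slide calls for: disable accounts of leavers and
    queue orphans for review, since nobody in HR can be held accountable."""
    actions = []
    for ident in identities:
        if ident.status == "terminated":
            for a in mapped[ident.emp_id]:
                actions.append(("disable", a.resource, a.name, ident.emp_id))
    for a in orphans:
        actions.append(("review-orphan", a.resource, a.name, None))
    return actions


if __name__ == "__main__":
    mapped, orphans = correlate(HR_FEED, DISCOVERED)
    print(virtual_identity("A49382", mapped))
    for action in lifecycle_actions(HR_FEED, mapped, orphans):
        print(action)
```

The refusal to guess on an ambiguous pattern is the point a practitioner should take away: a wrong correlation silently hands one person’s privileges to another’s virtual identity, whereas an orphan only costs a review.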
Provisioning: Workflow
• Capable of complex processes
> Multi-step approvals
> Robust notification framework
> Silent directory data transformations
> Can include digital and non-digital assets
• Task persistence
> Task recovery
> Administrator queues
> Escalation
• Automatic network/resource error compensation with notification
• Diverse execution models
> Synchronous, concurrent or hybrid workflows
> Independent thread forked processes
> Deferred/scheduled processes to execute at a preset time
• Ease of development with NetBeans IDE
NetBeans UI – Workflow Editor
NetBeans UI – Source Code View
Profile Management
• Single-point end-user account self-service
> Basic account self-service and attribute management (e.g. name, address, email address)
> Single-point password sync/reset
> Integrated challenge/response for forgotten passwords
• Anonymous sign-up process
> With full workflow/approval enablement
> Full end-user self-subscription at Identity Server “Service” level
• Integrated workflow, approvals & audit
Password Management Today
[Diagram: Employees, Temporary Employees, Partners and Customers all go through the Help Desk for password resets across the process environment: Oracle Financials, Exchange and Active Directory, PeopleSoft, the Human Resources System, Siebel CRM, Unix and RACF.]
Password Management
• Self-service password reset & synchronization
> Convenient access through: web browser, IVR system, network log-in (Windows)
• Automated password policy enforcement
> Password history store
> Password exclusion dictionary
> Help desk integration to track password-related activity
• Reporting on self-service password resets
> Number of password resets
> Number of password changes
Password Management With Sun
[Diagram: Employees, Temporary Employees, Partners and Customers reset their own passwords through Interactive Voice Response (IVR) and the other self-service channels, and Identity Manager synchronizes the change across the same process environment: Oracle Financials, Exchange and Active Directory, PeopleSoft, the Human Resources System, Siebel CRM, Unix and RACF.]
Auditing: It’s All About Control
• Creation and management of audit policies
• Audit scanning
• S.O.D. reporting
• Remediation/mitigation of audit violations using workflow
• Periodic Access Review (a.k.a. attestation/recertification)
• Partnerships for deep ERP compliance (SAP, Approva)
• Auditing reports available OOTB
> Separation of Duties Report
> Audit Violation History Report
> Audit Policy Summary
> Resource Violation History
> and more!
Periodic Access Review
• Begin audit: the manager is asked to perform a PAR on a quarterly basis, logs into Identity Manager and initiates the audit scan
• Identify and correct violations: IM generates a PAR report detailing each employee’s access rights and potential violations; the manager chooses to mitigate and/or remediate
• Attestation/recertification: once all issues are resolved, the manager is confident and attests to (recertifies) the access rights of their direct reports
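The audit-policy scan and SoD reporting from the Auditing slide, followed by the three PAR steps above (scan, mitigate or remediate, attest), as one added Python example. It is not Sun IdM code: the policy names, entitlement names, users, manager assignments and the accepted mitigating control are all constructed, and the “attestable” rule (every finding either remediated or covered by an accepted mitigation) is an assumption that matches the slide’s ordering.

```python
# Added example (not Sun IdM code): evaluate separation-of-duties (SoD) audit
# policies over users' entitlements, then build the periodic access review a
# manager works through. Policies, entitlements, users and the mitigating
# control are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class SodPolicy:
    name: str
    left: frozenset   # entitlements on one side of the conflict
    right: frozenset  # holding any of these together with any of `left` violates


POLICIES = [
    SodPolicy("vendor-create-vs-pay",
              frozenset({"AP:VENDOR_CREATE"}), frozenset({"AP:PAYMENT_RELEASE"})),
    SodPolicy("dev-vs-prod-posting",
              frozenset({"SAP:SE38_DEV"}), frozenset({"SAP:PROD_POSTING"})),
]

# Constructed: what each user currently holds, as reconciled from the targets.
ENTITLEMENTS = {
    "cwoo": {"AP:VENDOR_CREATE", "AP:PAYMENT_RELEASE", "MAIL:USER"},
    "jsmith": {"AP:VENDOR_CREATE", "MAIL:USER"},
    "rlee": {"SAP:SE38_DEV", "SAP:PROD_POSTING"},
}
MANAGER_OF = {"cwoo": "mgr1", "jsmith": "mgr1", "rlee": "mgr2"}

# Mitigations an auditor has already accepted: (user, policy) -> control.
MITIGATIONS = {("rlee", "dev-vs-prod-posting"): "CTRL-42: quarterly change-log review"}


def scan(entitlements, policies):
    """Audit scan: one violation per (user, policy) where both sides are held."""
    violations = []
    for user, ents in entitlements.items():
        for p in policies:
            left, right = ents & p.left, ents & p.right
            if left and right:
                violations.append({"user": user, "policy": p.name,
                                   "conflict": sorted(left | right)})
    return violations


def build_par(manager, violations, entitlements, manager_of, mitigations):
    """Periodic access review for one manager: each direct report's access,
    the violations against it, and whether the manager can attest yet."""
    items = []
    for user in [u for u, m in manager_of.items() if m == manager]:
        findings = []
        for v in violations:
            if v["user"] != user:
                continue
            control = mitigations.get((user, v["policy"]))
            status = "mitigated" if control else "open"
            findings.append({**v, "status": status, "control": control})
        items.append({"user": user, "entitlements": sorted(entitlements[user]),
                      "violations": findings})
    # Attestation only makes sense once every finding is remediated or mitigated.
    attestable = all(f["status"] == "mitigated" for i in items for f in i["violations"])
    return {"manager": manager, "attestable": attestable, "items": items}


def remediate(entitlements, user, entitlement):
    """Remediation: drop one side of the conflict (the caller re-scans afterwards)."""
    kept = set(entitlements[user]) - {entitlement}
    return {**entitlements, user: kept}


if __name__ == "__main__":
    found = scan(ENTITLEMENTS, POLICIES)
    print(build_par("mgr1", found, ENTITLEMENTS, MANAGER_OF, MITIGATIONS))
    fixed = remediate(ENTITLEMENTS, "cwoo", "AP:PAYMENT_RELEASE")
    print(build_par("mgr1", scan(fixed, POLICIES), fixed, MANAGER_OF, MITIGATIONS))
```

Note that a mitigation is keyed to a specific user and policy, not granted globally: the same conflict held by someone else stays open until a control is accepted for them too, which is what keeps the attestation honest.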
Reporting
Example reports include:
• Number of password resets
• Number of password changes
• Number of Resource Accounts created
• Number of Resource Accounts deleted
• Ability to create your own usage reports
Reports can be customized!
Technology Partners
• Business Role Management
• Enterprise Application Controls Management
• ESSO
SAP GRC Overview
Integrating SAP GRC with Sun IdM
Why Sun?
Sun is the leading identity infrastructure provider
• Business Centric
> Identity is a business problem first, technology second
> Bringing business and IT strategy together to deliver secure business processes, services, applications
• Open
> Open Source, Open Access, Open Standards
> Reduces risk, improves transparency
• Best in Class
> Complete, market leading, highly modular
> Delivers scale and performance
Learn More
• Web Page: sun.com/identity/rolemanager
• Identity Insights: a membership program for identity management
• Podcasts & Videos: topical discussions and interviews
• White Papers: solutions for business-level issues
Questions & Answers