FEATURE

As Published In
Oracle Magazine
January/February 2011

  

Positive Identification

By David Baum

 

How SUNY and ING increase compliance and decrease risk with Oracle Identity Management 11g

IT security is not so much about creating stronger walls as it is about creating better-functioning doors and windows. And when deploying identity management solutions, those better doors and windows equate to more-complete provisioning operations, more-comprehensive ways to manage identity, and greater flexibility for authorizing people to access enterprise information assets. These are a few of the reasons why the State University of New York (SUNY) and global financial institution ING deployed Oracle Identity Management 11g—which consists of a variety of solutions, ranging from single sign-on and access control to directory services, toolkits, and more. SUNY and ING use these solutions to manage user identities, provision IT resources, and enable trusted online business partnerships while simplifying access procedures for end users and improving governance and compliance activities for auditors. 

Federated Identity Management

SUNY is the largest comprehensive system of public higher education in the United States, with 64 geographically dispersed campuses, more than 88,000 faculty and staff members, and 465,000 students. 

Since 1980, SUNY has relied on distributed identity management and user authentication processes at each institution. When the State of New York asked SUNY to also define each of SUNY’s 88,000 employees in the state’s own user directory, SUNY worked with Oracle to devise a federated identity management solution that would leverage SUNY’s existing security architecture, user IDs, and passwords for each staff member to permit access to New York State’s services.

Dave Powalyk, chief technology officer (CTO) in the SUNY Office of Information and Technology (OIT), says the goal was to permit campus employees to access both SUNY and state resources with their existing security credentials by connecting SUNY’s identity management system to the state’s identity management system. SUNY succeeded by using Oracle Identity Federation 11g, a complete solution for securely exchanging identity information between two independent entities. This flexible, multiprotocol federation server works with existing identity and access management systems, reducing the need to manage multiple accounts for each user.

“Oracle Identity Federation 11g gave us an out-of-the-box solution for interacting with the New York State Office for Technology as both an identity provider and a service provider via SAML [Security Assertion Markup Language] 2,” says Powalyk. “This was a first-ever federation between a New York State government entity and the university, and it clearly demonstrated the power of the Oracle approach. In addition to Oracle Identity Federation 11g, we are evaluating Oracle Access Manager 11g and Oracle Identity Manager 11g for upcoming projects.”

Identity Management Glossary

 

 Attestation

Compliance mandates often require periodic attestation—or confirmation/authentication—of users’ access to critical applications. Attestation requires that a defined approval workflow periodically reauthorizes access to sensitive information (typically financial data) that falls within a particular compliance mandate such as the Sarbanes-Oxley Act (SOX).

 

 Federated Identity

The technologies and standards that provide portability of identity information across security domains to enable users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration.

 

 Resource Access Control Facility (RACF)

An IBM security system that provides access control and auditing functionality for the z/OS and z/VM operating systems.

 

 Security Assertion Markup Language (SAML)

An XML-based standard for exchanging authentication and authorization data between security domains—for example, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions).
SAML is an XML-based standard for exchanging authentication and authorization information among security domains. Oracle supports both SAML and Shibboleth, a popular federation standard in the higher education arena. Adherence to these standards ensures that SUNY can securely share identities with other campus systems without having to manage, maintain, and administer additional identities and credentials.

“With Oracle Identity Federation 11g, Oracle has created an effective and efficient way of deploying a federation model,” continues Powalyk. “This release reflects some of the specific features we requested from Oracle. Oracle took the time to understand exactly what we needed, and it developed this software with its customers’ needs in mind. This is just another great example of a true partnership between Oracle and SUNY.”

SUNY extended the default Oracle Identity Federation 11g behaviors by using the supplied third-party extension classes to leverage SUNY’s existing Java entitlements, access services, and LDAP directories. Paul Lienhard, a programmer/analyst at SUNY and the lead Java architect for this project, says the process took only eight weeks from start to finish. “We have 64 campuses with their own LDAP directories, and we needed to access all of them,” he explains. “Now users log in to the familiar identity management portal, and Oracle Identity Federation 11g brokers the exchange with the outside SAML service provider.”

“Oracle Identity Federation 11g enabled us to take advantage of our existing infrastructure and wrap it within an SAML identity provider,” adds Ken Runyon, the program manager for identity management at SUNY OIT. “Tens of thousands of campus employees can access resources from the State, even though the campus and the State use two completely different federation technologies. Oracle’s standards-based, SAML 2.x approach enabled us to easily establish secure communications and pass all requested and required attributes between these two independent entities.”

SUNY now provides federated access to New York State’s online training classes to faculty and staff at every SUNY campus in a seamless and integrated manner. Other online resources will be available from the State in the future. “The best part of the whole process is that we provided these services quickly and in a manner that was best suited for our community,” Runyon says. 

Adhering to Standards

Integration with Oracle Identity Federation 11g enables the SUNY community to seamlessly access federated services provided by other higher education institutions as well. According to Lienhard, as long as it is a SAML 2–compliant identity management solution, Oracle Identity Federation 11g can work with that solution in a straightforward fashion without any modifications to the SAML federation and communication architecture. “Support for several industry federation standards in Oracle Identity Federation 11g enables SUNY to continue its support of its custom ‘federation-like’ infrastructure as well as other federation technologies, such as Shibboleth, within its existing federated identity infrastructure,” he says. “We were able to link the 64 campuses that currently use our custom solution relatively easily, using the software Oracle provided, right out of the box.” 

SUNY worked closely with Oracle to develop the identity management solution. “The Oracle Identity Federation 11g production team was very helpful and supportive,” says Runyon. “They provided a specific implementation that we could leverage, including a robust API for integrating our custom Java security layer, which includes a fine-grained entitlement system and access management solution.”

According to Amit Jasuja, vice president of development, identity management, and security products at Oracle, SUNY is confronting a common problem that leads many organizations to federated identity management solutions. “As organizations request business services from partners outside of their firewalls, or attempt to offer a cohesive set of information resources to dispersed user communities, a federated identity management solution simplifies the information landscape for users and streamlines administration for IT professionals,” he explains. “They might be outsourcing payroll and benefits functions, or perhaps they are making their business applications available to nonemployees. In addition, some companies need to aggregate services from multiple sources and present them to consumers as a single cohesive offering.”

Snapshots

 

 The State University of New York

Headquarters: New York
Industry: Higher education
Number of users: 553,000 students and faculty
Oracle products and services: Oracle Identity Management 11g solutions, including Oracle Identity Federation, Oracle Access Manager, and Oracle Identity Manager; Oracle Consulting

  

 ING

Headquarters: Amsterdam, the Netherlands
Industry: Financial services
Number of internal users: 10,000
Oracle products and services: Oracle Identity Management 11g solutions, including Oracle Identity Manager and Oracle Identity Analytics; PeopleSoft Human Resources; PeopleSoft Financials; Hyperion applications; Oracle Database; Oracle Consulting
Partner services: Deloitte, Tata Consultancy, Infosys

In all these scenarios, Oracle Identity Management 11g provides single-sign-on access to applications and services across disparate security domains—without forcing IT pros to add large numbers of users to an enterprise directory or requiring people to manage multiple identities online.

“Ideally there should be an established trust mechanism that allows people who have been authenticated in one domain to be trusted in a second domain,” adds Jasuja. “Yet without an effective federation strategy, organizations confront delays adopting applications, they must contend with runaway costs for onboarding and management, and they lack a cohesive strategy for addressing new security threats. SUNY is solving these issues with Oracle software.” 

Investing in Security and Compliance

With Oracle Identity Management 11g, Oracle has devised the industry’s first service-oriented security architecture, simplifying application security by making identity functions available as discrete, reusable Web services. According to Jasuja, this unique approach enables developers to create a centralized security infrastructure for multiple applications, resulting in faster development cycles, greater deployment flexibility, and lower integration costs. 

“Oracle uses the term service-oriented security to refer to externalization—for example, handling the administration, authentication, authorization, and auditing outside of applications by providing well-defined external identity management services and a standardized, centralized infrastructure to deliver these services, which might sound pretty simple at first glance,” explains analyst Martin Kuppinger, cofounder of Kuppinger Cole, a leading Europe-based analyst company for identity-focused information security. “However,” Kuppinger continues, “it involves changing how security is implemented in applications. The advantages are obvious: standardized, consistent security; quicker implementation of security; reduction of security holes; faster time to market for secure applications; easier testing of applications; and so on.”

It’s partly as a result of this flexibility that identity management software is gaining momentum in the financial services industry, where increasingly stringent regulatory compliance issues are driving many companies to bolster their user provisioning and access management processes. ING, a global financial institution that offers banking, investments, life insurance, and retirement services, is staying ahead of the regulatory curve with an identity management solution based on Oracle Identity Manager and Oracle Identity Analytics.

“The increased cost of managing our heterogeneous environment, coupled with security concerns and reliance on manual processes, has generated the need for a centralized identity management solution,” says Mark Robison, enterprise architect at ING U.S. Financial Services (USFS). “Our goal is to automate the current ID request and approval processes and the access change and termination processes for ING employees, as well as to simplify our entitlement attestation processes to meet various regulatory compliance requirements.”

ING USFS has a vast array of systems and applications accessed by approximately 10,000 employees. Previously these people relied on cumbersome manual processes for identity management, access request, and attestation activities, frustrating users and negatively affecting productivity. When ING employees requested identity services, such as permission to use a new set of applications, it took as long as 10 days to complete the request, mainly because the organization’s identity management processes were not capable of reconciling user identities across applications and did not offer effective controls for regulatory compliance.

“Our business community was frustrated by a confusing set of procedures,” admits Robison. “Every manager was responsible for reviewing each entitlement. Not only was it time consuming, but it was not effective.”

ING currently has 96 IT professionals supporting provisioning, deprovisioning, compliance checking, approvals, and attestation. “The provisioning alone entails about 20,000 transactions per month,” adds Brian Cox, a security manager in ING’s access management organization. “Now we are leveraging the Oracle Identity Management suite to automate a lot of the manual approvals.” 

Earning High Yields on User Provisioning

ING deployed Oracle Identity Manager and Oracle Identity Analytics after evaluating other identity management solutions from CA Technologies and IBM. Robison says ING chose the Oracle Identity Management suite because Oracle had a well-integrated toolset that is easy to use with both Oracle and non-Oracle applications. 

“Our plan was to automate the provisioning of users, including adds, changes, and revokes, with access approvals facilitated via automated workflow processes,” says Robison. “We especially like Oracle’s open and extensible architecture. Oracle Identity Management 11g includes a lot of out-of-the-box connectors, along with a connector factory where you can build your own.”

ING worked with consultants from Deloitte to devise 16 use cases for integrating the new software with third-party access management solutions from Passlogix (now a wholly owned subsidiary of Oracle), along with Oracle’s PeopleSoft applications and custom ING applications.

“Our first deliverable was to replace a manual perimeter revoke process with automatic perimeter revokes from Oracle Identity Manager, which was quick and easy to complete,” says Robison. “Now when someone is terminated in our HR system, we instantly terminate them from all the perimeter systems to keep them from accessing our Microsoft Exchange Server, Active Directory, and several layers of RACF [Resource Access Control Facility] security on our mainframe systems. We have improved business efficiency by automating ID request processes, approval processes, access change processes, and termination processes.”

Next the team implemented Oracle Identity Analytics for handling quarterly attestation processes in more than 500 information systems. Attestation is a quarterly review process in which managers verify that their employees can only access certain information systems.

Next Steps


 LEARN more about Oracle Identity Management 11g
 

 WATCH the Oracle Identity Management Webcast
 

 READ the Oracle Identity Management 11g data sheet

 Download Oracle Identity Management
 

 CONNECT
Oracle Identity Management
Oracle Identity Management on Facebook
Oracle Identity Management on Twitter
Oracle Identity Management Pros on LinkedIn
 

“Oracle Identity Analytics works hand in hand with Oracle Identity Manager to define the roles and handle the attestation,” says Cox. “It feeds that information to Oracle Identity Manager, which is the provisioning engine, setting up accounts and access-control requirements for each information system.”

Cox believes the Oracle software could cut the manual efforts expended by ING’s 96-person access management organization by 75 percent. “We can’t fully get away from some manual processes, but the Oracle software will help us reduce the effort significantly,” Cox says. “It will also help us increase productivity for the business community, since people won’t have to wait to have their access requests fulfilled. More importantly, when somebody is terminated from ING, we can instantly revoke their access privileges and keep them out of the system. The potential payback in terms of risk avoidance is huge.”

As ING deploys the solution into wide production, it is improving business efficiency and reducing costs by systematically automating manual access processes—including granting users access based on their ever-changing roles and responsibilities within the organization.

“Oracle has the best integrated suite of identity management tools in the industry, and it is just getting better,” says Robison. “Oracle is really moving us forward with our risk and ID management strategy. They have delivered a good product with a good process right out of the box.”

 


David Baum (david@dbaumcomm.com) is a freelance business writer based in Santa Barbara, California.

  

Send us your comments