Security on the MoveBy David Baum
Organizations use Oracle Identity Management solutions to secure operations in the cloud and on the go.
As corporate computing services become more diverse and the underlying IT infrastructure gets more complex, authorizing people to use enterprise information systems becomes progressively more challenging. How do you handle identity administration, authentication, trust management, access control, directory services, and governance for a roving workforce that expects a consistent experience, whether they use an iPad at a coffee shop or boot up a computer in the office?
Ideally, your information systems should recognize users in the same way and support access, permissions, and password security across all devices and all locations. Provisioning mobile, desktop, and every other type of system access must also be simple, cost-effective, and—of course—secure.
Organizations held to the highest security standards—including healthcare and telecom—are turning to Oracle Identity Management solutions for their ability to deliver comprehensive, business-focused provisioning solutions for any device accessing all enterprise resources—on premises or in the cloud.
Health on the Go
Founded in 1945, Kaiser Permanente (KP) is one of the nation’s largest not-for-profit health plans, serving more than 9 million members. With 36 hospitals, 533 medical offices, 15,853 physicians, 172,997 employees, and thousands of visiting physicians, authenticating users and provisioning IT resources is an immense task.
Previously, access provisioning at KP varied from region to region and application to application. With nine different systems for provisioning users, KP had to gather nine sets of documentation to respond to auditors. KP decided to move to a centralized provisioning model in response to steady growth and tighter government regulations, which continue to get more stringent and require finer levels of control.
“We didn’t have a consistent way to enable access to all of the applications that new hires needed to use,” explains Kurt Lieber, executive director of identity and access management (IAM) and security compliance at KP. “We adopted Oracle Identity Management software to achieve faster Day One provisioning and also to meet the increasing expectations of regulators in a cost-efficient manner.”
Lieber and 90 other IAM specialists support a workforce of about 260,000 people, including internal staff, visiting physicians, and other medical personnel. Several years ago, KP deployed Oracle Access Management Suite, a solution that now enables Web-based, secure single sign-on (SSO) for about 100 applications, simplifying computing tasks for the entire workforce. Over the last couple of years, KP added Oracle Adaptive Access Manager to add risk-control services to critical Web-based applications.
Today KP’s IAM implementation supports major applications for finance, HR, and many clinical domains. IT pros have one interface to the directory groups that control access to various file systems and data sets, which dramatically simplifies resource provisioning chores. “Provisioning tasks that used to take days or weeks now take minutes or hours,” says Lieber.
Keeping its information systems accessible, secure, and online has become even more important as KP makes headway with its electronic health record initiative. “All of our health records are entirely electronic, and they are stored in a single application called KP HealthConnect,” explains Lieber. “Our care providers are dependent on our electronic health record system to enter and retrieve patient information. It’s very critical to have 100 percent uptime to ensure that we can provide the appropriate care to our patients.”
“Multiapplication SSO is easy in a browser world; not so on a mobile client,” says Amit Jasuja, vice president of development and security and identity management at Oracle. “Today’s iPhone and iPad apps cache your password so you don’t have to continually log in, which is very insecure. Another issue is where you are—the context is different if you are using public Wi-Fi or your company network. Organizations granting access to corporate applications need to figure this out before they serve up sensitive data.”
Oracle is addressing mobile access challenges with Oracle Identity Management 11g Release 2, which includes features for mobile devices and support for the iOS operating system. The Oracle software incorporates standards such as OAuth and OpenID and RESTful interfaces to enable custom application development, device registration, context-sensitive authorization, and certificate and credential management, backed by device usage reports and analysis. IT professionals can administer the whole suite through the integrated management packs in Oracle Enterprise Manager.
Lieber and his colleagues have been testing Oracle Identity Management 11g Release 2, partly to evaluate its mobile application security capabilities. “We’re looking at how to make these experiences as seamless as possible without introducing an additional level of risk,” he says. “We like Oracle’s comprehensive roadmap for where they are taking identity and access management, with respect to mobile computing and other emerging domains. Every dollar we can save on IT is a dollar more that we can put toward patient care.”
BT (formerly British Telecom) is a global provider of communications solutions and services that operates in 170 countries. Five years ago, the communications giant tracked user roles and privileges with a basic directory, but a mounting series of compliance and audit issues drove BT to deploy a more robust identity management solution. Successful deployments of Oracle Financials, Oracle’s PeopleSoft applications, and Oracle Fusion Middleware components made Oracle Identity Management a logical choice.
“Our focus was on establishing a security layer above the directory infrastructure to provision and deprovision users and make sure that the data flows were good,” explains Peter Boyle, head of identity services at BT. “Oracle supplies a common set of application services and a common application development framework that works across all of the middleware tiers. That makes things much simpler and much more standard for us. Previously we had several solutions for onboarding users, and now we have only one agreed-upon process, which has clarified things a lot. Consolidating multiple HR systems into one global instance has further simplified our infrastructure.”
Boyle’s team is responsible for enabling around 89,000 employees and about 50,000 third parties to access BT’s enterprise resources. In addition, many of BT’s customers, from individual consumers to government departments to multinational corporations, access the company’s information systems at some level.
BT’s global deployment of Oracle Identity Management supports anyone who needs access to BT’s internal systems for development or support of BT’s products and services. Boyle foresees additional simplification as the company adopts Oracle Identity Management 11g Release 2. “The flexibility of the user interface in Oracle Identity Management 11g Release 2 is a major advantage,” he notes, “especially being able to search for entitlements and rules and being able to put them in a shopping cart. It’s a much easier experience that draws on people’s comfort with popular e-commerce solutions such as eBay and Amazon.”
Sally Hudson, research director of security products at International Data Corporation, believes that Oracle is ahead of the curve with the new entitlement capabilities in Oracle Identity Management 11g Release 2. “Using a catalog or shopping cart metaphor to associate entitlements with specific employee functions makes it easier to meet compliance requirements and ensure business integrity,” she notes. “Managers are starting to work with IT in a partnership to better respond to these business requirements. Given these trends, this type of interface will be welcomed and embraced by the business community.”
“Previously we did this on an application-by-application basis, but with Oracle Identity Management 11g we will be able to do it centrally based on the Oracle toolset. That’s a big move forward that will save a lot of resources,” he says.
Like most companies, BT must accommodate a growing portfolio of services. In some cases those services are set up to support credentials from third-party social networks. Boyle advises IT managers to proceed with caution in these instances and to make sure that the type of authentication matches the level of trust. “A user’s Facebook credentials may be appropriate for accessing an online game, but you wouldn’t use those credentials to authorize a bank payment,” he points out. “There are tiers of accreditation within the enterprise, and you must match the right level of authentication to each particular service.”
David Baum (firstname.lastname@example.org) is a freelance business writer based in Santa Barbara, California.
Send us your comments
|Submit your completed online subscription form by April 11, 2014 and your subscription begins immediately with the May/June 2014 issue.|