The Hong Kong Housing Society (HKHS) was formed in 1948 with a donation of £14,000 from the Air Raid Distress Fund of the Lord Mayor of London. The money was used to build homes for people left homeless by the Second World War. Today, HKHS continues to provide housing for people in need at nonprohibitive rates.
In late 2006, HKHS completed a study that revealed gaps in its identity management approach. The organization had basic single sign-on and access control processes, but lacked a comprehensive identity management infrastructure. There was no centralized control over user provisioning and access authorizations, which meant employees sometimes had to wait days to access critical business systems, such as the organization’s integrated property management system. Security was also an issue, as the single sign-on could not provide clear audit trails on accessibility.
To overcome these challenges, HKHS chose Oracle Identity Management solutions to help improve and secure its business operations. Following the implementation, the organization has cut user provisioning times from two to seven days to the same day; improved security; and enhanced the user experience by integrating, streamlining, and automating access across its major applications, including Oracle’s JD Edwards EnterpriseOne Financials and PeopleSoft Enterprise Human Capital Management systems, its integrated property management system, Microsoft’s Active Directory and Exchange systems, and a number of bespoke applications with a large user base.
HKHS has 1,300 staff members and 60 offices across Hong Kong. Approximately 900 employees work in the property management division, and around half of them are site staff. These staff members usually relocate to different site offices within six months to carry out property management and maintenance services.
Prior to the Oracle implementation, employees had to request changes of access to location-dependent document repositories, database applications, and e-mail groups.
“People inevitably forgot their login names and passwords because there were too many for them to remember,” said Patricia Fong, manager, IT Projects, Hong Kong Housing Society. “This meant the IT team spent a lot of time resetting logins and passwords, which distracted them from higher level work.”
Much of this provisioning work had to be completed manually, as the organization did not have automated facilities for user account provisioning. Staff could wait up to seven days before they were granted their access requests, preventing them from completing their property management duties. HKHS also lacked centralized user account management and authorization and enterprisewide role management, which exposed the organization to security risks, as it could not accurately track access rights based on an individual’s role.
HKHS decided to implement a comprehensive identity management platform to gain centralized control over user provisioning and authentication by user profile. First, the organization integrated its PeopleSoft Enterprise Human Capital Management system with Oracle Internet Directory and Oracle Virtual Directory to create a central user repository. Second, Oracle Identity Manager was used to provide a comprehensive range of user identity and role lifecycle functions. Finally, Oracle Access Manager was used to provide authentication, Web single sign-on, access policy creation and enforcement, and reporting and auditing.
In the past, a staff member changing roles or business units would submit a request to the IT team asking for authorization to access different applications. Depending on the complexity of the request, it could take two to seven days to grant access. A complication could occur if requests were received during frozen periods―when access to the PeopleSoft Enterprise Human Capital Management system is stopped for up to five days per month due to scheduled activities, such as a payroll calculation. The lengthy wait times meant staff could not access the applications they needed to do their jobs, leading to user frustration and lower productivity.
Oracle Identity Management automated user provisioning, enabling access requests to be granted on the same day or the next business day (more complicated requests may take up to three days). “We receive about 100 provisioning requests a month and can grant almost all of them on the day they are received,” said Fong.
Similarly, when a staff member resigns from the organization, the user account is automatically deactivated. After HR staff makes a note in the employee’s record that the person is leaving, the information flows through to the Oracle Identity Management system, which then automatically deactivates the user account at the close of business on their last day. Previously, this was not always possible, and there was a risk that users could access applications after they had left.
Automation has reduced the time the IT team spends on managing user identities of a dozen frequently used IT systems. Fong estimates that more than 12 hours is saved for each system per month by eliminating the need for IT staff to attend to 20 login failure incidents. Users as a whole save up to 10 hours because they no longer have to wait for the IT team to fix login failures. The IT team also saves close to seven hours by automating user account creation and assignment.
“This means members of the IT team can be redeployed to higher value work in security and quality assurance,” said Fong.
“Oracle Identity Management products are very user-friendly, so that makes the job of our IT team much easier,” she added. “More importantly, we have significantly improved corporate security, giving us peace of mind that confidential business and client information is protected from unauthorized access.”
Property officers and managers need to access at least eight key applications in their estate management and maintenance roles. These include e-mail, financial management, property management, cash management, MIS reporting, document management, electronic workflow, and PeopleSoft Enterprise Human Capital Management systems.
Applications can only be used at a specific location and cannot be accessed from another office. For example, a manager can only approve a repair request for Estate A from the Estate A location. They cannot view and approve an Estate A repair request from Estate B. This also applies to their e-mail and reports.
The challenge for the IT team was to ensure that staff had access to the right applications at the right location. In the past, if an employee needed access to a certain application for a specific estate, it could take days before the access request was granted.
By setting up a central access policy, access requests can be automatically completed immediately after receiving approval from users’ managers. The system knows which applications and e-mail groups users need for their work and can restrict access to systems and reports that they don’t need. Automated user provisioning also means staff no longer have to wait days to access applications, increasing productivity and user satisfaction.
“If employees can access the systems they need, it enables them to better serve our customers; that is, we can provide public housing assistance to the people who need it most and ensure they live in safe, comfortable, and well-maintained apartments,” said Chester Lau, IT security and quality assurance manager, Hong Kong Housing Society.
Staff is happier because they no longer have to remember multiple logins and passwords. Today, users only have to remember their Windows login password. Each time they reset their Windows password, it is automatically applied across all the applications they need to access. The organization’s security policy requires staff to change their password every 90 days.
The Oracle identity management system has introduced access protocols at HKHS that have improved overall security. For example, it records every access request, allowing senior IT managers to ensure IT staff follows access authorization procedures. All errors or issues can be traced back to the source.
Another example of improved security is first-time password delivery. Previously, the organization had one default, first-time password. Now, first-time passwords are automatically generated and each one is unique, reducing security risks.
Audit reports generated by the system are submitted to an internal audit and governance committee, as well as external auditors. “The reports enable us to show our audit and governance committee that the IT team is enforcing and complying with corporate security policies,” said Lau.
HKHS intends to implement a Service-Oriented Architecture, having purchased Oracle SOA Suite in preparation for this move. According to Fong, the Oracle identity management system will constitute a very critical part of the organization’s SOA.
“We need access control for every Web service module and intend to use Oracle Identity Management to expose our infrastructure to Web services,” she said. “We have already used Oracle Service Registry to make Web services available under policies established in Oracle Web Services Manager.
“To strengthen SOA governance in relation to security, we also piloted authentication and authorization services based on user profiles and policy rules using Oracle Web Services Manager and Oracle Internet Directory. This has improved the traceability and maintainability of the services access control, and will result in a stronger foundation for SOA governance.”
Oracle Identity Management solutions were chosen mainly because they supported HKHS’s SOA ambitions.
“A truly comprehensive, integrated identity management solution is a critical success factor for any organization seeking to improve the maturity levels of its enterprise security framework and its service delivery―both internally and externally,” said Peter Miao, head of IT at the Hong Kong Housing Society. “The completion of this extensive and extremely complex project is a major achievement. The benefits are already making an impact on our daily operations.”
As an Oracle user, it also made sense for HKHS to select identity management solutions from the same vendor. “Choosing Oracle would make it easy for us to integrate identity management with our Oracle Database and JD Edwards EnterpriseOne and PeopleSoft Enterprise applications,” said Fong. “This was important as most of the integration involved extracting information from the Oracle Database, particularly the central user repository. Oracle’s complete suite of middleware eliminated risk and helped speed up implementation time.”
“Oracle Identity Manager and Oracle Access Manager provide us with an array of reports that vastly strengthen our compliance and IT governance capabilities,” said Lau. “It also simplified information security management and enhanced quality assurance activities.”
The Oracle Identity Management solution was deployed in three stages, beginning in 2007. In that year, HKHS designed and built a central user repository to provide a consolidated view of all its staff, listing their common and agreed attributes. Access rights would be granted, based on these attributes. It was completed in late 2008. Next was the single sign-on platform, built using Oracle Access Manager and launched in late 2009.
Work began on the final element―the user provisioning platform―in 2008, and it was completed in 2010. HKHS engaged HP to deliver this platform.