Merck & Co Adopts Federated Identity Management Model to Streamline Authorized Access to Applications While Ensuring Security and Compliance
 
Oracle 1-800-633-0738
Find an Oracle Specialized Partner
Oracle Customer Programs
 
 

Merck & Co Adopts Federated Identity Management Model to Streamline Authorized Access to Applications While Ensuring Security and Compliance

  • Oracle Customer:  Merck & Co., Inc.
    Location:  Whitehouse Station, New Jersey
    Industry:  Life Sciences
    Employees:  86,000
    Annual Revenue:  Over $5 Billion

One of the world’s largest pharmaceutical companies, Merck & Co., Inc. discovers, develops, manufactures, and markets a broad range of innovative products to improve human and animal health, directly and through its joint ventures. At the heart of Merck’s operations are thousands of researchers and scientists who invent, develop, and test new pharmaceutical products in a network of laboratories around the world.

As a pharmaceutical company, Merck operates in a highly regulated environment. As such, it must ensure that its employees, as well as other partners, can access the resources that they need to conduct research, while maintaining the ability to prevent unauthorized access to sensitive information and deprovision employees rapidly when needed, such as following completion of a research initiative. Merck required an identity management system that could simplify the access management process for 160,000 internal users and approximately 90,000 external users.

Merck selected Oracle Identity Management 11g and Oracle Identity Governance Suite to help the IT department establish a centralized, repeatable federated identity management service that not only effectively provisions access to Merck’s extensive Web-based research applications but also enables security professionals to easily control and audit which users can access which resources at which times to ensure compliance with various regulatory mandates, such as the Health Insurance Portability and Accountability Act (HIPAA).

The company also created a foundation for a paradigm shift in its approach to identity and access management. With Oracle Identity Management 11g Release 2 the company hopes to launch a business-centric approach to identity management and access control that will enable users to select the entitlements they need, put them in an electronic shopping cart, and check out. The system will enable users to view only entitlements for which they are authorized, based on their roles and responsibilities.

 
 

 
 

Challenges

A word from Merck & Co., Inc.

  • “Compliance is all about demonstrating that you have control of your world. With Oracle Identity Management 11g, we have taken big steps forward when it comes to managing privileged accounts. Oracle streamlines the process for accepting trusted identities and granting access to target applications in a very holistic way.” – Keith Respass, Director, Identity and Access Management Center of Excellence, Merck & Co., Inc.

  • Maintain constant control over user access to the company’s Web-based life sciences research applications and data assets to ensure compliance with HIPAA and other industry regulations designed to ensure the privacy of patent data
  • Provide authorized researchers and clinicians with access to information when they need it to support research and development (R&D) productivity
  • Enable industry partners to gain access to job-specific information while ensuring information security
  • Ensure a sustainable identity and access management strategy as the company migrates from Oracle’s Sun identity management platform to newer Oracle technology

Solutions

  • Deployed Oracle Identity Management 11g to enhance identity management and access control for Merck’s 160,000 internal users, outbound credentials for hosted applications in the cloud, and inbound credentials for its approximately 90,000 external users
  • Implemented privileged account management capabilities—including a password checkout system for root, database, and application accounts—while ensuring compliance to HIPAA patient data protection standards
  • Improved ability to efficiently manage authorization with automated entitlement reviews that identify individuals who no longer need access to a research application or data asset, as well as auto expiration capabilities
  • Streamlined the process for accepting trusted identities and granting access to target applications, accelerating access for researchers and supporting objectives to improve R&D productivity
  • Provided business managers with control over their domains to make entitlement decisions in a timely and efficient manner, while meeting compliance requirements
  • Allowed third-party users to directly request access and permissions through the Oracle environment—enabling quicker information access and capabilities that facilitate collaboration
  • Utilized Oracle Identity Governance Suite to better understand which users need which privileges, allowing Merck to create preset roles and identities for users to seamlessly pick up when they join a specific team or clinical environment
  • Created a foundation for a business-centric approach to identity and access management with Oracle Identity Management 11g Release 2, which will enable users to select the entitlements they need from a catalog of pre-authorized entitlements, put them in an electronic shopping cart, and check out rapidly
  • Gained a coexistence path so that Merck can continue to use Oracle’s Sun identity management solutions while it upgrade to newer Oracle technology, as Oracle Identity Management recognizes the Sun protocols―allowing the company to keep the same plug-ins and intercept user calls to applications, and the same checks to the policy engine