Identity Management and Data Security

Identity Management and Data Security. Richard Schad Senior Director Oracle Technology Business Unit. Agenda. How big is the Higher Ed IDM problem? What is Oracle doing? What are universities doing? What is next? Identity Management overview. There is a growing problem in Higher Ed.


Presentation Transcript


  1. Identity Management and Data Security Richard Schad Senior Director Oracle Technology Business Unit

  2. Agenda • How big is the Higher Ed IDM problem? • What is Oracle doing? • What are universities doing? • What is next? • Identity Management overview

  3. There is a growing problem in Higher Ed 50% of all reported breaches since Feb. 2005… …were at colleges and universities!! UCLA - 800,000 identities Texas – 200,000 identities San Diego State – 178,000 identities Ohio University – 137,000 identities …over 4 Million IDs

  4. The Case for Doing the Right Things Right Now: Top Ten IT Issues in Higher Education • 2006: Security and Identity Management; Funding IT; Administrative/ERP/Information Systems; Disaster Recovery/Business Continuity; Faculty Development, Support, and Training; Infrastructure; Strategic Planning; Governance, Organization, and Leadership; Course/Learning Management Systems; Web Systems and Services • 2007: Funding IT; Security; Administrative/ERP/Information Systems; Identity/Access Management; Disaster Recovery/Business Continuity; Faculty Development, Support, and Training; Infrastructure; Strategic Planning; Course/Learning Management Systems; Governance, Organization, and Leadership • Sources: Top-Ten IT Issues, 2006, May/June 2006, Educause Review; Top-Ten IT Issues, 2007, May/June 2007, Educause Review

  5. Why are Universities Being Targeted? “Why do you rob banks? Because that is where the money is!” • Profit = Rev ($10 per identity) – Cost to acquire • Fertile Environment Characteristics: • Abundance of Personally Identifiable Information (PII) • Quality of Information • Identities good for many years and likely have strong credit • Rich PCI data • Not difficult to access • Open & Decentralized environment with limited budgets for security • Often lower cost and more fluid IT employees

  6. The Value of Risk Reduction was Determined by Considering the Losses Incurred by Others. A Security Breach Can Cost Millions Best Case (Thousands) • Embarrassment • Notification, credit watch • Disciplined staff • Executive time Worst Case (Millions) • Lost funding (Alumni, Grants) • Millions in legal fees • Notification, credit watch, etc. • Terminated executives “Expenses average more than $10 per individual whose personal data have been exposed” AIG – Chronicle of Higher Education October 13, 2006 Source: The security breach data listed on this slide is publicly available at www.privacyrights.org

  7. What is Oracle doing?

  8. Ask yourself… “Are higher education institutions doing all that can be done to safeguard the personal data of their students, employees, and customers? And, when breaches do occur, are the universities doing everything they're supposed to be doing?” --Campus Technology, April 2007 Source: David Nagel, "Once More unto the Breach," Campus Technology, 4/13/2007, http://www.campustechnology/article.aspx?aid=46725

  9. Oracle’s Roadmap to Campus Security Engagement Outputs Engagement Overview • Summary findings delivered in an executive level presentation • Detailed recommendations in an enterprise level roadmap • High level business metrics • 3-5 day collaborative process • Involves both IT and business • A view into industry best practices around security and compliance • Mapping institution’s processes and technologies against IT compliance standards

  10. What are our universities doing?

  11. Key Findings from Universities • Provisioning & deprovisioning are painful and incomplete • Examples: new medical staff, deceased users. • SSNs are everywhere • Even simple protective steps are slow to be adopted: • 55% use strong passwords • Less than a third use multifactor authentication. • Unstructured data issues (fileshares, laptops, etc) • Difficulties with the Business Case for IDM • Some non-IT sponsorship and funding increases chance of success for IDM initiatives

  12. Recommended Actions: PPP People, Processes & Policies: • Complete university wide identity inventory • Develop an identity data ownership/stewardship policy – less than half of universities have done this • Document and institutionalize hierarchies for various workflows, e.g. approvals • Create/strengthen access and data sharing policy • Develop rationalized and standardized business processes

  13. Recommended Actions: Technology Technology & Data: • Implement a provisioning system • Standardize on common, robust access management and password (SSO) systems • SSN remediation - “Secure SSN Vault” • Leverage workflow technology • Encrypt and secure confidential data • Standardize/rationalize role & attribute data to support access • Incremental improvements will demonstrate successful impact and business benefit

  14. Initiative Analysis & Prioritization [Chart: initiatives numbered 1–10 plotted by Value against Complexity, grouped into “Targets” and “Secondary Targets”] Initiatives: • Implement user provisioning (phased approach) • Implement user provisioning (campus-wide) • Remediate SSN use • Audit reporting • SSO (ESSO) • Workflow • Common university-wide roles and attributes • Directory consolidation • Virtual directory • Federation

  15. What’s Next: Key Areas of Focus Collaborative Research Globalization Rising User Expectations Federation Sharing ID Across Institutions Attestation Unstructured Data Problem

  16. What our customers are saying… “Boise State is currently reviewing policies, procedures and practices associated with its online business processes. To assure a new, unbiased and knowledgeable eye during this review, the university has tapped the expertise from one of its technology partners. Oracle's Insight Program brings experienced and knowledgeable issue specific experts to the table. No sales pitch. No product bias. Just sound logic and process assessments with clear understandable recommendations. This is what good technology advice and counseling is all about.” --David O’Neill, CIO, Boise State

  17. What our customers are saying… “I have read many audits and other security-related reports in the past, the one your team has put together is the best I have seen for providing a clear and specific roadmap to improving data security. Our team will use your report as the basis of an action plan that, when completed, will certainly reduce our exposure to a variety of threats. You clearly listened to our concerns and the report is a reflection of that.” --Rich Fagen, CIO, Cal Tech

  18. What does Oracle provide?

  19. What is Identity Management? “Identity management refers to the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities” --the Burton Group

  20. Oracle’s Security Strategy • Complete, unified security solution • No point product integration required • Common security across applications and data • Protecting business processes and web services (SOA) • Protecting data in transit and at rest • Protecting against internal and external threats • Hot-pluggable • Standards-based • Works across leading applications, web servers, application servers, portals, databases, and other IT systems

  21. Identity Management is an Enterprise Architecture External Internal SOA Applications Customers Partners IT Staff Employees Identity Management Service Access Management Identity Administration Auditing and Reporting Monitoring and Management Workflow & Orchestration Data Abstraction Layer Directory Services Identity Provisioning Applications Systems & Repositories JDE SAP CRM OS (Unix) HR Mainframe NOS/Directories

  22. Identity & Access Mgmt. Functions Access Control Identity Administration Directory Services Authentication & Authorization Single-Sign-On Federation Provisioning Identity Lifecycle Administration Role & Membership Administration Compliance Automation Virtualization Synchronization

  23. Access Control • Authentication – Who are you? • Multiple factors to verify identity • Password, Smart Card, tokens, Kerberos, PKI, biometrics, … • Authorization – What are you allowed to access? • Allow access to authorized resources only • Enforce authorization policies at all levels • Federation – Access across identity domains • Establish trust between identity provider + service provider • Goal of seamless SSO between business partners

  24. Identity Administration • Identity lifecycle administration • Manage add → change → suspend → reactivate lifecycle • Self service and delegated administration • Role and membership administration • Static and dynamic memberships • Enable role and attribute based process automation • Provisioning • Manage and police application entitlements • Automate approval and provisioning workflows • Compliance automation • Periodic attestation of roles, entitlement, and control mechanisms • Segregation of duties monitoring and enforcement

  25. Directory Services • Virtualization • Rapid identity data integration and application development • Enhance identity data integrity • Synchronization • Entity level synchronization between directories • Precise control of data to synchronize

  26. Open Standards Based • Identity Management Standards • SAML XACML Liberty ID-FF SPML WS-Fed X.509, etc. • Security Standards • XKMS XML-SIG PKCS WSS XML-ENC TLS PKI SSL S/MIME LDAP Kerberos etc. • Platform and Integration Standards • WSDL SOAP WSRP Oracle Jdeveloper JSR-115 Oracle BPEL Designer JCP Oracle TopLink and ADF • Web Services Standards • WS-Security WS-Policy WS-Fed WS-Trust

  27. Q & A

  28. APPENDIX A: Oracle Identity Management Suite

  29. Most Comprehensive, Best-In-Class Suite • Hot-pluggable and Open • Application Centric Identity Management Oracle Identity Management

  30. April ‘06 Gartner Magic Quadrant

  31. Heterogeneous Support Portals Application/Web Servers Groupware Applications Directories Operating Systems

  32. Open Standards Based • Identity Management Standards • SAML XACML Liberty ID-FF SPML WS-Fed X.509, etc. • Security Standards • XKMS XML-SIG PKCS WSS XML-ENC TLS PKI SSL S/MIME LDAP Kerberos etc. • Platform and Integration Standards • WSDL SOAP WSRP Oracle Jdeveloper JSR-115 Oracle BPEL Designer JCP Oracle TopLink and ADF • Web Services Standards • WS-Security WS-Policy WS-Fed WS-Trust
