Bridging the Cloud Sign-On Gap

Kuppinger Cole Webinar
Bridging the Cloud Sign-On Gap
Sebastian Rohr, Kuppinger Cole
sr@kuppingercole.com
Matt Berzinski, Oracle
matthew.berzinski@oracle.com
February 9th, 2012
This Webinar is supported by

2 © Kuppinger Cole 2012
• Call for Speakers: http://www.id-conf.com/events/eic2012/callforspeakers
• Propose your project for the European Identity Awards: http://www.id-
conf.com/events/eic2012/award
• Become an Event Partner: bb@kuppingercole.com
• 500+ delegates
• 50+ Partners and Exhibitors
• 4 Session Tracks
• 100+ Speakers
Educate.Innovate.Connect.

Some guidelines for the Webinar
You are muted centrally. You don‘t have to mute/unmute
yourself – we control the mute/unmute features
We will record the Webinar – the podcast recording will be
available tomorrow
Q+A will be at the end – you can ask questions using the Q+A
tool anytime which we will pick at the end or, if appropriate,
during the Webinar
© Kuppinger Cole 20123

• Sign-on (and other) challenges in internal IT
• Reaching out for/to the cloud
• Specific issues around hybrid deployments
Part 1:
Presentation by
Sebastian Rohr
• How to „Bridge the Gap“
• Tackling sign-on, authorization and governance
• Extending the reach of internal solutions
Part 2:
Presentation by
Matt Berzinski
• Additional Questions can be placed using the
GoToWebinar Tool – area „Questions“
Part 3:
Discussion
4
Bridging the Cloud Sign-On Gap–
Extend your Enterprise SSO reach to the Cloud

Business just wants
the services they
need to do their job
and to keep corporate
information protected
adequately (hopefully)
5
What business really wants:
Service delivery and Information Security

IT Technology & Delivery
Centralized Mainframe
1980 1990 2000 2010 20201970
MidSize
Client/Server Web
1960
Client Server
In-house
In-house
In-house
Outsourced
Hosting
Outsourced
ASP Web
Managed
Service
as-a-Service
SW-
Platform-
Infrastr.-
In-house/outsourced

Serving demand with a mix of Cloud and “classic” services
Offering adaptable Strong Authentication
Safeguarding Audit Trails in all delivery methods
Staying in Compliance with (multiple) Legislations/Regulations
Providing reliable & authentic Billing/Accounting information
Providing proper means of Access Control to sensitive data
7
Challenges your IT faces today

With kind permission by E. von Faber 8
Serving IT demand with a Cloud-Mix
Distributed, scalable
Cloud-Computing
ERP, CRM, SCM, Office etc.
Software-as-a-Service
RTE (i.e. .Net, Java), Database
Platform-as-a-Service
Systems in remote Datacenter
Hosting
Maintenance, Configuration Changes
Managed Services
Remote Monitoring Service
Monitoring & Support
Hardware, MIPS, Memory
Infrastruct.-as-a-Serv.
Application
Plattform:RTE,DB
Hardware,Infrastructure
Datacenter+Network
shared
dedicated
DCof
Customer
OneDCofService
PoviderMulti-DC
(distributed)
OnetoOneOnetoMany
Control/Knowledge
AttackVectors/Threats
+
–
–
+

Offering Strong Authentication
Username/Password are all over the place
• Hard to remember (the plethora)
• Not always secure enough – other methods needed!
• Two-factor Auth & Strong Auth often a requirement
• Not every internal app can use 2FA/SA natively
• Even harder for (multiple) Cloud services
• Context-aware Auth often not available (XACML)
• „Step-up“ Auth not supported by Cloud Service

Safeguarding Audit Trails
• Hard enough to tell in internal apps
• Keeping track of a Access Rights & Permissions
Who did
what?
• Webservices/WebGUI
• Fat Client
By which
means?
• Workflows established?
• Role-model and „need-to-know“
Who
requested it?
• Multi-approver support in work-flows
• Re-Certification of once deployed permissions
Who
authorized it?
Get that for your Cloud-Services! At least partially…

• National laws & regulations
• Regional laws & regulations
Where do you
do business?
• Healthcare
• Food/Pharmaceutical
• Financial…
In which
verticals?
• Do you need to know where your data is located?
• Do you need to keep your data in your country?
Special
Requirements
• Safeguarding compliance through central logs
• Probably establish SIEM with specific filters
How to keep
track?
11
Staying in Compliance

Many internal IT services are paid „by consumption“
Number of transactions processed
Time spent „using“ the service
Processing cycles, bandwidth or memory used
How to make that available to other departments?
12
Providing usage based invoicing

Proper means of Access Control
• Needs some legal clarification beforehand
• Relatively complex to establish
Federation
• Not feasible with „real“ Cloud Services
• Too much technical effort & risk (trust, legal)
Direct
integration
• Easier to establish/extend
• Easier to „tear down“ and maintain
Web Access
Management
• Quick & easy to extend
• Good manageability
• Often times already proven deployment
Enterprise
SSO

Using Hybrid Cloud Deployments
Challenges
 May add Complexity
 May tamper with Security
 Will provide Elasticity
 Impacts Networking
– Discovery
– Communication
– Latency
– Availability
Recommendations
 Stay secure from the start
– Create proper process, then
– Build on trusted technology
– No „experiments“, please!
 If possible, Federate (later)
 Extend your enterprise
security architecture & tools
 Remain in control
 Maintain Know-How inside

Touch-Points – do NOT re-invent!
What you need
 Strong Authentication
 Proper Audit trails
 Accounting/Invoicing
 Governance + Risk Mgmnt.
 Provisioning
 Access Control
Where to get it
 Re-use internal Auth + SSO
 Re-use internal Access Control
 internal Auth + Access Control
 above + internal GRC + add-in
 Extend internal IdM tools
 See above, but: do not forget
Cloud-PAM!
And now let´s see how this could be achieved!

<Insert Picture Here>
Bridging the Sign-On Gap to the Cloud

17 Copyright © 2010, Oracle. Proprietary and Confidential
This document is for informational purposes. It is not a
commitment to deliver any material, code, or functionality, and
should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality
described in this document remains at the sole discretion of
Oracle. This document in any form, software or printed matter,
contains proprietary information that is the exclusive property of
Oracle. This document and information contained herein may not
be disclosed, copied, reproduced or distributed to anyone outside
Oracle without prior written consent of Oracle. This document is
not part of your license agreement nor can it be incorporated into
any contractual agreement with Oracle or its subsidiaries or
affiliates.

Cloud applications are proliferating
• More services being offered in a hosted manner
– CRM
– Personal Productivity Products
– Business Intelligence
• Provide many benefits to the organization
– No need to procure large and complex infrastructure
– No deployment or maintenance costs associated
– Provides easy access to information from anywhere

Drawbacks of cloud applications
• Add another set of credentials for users to maintain
• Securing access to those applications
– Federation can lead to more legal fees than IT fees
• Controlling access to only those who need it
– Changing roles
– Termination
• Auditing access to the application

Oracle ESSO Suite Plus
Solves Enterprise Access Challenges
ESSO Authentication
Manager
ESSO Provisioning
Gateway
ESSO Logon Manager
ESSO Password Reset
Sign-On ESSO Kiosk ManagerESSO Anywhere
ESSO Logon Manager
Sign-on

ESSO Logon Manager Overview

Access the cloud anytime,
from anywhere
Cloud Application

Provides a security challenge
Cloud Application

How to combat this?
Increase Security
– Strong Authentication
• Site Specific
• Not associated with
business
• Another infrastructure
to maintain
– Tougher Passwords
Decrease Productivity
– Loss of Strong
Authentication Device
– Forget Passwords
– Account Lockouts

ESSO LM Bridges the Sign On Gap
• Enforces strong password policies
• Optionally can generate random passwords not known by
users
Manage
Passwords
• Leverage corporate strong authentication deployment
• Challenge for re-authentication prior to providing credentials
to the application
Integrate
Strong Auth
• All logon events are audited and associated to an enterprise
user name
• Track all password change events to comply with security
• Generate reports showing inactive accounts
Ensure
Compliance

ESSO creates Strong Passwords
Randomly Generated Password look like this:

Controlling User’s Access
• More challenging then conventional applications
– Hosted applications can be accessed from anywhere
– Disabling network ID does not terminate application access
• ESSO LM does not allow user’s to reveal passwords
• This allows easy removal of access
– Disable windows account
– Remove SSO password through ESSO Provisioning Gateway

ESSO from Anywhere
Remote
PC ESSO-LM
Agent
Cloud Applications

ESSO Enables Cloud Apps
• Simplify access to hard to connect cloud applications
through ESSO
• Increase security by maintaining user’s password and
extending existing strong authentication
• Audit all access to the application for Regulatory
Compliance
• Enforce all policies from any computer with internet access
• Deliver ROI by terminated inactive accounts

• Established track record
– Passlogix Founded in 1996
– Oracle Acquired Passlogix in Oct 2010
– Proven history of success
• Market-leading
– 10’s of millions of licenses sold
– Thousands of enterprise customers
– 10,000’s of applications
– Customers with millions of employees
• Patented technology
– Provides fast deployment, quick ROI
– 2 US patents and 7 foreign, additional
pending
Why Oracle ESSO Suite?

Recognized Leadership
“The company goes around a problem .... It is far
different from thinking out of the box. It's refusing
to acknowledge that the box exists in the first
place.”
2011 ESSO Marketscope
“Passlogix provides an excellent, lightweight, low
maintenance SSO solution, suitable for deployments
of any scale … and it is seen as a “best of breed”
enterprise SSO product – the general good opinion in
which it is held …”
“Passlogix has some highly functional ESSO
technology … they often pioneer in the
market…”
100% of customers would buy it again
100% of customers would recommend it to a peer
100% of customers said Passlogix keeps all promises
71% ranked Passlogix as their Best or 2nd Best Vendor
Magic Quadrant Disclaimer: The Magic Quadrant is copyrighted by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner's analysis of how
certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors
placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any
warranties of merchantability or fitness for a particular purpose. The Magic Quadrant graphic was published by Gartner, Inc., as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is
available upon request from Oracle
RATING
Strong
Negative
Caution Promising Positive
Strong
Positive
ActivIdentity x
Avencis x
CA Technologies x
Evidian x
IBM x
Ilex x
Imprivata x
i-Sprint Innovations x
Microsoft x
NetIQ x
Oracle x
As of 20 September 2011

Deployed by Leading Customers
Financial Healthcare / Pharmaceuticals
Energy Government

34 Copyright © 2011, Oracle. All rights reserved
Oracle ESSO Suite Is Integrated with
Oracle IAM
OAM ESSO
OIM ESSO
ESSO ODS
• Single Sign-On from Desktop
to Web Apps and Cloud
• Single login to access
enterprise apps and OAM
protected web apps
• Integrated with industry
leading provisioning solution
• Integrated with Directory
Services
• Leverage existing investments
in directory servers

35 Copyright © 2011, Oracle. All rights reserved
Cost Benefits of Oracle ESSO Suite
• Organization with 7000 users
• 1 Password Reset per quarter/user
• Average helpdesk call $40 140%
12 months
Payback period
ROI
Source: ESSO Buyer’s Guide:, Sep 2011
Link: http://bit.ly/OperantConditioning

Enterprise
Extranet
Cloud/
Mobile
Tools Point Solutions Platform Intelligence
Identity
Authentication
Administration
Audit
Risk Management
Certify
Access for
Millions of
Users &
Entitlement
s
User
Lifecycle In
Hybrid/Clou
d
Environmen
ts
Access Via
Mobile &
Social
Channels
Authoritati
ve ID with
Massive
Scale
Monitor
Behavior &
Detect
Improper
Access
Oracle Provides an Evolved IDM
Platform

46%
Cost Savings
Source: Aberdeen “Analyzing point solutions vs. platform” 2011
Benefits
Oracle IAM Suite
Advantage
Increased End-User
Productivity
• Emergency Access
• End-user Self Service
• 11% faster
• 30% faster
Reduced Risk • Suspend/revoke/de-provision
end user access
• 46% faster
Enhanced Agility
• Integrate a new app faster with
the IAM infrastructure
• Integrate a new end user role
faster into the solution
• 64% faster
• 73% faster
Enhanced Security
and Compliance • Reduces unauthorized access
• Reduces audit deficiencies
• 14% fewer
• 35% fewer
Reduced Total Cost • Reduces total cost of IAM
initiatives
• 48% lower
48%
More
Responsive
35% Fewer Audit
Deficiencies
Oracle Platform Makes All the Difference

One Company, One Solution, One Stack
 Proven vendor
• Acquire and retain best of breed technology
and talent
• Battle-tested for large, mission-critical
applications
• Referenceable, award-winning customer
deployments
 Most complete and integrated best-of-
breed portfolio
• Service-Oriented Security
• Interoperable components
 Future proof investment
• Standards-based and hot pluggable for easy
integration
• Established deployment best practices
• Large implementation ecosystem

Learn More

Get a Jumpstart with Oracle Consulting Services
 Thought leaders that
provide customers
with tightly integrated,
comprehensive and
superior services as
part of the Oracle
brand
 Q2FY11 Forrester
Wave report rates
Oracle Consulting as
the leader
 World’s top experts in
User Life Cycle
Management
Pre-Install
• Oracle Identity
Management
Deployment
Strategy
• Oracle Identity
Management
Vendor
Transition
Strategy
Install
• ESSO
Quickstart
• Oracle Identity
Manager
Quickstart
• IDM
Virtualization
service
• Directory
Services
Quickstart
Post Install
• Oracle Directory
Services &
Identity
Management
Health Checks
• ESSO Health
Check

© 2010 Oracle Corporation – Proprietary and Confidential 41
Join the Oracle IDM Community
Oracle.com/identity
Twitter
twitter.com/OracleIDM
Facebook
facebook.com/OracleIDM
Oracle Identity Management blog
blogs.oracle.com/OracleIDM

Bridging the Cloud Sign-On Gap

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a Bridging the Cloud Sign-On Gap

Semelhante a Bridging the Cloud Sign-On Gap (20)

Mais de OracleIDM

Mais de OracleIDM (20)

Último

Último (20)

Bridging the Cloud Sign-On Gap

Notas do Editor