ING implemented Oracle Identity Manager and Oracle Identity Analytics to manage access to over 16,000 users and 16,000 applications. This replaced a homegrown system that did not scale. The implementation was phased, beginning with automating revokes on termination and password management. Later phases automated provisioning of base roles and application access based on roles. Role-based attestation improved on resource-based attestation. The platform approach reduced costs and improved auditability, compliance, and user experience versus disparate systems.
1. ING: Scaling Role Management and Access Certification to Thousands of Applications
Mark Robison, Enterprise Architect, ING
Neil Gandhi, Principal Product Manager, Oracle
2. This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
4. Agenda
• Business Drivers
• Implementation
• The Platform Approach
• Results & Lessons Learnt
• Use Cases & Deployment Synergies
• Q&A
5. ING Environment at a Glance
Oracle Access Manager
• Fortune Global 500
• Over 29 M customers
• Over 16K US employees*
• 600 attested resources
• Centralized Security
• Full Auditability
*Includes managed contractors
6. State of Business Prior to Implementation
Existing System – home grown and spreadsheet based
Project scope - Role Based
The problem of scale - 520 critical apps
Disparate systems – No single audit source
Key stakeholders – LoB, Security (CSO), IT
7. Business Drivers for ING
Regulatory Compliance
• Scaling compliance across applications & users
Operational Efficiency
• Reduce redundant effort, administrative overhead
Personalized User Experience
• Improve user productivity, SLA
Risk Mitigation
• Close security gaps with instant and accurate user account/lifecycle management
8. ING IAM Implementation
Current Scope
• Internal users
• User Population: 16K
• Initial focus on 520 SOX-critical applications
Immediate Goals
• Replace home grown system for scale, efficiency
• Single Platform to handle access management
Key Features
• Roles based
• Automatic user access attestation on transfer
• Integration with Oracle Identity Manager (OIM) for full lifecycle management
9. Phase-In Approach at ING
Perimeter Security Revokes (OIM) – 2009
• Automate the revoke of key perimeter security access for all employees that are terminated
  • PeopleSoft HR is the triggering system
  • Network access (Active Directory)
  • Email (Exchange)
  • RACF (Mainframe)
• Benefits
  • Real-time account disable on termination event
Password Management (Oracle ESSO) – 2007
• Provide a mechanism for end users to have a single login for multiple applications
• Provide for self-service password resets – 12/2010
• Benefits
  • User does not have to memorize multiple credentials
  • Reduced calls to help desk for password resets (40% reduction)
Retirement - Insurance - Investments 9
10. Phase-In Approach at ING
Access Attestation (OIA) – 11/1/2010
• Replaced custom developed attestation program with the OIA product
• Provides quarterly manager-based review of each employee’s application access
• Currently supports over 600 application feeds (520 SOX critical)
• Integrated with PeopleSoft HR and Service-Now (Help Tickets and Configuration Management Database)
• Provides an immediate manager review process for an employee’s application access on an employee transfer event
• Benefits
  • Easier attestation experience for managers
  • Audit compliance
Base Role Access (OIM) – 12/15/2010
• Automate Base Role Access on New Hire event from HR
  • Active Directory, Exchange, Ariba (Procurement), Service-Now (Help Desk, CMDB), Clarity (Time Tracking), PeopleSoft HR (Benefits, Pay), ESSO, etc.
• Benefits
  • Standardization of user setup
  • Reduced new hire provisioning time (from 7 days to instant)
11. Phase-In Approach at ING
Simple AD Application Access (OIM) – 3/1/2011
• Automate simple AD-security-based applications and integrate with Service-Now for manager-requested provisioning
• Benefits
  • Consistent, timely provisioning
  • Reduction of Security Fulfillment Staff (10 consultants)
Implementation of ING Contact Centers (OIA and OIM) – 2011
• Develop Role Matrix for all contact center staff
• Identify and integrate all applications into the new provisioning process
  • Where cost effective & technically viable, applications are automatically provisioned using OIM
  • All other applications will be manually provisioned (from OIM) by integrating OIM with the Service-Now Help Desk ticketing system
Implementation of all ING Business Units (OIA and OIM) – 2012+
• Develop Role Matrix for all other organizations
• Identify and integrate all applications into the new provisioning process
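The three phases above all hang off the same HR-triggered lifecycle (new hire, transfer, termination). The following is an added, hypothetical model of that flow, not code from the deck or from Oracle Identity Manager; the target names come from slides 9 and 10, while the event names, the Identity class and the audit-trail shape are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Targets granted as Base Role Access on a New Hire event (slide 10 of the deck).
BASE_ROLE_TARGETS = ["Active Directory", "Exchange", "Ariba", "Service-Now",
                     "Clarity", "PeopleSoft HR", "ESSO"]
# Perimeter targets disabled first, in real time, on a Termination event (slide 9).
PERIMETER_TARGETS = ["Active Directory", "Exchange", "RACF"]

@dataclass
class Identity:
    user_id: str
    manager: str
    accounts: dict = field(default_factory=dict)       # target -> "active" | "disabled"
    review_queue: list = field(default_factory=list)   # manager attestation tasks (mover)
    audit: list = field(default_factory=list)          # (action, detail) trail for auditors

def active_targets(identity):
    """Targets on which the identity currently holds an enabled account."""
    return sorted(t for t, state in identity.accounts.items() if state == "active")

def handle_hr_event(identity, event, new_manager=None):
    """Map a PeopleSoft HR event (joiner/mover/leaver) to provisioning actions.

    Every action is appended to one audit trail, so a single source answers
    'who had what, when, and why' (the deck's 'no single audit source' problem).
    Event names are assumptions made for this example.
    """
    if event == "NEW_HIRE":
        for target in BASE_ROLE_TARGETS:
            identity.accounts[target] = "active"
            identity.audit.append(("provision", target))
    elif event == "TRANSFER":
        # Mover: access is kept, but the new manager must review it immediately.
        identity.manager = new_manager
        identity.review_queue.append({"reviewer": new_manager,
                                      "access": active_targets(identity)})
        identity.audit.append(("attest", new_manager))
    elif event == "TERMINATION":
        # Leaver: perimeter access goes first, then every remaining account.
        ordered = PERIMETER_TARGETS + [t for t in identity.accounts
                                       if t not in PERIMETER_TARGETS]
        for target in ordered:
            if identity.accounts.get(target) == "active":
                identity.accounts[target] = "disabled"
                identity.audit.append(("disable", target))
    else:
        raise ValueError(f"unknown HR event: {event}")
    return identity
```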
12. Methods of Attestation – Initial Method with OIA
• Resource Based Attestation
  • Manager must attest to all employees’ access in all applications
  • Results in many attestation reports per manager
  • Manager does not “know” if level of access is appropriate
  • Encourages “rubber stamping”
[Diagram: Manager → Employees → Applications (Application A, Platform B, Application C, System D)]
13. Methods of Attestation – Future Plan with OIA
• Role Based Attestation
  • A Business Role defines what IT roles a user should have to perform only their specific job function
  • IT Roles determine the level of access required within an application/platform
  • Manager attests that employees are in the correct Business Role
  • Business Role Owner attests that the IT roles make up the correct access needed to perform the job function
  • IT Role Owner attests that the correct application entitlements are set in the IT role
[Diagram: Manager → Employees → Business Roles (attested by Business Role Owners) → IT Roles (Role A, Role B, Role C) → Applications (Application A, Platform B, Application C, System D)]
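To make the difference between the two methods concrete, here is an added example (not from the deck, and not Oracle Identity Analytics code) that models the slide 13 chain with constructed data: it counts the review items that land on one manager under the resource-based method versus the role-based split across manager, Business Role Owner and IT Role Owner, and adds the out-of-role check that feeds the closed-loop remediation mentioned on slide 17. Employee, role-owner and entitlement names are all assumptions.

```python
from collections import defaultdict

# Constructed sample data modelled on slide 13: employee -> (manager, business role),
# business role -> IT roles, IT role -> {application: entitlement}, and role owners.
EMPLOYEES = {"e1": ("mgr1", "Teller"), "e2": ("mgr1", "Teller"),
             "e3": ("mgr1", "Loan Officer")}
BUSINESS_ROLES = {"Teller": ["Role A", "Role B"], "Loan Officer": ["Role A", "Role C"]}
IT_ROLES = {"Role A": {"Application A": "read", "System D": "user"},
            "Role B": {"Application C": "user"},
            "Role C": {"Application A": "write", "System D": "approver"}}
ROLE_OWNERS = {"Teller": "bro1", "Loan Officer": "bro1",                 # business role owners
               "Role A": "itro1", "Role B": "itro2", "Role C": "itro2"}  # IT role owners

def expected_entitlements(employee):
    """(application, level) pairs the employee should hold, derived through the role chain."""
    _, business_role = EMPLOYEES[employee]
    return {(app, level) for it_role in BUSINESS_ROLES[business_role]
            for app, level in IT_ROLES[it_role].items()}

def resource_based_tasks():
    """Slide 12: one review line per employee per entitlement, all on the manager's desk."""
    tasks = defaultdict(list)
    for emp, (mgr, _) in EMPLOYEES.items():
        for app, level in sorted(expected_entitlements(emp)):
            tasks[mgr].append((emp, app, level))
    return dict(tasks)

def role_based_tasks():
    """Slide 13: three short reviews, each routed to the person able to judge it."""
    tasks = defaultdict(list)
    for emp, (mgr, brole) in EMPLOYEES.items():            # manager: right business role?
        tasks[mgr].append(("employee_in_business_role", emp, brole))
    for brole, it_roles in BUSINESS_ROLES.items():          # business role owner: right IT roles?
        for it_role in it_roles:
            tasks[ROLE_OWNERS[brole]].append(("it_role_in_business_role", brole, it_role))
    for it_role, ents in IT_ROLES.items():                  # IT role owner: right entitlements?
        for app, level in sorted(ents.items()):
            tasks[ROLE_OWNERS[it_role]].append(("entitlement_in_it_role", it_role, app, level))
    return dict(tasks)

def out_of_role_access(actual):
    """Closed-loop remediation input: held entitlements that no assigned role explains."""
    findings = {}
    for emp, held in actual.items():
        extra = set(held) - expected_entitlements(emp)
        if extra:
            findings[emp] = sorted(extra)
    return findings
```

With this data the manager reviews 10 lines under the resource-based method but only 3 under the role-based one; the remaining checks move to owners who know what the roles should contain.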
14. The Bigger Picture
Oracle Identity Analytics (OIA), Oracle Identity Manager (OIM), and Oracle Enterprise Single Sign-On (OESSO) provide a comprehensive and integrated suite of products that allow ING to effectively manage identity and access management.
The applications are game changers that have greatly enhanced ING’s Operational Efficiency.
15. Down The Road: Future Plans & Drivers
Increase Automated Provisioning
• Custom Connectors to Applications
Extend Scope to External Identities – Customers
• Provisioning/Attestations
Expand Identity Warehouse
• Support Additional Feeds
16. OIM and OIA Synergies at ING
OIA – The BRAINS
• Allows Modeling of roles
• Supports user attestation
• Supports Segregation of Duty checks
OIM – The MUSCLE
• Provisioning and Deprovisioning engine
• Access Reconciliation
• Identity Data Warehouse
17. ING Business Value
• The time to get new employees access to all required applications is reduced (<24 hours).
• The process of user access review is simplified (Role Based).
• Closed Loop Remediation on attestation is accomplished using OIA and OIM.
• IT / Application roles are clearly defined, including the specific IT entitlements, so error rates and re-work efforts are significantly reduced.
• Where feasible, applications are automatically provisioned, based on pre-approved business & application roles, to reduce fulfillment time and errors.
• Reporting and fulfillment validation capabilities provide more complete audit options while reducing the associated costs.
• Separation of Duties conflicts are easier to manage.
• Can manage the lifecycle of an identity from new hire, transfer, to termination.
18. Implementation Lessons Learned
Executive Sponsorship
• IAM (Identity and Access Management) implementation projects cross organizational boundaries and require strong sponsorship to set direction and priorities
• A governance function with engaged stakeholders from management, business, and Information Technology is challenging to establish, but vital for the long term
Business Focus
• Achieve clarity on the business challenges being addressed by the IAM solution
• Identify business drivers – Compliance, Risk Management, Cost Control, Business Facilitation – based upon enterprise needs and determine priority with stakeholders
Change Leadership
• Obtaining organizational buy-in for moving from application-specific to enterprise identity and access management is an exercise in diplomacy
• Provisioning project spans the whole organization – 75% Process + 25% Technology
• Curb your enthusiasm – don’t over-scope your Phase 1 implementation
Value Delivery
• Initial IAM projects should deliver "quick wins" to build business support for continuing the IAM program
• The “big-bang” implementation approach is unlikely to build the stakeholder trust and involvement required for continuing along the IAM maturity curve
19. Implementation Lessons Learned
Non Production Target Environments
• To reduce risk and avoid testing in production, non-production target environments are required to test connectors (AD, Exchange, RACF)
• It is critical for non-production target environments to have the same data and schema as the production target environments
Standard User ID
• Account ID format conventions in use could present challenges or constraints on uniqueness, consistency, and ease of remembering
• Opportune time to standardize the login ID
• May require multiple standards based on platform limitations; a handful of standard patterns are better than free form
Technology Integration
• Determine point of diminishing returns for automated and manual processes
• Pilot the implementation to prove the solution
• Implement the solution by delivering in phases (top value first)
• Test performance and functionality
IAM Experience
• IAM projects have unique characteristics, so domain experience is vital
• IAM projects are complex and demand effective managers who can not only track schedule and budget, but effectively communicate with a diverse set of stakeholders and make sure everyone is pulling in the same direction
21. Oracle Identity Manager – Oracle Identity Analytics Use Cases
• Key front-office features automation:
  • Access Request & Access Certification
  • Cross-product knowledge of common identity data and policies
  • Role-based User Administration
  • Preventative Separation of Duties (SoD) Enforcement
  • User Risk Aggregation and Auditing
  • Analytics and Reporting
22. Oracle Identity Manager – Oracle Identity Analytics Unique Value Proposition
[Diagram: User On-boarding, User Access Change, User Off-board, SOD Checking, Aggregate Risk Score]
• Access Request and Access Certification Automation
• Risk Aggregation throughout User Lifecycle
• Scales & expedites certification process
• Builds in accuracy
• Closed-Loop Remediation
• Streamlined User, Role Management
23. Platform Reduces Cost vs. Point Solutions
46% Cost Savings (Source: Aberdeen “Analyzing point solutions vs. platform”, 2011)
Benefits – Oracle IAM Suite Advantage
Increased End-User Productivity
• Emergency Access – 11% faster
• End-user Self Service – 30% faster
Reduced Risk
• Suspend/revoke/de-provision end user access – 46% faster
Enhanced Agility
• Integrate a new app faster with the IAM infrastructure – 64% faster
• Integrate a new end user role faster into the solution – 73% faster
Enhanced Security and Compliance
• Reduces unauthorized access – 14% fewer
• Reduces audit deficiencies – 35% fewer
Reduced Total Cost
• Reduces total cost of IAM initiatives – 48% lower
Callouts: 48% More Responsive; 35% Fewer Audit Deficiencies
24. Oracle Identity Management Platform
Complete, Innovative and Inter-operable
Identity Administration, Governance
• Password Management
• Self-Service Request & Approval
• Roles based User Provisioning
• Analytics, Policy Monitoring
• Risk-based Access Certification
Access Management
• Single Sign-On & Federation
• Web Services Security
• Authentication & Fraud Prevention
• Authorization & Entitlements
• Access from Mobile Devices
Directory Services
• LDAP Storage
• Virtualized Identity Access
• LDAP Synchronization
• Next Generation (Java) Directory
Platform Security Services
Identity Services for Developers
26. Aberdeen Online Identity Assessment
Benchmark Your Identity & Access Program
www.oracle.com/Identity
27. Aberdeen Group Event Series
Featuring Analyst Derek Brink
• Chicago – April 10th
• New York – April 12th
• Toronto – April 17th
• Boston – April 19th
• San Francisco – May 22nd
28. Live Platform Webcast Series
Customers Discussing Results of Platform Approach
• Platform Best Practices – Agilent Technologies – February 15th 2012 (Replay available)
• Cisco’s Platform Approach – Cisco Systems – March 14th 2012
• Platform for Compliance – ING Bank – April 11th 2012
• Platform Business Enabler – Toyota Motors – May 30th 2012
Register at: www.oracle.com/identity
29. Identity Management at COLLABORATE 12
Deep Dive, User-Driven Sessions, and More
Register at: http://w3.ioug.org/C12IM
• April 22 – 26, Las Vegas
• Sunday, Apr 22, 9 am – 3 pm: Security and Compliance for your Oracle Systems
• Multiple Security, Identity Management sessions (Keyword search: Identity Management)