Archive for the ‘Usability’ Category

Do You Need To Reduce Your Audit Exposure?

August 31, 2011

Today, managers are overwhelmed by the sheer volume of certification reviews and are just certifying users without the appropriate level of attention or analytics. Without proper visibility into user access, managers are unable to perform accurate certification reviews and the result can have negative financial and security consequences. In addition, this results in organizations not being able to sustain a periodic attestation cycle to review user access rights across a wide range of business applications and platforms, thus failing audits. And yes folks, the “Audit Eye” is real! Check it out:

Dazed Manager

Find out how Oracle can help you keep up with audit requirements.


Slapping Funny This One

August 24, 2011

Funny or not, you tell me.


We have all been there! Too many passwords to remember is a bug we are all suffering from. From my first dog to my first friend in school, my grandmother, my son and everyone in between, they have all made their appearance on my passwords roll. Life was easy (albeit a lot less secure) when you could get away with just putting in the names. Now there needs to be a combination of letters, symbols, numbers and more. And, you have to change it every few weeks.  So, with a different password for each of the systems and applications, how many permutation-combinations are you dealing with? And did you know that a single call to the help desk can cost as much as $25 to reset passwords?

Stop the madness. Learn how Oracle can help. Register now for your complimentary guide to single sign-on salvation.

Oracle Identity Analytics 11g…all systems go!

Yesterday was a momentous day for the Oracle Identity Management team. With over 750 man months of development and 1300 man months of QA in this release, Oracle Identity Management 11g is a huge milestone! Oracle Identity Analytics 11g is our first official release with Oracle after the Sun acquisition and the smooth migration of the highly successful Sun Role Manager product, and we are proud to have this strategic product moving forward in the Identity and Access Governance marketplace. I will take the time to discuss some of the great architectural innovations in this release. Although the primary work was to assimilate Oracle Identity Analytics into the Oracle Identity Management portfolio, our product engineering team was still able to fit in some great new features, which I will address.

Oracle Identity Analytics gives enterprises the ability to engineer and manage roles, automates critical identity-based controls, and brings together Business Intelligence with enterprise security and access governance for cross-product identity analytics. The components of the product include:

1. Identity Warehouse


Identity Warehouse is the central repository that contains identity, access and audit data, optimized for complex analytical queries and simulations. This data is imported from one or more databases within your organization on a scheduled basis. The Oracle Identity Analytics import engine supports complex entitlement feeds saved as either text files or XML. A glossary entry, defined as a business-friendly term for typically cryptic IT entitlements, can also be captured during the import process, enabling business users to view and analyze users’ access rights in a business-friendly way. Oracle Identity Analytics provides strong and robust integration capabilities with the provisioning products, including Oracle Identity Manager and Oracle Waveset.

2. Attestation of Access Rights with Cert 360

Identity Certification

Oracle Identity Analytics reduces operational risk exposure by providing a 360-degree view of users’ access – not just “who has access to what”, but whether access was appropriately assigned and how it is being used. Oracle Identity Analytics securely automates existing manual re-certification or attestation processes for certifying the user access rights by business managers and application owners. This significantly reduces costs associated with existing manual controls and enhances audit effectiveness, resulting in enforcement of “least privilege” across the enterprise. A significant amount of effort has gone into developing the next gen user interface of the attestation UI, focusing on the overall usability as well as the time to load a large amount of attestation data to the end user. Concepts such as paging, improved batching and lazy-loading allow for a much quicker sign-off experience for the end user and advanced searching, sorting and filtering capabilities enable the end user (or access reviewer) to view the data that matters to them the most and certify it with a single click.

3. IT Audit Policy Monitoring

Segregation of duties (SoD) enforcement prevents users from intentionally or inadvertently breaching security policy by having a conflicting combination of roles or entitlements. IT Audit Policy enforcement directly impacts an organization’s ability to comply with explicit requirements of the Sarbanes-Oxley Act and multiple other regulatory mandates aimed at ensuring the integrity of enterprise financial operations.

4. Comprehensive Role Governance

Role Mining

Oracle Identity Analytics’ role mining feature allows customers to conduct role mining based on organization, user and entitlement attributes to clean up and organize existing entitlements towards a role-based setup.  The Identity Warehouse is used to capture the necessary information about users, entitlements and their relationships – allowing OIA to perform both top-down and bottom-up role mining.  The role-mining feature also provides rule discovery to correlate rules between approved roles and attributes for use in role assignment.  Once the roles are defined, role change management ensures approval workflow for any role creation and role definition changes along with version tracking to monitor the history of these controls. Comprehensive reports and dashboards to drill down and tweak role content are also provided with the solution. Roles defined across an enterprise are subject to evolve over time, and require a robust administration and governance process. Oracle Identity Analytics provides role approvals upon detection of associated entitlement updates and performs real time impact analysis for role consolidation before changes are applied in a live environment. The role change approval process combined with role versioning, role change “what if” simulations, and rollback features, provides a complete role administration solution. Oracle Identity Analytics also fully audits all the changes made to role definitions including role assignment rules and entitlement mapping policies.

5. Compliance Command Console


Oracle Identity Analytics provides comprehensive actionable dashboards and advanced analytics capabilities based on user identity, access and audit data residing in the Identity Warehouse. It provides various compliance and operational dashboards for a quick review of compliance and operational status in the context of roles, segregation of duty policies, audit policies and other controls. While compliance dashboards are typically used for executive-level compliance monitoring, detailed out-of-box reports enable IT staff, business users and auditors to structurally analyze the warehouse data. The dashboards can further be customized for business users, compliance and audit officers and other end users on an as-needed basis. While Oracle Identity Analytics provides close to 50 out-of-box reports, its data dictionary is published to allow customers to extend these reports and build custom reports.

For more information on Oracle Identity Analytics 11g, please visit us at the Oracle Technology Network.

How can we make User Attestations easier for Managers?

It’s that time of the quarter again! Let’s do some User Access Reviews! It’s pretty much the case with most organizations: managers do not look forward to performing attestations. And I wouldn’t blame them. Certifying a user’s access on a mainframe or Active Directory is not a manager’s dream job. As a vendor and product manager, some questions related to this problem arise:

1. How do we make it easier for managers to perform their access reviews?

2. How do we ensure that access reviews are a breeze, enabling our managers to move on to more important tasks?

3. How do we provide managers with sufficient information that allows them to make educated decisions on certifying a user’s access?

From a product perspective, a few solutions come to mind, that make it easier for managers to quickly and accurately get through their attestations:

1. User Interface: Make it a seamless, easy to use, UI that allows Managers flexible options to certify hundreds of user entitlements with fewer clicks, while presenting the information they need to see (no cryptic entitlements! use glossary!).

2. Flag High Privileged, High Risk Entitlements. Red Alert!

3. Display the type of account a manager is certifying: is it a System Account, is it an Email Account, etc.?

4. Was the account a part of a Segregation of Duties violation? Is the violation still open? Was the account a part of a Segregation of Duties violation and was accepted as a risk for a particular time period?

5. Flag access that was previously revoked in a prior certification. Red Alert! The user’s access was not cleaned up in Q1, IT sucks!

6. For ongoing attestations, display user access that was changed (added/modified) since the last attestation. Maybe grey out the access that was constant so the manager does not have to attest it again, unless they really want to. Makes it faster for a manager to go through a larger attestation, spanning multiple departments or cost centers.

7. Move towards Role based access control! Isn’t it easier for a manager to certify his employee accessing the “Accountant” role with access to underlying applications, than certifying each individual application and its numerous entitlements?

8. Display any role assignment rules that were used to assign Roles to a user. Provides validation on why a user has access to them.

9. Integrate with your Provisioning solution (assuming it uses a self-service interface and has approvals and workflow set up). Extract Workflow approval logs from the solution and display 1) Who Approved What? 2) When was it approved? 3) Approval Comments. This informs managers that the user’s entitlements went through a legitimate approval process and are a no-brainer to approve during the attestation.

10. Integrate with an SIEM Solution. How cool would it be for managers to not only see what entitlements a user has access to, but whether those entitlements were being put to good use or not? If a user has not logged into an accounting application for the past one year, but still has access to it, maybe he or she does not need it anymore. This would prove to be extremely valuable for managers to make quick decisions and move their users towards least privilege.
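
The flags from items 2, 4, 5, 6 and 10 above, computed for one user's certification page, as an added example that is not Oracle Identity Analytics code. The flag names, field layout, policy id and sample data are constructed assumptions, and a missing usage record is treated as unused.

```python
from datetime import date, timedelta

# Added illustration: all names and data below are constructed assumptions.
HIGH_RISK = {"AD:Domain Admins", "ERP:Approve Payment"}
SOD_POLICIES = {"AP-01": {"ERP:Create Vendor", "ERP:Approve Payment"}}
SOD_EXCEPTIONS = {("bob", "AP-01"): date(2011, 9, 30)}  # accepted-risk end date

def annotate(user, current, previous, last_used, today, idle_days=365):
    """Return {entitlement: [flags]} for one user's certification page.
    current   -- set of entitlements the user holds now
    previous  -- {entitlement: "certified" | "revoked"} from the last review
    last_used -- {entitlement: date of last use}, e.g. derived from SIEM logs
                 (assumption: no record at all counts as unused)
    """
    flags = {e: [] for e in current}
    for e in current:
        if e in HIGH_RISK:
            flags[e].append("HIGH_RISK")
        if previous.get(e) == "revoked":
            flags[e].append("REVOKED_LAST_REVIEW")    # clean-up never happened
        elif e not in previous:
            flags[e].append("NEW_SINCE_LAST_REVIEW")
        else:
            flags[e].append("UNCHANGED")              # candidate for grey-out
        used = last_used.get(e)
        if used is None or today - used > timedelta(days=idle_days):
            flags[e].append("UNUSED")
    for policy, conflict in SOD_POLICIES.items():
        if conflict <= current:                       # user holds every side
            until = SOD_EXCEPTIONS.get((user, policy))
            state = "SOD_ACCEPTED" if until and today <= until else "SOD_OPEN"
            for e in conflict:
                flags[e].append(f"{state}:{policy}")
    return flags

def review_order(flags):
    """Flagged items first; unchanged items with no other flag last."""
    return sorted(flags, key=lambda e: (flags[e] == ["UNCHANGED"], e))

# Constructed sample: bob's access at the Q3 review.
CURRENT = {"ERP:Create Vendor", "ERP:Approve Payment", "Mail:Mailbox", "AD:Domain Admins"}
PREVIOUS = {"ERP:Create Vendor": "certified", "Mail:Mailbox": "certified",
            "AD:Domain Admins": "revoked"}
LAST_USED = {"ERP:Create Vendor": date(2011, 8, 1), "Mail:Mailbox": date(2011, 8, 30),
             "ERP:Approve Payment": date(2011, 8, 20)}

if __name__ == "__main__":
    page = annotate("bob", CURRENT, PREVIOUS, LAST_USED, date(2011, 8, 31))
    for ent in review_order(page):
        print(f"{ent:22} {', '.join(page[ent])}")
```

Rerunning the same data with a review date after the exception's end date turns the accepted SoD conflict back into an open one, which is the state a reviewer needs to see before certifying either entitlement.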

Let’s make life easier for our managers…they have more important work to do! Oracle Identity Analytics is one of the industry leading attestation solutions in the market today and you can get more information on the product by clicking here.