Posts Tagged ‘Identity & Access Governance’

Do You Need To Reduce Your Audit Exposure?

August 31, 2011

Today, managers are overwhelmed by the sheer volume of certification reviews and are just certifying users without the appropriate level of attention or analytics. Without proper visibility into user access, managers are unable to perform accurate certification reviews and the result can have negative financial and security consequences. In addition, this results in organizations not being able to sustain a periodic attestation cycle to review user access rights across a wide range of business applications and platforms, thus failing audits. And yes folks, the “Audit Eye” is real! Check it out:

[Image: Dazed Manager]

Find out how Oracle can help you keep up with audit requirements.


On-Demand Webcast: Maximize Compliance ROI With Oracle Identity Analytics

August 23, 2010


The original event was broadcast on:
Thursday, June 24, 2010
10:00 am PT / 1:00 pm ET

Click here to view it on demand.

Compliance costs still running high? IT & audit processes still too complex, error-prone and disjointed?

Get the know-how today! Learn how Oracle Identity Analytics, Oracle’s proven Identity & Access Governance (IAG) solution, is optimized to analyze, review, and govern user access in order to mitigate risk, build transparency, and satisfy compliance mandates quickly and effectively.

Join our technology expert on this complimentary webcast to discover how you can:

  • Automate critical identity-based controls such as attestation and segregation of duties
  • Analyze, mine, and correlate user roles for compliant and efficient user access
  • Build comprehensive reports for audit, compliance, and business purposes
  • Utilize business-friendly compliance dashboards and metrics
  • Give a 360-degree view of user’s access and achieve rapid compliance


Neil Gandhi
Principal Product Manager, Oracle Identity Analytics
Oracle Corporation

On Glossary Management…

August 2, 2010

Talking to several customers where there is a strong desire for complete glossary management capabilities for entitlements being managed in their warehouse of user identities, I’ve come to realize that a major problem for them today is that most entitlements, especially around mainframes & target platforms such as Active Directory & Unix, are not clearly understood by the various lines of business when they perform their quarterly attestation reviews. More importantly, there are no tools available in the market today that provide a centralized view for creating (or importing existing glossaries, since most customers, especially in the financial sector, pay top dollar to create glossary definitions, all maintained in Excel spreadsheets) and subsequently managing glossary definitions. The management piece is interesting since it is tied to adding security features that allow multiple owners across different businesses to manage glossary definitions that can later be leveraged not just by an attestation solution, but also by provisioning solutions and other downstream applications that require end users to thoroughly understand the meaning of cryptic entitlements (such as a concise definition of a RACF group membership or the true meaning of an SAP role) before performing certain tasks.

This solution would truly provide an enterprise-wide capability to effectively manage glossary definitions across applications and target systems, at the same time providing a means to attest to the validity of the entitlements themselves. According to another large banking customer, there is an entitlement creep that takes place in an organization over time, and these entitlements are never reconsidered and remediated in the target systems. A mechanism to truly understand the meaning of an entitlement, and whether it is indeed needed or not, is called for.

This raises another question: in addition to regular glossary management capabilities (CRUD), do glossaries need to be audited when they are defined or modified? This would require strong historical reporting capabilities so that any additions/modifications made by designated “glossary owners” to glossaries are recorded in a centralized dashboard. Versioning and revert capabilities should also be provided, allowing glossary owners to switch back and forth between definitions if required. Moreover, glossary owners would then be required to attest glossaries and, most importantly, the true need for all entitlements pertaining to a target system or application, to provide comprehensive evidence to auditors that unwanted entitlements are actually being revoked and/or consolidated from the target systems on a regular basis.

Oracle Identity Analytics 11g…all systems go!

Yesterday was a momentous day for the Oracle Identity Management team. With over 750 man months of development and 1300 man months of QA in this release, Oracle Identity Management 11g is a huge milestone! And Oracle Identity Analytics 11g is our first official release with Oracle post the Sun acquisition and the smooth migration of the highly successful Sun Role Manager product…and we are proud to have this strategic product moving forth in the Identity and Access Governance marketplace. I will take the time to discuss some of the great architectural innovations we have made with this release. Granted, the primary work was to assimilate Oracle Identity Analytics into the Oracle Identity Management portfolio, but our product engineering team was still able to fit in some great new features, which I will address.

Oracle Identity Analytics gives enterprises the ability to engineer and manage roles and to automate critical identity-based controls, and it brings together Business Intelligence with enterprise security and access governance for cross-product identity analytics. The components of the product include:

1. Identity Warehouse

Identity Warehouse is the central repository that contains identity, access and audit data, optimized for complex analytical queries and simulations. This data is imported from one or more databases within your organization on a scheduled basis. The Oracle Identity Analytics import engine supports complex entitlement feeds saved as either text files or XML. A glossary entry, defined as a business friendly term for typically cryptic IT entitlements, can also be captured during the import process enabling business users to view and analyze user’s access rights in a business-friendly way. Oracle Identity Analytics provides strong and robust integration capabilities with the provisioning products including Oracle Identity Manager and Oracle Waveset.

2. Attestation of Access Rights with Cert 360

Oracle Identity Analytics reduces operational risk exposure by providing a 360-degree view of users’ access – not just “who has access to what”, but whether access was appropriately assigned and how it is being used. Oracle Identity Analytics securely automates existing manual re-certification or attestation processes in which business managers and application owners certify user access rights. This significantly reduces costs associated with existing manual controls and enhances audit effectiveness, resulting in enforcement of “least privilege” across the enterprise. A significant amount of effort has gone into developing the next-generation attestation user interface, focusing on overall usability as well as the time it takes to load a large amount of attestation data for the end user. Paging, improved batching and lazy-loading allow for a much quicker sign-off experience, and advanced searching, sorting and filtering capabilities enable the end user (or access reviewer) to view the data that matters most to them and certify it with a single click.

3. IT Audit Policy Monitoring

Segregation of duties (SoD) enforcement prevents users from intentionally or inadvertently breaching security policy by having a conflicting combination of roles or entitlements. IT Audit Policy enforcement directly impacts an organization’s ability to comply with explicit requirements of the Sarbanes-Oxley Act and multiple other regulatory mandates aimed at ensuring the integrity of enterprise financial operations.

4. Comprehensive Role Governance

Oracle Identity Analytics’ role mining feature allows customers to conduct role mining based on organization, user and entitlement attributes to clean up and organize existing entitlements towards a role-based setup.  The Identity Warehouse is used to capture the necessary information about users, entitlements and their relationships – allowing OIA to perform both top-down and bottom-up role mining.  The role-mining feature also provides rule discovery to correlate rules between approved roles and attributes for use in role assignment.  Once the roles are defined, role change management ensures approval workflow for any role creation and role definition changes along with version tracking to monitor the history of these controls. Comprehensive reports and dashboards to drill down and tweak role content are also provided with the solution. Roles defined across an enterprise are subject to evolve over time, and require a robust administration and governance process. Oracle Identity Analytics provides role approvals upon detection of associated entitlement updates and performs real time impact analysis for role consolidation before changes are applied in a live environment. The role change approval process combined with role versioning, role change “what if” simulations, and rollback features, provides a complete role administration solution. Oracle Identity Analytics also fully audits all the changes made to role definitions including role assignment rules and entitlement mapping policies.

5. Compliance Command Console

Oracle Identity Analytics provides comprehensive, actionable dashboards and advanced analytics capabilities based on user identity, access and audit data residing in the Identity Warehouse. Oracle Identity Analytics provides various compliance and operational dashboards for a quick review of compliance and operational status in the context of roles, segregation of duty policies, audit policies and other controls. While compliance dashboards are typically used for executive-level compliance monitoring, detailed out-of-the-box reports enable IT staff, business users and auditors to structurally analyze the warehouse data. The dashboards can further be customized for business users, compliance and audit officers and other end users as needed. While Oracle Identity Analytics provides close to 50 out-of-the-box reports, its data dictionary is published to allow customers to extend these reports and build custom reports.

For more information on Oracle Identity Analytics 11g, please visit us at the Oracle Technology Network.

Access Certification: Addressing & Building on a Critical Security Control

Please visit the Oracle Identity Analytics website on Oracle Technology Network, where you can download product briefs, whitepapers, case studies and deployment guides, in addition to downloading the product and accessing the product documentation. You can also download this great whitepaper on Access Certifications here.

How can we make User Attestations easier for Managers?

It’s that time of the quarter again! Let’s do some User Access Reviews! It’s pretty much the case with most organizations: managers do not look forward to performing attestations. And I wouldn’t blame them. Certifying a user’s access on a mainframe or Active Directory is not a manager’s dream job. As a vendor and product manager, some questions related to this problem arise:

1. How do we make it easier for managers to perform their access reviews?

2. How do we ensure that access reviews are a breeze, enabling our managers to move on to more important tasks?

3. How do we provide managers with sufficient information that allows them to make educated decisions on certifying a user’s access?

From a product perspective, a few solutions come to mind that make it easier for managers to quickly and accurately get through their attestations:

1. User Interface: Make it a seamless, easy to use, UI that allows Managers flexible options to certify hundreds of user entitlements with fewer clicks, while presenting the information they need to see (no cryptic entitlements! use glossary!).

2. Flag High Privileged, High Risk Entitlements. Red Alert!

3. Display the type of account a manager is certifying: is it a System Account, an Email Account, etc.?

4. Was the account a part of a Segregation of Duties violation? Is the violation still open? Was the account a part of a Segregation of Duties violation and was accepted as a risk for a particular time period?

5. Flag access that was previously revoked in a prior certification. Red Alert! The user’s access was not cleaned up in Q1, IT sucks!

6. For ongoing attestations, display user access that was changed (added/modified) since the last attestation. Maybe grey out the access that was constant so the manager does not have to attest it again, unless they really want to. Makes it faster for a manager to go through a larger attestation, spanning multiple departments or cost centers.

7. Move towards Role-based access control! Isn’t it easier for a manager to certify an employee’s assignment to the “Accountant” role, with its access to underlying applications, than to certify each individual application and its numerous entitlements?

8. Display any role assignment rules that were used to assign Roles to a user. Provides validation on why a user has access to them.

9. Integrate with your Provisioning solution (assuming it uses a self-service interface and has approvals and workflow set up). Extract Workflow approval logs from the solution and display 1) Who Approved What? 2) When was it approved? 3) Approval Comments. This informs managers that the user’s entitlements went through a legitimate approval process and are a no-brainer to approve during the attestation.

10. Integrate with an SIEM Solution. How cool would it be for managers to not only see what entitlements a user has access to, but whether those entitlements were being put to good use or not? If a user has not logged into an accounting application for the past one year, but still has access to it, maybe he or she does not need it anymore. This would prove to be extremely valuable for managers to make quick decisions and move their users towards least privilege.
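The flags from items 2, 5, 6 and 10 above can be computed before the review ever reaches the manager. The following is an added example, not Oracle Identity Analytics code: the data shapes, flag names and the SIEM last-login export are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Entitlement:
    user: str
    app: str
    name: str
    high_risk: bool = False

def review_flags(current, previous, last_login, today, stale=timedelta(days=365)):
    """Annotate entitlements for the reviewer.
    previous:   {(user, app, name): "certified" | "revoked"} from the prior cycle
    last_login: {(user, app): date}, e.g. exported from a SIEM (assumed feed)
    """
    rows = []
    for e in current:
        key, flags = (e.user, e.app, e.name), []
        prior = previous.get(key)
        if e.high_risk:
            flags.append("HIGH_RISK")              # item 2
        if prior == "revoked":
            flags.append("REVOKED_NOT_REMOVED")    # item 5
        elif prior is None:
            flags.append("NEW_SINCE_LAST_CERT")    # item 6
        seen = last_login.get((e.user, e.app))
        if seen is None or today - seen > stale:
            flags.append("UNUSED")                 # item 10
        # Grey out only access that was certified before and raises no flag now.
        rows.append((key, flags, prior == "certified" and not flags))
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))  # most flags first

# Constructed sample data (not from any real system).
TODAY = date(2011, 8, 31)
CURRENT = [
    Entitlement("jdoe", "AD", "Domain Admins", high_risk=True),
    Entitlement("jdoe", "ERP", "AP_CLERK"),
    Entitlement("jdoe", "RACF", "PAYGRP1"),
    Entitlement("jdoe", "Mail", "mailbox"),
]
PREVIOUS = {("jdoe", "AD", "Domain Admins"): "revoked",
            ("jdoe", "ERP", "AP_CLERK"): "certified",
            ("jdoe", "Mail", "mailbox"): "certified"}
LAST_LOGIN = {("jdoe", "AD"): date(2011, 8, 30), ("jdoe", "ERP"): date(2010, 6, 1),
              ("jdoe", "RACF"): date(2011, 8, 1), ("jdoe", "Mail"): date(2011, 8, 29)}

if __name__ == "__main__":
    for key, flags, greyed in review_flags(CURRENT, PREVIOUS, LAST_LOGIN, TODAY):
        print(key, flags or "-", "(greyed out)" if greyed else "")
```

An entitlement that was certified last cycle is still surfaced when usage data or its risk rating raises a flag, so greying out never hides stale or privileged access.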

Let’s make life easier for our managers…they have more important work to do! Oracle Identity Analytics is one of the industry-leading attestation solutions in the market today and you can get more information on the product by clicking here.