Buyer’s Guide for a User Provisioning Solution ??2011-07-21Control: The organization ... well-implemented user provisioning solution provides essential ... Buyer’s Guide for a User Provisioning Solution Page 9 •

  • Published on
    06-May-2018

  • View
    213

  • Download
    1

Embed Size (px)

Transcript

  • Buyers Guide for a User Provisioning Solution An Oracle White Paper April 2007

  • Note:

    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracles products remains at the sole discretion of Oracle.

    Buyers Guide for a User Provisioning Solution Page 2

  • Buyers Guide for a User Provisioning Solution

    Introduction ....................................................................................................... 5 User provisioning overview ............................................................................. 5

    Standards for user account controls........................................................... 6 Key requirements for user provisioning solutions................................... 6 Benefits of user provisioning ...................................................................... 7 Role of user provisioning in the enterprise security architecture .......... 8

    Oracles user provisioning solution: Oracle Identity Manager ................... 9 Solution overview ......................................................................................... 9 Oracle Identity and Access Management ................................................ 10

    User provisioning checklist............................................................................ 12 Functionality ................................................................................................ 12

    Identity and role administration........................................................... 12 Request administration and approval workflow................................ 13 Rules and policies ................................................................................... 15 Provisioning workflows......................................................................... 16 Integration framework........................................................................... 17

    Deployability and Manageability............................................................... 18 Deployment, diagnostic and management tools................................ 18 Solution architecture .............................................................................. 19 Enterprise scalability .............................................................................. 20 High availability ...................................................................................... 21 User interfaces ........................................................................................ 22 Vertical industry solutions..................................................................... 23

    Auditability................................................................................................... 23 Audit data capture .................................................................................. 23 Audit data reporting............................................................................... 24 Policy compliance monitoring.............................................................. 24

    Vendor capabilities ..................................................................................... 25 Product support...................................................................................... 25 Industry leadership................................................................................. 26 Vendor portfolio .................................................................................... 26

    Conclusion........................................................................................................ 27

    Buyers Guide for a User Provisioning Solution Page 3

  • Buyers Guide for a User Provisioning Solution Page 4

  • Buyers Guide for a User Provisioning Solution

    INTRODUCTION Organizations everywhere are taking a hard look at how they are implementing information systems security. There are a number of factors driving this interest, including:

    An elevated threat environment, with high-profile security and privacy breaches grabbing front-page headlines.

    Organizational demands to support new business models for customer and partner interaction, while simultaneously delivering higher service levels.

    Requirements to meet regulatory compliance goals, satisfy audits and demonstrate the exercise of due care in managing organizations information systems resources.

    Business demands pressuring IT organizations to do more with less.

    To address these needs, many organizations are turning to user provisioning solutions. User provisioning automates the creation and management of user accounts and entitlements to information systems throughout the enterprise. Organizations have found that by implementing user provisioning solutions such as Oracle Identity Manager, they are able to cost-effectively deliver vital security controls over their information systems and other company resources.

    This white paper describes the need for user provisioning, key requirements of a user provisioning system, and some of the business benefits of implementing user provisioning. Next, it provides a detailed list of product features and vendor capabilities customers should consider when evaluating their user provisioning needs.

    USER PROVISIONING OVERVIEW User provisioning solutions provide an automated means of managing user accounts and entitlements in organizations information resources. Enterprise users typically have accounts in a number of resources such as databases, directories, e-business applications and e-mail systems. User provisioning solutions create and manage user accounts on these systems and synchronize the user identities and password information. A well-designed user provisioning product can also deliver

    User provisioning automates user account and entitlement management for

    information resources throughout an organization.

    Buyers Guide for a User Provisioning Solution Page 5

  • other important functionalities, for example, generating reports on current and historical user entitlements, automating the periodic review of entitlements, and facilitating the management of non-IT resources. This section of the whitepaper examines the business need for user provisioning as well as high-level system requirements.

    Standards for user account controls In NIST Special Publication 800-53 (NIST 800-53), the U.S. Department of Commerces National Institute of Standards and Technology describes the baseline level of security controls needed to secure an information system environment. These controls are to be deployed as part of an overall program that includes periodic risk assessments, effective policies and procedures, awareness training and testing. While the guidelines described in the document are directed at executive agencies of the U.S. Federal Government, they are often looked to as guidance for developing best practices for securing commercial systems as well.

    Requirement AC-2 in the NIST 800-53 document addresses requirements for account management:

    Control: The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. The organization reviews information system accounts [Assignment: organization-defined frequency, at least annually].1

    Furthermore, for systems with moderate to high security assurance needs, the document directs that:

    The organization employs automated mechanisms to support the management of information system accounts.2

    These requirements for automated account management and review can be met with a well-engineered user provisioning solution.

    Key requirements for user provisioning solutions At a high level, requirements for a user provisioning solution can be considered in four categories: Candidate user provisioning solutions

    should be evaluated for functionality, deployability and supportability,

    auditability and vendor capabilities. Functionality Does the system deliver the key functionalities the

    organization and users require? These include administration of roles and identities, password management, flexible approval and provisioning workflows and the ability to support a wide array of target resources.

    Deployability and Supportability Does the system include the tools and interfaces for managing deployments, migrations and ongoing system administration? Does the system support the various application

    1 NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, National Institute of Standards and Technology, February 2005. 2 Ibid., p. 40.

    Buyers Guide for a User Provisioning Solution Page 6

  • infrastructures deployed in the organization? Can it meet the organizations scalability and availability requirements, and are the user interfaces customizable and easy to deploy?

    Auditability Does the system support the organizations audit and reporting processes? Does it provide the ability to generate entitlement and usage reports as well as automate and track entitlement attestation processes?

    Vendor capabilities Does the vendor have the demonstrated ability to provide global support for the product? Does the vendor demonstrate technology leadership and continued investment in the product area?

    More detailed requirements associated with these high-level categories are provided in the next section. This white paper next considers some of the benefits of deploying user provisioning.

    Benefits of user provisioning The AIC triad summarizes the generally accepted three main principles of an information systems security program. Here, A stands for the availability of the systems or information under management, I stands for the integrity of that information, and C stands for the need to maintain confidentiality of the information managed by the system. The role that user provisioning plays in an information systems security program can be understood by its impact on the AIC triad:

    User provisioning impacts all three aspects of the AIC (availability, integrity,

    confidentiality) triad.

    Availability User provisioning impacts systems availability by accelerating the process whereby authorized users are granted access to applications, speeding the organizations response to events such as new hires and employee job changes.

    Integrity User provisioning impacts systems integrity by enforcing a least-privilege model for user access and by automatically removing users privileges to systems they are no longer authorized to access. User provisioning can prevent the creation of rogue or unauthorized accounts in managed applications, identify orphan accounts that are no longer connected to enterprise users, and police the accounts on connected applications through reconciliation. These functionalities promote integrity by preventing modifications to application data by unauthorized users.

    Confidentiality User provisioning impacts the confidentiality of systems data by ensuring that only authorized users can access applications and data on the various enterprise systems under management. It also promotes the confidentiality of identity information and passwords through functionalities such as self-service and delegated administration.

    A well-designed, well-implemented user provisioning solution provides essential information system security controls and represents a key component of an information security program.

    Buyers Guide for a User Provisioning Solution Page 7

  • Role of user provisioning in the enterprise security architecture Enterprise security architectures are integrated, coherent sets of services for securing applications and data throughout the organization. As opposed to a security infrastructure, an enterprise security architecture reflects the strategic decisions on the part of an organizations management that guide application development, procurement and deployment decisions. Some of the advantages of adopting and deploying enterprise security architectures include:

    Enabling enterprises to deliver a consistent level of application security across all of the applications deployed in the enterprise.

    Reducing the cost of securing and managing applications by allowing all applications to leverage a common set of services and interfaces.

    Permitting application developers and administrators to more easily leverage best practices for securing and managing applications.

    Providing a framework for application-level interaction with other organizations doing business with the enterprise.

    Providing a basis for better application procurement and deployment decisions.

    The user provisioning system is an essential component of an effective enterprise security architecture. Figure 1 provides an overview of the identity management-related components of enterprise security architectures. These include:

    User provisioning should be considered in the context of enterprise security

    architectures.

    Access control services, for securing access to web-based, legacy and web services applications, both within and across the extended enterprise.

    Identity administration services, including administration of users, automatic provisioning of users to applications, and automation of periodic compliance-driven processes such as attestation.

    Directory services, including repositories for storing and managing identity information, as well as integrating identity information from across the organization.

    Audit and compliance services for recording information on changes in the identities and privileges managed in the environment, and enforcing key administrative controls such as separation of duties.

    Management services, which ensure that the other services within the architecture are deployable, manageable, and deliver the required service levels.

    Buyers Guide for a User Provisioning Solution Page 8

  • AccessAccessControlControl

    DirectoryDirectoryServicesServices

    IdentityIdentityAdministrationAdministration

    Authentication & Authentication & AuthorizationAuthorization

    Single SignSingle Sign--OnOn

    FederationFederation

    Web Services SecurityWeb Services Security

    Identity LifecycleIdentity LifecycleAdministrationAdministration

    Role & MembershipRole & MembershipAdministrationAdministration

    Provisioning &Provisioning &ReconciliationReconciliation

    Compliance AutomationCompliance Automation

    VirtualizationVirtualization

    SynchronizationSynchronization

    StorageStorage

    Service Levels Configuration Performance Service Levels Configuration Performance AutomationAutomation

    ManagementManagement

    Audit Data...

Recommended

View more >