2. Agenda
• Panel Discussion
• Challenges and Implementation Overview
• The Solution Behind the Implementation
• Q&A
3. Panel Discussion
• Jason W. Zellmer, Director, Strategy and Information Management, Kaiser Permanente Information Security
• Rex Thexton, Managing Director, Advisory Services, PricewaterhouseCoopers
• Viresh Garg, Director, Oracle Identity Management
6. PwC - Oracle Security Overview
Our practice has years of experience in Security and Identity & Access Management with over 1000 professionals in NA.
• PwC is the leading Oracle IdM partner for five consecutive years
• PwC has completed over 150 implementations over the last 4 years
• PwC is the only Oracle partner to be a four time Titan Award winner
• PwC has conducted more 11g implementations than any other Oracle partner
• PwC has been nominated to Oracle’s Deputy CTO program since its inception
• PwC is involved in a significant % of all large Security Deals at Oracle
• PwC is the only Diamond Partner with advanced specialization area in identity
7. Kaiser Implementation Overview
Kaiser Permanente’s Goals
• Resolve significant deficiencies identified by internal audit for access management controls across the enterprise
• Develop sustainable and cost effective compliance processes through the automation of access management and recertification
• Standardize on a new IAM product suite (Oracle – OIA/OIM) and retire the legacy IAM technology stack (IBM Tivoli)
• Collapse existing IAM functions (help desks, security admins) within the regional business units by expanding the footprint of centralized IAM services
• Implement self-service functionality to enable business users and reduce administrative burden for care delivery staff (doctors, nurses, etc.)
• Objectives to span across:
  • 7 major business units
  • 150+ SOX applications
  • 1300+ HIPAA applications
8. Kaiser Identity Management
Identity Administration Overview at KP (Current State)
• Access Review by Applications
• Access Review performed by line managers - view users' access specific to one application.
Key Pain Points:
• Lack of Holistic View
• Absence of automated remediation and remediation validation mechanisms.
• Inability to perform role certification.
Identity Administration Overview at KP (Future State)
(Diagram: KP-OIM and KP-OIA linked in a loop; the role life-cycle runs Define, Refine, Verify, and the identity life-cycle handles New, Change and Leave events for Users.)
KP-OIM
• Authoritative Source for Identities
• Automated Roles based provisioning
• Identity Synchronization
• Identity Life-cycle Management
KP-OIA
• Authoritative Source for Roles
• Role Life-cycle Management
• Advanced Role Certification Capability
9. Old data learns new tricks:
Managing patient privacy and security on a new data-sharing playground
Published: Fall 2011
Data is quickly becoming one of the health industry’s most treasured commodities. Yet, health organizations are acutely aware that sensitive data can be easily compromised. In just the last year and a half, a breach of personal health information occurred, on average, every other day. Breaches erode productivity and patient trust. They’re costly, unpredictable, and unfortunately quite common. More than half of healthcare organizations surveyed by PwC have had at least one privacy/security-related issue in the last two years.
Download this report from PwC at www.PwC.com/us/HITprivacysecurity
11. Managing Risk and Enforcing Compliance in
Healthcare with Identity Analytics
Viresh Garg, Director, Identity Management, Oracle
12. This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
13. Healthcare Challenges Are Unique, Acute
(Slide shows a cloud of drivers: HITECH, Sarbanes-Oxley, HIPAA, EHR Access, IT/Helpdesk Costs, Staff Productivity, Meaningful Use, VIP Cases, Patient Care SLA.)
• Secure Access Control
• Sustainable Compliance Practices
15. Building User’s Risk Profile
(Diagram: Identity Data Sources (Applications, DB, Mainframe) feed the Identity Warehouse, which holds Resources, Identities, Entitlements, Roles and Events. Risk Assignment followed by Risk Aggregation buckets each user as Low Risk, Med Risk or High Risk; Low Risk users go to Auto Certify, Med and High Risk users to Cert360, each ending in Approve or Reject.)
16. Closed-Loop Feedback
(Diagram: User On-boarding, User Access Change and User Off-boarding events pass through SOD Checking and an Aggregate Risk Score, with Risk Feedback looping back into User Administration and Access Certifications.)
• IT and Business Roles
• SOD Checks: Preventative, Remedial
• Risk Feedback
• User Administration
• Access Certifications
17. Automating User Administration
(Diagram: Employee -> HR System -> Oracle Identity Manager Workflow -> GRANT / REVOKE -> Applications, Systems.)
• Automate Roles Based Provisioning / Deprovisioning
• Identify orphaned accounts and take remedial action
• Self-service requests including password management
• Provide risk feedback and audit trail for compliance reporting in Identity Analytics
18. Automating Compliance Certification
1. Set Up Periodic Review: What Is Reviewed? Who Reviews It? When? How Often? Delegation Paths
2. Reviewer Is Notified: Email; Goes to Self Service
3. Automated Action is taken based on Reviewer Selections: Certify -> Result to User Automatically; Reject -> Terminate User; Decline -> Notify the Process Owner; Delegate -> Notify Delegated Reviewer
4. Report Built And Results Stored in DB: Archive Attested Data; Attestation Start; Actions; Comments
20. Platform Reduces Cost vs. Point Solutions
• 48% Cost Savings
• 46% More Responsive
• 35% Fewer Audit Deficiencies
Source: Aberdeen “Analyzing point solutions vs. platform” 2011
21. Summary
• Boost Security & Compliance
  • Enforce and prove compliance, prevent privilege abuse with Identity Analytics
  • Improve patient care SLA, curb unauthorized access, reduce costs with Identity Manager tied to Identity Analytics
  • Boost user productivity by 80%
• For More Information
  • Contact: Richard.Caldwell@oracle.com
  • Call him: 1-781-565-1779
  • www.oracle.com/identity
  • Blogs.oracle.com/OracleIDM
22. Q&A
• Jason W. Zellmer, Director, Strategy and Information Management, Kaiser Permanente Information Security
• Rex Thexton, Managing Director, Advisory Services, PricewaterhouseCoopers
• Viresh Garg, Director, Oracle Identity Management
Editor's Notes
Events include: Last Attestation History, Open Audit Violations and Provisioning Method. The resources the user has access to, the entitlements and privileges, and the way access was granted or the user was assigned to a role all contribute to a user’s risk profile. The Identity Warehouse aggregates this information from across all resources and builds the user’s risk profile. To take the subjectiveness out of it, instead of assigning a risk number, users are bucketed into Low Risk, Med Risk and High Risk, making risk aggregation objective and intuitive. Since the reviewers’ focus should rightfully be on high and medium risk profiles rather than the low risk ones, you can use the risk aggregation to build checks and balances for your medium and high risk profiles and do a Cert360 on those users to completely assess their entitlement profiles, while low risk users can even be bulk certified using an automated, intuitive web interface. Risk analytics really takes advantage of the new interface, where your reviewers can now focus on "what matters most" and quickly access users, roles, accounts, etc. with ease.
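The risk aggregation and routing described in these notes, as an added illustration (not Oracle Identity Analytics code): per-factor weights, thresholds, user records and resource names are constructed assumptions, and a real deployment would tune them.

```python
from dataclasses import dataclass, field

# Constructed per-factor weights (assumptions, not Oracle's scoring model).
RESOURCE_RISK = {"payroll-db": 3, "ehr": 3, "mainframe": 2, "intranet-wiki": 0}
ENTITLEMENT_RISK = {"admin": 3, "write": 2, "read": 1}
PROVISIONING_RISK = {"role-based": 0, "request-approved": 1, "direct-grant": 2}
YEAR_WITHOUT_ATTESTATION_RISK = 1   # per full year since last attestation
OPEN_VIOLATION_RISK = 2             # per open audit violation

@dataclass
class UserAccess:
    user: str
    resources: dict = field(default_factory=dict)  # resource -> entitlement
    provisioning: str = "role-based"               # how access was granted
    days_since_attestation: int = 0
    open_violations: int = 0

def risk_score(u: UserAccess) -> int:
    """Aggregate resources, entitlements and events into one number."""
    score = 0
    for res, ent in u.resources.items():
        score += RESOURCE_RISK.get(res, 1) + ENTITLEMENT_RISK.get(ent, 1)
    score += PROVISIONING_RISK.get(u.provisioning, 2)
    score += (u.days_since_attestation // 365) * YEAR_WITHOUT_ATTESTATION_RISK
    score += u.open_violations * OPEN_VIOLATION_RISK
    return score

def risk_bucket(score: int) -> str:
    """Hide the raw number behind an objective Low/Med/High bucket."""
    if score <= 5:
        return "Low"
    return "Med" if score <= 10 else "High"

def certification_route(u: UserAccess) -> str:
    """Low risk can be bulk/auto certified; Med and High get a Cert360."""
    return "Auto Certify" if risk_bucket(risk_score(u)) == "Low" else "Cert360"

def build_review_queue(users):
    """Group users by route so reviewers see what matters most first."""
    queue = {"Cert360": [], "Auto Certify": []}
    for u in users:
        queue[certification_route(u)].append((u.user, risk_bucket(risk_score(u))))
    return queue

SAMPLE_USERS = [  # constructed sample data
    UserAccess("nurse1", {"ehr": "read", "intranet-wiki": "read"}),
    UserAccess("dba1", {"payroll-db": "admin", "mainframe": "write"},
               provisioning="direct-grant", days_since_attestation=400,
               open_violations=1),
]
```

Running `build_review_queue(SAMPLE_USERS)` puts the directly granted, uncertified admin into the Cert360 queue and the read-only nurse into the auto-certify queue.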
Identity Administration helps solve the provisioning/de-provisioning challenge and many other common issues. Let’s take a look at how this works. Oracle Identity Manager automates all aspects of administering user identities. Its key capabilities can be broadly broken down into 3 buckets. First, it automates provisioning and de-provisioning of users. Typically when an employee joins the company, they are entered into the HR system. OIM can automatically detect this addition/change and kick off a workflow process for provisioning them with access to the systems they would need. After receiving the necessary approvals, OIM automatically creates accounts for this user in all the relevant applications. Similarly, when an employee departs, since OIM knows everything she has access to, it can quickly revoke access from all systems. Additionally, as folks change roles they are automatically de-provisioned from systems they no longer need and added to new ones relevant to their new role. This ensures that users do not “collect” privileges over time, another common security vulnerability. Another immediate benefit organizations realize as soon as they implement OIM is that they’re quickly able to identify and remediate orphaned accounts – live accounts whose owners are no longer with the organization. OIM also provides much improved visibility across enterprise-wide security controls and can quickly produce reports such as “who has access to what”. As we’ll discuss later, this also greatly eases the cost of compliance. Finally, another great source of cost savings is end user self-service. Users can use a web interface to reset forgotten passwords, request new accounts and more, thus eliminating a significant volume of help-desk calls.
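The joiner/mover/leaver reconciliation these notes describe, as an added example that is not Oracle Identity Manager code: a constructed HR feed is diffed against constructed application accounts, roles map to per-application entitlements, the difference becomes GRANT/REVOKE actions, and live accounts with no HR owner are flagged as orphans. Role map, application names and employee ids are all assumptions.

```python
# Constructed role -> {application: entitlement} mapping (assumption).
ROLE_MAP = {
    "nurse":   {"ehr": "read", "scheduling": "write"},
    "billing": {"ehr": "read", "payroll-db": "write"},
    "dba":     {"payroll-db": "admin", "mainframe": "admin"},
}

# Constructed HR feed: employee id -> (status, roles).
HR_FEED = {
    "e100": ("active", {"nurse"}),        # joiner, no accounts yet
    "e200": ("active", {"billing"}),      # mover: was dba, now billing
    "e300": ("terminated", set()),        # leaver
}

# Constructed current account state: (employee id, application) -> entitlement.
ACCOUNTS = {
    ("e200", "payroll-db"): "admin",
    ("e200", "mainframe"): "admin",
    ("e300", "ehr"): "read",
    ("e999", "mainframe"): "admin",       # no HR record at all: orphan
}

def target_access(roles):
    """Entitlements implied by a set of roles; the strongest one wins per app."""
    order = {"read": 1, "write": 2, "admin": 3}
    target = {}
    for r in sorted(roles):
        for app, ent in ROLE_MAP.get(r, {}).items():
            if order[ent] > order.get(target.get(app), 0):
                target[app] = ent
    return target

def reconcile(hr_feed, accounts):
    """Return (actions, orphans); actions are (GRANT|REVOKE, emp, app, ent)."""
    actions, orphans = [], []
    for (emp, app), held in sorted(accounts.items()):
        status, roles = hr_feed.get(emp, ("unknown", set()))
        if status == "unknown":                        # live account, no owner
            orphans.append((emp, app))
        if status != "active" or target_access(roles).get(app) != held:
            actions.append(("REVOKE", emp, app, held))  # leaver, orphan or mover
    for emp, (status, roles) in sorted(hr_feed.items()):
        wanted = target_access(roles) if status == "active" else {}
        for app, ent in wanted.items():
            if accounts.get((emp, app)) != ent:
                actions.append(("GRANT", emp, app, ent))  # joiner or mover gain
    return actions, orphans
```

A mover whose entitlement level changes on the same application shows up as a REVOKE of the old level followed by a GRANT of the new one, which is what keeps privileges from accumulating.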
Access Certification or attestation is a key part of Sarbanes-Oxley compliance and a highly recommended security best practice. Oracle Identity Analytics offers a best-in-class attestation feature that can be deployed quickly to enable an enterprise-wide attestation process that features automated report generation, delivery and notification. Attestation reviewers can review fine-grained access reports within an interactive user interface that supports fine-grained certify, reject, decline, and delegate actions. All report data and reviewers’ actions are captured for future auditing needs. Reviewer actions can optionally trigger corrective action using Oracle Identity Manager’s workflow engine. The new OIA attestation UI is quite dynamic. Like the iPad, there really is no wrong way of holding it: you can sort and filter and view users and their access the way you want to, but always go back to that "original" view.
Complementary functionalities must be harnessed to achieve true end to end enterprise class security. Oracle has the most complete identity and access management offering in the industry because we are executing on a complete vision of security. Oracle Identity Management is a comprehensive offering of several best of breed products. Oracle IdM is the most complete and integrated IDM suite in the industry today. It is hot-pluggable and supports most leading third party platforms and applications. It is built on a unique architectural approach called Service Oriented Security which enables security to be externalized from applications and centralized using a standards based IDM framework. At Oracle, we like to think of IdM as being composed of some distinct functional areas. We have Identity Administration, which is all about user provisioning and role lifecycle management; Oracle Identity Manager is our flagship product in the Id Admin space. Then we have Access Management, which is all about access control – authentication, authorization, single sign on and federation. In addition, Oracle also offers next gen access management technologies for risk based access control, for fine grained authorization, for web services security and information rights management for securing sensitive, unstructured business information. We also have Directory Services for centralizing and consolidating user identities. With Oracle Id analytics and the new Oracle Security Governor, we now offer comprehensive Identity & Access Governance. Of course, OPSS is the security foundation across all of Middleware and Fusion apps.