If you receive errors when attempting to view this white paper, please install the latest version of
Adobe Reader.
"Oracle has been helping customers like you manage your business systems and information with reliable, secure, and integrated technologies."
Source : Oracle
How Midsize Businesses Can Reduce Costs, Secure Data, and Ensure Compliance with an Identity Management Program
Identity management is also known as :
Information Strategy,
Information System,
Information System Analysis,
Management System,
Identity Management Solutions,
System Methodology,
Electronic Identity Management,
Identity Management System,
IMS,
Identity Management,
Identity Management Systems,
Network Information Service,
Identity Repository,
IMS Profiling,
Identity Engineering,
Identity Paradigm
Identity Management Program
EXECUTIVE SUMMARY
Midsize businesses are doing more with less, in large part by basing their business
models around the Internet and developing collaborative environments that connect
employees, customers, partners and vendors. People form the foundation of all
business transactions. And, for people to communicate, collaborate and transact
business, they must be able to identify who they are dealing with in a secure and
reliable manner. However, today’s midsize businesses need to strike a balance between
the needs of authorized users for open access and the duty to maintain information
security and privacy.
A strong identity management platform plays the dual roles of gatekeeper and
guardian of business intelligence and information. Midsize businesses cannot
operate effectively without the ability to control access to their networks and business
systems. To further complicate matters, many midsize businesses must report on this
information for compliance purposes.
This whitepaper highlights the unique needs of midsize businesses and explores the
factors driving them toward stronger identity management platforms, such as Oracle
Identity Management.
FACTORS DRIVING THE MOVE FOR STRONGER IDENTITY
MANAGEMENT
Identity management is defined as the technology and processes that apply to
maintaining and managing a digital user profile throughout a lifecycle—on-boarding,
modification and, ultimately, termination.1 More simply put, it involves ensuring the
right people have secure access to the right resources and information. For midsize
businesses, there are a number of factors driving their move to stronger identity
management.
Growing Regulatory Compliance Mandates
Legislation such as Sarbanes-Oxley, Gramm-Leach-Bliley, the Health Information
Portability and Accountability Act (HIPAA) and the European Union Directive
on Data Protection has put information security in the limelight. Small and large
businesses alike are forced to comply with these mandates or face stiff fines and even
prison terms for their corporate executives. Unfortunately, many midsize businesses
are trying to comply using manual and inefficient processes.
IDC Research shows that the identity and access management (IAM) market,
estimated at $3.4 billion in 2006, will reach more than $5 billion in revenue by
2010. Compliance is the primary driver and accounts for 70 percent of the growth
in this space.
Midsize businesses have the same challenges as larger companies when it comes to
compliance—any company doing business with a publicly traded company generally
needs to comply with the same regulations. However, the problem is that compliance
is expensive and does not just involve setting up systems and processes, but it requires
control and proof of compliance practices—all of which need to run efficiently and be
sustainable for the long term.
Manual processes are often the main culprit for compliance failures and out-ofcontrol
costs. Many errors are often made when granting privileges. It is simply
too hard to manually track all accesses to sensitive and proprietary information
(i.e., Excel spread sheets and emails). Without an automated process in place, it
becomes difficult for midsize businesses to audit and cross-reference identities or
changes across departments, partners and the organization in order to confirm or
establish access or segregation of duties.
Building Operational Efficiencies
A healthy and sustainable business, in large part, comes from keeping operations
within budget and continually seeking ways to reduce costs. For midsize businesses,
cost-reduction directives and "having to do more with less" are daily facts of life.
Improved operational efficiencies can often be achieved by automating processes
within a select group (i.e., IT), across departments (i.e., HR and IT) and throughout
the entire organization (i.e., employees and partners).
Most midsize businesses run multiple applications to keep operations running
smoothly. In turn, each application requires access by a number of different users.
A typical midsize business running even just a few dozen applications might have
to manage varying levels of access across hundreds of users that include employees,
partners and vendors. So, it is easy to see how quickly costs and security can get out
of control without automation in place.
IT staff can easily get bogged down spending dozens of hours every week provisioning
(i.e., setting up) or changing accounts. And, depending on the internal operational
landscape of the midsize business, this process can take as long as several weeks after
hire. At this point, the issue of the costs associated with weeks of lost productivity
comes into play as employees sit idle waiting for access or password resets.
According to The Burton Group and Gartner studies, password resets represent 30
percent of all help desk calls 3 with the average call cost estimated between $25 and
$50.4 Herein lies another problem; users are human and they forget passwords and
user IDs. They call the help desk and get assigned new passwords. On the surface, it
does not appear to be a major issue. But, taking a look at the big picture, the costs
associated with just managing user passwords and access can grow exponentially for
a midsize businesses if this information is viewed on a per-year, per-employee basis.
Increased Need for Improved Security
As long as companies and people continue to house and exchange sensitive
information, content, data and transactions, the risk of security breaches will always
persist. Today’s criminals use the open nature of the Internet to create highly
successful, criminal strikes on a global scale. They continue to exploit the inefficiencies
of online applications and networks, and they have aggressively performed with
increasingly more sophistication.
Privacy and the protection of personally identifiable information (i.e. Social
Security numbers, age, address, phone, etc.) are some of the biggest concerns today.
Unauthorized access to user, employee, and client data often results in cases of
identity theft and other forms of fraud. Accordingly, more regulations to protect this
type of sensitive information can only be expected as consumer awareness grows.
However, security threats also include "inside jobs," where people have at least some
type of valid credentials—often traced to disgruntled employees intent on stealing or
corrupting data to get even. Gartner estimates more than 70 percent of unauthorized
access to information systems is committed by insiders, as are more than 95 percent
of intrusions that result in significant financial losses.
Without some type of automated identity management system, unfortunately, midsize
businesses are often easy targets. Because each application often has its own built-in
security, it is often hard for midsize businesses to establish consistent standards and
policies (i.e., passwords) across multiple platforms within the organization. This type
of situation affords little control over who needs and gets access. Not to mention, it
offers few guarantees for proper deprovisioning, or termination of access rights.
Emergence of the Flat World
In his best-selling book "The World is Flat: A Brief History of the Twenty-First
Century," Thomas Friedman analyzes the progress of globalization and its impact on
how business gets done today. In Friedman’s flat world, midsize businesses can now
drive competition within a "level, global, Web-enabled playing field."
However, as midsize businesses find themselves immersed in today’s dynamic and
interconnected global economy, they have also come to realize conventional business
systems and processes of the past are not designed to consolidate, integrate, federate
and automate work that takes place in a flat world. Today, identity management
solutions need to address the dynamic interaction and different relationships that
connect an midsize business’s employees, trading partners and key stakeholders. The
virtual line that defines a company’s internal and external audiences is now erased.
The new collaborative nature of today’s business drives the need for single-source
identity management solutions connected across applications, departments and
enterprises. The key is to balance control, making information, processes and systems
available to appropriate users without compromising security.
A CONSTELLATION OF PAIN POINTS
Oracle Identity Management is a suite of solutions that allows midsize businesses to
manage the end-to-end lifecycle of user identities across all enterprise sources, both
internally and beyond the firewall. Oracle Identity Management offers the control
and automation for processes that govern what users access and when.
Through a range of components, Oracle Identity Management provides centralized,
single-source administration for provisioning and deprovisioning users; self-service
access and password management; federated identity and access management outside
traditional corporate boundaries; and complete auditing and reporting capabilities.
The Oracle Identity Management solutions address the constellation of pain points
that plague many midsize companies:
- Limited IT resources and expertise: Midsize companies do not have
the flexibility or the big budget to add new headcount to address
identity management issues. Adding functionality should not mean
adding responsibility in a department where "do more with less" is
a daily mantra.
- Need for immediate return on investment: In order to stay competitive,
midsize businesses need an affordable, overall solution that delivers
immediate value in terms of streamlining the management of
information with established work processes while improving efficiencies
and productivity — without sacrificing security.
- Requirements for ease in purchase, deployment and integration: Midsize
businesses migrate to vendors that understand their unique set of needs
and offer exceptional customer service. They have little time, resources
or money to waste on complex solutions and drawn-out integrations.
Midsize businesses need quick as well as seamless and transparent
deployments so operational interruptions are kept at a minimum.
- Need for flexible and extensible solutions: In order to keep pace with
a midsize businesses’ agility and development, identity management
solutions should support security and business growth now as well
as into the future. They should rely on solutions created with open,
standards-based design in order to support the integration and operation
with future technology products and services.
- Necessity for solutions that are easy to use and maintain: In order to
compete with larger enterprises, midsize businesses must have the same
levels of protection and automation. However, the systems and processes
must be as easy to use and administer as possible. If too difficult and
companies cannot adapt quickly enough, then users will find a way
around the system. If the identity management system is too loose,
then midsize businesses leave themselves exposed to risk.
BUSINESS BENEFITS OF ORACLE IDENTITY MANAGEMENT
Identity management involves a number of departments including HR, security, IT,
audit, lines of business, legal and others. Historically, identity management solutions
have been too expensive and complex for midsize businesses. However, Oracle’s
Identity Management now offers midsize businesses the same enterprise-class
functionality that only larger firms could previously get.
Oracle Identity Management is a comprehensive, best-in-class solution that addresses
every aspect of identity management while focusing on unique midsize business
requirements. Oracle Identity Management is sold as a complete solution, yet midsize
businesses have the flexibility to select the complete suite or stand-alone components.
More specifically, Oracle Identity Management offers:
- Directory Services: Directories provide centralized storage and
presentation of user information, scalable up to millions of users.
In addition, Oracle offers a highly innovative Virtual Directory product
that integrates multiple directories in real-time, without ever having to
synchronize data;
- Identity Administration: Identity administration governs how digital
identities, groups and organizations are created, maintained and
leveraged throughout the organization;
- Identity Federation: Federated identity management provides a means
to link internal employees to external constituents (i.e., partners,
vendors) without the burden of managing identities and credentials
in both places;
- User Provisioning: User provisioning automates the tedious process
of linking logical identities to physical accounts in various systems,
including the changes that happen throughout the user lifecycle whether
it is on-boarding, change of access rights, or, ultimately, termination;
- Auditing: This function highlights the end result of doing everything
else right, by providing a dashboard of governance and compliance
where midsize businesses can attest to and verify what access a user has,
for what reason, when and who approved it; and
- Web Services Security: Web services exposes business applications and
information to the Internet for use by customers, business partners
and employees.
Oracle Identity Management solutions help midsize businesses address many of
the issues and challenges they face in a business landscape filled with ongoing security
threats, sweeping compliance initiatives, and the continual drive to keep costs in
control.
With this in mind, the Oracle Identity Management solution is able to deliver these
benefits.
Strengthened Network Security
Oracle Identity Management defends an organization from internal threats by
applying a centralized security policy to users and applications, ensuring a high level
of consistency across the entire organization. Uniform user access and rights can be
granted from a single repository and removed at a moment’s notice, helping prevent
the accumulation of "orphan" accounts and their associated security vulnerabilities.
But, internal security measures are not enough—customers, partners and other
third parties all demand self-service access to data. The challenge is in making sure
information is available to legitimate users while still ensuring its security.
Information sharing becomes extremely complex once the information needs to be
secured across boundaries such as for business partners, dealers or outside consultants.
Oracle Identity Management lets midsize businesses set up federated identity
management systems so trusted partners can securely access applications; for example,
when a distributor wants to check product-availability status from a manufacturer, or
a travel agency wants to provide self-booking tools to the employees of its clients.
A cohesive identity management strategy across applications lets midsize businesses
securely facilitate these exchanges without placing undue strain on IT resources. It
also makes it easier to develop and expand business practices, because it is less costly
and time-consuming to leverage existing policies and procedures than to create new
ones from scratch.
Oracle Identity Management centralizes activities, views and administration. This
solves many ongoing security issues. Midsize businesses can now get a big-picture
view, knowing what people are accessing and when. It automates tasks that users have
had to rely on someone else to do.
Improved Enterprise Compliance
Any compliance system requires auditing capabilities that help deter unauthorized
user behavior. A midsize business cannot achieve compliance-level accountability
unless it centrally manages user identities as well as their access rights.
To achieve this, midsize businesses need to enforce segregation of duties and restrict
access by maintaining tight control over user permissions, privileges and profile data
and by strictly controlling who has access to what, and when.
Oracle Identity Management enforces segregation of duties, automates and
manages access, and delivers an aggregated audit and reporting capability. Unlike
stand-alone identity management solutions, Oracle Identity Management is an
integral component of the comprehensive Oracle compliance architecture, an
interoperable framework of solutions that address the wider compliance needs of
the entire organization. Oracle Identity Management reduces several months
of liability into more sustainable compliance.
Lower Administrative and Development Costs
Although the information technology industry acknowledges that centralized
identity management is the ultimate goal, most midsize businesses are far from
achieving it. Oracle Identity Management allows organizations to manage access to
sensitive information and to provision users across a range of disparate systems and
applications. Rather than granting access to individual applications in a "one-off "
fashion, Oracle supports policy-based security and single sign-on to applications—so
users can access multiple applications with just one password. This enables workers
to be more productive, even as it reduces the costs of security maintenance and
administration.
By removing authentication and authorization from individual applications and
centralizing it, Oracle Identity Management eliminates duplicated efforts across tens
to hundreds of applications.
The cost savings are not only in the development of these applications but also in
the centralized management of user identities and the ability to share administration
capabilities by delegating them to line-of-business managers (i.e., HR managers) who
are responsible for those functions. Research conducted by The Radicati Group, Inc.
shows that an identity management solution can reduce administrative costs by up
to 78 percent.7 In addition, self-service capabilities—such as resetting and recalling
passwords—eliminates up to 30 percent of incoming help desk calls.
All in all, Oracle’s ability to deliver a comprehensive, best-in-class suite of solutions
that easily integrate with all leading business applications, operating systems, servers,
databases and portals makes it an attractive midsize business identity management
solution.
SILICON IMAGE REDUCES HELP DESK TICKETS BY MORE THAN
60% WITH ORACLE IDENTITY MANAGEMENT
Silicon Image, Inc. is an example of a midsize business that has realized the
provisioning and compliance benefits of deploying Oracle Identity Management
solutions. This 600-employee high-tech company, which designs and sells various
types of integrated circuits, needed to improve its provisioning, ensure regulatory
compliance, build a single source for identity information, and sync multiple
password policies. Any new identity management products and services also
needed to be scalable and flexible enough to work within the existing company
architecture.
By implementing Oracle Identity Management solutions, Silicon Image has
facilitated Sarbanes-Oxley compliance and reduced help desk tickets by more
than 60 percent for on-boarding and off-boarding. In addition, the company
has been able to provide single sign-ons across multiple applications, automatically
linking employee records with application user accounts, and substantially
improving provisioning.
CONCLUSION
Managing identities is a small part of the overall challenge midsize businesses face
as they conduct business today. Managing access to critical resources and proprietary
information is the main issue. However, midsize businesses cannot manage access
without managing identities if they want to secure data and ensure compliance.
Compliance as well as maintenance cost will continue to be key drivers of
innovation, forcing midsize businesses to strengthen and consolidate security across
the organization. Regulatory legislation, in particular, will continue to evolve. There
will also be new applications, mergers, acquisitions and partners that marry midsize
businesses, employees and diverse IT platforms. As midsize businesses continue to
partner with outside vendors and consultants to improve their competitive edge, the
movement toward the federated side of identity management will grow as business
partners request more access to midsize business systems.
Midsize businesses must take an automatic and unified approach not only to
enhance security, but also increase efficiency, relying on fewer people and a single
system to fully provision and deprovision user access and privileges. In addition,
midsize businesses will need the ability to considerably speed account creation while
streamlining business processes and ongoing maintenance, ultimately lowering
administrative costs.
As demonstrated by Silicon Image Inc., midsize businesses can streamline key
processes, starting when users are first entered into the system by HR upon hire.
Company-wide credentials are automatically created with privileges associated with
the employee’s specific job responsibilities. Thus, account creation happens
instantly—as part of a single business process.
Midsize businesses need flexible, interconnected solutions to serve as foundations for
well-rounded identity management in order to address more long-term needs well
into the future.
As midsize businesses consider identity management solutions, they must define
objectives in order to find features that meet their needs, whether reducing help desk
calls for password resets, automating the provisioning and deprovisioning process, or
complying with federal or industry regulations. Midsize businesses need to select
vendors that not only support current standards and objectives, but also have a vision
for services that embrace and champion evolving standards.
No longer considered as a product or technology, identity management as a
"service" is part of the Oracle vision for midsize businesses. Oracle has the ability
to build identity management into the next generation of business applications,
allowing for fewer stand-alone solutions, more easy and rapid deployments, as well
as increased features and functionality. Oracle is leveraging its expertise to build better
midsize business services to address the business needs for today’s (and tomorrow’s)
identity-driven world.