IDM concepts

Sun Java™ System Identity Manager Innovative Identity Management Customer Presentation Sun Microsystems


Transcript of IDM concepts

Page 1: IDM concepts

Sun Java™ System Identity Manager
Innovative Identity Management

Customer Presentation
Sun Microsystems

Page 2: IDM concepts

Sun Proprietary/Confidential: Authorized Partner & Internal Use Only 2

Business Imperatives

Identity management solutions must address multiple, conflicting business goals

Three goals: Improve Access & Service, Become More Secure, Reduce Costs

Drivers shown around them:

Web Services

Extranets

Portals

Dynamic User Base

Operations, Help Desk, Development

Integration

Corporate Governance

Internal Threats

External Threats

Legal Mandates

Page 3: IDM concepts


Sun Identity Management

Improve Access & Service: fosters productivity, strong business relationships and increases revenue

● Single Sign-on improves service and ease of use

● Automated provisioning ensures rapid access to required resources

● Self-service account management and password reset

● Federation to enable trusted partnerships and new revenue opportunities

Become More Secure: lowers risk and ensures compliance with policies and mandates

● Automatic detection of potential risks such as dormant accounts

● Role- and rules-based access control to protect enterprise resources

● Centralized visibility and control across divisions and departments

● Enterprise-wide identity auditing and reporting

Reduce Costs: improves operational efficiencies & bottom line results

● Reduces administrative costs through automation, delegation and self-service

● Reduces total cost of ownership and speeds deployment times

● Reduces development and integration costs through open, integratable architecture

Page 4: IDM concepts


Sun Identity Management

Products: Identity Manager, Directory Server Enterprise Edition, Access Manager

● Comprehensive software portfolio that includes:

  ● Directory Services

  ● Access Control, Single Sign-on, Federation

  ● Provisioning and Meta-Directory Services

● Open and integratable to reduce integration cost and complexity

Page 5: IDM concepts


Sun Identity Management Products

Access Manager

● Federation

● Single Sign-On

● Access Control

Identity Manager

● Synchronization Services

● Password Management

● User Provisioning

Directory Server EE

● AD Sync Services

● Security/Failover

● Directory Services

Across the products:

● Web-Based Administration

● Audit & Reporting

Page 6: IDM concepts


Network Identity Architecture Template

Source: Burton Group Telebriefing, Enterprise Identity Mgmt, The Strategic Infrastructure Imperative

Page 7: IDM concepts


Sun Java System Identity Manager

A comprehensive solution for managing identity profiles and permissions throughout the entire identity lifecycle (Add, Change, Delete)

● Automated user provisioning to improve operational efficiency and enhance security

● Secure, automated password management to improve service levels and lower costs

● User self-service and delegated administration to lower support costs

● Automated data synchronization to lower workloads associated with handling change

● Non-invasive, flexible architecture to speed deployment and ROI

● Comprehensive auditing and reporting to improve security compliance

Outcomes: enhanced security, lowered costs, improved productivity

Page 8: IDM concepts

Business Drivers for Identity Management

The rising importance of Information Security

● Security audits: Operations must be able to demonstrate the ability to control, audit and report on what users have access to

● Legislative compliance: HIPAA, Gramm-Leach-Bliley Act, Sarbanes Oxley, 21 CFR Part 11, European Data Protection Directive, etc.

The increasing amount of change in enterprise environments

● Acquisitions, divestitures, reorganizations, workforce reductions

The growing need to control costs: “Do more with Less”

● Recurring charges for non-digital resources that were not de-provisioned

● Spiraling help desk costs for password resets

Page 9: IDM concepts

Provisioning Challenges: Fragmented, Manual and Insecure

Populations: Employees, Partners, Customers, Former Employees

Request paths: Human Resources System, Call Center, Facilities/Purchasing, Help Desk

Digital resources: Siebel CRM, Oracle Financials, Exchange and Active Directory, Other Assets

Chargeable Assets

• Mobile phone/service

• Conference call account

• Credit card

• Office space

• Phone

• Laptop

Open questions:

• Where are my risks?

• Who should have access?

• Who does have access?

• What assets have been provided?

• How much does this cost?

Page 10: IDM concepts

Provisioning with Identity Manager: Streamlined, Automated and Secure

Populations: Employees, Partners, Customers, Former Employees

Authoritative source: HR System; requests approved by an Approving Manager

Managed resources: Siebel CRM, Oracle Financials, Exchange and Active Directory, Other Assets

Chargeable Assets

• Mobile phone/service

• Conference call account

• Credit card

• Office space

• Phone

• Laptop

Result: reduced risk, a complete view of the user’s identity, efficient automated operations

Page 11: IDM concepts

Identity Manager Capabilities

Automated user provisioning

Synchronization services

Auditing and reporting

Delegated administration

Password management

Cross platform support

Noninvasive, flexible architecture

Page 12: IDM concepts

Features and Benefits

Smart Forms

AutoDiscovery

Virtual Identity manager

Agentless Adapters

ActiveSync

Rules Engine

Dynamic Workflow

Centralized password policy management

Help desk integration

Pass-through authentication

Page 13: IDM concepts

Technical Architecture Diagram

[Diagram: Identity Manager runs as a J2EE application on any application server, backed by the Lighthouse Virtual ID Store held in an RDBMS or LDAP directory (JDBC/LDAP). Managed resource types: Mainframe, Unix Systems, Directories, Custom Apps, Groupware, RDBMS, NT/ADS, Partner Web App, and an Asset Database/Directory holding laptop serial number, office number, mobile service plan, mobile phone model, conference call account and credit card. Connection methods shown: Custom, JDBC, Servlet, SOAP/XMLRPC, ADSI, 3270, JNDI, LDAP/JDBC, SSH, arranged as agent-less, gateway or agent connections. Authoritative Source Adapters connect HR via JMAC/ABAP/JDBC. The Approving Manager and End User Self-Service reach the system from any web browser over HTTPS; notifications go out over SMTP; External Workflow is reached via WSBPEL; the Help Desk integration performs trouble ticket creation.]

Page 14: IDM concepts


Identity Manager Resources

More than 50 out-of-the-box; configured with resource wizards; most defined and tested in minutes

Types of resources: mainframe security managers, databases, directory services, applications, operating systems, ERP systems, messaging platforms

Page 15: IDM concepts

Identity Manager Resource Adapter Types

Agentless connectivity

● Easily integrated in existing environments

● Single maintenance point for upgrades

● Eliminates most technical/political objections

Gateways where appropriate

● Crossing OS/API boundaries

● Follows platform interface requirements

● Provides compatibility over time using recommended APIs

Custom Adapters

● Unusual or proprietary resources

● The RDK is a clean and efficient approach

● Lots of custom skeletons to reuse

Page 16: IDM concepts

Identity Manager Workflow Features

Management of complex business processes

● Capable of complex processes

● Multi-step approvals

● Robust notification framework

● Silent Directory data transformations

● Can include digital and non-digital assets

Task persistence

● Task recovery

● Administrator queues

● Escalation

● Automatic network / resource error compensation with notification

Diverse execution models

● Synchronous, concurrent or hybrid workflows

● Independent thread forked processes

● Deferred/scheduled processes to execute at a preset time

Page 17: IDM concepts

Identity Manager Virtual Identities

Lightweight

● Real-time interaction with managed resources

● Can modify operation of connected application NOW!

● No complex replication infrastructure

● Ability to generate reports on native data in resources

Virtual Identity Composition

● Identity Manager ID

● Basic Information (name, email)

● List of resources

● Key information for each resource

● Extendable

Page 18: IDM concepts

Identity Manager Synchronization

Multiple synchronization types to best fit a given resource

● ActiveSync

● Smart Polling

● Event Listener

Full IDM workflow is available

● Execute complex business logic

● Approvals and notifications

● Converting to and from flat data or nodal structures

● Secondary system lookups

Reconciliation and Discovery

● Bulk activity – where a batch process is needed
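The reconciliation step above, and the "automatic detection of potential risks such as dormant accounts" promised earlier in the deck, both come down to comparing what a managed resource actually holds against the authoritative source. The following Python is an added illustration of that comparison, not Sun's or Identity Manager's code: the HR feed, the account export, the field names and the 90-day dormancy threshold are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample input (not Identity Manager's data model): an
# authoritative HR feed and an account export from one managed resource.
HR_FEED = [
    {"employee_id": "1001", "login": "asmith", "status": "active"},
    {"employee_id": "1002", "login": "bjones", "status": "active"},
    {"employee_id": "1003", "login": "cdoe",   "status": "terminated"},
    {"employee_id": "1004", "login": "dlee",   "status": "active"},
]
RESOURCE_ACCOUNTS = [
    {"login": "asmith",  "last_login": date(2024, 5, 30)},
    {"login": "bjones",  "last_login": date(2024, 1, 15)},  # active owner, long unused
    {"login": "cdoe",    "last_login": date(2024, 1, 10)},  # owner terminated in HR
    {"login": "svc_old", "last_login": date(2023, 9, 1)},   # no HR record at all
]
SAMPLE_TODAY = date(2024, 6, 1)
DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold, not a product default


@dataclass
class ReconciliationResult:
    orphans: list = field(default_factory=list)  # accounts with no active HR owner
    missing: list = field(default_factory=list)  # active identities with no account
    dormant: list = field(default_factory=list)  # owned accounts unused past threshold


def reconcile(hr_feed, accounts, today):
    """Compare the resource's accounts against the authoritative source."""
    active = {p["login"] for p in hr_feed if p["status"] == "active"}
    present = {a["login"]: a for a in accounts}
    result = ReconciliationResult()
    # Orphans cover both terminated owners and accounts HR never knew about;
    # both are the "who does have access?" gap from the challenges slide.
    result.orphans = sorted(login for login in present if login not in active)
    result.missing = sorted(login for login in active if login not in present)
    result.dormant = sorted(
        login for login, acct in present.items()
        if login in active and today - acct["last_login"] > DORMANT_AFTER)
    return result


def plan_actions(result):
    """Turn findings into proposed provisioning tasks. In practice these feed
    an approval workflow rather than being executed blindly."""
    actions = [("disable", login) for login in result.orphans]
    actions += [("provision", login) for login in result.missing]
    actions += [("review", login) for login in result.dormant]
    return actions


if __name__ == "__main__":
    for action, login in plan_actions(
            reconcile(HR_FEED, RESOURCE_ACCOUNTS, SAMPLE_TODAY)):
        print(f"{action:10s} {login}")
```

The orphan and dormant lists are deliberately kept separate: an orphan has no legitimate owner and can be disabled on sight, while a dormant account belongs to a current employee and should go to review so that, for example, a returning leave-taker is not locked out by an automated run.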

Page 19: IDM concepts


Identity Manager Auditing & Reporting

Every action in Identity Manager is logged

● Stored in the IDM repository

● Discrete entries for each activity

● Allows for aggregate queries

● Extendable, e.g. signed logging

● Extended logging for compliance reporting
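"Signed logging" is mentioned above only as an example of how the audit log can be extended. The Python below is an added sketch of one way to do that, not Identity Manager's own mechanism: each discrete entry carries an HMAC over its content plus the previous entry's MAC, so an auditor holding the key can detect an altered, removed or reordered record. The key, the actor names and the actions are constructed for the example; Identity Manager's real audit record schema is not reproduced here.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # constructed starting value for the chain


def _canonical(entry):
    """Stable byte encoding so the MAC does not depend on dict ordering."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class SignedAuditLog:
    """Append-only log; every record is chained to the one before it."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []
        self._prev = GENESIS

    def append(self, actor, action, target, **detail):
        entry = {"seq": len(self.records), "actor": actor, "action": action,
                 "target": target, "detail": detail, "prev": self._prev}
        mac = hmac.new(self._key, _canonical(entry), hashlib.sha256).hexdigest()
        record = dict(entry, mac=mac)
        self.records.append(record)
        self._prev = mac
        return record


def verify(records, key):
    """Return (True, None) if the chain is intact, else (False, index) of the
    first record that fails: wrong MAC, broken link, or gap in sequence."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("prev") != prev or body.get("seq") != i:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, None


SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"


def build_sample_log():
    """Constructed activity: three discrete entries, as the slide describes."""
    log = SignedAuditLog(SAMPLE_KEY)
    log.append("admin1", "createUser", "jdoe", resources=["AD", "Exchange"])
    log.append("helpdesk2", "resetPassword", "jdoe")
    log.append("admin1", "deleteUser", "ghost")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log.records, SAMPLE_KEY))
    tampered = [dict(r) for r in log.records]
    tampered[1]["target"] = "someone_else"
    print("after edit:", verify(tampered, SAMPLE_KEY))
```

Because the verifier checks the link to the previous MAC and the sequence number, dropping a record in the middle is caught at the next record rather than silently shortening the history; a compliance report built on aggregate queries over the repository can run `verify` first and refuse to report from a broken chain.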

Page 20: IDM concepts


Identity Manager Auditing and Reporting (cont.)

Reporting types

● User and Administrator

● Summary Reports

● Usage

● Role

● Resource

Report output options

● Ad-hoc

● Scheduled

● Visual

● Formatted for export

Risk analysis reports

Wizard to create new reports

Page 21: IDM concepts


Identity Manager Interface Options

Zero footprint web based applications

● Administrator interface

● End user self administration

SOAP/SPML

● Provides standards based interface

● HTTP connectivity

Java API for custom applications

Console

● Scriptable

● Bulk process

IVR (legacy InnerVoice Bright)

Business Process Editor (Java Swing)

Page 22: IDM concepts


Identity Manager Objects and Containers

Users

Resources

● Any external data managed by Identity Manager

Roles and resource groups

● Contain multiple resources

● Contain behavior

● Apply rules and policy

Organizations and Virtual Organizations

● Virtual Organizations map to org structures in remote directories

Relationships between objects and containers

Page 23: IDM concepts


Identity Manager Delegated Administration

Capabilities

● Discrete: can be assigned to a user that performs only one function

● N-level delegation: can be assigned from one administrator to another, providing true n-level delegation

Administrators are created

● Granular authority

● Any user can be an administrator

● A user's administration privileges may be limited to a specific capability or to a specific organization

● Using the web interface, or using rules, forms or workflow
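The model above has three security-relevant properties: a capability is discrete, it is scoped to an organization, and it can be handed down through several levels. The Python below is an added illustration of those rules, not Identity Manager's implementation: the organization tree, the capability names and the administrator accounts are constructed, and the invariant enforced is that a delegator can only hand on a capability they already hold over the target organization, so delegation can narrow authority but never widen it.

```python
# Constructed organization tree (child -> parent); names are assumptions.
ORG_PARENT = {
    "Corp": None,
    "Corp/EMEA": "Corp",
    "Corp/EMEA/Sales": "Corp/EMEA",
    "Corp/APAC": "Corp",
}


class DelegationError(Exception):
    """Raised when a delegation would exceed the delegator's own authority."""


def is_within(org, scope):
    """True if org is scope itself or lies beneath it in the tree."""
    while org is not None:
        if org == scope:
            return True
        org = ORG_PARENT[org]
    return False


def can(grants, admin, capability, org):
    """Does admin hold capability over org, directly or via an ancestor org?
    grants maps an administrator to a set of (capability, organization)."""
    return any(cap == capability and is_within(org, scope)
               for cap, scope in grants.get(admin, set()))


def delegate(grants, delegator, delegatee, capability, org):
    """Grant one discrete capability in one organization. Refused unless the
    delegator holds that capability over that organization themselves."""
    if not can(grants, delegator, capability, org):
        raise DelegationError(
            f"{delegator} cannot delegate {capability} over {org}")
    grants.setdefault(delegatee, set()).add((capability, org))


def try_delegate(grants, delegator, delegatee, capability, org):
    """Same as delegate, but reports refusal as False instead of raising."""
    try:
        delegate(grants, delegator, delegatee, capability, org)
        return True
    except DelegationError:
        return False


def build_sample():
    """Two levels of delegation from a constructed root administrator."""
    grants = {"root_admin": {("ResetPassword", "Corp"), ("CreateUser", "Corp")}}
    delegate(grants, "root_admin", "emea_admin", "ResetPassword", "Corp/EMEA")
    delegate(grants, "emea_admin", "sales_helpdesk", "ResetPassword",
             "Corp/EMEA/Sales")
    return grants


if __name__ == "__main__":
    g = build_sample()
    print(can(g, "sales_helpdesk", "ResetPassword", "Corp/EMEA/Sales"))  # True
    print(can(g, "sales_helpdesk", "ResetPassword", "Corp/EMEA"))        # False
    print(try_delegate(g, "emea_admin", "x", "CreateUser", "Corp/EMEA"))  # False
```

The check in `delegate` is the one a reviewer should look for in any delegated-administration design: without it, a help-desk administrator limited to one organization could hand a colleague a capability over the whole tree, and the "granular authority" on the slide would be granular only until the first delegation.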

Page 24: IDM concepts

Technical Differentiators

Industry's first integrated Provisioning and Meta-directory solution

Patent-pending, noninvasive technology that enables rapid deployment and efficient ongoing management:

● Auto-discovery

● Virtual Identity Manager

● Agent-less Adapters

● ActiveSync

● Rules Engine

● Dynamic Workflow

Page 25: IDM concepts

Java System Identity Manager Competitive Chart

[Table: vendors compared are Microsoft, Novell, IBM and Sun; criteria are Integrated offering, Noninvasive flexible architecture, Delegated Administration, Workflow Capabilities, Cross Platform Support and Single Connector strategy. The cell values (Yes, No, Limited, "via Silverstream", "?") did not survive extraction in an order that can be assigned to vendor and criterion, so the table body is not reproduced here.]

Page 26: IDM concepts

Identity Manager Validation

“We've reduced the turnaround time on user requests for account changes such as additions and deletions by up to 50% and have been able to expand the responsibilities of the user registration group.” Rick Perry, Director of Enterprise Operations and Security, BNSF

“We selected Sun because of its flexibility and scalability. They were able to address our self-service password management needs of today as well as provide a platform that can extend into full user provisioning in the future.” Manager Information Protection and Security

Page 27: IDM concepts

Customers