Sun Inner Circle: For Business & Technology Leaders

Best-in-Class Compliance Capabilities Top Off Sun's IT Consolidation


Sun adds industry-leading identity management to an enterprise-wide Oracle deployment

Bob Worrall, CIO, Sun Microsystems, Inc.

Hello again, Sun Inner Circle readers — it's Bob Worrall here from the CIO's office at Sun. As I've written in the past, my office has recently been the scene of long planning and strategy sessions as Sun undertakes a massive, enterprise-wide project to reduce cost and complexity through changes in business processes and IT application consolidation.

Over the life of the project, called the Integrated Business Information Solution (IBIS), more than 500 legacy applications will be replaced with a streamlined set of 70+ Oracle E-Business Suite modules. The new software will be the basis for almost all of Sun's business and Web applications, which are used by nearly every line of business in the company.

We chose Oracle because its applications suite meets the fundamental business needs of Sun. We also needed to solve compliance and control issues, which are critically important in a project as far-reaching as IBIS. My colleagues and I concluded that to deal with these challenges, Sun needed to pair Oracle operational capabilities with best-in-class identity management tools.

We didn't have to look far, because Sun offers some of the industry's best identity management solutions — solutions that address compliance more thoroughly than enterprise applications. Gartner, for example, has placed Sun Java System Identity Manager and Sun Java System Access Manager in the leadership position of its Magic Quadrant overview of identity management tools.

Pairing best-in-class technologies is a well understood concept. Yet many people in the industry seem surprised when I tell them that Sun uses its own identity management tools on top of Oracle applications.

To explain how Sun added its identity management portfolio to the Oracle E-Business Suite, allow me to introduce my colleague Yvonne Wilson, Sun IT director for security and application strategy. Yvonne has graciously agreed to provide Inner Circle with an overview of how Sun identity management tools bolstered the regulatory compliance capabilities of Sun's IT consolidation project.

So without further ado, take it away, Yvonne.

Single Sign-On Illuminates the Audit Trail
Thanks for asking me to contribute to your column, Bob. The ability to comply with financial and business regulations is an integral part of Sun's IBIS consolidation project. To put this challenge into perspective, your readers should consider that ensuring compliance revolves around securely managing the identities of over 50,000 users. These identities must be actively managed to comply with countless financial and information regulations that govern Sun operations throughout the world.

Like many large organizations, Sun once used custom scripts and manual processes for identity management. This approach increased the risk of both human error and regulatory noncompliance. At Sun and other organizations, employees need access to numerous internal and external applications, and this usually increases the number of passwords and identities that IT organizations provision and manage.

Add more identities and auditable user information becomes harder to find. If user accounts are unmanaged and scattered across numerous applications, it becomes nearly impossible to de-provision accounts in a timely fashion. And as most IT managers know, not being able to rapidly de-provision accounts means increased risks to security and compliance.

Single sign-on, or SSO, is now a key building block of identity management at Sun. For users, SSO means fewer passwords to remember. And with fewer sign-ons to manage, IT has a single location where it can quickly provision and de-provision users, as well as one centralized point to implement new, stronger authentication mechanisms.

Yet to gain SSO capabilities for IBIS applications as well as other applications hosted by outside vendors, the Sun IT team needed more identity management capabilities than Oracle E-Business Suite could provide. As it turns out, Oracle E-Business Suite is designed to work only with the legacy Oracle Application Server 10g SSO module, which cannot be used to authenticate users for other enterprise Web applications.

Linking identities and providing users with SSO was straightforward: The IT team simply installed a Sun Java System Access Manager policy agent on top of an Oracle Application Server 10g SSO component and then configured the policy agent to point users to Access Manager for SSO access.

Today, users accessing Oracle applications are redirected to Access Manager for SSO log-in, as are users logging into other Web applications. This comprehensive linking of identities provides an audit trail of any activity associated with business application use.

Automating Access Adds to Compliance Capabilities
While Access Manager solved part of the identity management problem, application provisioning and access management challenges remained. Sun Java System Identity Manager proved ideally suited for the challenge.

The IT team implemented Sun Java System Identity Manager to authenticate and log all requests and approvals for access to Oracle E-Business Suite applications. Once access requests are approved, Identity Manager automates the provisioning of access rights, in the form of roles and responsibilities, into the Oracle E-Business Suite data store.

Meanwhile, the compliance dashboard reports of Identity Manager act as a safeguard against inappropriate application access. These reports provide Sun IT staff with centralized visibility and control over access activities, and include segregation of duty checks, workflow oversight, and audit scans. When policy violations are detected, Identity Manager can either suggest remediation or immediately suspend the account or accounts in question, depending on the severity of the violation.

To implement both SSO and access management, the IT team analyzed the capabilities of each Oracle application module and methodically added provisioning workflows and policy checks appropriate to each situation and application. The combination of provisioning accounts and access with Identity Manager and SSO authentication with Access Manager made for faster and more auditable provisioning — as well as greater convenience for end users.
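To make the segregation-of-duty checks and the suspend-or-remediate decision described above concrete, here is a small policy check written for this column as an added example; it is not Sun's or Identity Manager's code, and the responsibility names, conflict rules and severities are constructed for illustration.

```python
"""Segregation-of-duty (SoD) check over a user's responsibilities.

Added example, not Sun's or Identity Manager's code. It evaluates the
Oracle E-Business Suite responsibilities held by one user against
constructed conflict rules and decides, by severity, whether the
account should be suspended or merely flagged for remediation. It also
checks an access request before provisioning, so a conflicting grant
can be stopped in the approval workflow rather than found by audit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    left: str
    right: str
    severity: str   # "high" -> suspend account, "low" -> suggest remediation
    reason: str


# Constructed conflict rules in the style of finance SoD controls.
RULES = [
    SodRule("AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVAL", "high",
            "can create and approve the same payment"),
    SodRule("GL_JOURNAL_ENTRY", "GL_JOURNAL_POST", "high",
            "can enter and post own journals"),
    SodRule("PO_REQUISITION", "PO_APPROVAL", "low",
            "can self-approve purchase requests"),
]


def find_violations(responsibilities, rules=RULES):
    """Return the rules violated by one user's set of responsibilities."""
    held = set(responsibilities)
    return [r for r in rules if r.left in held and r.right in held]


def decide(responsibilities, rules=RULES):
    """Map a user's violations to the workflow action: allow, remediate or suspend."""
    violations = find_violations(responsibilities, rules)
    if not violations:
        return "allow", []
    if any(v.severity == "high" for v in violations):
        return "suspend", violations
    return "remediate", violations


def check_request(current, requested, rules=RULES):
    """Pre-provisioning check: return only the conflicts that granting `requested` would add."""
    before = {(r.left, r.right) for r in find_violations(current, rules)}
    after = find_violations(list(current) + [requested], rules)
    return [r for r in after if (r.left, r.right) not in before]
```

Running `check_request` at approval time is what turns the audit-scan finding into a blocked request; `decide` is the periodic scan over accounts that already hold their responsibilities.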

As with any large ERP deployment, integrating new applications with other applications was a major challenge. We streamlined much of this work by using the Sun Java Composite Application Platform Suite (Java CAPS) as the sole back-end integration point for the IBIS deployment.

To simplify further, the Sun IT team implemented a single interface between IBIS and Java CAPS so that Java CAPS also acts as the sole graphical connection point for interfaces to numerous legacy applications. And because Java CAPS manages all message handling, data is passed seamlessly through both Oracle and legacy applications.

Comprehensive Identity Management Reduces Costs
By consolidating identities, Sun realized net savings of $400,000 in the first year of operation and expects more savings as the IBIS project advances. By replacing custom scripts and manual processes with configured application provisioning workflows, the IT staff has fewer identities to manage. Activities such as user onboarding and shutoff also require far less time.

More importantly, the speed at which identity matters are automatically managed helps improve compliance. For example, Identity Manager can grant some employees the ability to enter expense requests because it recognizes which accounts are entitled to make these requests. Use of Identity Manager also means that the access requests and processes are visible, authenticated, and logged, while compliance reports and separation-of-duty checking are automated.

By simplifying identity management within IBIS and many legacy applications, Sun can more easily federate identities across the entire IT ecosystem. Success with identity management has also allowed new projects, such as smartcard authentication, to move forward more quickly than in the past.

I want to note one other element of successful identity management capabilities: Whether or not they know it, users of IBIS applications also play a part in better compliance. Logging into systems and applications takes much less time because there are fewer passwords. Not surprisingly, users find this convenient — and when things are convenient, users are more likely to comply with the requirements of new IT environments.

Bob Worrall
CIO, Sun Microsystems