Sun Java™ System Identity Manager

Innovative Identity Management Customer Presentation Sun Microsystems

Business Imperatives
Identity management solutions must address multiple, conflicting business goals
Portals Extranets Web Services Dynamic User Base Corporate Governance Internal Threats

Improve Access & Service Reduce Costs

Become More Secure

External Threats Legal Mandates

Operations Help Desk Development

Integration

Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

2

Sun Identity Management
Fosters productivity, strong business relationships and increases revenue

Lowers risk and ensures compliance with policies and mandates

Single Sign-on improves service and ease of use Automated provisioning ensures rapid access to required resources Self-service account management and password reset Federation to enable trusted partnerships and new revenue opportunities

Improve Improve Access & Access & Identity Service Sun ServiceManagement Reduce Costs

Become More Secure

Automatic detection of potential risks such as dormant accounts Role- and rules-based access control to protect enterprise resources Centralized visibility and control across divisions and departments Enterprise-wide identity auditing and reporting

Improves operational efficiencies & bottom line results
• Reduces administrative costs through automation, delegation and self-service • Reduces total cost of ownership and speeds deployment times • Reduces development and integration costs through open, integratable architecture
Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

3

Sun Identity Management
Directory Server Enterprise Edition Identity Manager

Comprehensive software portfolio that includes ● Directory Services ● Access Control, Single Sign-on, Federation ● Provisioning and MetaDirectory Services Open and integratable to reduce integration cost and complexity

Access Manager

Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

4

Sun Identity Management Products
Web-Based Administration

Access Manager
Access Control Single Sign-On Federation

Identity Manager
User Provisioning Password Management Synchronization Services

Directory Server EE
Directory Services Security/Failover AD Sync Services

Audit & Reporting

Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

5

Network Identity Architecture Template

Source: Burton Group Telebriefing, Enterprise Identity Mgmt, The Strategic Infrastructure Imperative

Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

6

Sun Java System Identity Manager
A comprehensive solution for managing identity profiles and permissions throughout the entire identity lifecycle

● ●

Enhanced security Lowered costs Improved productivity

Change Add

Automated user provisioning to improve operational efficiency and enhance security Secure, automated password management to improve service levels and lower costs User self-service and delegated administration to lower support costs Automated data synchronization to lower workloads associated with handling change Non-invasive, flexible architecture to speed deployment and ROI Comprehensive auditing and reporting to improve security compliance

Delete
Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

7

Business Drivers for Identity Management
The rising importance of Information Security
Security audits: Operations must be able to demonstrate the ability to control, audit and report on what users have access to Legislative compliance: HIPAA, Gramm-Leach-Bliley Act, Sarbanes Oxley, 21 CFR Part 11, European Data Protection Directive, etc.

The increasing amount of change in enterprise environments
Acquisitions, divestitures, reorganizations, workforce reductions

The growing need to control costs “Do more with Less”
Recurring charges for non-digital resources that were not deprovisioned Spiraling help desk costs for password resets

Provisioning Challenges
Fragmented, Manual and Insecure

Partners

Employees

Customers

Former Employees

• Where are my risks? • Who should have access?
Human Resources System Call Center Help Desk

• Who does have access? Facilities/ What • Purchasing assets have been provided? • How much does this cost?

Exchange and Active Directory

Oracle Financials

Siebel CRM

Chargeable Assets • Mobile phone/service • Conference call account • Credit card

Other Assets • Office space • Phone • Laptop

Provisioning with Identity Manager
Streamlined, Automated and Secure

Partners

Employees

Customers

Former Employees

HR System

Reduced risk Complete view of user’s identity Approving Manager Efficient, automated operations

Exchange and Active Directory

Oracle Financials

Siebel CRM

Chargeable Assets • Mobile phone/service • Conference call account • Credit card

Other Assets • Office space • Phone • Laptop

Identity Manager Capabilities
Automated user provisioning Synchronization services Auditing and reporting Delegated administration Password management Cross platform support Noninvasive, flexible architecture

Features and Benefits
Smart Forms AutoDiscovery Virtual Identity manager Agentless Adapters ActiveSync Rules Engine Dynamic Workflow Centralized password policy management Help desk integration Pass-through authentication

Technical Architecture Diagram
Agent-less External Workflow Gateway Unix Systems Agent

End User Self-Service Any Web Browser
HTTPS

SSH WSBPEL Custom

Custom Apps

RDBMS JDBC

JMAC/ABAP/JDBC

HR

Authoritative Source Adapters

J2EE Application

Servlet JNDI 3270

Groupware

Directories

Help Desk

TROUBLE TICKET CREATION

ADSI Any App Server SOAP/ XMLRPC JDBC/LDAP

Mainframe

NT/ADS Partner Web App
• Conference Call Account • Credit Card

SMTP HTTPS

RDBMS or LDAP Directory

LDAP/ JDBC

Approving Manager Any Web Browser Lighthouse Virtual ID Store

Asset Database/Directory
• Laptop Serial Number • Office Number • Mobile Service Plan • Mobile Phone Model

Identity Manager Resources
More than 50 out-of-the-box
Configured with resource wizards Most defined and tested in minutes

Types of resources
Mainframe security managers Databases Directory Services Applications Operating Systems ERP Systems Messaging platforms

Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

14

Identity Manager Resource Adapter Types Agentless connectivity
Easily intergrated in existing environments
Single maintenance point for upgrades Eliminates most technical/political objections

Gateways where appropriate
Crossing OS/AIP boundaries Follows platform interface requirementsProvides compatiblity over time using recommended APIs

Custom Adapters
Unusual or proprietary resources The RDK is a clean and effcient approach Lots of custom skeletons to reuse

Identity Manager Workflow Features Management of complex business processes
Capable of comples processes Multi-step approvals Robust notification framework Silent Directory data transformations Can include digital and non-digital assets Task persistence Task recovery Adminstrator queues Escalation Automatic network / resource error compensation with notification Diverse execution models Synchronous, concurrent or hybrid workflows Independent thread forked processes Deferred/scheduled processes to execute at present time

Identity Manager Virtual Identities
Lightweight
Real-time interaction with managed resources Can modify operation of connected application NOW! No complex replication infrastrucre Ability to generate reports on native data in resources

Virtual Identity Composition
Identity Manager ID Basic Information (name, email) List of resources Key information for each resource

Extendable

Identity Manager Synchronization Multiple synchronization types to best fit a given resource
ActiveSync Smart Polling Event Listener

Full IDM workflow is available
Execute complex business logic
Approvals and notifications Converting to and from flat data or nodal structures Secondary system lookups

Reconciliation and Discovery Bulk activity – Where batch process is needed.

Identity Manager Auditing & Reporting
Every action in Identity Manager is logged
Stored in the IDM repository Discrete entries for each activity
Allows for aggregate queries Extendable, Ex: signed logging

Extended logging for compliance reporting

Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

19

Identity Manager Auditing and Reporting (cont.)
Reporting types
User and Administrator Summary Reports Usage Role Resource

Report output options
Ad-hoc Scheduled Visual Formatted for export

Risk analysis reports Wizard to create new reports
Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

20

Identity Manager Interface Options
Zero footprint web based applications
Administrator interface End user self administration

SOAP/SPML
Provides standards based interface HTTP connectivity

Java API for custom applications Console
Scriptable Bulk process

IVR (legacy InnerVoice Bright) Business Process Editor (Java Swing)
Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

21

Identity Manager Objects and Containers
Users Resources
Any external data managed by Identity Manager

Roles and resource groups
Contain multiple resources Contain behavior Apply rules and policy

Organization and Virtual Organizations
Virtual Organizations map to org structures in remote directories

Relationships between objects and containers

Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

22

Identity Manager Delegated Administration
Capabilities
Discrete
Can be assigned to a user that perform only one function

N-level delegation
Can be assigned from one administrator to another providing true n-level delegation

Administrators are created
Granular authority
Any user can be an administrator User's administration privileges may be limited
To a specific capability In a specific organization

Using the web interfacce Using rules, forms or workflow
Sun Proprietary/Confidential: Authorized Partner & Internal Use Only

23

Technical Differentiators
Industry's first integrated Provisioning and Meta-directory solution Patent-pending, noninvasive technology that enables rapid deployment and efficient ongoing management:
Auto-discovery Virtual Identity Manager Agent-less Adapters ActiveSync Rules Engine Dynamic Workflow

Java System Identity Manager
Competitive Chart
Sun
Integrated offering noninvasive, flexible architecture Delegated Administration Workflow Capabilities Cross Platform Support Single Connector strategy Yes Yes Yes Yes Yes Yes

IBM
No No No Limited Limited No

Microsoft
No

Novell
Yes? No

Yes No No

via Silverstream No No

Identity Manager Validation
“We've reduced the turnaround time on user requests for account changes such as additions and deletions by up to 50% and have been able to expand the responsibilities of the user registration group.” Rick Perry, Director of Enterprise
Operations and Security, BNSF

“We selected Sun because of it's flexibility and
scalability. They were able to address our selfservice password management needs of today as well as provide a platform that can extend into full user provisioning in the future.” Manager
Information Protection and Security

Customers