
Top 10 Ways to Increase Enterprise Security While Reducing Costs

An Oracle White Paper
November 2005

INTRODUCTION

The Internet continues to transform business processes at unprecedented speeds.
Even the most agile enterprises have found that they can do more with less by
rebuilding their business models around e-mail, Web-based commerce, and
network-centered applications. Moreover, they have revamped their once closely
guarded business networks as new, collaborative environments connecting their
employees, customers, partners, and suppliers.

By linking everyone involved in their e-Business initiatives, these innovators have
harnessed the potential to increase revenue, reduce costs, and improve productivity.
But to realize this competitive advantage, companies must overcome a
technological challenge at the core of e-Business: how to securely and
cost-effectively manage the expanding number of people, in a wide variety of roles,
requesting access to information.

Based on Oracle's experience addressing these challenges in various industries with
its Identity and Access Management solution, the list of concepts below
contributes significantly to improving security in a cost-effective manner:
1. Identity is the core
2. Borders don't matter
3. Adjusting to a changing world
4. It's about security of inclusion
5. Think privacy and compliance
6. Consistent business rules must be applied across the enterprise
7. Centralized security lowers costs
8. Administrative costs can be equitably distributed among partners
9. Automated approval processes save time and money
10. Infrastructure services can be re-used

1. Identity is the core.

Regardless of a company's area of business, its specific initiatives, or whether it
conducts transactions online, offline, or both, one fact is always true: people are
at the center. For people to interact, collaborate, and transact business they must be
able to identify who they are dealing with in a secure and reliable manner.

The concept of verifying identity is simple. We are familiar with this notion from
everyday life. A driver's license or passport is commonly used as a form of
identification. It is a trusted way to store and provide attributes about an individual,
such as name, address, and age, and to validate that person's access to certain
locations, services or privileges. However, when this simple concept is applied to
the electronic world, one used for conducting business across corporate boundaries,
it quickly becomes complex.

A key success factor for e-Business initiatives is to treat identities as a fundamental
piece of the infrastructure, exposed and consumed by multiple applications or
systems, rather than focusing on identities on a per-application basis. The
investment made in building this part of the infrastructure typically yields
sustainable returns in the long run.
2. Borders don't matter.

In today's environment the extended enterprise comprises a company, its
employees, trading partners and key stakeholders. The distinction between "inside"
and "outside of" the company goes away.

Companies require a single architecture to manage users through the intranet and
the extranet. Organizations need a solution that enables one company with its own
security domain to seamlessly interact with another company, also with its own
security domain.

So, while the breaking down of borders can certainly facilitate e-Business, it poses
its own set of problems. The key is a balance of control: to make information,
processes and systems available without compromising their security.

Adherence to known, proven standards in areas like Identity Federation and Web
Services Security will prove wise when requirements for integration beyond the
firewall boundaries proliferate. The solution should also accommodate, flexibly and
easily, the organization acting as either a consumer or a provider of services in
such integrations.
3. Adjusting to a changing world.

Nothing stays the same. There will always be new software, platforms and
applications, mergers and acquisitions that marry companies with different IT
environments, and regulatory legislation that will continue to evolve. Companies
need a flexible, interoperable solution that can serve as a foundation for a broad
Identity and Access Management infrastructure moving forward.

Solutions that do not offer the integration and interoperability required, or that do
not support open standards, and that require customers to lock in to a technology
that's often not best of breed, will likely fail at addressing the long-term needs of
the organization.

Therefore, when selecting vendors to address Identity and Access Management
needs, companies need to weigh carefully not only the current standards being
supported, but also the commitment of the vendor to continue embracing and
supporting evolving standards. In the long run this strategy will maximize the
return on the overall IT infrastructure investment.
4. It's about security of inclusion.

The "old" security model was based on constructing a firewall to keep "outsiders"
out. In today's e-Business environment, a new model offers precise, authorized
entry to partners or individuals with different needs, roles, and levels of
responsibility. Differentiation comes from providing the right level of access to the
right user, which is often referred to as security of inclusion.

The key is to create, for each authorized user, an individualized access control
scheme that:

- Provides access to all company resources, or only to those resources that an
  individual needs at the moment
- Can instantaneously extend or block entry into specific resources when
  either the individual's role or a business initiative changes
- Can immediately and effectively withdraw access privileges when that
  individual no longer has a legitimate connection to the company
- Can confidently track and audit the operations and events that relate to a
  specific identity, which in most cases enables companies to achieve
  regulatory compliance needs

The most successful approach to providing security of inclusion is by leveraging a
tightly integrated Identity Management and Access Control infrastructure. With
these two functions tightly integrated, real-time security actually exists.

If a change is made to someone's identity information, or if someone leaves the
company, that change is immediately reflected in their access to applications. For
example, if someone leaving the company subsequently attempted to access
information, they would not be able to do so, because control is entirely in the
hands of both the line-of-business executive and IT.

Some less sophisticated identity architectures store information in a cache that
periodically updates. This should not be confused with real-time.
5. Think privacy and compliance.

As companies deploy applications across different geographies (possibly different
countries), and deal with sensitive information (financial, personal, healthcare-related),
it is fundamental that the security infrastructure ensures privacy and
compliance.

The security infrastructure should eliminate the risk of exposing sensitive data,
whether this is by encrypting the network connections (say via SSL v3), encrypting
or hashing the particular data element in flight or as it is stored in the backend
database or directory, or all of the above. Likewise, accessing sensitive applications
or data should require stronger authentication mechanisms that mitigate identity
theft and non-repudiation risks.

Furthermore, the compliance requirements that most companies face call for a
flexible security infrastructure that can audit each and every event at a granular
level, preserving the identity of the end user, and likewise can provide reporting and
mining tools that can analyze this audit data warehouse and produce business-level
reports that can satisfy the needs of auditors or business stakeholders.
6. Consistent business rules are applied across the enterprise.

The issue of business rules is very important. A robust Identity and Access
Management solution will apply the same business rules and practices to its online
business that it applies to business conducted offline, providing the flexibility to
manage, evaluate and enforce access decisions to various applications via
enforcement points.

Business rules are the core of your organization's operation, and should not change
as a result of technology limitations. Oracle's best practice is to adopt a business-level,
role-based security model that is abstracted from individual applications or
systems, and that through well-defined rules of inclusion, exclusion and exception can
map to specific entitlements or rights within specific applications. The Identity and
Access Management solution should provide the framework to consistently manage
and apply these rules as a part of an enterprise-wide infrastructure rather than as a
vertical security "silo." Identity and Access Management cannot be an add-on or
down-the-line decision made when a company realizes that managing user identities could
spin out of control.
7. Centralized security lowers costs.

The first and foremost benefit of implementing the correct Identity and Access
Management solution is cost reduction. How do companies achieve cost reduction?
Cost reduction is generated primarily as a result of creating the Identity and Access
Management infrastructure. In this model companies centralize Identity
Management and Access Control for all Web-based applications. This means that
rather than each application using its own individual infrastructure to manage users,
roles and control access, the company creates a single, centralized Identity and Access
Management infrastructure across the company, as well as the extended enterprise.

Once the Identity and Access Management infrastructure is in place it is much
quicker and less expensive to turn on and deploy new applications. The new
application can tie into a centralized architecture, creating a cost-effective way to
ensure compliance. Furthermore, the same infrastructure can be leveraged as a
collection of services in a Service-Oriented Architecture (SOA), where applications
can consume identity information or enforce access control rules by invoking
services of the Identity and Access Management infrastructure.

In addition, it is important to understand the cost savings of single sign-on. Single
sign-on across multiple domains allows users access to an entire suite of
applications after signing on only once. Single sign-on can be applied across portal
networks so the user can access any number of applications through a portal.

One Oracle customer, a large aerospace manufacturer, is saving close to $4 million
per month, consolidating 7 passwords down to one, and providing single sign-on to
Web applications for more than 130,000 employees.
8. Administrative costs must be equitably distributed among partners.

The Identity and Access Management infrastructure should provide the systems,
controls, and practices required to keep up with the sheer magnitude of changes
necessary in a large, diverse, distributed environment. For example, Oracle Access Manager
features delegated administration for managing changes to personal identity
information for users, groups, and organizations.

Through delegated administration the responsibility of maintaining identity
information (such as a person's title and phone number) and security information
(such as different access rights for tier-1 and tier-2 partners) can be delegated
throughout a network of internal and external users. Delegated administration also
gives companies maximum flexibility to align Identity and Access Management
practices with their established business processes. For example, Oracle Access
Manager allows e-Businesses to precisely control:

- Which individual attributes different people are allowed to control, based on
  business rules
- Which interface different users see
- And even the ability to assign temporary responsibilities while personnel are
  out of the office

9. Automated approval processes save time and money.

By having an automated workflow solution for approval processes, many formerly
manual processes become automated, again driving the savings of time and money.
The value of this functionality with regard to security is that these processes can
ultimately determine a user's level of access to a system, and can be used to enforce
segregation of duties as it relates to managing user access.

Companies should be able to set up specific, easily scalable workflow processes
consisting of one or more related steps to implement, approve, and execute tasks.
These tasks may include creation, deletion, and modification of identities (users,
groups, accounts or roles); user self-registration; partner (company) self-registration;
and subscribing to or unsubscribing from groups or roles.

Because these workflows can be made available transparently to internal or external
users, e-Business constituents do not have to know where to send requests for
changes to their identity profiles.

Furthermore, exposing these processes as services in a SOA environment, in
which applications hosted within the intranet or outside the firewall can trigger
these workflows, further automates and integrates a consistent process for
managing user access throughout the enterprise, without imposing changes to
existing applications. For instance, several Financial Services customers leverage a
SOAP-based interface in Oracle Access Manager, called IdentityXML, to provide a
seamless experience of creating and updating user profiles from within their several
branded portals and applications, while following a consistent user and access
management process.
10. Infrastructure services can be re-used.

By building Identity and Access Management as a services infrastructure in a
SOA-enabled environment, companies can leverage the same framework used to
control and manage identity information within their Enterprise Service Bus.
Integrating and orchestrating commonly used services within greater business
services not only saves money and time by re-using common services, but also
furthers the business value of the Identity and Access Management solution. At
the same time, this approach allows for consistency in authorization and auditing,
as the identity of the end actor is preserved throughout the service processing.

An insurance company is able to authenticate users logging into their extranet
portal, and provide them single sign-on to a number of applications through Oracle
Access Manager. As users interact with applications and trigger transactions via
SOAP messages, the middleware layer servicing these transactions reads the
user session that is part of the security header of the SOAP message, connects
to Access Manager to validate the session and verify that the user is indeed
authorized to perform the operation, and then proceeds with the actual
transaction. The same service can then be triggered by a different application hosted
in the internal portal. This model makes security ubiquitous and transparent to the
application, and application development is streamlined as it is basically re-using
and integrating common services.
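The middleware check described above, combined with the real-time revocation point made in section 4, as an added example that is not Oracle's code or the Access Manager API: a Python SOAP middleware stub reads a session token from the message's security header, looks it up live in a stand-in central session store, and checks the caller's roles against the operation's entitlement. The security namespace, session store, roles, tokens and sample request are all constructed assumptions.

```python
# Added example, not Oracle's code or the Access Manager API: SOAP middleware that
# extracts a session token from the security header, validates it live against a
# central session store, and checks the operation against role entitlements.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "urn:example:security"  # constructed; stands in for a WS-Security header

# Constructed stand-in for the central access manager: live sessions, and which
# roles may invoke which SOAP operation.
SESSIONS = {"sess-7f3a": {"user": "alice", "roles": {"claims-adjuster"}}}
ENTITLEMENTS = {
    "ApproveClaim": {"claims-adjuster"},
    "ViewPolicy": {"claims-adjuster", "agent"},
    "IssueRefund": {"agent"},
}

def extract_session(envelope_xml):
    """Return (session_token, operation) from a SOAP envelope, or None if malformed."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    token = root.find(f"{{{SOAP_NS}}}Header/{{{SEC_NS}}}Security/{{{SEC_NS}}}SessionToken")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if token is None or not (token.text or "").strip() or body is None or len(body) == 0:
        return None
    operation = body[0].tag.split("}")[-1]  # local name of the first Body child
    return token.text.strip(), operation

def authorize(envelope_xml, sessions=SESSIONS):
    """Validate the session with a live lookup (not a periodically refreshed cache)
    and check the caller's roles against the operation's entitlement."""
    parsed = extract_session(envelope_xml)
    if parsed is None:
        return False, "malformed envelope or missing security header"
    token, operation = parsed
    session = sessions.get(token)
    if session is None:
        return False, "session not valid"
    if not session["roles"] & ENTITLEMENTS.get(operation, set()):
        return False, f"{session['user']} not entitled to {operation}"
    return True, f"{session['user']} authorized for {operation}"

def revoke_user(user, sessions=SESSIONS):
    """Deprovision a user by dropping every session; the next call is denied at once."""
    for token in [t for t, s in sessions.items() if s["user"] == user]:
        del sessions[token]

# Constructed sample request sent by a portal application.
REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:sec="{SEC_NS}">
  <soap:Header><sec:Security><sec:SessionToken>sess-7f3a</sec:SessionToken></sec:Security></soap:Header>
  <soap:Body><ApproveClaim><claimId>C-1001</claimId></ApproveClaim></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(authorize(REQUEST))  # (True, 'alice authorized for ApproveClaim')
    revoke_user("alice")
    print(authorize(REQUEST))  # (False, 'session not valid')
```

Because the lookup hits the store on every call, deleting the session is effective for the very next request, which is the behaviour a periodically refreshed cache cannot guarantee.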
Bottom line

Oracle customers have seen clear and tangible cost reduction after deploying
Oracle's Identity and Access Management solution. For example, CUNA Mutual
provides a variety of financial services to 97% of the credit unions in the United
States. After they implemented Oracle Access Manager, they were able to reduce
annual costs by $500,000 to support the identity administration needs of their 2000
employees. Perhaps more significantly, by leveraging the self-service and automated
aspects of Access Manager for managing the user rights of their client credit unions
and their consumers, they were able to save roughly $3-4 million in annual help
desk support calls.

Earlier we discussed a large aerospace manufacturer that is saving close to $4
million per month, consolidating 7 passwords down to one and providing single
sign-on to Web applications for worldwide employees.

Similarly, Southwest Airlines is seeing cost reductions in two very important ways.
First, the airline estimates a cost savings of nearly $1.2 million per month for
reduced password and identity administration costs for their employees. Next, they
have driven down cost and achieved competitive advantage by allowing their mechanics
to have seamless access to plane maintenance information on their aircraft supplier's
Web portal by leveraging Oracle Identity Federation. Southwest's IT administrators
do not have to duplicate the management of mechanics' identities and access rights
at both Southwest and the aircraft supplier. This information can be managed and
stored once, at Southwest, and then, through an online trust relationship facilitated
by Oracle Identity Federation, mechanics now have immediate access to
maintenance information without having to sign in separately to the supplier's
portal.

With compelling evidence gained from customers' success and a portfolio of
best-in-class products proven in the marketplace, Oracle's Identity and Access
Management solution brings demonstrable results to companies looking to increase
security while reducing overall cost in running their e-Business environment.

November 2005
Authors: Wynn White, Frank Villavicencio, Hormazd Romer
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright 2005, Oracle. All rights reserved.
This document is provided for information purposes only and the
contents hereof are subject to change without notice.
This document is not warranted to be error-free, nor subject to any
other warranties or conditions, whether expressed orally or implied
in law, including implied warranties and conditions of merchantability
or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document and no contractual obligations
are formed either directly or indirectly by this document. This document
may not be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without our prior written permission.
Oracle, JD Edwards, and PeopleSoft are registered trademarks of
Oracle Corporation and/or its affiliates. Other names may be trademarks
of their respective owners.
