Webinar Recording

Bridging the Cloud Sign-on Gap

KuppingerCole Webinar recording

Hello, good afternoon, and welcome to our KuppingerCole webinar, "Bridging the Cloud Sign-on Gap", supported by Oracle. Welcome to this afternoon's session. My name is Sebastian. I am a senior analyst with KuppingerCole, and with me today, bringing you the second half of this webinar, is Matt Brazinski of Oracle, who is a principal product manager for the security solutions and is located in Washington, DC. Some organizational stuff: you have the ability to put questions into your panel; just browse to your organizational panel in the GoToWebinar bar and type your questions there. They will be answered at the end of the session once we have finalized the presentation. For the first organizational piece, I'd like you to turn your minds to the European Identity and Cloud Conference 2012, happening April 17th to 20th in Munich. It has become one of the major identity-centric events in Europe.
You are welcome to come there and meet all the identity experts that are currently driving identity and access management, and also the cloud technology, so the topics that we are covering today. Some guidelines for this webinar: you will be muted centrally, so you don't have to mute or unmute yourself. We will also record this webinar, so you can download it as a podcast and probably get access to that one tomorrow. As I already mentioned, Q&A will be at the end of the session, so just type away with your questions; we will gather them and answer them at the end of the webinar. Today's webinar is supported by Oracle. The first part of the presentation will be by me. I'll introduce you to some of the sign-on and other challenges that internal IT has with using cloud deployments today, how IT and organizations are reaching out to the cloud today, and the specific issues around those hybrid deployments.
The second part will be brought to you by Matt of Oracle. He's going to introduce you to an approach for bridging the gap between your internal IT systems and the cloud applications that your organization is deploying. He will also take a little deep dive into how to tackle sign-on, authorization and the governance issues, and will explain to us how this can be done by extending the reach of solutions used internally before. As I mentioned, the third part will be an open discussion, so please put your questions into the question bar and we will answer them at the end of the session. To start with my part of the presentation: we say that businesses really want to have service delivery and at the same time have their information security covered. They just want the services they need to do their job.
And they like to have the corporate information adequately protected, and at least we hope they want it to be that way. That means that sometimes they are just reaching out to the cloud and buying some services there, because it helps them to be more agile, to be more proactive around new stuff that comes up in business, and to be more responsive to the changes in the market. What we see is that the IT technology and the delivery methods that IT chose to deliver those services have absolutely changed over the past five decades. When only centralized mainframes were available, it was a clear in-house solution, which has now made its way out of the house; it's sometimes outsourced and done by specialized consultancies and outsourcing providers, but in the early stages that was definitely an in-house technology. Moving to the midrange and client/server delivery methods, that was mostly in-house client/server business.
The actual management of those has become a business model that has been outsourced, but for sure the servers and also the clients have their location on premise and are not sitting somewhere in the cloud. The first step towards a more externally based technology was the client/server/web organization model, where the servers were actually sitting in the cloud somewhere. That was, I'd say, the beginning of what we see as cloud services today, with an intermediary step that we call application service providing. And now we see the "as a service" models, where the software, platform and infrastructure are somewhere outside our organizations.
So the challenges that your IT faces are really multidimensional. First of all, there is a demand for mixed servicing from cloud-based and classic services. No organization is able to get all the IT services they need from the cloud. You just can't virtualize your whole computer; it still needs to be serviced and maintained at the location of your employee's desk, if it's not a mobile device, that is. You still need to have some sort of adaptable, strong authentication means if you want to access data that needs to be protected and has a high protection profile. Also, the safeguarding of the audit trails in all delivery methods is something that needs to be covered, because companies go to large efforts to protect and generate audit trails in their internal IT. But once everything has moved to the cloud, it becomes really difficult to see who actually accessed what data, using what service and when, and also who gave whom access to those services and that data at a certain point in time. That leads us to the problem that staying in compliance is absolutely something organizations struggle with today, especially since cloud services usually span multiple geographical regions.
And many of those services from the cloud are only available from different regions on the globe, namely the US or Asian nations that house those services. There has been a struggle to create European-based data centers, but some of the services are still not available from EU grounds. Many organizations have moved to some sort of internal billing and accounting to make the different departments pay for the use of certain information technology on a per-use basis. So billing and accounting becomes vital information for an internal IT department to sustain itself, and having reliable and authentic billing and accounting information for the use of cloud services is absolutely something that needs to be achieved, so that all the departments get the right billing and accounting information and are charged for what they are using from the web. All the topics above have one thing in common: you need to have proper means of access control to all the sensitive data that is inside those different objects.
So the real IT demand will be served by a mix of cloud and internal services. I have kind permission from Mr F. Fava to use this really nice slide here. We have different breaking points in the infrastructure: where you have a dedicated technology that you can use on premise, where you have full control, is seen here at the lowest level. Up here at the highest level we have what we would call real cloud computing, which is really distributed and really stable; you have a service provider who itself uses multiple data centers to bring this service to you. The infrastructure they are deploying is shared between many, many customers, and they have control over the application stack down to the hardware they are running the service on.
That brings us to the problem that the higher you move up in that stack, the more you lose control and knowledge about what you are consuming, and the attack vectors and threats are growing. So you really need to be aware of what you are doing, and you have to have some sort of control over what you are doing, what your IT is doing, and what your departments in the business are doing with those cloud services. This is what we need to take care of: strong authentication. If you use cloud services and internal applications today, usernames and passwords are all over the place, but as you all know, those are hard to remember, especially if there are so many of them, and organizations are moving towards other ways of authentication, be it two-factor or strong authentication and other stuff that actually helps them cope with the risk that is inherent in those applications.
So they are using step-up authentication and have complex solutions set up to actually integrate those with their internal applications. But what about doing that for the cloud applications? If you have to do that one by one, it will become a nightmare, and you've got to take care of that. I already mentioned the audit trails: you really have to keep track of who has what access rights and permissions, who gave them, and how they can access all this data. Is it only a web service or a graphical web interface, or do they use a fat client for that? Well, that client shouldn't be used for a cloud service here, but it needs to span both of those technologies. So who requested it? How do you, as an employee, request access to a web service your company has subscribed to, and who is going to authorize it?
So you really have to take care that those cloud services are bound into your internal identity and access management, and make sure that all the audit trails you need are actually being recorded. We also mentioned the multiple compliance issues that we have. You need to take care of where you do business and where the cloud service provider is located with the services they are offering, so it's not only your national and regional laws and regulations, but possibly also those of your cloud service provider. Again, it is very important to know in which vertical you are working, so that different vertical compliance issues can be tackled, especially in the pharmaceutical, financial or healthcare segments. Some special requirements may also apply, especially if you take sensitive customer data and attributes of that data: there are countries that forbid you to actually use and store the date of birth of one of your customers outside the country.
So if you require your customer to actually give a date of birth, you need to make sure that it's only stored inside your country and that this data is not leaving your organization's data center in your own country. It's really hard to keep track of all these different compliance needs, and to safeguard those compliance needs through central logs and by deploying security information and event management, especially if you're using cloud services. Have you tried getting your cloud service provider to give you access to their security logs and have them integrated into your security information and event management system? That might be a very special challenge.
I introduced the concept of usage-based invoicing internally. Many internal IT services are already being paid for by consumption by the departments, and you need to have a means of measuring the consumption, whether you are using cloud services or internal services. If you have no sort of record of who accessed the cloud service, when, and for what duration, or how many transactions were actually done in that session, you have an issue. Internally you have your processing cycles, the bandwidth or memory used, but how do you make that data available to your departments to get usage-based invoicing up and ready? This might become a challenge for you as IT guys.
The next big step would be a proper means of access control to the services that you want to deploy. The first thing that comes to mind is definitely federation, but deploying federation actually needs some legal clarification before you move into the technical part of getting it set up and ready, and it's still sort of complex to establish, especially if your organization or the cloud service provider's organization does not have a federation endpoint established already. You could also go for a direct integration, but this is usually not feasible with a real cloud service, due to the fact that it's a multi-tenant service and you'd be interfering with the service modes that the other co-users of that service are trying to get into. It's also a lot of technical effort and risk, especially for the cloud service provider and yourself. So if you have a direct integration and you mess up their internal infrastructure, you'll get some angry phone calls, I guess.
So direct integration is not really what you will be fancying if you use cloud services. One approach to tackle those cloud services will definitely be an integration into your web access management solution. This is way easier to establish and extend, and it's also easier to maintain and tear down in a matter of hours or days. I guess the easiest and quickest way to get access to those services is to include them in your enterprise single sign-on, because this is quick and easy to extend. If your solution supports such a service, it offers a good means of manageability, and it is definitely a proven deployment method.
So when it comes to using those hybrid and cloud deployments, you will definitely see some challenges. The parallel use of internal proven technology and the new and fancy cloud services may add complexity to the whole managing aspect of your internal IT. If you do not use those cloud services in an organized manner, and if you don't have the proper means of provisioning and controlling access to those services, you will definitely have an issue, because it will tamper with your security. People will be using those services freely, and if something goes wrong, well, nobody can actually be blamed. What those cloud services definitely will do for you is provide elasticity and make your organization more agile to react to different flows and trends in the markets. So it is definitely an option that you will need to look into, but it will also impact your overall networking.
How can your employees actually see what cloud services you have subscribed to? How do they communicate? How are the latency and the availability of those cloud services? It's not only your internal network; it's highly dependent on your internet connectivity. So there are a few recommendations that we from KuppingerCole would like to give you, to have a good start into using those cloud services. You need to have a proper business process to stay secure, so have something in place before you go out and buy some cloud services: ask your legal department, ask your architects, your network architects and your application architects, what other methods there will be and how to procure and manage those services.
If possible, build on trusted technology and do not move outside your sort of protected castle right from the start. Do not experiment, but do proofs of concept and a really well-managed way of adopting those services, because sooner or later you will otherwise have some issues that can absolutely be ruled out if you have a proper process in front of it. If possible, ask your service provider to federate, because this is definitely something that you would like to use. Also, if they have support for new technologies such as SCIM, then ask for that and try to integrate on those technology bases later on. But first make sure that your internal enterprise security and architecture are ready to use cloud services; make sure that you have the tools necessary to manage those services, to give those services to your users in a safe and secure manner, and to deprovision those services from your users. Also, the big thing here is to try to remain in control over those services, because it's really vital that you do not have usage of cloud services that you do not oversee from inside your IT department, and especially maintain the know-how inside. If you do not have it yet, build up that knowledge and maintain it inside, so you can keep track of the changes, the movements, and all the new standards that are coming up regarding cloud management and cloud security.
There are a few touchpoints that I'd like to stress, and the most important thing I'd like to stress here is: do not try to reinvent the wheel, because for most of your needs there is proven technology around that will help you with the different issues you might have when deploying web and cloud services. So what do you need? You absolutely need strong authentication for all those services that are critical and have sensitive data inside. Where to get it? Well, if you have an internal authentication or SSO solution, try to get the cloud service covered by that. If that SSO solution has an integration with strong authentication, even better; you will have an easy way of providing strong authentication for a cloud service that does not support strong authentication from the start. Try to get proper audit trails right from the start.
And again, try to reuse your internal access control mechanisms. If it's a web access management solution, use it. If you need accounting and invoicing based on the usage of services, again turn to your internal authentication and access control technologies and evaluate whether those may be able to cover those web services and cloud applications. Sometimes the integration effort is really minimal, and you can extend the reach of your solution there. Regarding the overall governance and risk management, it's the same: use the above-mentioned internal authentication and access control methods, and also try to reuse your governance, risk management and compliance solutions. This is a really young market segment, and the vendors of the GRC solutions are really extending the reach of their solutions, and they know that cloud is a big topic and a big concern for most of the users.
So ask your GRC vendor if they support certain cloud solutions; maybe there is an add-in needed, but use it and deploy it. Especially provisioning access to those cloud services for your internal users is a big issue. The most important thing to remain in control is to see who is accessing the service and who needs access to that service, and you can for sure try to extend your internal identity management tools. Most big vendors are offering extensions for cloud identity management already, and some of the big vendors have also announced that they will be supporting SCIM as a protocol. If both are not supported by your vendor, there are add-ons from third parties that can cope with the situation. Last on that slide is the access control itself, and one thing I'd like to stress here: you can definitely use single sign-on, you can definitely try to use your strong authentication means, but somebody needs to administer your cloud service.
So if you have a corporate subscription to one of those cloud service providers, you will definitely have a sort of delegated administration account to create all those discrete user accounts for your employees. Take care of the privileged account for this, and try to get a cloud-enabled privileged account management. And that concludes the first half of today's session. I am curious to see how Matt Brazinski of Oracle will now show us some details and give us an insight into how bridging the sign-on gap to the cloud can be done with Oracle solutions. I'd like to say thank you from my side and hand over to Matt now, who will conclude the session with his presentation.
Well, thank you very much, Sebastian, for that great introduction to the challenges that face organizations as they deploy and access cloud applications. One of the things that we're seeing is that cloud applications are proliferating in a lot of organizations. This is due to multiple reasons. First of all, more services are available from the cloud than ever before. You have CRM systems, you have personal productivity tools like word processors and calendars and other tools along those lines that are accessed out there, as well as much business intelligence reporting and market information that is also available. As the level of services available from the cloud proliferates and grows, you're seeing more organizations want to take advantage of those. Some of the reasons that organizations want to do this are that it lessens the infrastructure cost they need to support their end users, and it limits the maintenance cost for their end users.
And the last thing it does is, for their end users, it provides easy access to information. With everybody being on the go these days, it's very important that they can get their information wherever they are. So there are a lot of great benefits to accessing cloud applications. They don't cost much to deploy, you can get pretty much anything you want from them, and people can get access to them from anywhere. But there are drawbacks. First of all, you've just added another username and password that end users have to maintain. We already know that end users struggle with having four, five, six, eight usernames and passwords; you've just added another one. Securing the access to these applications is also a little bit more complex. And the last thing that you really want to look at is auditing who has access to these applications, and how do I control the access when people are changing roles or during termination? As Sebastian pointed out, not all these services are integrated with an identity management system.
So changing roles and revoking access becomes a challenge in the cloud. What we're going to talk about is how the Oracle Enterprise Single Sign-On Suite Plus can help enable cloud applications in a simplified way for end users, as well as in a secure and auditable way for the organization. A quick overview of the suite: the Oracle Enterprise Single Sign-On Suite Plus consists of seven components. The first one is the ESSO Logon Manager. The Logon Manager is the core piece of the suite, in that it is the piece of software that actually detects your logon pages and injects your credentials for you. It also manages your passwords on behalf of the end users, and we'll get into a little bit more detail about that component of the suite as we go through the presentation. Another thing I wanted to talk about here is the ESSO Password Reset.
What that does is help manage your Active Directory Windows password. If you've deployed enterprise single sign-on to manage not only your cloud applications but your enterprise applications, normally the last password people have to remember is their Microsoft Active Directory password. So the Password Reset product allows users to reset their password from their desktop without logging on and get on their merry way. The other thing I wanted to talk about on the authentication side is the ESSO Authentication Manager, or Universal Authentication Manager. The big part about this component is that it was built to extend strong authentication devices that are already available in your organization to enterprise single sign-on. This means we can leverage any smart card you have, whether that's a national ID card, a cafeteria card, or any other card that your organization recognizes as an authentication device, to log onto your computer or gain access to your applications.
We can also leverage the proximity cards that are used to get into buildings, or the biometric fingerprint sensors that are located on many laptops, for additional authentication events. On the other side of the circle over here, I wanted to talk about the ESSO Provisioning Gateway. This allows the ESSO Logon Manager and your identity management system, such as Oracle Identity Manager, to talk to each other. So as Oracle Identity Manager provisions accounts into applications, we can automatically send those credentials to the ESSO Logon Manager, so that an end user's credentials are never exposed in clear text, left in a voicemail or written down. And finally, another very important component to how you solve the cloud problem is ESSO Anywhere. ESSO Anywhere allows you to download the ESSO client on any workstation that you might be on without requiring administrative privileges. I'll talk a little bit more about that in the presentation as well.
So now that you have an overview of the ESSO suite, I just wanted to take a second to break down a little bit more how the ESSO Logon Manager works. What we do is actually store your credentials in a cache, whether that's in a central repository or local on your workstation. So we manage your username and password as you launch your applications, whether they're desktop applications or, as here, SaaS applications in web browsers. As you launch your applications, ESSO Logon Manager detects the application and responds to it by inserting your username and password and pressing enter for you. You go right by the logon screen; you don't even see it happen. Meanwhile, we audit to an event cache that can be local on your workstation and completely synced back to your corporate repository.
Every time you connect, we record that you were the person who accessed that application at that time. So basically what this does is take the burden of password management away from the end user and give organizations the ability to know when their end users access the applications that were provisioned to them. We talked about access from the cloud: it's access anytime, it's access from anywhere. I can access from my home, my hotel, a coffee shop, what have you, even inside my organization. For end users, they think this is the best thing in the world, because now they can get access no matter where they are, whenever they have a great idea. As we talked about, for organizations this is good because they don't have to set up all the infrastructure, manage it and maintain it. The downside is, once you've opened up access to that cloud application from anywhere, especially anywhere outside your corporate firewall and organization, you've removed a layer of security from that application.
So now bad guys can go and pull up that website just like your end users can, and can start doing brute-force password attacks or other types of hacking attacks that they would not be able to do if they had to get inside the corporate firewall first. So how do you combat this? The first thing you want to do is increase security, right? So you want to add strong authentication. The problem with the strong authentication that comes from the SaaS providers is that each one would be site-specific and it wouldn't be associated with the business. This means if you go to one SaaS provider, they're going to say, well, we use SMS OTP. You go to another SaaS provider, and they say, well, we can provide you a SecurID token that you need to carry around. And others might have picture pick lists that you go through.
So what you've done now is you've not only made it more difficult for end users to get access; now they have to carry around three different things, or they have to remember three different forms of strong authentication. Not only that, but it's another infrastructure for the organization to maintain, even if they have to maintain it externally with the SaaS provider. The other way to do this is to make tougher passwords. You know, everybody says your password has to be eight to twelve characters, it can't look like a word, it has to have uppercase, lowercase, numbers, special characters, and end users really don't like that, because it just makes it very difficult for them to get access. So how do you do that? If you increase security, what you're usually going to do is decrease productivity, right?
So you're going to have loss of the strong authentication device. You're going to forget the password if you make them tougher, which is going to result in account lockouts. And since the service is being hosted, it's not something your organization can handle very easily; it's something they have to go through that service for, and probably when they do that there's an additional charge associated with it as well. So what ESSO Logon Manager brings to the table, and how it helps with the sign-on gap, is, as I said, it manages the end users' passwords. One thing we can do is enforce those strong password policies. We can have a user set up their new password, and we can say that the new password has to meet these criteria, or we're not going to allow you to change your password.
The second thing is, we can actually generate random passwords that aren't even known by the end users. So we can really make sure that the passwords that are going into those SaaS and cloud-based applications are strong and secure, and we can also make sure they're changed on a regular basis, so that even if they are compromised, that window is shortened. The next thing we can do is integrate strong authentication. I talked about it a little bit with the Universal Authentication Manager, but what we can do is integrate the strong authentication with the application sign-on event. What that does is say: as you launch the application, we're going to challenge you for that biometric that's on your laptop, or that proximity badge that you use to get into the building and have with you every day. So that makes sure you're basically tying your strong auth to that application access, especially if you're generating random passwords that the end users don't know.
And finally, to ensure compliance, as I said, Logon Manager logs every event, every logon event and every password change event, so you can see that people are changing their passwords on time, and you can see when people are accessing the application. The other thing you can do through these reports is run a report that shows accounts that haven't been active or haven't been used in the past 60 or 90 days. This gives you the ability to go back to your service provider and say, look, we're not using these accounts, maybe we need to lower our license costs. And there you're saving money by only having active accounts, only being billed for active accounts by the SaaS provider.
So here's just a diagram, or the picture, that shows you in our administrative console the different controls you can set up for strong passwords. Here we made the password length at least seven characters and at most twelve; upper case is required and there have to be two, there have to be two lower case characters as well, as well as two numbers, and there has to be one special character. So that shows you how strong we can make the password policies, and we can make end users comply with those, whether end users develop their own passwords or you do randomly generated passwords. Randomly generated passwords look like this, and these are impossible for people to start trying to hack or trying to guess along the way.
The other thing we want to look at is how do I control the user's access? It's more challenging now that there are SaaS applications, as opposed to being inside an organization. We've had organizations come to us and say, you know, we just had a round of layoffs where we had a thousand users that we had to lay off, and the next day these people still had access to their SaaS applications, right? One of the reasons is that their identity management system isn't completely hooked into SaaS applications. So yes, you've terminated all their accounts inside the organization; they can no longer get access to any resource inside the organization. But if you have very valuable data sitting in your cloud applications, this doesn't apply until you complete the manual process of deleting each one in that SaaS application. So what we can do is, through random passwords and through the ability to not reveal the passwords, which we're showing here, the users don't know what their passwords are. They have no ability to reveal their passwords and write the password down before they leave. What this means is, as soon as you disconnect their access to Active Directory, take away their corporate laptop or their access to get the ESSO Logon Manager client, they no longer have the ability to access that cloud application as well.
So I did wanna talk a little bit about ESSO Anywhere. ESSO Anywhere, the way it works, is a remote ESSO Logon Manager agent. So a user can go to the directory or the repository and a website hosted by the corporation from any PC. They can authenticate to that website, download a client that remains in the local sandbox there on that machine, and it pulls down all their credentials. As they launch cloud applications, we respond for them. As soon as that connection back to that corporate repository is disconnected, the software removes itself from the workstation and removes any data that was left behind. So this is a safe way to give people access to their ESSO credentials from, you know, an internet cafe, for example, or anywhere else that they might be using a shared type of PC. And they also can do this from home as well, so that they can get access to their SaaS applications from home in a controlled way.
So just to go over this one more time, ESSO enables the cloud applications. First of all, we make it easy to connect to those hard cloud applications. You know, Sebastian talked a little bit about federation and how federation can sometimes have more legal fees and more legal work than IT work. ESSO, since it's set up to just automatically detect a webpage and respond to it from the client side, you don't have to integrate with the cloud provider at all, and you don't have to do any technical integration. All of it can be done on the corporate side. Second of all, we're gonna increase security by maintaining strong passwords and extending strong authentication to those application logons. We're gonna audit all the access for regulatory compliance, and we're gonna enforce all these policies from any computer with internet access through our ESSO Anywhere client. Finally, we're gonna deliver not only stronger authentication, but we're gonna deliver ROI through the fact of more productivity and fewer lockouts for end users, as well as giving you the ability to determine what accounts are inactive and allowing you to adjust your licenses accordingly.
So just a little bit about the ESSO Suite. I just wanted to give you a little bit of history. It was the Passlogix product, which was founded in 1996. Oracle acquired the Passlogix product in October of 2010. Things I just wanted to show here are that we've enabled tens of thousands of applications for thousands of enterprise customers around the world. So we have a strong, proven track record of success. And we've had recognized leadership in all the organizations in the industry that do an analysis of this type of software. Finally, we're deployed by leading customers in many different key market segments. Another segment that's not listed on here, where we have a very strong deployment or really strong customer base, is the retail segment, as organizations struggle to meet all the PCI requirements they have to do. The Oracle ESSO Suite is integrated with the rest of Oracle Identity and Access Management.
First of all, we have an integration with the Oracle web access management system, or Oracle Access Manager. And what that does is that allows us to have a single sign-on session between your ESSO session and your OAM session, which means no matter what you do, from the time you log on to your ESSO session, we can keep your web session alive. As soon as your ESSO session is no longer alive, as soon as it's terminated for whatever reason, we can terminate your OAM session as well. So it provides just a single session for authentication. As I discussed before, we're integrated with Oracle Identity Manager. So as you issue accounts, revoke accounts, or change accounts for users as they're changing roles in the organization or are terminated, you can automatically remove those from enterprise single sign-on. So in the case of SaaS applications, if end users don't know their application passwords, and you change their role from sales to engineering, you can remove all their access to the sales cloud applications, and then provision their development applications, and users won't be able to access those SaaS applications.
Even if you haven't gone to the cloud provider and removed the role there or removed their access at that point in time. Then finally, the ESSO Suite runs on the Oracle directory services, and you can leverage all the existing investments you already have in the directory servers and the high availability across your organization. Cost benefits of the Enterprise Single Sign-On Suite: we've seen in organizations with six to 10,000 users the amount of expenses they have on password resets. So if you have a large user base that has to reset one password per quarter, you're looking at a very large amount of money that's gonna be spent on password resets. So what we've found is that you basically have a 12 month payback period on your Enterprise Single Sign-On Suite investment. And over the course of five years, you're gonna look at 140% ROI.
The Enterprise Single Sign-On Suite sits on the Oracle Identity Management platform. And the Oracle Identity Management platform is a platform that provides an evolved approach to managing all your access needs. The first thing you need in any identity management platform is to manage an identity. You need to know who a person is and what they have access to. The second thing you need to be able to do is authenticate the user that you now know, and make sure they only authenticate to the things they're supposed to have access to. Then you need to have the administrative ability to change that user around, whether that's termination, role change or anything else along those lines.
Once you're able to identify the user, authenticate them and change their roles inside the organization, then you need to be able to audit, to show that you're in compliance and that everything is going according to the rules that have been set up by your organization. So auditing becomes very important, especially with all the regulations that are out there these days. And finally, once you have all those things in place, you really wanna start getting into how do I harvest all the data I have in my organization and start making more intelligent risk based decisions. And the newer identity management platform has these components to be able to say, am I supposed to give this person access to this application based on the other applications they have access to? Or on the authentication side, you can say, hey, should I really authenticate this person based on their past behavior?
Have they just tried to authenticate from Washington DC and Germany within the past five minutes, which I know there's no way that person could travel that fast? So maybe I don't really want to do that authentication. So these are all the pieces that you need to have to control an identity in your organization. The other thing you need to make sure of when you're looking at these is that they're scalable. So it's one thing to be able to manage identities for 5,000 users, but then you need to manage identities for a hundred thousand users. Or if you're looking at a consumer model, you need to manage identities for millions of users. The Oracle platform definitely has proven scalability into those numbers.
The other thing we wanted to talk about is that the platform makes all the difference. In an Aberdeen report, basically they looked at the differences between buying best of breed point solutions versus deploying a platform in an organization. And as you can see, there's a 48% cost savings by having a platform that is built and designed to work as an integrated unit. The platform providers are gonna be more responsive because they understand that it's their problem to solve. And they're not gonna point to the different components or the different point solutions to say, well, they should do it, we should do it. It's just, here's the problem, we'll solve it. Then there are 35% fewer audit deficiencies in platform deployments due to the fact that the platform knows that they have to cover everything, and they're not only focused on being the best of breed of their one solution. So with that, Oracle is one company, one solution, one stack. We're a proven vendor in the organization that acquires the best of breed technology. We're able to be referenceable with award-winning deployments. We have a very complete and integrated solution. And, you know, with the Oracle solution, you're gonna future proof yourself against what's coming down the line.
So if you wanna learn more, you can find out more about our consulting services. If you wanna learn more, you can find out more about ESSO Quick Start and all of our solutions at oracle.com, and you can also join our community on Twitter, Facebook, and our blogs at the Oracle Identity Management blog. With that, I think I'm gonna open it up for questions.
Yeah, absolutely. And thanks, Matt, for the presentation and the overall showing of what can be done and achieved by just extending existing technology to make it available for cloud solutions. We have a couple of questions from the audience here, and I will just read them aloud. So the first question is, is it possible to choose different authentication methods for different users and user groups across the organization? Because some may need another form of strong or not so strong authentication, and some could just rely on username and password.
Yeah, that's a great question. And that is absolutely possible to control through your users and groups in your centrally held repository. We can set up not only on a user level what type of authentication they must have, but you can also set that up on a per application level as well. So if you had, say, a human resources type of application in the cloud that you wanted to make sure you had stronger authentication for, you could set that up to be biometric or a smart card, whereas for just a productivity tool like Word or calendar, something along those lines, you could trust the initial username and password, or only ask for username and password at that application level.
Okay. So the next question would be, does the provisioning gateway use SPML instructions to talk to target systems? If not, what technology is used?
Yeah, the provisioning gateway, just to further clarify what the provisioning gateway is: it's a gateway between the Oracle identity management system, which is doing your provisioning to your target systems, and ESSO. So the provisioning gateway is not talking to your target systems directly. It's receiving information from the Oracle identity management solution and then giving the credentials that Oracle Identity Management created in those target applications to the Enterprise Single Sign-On Logon Manager.
Okay. So there is a completely different question: which components of the Oracle IDM suite itself are available as cloud services?
Many of the capabilities, excuse me, one second. So the identity and access management stack is available in what's called an On Demand edition, where you can set things up in your own private cloud. And then what Oracle also announced in the fall is that we're moving a lot of these services, and I am not sure a hundred percent on exactly which ones they are moving, to the Oracle Cloud nine. So they'll be available as part of the public cloud as well, but they're definitely out there and available for users.
Okay. So there is another question, hold on, I'll just need to bring it up. Oh, are there already reference customers for ESSO including cloud solutions in Germany or central Europe?
We do have reference customers for ESSO in that region. And we can definitely organize a phone call to make sure that you can discuss your deployment and your strategy with them.
Okay. So another question is more regarding the deployment and especially around partners here in the DACH region: is there a partner available, or are there partners available, who have experience with deploying ESSO for cloud technologies in Germany?
I'm not sure that we have a partner specifically in Germany. I do know we have partners in the EMEA region that have the expertise in how to deploy the ESSO solution, including enabling your cloud applications. I do know that the partners that we have do cover Germany and have assisted us in deployments there as well.
Okay. A more technical question regarding the clients. How can the ESSO Suite be deployed on multiple end user machines? Do you need to install the full suite on each machine?
The key component to install on the machines is the Enterprise Single Sign-On Logon Manager. If you want to incorporate strong authentication, you would install the Authentication Manager as well. So what that means is that you would install those portions of the suite on the machines from which you want people to be able to access their single sign-on applications. As I also mentioned, we have the ESSO Anywhere component, which allows you to download that component from a website and have it run on the machine in a temporary manner, for machines that are not controlled by your enterprise or your organization.
Okay, good. So let me see, one more technical question. If you could describe how ESSO actually learns the end users' passwords for the first time, can this be automated?
So there are two ways in which ESSO learns the end user's passwords for the first time. The first way is if you have a provisioning system and you have the provisioning gateway: as credentials are provisioned to the target application, you can then send them to ESSO. So as far as the end user is concerned, there is no application first time use or learning experience.
Okay.
The majority of the way they're learned is what we call silent credential capture. So you've deployed SSO, and users are already using cloud applications. They go to their cloud application, their website, they type in their username and password. While they're doing that, we capture the username and password out of the logon fields. And we just learn the password at that point in time.
Okay. Thank you. So this would actually conclude our session here. If you have any more questions, this is your chance to just type them into the question field. And while I give you that opportunity, one more technical question. So could you integrate Oracle ESSO with a non-Oracle directory server, like Active Directory or Novell eDirectory, as an authentication directory?
Yes, absolutely. The Enterprise Single Sign-On Suite is designed to run in many different types of LDAP directories. I would have to say a large portion of our deployments is on Active Directory, and we do support deployments on Novell eDirectory as well. So we support the Oracle directories as well as all the other leading directories in the marketplace.
Oh, okay. Wonderful. So thanks, Matt, for answering those questions. I do not see any new questions coming up now. So I'd like to take the opportunity to say thank you to our audience for attending and providing that many interesting technical and non-technical questions. It was a pleasure to have such a good response and to answer those questions. Thank you, Matt, for showing us what can be achieved by extending the reach of internal solutions to cloud technologies. And so I'll just hand over to you to give some closing remarks, and I'll just say thank you for today.
Thank you, Sebastian, for the presentation and outlining some of the challenges that organizations face, and for giving us the opportunity to present our solution as a way organizations can quickly face those challenges and solve the problems of their organizations. Thank you everybody for your time. And if you have any other questions or inquiries, please feel free to reach out to us.
Absolutely. So thanks, Matt. Thanks to the audience. You will be able to review this webcast, I guess tomorrow, sometime around noon. You will find the recording online. Thanks again for attending. Have a great afternoon and see you soon. Bye.