Friday 30 October 2015

Workday integration with IDM systems

<<This article has outdated information as some of the IGA vendors like SailPoint and Okta now provide out-of-the-box connector for Workday>>
Identity Management (IDM) systems commonly use an Authoritative or Trusted Source as the source of user information that flows down into the system. In other words, the creation, modification and deletion of user identities originate in an Authoritative Source. A corporate directory (LDAP store) is a good example, but in most cases an HR management system is used as the Trusted Source of user information. Many HR management systems are in use in organizations today to support their HR processes; common examples are Oracle EBS, SAP HCM, Workday and PeopleSoft.

It wouldn’t be wrong to call the IDM’s integration with the Authoritative Source the “backbone of the IDM implementation”, as the most important information for an IDM system, the user identity, is reconciled from this source. A well-implemented integration with the source of user identities adds great value and quality throughout the value chain of an Identity Management implementation.

Most IDM systems today include a rich set of pre-defined (built-in) connectors to integrate with common directories, databases, operating systems and enterprise applications, including HR management systems. When a predefined connector is available, IDM vendors recommend it as the preferred integration method for the target system, because predefined connectors are designed specifically for that application and offer the quickest integration method. These built-in connectors use the target system’s recommended integration technologies and are pre-configured and pre-tested with target-system-specific attributes.

We can always custom-build an IDM integration with a Trusted Source using one of the available integration options: a flat file, a database staging table, a direct pull from the source data (DB, LDAP etc.), an abstract pull from the source data (using an API, web service etc.) or an event-driven push from the Authoritative Source to the IDM system. But a pre-built connector should always be prioritized to avoid the complexities (trust me there are a lot :) ) of connecting two different technologies, especially when the Trusted Source is an HR system.
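As an added example (not from the original post, and not any vendor's connector code), here is the flat-file option worked through: a constructed HR CSV snapshot is reconciled against an in-memory identity store to produce the create, modify and disable events an IDM system would apply, with a guard against a truncated feed mass-disabling accounts. The column names, the Active/Terminated status values and the 50% threshold are assumptions.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed HR feed; emp_id is the stable correlation key (column names assumed).
HR_FEED = """\
emp_id,first_name,last_name,department,manager_id,status
1001,Ada,Lovelace,Engineering,1000,Active
1002,Alan,Turing,Research,1000,Active
1003,Grace,Hopper,Engineering,1001,Terminated
1004,Linus,Torvalds,Engineering,1001,Active
"""

# Constructed current state of the identity store, keyed by emp_id.
IDM_USERS = {
    "1001": dict(first_name="Ada", last_name="Lovelace", department="Engineering",
                 manager_id="1000", status="Active"),
    "1003": dict(first_name="Grace", last_name="Hopper", department="Engineering",
                 manager_id="1001", status="Active"),
    "1004": dict(first_name="Linus", last_name="Torvalds", department="Kernel",
                 manager_id="1000", status="Active"),
    "1005": dict(first_name="Ken", last_name="Thompson", department="Research",
                 manager_id="1000", status="Active"),
}

TRACKED = ("first_name", "last_name", "department", "manager_id", "status")

@dataclass
class Event:
    kind: str                                     # "create", "modify" or "disable"
    emp_id: str
    changes: dict = field(default_factory=dict)   # attribute -> (old, new)

def parse_feed(text):
    """Parse the CSV feed into a dict keyed by emp_id; duplicate keys are an error."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["emp_id"] in rows:
            raise ValueError(f"duplicate emp_id {row['emp_id']} in feed")
        rows[row["emp_id"]] = row
    return rows

def reconcile(feed, idm):
    """Derive lifecycle events. The feed is authoritative: a terminated or
    missing employee is disabled in IDM, never silently kept."""
    events = []
    for emp_id, hr in feed.items():
        current = idm.get(emp_id)
        if hr["status"] == "Terminated":
            if current is not None and current["status"] != "Terminated":
                events.append(Event("disable", emp_id, {"status": (current["status"], "Terminated")}))
        elif current is None:
            events.append(Event("create", emp_id, {a: (None, hr[a]) for a in TRACKED}))
        else:
            diff = {a: (current[a], hr[a]) for a in TRACKED if current[a] != hr[a]}
            if diff:
                events.append(Event("modify", emp_id, diff))
    for emp_id, current in idm.items():
        if emp_id not in feed and current["status"] != "Terminated":
            events.append(Event("disable", emp_id, {"status": (current["status"], "Terminated")}))
    return events

def plan(feed_text, idm, max_disable_ratio=0.5):
    """Run the reconciliation, refusing to act if a truncated feed would mass-disable users."""
    events = reconcile(parse_feed(feed_text), idm)
    disables = sum(1 for e in events if e.kind == "disable")
    if idm and disables / len(idm) > max_disable_ratio:
        raise RuntimeError(f"{disables} of {len(idm)} users would be disabled; feed may be truncated")
    return events
```

On the constructed data, `plan(HR_FEED, IDM_USERS)` yields a create for 1002, a modify for 1004 (department and manager changed), and disables for 1003 (terminated in HR) and 1005 (absent from the feed); a header-only feed is refused.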

Almost all well-known IDM systems provide a list of pre-defined connectors for known business applications, including HR systems (Oracle EBS, PeopleSoft, SAP HR, JD Edwards etc.) and technology applications (Microsoft AD, Unix, databases, RSA ClearTrust etc.). Unfortunately, Workday HRMS is not in the list of pre-defined connectors of any known IDM vendor, which compels IDM experts to implement a custom integration with Workday whenever required.

Following is a list of known IDM systems that have also been named Leaders in the Gartner Magic Quadrant for Identity Governance and Administration 2015.

  • SailPoint IdentityIQ
  • RSA Via LifeCycle
  • Oracle Identity Manager
  • IBM Security Identity Manager
  • Courion Identity Manager
  • NetIQ Identity Manager

All (or at least most) of the above IDM systems provide pre-defined connectors for common authoritative sources, i.e.

  • Oracle E-Business Suite
  • PeopleSoft
  • SAP HR
  • MS Active Directory
  • Siebel
  • Salesforce
  • Azure Active Directory

The same is true for the following other well-known IDM systems, which also provide pre-defined connectors for the well-known HR systems, except Workday.

  • CA Identity Manager
  • SAP IDM
  • NetIQ Identity Manager
  • Dell One Identity Manager
  • Hitachi ID Identity Manager
  • OpenIAM Identity Manager
  • Microsoft Identity Manager
  • ForgeRock OpenIDM

As pre-defined connectors for IDM systems are not built without the support of the target system and require a handshake between both parties, I hope Workday will soon be ready to support such integrations and provide public documentation and external interfaces for them.

Saturday 4 April 2015

What’s New in Oracle Identity Manager 11gR2 PS3?

Since autumn 2014, I have been keenly participating in workshops and demonstrations conducted by Oracle to announce the features of Oracle Identity Management 11gR2 PS3. However, I decided not to pen my thoughts about it until the release date was formally announced. The official release date has still not been announced, but the expected release is somewhere in the current month (April 2015).

Below are some of the main features that have been announced in Oracle Identity Manager 11gR2 PS3.

  • Business Friendly Self Service Experience
UI simplification has been a continued agenda item for Oracle Identity Manager, and it is further improved in PS3. The Self Service Dashboard has been made very simple and tablet-friendly for end users. The icons also show a notification badge with the count of pending tasks and actions that require the user’s attention. See the screenshot below for the icons of Certifications, My Open Tasks and Pending Approvals.

  • Intelligent Access Catalog
The selection of accesses in a request has been made simple through guided navigation, recommendations based on pre-defined and user access criteria, and a smart search form.
The user is presented with a list of recommended accesses as well as a new tab to request bundles of accesses together. Bundles of similar accesses are made available through the Request Profile feature. A good use case would be a request profile of all the accesses mandatory for new hires, with the name “On-Boarding accesses”.
The start and end date of an access can also be specified while requesting it.

  • Preventative SOD Analysis
SOD Analysis has been made efficient and preventative by warning the user about violations before the request is submitted. The user can still submit a request that violates a security policy; the violation will be shown to the approvers as well, and the request will be marked as high risk during the Access Certification process.

  • Intelligent and Flexible Certifications
The UI for the Certification process has also been made simple and business-friendly. I am not going to describe the Certification Tasks and Approval screens one by one, but the following screenshots are quite self-explanatory.

  • Comprehensive Role Lifecycle Management
Role Management has also been made available in Oracle Identity Manager and is simple for business users, who can create and change roles easily. Comprehensive role analytics allow business users to see the impact of new roles and of changes to existing ones.
Role Owners can reduce role explosion by reviewing the effectiveness of existing roles and consolidating new roles with existing ones. Comprehensive auditing and prior versions of roles have also been made visible to Role Owners.

I will cover the Access Management, Directory Services and Mobile Security parts of PS3 after the official release of the product, so stay tuned :)

Wednesday 1 April 2015

7th Annual Oracle EMEA Customer Advisory Board for IAM

This year the EMEA Customer Advisory Board (CAB) for Identity & Access Management was held in Paris from 23rd to 25th March. Representatives from Oracle product management and the A-Team met with customers from all over Europe to discuss market trends and product direction, and to get feedback on current and future versions of the products.

Day 1 started after lunch, when Christian Patrascu and John Waghorne welcomed all the attendees and conducted an introductory session. The first presentation was from Jim Taylor, Sr. Director of IDM Product Management, who delivered an impressive presentation addressing market trends and the future scope of Identity Management. The rest of the day consisted of updates from the Identity Governance and Access Management teams on PS3 features and the 12c roadmap.

Day 2 started with a presentation from the Oracle A-Team about avoiding common IAM deployment pitfalls. The presenter also highlighted how the A-Team works with customers and partners to provide guidance on implementing best practices, architecture and troubleshooting, and on how best to use Oracle products to solve customer business needs. After the A-Team’s presentation, Oracle Product Management gave an update on Mobile Security and Directory Services for the PS3 and 12c releases. The rest of the day was a customer presentation in which they shared their experience of successfully rolling out Oracle Mobile Security in their organization. The day ended with a moderated discussion about Enterprise Cloud Adoption. It was an interesting group discussion in which customers talked about their plans for, and the challenges of, consuming cloud services.

The last day contained a customer go-live presentation covering the challenges, opportunities and implementation process of the Oracle IDM product in their organization. After the customer presentation, product management gave an update on Enterprise Manager for IDM. The last agenda item of the CAB was a moderated discussion on Evolving Enterprise IDM and Oracle Cloud IDM Direction. After the end of the official agenda, customers had also booked one-to-one sessions with the Product Management teams to discuss their organization-specific use cases.

Overall, the CAB was again a mutual success, which proved beneficial both to the Oracle Product Teams, who collected valuable feedback from customers, and to customers, who heard directly from the product teams about upcoming product releases and direction. Customers also showed great interest in hearing from other customers about their implementations and plans.

Thursday 19 June 2014

Selling IAM to Business

One question I usually ask during IAM hiring sessions is “How do you sell IAM to the business?” or “How do you convince your executives to fund an IAM solution?”. The answer is normally a long silence or a muddled explanation, confused between security and cost savings, which I believe can never seize the attention of top management.

It was not too long ago that Identity & Access Management (IAM) was considered a helper tool for controlling user administration, but thanks to its successful shift from an “IT-centric” technology to a “business enabler” technology, IAM projects today have more potential than ever to attract funding, even at a time when budgets for most IT projects remain tight.

Following are some of the key reasons to get approval of an IAM project.

  • IAM improves critical processes and reduces operational costs
  • IAM consolidates and simplifies the enterprise architecture
  • IAM enhances security, risk management, privacy and compliance
  • IAM improves user experience and effectiveness
  • IAM boosts business agility and profitability

Though all of the above points are valid reasons for an approval, trust me, the key focus of executives will be on cost savings :)

Following are the two forms of cost savings that can be achieved by running an IAM initiative.

1. Reduced workload of staff
2. Productivity in terms of money

Now the question is how and where to start these calculations. It’s always tricky to write an IAM business case, but here is a quick explanation.

Before you start the actual calculations, collect some base numbers related to the workforce, i.e.

  • Number of users in the organization
  • Number of work hours per annum per user
  • Hours per day
  • Number of Help Desk (Service Desk) staff
  • Number of Security Administration staff
  • Number of Access Provisioning/De-Provisioning staff
  • Productivity of a typical business user (in terms of hours)

The next level is to collect operational data, i.e.

  • Number of new hires each year
  • Number of retirements/resignations each year
  • Number of transfers/moves each year
  • Average time a new joiner waits to get access
  • Average time a mover waits to get access
  • Average time spent by requesters/authorizers to fill in the ‘access form’ or order access
  • Productivity of a user waiting for access (in terms of percentage)
  • Number of ‘access denied’ incidents on the service desk each year
  • Number of password reset requests on the service desk each year
  • Time spent to resolve service desk incidents
  • Time spent on password reset cases

Now cost savings can be calculated by considering the reduced workload of the following teams:

  • Reduced cost of Security Administration staff
  • Reduced cost of Service Desk staff
  • Reduced cost of Provisioning/De-Provisioning teams (in case of automatic integrations)

As we also have the operational data in numbers, i.e. a typical business user’s productivity, the time required to get access, the productivity of a new user while waiting for access etc., we can easily calculate the following cost savings.

  • Value of productivity gained through immediate access for new joiners
  • Value of productivity gained through immediate access for moved/transferred staff
  • Cost saved through the time saved for requesters/authorizers
  • Cost saved through reduced service desk incidents related to ‘Access Denied’
  • Cost saved on password reset requests for forgotten/locked passwords
  • Cost saved through proper de-provisioning of user accounts (user licensing cost)
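As an added example (not from the original post), the two forms of saving above turned into a calculation: the base numbers and operational data are collected in one structure, the expected effect of the rollout in another, and each cost-saving line is computed from them. Every sample figure, the hourly cost and every reduction ratio are constructed assumptions to be replaced with the organization’s own data.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    """Workforce and operational data gathered before the calculation."""
    hours_per_year: int          # work hours per annum per user
    hours_per_day: float
    hourly_cost: float           # assumed fully loaded cost of one staff hour
    help_desk_staff: int
    security_admin_staff: int
    provisioning_staff: int
    new_hires: int
    leavers: int
    movers: int
    joiner_wait_days: float      # average wait for access after joining
    mover_wait_days: float       # average wait for access after a move
    request_form_hours: float    # requester + authorizer time per access order
    waiting_productivity: float  # share of normal output while waiting (0..1)
    access_denied_incidents: int
    password_resets: int
    incident_hours: float        # service desk time per access-denied incident
    reset_hours: float           # service desk time per password reset
    license_cost_per_user: float

@dataclass
class Reductions:
    """Assumed effect of the IAM rollout: fractions of workload removed,
    and the access wait that remains once provisioning is automated."""
    help_desk: float
    security_admin: float
    provisioning: float
    residual_wait_days: float
    request_time: float
    access_denied: float
    password_reset: float
    orphan_accounts: float       # leavers whose licences would otherwise linger

def iam_savings(b, r):
    """Yearly savings per line item, plus the total, in the currency of hourly_cost."""
    # Form 1: reduced staff workload, converted to full-time equivalents.
    fte = (b.help_desk_staff * r.help_desk + b.security_admin_staff * r.security_admin
           + b.provisioning_staff * r.provisioning)
    s = {"staff_workload": fte * b.hours_per_year * b.hourly_cost}
    # Form 2: productivity in money. A day of waiting costs the share of output
    # not delivered, times the hours in a day, times the hourly cost.
    lost_per_day = (1 - b.waiting_productivity) * b.hours_per_day * b.hourly_cost
    s["joiner_productivity"] = b.new_hires * max(b.joiner_wait_days - r.residual_wait_days, 0) * lost_per_day
    s["mover_productivity"] = b.movers * max(b.mover_wait_days - r.residual_wait_days, 0) * lost_per_day
    s["request_time"] = (b.new_hires + b.movers) * b.request_form_hours * r.request_time * b.hourly_cost
    s["access_denied"] = b.access_denied_incidents * b.incident_hours * r.access_denied * b.hourly_cost
    s["password_reset"] = b.password_resets * b.reset_hours * r.password_reset * b.hourly_cost
    s["deprovisioning_licences"] = b.leavers * r.orphan_accounts * b.license_cost_per_user
    s["total"] = sum(s.values())
    return s

# Constructed sample figures for a 5,000-user organization; replace with real data.
SAMPLE_BASELINE = Baseline(
    hours_per_year=1800, hours_per_day=8, hourly_cost=50,
    help_desk_staff=20, security_admin_staff=6, provisioning_staff=4,
    new_hires=500, leavers=400, movers=600, joiner_wait_days=5, mover_wait_days=3,
    request_form_hours=1.0, waiting_productivity=0.4, access_denied_incidents=3000,
    password_resets=12000, incident_hours=0.5, reset_hours=0.25, license_cost_per_user=300)
SAMPLE_REDUCTIONS = Reductions(
    help_desk=0.15, security_admin=0.5, provisioning=0.75, residual_wait_days=0.5,
    request_time=0.5, access_denied=0.6, password_reset=0.8, orphan_accounts=0.2)

if __name__ == "__main__":
    for item, value in iam_savings(SAMPLE_BASELINE, SAMPLE_REDUCTIONS).items():
        print(f"{item:>24}: {value:12,.0f}")
```

With the sample figures the staff-workload line alone is 9 FTE, and the productivity lines for joiners and movers outweigh the service desk savings, which is usually what makes executives look twice.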

There can be many more scenarios, depending on the organizational use cases and the project scope, but I hope this is a good start for getting approval of an IAM project.

Wednesday 2 April 2014

6th Annual Oracle EMEA Customer Advisory Board for IAM held in Berlin

This year the EMEA Customer Advisory Board (CAB) for Identity & Access Management was held in the historic city of Berlin, Germany, from 24th to 26th March. Representatives from Oracle product management and engineering teams met with customers from all over Europe to discuss market trends and product direction, and to get feedback on current products.

Day 1 started after lunch, when Christian Patrascu welcomed all the attendees and conducted an introductory session. The day focused on market trends in Identity Management and Mobile Security. Andy Smith delivered an impressive presentation addressing the growing security needs created by the Bring Your Own Device (BYOD) movement. He also demonstrated the Oracle Mobile Security solution, which Oracle had recently acquired from Bitzer Mobile. The day ended with the feature updates from the Access Management team.

Day 2 started with Oracle’s Cloud Vision and plans for Identity as a Service (IDaaS). The rest of the day contained product overviews for Identity Governance, Authorization and Directory Services. There were also some moderated discussions, led by Jim Taylor and Andy Smith, on Identity Governance and Enterprise Mobility.

The last day contained customer presentations by Telenor and Electrabel. The audience showed great interest in Telenor’s presentation and asked questions about their innovative implementation of a customized layer on top of Oracle Identity Manager. The CAB meeting ended with a moderated discussion on Cloud IdM and Marcel Rizcallah’s presentation on Implementation Best Practices. After the end of the official agenda, some of the customers had also booked one-to-one sessions with the Product Management teams to discuss their organization-specific use cases.

Overall, this CAB was a glowing success, and proved beneficial both to the Oracle Product Teams, who collected valuable feedback from customers, and to customers, who heard directly from the product teams about upcoming product road maps and direction. Several customers also mentioned that they really enjoyed hearing about other customers’ implementations and plans.

Tuesday 18 March 2014

IAM resources are going to be in demand

I am not sure what Nostradamus predicted about IT Security and IAM, but from Facebook to Adobe, 2013 was a tough year for companies trying to defend against cyber-crime. There were hundreds of known data breaches in different organizations, in which billions of records of personal and financial data were stolen or spilled due to security failures.

2014 will be even tougher, as cyber security threats are increasing as quickly as organizations can implement measures against them. At the same time, organizations have to embrace virtualization and cloud, user mobility, and heterogeneous platforms and devices. Protecting the exploding volumes of sensitive data in the cloud and on smart devices will be a serious challenge for organizations of all types.

As IAM falls under the umbrella of IT Security and is used to initiate, capture, record and manage user identities and their related access permissions in an automated fashion, 2014 can be predicted to be a great year for IAM resources. According to major job sites and recruitment companies, job postings for IAM positions have increased dramatically over the last six months.

It’s not always about security; cost reduction has recently been considered an important goal by most companies. IAM brings down costs by providing Single Sign-On, Automatic Provisioning and Certification Audit, which replace Service Desk staff, dedicated provisioning teams and invalid accesses respectively. I have personally witnessed a cost reduction of more than 30% on user licences whenever Certification Audit is applied for the first time to an organization’s IT systems.

Another opinion is that universities don’t understand this specialty, and IAM is generally given no more than one lecture in a System Administration class, or perhaps one or two demonstrations in a Security specialization. This could be one reason that demand has consistently outstripped the supply of resources and could lead to a shortage of IAM experts.

Friday 14 February 2014

A Journey from Customization to Standardization

It was a cold evening back in fall 2010 when a succinct but impressive cake-cutting ceremony was held at Oslo’s massive indoor stadium, Telenor Arena. The ceremony progressed with some speeches and presentations, leading to a delicious cake and refreshments. The gathering comprised brilliant IT Security and Identity & Access Management professionals, accompanied by personnel from other IT disciplines. Most of the audience showed great enthusiasm and pitched very interesting questions, which those energetic professionals answered with great passion and confidence.

It was the launch ceremony of an application that received the Oracle Fusion Middleware Innovation award at Oracle Open World in the same year. The application was built on the concept of ‘Identity as a Service’ for group companies and proved to be a great addition to the application portfolio of our Shared Services organization.

Customized GUI over top of Oracle Identity Manager

The application was built as a customized layer on top of Oracle Identity Manager 10g and offered user-friendly Certification audits and Access Request Management, powered by a multi-tenant architecture. These features were a bit ahead of their time in the IdM world and were the key reasons for building a customized layer on top of Oracle’s standard solution. It was not the first time we had built a customized application using the APIs of the standard identity manager; we had already done that in the form of a “user creation management GUI” on top of Oracle Identity Manager 9i.

Shortcomings of Customized solution

Though customization results in a product tailored to the customer’s desires and fulfills requirements more precisely, we have to accept that the technology has matured recently and companies are now offering off-the-shelf solutions that are better than the traditional tailored products.

Following are the major shortcomings of the customized solution that we faced.

  • A tailored solution is always more expensive than using an off-the-shelf product. The logic is simple: a customized product is made for a single customer, and consequently all development expenses are borne by one entity.
  • Upgrading to a newer version is always a big challenge when using a customized solution, but it becomes even bigger when the customization is heavily dependent on the application interfaces (APIs and web services). I still remember the mayhem while upgrading from OIM 10g to OIM 11gR1 :)
  • Maintenance and development of a customized solution (application) requires considerable time and resources compared to the standard solution. A dedicated team of programming geeks is a must for successfully running a tailored solution. Another related challenge is the training and coaching of newly hired resources. Every time a new resource is hired to fill a vacant position, hands-on training is required for them to understand the architecture and approach used for the customization.
  • The product support community does not offer any support for a customized product, so if you hit a bug or a challenge in your customized solution, you will be the only one able to resolve it.
  • Many solution providers admit that customization has resulted in slow performance of their application instances. The allowed customization approaches use standard APIs or related interfaces to interact with the core application, and these have always been considered performance degraders because of the formalities the application imposes on external interfaces. This challenge is not only true for Identity Management; similar feedback has been reported by experts on other products, e.g. Oracle E-Business Suite and Oracle SOA Suite.

Oracle’s Beta testing program

The Beta Testing Program is a joint venture between Oracle and its customers. This initiative provides a structured approach to including users of Oracle applications from selected organizations in the Beta Testing Programs. The overall goal is to allow selected users to perform in-depth testing and analysis of Oracle’s new products and releases in order to help Oracle deliver better products to market. As beta testing participants, testers perform in-depth testing of the next generation of Oracle products. This also helps them build a personal knowledge base, become industry-recognized technology leaders, and influence Oracle’s future product direction.

Our organization, as a Shared Services solution provider for Identity and Access Management, was also involved in the beta testing of patch set 2 (PS2) of the Identity and Access Management suite 11gR2. The focus area on our side was limited to Identity Governance, more specifically the Multi-Tenancy and Access Request Management features. (See my article on PS2 features for more detail.)

Decommissioning of Tailored layer and rollout of Off-The-Shelf Solution

It’s a common misunderstanding that boundaries limit creativity. It may sound unreasonable, but boundaries can actually boost creativity. We need to impose boundaries by tightening our processes, and one way to achieve this effectively is with off-the-shelf solutions.

As our involvement in the beta testing program gave us confidence in the much-awaited functionalities, last week we decided to decommission the customized layer by moving its functionalities into OIM 11gR2 PS2. The work has actually started, and the intention is to complete it before the summer vacation of 2014. We’re crossing our fingers and hoping that the rollout of the off-the-shelf solution goes smoothly.