1. © 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice HP Identity Management Solution Suite Eric Krol eric.krol@hp.comric.krol@hp.com +31 651572233 14 september, 2006

2. HP Confidential2 2005 Priorities – What are yours ? http://www.csoonline.com/poll/results.cfm?poll=3080

3. HP Confidential3 Key goal for IT Moving budget from maintenance to innovation Source: HP IT department Future IT Application maintenance 15% Application innovation 45% Infrastructure innovation 10% Infrastructure maintenance 30% Former IT Application maintenance 30% Application innovation 23% Infrastructure Innovation 5% Infrastructure maintenance 42%

4. HP Confidential4 Security & Business Policy Administration & Approval Process Resources Typical Enterprise: Current State Customers Partner Data and Applications Databases, Directories Operating Systems Applications CRM, ERM HR, Finance Non IT Resources Messaging IT Admin Directory IT Admin OS IT Admin Messaging Network Services IT Admin Applications IT Admin HR, Fin. Admin Non IT IT Admin Network Policy APolicy BPolicy CPolicy DPolicy E Governance & Audit Process Policy FPolicy G Line of Business PartnersEmployees

5. HP Confidential5 Security & Business Policy Administration & Approval process Resources Typical Enterprise: Actual State Customers Partner Data and Applications Databases, Directories Operating Systems Applications CRM, ERM HR, Finance Non IT Resources Messaging IT Admin Directory IT Admin OS IT Admin Messaging Network Services IT Admin Applications IT Admin HR, Fin. Admin Non IT IT Admin Network Policy APolicy BPolicy CPolicy DPolicy E Governance & Audit Process Policy FPolicy G Line of Business PartnersEmployees

6. HP Confidential6 What is Identity Management? The set of people, processes and technologies supporting the creation, maintenance, and termination of digital identities to enable secure access to services, systems and applications. Do you know who your users/customers are? And their relationships with your services or organization?

7. HP Confidential7 IAM Defined — User Identities, Transactions, Roles, Policies and Privileges AuthenticateAuthorizeAdminister Identity Management (Administration) Access Management (Real-Time Enforcement) Service Mgt ITSM NAC Alarm/ Alerting Password Management Audit/Compliance Reduced Sign-On User life cycle management Role Engineering Identity Stores Access Management Federated Identity Management Authentication Services Source: Gartner

8. HP Confidential8 Employee moves naturally between roles Employee Accepts Job Offer Privileges are applied as requested Manual Provisioning Account Privilege Time Appropriateness of Access?How long? Who knows what privileges you have? How long to revoke? Employee Leaves Organisation BUSINESS IMPACT ?

9. HP Confidential9 Employee Accepts Job Offer Privileges are applied as requested Employee moves naturally between roles Employee Leaves Organisation HP IDM: Digital Provisioning Account Privilege Time GUARANTEED Appropriateness of Access! IT responsive to change

10. HP Confidential10 IdM Drivers: Audit & Compliance Do you have regular Audits? −How regular? Why? −How much of the audit process is automated? How do you model your audit controls? −Both preventive and detective controls? Only detective? −Leverage same KPIs & KRIs for different regulatory audits? What are your concerns over Identity theft and fraud? −What about Privacy? −Can you effectively distribute data subject to regulations? Are you part of your partners/suppliers audit processes? −Do you maintain your supplier/partner user data in your IT systems? What about liability and privacy of that data? Audit Only 50% of organizations attempt to audit rights on a regular basis Up to 60% of access profiles are no longer valid. In high turnover industries this can be as high as 80% (IDC) Regulatory issues raising stakes on audit 60% of organizations need to comply to some kind of privacy regulation (11% do well) (SCC)

11. HP Confidential11 IdM Drivers: Security & Risk Mgmt Is your business locking customers out, and locking employees in? −Is this inhibiting business? −What is desired? −What is the impact on business agility? How do you utilize your partner relationships to their best? −E.g. partners able to interact at all stages of the supply chain in real time? −Can you provide just in time services? −How do you empower partners to self manage? −How do you single sign off partners? How are you identifying customers today? −Tokens, certificates? −Passwords? −Variations and Combinations? Security At best only about 62% of a user’s access is removed upon termination (Meta). Orphan” accounts compound an organization’s risk of security breech by 23 X” Over 60% of the authorization / user profiles are out to date (Meta) 39% of all licenses are orphan accounts 81% of security breaches come from disgruntled employees (Computer Security, Issues, & Trends) Insider security lapses cost 250K per incident (FBI/CSI Computer Crime and Security Survey)

12. HP Confidential12 IdM Drivers: Cost Reductions Do you have more than 5 ways of Identifying customers? −How Many? How many different profiles? Do you have a documented Identity management strategy −Why did it start? Regulatory pressure, Audit, Cost? −What were the hurdles you overcame? −Who is your IdM sponsor? Is your IT department burdened with manual processes? −The 5 O'clock problem! IT works on boring tasks…. −What repetitive tasks should you automate? −Are lines of business able to manage themselves? Are they averse to using IT oriented tools? What about simple web based business tools? Cost Reductions Reduce Identity silos 40-60% of helpdesk workload deals with password mgmt (Meta and Intl Security Forum Report) $25 per call – lost productivity, cost of reset activity 5 hours per year for maintaining existing user profiles up to date (Gartner) 30% of dev / integration cost are security related Time to usefulness of employees or partners No waiting to perform job function

13. HP Confidential13 IdM Drivers: Efficiency and Productivity Do you have challenges managing business or IT change in your organization? −Organizational changes? Restructuring? Employee Turnover? Seasonal/temp employees? −Cross-functional or departmental projects? What is the impact of change on business continuity, user productivity and compliance? What is the cost of managing partner access? −Do the partners manage themselves or do you manage them ? How fast can you on-board a new employee/partner? −What about termination? Seasonal employees? −How much of the physical asset and user provisioning is automated? Efficiency and Productivity 15-25% of access and provisioning activities need to be redone due to paper and manual processing errors across the identity lifecycle (Intl Security Forum Report) 27% of companies take greater than 5 days to grant or remove access rights (Intl Security Forum Report) Externalized security increases time to market of business applications by 25%

14. HP Confidential14 IdM Drivers: New Business Models and Revenue opportunities Do you have a single view into your customer across all your services and products? −Leverage cross-sell opportunities across your products and services? −Leverage authentication methods and security standards Do you want to leverage cross-sell opportunities with your partners? −Loyalty programs, for example? Do you want to offer ‘identity services’ to any consumer? Are you taking advantages of web services to automate partner relationships ? −Is security and audit an inhibitor? −Have you standardized partner access integrations? −How do you Audit web services systems ? Federated Communities Solves the issue of different authenticaton methods Builds on standard web security webservices Covisint in automotive industry SecuritiesHub in Financial industry Employee Benefits (401K, Medical, Dental) Wireless Service Providers

15. HP Confidential15 Sales Marketing Finance Logistics Bottom line Employees Partners B2B Customers Security  81% of security breaches from disgruntled employees (Computer Security)  At best only 62% of a user’s access is removed upon termination (Meta Group)  Orphan accounts increase risk of security breech by 23 times ( Meta Group)  Insider security lapses cost 250K per incident. (FBI/CSI Computer Crime and Security Survey) Cost Explosion  The total cost of ownership for user administration is out of control The total cost of ownership for user administration is out of control  What is our cost for Compliance What is our cost for Compliance  What will happen if the business changes or if IT changes What will happen if the business changes or if IT changes  How many unnecessary licences are we paying for? How many unnecessary licences are we paying for? Productivity  15-25% of access /provisioning activities must be redone due to error (International Security Forum Report) 15-25% of access /provisioning activities must be redone due to error (International Security Forum Report)  27% of companies take more than 5 days to grant/remove access rights ( International Security Forum Report ) 27% of companies take more than 5 days to grant/remove access rights ( International Security Forum Report )  40- 60% of service desk calls are password related (Meta Group ) 40- 60% of service desk calls are password related (Meta Group ) Data Quality  Inconsistent user information is spread over numerous systems.  Data quality is having a detrimental impact on service  Up to 60% of access profiles are no longer valid. In high turnover industries this can be as high as 80% (IDC) Regulation conformance  Board responsibility for ensuring & reporting on effectiveness of internal controls Board responsibility for ensuring & reporting on effectiveness of internal controls  $10m + per company in expected fines for lack of compliance with new regulations (Sarbanes-Oxley, Basel II, EU Privacy, etc.) $10m + per company in expected fines for lack of compliance with new regulations (Sarbanes-Oxley, Basel II, EU Privacy, etc.)  Only 50% of companies attempt to audit rights on a regular basis Only 50% of companies attempt to audit rights on a regular basis  60% of organisations need to comply to some kind of privacy regulation (11% do well) (SCC) 60% of organisations need to comply to some kind of privacy regulation (11% do well) (SCC)

16. HP Confidential16 HP OpenView IT Operations Focus IT Process Focus Business External Focus Point ToolsConsolidated / Integrated Service Perspective

17. HP Confidential17 Learn to love what you have been taught to fear! Change is constant Change is unexpected Change is disruptive Business Organization Business objectives and strategy Computing environment Strategic partnerships Mergers and acquisitions Response to competitive moves Supply-chain integration Gov’t regulation/compliance IT consolidation Security threats Operating system upgrades Application migration System & network disruption Change presents opportunities The ability to adapt to change is a key advantage in business.

18. HP Confidential18 Forces of Change & Traditional IdM IT Lifecycle -Add, upgrade or retire apps and systems -New access modes (remote, mobile, etc) -Data center consolidation -Outsourcing & Hosted services Business Lifecycle -Mergers & Acquisitions -Reorganizations & Restructuring -Cross functional/ departmental initiatives or projects -Cross-company partner initiatives or projects -Regulatory Compliance Identity & Access Management User Lifecycle -Hiring & Terminations -Promotions & Transfers -Vacations, Leaves of Absences -Contractors, Part-time and Temporary workers -Subscriptions & Expirations

19. HP Confidential19 Automate change management across all enterprise lifecycles – business, IT and user lifecycles IT Lifecycle -Efficiency gains and IT business alignment is rapidly introduced because of service model for identities. Identity & Access Management Business Lifecycle -Higher level of abstraction allow for business environment change: -Merger / acquisition -Product introduction -Organization changes -Business autonomy User Lifecycle -Higher level of abstraction in service model of HP: manage on the level of business processes NOT on technology components. HP Identity Management

20. HP Confidential20 HP OV Select IDM solutions HP focuses on innovation and automation in IdM across change and compliance management processes −Automate change management across all enterprise lifecycles –business, IT and user lifecycles −Lower operational risk and Align change management and audit controls with your business and regulatory processes, both internally and externally with partners −Increase ROI and reduce TCO by automating change and compliance management processes across access, identity, federation and audit −Enable business and end users (not just IT) to participate and drive change and compliance management processes through revolutionary task and process driven user interfaces

21. HP Confidential21 HP IdM Suite Automate change management across all enterprise lifecycles –business, IT and user lifecycles Audit & Reporting Regulatory Compliance   Accounts & Policies PropagationRegistration Termination Maintenance       Web & Web Services Authorization Single sign-on Account linking & Cross-domain SSO Trusted partnerships Select Identity aligns users rights with the changing environment. Select Access ensures the environment is secure through the changes. Select Federation manages partners in the change process. And Select Audit ensures change process is compliant.

22. HP Confidential22 HP OpenView Project

23. HP Confidential23 Identity Management Selection Cycle & HP engagement IdM Solution Selection Cycle Requirements AnalysisSolution definitionSolution Selection Organisation is new to IdM business Compelling events Requirements: business/operational/ security Scoping Commitment in organisation Initial business case & budget Organisation has already defined goals and drivers, and started investigating solution in market. Plan Team Evaluate Business case review Budget and ROI Management approval Possible solutions have already been investigated, drivers and requirements are defines and issued an RFx. Response to RFx Demo / presentation / PoC Implementation planning Risk management Procurement and T&C’s

24. HP Confidential24 Need for business case Business case is required in 75% of the identified IDM projects Focus on business benefits first……. then align IT benefits IDM is ERP or ITRP for IT “At the beginning of a project you are most ignorant about the project and that is the time when you need to make the most critical decisions about the schedule and cost”

25. HP Confidential25 HP Business Case workshop Focuses on identification and estimation of potential savings and current costs against analysts and market experience Easy and quick way to approach I&AM with the stakeholders Establish common ground Ownership is there from the start

26. HP Confidential26 Who participates? CxOCorporate Accountability IT Director Ops costs/ ease of use Security /Compliance ManagerRisk/Policy /Compliance Service Desk ManagerProductivity HROwnership of the employee profiles BusinessData quality / ease of use / introduction of new services Many contact points!! According to a Forrester Research survey: “CISO’s usually hold responsibility for compliance directives related to system security, system integrity, or privacy-related components...” Nevertheless, “CISO’s can lack the budget authority that is necessary to fulfill those responsibilities, and often have to turn to the CIO for budget approvals.” Source: 2005 Forester Research

27. HP Confidential27 Thank You! eric.krol@HP.com Questions Phone: +31 651572233