
November 19, 2007 Archives

November 19, 2007

Database and Active Directory -- Round Two

A comment/question on my earlier post.

Question: "Hmmm. So requiring another license is semantically different than
requiring another product? I guess if everyone can't use it without
procuring something then he is correct. How about also supporting natively via LDAP without requiring either a license or another product?"

Answer: This is not a mere semantic difference. I believe Mr. McGovern (whom I referenced in my first post, but who is not the person who asked this follow-up question) is treating Enterprise User Security (EUS) as the only way to integrate AD passwords with the database. EUS is functionality that makes it easier to manage users and roles in the database, and it also allows you to store your password verifiers (i.e. the password hashes normally stored in the database) in the directory. That in turn allows simple username & password authentication to use passwords stored in the directory.

My point in my earlier post was that if you don't want EUS (and frankly, if you just want password integration, EUS is probably not the option I would recommend, since you're not getting any of the additional EUS features), then you can use Kerberos or RADIUS.

However, I realized on my flight home that I left out one more option that, to my knowledge, doesn't require any other software or license: if both the Database Client and the Oracle Database are running on Windows, then they will by default use "Windows Native Authentication" (WNA). The link is to the 11g docs, but it is a feature that exists in at least the 10g DB. WNA on the database can also allow you to use AD to maintain database roles.

But again, this depends upon the database running on Windows, and you need to have enabled the Windows options on the database.

Again, I don't believe WNA requires any additional license, but I would suggest that you contact your account representative to confirm (I'm just the functional & technology guy, not a licensing guru, in particular for products outside of my realm).

In another future post I will detail why the database works with LDAP via OID/OVD.

FYI - If you are interested in Database Security options, I would suggest reading David Knox's book on the subject, "Effective Oracle Database 10g Security by Design". David has spent most of his professional life dealing with and implementing the subject, plus he is a really nice guy.


This Is Why You Need Adaptive Access Control

Yet another article talking about how easily passwords can be cracked.

I'm beginning to tire of these articles. Not that it isn't a good reminder that passwords shouldn't be your only form of security - but they're the technical equivalent of repeated signs on the factory wall saying "breathing paint fumes can harm your health" while you work in a paint factory.

Meaning - while technically correct - you can't easily avoid the fumes, so a sign without any other precautions (in the paint factory, things like gas masks) is not very helpful.

In the technical world - while it's nice to think of ways of avoiding passwords using tokens, thumbprint readers or perhaps Vulcan mind-melds - these things don't catch on, for various reasons. The reality is that passwords are not going away anytime soon.

Which is why I am pretty excited by one of our newest products (it's still hard to fathom that we're now a rather old acquisition at just over 2 years): Oracle Adaptive Access Management (OAAM), aka Bharosa.

At its core, what OAAM does is provide adaptive risk analysis. So, for example, on sensitive transactions you can build rules that say "normally you only move money from savings to checking between 9am and 4pm from an IP in Dallas", so that when someone tries to move money at 2am from, say, El Salvador (just picking a random place), it can prompt you with a security question. Or page someone. Or stop it. Or all of the above.

That way if you're on vacation and needing to get some more money to buy another drink at your resort hotel - you're cool. But if not - it will help protect you.
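The kind of rule set described above, written out as a small risk-scoring engine. This is an added example, not OAAM's own code or rule language: the baseline profile, the IP-to-place lookup (documentation-range addresses only), the rule weights and the score thresholds are all constructed here to illustrate the idea.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed lookup standing in for an IP geolocation service (hypothetical).
# Addresses are from the documentation ranges (TEST-NET), not real hosts.
GEO_LOOKUP = {
    "203.0.113.7": "Dallas",
    "198.51.100.9": "El Salvador",
}

# Constructed per-user baselines standing in for a behaviour profile store.
BASELINES = {
    "alice": {
        "hours": (9 * 60, 16 * 60),   # 9:00 to 16:00, in minutes after midnight
        "places": {"Dallas"},
        "max_amount": 5000.0,
    },
}


@dataclass(frozen=True)
class Transaction:
    user: str
    action: str
    amount: float
    when: datetime
    source_ip: str


def make_txn(user, amount, hour, minute, source_ip, action="transfer"):
    """Convenience constructor; dates the transaction on the day of this post."""
    return Transaction(user, action, amount, datetime(2007, 11, 19, hour, minute), source_ip)


def score_transaction(txn, baselines=BASELINES, geo=GEO_LOOKUP):
    """Score one transaction against the user's baseline.

    Returns (score, reasons). Each rule that fires adds its weight and a
    human-readable reason, so an analyst can see why a decision was made.
    """
    profile = baselines.get(txn.user)
    if profile is None:
        # No history to compare against: treat as maximum risk.
        return 100, ["no baseline for user"]

    score, reasons = 0, []
    minute_of_day = txn.when.hour * 60 + txn.when.minute
    start, end = profile["hours"]
    if not (start <= minute_of_day <= end):
        score += 40
        reasons.append(f"outside usual hours ({txn.when.strftime('%H:%M')})")

    place = geo.get(txn.source_ip, "unknown")
    if place not in profile["places"]:
        score += 40
        reasons.append(f"unusual location ({place} via {txn.source_ip})")

    if txn.amount > profile["max_amount"]:
        score += 40
        reasons.append(f"amount {txn.amount:.2f} above usual maximum")

    return score, reasons


def decide(score):
    """Map a risk score to the responses the post lists: allow, ask a
    security question, page someone, stop it, or a combination."""
    if score < 40:
        return ("allow",)
    if score < 70:
        return ("challenge",)          # security question only
    if score < 100:
        return ("challenge", "page")   # step up and alert a human
    return ("block", "page")


def evaluate(txn):
    """Returns (actions, score, reasons) for one transaction."""
    score, reasons = score_transaction(txn)
    return decide(score), score, reasons


if __name__ == "__main__":
    samples = [
        make_txn("alice", 200.0, 14, 0, "203.0.113.7"),    # normal afternoon, Dallas
        make_txn("alice", 200.0, 14, 0, "198.51.100.9"),   # on vacation: new place only
        make_txn("alice", 200.0, 2, 0, "198.51.100.9"),    # 2am from El Salvador
        make_txn("alice", 20000.0, 2, 0, "192.0.2.44"),    # 2am, unknown IP, large amount
    ]
    for t in samples:
        actions, score, reasons = evaluate(t)
        print(f"{t.when:%H:%M} {t.source_ip:>14} {t.amount:>9.2f} -> {score:3d} {actions} {reasons}")
```

The weights are deliberately additive so that the "on vacation" case (new place, normal hours, normal amount) only draws a security question, while a transaction that is unusual in every dimension is stopped and someone is paged. In practice the profile would be learned from the user's history rather than hand-written, and the reasons list is what you would want logged for the fraud team.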

Another feature (and one that is very cool to see) is the strong authentication feature.

The strong authentication feature uses some sophisticated technology to present alternative mechanisms for entering passwords.

For example, instead of entering your password into a text field, it will present you with a virtual keyboard. The keyboard is overlaid on a picture (that you choose during registration). And every time you're presented with the keyboard, the keyboard and image shift alignment a bit. And the image is timestamped.

Plus the actual keys are never transmitted, which makes it very hard to phish or keylog.
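To make the "keys are never transmitted" point concrete, here is the server side of such a scheme as an added example. It is not OAAM's implementation: instead of the product's shifting alignment of keyboard and image, it randomises the key order per presentation (a generalisation of the same idea), keeps the layout server-side, makes it single-use, and expires it after a short time, which is what the timestamp on the image buys you. The character set, session store and timing values are constructed for the example.

```python
import secrets
import time

# Characters the on-screen keyboard offers (constructed; a real keyboard would
# cover the full character set the password policy allows).
KEYS = list("0123456789abcdefghijklmnopqrstuvwxyz")


def new_layout(session_store, session_id, rng=None, now=None):
    """Issue a fresh, randomly ordered layout for one login attempt.

    The server records the layout and its issue time; the client only renders
    it. `rng` and `now` are injectable so the behaviour can be tested
    deterministically; by default the OS CSPRNG and the wall clock are used.
    """
    rng = rng or secrets.SystemRandom()
    layout = KEYS[:]
    rng.shuffle(layout)
    session_store[session_id] = {
        "layout": layout,
        "issued": time.time() if now is None else now,
    }
    return layout


def resolve_clicks(session_store, session_id, positions, max_age=120, now=None):
    """Turn the positions the client clicked back into characters.

    Only the server can do this, because only it knows which layout was
    shown. The layout is single-use and expires, so a captured set of
    positions is meaningless on its own and cannot be replayed later.
    """
    entry = session_store.pop(session_id, None)   # single use
    if entry is None:
        return None
    current = time.time() if now is None else now
    if current - entry["issued"] > max_age:
        return None                                # stale presentation
    layout = entry["layout"]
    try:
        ok = all(isinstance(p, int) and 0 <= p < len(layout) for p in positions)
    except TypeError:
        return None                                # not even iterable
    if not ok:
        return None                                # out-of-range or non-integer click
    return "".join(layout[p] for p in positions)


def client_clicks(layout, secret):
    """What a legitimate client sends: positions on the layout, never the characters."""
    return [layout.index(ch) for ch in secret]


if __name__ == "__main__":
    store = {}
    layout = new_layout(store, "login-1")
    positions = client_clicks(layout, "pa55w0rd")
    print("on the wire:", positions)
    print("server resolves:", resolve_clicks(store, "login-1", positions))
    # Replaying the same positions against the next presentation gives junk,
    # because that presentation has its own layout.
    new_layout(store, "login-2")
    print("replay against next layout:", resolve_clicks(store, "login-2", positions))
```

A keystroke logger sees no keystrokes, and a captured request holds only indices into a layout that no longer exists. What this does not cover is malware that records the screen along with the clicks, which is one reason the post still wants the risk analysis in front of the transaction rather than relying on the entry mechanism alone.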

And while maybe we'll get past passwords in the future - you will probably still need fraud detection.

So if you are doing business online (either consumer or internally focused) you might want to check OAAM out.
About November 2007

This page contains all entries posted to Virtual Identity Dialogue in November 2007. They are listed from oldest to newest.
