
October 2008 Archives

October 1, 2008

Update on Mapping User in Enterprise User Security (Central Database Account Administration)

When mapping a user in Enterprise User Security (EUS), I found that you can indeed skip the mapping step in Enterprise Security Manager (ESM) if you supply the complete syntax when creating or altering the database user.

So for example:

alter user hr identified globally as 'cn=Mark Wilcox,cn=Users,dc=ovddemo,dc=com';

This should then let you log in as Mark Wilcox using his uid value (e.g. mwilcox) as the username, provided the DN in the statement matches his entry in the directory.
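As an added illustration (this is not code from the original post or from Oracle), the helper below builds the two forms of the statement and tells them apart in a DBA_USERS listing: a full DN gives an exclusive mapping that needs no ESM entry, while an empty string (IDENTIFIED GLOBALLY AS '') declares a shared schema for which the directory must hold a user-to-schema mapping, which is what ESM creates. The DBA_USERS column names USERNAME, EXTERNAL_NAME and AUTHENTICATION_TYPE are assumed (11g and later; on 10g the equivalent check is PASSWORD = 'GLOBAL'), and the sample rows are constructed.

```python
# Added example, not from the original post or from Oracle: build and check
# EUS schema mappings. Assumes DBA_USERS exposes USERNAME, EXTERNAL_NAME and
# AUTHENTICATION_TYPE (11g+; on 10g test PASSWORD = 'GLOBAL' instead).
import re
from typing import Dict, Iterable, List, Optional, Tuple

# One RDN is "type=value"; commas inside a value must be escaped as "\,"
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=(?:[^,\\]|\\.)+$")


def validate_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas and require every RDN to be attr=value."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    for rdn in rdns:
        if not _RDN_RE.match(rdn):
            raise ValueError("malformed RDN %r in DN %r" % (rdn, dn))
    return rdns


def sql_literal(value: str) -> str:
    """Quote a value as an Oracle string literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def mapping_statement(db_user: str, dn: Optional[str], create: bool = False) -> str:
    """Return the DDL that ties db_user to the directory.

    dn given -> exclusive mapping: the schema belongs to exactly this directory
                entry and no mapping in ESM is needed (the point of the post).
    dn None  -> shared schema (IDENTIFIED GLOBALLY AS ''): the directory must
                contain a user-to-schema mapping, which ESM creates.
    """
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_$#]*", db_user):
        raise ValueError("unsafe database user name %r" % db_user)
    verb = "CREATE USER" if create else "ALTER USER"
    target = "" if dn is None else ",".join(validate_dn(dn))
    return "%s %s IDENTIFIED GLOBALLY AS %s" % (verb, db_user, sql_literal(target))


def classify_mappings(rows: Iterable[Tuple[str, Optional[str], str]]) -> Dict[str, str]:
    """Label each (USERNAME, EXTERNAL_NAME, AUTHENTICATION_TYPE) row.

    Rows come from:
      SELECT username, external_name, authentication_type FROM dba_users
    A GLOBAL user with an EXTERNAL_NAME is exclusively mapped; a GLOBAL user
    without one is a shared schema that still relies on a directory mapping.
    """
    result = {}
    for username, external_name, auth_type in rows:
        if auth_type != "GLOBAL":
            result[username] = "local"
        elif external_name:
            result[username] = "exclusive"
        else:
            result[username] = "shared"
    return result


# Constructed sample of what the query above might return after the post's ALTER USER.
SAMPLE_DBA_USERS = [
    ("HR", "cn=Mark Wilcox,cn=Users,dc=ovddemo,dc=com", "GLOBAL"),
    ("APP_SHARED", None, "GLOBAL"),
    ("SCOTT", None, "DATABASE"),
]

if __name__ == "__main__":
    print(mapping_statement("hr", "cn=Mark Wilcox,cn=Users,dc=ovddemo,dc=com"))
    print(mapping_statement("app_shared", None, create=True))
    for user, kind in classify_mappings(SAMPLE_DBA_USERS).items():
        print(user, kind)
```

After running the ALTER USER, the same classification can be done on the live database; an HR row that comes back as "shared" means the DN was not stored and ESM mapping is still required.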

I'm sure I read that in Knox's book before but it didn't sink in until I was asked about this at OOW last week.

October 3, 2008

Writing Secure Code - Links - October 3, 2008

5 Password Utilities That Will Make Your Life Simpler -- Not really any coding tips, but since passwords will be with us for a long time, these might be helpful for you and your users. Interestingly, they mention OpenID as one of the utilities but not InfoCards.

Pete Finnigan - Oracle [database] security information -- A page with various utilities to help test your local Oracle password security and tools to help with auditing the database.

Reply to James if he was US CIO

James is on another rant. He has asked me to reply to a couple of other posts on LDAP topics, but I wanted to get clarity on one of his points.

9. I would use the same law and force Larry Ellison to make Oracle contribute more to open source. 

First - why single out Ellison and Oracle? Does he feel others like Microsoft, IBM or CA have done enough? And if so, what have they done, for comparison?

Second - I would like to point out Oracle's contributions to open source. Most people are probably not familiar with the work we have done.

Start with our Open Source Site.

But just to give a summary:

1 - Oracle contributes heavily to Linux to help the database in particular work better. This is why we were able to offer Oracle Enterprise Linux.

2 - We have put significant effort, in terms of drivers and related work, into various projects including PHP, Ruby, Spring and of course EclipseLink (the open-source version of TopLink).

3 - We effectively donated our entire next-generation UI library (ADF) to Apache to help provide a richer platform for Web applications.

4 - We are doing all of the reference work for IGF in the open at openLiberty.

5 - It's now possible to run Oracle software on Amazon EC2. This is particularly useful when it comes to the database - you can now have a full EE database instance running in 5 minutes without having to fiddle with any kernel or related parameters.

So James, what specifically do you want Oracle to do more of? And what would be the value to you if we did so? If you have specific items I'm happy to hear them and communicate them to the appropriate people.

October 6, 2008

Virtual Directory Litmus Test

Matt Flynn posted a paraphrased quote from Divya Sundaram of Motorola:

If you front-end data (or a data store) that you don't own (or don't have control of), then you need to replicate/sync data (instead of virtualizing the view).

And then asked if this is a litmus test for Meta vs Virtual.

My answer is that it depends.

This is because Sundaram's statement is a false assumption though it's a common belief.

It's a common belief because people want to be "in-control" of data and feel that unless they control everything, they are not truly in control.

This of course is patently false - we have mechanisms (such as contracts) to deal with boundary control issues without needing to directly control everything.

This is reflected in the fact that in many (if not most) virtual directory deployments, the team that runs the virtual directory does NOT own the data sources it connects to. Those systems are often run by different teams, usually with different management chains. Virtualization works anyway because those systems are already designed to be used by external client applications, with an appropriate level of service level agreements and availability.

And virtualization is a way to make the most out of these existing capabilities.

Where "meta-directory" makes the most sense is really two cases:

1 - You want to reduce the number of storage systems, in particular different LDAP servers. Thus you could collapse many ADAM, Sun, Novell, OpenLDAP, etc. instances into a single enterprise-class storage system such as Oracle Internet Directory.

2 - You need a standardized provisioning system to meet business process and compliance requirements. This is the environment which Oracle Identity Manager fills.

October 8, 2008

More James McGovern Q and A

James was nice enough to ask more questions -  though I'm still curious as to how he thinks we specifically trail Microsoft in open-source contributions.

So here for the enjoyment of the readers is my response:

Maybe you could share on your next posting exactly how allowing closed source Oracle databases on the Amazon grid is open source?

[MEW] I realize I should have clarified that point better. What I meant by this is that if you are a developer who needs to test your code against Oracle DB, there are not many easier ways than using one of the pre-built EC2 images. Assuming you meet OTN requirements, you are probably only paying for EC2 fees, which is still likely cheaper than having your own servers. I would think as an "enterprise architect" you would understand the value of this approach over having your developers become experts at installing Oracle database. And while sure you could have DBAs do that, it's still probably quicker and more flexible to do this (in particular for any research-type work, or training on a new language/framework) than internally.

Likewise, there is a difference between open source and open specifications. Are you willing to say that all reference code will be of production quality?

[MEW] I don't know what you mean by production quality. I don't mean that to be sarcastic but rather a reflection that it is a relatively subjective question. What I can say is that code that we do contribute to OpenLiberty from our dev team will have gone through at least our base level software development process, which includes design review, code review and automated regression tests. This is not to say that any identity attribute service on OpenLiberty will be 100% the same as Oracle's production version, because we will be adding functionality to make it an actual product (such as UI and integration with the Oracle audit/logging framework, for example) that will not be part of Project Liberty. But OpenLiberty is, well, um, open - so you can participate as well.

Sun has open sourced LDAP. Would you as a product manager advocate the same for virtual directories?

[MEW] Let's take a step back here. Sun did not open-source LDAP :). They have an open-source project that wrote from scratch an open-source, storage-based LDAP server in Java. It's not the first open-source LDAP (UMichigan & OpenLDAP have that claim), nor the first open-source Java LDAP (even Apache isn't the first, but it's the longest-running), and heck, even their C-based version was effectively open-source via the Fedora Directory Project. I am not sure why anyone at Sun thought starting from scratch was a good idea. At the moment we are still able to grow the adoption of OVD (and OID), are able to improve upon the core product via customer feedback, and have a plug-in API that allows customers (whether themselves, partners or Oracle consulting) to extend the product to meet their needs - so I don't sense a valid reason to open-source OVD. I obviously cannot speak for any other virtual directory vendor/project.

OK, Kim Cameron of MS paid for implementations of Cardspace on other platforms in which MS is simply attempting to improve the ecosystem and won't make a cent off it. In many ways it actually competes with its own offerings. What is the Oracle equivalent?

[MEW] Microsoft has produced open specifications, a few examples and started the Information Card Foundation (which we are a member of) to help drive adoption of Information Cards.  I would argue we are on the same path on IGF via Open Liberty.  Except that since our work is done via Project Liberty we can avoid the need to create yet another foundation. The biggest difference is that since IGF is more middleware based, the visible bits have been slower to show though that is starting to change as you can see from Phil Hunt's (our lead technical person for IGF standard) DIDW presentation. And as mentioned in that presentation - we are releasing the IGF Attribute Service API as open-source (this is new code). The API will have at least 2 provider implementations - one using OVD (which I'm responsible for and is planned to be a core component of Fusion Middleware & Fusion Applications) and one based on Project Higgins. This is an open project - so you are welcome to go learn more.

Two Cookies Can Make You Fat But They Are Not Two-Factor Authentication

This post is inspired by a conversation I had with one of our customers. They have a team responsible for customer-facing revenue applications, and of course that team is trying to make sure they have strong security.

On the good news side, the team knows they need "two-factor" authentication. A factor is normally based on the concept of something you know (a password or the answer to a security question), something you have (a digital certificate or hardware token) or something you are (a fingerprint). Two factors means two different categories, not two items from the same category.

However, apparently it's the cool thing to do for certain web sites to have "dual cookies". One is persistent, to store simple profile information (like what page you want to go to when you log in) - nothing secure. The other is your session cookie. The perception in this team (and maybe they learned it from some magazine or conference) is that this is a type of two-factor authentication, and in particular they thought this would help protect access from "new, unknown machines".

Any security professional knows this is not the case. Both cookies are simply values the browser sends back; the site issued them after a single authentication, and anyone holding the browser (or a copy of the cookies) presents both. Session cookies are often used to enable Web-based SSO. The persistent cookie is really just used to help manage profile information that can't be stored elsewhere. Just because there are two cookies does not make it two-factor authentication.

The better way to solve this problem isn't two cookies. It's to use actual multi-factor authentication and knowledge-based authentication (challenge questions). Oracle can provide this via Oracle Adaptive Access Manager (OAAM).

Here is how OAAM could help in this scenario as quoted by one of our PM's in the Access Management Suite team:

OAAM uses many kinds of contextual information to determine the risk factor of any user performing an action, whether it be viewing a resource, performing an action or initiating a transaction. The contextual information covers things like IP address, geo-location, time of day, day of week, device fingerprinting (which can be done as a persistent object on the client machine), and even user behavior.

If I drill down on the use case a little bit, I believe you guys are looking for a way to raise risk factors when a user is coming in from a machine that the user has never used. The raised risk factor will require the user to answer an additional challenge question before the system can trust them enough to allow access to some resource.

So how do OAM and OAAM help accomplish the above? One example would be as follows:

The first time a user attempts access to a protected resource, OAM initiates an authentication scheme that really calls OAAM in the backend. OAAM then determines if the device has ever been used before based on device fingerprinting, and if the machine has never been used, then username, password, and a knowledge-based question must all be provided before the user gets access. When the user subsequently attempts access again with a persistent object (or device fingerprint) that OAAM accepts, only username and password are necessary. This provides the knowledge-based question as an added security measure if the user is coming from a machine that has never been seen before. Of course, this solution assumes that the knowledge-based questions and answers have already been set up for all users.

I also pitched a couple of other options, in particular if OAAM adoption would be slow due to budget or time constraints:

1 - On sensitive pages, simply prompt for the password again. This would at least help prevent someone from using a session because the original person left the room without logging out.

2 - On sensitive pages, not only ask for a password but perhaps require a different PIN code for that page.

3 - You could also use other authentication types, like digital certificates, but those have their own set of headaches.

Also you can read more about OAAM.
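To make the distinction concrete, here is an added example (not code from the post, and not OAAM or OAM) of the policy described above in plain Python: an unknown device fingerprint raises the requirement to password plus a knowledge-based answer, a device that has passed that challenge is trusted afterwards, and sensitive pages re-prompt for the password once the last verification is older than a window (option 1 from the list). A small factor counter shows why two cookies, or a password plus a challenge question, still amount to one factor. The 300-second window, the five-attempt lockout, the fingerprint strings and the user names are all assumed values; actual credential verification is left to the login form, which passes in the set of credential types it verified.

```python
# Added example, not from the original post and not OAAM/OAM code: a minimal
# risk-based step-up policy. Window, lockout limit, users and fingerprints
# are assumed values; credential checking itself happens upstream.
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Each credential type belongs to one factor category. Cookies are deliberately
# absent: they are bearer tokens handed out after authentication, not factors.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "kba": "knowledge",        # answer to a registered challenge question
    "otp_token": "possession",
    "certificate": "possession",
}


def factor_count(credentials: Set[str]) -> int:
    """Distinct factor categories among the presented credentials.
    Two cookies count as zero; password plus KBA still counts as one."""
    return len({FACTOR_CATEGORY[c] for c in credentials if c in FACTOR_CATEGORY})


@dataclass
class Session:
    user: str
    device_fp: str
    authenticated_at: float   # when the password was last verified


@dataclass
class StepUpPolicy:
    reauth_max_age: float = 300.0                      # assumed freshness window (s)
    max_attempts: int = 5                              # assumed lockout threshold
    known_devices: Dict[str, Set[str]] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)

    def required_credentials(self, user: str, device_fp: str) -> Set[str]:
        """Unknown device raises the risk: demand KBA in addition to the password."""
        need = {"password"}
        if device_fp not in self.known_devices.get(user, set()):
            need.add("kba")
        return need

    def login(self, user: str, device_fp: str, verified: Set[str],
              now: Optional[float] = None) -> Optional[Session]:
        """Return a Session if every required credential was verified, else None.
        'verified' is the set of credential types the login form already checked."""
        now = time.time() if now is None else now
        if self.failures.get(user, 0) >= self.max_attempts:
            return None                                # locked out
        if not self.required_credentials(user, device_fp) <= verified:
            self.failures[user] = self.failures.get(user, 0) + 1
            return None
        self.failures[user] = 0
        self.known_devices.setdefault(user, set()).add(device_fp)  # trust from now on
        return Session(user, device_fp, now)

    def may_view_sensitive(self, session: Session, now: Optional[float] = None) -> bool:
        """Option 1 from the post: a sensitive page is served only if the password
        was verified within reauth_max_age; otherwise the caller must re-prompt."""
        now = time.time() if now is None else now
        return now - session.authenticated_at <= self.reauth_max_age

    def reauthenticate(self, session: Session, verified: Set[str], now: float) -> bool:
        """Record a fresh password check for the re-prompt flow."""
        if "password" not in verified:
            return False
        session.authenticated_at = now
        return True


if __name__ == "__main__":
    policy = StepUpPolicy()
    print(policy.required_credentials("mwilcox", "fp-laptop"))      # password + kba
    s = policy.login("mwilcox", "fp-laptop", {"password", "kba"}, now=0.0)
    print(policy.required_credentials("mwilcox", "fp-laptop"))      # password only
    print(policy.may_view_sensitive(s, now=600.0))                  # False: re-prompt
    print(factor_count({"session_cookie", "profile_cookie"}))       # 0
```

Note what the device set buys and what it does not: a stolen session cookie copied to another machine will fail the fingerprint check and face the KBA challenge, but a fingerprint is itself something the client presents, so it should raise or lower risk rather than replace a real second factor.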

October 9, 2008

Writing Secure Code - Links - October 10, 2008

Posting early since I'm taking Friday off.

Crisis Begets Accountability and Transparency -- While not directly about software code, it is an article that can be used as a "teachable moment" across many disciplines. From a programming perspective, the lesson is that accountability and transparency help make for a more secure environment. We will likely see more monitoring across different systems and changes to organizational structures, so we're going to need more code in more places that interoperates to make security a cohesive whole. Make sure you are taking steps to integrate secure auditing (such as Oracle Audit Vault) and logging, and of course to enable external fine-grained access control leveraging standards like XACML.

ISC2 To Offer Certification For Software Lifecycle Security -- The organization that provides the CISSP certification is launching a new certification for developers. It is a rather explicit industry acknowledgement that developers are not taught security as a core competency, and thus it's not ingrained into training or expectations. It also (IMHO) acknowledges that CISSP is not about dealing with code-level security. They are two different disciplines, and just because one is competent in one discipline does not necessarily mean one will be competent in another, even though they may be related.

Upcoming PHP 5.3 beefs up security -- If you are writing code in PHP - you will want to learn more about a couple of changes being made that likely will make your code more secure but may break some of your scripts.

Correction on Information Card Foundation

Charles Andres from the Information Card Foundation posted a comment to correct my earlier post that Microsoft created the Information Card Foundation:

One small correction: Microsoft did not start the Information Card Foundation. A community of architects and designers including the creators of the Higgins Project created the organization before inviting any corporations to join. The consensus of this community was that the visual metaphor of a digital wallet and cards shared by The Higgins Project (which included open source components contributed by engineers from Parity, Novell, Oracle, and IBM), Microsoft CardSpace, and other researchers, is the best way to present controls for identity and personal information to the widest possible user base. The merger of these efforts along with other components that can benefit from standards protocols now underway at OASIS makes ICF a common effort by many forward-thinking companies who want to make the Internet a safer and simpler environment for all transactions. The decision by Microsoft to join the ICF was a great step for the industry to advance toward a common unified way for users to wield trusted verified claims.

Since comments don't usually get read - I wanted to make sure this correction was read.

How Oracle Can Help You Write More Secure Code

Now when James McGovern repeats his question of "when will Oracle show how to write secure code" we can point him to this post :).

First - make sure to read, and check back with, the Oracle Secure Technology Center. This is basically the one-stop place for all of our security information. Oracle covers everything from OS to applications, and this location covers that breadth with links to deeper dives.

Second - our Chief Security Officer Mary Ann Davidson has been trying to get the developer education ecosystem (e.g. CS programs and their cousins) to do a better job of teaching secure coding. I believe she articulated the problem very well in her post "The Supply Chain Problem".

Third - read this book (Mary Ann Davidson recommends it in "The Supply Chain Problem"): Foundations of Security: What Every Programmer Needs to Know.

Fourth - if you do anything with the database, David Knox's Effective Oracle Database 10g Security by Design is still the go-to resource. It's book #2 on my tech shelf, after my own (me being first is mostly a vanity thing :)).

As an addendum - if you are writing code in ADF you should check out the new tutorial based on the new demo application - "Fusion Order Demo" . Besides learning all of the cool things ADF/JDev bring to the table - Chapter 28 covers how to leverage the external security framework. I hope to be able to use this application to demonstrate more of our capabilities - in particular OVD/IGF but possibly others too. 

October 13, 2008

What Totem Poles Teach You About Presentations

In the past 4 months I've taken a long vacation - a cruise to Alaska and a quick long-weekend trip to Abilene, Texas. 

In Alaska we saw a number of totem poles. In Abilene, cave and hide paintings are more common. These are remains from the "First Nations" people who were here first. We also sometimes refer to these people as "Indians" or "Native Americans".

Both share a common element: they are stunning visual aids used to tell oral stories.

And the story-tellers are able to communicate very elaborate and exciting stories using these pictures as their guides.

These items are also amazing to look at but useless as information delivery systems without the story-tellers.

And not a single bullet point among them.

Do You Want Mobile Oracle Support?

Let the support team know here how you would like to interact with support using a mobile device.

October 17, 2008

Writing Secure Code -- Links -- October 17, 2008

Enterprise Single Sign-on: It's Simple Economics -- For many of my readers this article will be old news - reducing the number of passwords saves money. The Oracle Identity and Access Management Suite provides products that enable this. Our directory services products allow you to re-use passwords (including AD passwords) in any environment that can use LDAP including enabling/simplifying this process in Unix Operating Systems and Oracle Databases. Oracle Identity Manager can synchronize passwords if the application can't externalize passwords. Oracle Access Manager provides Web-based SSO and Oracle Enterprise SSO provides SSO for "fat-client" applications.

Security is a State of Mind -- A nice interview with Bruce Schneier on Dr. Dobb's, in particular since Dr. Dobb's is where he was first published. For those who might be reading and didn't get into computing until after the 'net: back in the day there were two magazines for hard-core geeks, Dr. Dobb's and Byte.

How to write injection-proof PL/SQL -- This paper is from us here at Oracle. Not my team but from someone with an @oracle.com email address. If you are writing code that calls PL/SQL you need to read this paper.

October 24, 2008

Writing Secure Code -- Links -- October 24, 2008

ITWire - Life in the trenches: an OpenSSH developer speaks -- This is an interesting interview with one of the developers of OpenSSH. If you are not familiar with OpenSSH, it's the implementation of the SSH protocol you most likely use to access remote Unix/Linux servers. If you spend any time with Linux/Unix you probably use SSH, and this provides insight into something we all take for granted. As a developer it's good to hear about writing secure code from someone who has made it their life's work.

Security Becomes Mission Critical for Developers -- A high-level overview stating that writing security-minded code is something all developers must adopt. I would also add that this is why one should adopt standardized frameworks as much as possible: it is going to be easier to leverage their security than to try to learn all of the details of all possible components yourself.

3G Americas Publishes Research Paper on Trust and Security in Mobile Applications -- This article is a high-level summary of a new report from the 3G Americas trade organization (focusing on promoting 3G phone technology). Since mobile applications are one of the fastest growing areas and will likely continue to be so - this is an area we all should be paying attention to. The actual white paper is here.

October 30, 2008

I'm Speaking at (free!) Silicon Valley Code Camp - November 8 and 9, 2008

I know it's a bit of a late notice but if you will be in the Silicon Valley area and want to spend a weekend learning about a variety of coding topics (and not just Oracle) this looks to be a great event. Oracle is one of the sponsors and according to the Code Camp web site:

"Attendance is FREE, but space is limited so you need to Register."

Here is my topic:

Prototyping user /role management with Oracle Virtual Directory and Oracle XE:
Most enterprise environments use LDAP for authentication and authorization. However, as a developer you might not have access to the enterprise LDAP server, or perhaps you are not familiar with using LDAP tools to manage users and roles. In this presentation you can learn how Oracle Virtual Directory can be combined with Oracle XE (or any other database) to simplify this component of the development process without needing to write any custom code, and then see how this simplifies moving your product into production.

To Register: http://tr.im/svccrg

All sessions: http://www.siliconvalley-codecamp.com/Sessions.aspx

Oracle specific sessions: http://tr.im/svccor

About October 2008

This page contains all entries posted to Virtual Identity Dialogue in October 2008. They are listed from oldest to newest.
