Wednesday Apr 23, 2014

Time Still Left to Register: Webcast on Transformation of the Perimeter

As enterprises increase their usage of mobile devices, there is a fundamental question of "Where is the perimeter moving to, and how best to secure?" Corporate data now spans outside into service provider frameworks accessible from mobile device platforms, partners and even customers, and the pressures to minimize the risk are greater than ever. There is no longer the ability to secure at just the firewall. This presentation will discuss some of the challenges that corporations are facing as they externalize this data for the mobile generation of employees, partners and customers, and what steps that can be implemented to help reduce the risk of expanding the corporate perimeter to the mobile device. 

There is still time left to register for this event:

Date: Thursday, April 24, 2014
Time: 10:00 AM PDT

Wednesday Apr 16, 2014

Management and Provisioning of Mobile Devices - Dave Smith

Today we will explore provisioning and device management. These weren’t always considered to be related topics, but in a bring-your-own-device (BYOD) world, there are new relationships to consider…!

 So what is a device…? In the context of the Internet of Things, it potentially refers to anything having an IP Address, such as an automobile, refrigerator, etc. In the context of mobile security, it refers to smartphones and tablets. The mobile device is the new channel to access corporate content, applications and systems, breaking free from the traditional model of using a desktop computer or laptop to access these assets.

 It should be no surprise that from the perspective of enterprise security, “device management” means controlling the device or better yet, controlling what corporate assets can be accessed from this device. In a BYOD world, employees bring their personal mobile devices into the workplace in order to more flexibly access corporate assets. The BYOD phenomena defines not only an architecture, but also a cultural shift and quite frankly, an expectation of users that their personal devices will continue to provide the experience they are accustomed to for other mobile apps. Device management, therefore, must be carefully deployed, since it has to not only provide easy and familiar access for employees’ devices, while at the same time, must do so without sacrificing corporate security by providing limitless access to corporate assets. While on the surface device management seems to be a device-centric approach, it actually needs to be user-centric.

 So what does provisioning mean to mobile devices? Provisioning means managing access. Often this is associated with managing access to application accounts – e.g. create, update, retrieve or delete of accounts or managing the privileges or entitlements granted through these accounts. However, when considering mobile devices and device management, provisioning must also refer to managing access from the user’s device to corporate assets (content, files/shares, applications, services). So, provisioning includes both digital (e.g. accounts and access) as well as physical access (e.g. enabling network access to corporate assets). Managing someone’s access by group or role (e.g. role-based access control, RBAC) is much more scalable and less brittle than managing access on an individual user-by-user basis.

 Provisioning access can be triggered by a number of factors. One is “birth right” access, based on a new hire event. Another is driven by requests for new access (e.g. similar to online shopping, but where the cart holds new entitlements). With the introduction of mobile devices, a third example describes managing the available catalog of mobile apps that a particular person can download to his/her device, ideally based upon his/her job and role within the company.

 Closely related to provisioning is de-provisioning, which is the removal of access. Historically, de-provisioning occurs when the person leaves the company or when they change jobs and no longer need access. In a BYOD world, de-provisioning must extend to the mobile apps running on the person’s enabled devices. Furthermore, given the fact that mobile devices can be more easily lost or stolen, mobile device management dictates that access has to be de-provisioned or blocked from the device, when the device itself has been compromised.

 In the next blog, we will take a look into the concept of “secure containers”, which are provisioned to the device as a key component to a successful BYOD strategy.

Monday Apr 14, 2014

Follow up Identity Management 11g R2 PS2

If you joined our webcast on Thursday, thanks for tuning in.  Below is a link to the on-demand webcast and we have captured the Q & A from the session in-line.

On demand  Webcast: Click Here

Question: For the customers in the process of moving to cloud and mobile space, is PS2 the right version (whether access or Identity) to be on? : Answer: Absolutely. Particularly for Access with full OAUTH2 support.

Question:Has Consumer and Customer identity requirments for Retail been met full user experience and Admin/provisioning, federated access and delegated admin implemented? any large retail account or case study for the implementation available for sharing? Answer: Yes, we have several retail customers who have implemented unified, enterprise wide identity management to help grow their business (via customer loyalty apps and programs) and streamline/secure their business with complete Identity Governance and life cycle management. Click here to see customer examples:

Question:any large AppStore implementation and Global roll out? Answer: For the Oracle Mobile Security Suite we have some very large Fortune 5 customers with global rollouts including oil & gas, retail and banking.

Question: Can you elaborate on how security concerns were addressed about the form fill technology? Answer:The form fill technology in the Access Portal Service is built on Oracle ESSO Infrastructure. It leverages the same ESSO repository to store credentials and application configuration. It is compatible with the same business logic flows that exist in native ESSO . It fully supports bi-directional crypto between Java and CAPI code. The asymmetric key supports RSA and translation of PK pairs to/from MS PK & Java. The symmetric key support includes AES256 and TripleDES (for compat/upgrade). It fully supports encryption/decryption for ESSO Credentials in Java (compatible with CAPI). The Hashing / MessageDigest supports SHA1 and SHA 256 that is compatible with Java and CAPI

Question:Question from my Tweet - Will the new Access mgmt platform support SAML, OAuth as the standard instead of ObSSO token? Answer:We already support SAML and have now introduced support as an OAuth 2.0 server in PS2 while ensuring that these technologies work seamlessly in conjunction with session management and secure single sign on using OAM 11g technology.

Question:How do we provision deprovision users for Cloud Apps? Answer:We will provide auto provisioning of applications by allowing association to applications directly from the OAM console. Today auto provisioning is only possible using the Enterprise Single Sign-On provisioning gateway.

Question:  Is the Blitzer application available as part of the Oracle Access Manager product? Answer: The Bitzer technology is available in the Oracle Mobile Security Suite

Question: Does OAP provides support for Legacy application (Thick client) (Mainframe apps)? Answer: Access Portal - at this time - is for web-based applications only

Question:Does Cloud Security Portal works with OAM 10G version? Answer: Access Portal is an OAM 11gR2 PS2 service

Question: how do you compare Oracle PS2 with REST APU based security appliance like layer 7 etc? Answer: The Oracle API Gateway (OAG) component provides REST API security in the same way. This is already available and is widely deployed by our customer base -- particularly for their consumer and mobile facing applications.

Question: What are licenses needed for Automated Suite Installation for IDM which was spoken about ? Answer: The automated installation requires only licenses for the software that you are installing. There's not a separate license for the automation.

Question: Do you have PII, PCI compliance patterns implemented for SaaS eCommerce Apps globally? Answer: May need more info to answer this - but if Oracle accepts credit cards for any of its service then obviously it will need to follow PCI etc. Here is a link to a paper on how we align with PCI controls with IDM

Question: Do you see a push in the federal marketplace to implement the Oracle soft token approach to security or is the marketplace still leveraging traditional 2 factor and mobile technologies are lagging behind? Answer: We see a push across all verticals to use the soft token approach 

Question: As OMSS and IDM Suite come separately (2 different product suites) , then how exactly these get wired to achieve SSO. How difficult it is to wire it? Answer: These suites are separate from a licensing perspective  but utilize the same underlying platform.

When We Are All A Heartbeat Away From Data-Loss

Unless you have been sleeping under a rock the last few weeks, one of the biggest items of news in security has been around a vulnerability that has been around since December 2011. The vulnerability CVE-2014-0160, is more widely known as the Heartbleed Bug and is only now making its reputation known after researchers discovered the widespread impact of this vulnerability on data privacy.

The vulnerability is in an older version of the OpenSSL encryption routines used for secure web sessions. For example, when you go to your favorite banking or web email site, and after logging in, you see a padlock in the lower right corner. This “closed” padlock symbolizes that SSL (Secure Socket Layers) has initiated and secured a connection between your browser and the service you are connecting with to ensure nobody can intercept or monitor your communications. This is critical when filing taxes online, or sending private emails on Yahoo, or using cloud based file sharing services over a browser connection.

Without diving into the full details of the way the exploit works, in the simplest terms, this vulnerability allows a remote attacker to simply make a network connection to any remote system, and pull small chunks of data that is left in memory from the SSL session. While this does not mean that an attacker can pick and choose files from your system, it does mean that the kinds of information commonly found in memory are passwords, session IDs, encryption private keys and more. All of this of course is very sensitive information.

The biggest challenge here is that many consumers and corporate users recycle passwords and user names. User names are often their email address, and passwords often are re-used again and again, across all of their web services and web properties they access. So the challenge here is if an attacker is so lucky to collect one password for the online flower website they just purchased flowers on, chances are, that attacker will attempt to use that same user ID and password against mainstream email, financial, retail and services portals associated with that same user. 

The impact of the Heartbleed bug is global. It is as far reaching as any bug, as it affects hundreds of millions of online user accounts. Many researchers are advising to give a few more days until you attempt to change all of your online passwords. Why not sooner? Changing passwords when your systems and the services you connect to are still at risk of being vulnerable, is a wasted effort. By the end of this week, most of the online service providers you use will have all of their systems patched, most browsers will be updated and patched, and most smartphones and tablets will be secured. At that point, it will be highly recommended to change passwords. The best course of advice, check with your service provider such as your online banking website, or whatever your online service provider is, for when they give the "all clear" to reset passwords.

So what are the lessons here? Regardless if you are a member of a major corporation, a non-profit, or you are heading up a family of 3, it is the same advice. As a consumer or corporate user, you must practice implementing a new mindset around a password policy for yourself. Passwords and User IDs must be unique for each service and account you access. Passwords must not be personally tied to you in the sense that you should not have family names, or dates that are tied to you or family members. Rotating and refreshing these every 30 to 90 days is critical. This is called compartmentalizing the risk. The practice is used here so that if a password is compromised, only that one service is at risk, such as your online flower website. What is safe is, your personal banking, your company’s VPN password, your secure email passwords and more, all because you have maintained them separate.

In the corporate world, this can be greatly simplified through the use of Single Sign-On technologies that dozens of unique account credentials that would be hard to remember, and place them under one strong user ID and password that the employee can focus on remembering. For consumers, there are best practices around consumer oriented tools that can accomplish the same goal to help pull passwords together, but buyer be warned. For every one “reputable” product here worthy of storing your most sensitive information, there are 10 others that you should stay away from, as some even are malicious in nature designed to steal information – so be careful.

There are numerous online resources to help you research if your website is vulnerable, as well as many more security research articles that detail additional for administrators looking to remediate their websites.

For more information on how Oracle can help address your organizations needs around account provisioning, Single Sign-on and more, visit us at www.oracle.com/identity

Thursday Apr 10, 2014

Securing The Identity of Everything

Securing the Identity of Everything

Along with tremendous economic change, the Internet of Things (IoT) will transform the way IT organizations think about security. Instead of focusing on securing the network perimeter, IT departments will have to secure the new perimeter: people, data and devices. The new point of control will be user access to devices, data and applications. Each device will have an identity on the network, and companies will face the challenge of device tracking, registration and fraud detection. In this session, Ranjan Jain will discuss his current effort to manage the "Identity of Everything" and share how organizations can unlock the potential of this approach. Register now.

Ranjan Jain, IT Architect for Enterprise Identity and Access Management, Cisco 

Naresh Persaud, Senior Director, Product Marketing and Market Development, Oracle


Wednesday Apr 09, 2014

Webcast: Announcing The Oracle Mobile Security Suite



Oracle IDM 11gR2 PS2: Cloud and Mobile Strategy Update Webcast

As cloud applications and personal mobile devices continue to drive new business models, new security challenges for IT teams are on the rise. Oracle recently announced the availability of its latest Oracle Identity Management 11gRelease 2 PS2—which is heavily focused on securing the extended enterprise. 

This live webcast will provide you with an overview of key themes in Oracle Identity Management 11g Release 2 PS2, and cover salient aspects of the release’s cloud and mobile security strategy. You’ll also see a demonstration of the new cloud access portal and mobile security suite. The Twitter feed #OracleIDMPS2 can be used for questions during the live Q&A session at the end of the presentation.

Attend this webcast to:

  • Hear about the latest updates in Oracle Identity Management 11g Release 2 PS2 including new, strong authentication and installation automation features
  • See how Oracle is taking an application-focused approach to mobile security
  • Learn how you can secure your cloud applications with enterprise identity management

Register now to attend this important webcast. Tweet your questions using hashtag #OracleIDMPS2

April 10, 2014 – 10:00 am PST





<image008.gif>
Copyright © 2013, Oracle and/or its affiliates. 
All rights reserved.


Wednesday Apr 02, 2014

Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements - by Matt Flynn

Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.

Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.

In the MDM model, employees relinquished control of their devices to their employer. Big brother knew what was installed, how the devices were used, what data was on the device, and MDM gave organizations full control to wipe device data at-will. As a result, many people chose to carry two devices; one for personal use and the other for work. As device manufacturers dramatically improved products every six months, people quickly began using personal devices as the primary communication mechanism and work devices as-needed to perform certain tasks. It also drove people to insecurely send work data to personal devices for convenience increasing the risk of data loss. For these reasons and with the upswing of BYOD, MDM has been relegated to playing a supporting role in Enterprise Mobile Security.

Mobile Application Management (MAM) has emerged as a better alternative to MDM in the world of BYOD. MAM solutions create a secure mechanism for employees to interact with corporate data and apps without infringing upon personal apps and data. With MAM, organizations can control application and data access, how data is used on mobile devices, and to enable new mobile access scenarios without compromising security. MAM embraces the BYOD movement and encourages employee mobility while also locking down data, reducing exposure, and responding more efficiently to compliance mandates about how data is used. But MAM isn’t the end of the story.

Mobile access isn’t much different than other types of access. It’s just another access point that should be part of an Enterprise Access Management approach. Securing access via mobile devices shouldn’t require an entirely separate technology silo, another set of management interfaces, and yet another point of integration for corporate Access Governance. Also, most MAM solutions fall short on a variety of use-cases. By rationalizing MAM into an enterprise Access Management approach, organizations gain extremely valuable capabilities that are otherwise unavailable in MAM solutions alone.

For example, MAM-type on-device virtual workspace approaches don’t work very well in B2C scenarios where apps are delivered via well-known public app stores. Nor do they make sense from a user experience perspective in those scenarios. Also, for advanced Access Management scenarios such as risk-based transaction authorization, integrating basic app security with back-end adaptive access solutions provides extremely compelling benefits. With apps looking to leverage modern protocols such as REST to access legacy system data, there are benefit from Access Management infrastructure such as API Gateways that provide those services. Providing support for these advanced scenarios in a solution that provides a single point of management, single infrastructure, and unified audit trail is where Mobile security is heading.

Next generation mobile security solutions will see MDM and MAM features integrated into more traditional and enterprise-centric Access Management solutions. This single platform approach simplifies management, reduces cost, and enables an improved user experience. But more importantly, incorporating the capabilities of a robust Access Management platform opens new avenues through which to do business and engage with customers, partners, and the extended community. Oracle has a focus on providing exactly this kind of integrated and consolidated approach to securing the mobile platform through securing the device, applications and the access with the Oracle Mobile Security Suite.

In our next post in this series, we’ll look at the various deployment phases through which cloud technologies are being adopted by increasingly mobile workforces starting with cloud-based file sharing services.

Wednesday Mar 26, 2014

Multi Channel Architecture & Securing The Mobile Channel - by Ricardo Diaz

This brand NEW series from Oracle's Global Sales Support team will be dive into mobile security risks, dissect MDM, MAM and changes in the wind, device management, fraud, secure containers, extending IdM to mobile, application development and much more.

Multi-Channel Architecture (MCA) projects are trans-formative business trends brought on by I.T. modernization initiatives across industries.  As these customer, partner, vendor or employee channel's technology evolve to meet today's new business opportunities, security and privacy risks have never been greater.  Especially, the Mobile Channel.         


Let's look at one of my favorite industry's multi-channel architectures, BANKING, and why securing the mobile channel is a quickly becoming a priority for businesses globally.

A banks channels, ATM, Branches, Online, IVR, POS, PSE and Mobile, all need air tight information protection policy and rock solid security/privacy controls.  The Mobile channel on the surface, looms as the 800 pound gorilla in the room with many bank enterprise security architects because mobile security, to many, is so new.  In reality, with he right technology partner it doesn’t have to be. 

One of interesting and risky trend I noticed  working with Colombia, Mexico and Australia banks and their MCA projects is where the mobile application development group sits in the enterprise org.  These critical development teams were sitting outside of I.T. !  NO governance.  Weak security.  They did this to speed the development process of their apps.  I get it but this is a good example of what probably is more common than you'd think when it comes to the risks of mobile application development.   So is bringing these development teams under the I.T. umbrella going to secure their apps?  Not necessarily but his type of security challenge highlights the need for not just a good mobile security solution but one that isn't bound by organizational or political barriers.  All these MCA Banking projects had this challenge as a key business driver for a robust secure mobile channel.  Take a look INSIDE your organization.   Is security ubiquitous within your mobile business channel? Are short cuts being taken to speed up development and meet business demand?  Can you extend your enterprise security policy to these mobile devices if these apps were not built to your corporate enterprise architecture or security standard?

In the next GSS blog, we will highlight how the MDM/MAM space has evolved and why these technologies are part of the mobile security answer but not the final answer.

Tuesday Mar 25, 2014

Enabling access to Google Apps through Oracle IDM

Guest blog by Anand Murugesan

Adoption of cloud is enabling organizations to rapidly increase capacity and employee productivity while reducing their cost.  IT organizations are trying to play catchup to this accelerating trend and are faced with technological obstacles in enabling access to cloud applications.  When it comes to enabling employee access to cloud applications, organizations today are using cumbersome techniques including manual provisioning and de-provisioning process that causes delay in cloud enablement.  More over it leaves security vulnerabilities when employees leave the company or move between organizations.   Oracle Identity and Access Management suite (Oracle IAM Suite) addresses these issues with right set of technologies and tools to fast-track cloud adoption.  In this article we will discuss how organizations can enable their users to access Google Applications.  

Organizations can integrate Oracle IAM Suite with Google Applications through either Identity Federation or Identity Synchronization techniques.  The choice depends on the type of access needed for Google Applications.

First option is to use SAML 2.0 based Federation standards to integrate with Google Apps.  As per Google, “Google Apps offers a SAML-based Single Sign-On (SSO) service that provides customers with full control over the authorization and authentication of hosted user accounts that can access web-based applications like Gmail or Google Calendar.”   In this case Google Apps works as a Service Provider (SP).   Oracle Identity and Access Management Federation Service acts as an Identity Provider (IdP).  With this type of integration, when accessing the Google Apps through a web browser, the user is redirected to Federation Service hosted by customer for authentication.  Once authentication is complete the user is redirected back to Google Apps.  Federation Services supports both logout initiated by SP and IdP.  Customer still maintains full control of who has access to Google Apps.

Second option is to use two-way identity synchronization techniques.  Google Apps connector that ships with Oracle Identity Manager (part of Oracle IAM Suite) keeps both on-premise and cloud identities in sync.  This connector manages Google Apps as a ‘managed target resource’, enabling data about users created or modified directly on Google Apps to be reconciled into Oracle Identity Manager. More over the user accounts can be provisioned into Google Apps from Oracle Identity Manager.

Both Federation and Identity Synchronization techniques enable seamless integration with Google Apps.  When would you choose one over the other?   If the customer needs to enable only the web browser based access to the Google Application to their users, then SAML based Federation would be sufficient.  Setting up Federation is fairly simple process.  For more information refer to this white paper.  On the other hand, if the customer wants to enable user access beyond web browser to desktop or mobile clients such as outlook for Google Apps, identity synchronization would be a better option.  For more information on how to setup Google Connector, please refer to Oracle Identity Manager Google Apps Connector documentation.

Monday Mar 24, 2014

A European Perspective on Identity and Access Management

Guest blogger Marcel Rizcallah is the EMEA Domain Leader for Security at Oracle Consulting.

In the last 10+ years working with identity and access management  (IAM) customers, I have had the pleasure to work on different case studies throughout Europe that include specific industry requirements. In doing so, I have assisted customers with the definition of their IAM strategy and implementation roadmap, helping align security policies with business drivers.

I have learned that the European market is characterized by a high level of consolidation with merger and acquisitions in recent years. For example, most of the Telco organizations have consolidated through acquisitions, and now only a few giants remain such as BT, Orange, Vodafone, Telefonica and Telenor. The consequence is difficulty achieving compliance with regulatory laws and controlling operations costs as it’s challenging to get a single view of their European employees and centralize access rights across the various applications and systems, which unfortunately are still based on local and legacy solutions.

As most organizations used to have local and disconnected IAM solutions, they are now starting to rebuild consolidated and brand new IAM infrastructures based on the last versions of
Oracle IAM products. Thanks to the underpinning Oracle FMW stack, organizations can now provide the flexibility and scalability required by such huge implementations with 100 000’s of users and even millions of them, if we include their customers.

In the Public sector, governments and the European Union organization are working on citizen’s services integration to provide better user experience and harmonize citizen’s rights between countries, such as social security, unemployment and retirement services. For that, governments are adopting identity federation services based on SAML 2.0.  Federation is so strategic for them, that countries such as France were part of the Liberty Alliance foundation and were active in elaborating the federation standard with vendors such as Sun. Today, identity federation is also a key component of online government services, providing better citizen experience with access management single-sign-on and identity mapping when moving across online services such as unemployment or tax declaration.

European institutions such as national banks and borders agencies are providing access to their public agents to shared applications across countries. The complexity of such integration resides in the different approval workflows, which are specific to each country, and need to be processed across more than one organization. They have developed complex and custom workflows in their legacy IAM solutions which are difficult and expensive to maintain. This is where modern IAM platforms, with embedded workflows engines such as Oracle BPEL, can bring a strong added value.

In the finance sector, retail and private banks are looking to control critical application access based on employees’ job position and organization. Most of them have defined role models that need to be integrated with a provisioning solution to update accesses on user join, move or leave. Solutions usually rely on custom role modeling tools and corporate directories with groups associated to each role. Those directories must be designed to be highly available and performant to avoid being a single point of failure.

From those few examples we can see that IAM solutions have to address specific challenges per industry sector. Those challenges will increase with Mobile & Social, Big Data and Cloud computing! I will elaborate on this in a next blog.

Use the following links to learn more about Oracle IDM products and Oracle Consulting Services for IDM.

Friday Mar 21, 2014

What's New in PS2? The Cloud Access Portal

Cloud Application management is one of the main themes in the PS2 release.  I have asked Lee Howarth to explain a bit more about the new Cloud Access Portal Service.


With the advent of SaaS applications how do we solve password and single sign-on challenges…… again?

For many years Single Sign-On technology has provided various security and usability benefits, allowing organizations to simplify the user experience to gain access to multiple web and enterprise resources, while forcing more complex password policies to increase security.  Unfortunately this status quo is being challenged by the advent of Software-as-a-Service applications.

Once again users are being asked to remember multiple name and password combinations to their various SaaS accounts, a situation made even more frustrating by the fact that more and more users are accessing these sites from mobile devices.

The types of web applications accessed by a typical corporate user can be grouped into three main categories:

  1. Applications that require a name and password (corporate and SaaS) to be entered directly into a login form
  2. Applications that are protected via some form of Access Management solutions; and
  3. Applications that are federation enabled (corporate partner or SaaS application).

Addressing the password challenge across each of these categories, while simplifying usability and management are key benefits of the new Oracle Access Management - Access Portal Service.
The Access Portal provides:

  • A cross-platform logon portal for web-based applications that automatically adapts to the device form-factor.
  • Single sign-on to SaaS, web, partner and Oracle Access Management protected resources via Identity Federation, Form-Fill and Oracle Access Management session identifiers.
  • Centralized administration and wizard-based form-fill template generation to simplify administrative tasks.
  • RESTful interfaces to enable integration with existing corporate portals.

Administrators define application using the Oracle Access Management administration interface as one of three types – associated to each of the categories mentioned above.

  • Form-Fill Applications:  are applications that require a name and password to be entered into a login form.  The Access Portal service uses proxy technology to provide a form-fill service that supports login forms and can even sense when passwords have changed –perhaps due to password expiration - and enables the user to update securely stored credentials.
  • SSO Agent applications:  are applications protected by Oracle Access Management (OAM).  With this type of application the Access Portal simply represents OAM protected URLs.  Authentication is handled by standard OAM authentication and session management.
  • Federated Applications: are applications that required a federated authentication, be they partner or SaaS applications.  In this case the Access Portal applications are essentially IDP initiated authentication links, which use the Oracle Access Management – Federation Service to authenticate and assert their identity to a target application.

The following diagram represents the high-level architecture for the Access Portal Service (APS):

APS Architecture

For more information, please visit http://www.oracle.com/identity



 

Wednesday Mar 19, 2014

What's new in PS2? Many enhancements to Identity Governance

As you might know, our official IDM 11gR2 PS2 webcast will be held on April 10, 2014 @ 10:00 am PST

Register for our PS2 Webcast

#OracleIDMPS2 is our offical twitter handle for all things PS2!

In the run up to the webcast, I have asked the PM team to put together a series of blogs to help outline the big changes and new features that were introduced as a part of the PS2 webcast.  This week, the Identity Governance team has put together a post all about Identity Governance


Oracle Identity Governance is a suite of highly flexible and scalable enterprise identity administration solutions that provides operational and business efficiency by providing centralized administration & complete automation of identity and user provisioning events across enterprise as well as extranet applications. It provides role lifecycle management and privileged account management, ensuring consistent enforcement of identity based controls thereby reducing ongoing operational and compliance costs. New features introduced in the Oracle Identity Governance 11gR2 PS2 release are focused on customer success and improving overall reliability and reducing TCO of existing deployments. Highlights include: 

Dynamic Organization Membership

In a typical enterprise or extranet use case scenario, a user will be associated to their home organization but would require membership to other organization entities to perform related functions. For example, a global help desk user who belongs to the Support organization would require access to view and perform certain functions (like password reset) on other organizations like Finance, Sales etc. The solution has the capability to manually assign the help desk user to an Organization Viewer admin role, which is restrictive and more applicable to permission grants. 

Dynamic Organization Membership provides a way to specify a rule that would drive the membership of the user to one or more organizations based on their user attributes. The feature introduces the ability to specify a membership rule for organizations similar to how roles are handled. Once the user is dynamically associated to other organizations, they get implicit viewer privileges to view users, roles and privileges made available to those organizations as well. If certain users are needed to perform certain functions, like the help desk example above, they can still be associated to the corresponding admin role manually. Note that this is dynamic rule based organization membership (not virtual organization) that has to be associated with a physical organization in the solution.

Simplified Request Management

Oracle Identity Governance provides a centralized catalog of access rights, including enterprise and application roles, standard and privileged accounts and entitlements. The solution enables customers to create multiple views of the centralized catalog, like catalog by location, by department or a hierarchical catalog showing all applications along with associated entitlements etc., tailored to their needs. A list of beneficiaries can also be programmatically sent to the catalog enabling customers to integrate with other request initiating systems like a ticketing system.

Oracle Identity Governance provides a business user friendly catalog to request account entitlements. However it required the business user to know any entitlement related dependencies. For example, the user needed to know that they needed an e-Business account before they can request for an entitlement that grants them privileges to raise a purchase order in e-Business. OIG can now automatically request the account for a user when a related entitlement is requested, thereby reducing the burden of the business users to know the account-entitlement relationship.

Business users, requesters, approvers or access certifiers, often require detailed information on what a particular entitlement maps to in the target system. For example, granting an e-Business role or responsibility would grant a user a set of menu/button privileges. OIG now supports such critical hierarchical entitlement metadata to be imported and made available during request, approval and certification processes. Users typically would have more than one account in a target system and OIG supported multiple accounts to be associated with a user.

The solution now supports specifying to which account a specific entitlement in a request needs to be associated with during the request checkout process. In many cases, requesters are required to provide additional information during access request for each item requested. For example, in a request that involves multiple entitlements, the requester might be required to specify the start date and end date for each of the entitlements requested. OIG enables requesters to provide such information during request that can be carried all the way to approval and provisioning processes. OIG also provides an out-of-the-box scheduled task for entitlement grant and revoke based on the start and end dates specified.

Oracle Identity Governance also enables requesters to save the request cart enabling them to validate and submit requests at a later time.

Collaborative Certification Processes with Identity Auditor

Oracle Identity Governance introduces the capability of specifying additional levels of reviews in the certification workflow process. For example, OIG can now launch a certification review process whereby the business manager reviews the users that report to him/her, but is then followed by the managers' manager also reviewing the same access rights, while viewing the decisions made by their subordinate. In addition, collaborative Certification workflows with involvement from representatives from both Business lines and IT can also be launched for improved accountability and remediation. 

Improved Diagnostics

Oracle Identity Governance introduces a new operational console in Oracle Enterprise Manager that enables administrators a complete view of all the defined OIG operations, out-of-the-box and customer defined event handlers, child processes, workflow processes their state and error information without requiring to mine different server logs. This tool does not replace the larger IDM management pack in Enterprise Manager that provides a suite wide monitoring capability but serves as a useful diagnostic tool specifically for OIG. 

Privileged Account Session Management

Recent front-page security breaches have emphasized the fact that access control and monitoring of privileged accounts is critical. In some cases, privileged account password management alone is not enough. The OPAM solution in the OIG suite additionally provides session management and auditing capabilities to address extreme use cases. By creating a single access point to the target resources, OPAM’s Oracle Privileged Session Manager (OPSM) helps administrators to control and monitor all the activities within a privileged session.

 For more information on OPAM, read our blog here: New Session Management in OPAM

Tuesday Mar 18, 2014

What's New in PS2? Oracle Privileged Account Manager session management

As you saw in my previous blog there are a lot of new features in PS2 - and as we count down to our PS2 Webcast (April 10 @ 10:00 am PST - Register Here ) we will be posting a series of blogs detailing the new features.  In this blog, I have invited the PM team to talk about the new session management capability in OPAM.


11gR2 PS2 is an important release for OPAM where we made significant advances in many product areas. One such area is “Session Management”.

So, what is session management? In the past, privileged access management solutions focused on password vaults and providing secure access to the credentials stored in such vaults.

However, this approach raises certain questions:  

  • Can we prevent the end user seeing the actual privileged account password?
  • How can we control how the end user utilizes the password?
  • Can we capture the actions performed by the end user for audit purposes?


Session Management support in OPAM addresses all of these questions by focusing on the following areas:

Session Initiation

  1. Users can initiate a session as a privileged account without knowing the actual account password.
  2. Instead, the user just needs to authenticate himself and access to the target is granted based on the grants he has.
  3. Finally, since OPAM uses a gateway based approach the end user can connect using any protocol compliant 3rd party client.

Click for larger version

Thus privileged session initiation has been secured while not impacting the established working practices of the end user. The end user is still free to use the tools he is familiar with (ex. putty, openSSH etc.) and does not need to explicitly interact with OPAM for every checkout.

Session Control

  1. Sessions can be terminated based on usage policies (ex. after 30 mins)
  2. Sessions can be terminated by  security personal observing suspicious behavior


Since the sessions occur via OPAM’s Session Management server, there’s a controlled single entry point for privileged access. Additionally, since all sessions occur within OPAM’s purview we are able to control what occurs within a session and terminate it as needed.

Session Recording

  1. Session activity is recorded and stored in an Oracle audit database.
  2. It is indexed and searchable.

All action that occurs within a session is recorded, indexed and stored in the OPAM database. Therefore answering questions like who ran a certain command on the fileserver as admin between 9am and 10am on April 1st 2013 is trivial.

In summary OPAM’s Privileged Session Management is an important addition to the existing password vault solution, adding personal accountability and extending audit capabilities. In 11gR2 PS2, we focused on SSH since there is a very large footprint of SSH enabled target systems. However, moving forward we’ll be adding both new protocols and additional functionality as part of our session management offering.

For further details see Oracle Privileged Account Manager - Whitepaper



Thursday Mar 13, 2014

Major Themes of the IDM 11gR2 PS2 Release

On April 10, Amit Jasuja and his Product Management team will be hosting a webcast to explain all of the newest features in the PS2 release. (Register Here for the Webcast)

The PS2 release has 3 major themes: Cloud, Mobile & Simplification.

Oracle continues to expand our management capability for cloud applications, and one of the new features in the PS2 release is the Cloud Access Portal.  The Cloud Access Portal provides a single console for managing access to cloud applications.  Single sign-on, form-fill technology and federation capabilities, that runs on a full size browser, tablet or smart phone, make this new portal a must-have for organizations using cloud apps (who isn't?)

For Mobile application security, the PS2 release brings the introduction of the Mobile Security Suite. See our new web page devoted to specifically to mobile security.

Based on technology from the Bitzer Mobile acquisition, the Oracle Mobile Security suite allow organizations to separate and manage apps and data on mobile devices.  Here's a link to the new data sheet

The final major theme is simplification.  Oracle IDM is a secure, feature rich, highly scalable platform for protecting applications of all architectures.  To make this platform easier to install, patch and upgrade, PS2 introduces an installation automation wizard.  This wizard can capture details of an existing install, and save those parameters which can be used to clone an entire environment.  Installation times are dramatically reduced, as are patching and upgrade tasks.

In addition to these three major themes PS2 also contains: improved OAuth support, strong authentication features, new Privileged Account management features, as well as customizations and UI improvements throughout.

To learn more about the PS2 release: Register for our April 10, 2014 webcast


Wednesday Mar 12, 2014

Save the Date: April 10, 2014 @ 10:00 am PST - IDM 11gR2 PS2 Webcast

Oracle has recently released Patchset 2 for the Oracle IDM 11gR2 platform.  PS2 contains some important updates for Cloud & Mobile applications, as well as significant new features.  Register now to join us on April 10, where you will hear Amit Jasuja, SVP for IDM and Java talk about the focus on this release.  During this webcast, you will hear about:

  • Oracle's strategy for cloud application security - including a demo of the new Cloud Application Portal
  • New capabilities for full support of OAuth 2.0
  • Session recording and new management features for privileged account access
  • New features in the Mobile Security Suite - including a demo showing how business apps and data can be protected on a mobile device
  • New strong authentication functionality
  • All new automated installation wizard
  • Enhancements to Identity Governance

Register Now to Learn about the PS2 release: Webcast registration link

Wednesday Feb 26, 2014

Announcing Oracle Mobile Security Suite: Secure Deployment of Applications and Access for Mobile

Today, Oracle has announced a new offering, Oracle Mobile Security Suite, which will provide access to sensitive applications and data on personal or corporate owned devices.  This new offering will give enterprises unparalleled capabilities in how they contain, control and enhance the mobile experience.


A great deal of effort has been placed into analyzing how corporations are leveraging the mobile platform today, as well as how they will use this platform in the future. Corporate IT has spoken loud and clear of the challenges they face around lengthy provisioning times for access to applications and services, as well as the need for managing the increased usage of applications.  Recent industry reports show how significant the risks can be.  1 A detailed assessment of one of the most popular application marketplaces shows that 100% of the top 100 paid apps have some form of rogue variant posted within the same marketplace. As credential theft is on the rise, one of the targets this is being achieved is on the mobile device with rogue apps or Malware with embedded keystroke recorders or collection tools that send back other critical data from the device.

One of the great new features of the Oracle Mobile Security Suite (OMSS)  is through the use of containers.  Containers allow OMSS to create a secure workspace within the device, where corporate applications, email, data and more can reside. This workspace utilizes its own secure communications back to the back end cloud or corporate systems, independent of VPN.  This means that corporate information is maintained and managed separate of the personal content on the device giving end users the added flexibility of using personal devices without impacting the corporate workspace.  Remote wipe of data now doesn't impact the entire device, rather, only the contents of the corporate workspace.  New policies and changes in access and applications can be applied whenever a user authenticates into their workspace, without having to rebuild or re-wrap any applications in the process, unlike other offerings.  This is a very unique approach for Oracle.

More details on this new release at  http://www.oracle.com/us/corporate/press/2157116

Rounding out this offering, are capabilities that enable the complete end to end provisioning of access, Single Sign-on within the container, enterprise app store and much more.  

Technical Whitepaper: Extending Enterprise Access and Governance with Oracle Mobile Security

For the latest information on Oracle's Mobile Strategy, please visit the Oracle Mobile Security Suite product page, or check back for upcoming Mobile Security postings on the Oracle IDM blog page this March. 

1 2013 X-Force Internet Threat Report


Tuesday Dec 31, 2013

MDM + Oracle Fusion in the Cloud - Simeio Solutions

Introduction
In the previous posts in this series of blog posts, we covered many concepts, from Mobile Device Enablement, BYOD, Mobile Device Management (MDM), Mobile Application Containerization & Mobile Identity Management. While the focus on all the prior series were around the pro’s and con’s and best practices, we would like to take a detour in the conclusive post of this series and focus on  the cloud and how it co-relates to the “mobile” landscape.

BYOD, MDM and Cloud Computing by themselves are technologies that are becoming an integral part of the IT landscape at a rapid pace. While organizations have invested in infrastructures that allow their employees to work remotely via technologies like VPN, the technology stack in the advent of the MDM / BYOD age needs to extend to allowing for remote access via these mobile devices too.

Cloud Computing
In the information era, innovative concepts come along and emerge as a new trend. Not all trends are made equal. Cloud Computing is one such term that has not just emerged as a trend, but has enabled technology to take a leap forward in terms of  scale and usability. It has taken a quantum leap forward in terms of ambition. As with most technologies, there are many benefits that can be gained, but along with understanding the benefits, the business risks must also be evaluated.  While evaluating such benefits, it’s important to not just look at the short term benefits but also the long term objectives and goals of an organizations strategy.

What Is Cloud Computing
The definition of the term is just one of many that we have been introduced with in the industry. But what does it actually mean? Let’s take a brief look at a few definitions of the term:

Wikipedia: “Cloud computing is a phrase used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication network such as the Internet”

NIST: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared  pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released  with minimal management effort or service provider interaction”.

Merriam-Webster: “The practice of storing regularly used computer data on multiple servers that can be accessed through the Internet”.

For Dummies : “The “cloud” in cloud computing can be defined as the set of hardware, networks, storage, services, and interfaces that combine to deliver aspects of computing as a service”.

Before we provide you any more references to confuse you further, let’s take a pause here. We cited the top 3 sources of references. And each have their own variation of the definition. So which definition is more apt? Do they all mean something different or do they all mean the same? The short answer is, they are all the same. Any which way you read it, it translates to “cloud computing” being a model. A model that has certain characteristics.

The characteristics of a cloud network essentially are it being an on demand service, ability to scale to exponential proportions at a rapid pace, the ability to aggregate and resources from across multiple platforms and the ability of it being measurable.

The four fundamental deployment models of a cloud service are a public cloud, a private cloud and a hybrid cloud. Where the terms public private by themselves are indicative of its use, and the term hybrid as it’s itself definition goes is an amalgamation of the 2 models.

BYOD in the Cloud:
BYOD’s success is equivalently proportional to the variety of devices and platforms that it introduces to the IT systems. For organizations that are proponents of the BYOD ideology, the key factor that determines the ease of onboarding of users onto the corporate network is the use of Virtual Private Networking (VPN) technology. Enabling users to tunnel into the network via VPN allows organizations to enable their user to access files and/or control the applications on local machines that they require for their daily routines regardless of the platform or device they are using or their location as long as they are connected to the cloud.

Therefore, it is imperative that cloud connectivity plays an important role in enabling such access across platform or device agnostic systems.  BYOD needs to be part of a wider, holistic approach to Cloud computing.

Now take into account the general Cloud options. The problem with this is that you can lose control of the data while not losing responsibility for it. You don’t even know where it is. At a technical level, this might not be important; however at a legal and regulative level it definitely is. Moreover, your only ultimate control over your own data is your contract with the Cloud provider - and if the provider fails, contracts are no substitute for data.

The BYOD concept is evolving very quickly and the changes are influencing "how enterprises have adopted this technology" vary considerably. They are forcing IT section chiefs to think more intrusively and acquire tools to control this situation without restricting the end user experience. MDM or Mobile Device Management is one such very handy tool but as BYOD concept continues to spread, businesses would require many other services in integration with MDM. Two of such services are Mobile Device Management (MDM) and Content Management.

MDM in the Cloud:
Cloud based device management doesn't minimize application or operating system bloat but what it does do is leverage the Internet's bandwidth for delivery, monitoring and metering. If an organization is geographically dispersed and diverse, cloud based MDM becomes a necessity rather than a requirement. A smart way to setup a cloud based MDM solution is to place the organizations asset management system in the cloud and allow the processes to take place via user's personal bandwidth. It's kind of an extension of BYOD but in this case it's BYOB, where the "B" is bandwidth.

By using an employee's personal bandwidth for that "last mile" leg of the delivery process, the corporate network's bandwidth, even on a segregated network, remains available for monitoring, operating system delivery, server patching, administration, and other required maintenance activities.

Cloud-based MDM will be most effective with user devices, which will always outnumber data centered ones. User devices burn up the bandwidth due to the sheer numbers of them.

When we refer to MDM in the cloud, a key issue that pops into mind is “security”. Arguably the greatest challenge faced by organizations embracing BYOD is that of security; ensuring that personal devices aren't compromised in themselves and don't pose a security threat to the rest of the network. Allowing BYODs introduces many more vulnerabilities at various steps in the network and so there are many ways in which these risks can and need to be addressed.

The first step is to reduce the risk of the personal device being compromised in the first place. This is particularly pertinent where employees are bringing their own device in to connect to the businesses LAN. To achieve this, some organizations have conditions of use which require that the user's device has specific anti-virus and management software installed before it can be allowed onto the network. However, the risks can also be reduced by ensuring that personal devices are only allowed to connect to the local network via a VPN rather than a direct connection, even when the user is on site.

Using a VPN is a must for users in remote locations as the secure tunnel of a VPN prevents any information being intercepted in transit. It can be tempting for employees working off-site (or even on site) on personal devices to email documents, for example, backwards and forwards but the security of such communications can never be guaranteed.

What's more that approach requires that at least some work data is stored locally on the personal device - a cardinal sin in terms of data protection. Again both VPNs and cloud solutions can negate the need to store local data. Using a VPN will allow the worker to operate on the local network, accessing, working on and storing everything they need on there, rather than on their own device. Secure cloud services on the other hand can be used to provide collaborative workspaces where users perform all their work in the cloud so that colleagues, wherever they are, can access it. However care should be taken to check the security measures used by cloud providers before signing up to such services whilst the user must also ensure that someone who misappropriates a device can't then easily access their cloud account (through lack of device security and stored passwords etc).

Since MDM itself is a relatively new concept there is disparity in opinion regarding the implementation of a cloud based system. While most organizations prefer a cloud based solution, others are not willing to let go of a very recent transition made from traditional networks to MDM. Some however have opted for a hybrid solution where data processing is done on servers A purely cloud based solution however is more beneficial to the requirements of companies especially if they're on a small scale.

  1. Setup Time : The setup time for a cloud based system is very little. This is because the data is ultimately on a cloud and the creation of a system which gives access to multiple devices can be easily done.
  2. Setup Cost : Budget constraints are common problems faced by small companies. The BYOD automatically removes the strain of providing devices to employees whereas cloud systems enable mobile device management without the need of spending money on technical equipment such as server machines, cables, power outlets and switches.
  3. Maintenance : Regular maintenance of the server will be unnecessary. If the software has the latest updates and is working properly, chances are the server is providing optimal performance as well.
  4. Costs : One of the most appealing features of MDM is the low initial cost of set up. What is overlooked however is that the running or operating costs of the cloud systems are reasonable as well. Payment is done simply on usage basis and according to the number of devices connected to the cloud system.
  5. Ease Of Access : The cloud may be accessed from any locations which means that workers in remote locations will be able to work from home or other locations.

Oracle Fusion Middleware:

Cloud computing may appear to be spreading like wildfire with both enterprise and personal users jumping at the chance to take advantage of the cost effectiveness, scalability and flexibility that it offers. However, there is a strong debate amongst industry experts, and beyond, as to whether this uptake, however rapid, has been severely tempered by a lack of trust and understanding around cloud services from prospective clients.

Many propose that, as has been the case in many markets that have preceded cloud computing, the answer to client wariness is standardization with the aim of delivering transparencies. In other words, create a market where a client can shop between multiple providers and judge their security levels, data handling, performance and service stability on comparable metrics.

Oracle Fusion middleware does just that. It’s based on standards and enabled organizations to standardize their platform offerings.

Oracle Fusion middleware enables you to secure mobile (native and Web) applications with Oracle Access Management. This includes authenticating users with existing credentials; enabling two-factor authentication; and using mobile authentication to enable secure Web services and REST APIs, REST-to-SOAP transformation, and identity propagation.

Version 11.1.1.8 of the latest release of Oracle WebCenter Sites provides an integrated mobile Web solution that enables business users to author, edit, and preview content for different groups of mobile devices—all from within the same interface that is used to manage their main Website. Oracle WebCenter Framework is an Oracle JDeveloper design-time extension that breaks down the boundaries between Web-based portals and enterprise applications. It also provides the runtime portal and Web 2.0 framework on which all Oracle WebCenter technology runs.

The Best of Breed
With Oracle Fusion middleware, you gain access to the best of breed in technology platforms and tools that would not just enable your organizations BYOD program to sprint forward but would enable to enhance the service delivery model by providing your organization with the core tools and technology that would not just power your BYOD and MDM strategy but also enable you to leverage the exact same platform for your enterprise wide security strategy.

If you’d like to talk more, you can find us at simeiosolutions.com











Friday Dec 13, 2013

Passing the Puck to the CTO - BeachBody's Miracle Moment of Identity

BeachBody CTO, Arnaud Robert, was prepared for competitive business at an early age.  Showing success on the ice as a captain of his hockey team, taught Arnaud that there are many similarities between the game of hockey, in particular, the position of team captain, and that of today's CTO.  As Arnaud points out, today's CTOs must remain very nimble and capable of acting much like that of a team captain.  Regardless if we are talking pucks and tasks, periods and quarters or games and projects, the methodologies in managing has given Arnaud a focus with the BeachBody business that he has used to expand the BeachBody enterprise in the areas of Identity Management and Mobile Enablement.

Take a moment to watch this great video from Arnaud and see if you and your CTO can relate to the hockey challenges, and how you are responding in the areas of Identity.


Wednesday Dec 11, 2013

Facilitating Secure BYOD: Deep Dive - Simeio Solutions

In our first post, we explored BYOD, its imminent challenges and tool sets which one can employ to overcome these hurdles. The second post gave you peek into Mobile Device Management (MDM) and the set of problems it alleviates.

In this post, I will briefly introduce you to a relatively lesser know Mobile Security term known as 'App Containerization'. Then we will continue to explore the Oracle Access Mobile and Social product offerings. This time, the emphasis would be on 'How' OAMMS facilitates a secure mobile experience and help you gain insight into what really happens behind the scenes.

Mobile Application Containerization: What does it really mean?
As the name clearly indicates, it is a mobile 'application' level security mechanism as opposed to 'device' level protection with an emphasis on providing finer-grained application-level controls, not just device-level controls. Application Containerization can allow organizations to protect their data on any mobile device by ensuring that security restrictions are applicable only when the user interacts with the enterprise/official business applications.

How is it different from Mobile Device Management?
Mobile Device Management (MDM), empowers IT with device level controls such as executing remote data wipe, enforcing device password policy etc. It is an indispensable tool for corporations. However, from an end user perspective, MDM brings to fore, concerns such as

Employee privacy invasion - Why should the organization have ACCESS to my personal photos, emails etc?

Employee personal data sustainability concerns - What if my company wipes out ALL of my personal data on my device in order to reduce risk for couple of corporate applications?

All that matters is to keep enterprise data secure, not to intrude user's privacy.

'Containerization' is a technique which can help organizations combine the best of both worlds. It is categorized under the 'Mobile Application Management' (MAM) domain.  This is a new generation mobile security technology which ensures tight reign over corporate data on mobile devices without being too intrusive for the end user. Personal and Containerized applications can coexist on the mobile device, but each containerized application's data stays within the confines of its own 'container'. Communication to corporate servers or other 'containerized' applications are completely 'secure'.

App Containerization Fundamentals and Strategies

  • Works on the concept of 'Sand-boxing' the application execution.
  • Provides a secure run-time container for each managed application and its data.
  • Clearly segregates personal and corporate applications and associated data irrespective of the device.

Few of the techniques which are employed for application containerization have been listed below

Application Wrapping
This strategy involves processing the application via the 'App Wrapping' tool and creating a security wrapper around it. This process does not require any additional 'coding'.

Customized Code Based Integration
Specific Software Development Kits (SDKs) can be leveraged in order to 'code' the functionalities which cannot be delivered via 'Application Wrapping', Mobile application developers can use APIs in the SDK to weave the capabilities of the mobile security platform within the applications.

Dual Persona
This is a containerization technique wherein corporate and personal applications are installed under separate areas which are abstracted as 'personas'

Encrypted Space
Applications and data may be kept within the confines of an encrypted space, or folder.

A comprehensive App Containerization strategy combined with device level protection can go a long way in providing end-to-end mobile security.

Where does Oracle come into the picture?
Through its recent acquisition of Bitzer Mobile, Oracle's rich portfolio of mobile security offerings has been further strengthened.  Oracle can help organizations with comprehensive solutions in order to manage the security of enterprise data held on employee's mobile devices.

Why Containerize Your Apps?
Containerization  improves user experience and productivity as well as ensures enterprise safety and compliance by,

  • Enabling secure and seamless data and service sharing between containerized apps. Users can access, edit, sync, and share corporate documents or other workflows that require multiple applications to work in coherence with each other.
  • Restricting a user’s ability to access, copy, paste or edit data held within the application container.
  • Enforcing security policies that govern access to the containerized data
  • Allowing employees to switch between personal and corporate applications seamlessly, without risk of compromising company information.


Let us pick up the thread from the very first post of this series, and take a deep dive into the Oracle Access Manger Mobile and Social product offerings.

Oracle Mobile and Social Feature Set

OAMSS features can be broadly categorized into the following

Mobile Services
Mobile Services segment of the OAMMS connect mobile devices and applications to existing IDAM services and components and enables organizations to reap full benefit of its existing IAM investments
Salient features of 'Mobile Services' are as follows

Authentication
Under the hood, the basic Authentication process is powered by Oracle Access Manager.  A typical use case encapsulates the following set of events

  • The user launches the mobile application on his device which the him to the Mobile SSO Agent.
  • Assuming that the device is already registered, the Mobile SSO Agent sends the user name, password, and Client Registration Handle to the Mobile and Social server for validation.
  • Mobile and Social Server responds with a User Token as a result of the above process and this token is further utilized by the calling mobile application to request for an Access Token.
  • After fulfillment of Access Token by the Mobile and Social server, the business mobile application can leverage this token to make calls to the resources/enterprise applications protected by Oracle Access Manager or Oracle Enterprise Gateway.


OAMMS Authentication Process

Authorization
The Authorization is taken care of by Oracle Entitlements Server (OES) which is driven by policy-based configurations. OES manages authorization for mobile devices and application with the help of 'mobile device context' which is nothing but a type of 'Identity Context' attribute.

Identity Context is made up of attributes known to the multiple identity and access management components involved in a transaction and it is shared across Oracle’s identity and access management components

Single Sign On
With SSO in place, user can multiple mobile applications on the same device without having to provide credentials for each application. Mobile SSO can be leveraged by both native and browser-based applications. A mobile application installed on the mobile device needs to be designated as a mobile SSO agent in order for mobile bases SSO to work.

  • The Mobile SSO agent application acts as a mediator between the Mobile and Social server and the other applications on the device that need to authenticate with the back end identity services.
  • It orchestrates and manages device registration, risk based authentication.
  • Ensures that the user credentials are never exposed to the mobile business application.
  • It can time-out idle sessions, manage global logout for all applications, and help in selective device wipe outs.

Device Registration
Oracle Adaptive Access Manager (OAAM) policies are executed by the OAAM Mobile Security Handler Plug-in.

  • The OAAM Security Handler Plug-in creates two security handles
    • oaam.device handle, which represents the mobile device
    • oaam.session handle, which represents an OAAM login session for a client application
  • The above mentioned 'handles' drive the 'device registration' process
  • OAAM policies can be configures to force device registration process to require Knowledge Based Authentication (KBA) or One Time Password (OTP)

Oracle Mobile and Social leverages adaptive security measures such as OTP by delegating to specialized components such as Oracle Adaptive Access Manager (OAAM)

Lost or Stolen Device Management
The Mobile and Social service works hand in hand with OAAM and counters these risks by providing a way to tag a device as lost or stolen and then implement policies that are designed to be invoked when a compromised device tries to gain access to sensitive resources via the mobile applications.

  • If the device has been reported lost or stolen, OAAM can be configured to challenge a user before providing access to the mobile applications and its associated data.
  • OAAM policies can also be designed to wipe out the device data if the device attempts to communicate with the Mobile and Social server after being reported lost or stolen.
  • OAAM policies can be configured to protect against 'Jailbroken' devices and wipe out the data. Mobile and Social service needs to be configured with jailbreak detection on.
Internet Identity Services
Internet Identity Services allow Oracle Mobile and Social to act as a relying party and leverages authentication and authorization services from cloud providers. Mobile applications can consume Social Identities securely and customers to federate easily with social networking sites

These services benefit the end users as well as the developers

User centric - The users are presented with convenient multiple log-in options and can use their existing credentials from cloud-based identity services to log in to mobile applications.

Rich OOTB support - Currently, OAMMS supports major Social Identity Providers such as Facebook, Google, LinkedIn, Twitter, Yahoo, Foursquare and Windows Live

Extensible - Developers can add relying party support for additional OpenID and OAuth Identity Providers by implementing a Java interface and using the Mobile and Social console to add the Java class to the Mobile and Social deployment.



Oracle Mobile and Social services can be easily extended to support other service providers, thanks to its flexible architecture based on 'Open' standards such as OAuth and OpenID

End to end flow wherein Identity Services are used in conjunction with OAM (for authentication)
  • A protected application is accessed by the user which in turn is intercepted the WebGate.
  • The Mobile and Social server presents a login page to the user after OAM analyses the authentication policies applicable to the resource.
  • The login page presents a menu of Social Identity Providers (e.g. Facebook) and the user is redirected to the login page for the selected Social Identity Provider
  • The user types a user name and password into the Social Identity Provider's login page which is validated by the Identity Provider redirects the control back to the Mobile and Social server.
  • The Mobile and Social server further processes the Identity assertions supplied by the Identity Provider and after retrieving user identity information, redirects the user's browser to Access Manager. This time HTTP headers in the page request provide Access Manager with the user's authentication status and attributes.
  • Access Manager creates a user session and redirects the user to the protected resource


User Profile Services
User Profile Services allows mobile applications to perform a variety of LDAP compliant directory server tasks.

  • Directory administrative tools can be created wherein an authorized administrator can invoke CRUD operations on users and groups, manage passwords and entities like managers etc.
  • Corporate or community white pages are another common application using User Profile services.
  • These services are inherently secure and protected by either an OAM token or a JSON Web Token (JWT), and they can also require device and application registration
  • OOTB support for seamless integration with popular LDAP compliant directory servers such as Oracle Directory Server, Oracle Internet Directory, Oracle Virtual Directory, Active Directory etc

SDKs and REST APIs
SDKs help developers embed identity security features into mobile applications and promote usage of existing identity infrastructure services.

  • They promote ease of development of mobile applications by serving as a security layer and driving features like authentication, authorization, user profile services and secure storage.
  • The SDKs also serve as an 'abstraction layer' which allows system administrators to add, modify, and remove identity and access management services without having to update mobile applications installed by the user.
  • OAMMS provides dedicated APIs for each of its feature categories, namely, Mobile, Internet Identity and User Profile services

Oracle Mobile and Social Services provides separate client software development kits (SDKs) for Apple’s iOS and Google’s Android.

The SDK functionalities are segregated into four distinct modules

  • Authentication Module - Processes authentication requests on behalf of users, devices, and applications.
  • User Role Module - Provides User Profile Services that allow users and applications to get User and Group details from a configured Identity store.
  • REST Handler Module - Provides access to REST web services and automatic injection of tokens for Access Manager protected REST web services.
  • Cryptography Module - Provides simplified APIs to perform cryptography tasks like hashing, encryption, and decryption.
  • Secure Storage Module - Provides APIs to store and retrieve sensitive data using the preferences storage of Android.


Generic REST API
Oracle Mobile and Social Services exposes its functionality through a consistent REST interface thus enabling any device capable of HTTP communication to send REST calls to the Mobile and Social server. These can be leveraged when it is not possible for to utilize the SDKs directly for communicating with the Mobile And Social backend components.

API Security
Oracle API Gateway (OAG) acts as a filtration layer for inbound for REST calls into the Mobile and Social server. It integrates seamlessly with OAM and OES to provide authentication and access control.

In the Mobile and Social solution context, OAG provides services such as

  • Validating JSON Web Tokens (JWT) embedded within REST calls
  • Mapping of XML to JSON for consumption by mobile devices
  • Validation of HTTP parameters, REST query and POST parameters, XML and JSON schemas
  • Protection against Denial of Service (DoS), SQL injection, and cross-site scripting attacks.
  • Auditing and logging web API usage tracking for each mobile client.

OAG and OES leverage their individual capabilities to provide context-aware authorization of mobile business transactions, authorization for REST APIs, and selective data redaction in the response payload.
Sequence of steps involved in OES powered authorization and 'redaction' process

  • A mobile application request which is intercepted  by OAG delegates authentication to OAM.
  • OAG leverages an integration adapter called OES Java Security Service Module (SSM). to interact with OES to authorize the request.
  • After successful authentication and authorization, the user  is granted access to requested resource (business application).
  • Further authorization is driven by OES based on configured policies and it might end up in 'redaction' of some confidential information from the response.
  • OES thus provides the 'redacted' response to OAG which further propagates it back to the requester

OAG and OES working in tandem

Conclusion
I hope you have gained a fair idea of the challenges which enterprise mobility requirements poses and the various options which Oracle FMW product suite has to offer to modern day organizations to empower and enable to them overcome these hurdles and successfully mobilize their workforce. Customers who are already utilizing products such as Oracle Access Manager and Adaptive Access Manager can easily leverage Oracle Mobile and Social to extend the same security capabilities to mobile applications.  Our final post will introduce you to the nuances of Mobile Device Management (MDM) for facilitating secure BYOD programme in the 'Cloud'.

About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.


Tuesday Dec 03, 2013

Mobile Device Management (MDM) Within Your Enterprise - Simeio Solutions

Introduction
One of the major challenges facing every enterprise in the Bring Your Own Device (BYOD) age is how to maintain control of the devices used to access proprietary data. In this post, the second in our four-part series on BYOD and the changing mobile landscape, we’ll take a look at this issue in more detail.

It’s difficult to overstate the challenge. As organizations enable broader access to more and more information – including highly valuable and sensitive intelligence and intellectual property – they need to ensure that the devices used to access that information are secure, that the devices can be remotely managed and de-authorized, and that information on those devices can be destroyed or disposed of securely. But at the same time, the rise of BYOD means giving up a large measure of control over those devices because they are no longer owned by the organization but rather by individuals who maintain full control and authority over them.

In just a few short years, we’ve moved from uniform, company-owned desktops tethered to the office to diverse, individually-owned mobile devices that can literally be taken – and lost  – anywhere in the world. This mobile revolution has enabled an entirely new kind of workforce and unprecedented productivity and business opportunities, but it has also created a concomitant surge in risk. Addressing this risk has become an organizational imperative, which is why Mobile Device Management (MDM) has become a high priority at most enterprises.

A Plethora of Platforms
When you consider all the moving pieces that are involved in mobile computing – multiple hardware device types and manufacturers, operating systems, applications, telecommunications carriers, and supporting back-end infrastructures – the challenge of securing your mobile devices can seem all the more daunting.

Most enterprises would consider securing the platform vendors, hardware providers and telecommunication carriers to be “out-of-scope” due to the sheer volume of platform vendors and the telecommunication carriers that provide the backbone service to users across continents. It is far more practical to control and enforce restrictions on the individual devices.

In the early days of mobile computing, organizations could select a single platform to support (e.g. Blackberry), which made the job far more manageable. The adoption of BYOD, however, means you’ll need to support a wide variety of platforms, including Google Android, Apple iOS, Microsoft Windows and Blackberry, the four primary players at the moment.

There is no right or wrong platform when it comes to addressing security and MDM. Each platform comes with its own set of features, benefits and associated risks:

  1. Blackberry : The Blackberry has enjoyed tremendous popularity among IT organizations. The Blackberry software provides enterprises with servers and software that offer unparalleled remote management capabilities, but it comes at a cost. Blackberry has also recently lost significant market share to competitors, and many are questioning its survival.
  2. Apple iOS: Many consider the iPhone and iPad to be the most innovative products when it comes to revolutionizing the mobile industry. Unfortunately, many also consider iOS to be one of the weakest platforms when it comes device management. While the ability to deploy and distribute apps is a breeze, managing these devices remotely could prove to be a quite a challenge. Apple has responded to this criticism with a new OS version and hardware with improved security and integrated MDM features.
  3. Google Android: Android is by far the most popular platform as measured by market share. However, it is also known for its notorious variety of devices and flavors of operating environments. Even with the diverse array of OS options available, some Android devices come with enterprise grade software services that enable remote management (although some do not).
  4. Microsoft Windows: Microsoft is a well known player in the mobility space, but the reliance on third party toolsets, systems and servers to manage devices by leveraging the vendor published device management protocol make it a complex deployment.

Despite the pros and cons, organizations today must be ready to support any and all of these platforms without compromising the organization’s security.  Securing the devices, the application and the data that these devices hold goes way beyond simple authentication platforms that are currently in place. There is also the need for compliance enforcement to ensure that each of these devices are secured and do not in any way become a pathway for exploits and intrusions into larger systems that form part of an enterprise’s proprietary infrastructure.

Past, Present and Future
As device adoption changes over time, it is crucial to be prepared to address these evolving changes as they occur. An oversized platform may reduce in size as time rolls by. Your organization might currently have predominantly iOS and Android devices, but could change to a predominantly Windows based service as time evolves, or vice versa. It is important to acknowledge these evolving patterns and gear up for an ever evolving device adoption strategy.

The current market adoption of the various platforms has Android at 61%, iOS at 20.5%, Windows at 5.2%, Blackberry at 6% and Other devices at 7.3%.


However, there is a huge difference between the overall market share and enterprise use, where Blackberry – despite its fall from grace with consumers – continues to be a dominant player. BlackBerry still has a market share of about 38% among businesses with more than 10,000 employees, as well as more than a 33% share in government and financial institutions . But this appears to be changing rapidly.

This is exactly the kind of situation where a good MDM strategy would enable organizations to traverse any change in market dominance that may occur over time.  Adoption and market share also tend to vary by geographic region. For example, Android adoption could be very high in Asia Pacific while relatively low in North America. Therefore it is necessary to also look at an organization’s geographic employee dispersion ratio while building a strong MDM strategy.

By 2015, it’s projected there will be 7.5 billion mobile devices globally. By 2016, it is estimated that global mobile device usage will grow by 20% in the Android space, 10% in the iOS space, 30% in Windows phones, and 3% more Blackberry users. According to a recent Forrester Research Report, mobility and BYOD programs in use by North American based information workers are expected to triple by 2014. Also, the use of tablets at work is rising at an exponential rate. Today there are 50% more tablets being used in the enterprise than just a year ago.

The bottom line is that the future could hold anything. It could be an exponential increase of one of the aforesaid platforms or an emergence of a new platform altogether. You must be ready in any case.



An Effective MDM Strategy
Building an effective MDM strategy is of great value to any enterprise. We believe there are three key criteria when chosing or developing an MDM solution:

1)  Develop a single, unified solution with the flexibility to address virtually any device or platform.

Given the rapidly shifting market shares and already large and rapidly growing number of mobile devices, it would be a Sisyphean task to maintain one device management tool per device. A better strategy is one that has a broader focus on converging technologies that power a variety of devices.

Having a unified MDM service allows for global policy enforcements. It also allows for rapidly provisioning and de-provisioning devices onto the network with split liability – where individuals agree to cede some control over their personal device, often in exchange for a stipend or sharing of expenses with the enterprise.

Such a unified MDM service gives employees more control over which devices they are allowed to bring in. It also gives employers more control over what these devices can do when on the corporate network.

2)  Cover the complete lifecycle – especially in between the two endpoints.

Your MDM solution shouldn’t be limited to the provisioning and deprovisioning aspects of a BYOD program but should focus more on the period in between those two endpoints, including the ability to:
  • Control what runs on the device when connected to the corporate network
  • Determine whether security protocols have been adhered to
  • Do an over-the-air (OTA) update of an applications, configurations or device firmware
  • Support audit requirements
  • Track the location of the devices themselves

3)  Look to the cloud

Organizations embracing “cloud computing” have been steadily increasing, which comes as no surprise with the increased growth in the mobility space. Cloud based Mobile Device Management solutions have emerged as well, which organizations can leverage in tandem with their internal cloud transformation processes.

Prioritizing investments in effective strategies not only allows for on-boarding a new MDM platform at a much rapid pace, but also helps ensure the security and integrity of systems that the organization exposes to the cloud in addition to the devices that are now onboarded into the organization’s network.


MDM Best Practices
At Simeio Solutions [http://www.simeiosolutions.com/], we’ve established a set of best practices to help our clients implement a successful enterprise MDM strategy. These include:

  1. Enablement for a multi-platform, vendor-agnostic device on-boarding. Even so, enterprises should allow only the mobile devices that have the best possible control and security built in.
  2. A strong security policy. Enterprises must strive to employ a good encryption methodology, which is a key to building a strong security policy. Device encryption methods can help encrypt the local storage, but enterprises must ensure that it covers all the risk areas including the internal and external systems as well.
  3. Maintain a device registry. Take a periodic inventory of all the devices connected to the corporate network.
  4. Remote over-the-air updates. It is essential to Identify unusual situations such as jail breaks, lost devices, device theft, number of repeated failed login attempts or failure to connect to the network for lengthy periods (e.g. more than a month), and enabling those mobile devices for remote wiping, automatic padlocking and account locks.
  5. Maintain an application white-list. Tentative white-listing of applications allows only authorized software to be installed on the mobile devices and prevents the malicious software from entering the corporate network.
  6. SSL and VPN Connectivity. Enterprises should employ VPN access to enjoy the benefits of shared networks without any security concerns in transmitting sensitive data over the internet, since VPNs encrypt the data in transit.
  7. Regular security updates and patches. Enterprises need to ensure that the mobile devices connected to their corporate network are installed with regular security updates along with updates of new upgrades and patches for the mobile operating systems (iOS, Android OS, Blackberry OS, etc).
  8. Deploy intrusion detection and prevention systems (IPS/IDS). IPS helps to proactively respond to security threats initiated on the corporate network by smartphones and tablets. Enterprises could extend their existing IPS systems to monitor mobile devices and help deter risks associated with remote attacks.


MDM and Security
Addressing security is a critical component of an effective MDM strategy. Inevitably, you’ll have a laundry list of security issues that must be considered and addressed. You may need to look at security from many perspectives, including how to secure the data on the device, or the security around how a device or use is authenticated prior to enabling access to information or resources, and even how the data being transmitted is secured from tampering and ensuring confidentiality.

Security as it pertains to MDM involves encryption algorithms such as RSA, MD5, and AES. It also involves token services like HOTP, OATH, TOTP. You will need to pay attention to protocols such as HTTPS, LDAPS, and other secure means of transmission. There are also session handlers, Two Factor authentication services, secure delete, and device management capabilities including remote wipe, remote lock, and remote install.

The three major component of a strong MDM security framework are:

  1. Data Access Security Mechanisms
    • User and Device authentication
    •  Authorization and policy enforcement
    • Integration with other token services  that leverages existing identity management infrastructure services to access services such as Salesforce.com or Box.net
  2. Data Storage Security Mechanisms
    • Encrypt data at rest, both on the device as well as on the server side applications and service components
    • Secure delete and the ability to overwrite existing data
    • Protection of keys credentials and tokens used to decrypt data and make the data available for use
  3. Data Transmission Security Mechanisms
    • Establishing a secure connection between the device and the company’s infrastructure
    • Creating and managing sessions for required set of transactions
    • Handling HTTP requests in the appropriate manner
    • Encryption of data transmitted over the channel

Bring it all together
Scaling to support all of the possible mobility enabled devices could incur significant hardware costs and create management complexity. Even though scalability may seem like a distant concern for some enterprises, the proliferation of mobile devices and applications growing at the current rate  will make that concern a reality sooner than later. Enterprises will do well to incorporate long-term scalability requirements into their plans early on.

Luckily, a variety of solutions have emerged to help organizations meet this challenge. Oracle, for example, has a suite of tools that can make it easier for organization to deploy a strong MDM solution. They can even make it easy for employees to onboard their own devices to the corporate infrastructure in split liability mode.

Oracle Beehive is one such tool. It provides an integrated set of communication and collaboration services built on a single scalable, secure, enterprise-class platform. Beehive allows users to access their collaborative information through familiar tools while enabling IT to consolidate infrastructure and implement a centrally managed, secure and compliant collaboration environment built on Oracle technology.

Oracle Utilities for Operational Device Management is another example. It was developed by Oracle solely for the purpose of meeting the needs of asset management for “smart devices.” The software manages devices such as meters, access points or communication relays and communication components attached to various devices that are too complex for traditional asset management systems. It handles critical functions, such as managing and tracking updates and patches, as well as supporting governance and regulatory audits and smart grid Network Operations Center (NOC) processes.

Oracle Platform Security provides an abstraction layer in the form of standards-based application programming interfaces (APIs) that insulate mobile app developers from security and identity management implementation details. With OPSS, developers don’t need to know the details of cryptographic key management or interfaces with user repositories and other identity management infrastructures. Thanks to OPSS, in-house developed applications, third-party applications, and integrated applications benefit from the same, uniform security, identity management, and audit services across the enterprise.

These are just a few examples of the tools available that can help you design and deploy an effective MDM solution. In our next post, we’ll take a look at Mobile Access Management, another key aspect of managing mobile devices in the BYOD age.

About the Author:

Rohan Pinto is a Senior IAM Architect at Simeio Solutions who is responsible for architecting, implementing and deploying large-scale Identity Management, Authentication and Authorization (RBAC, ABAC, RiskBAC, TrustBAC) infrastructures with specific emphasis in Security.


Monday Nov 25, 2013

Congratulations to Putnam Investments for winning the 2013 Oracle Excellence Award for Identity Management

This year, Putnam Investments won one of two Fusion Middleware Innovation Awards from a field of 31 organizations worldwide.

Pictured left to right: Aaron Perry, President of APTEC LLC, Marc Boroditsky Vice President of Product Mangement IDM, and John Xu Putnam Investments

Putnam Investments won the 2013 OEA award for their project that migrated 80 core applications from Sun Access Manager to Oracle Access Manager in a year’s time, and replaced a competitive Identity Management solution with Oracle Identity Manager to automate access requests and approval workflows.

They are the recipients of this year’s excellence award for their comprehensive vision of how identity management is transforming their business through a converged security infrastructure.

Congratulations to ANZ Banking Group for winning the 2013 Oracle Excellence Award for Identity Management

This year ANZ Banking Group won one of two coveted Oracle Excellence awards for Fusion Middleware Innovation in the Identity Management category.  ANZ and Putnam were chosen from a field of 31 entries submitted by organizations worldwide.

Pictured left to right: Paul Beresford, ANZ Banking Group, Marc Boroditsky, Vice President Product Mangement, IDM, Richard Watson, IDM Sales Director, ANZ

ANZ Banking Group won the 2013 OEA award for their project to migrate their award winning mobile banking application from a competitive product to the Oracle IDM Platform, which provides device registration, authentication, authorization and application SSO.

By leveraging the Oracle IDM Platform, ANZ is able to provide a consistent customer experience regardless of how customers access the system (Mobile, Web, ATM, etc.)  Their innovative design resulted in extremely high levels of code reuse and 60% reduction of interfaces needed internally.


Webcast: Oracle Mobile Strategy Update - Simplifying Enterprise Mobility (Register now)


[Read More]

Sunday Nov 24, 2013

Securing The Citizen Experience

Governments have often been the slowest to adopt new technologies - not any more. This video from the UK government's digital services strategy shares a vision for citizen services that will inspire. This phenomenon is not isolated to the United Kingdom. Across the world citizens are paying more in taxes and demanding better services. All of this is changing the way governments are thinking about security. The new experience is cross channel: mobile, social and online. If we are lucky we may never have to go back to the department of motor vehicles again.

The Pressure to transform:

Monday Nov 18, 2013

The Technology Stack of Mobile Device Enablement - Simieo Solutions

Introduction
Mobile computing has proven to be a game changer, revolutionizing the way we work, communicate and connect. Arguably, this revolution can trace its roots back to the ‘Personal Computer’, which freed individuals and organizations from the centralized mainframe operating model and we haven’t looked back since then. But what’s remarkable about mobile computing is the unprecedented pace of change and innovation it has brought about. Mobile devices are penetrating and transforming businesses today far faster than any previous generations of computing technologies ,including laptops and desktops.


Current landscape
Today, "going mobile" means a lot more than just modifying the content to fit a browser on a small screen size. Infrastructures can no longer afford to limit remote or mobile access to browser-based functionality. Users need access to more applications and data, from a wider variety of mobile and wireless devices.
Mobile device capabilities have reached new heights, which in turn has spurred demand for rich mobile applications that require access to private enterprise data in order to deliver functionality. These applications have become indispensable tools for end users. They are being inextricably woven into day-to-day business operations in an effort to improve productivity. In spite of the complexity, these devices are becoming a critical component of the computing environment because of their versatility.


Enter BYOD
Perhaps the single biggest driver of the mobile revolution has been the widespread adoption of “Bring Your Own Device” or “BYOD.” BYOD is the policy of permitting – or even encouraging – employees to bring personally owned mobile devices (laptops, tablets and smart phones) to their workplace, and to use those devices to access privileged company information and applications. Seemingly overnight, BYOD has supplanted the traditional policy of permitting only “corporate-liable” or “CL” devices, those that are owned and issued by the company.


The Benefits of BYOD
BYOD fosters business process efficiency by allowing employees to complete their tasks at any time and from anywhere – whether they are sales representatives, technical analysts in the field, customer-facing employees, manufacturing reps and the like. Every one of these employees needs access to data, which can enable them to make the right decisions, answer queries, come up with proposals, close deals and execute other vital tasks.
The benefits of BYOD include:

Improved workplace flexibility and productivity with secure "anytime, anywhere" access for employees. It promotes employee satisfaction. It also increases effective employee work hours in small increments per week, which in turn translates to a greater throughput from the workforce.

Increased sales revenues from quick, reliable access to business-generating applications on employee-owned devices.

  • Competitive appeal for market leadership and recruiting. Adopting innovative technology solutions such as mobility is valued by organizations for maintaining competitive positioning in their respective marketplaces. 
  • Reduced costs for acquiring, distributing and replacing corporate-liable (CL) devices.
  • Reduce complexity and costs from internally maintaining the mobility infrastructure.
  • Decreased help desk support with a reduction in the number of inbound calls for CL devices.
  • This is definitely not an exhaustive list, but it covers the common factors fueling BYOD adoption.


Imminent Challenges and Risks
It's not too difficult to lose a smart phone or tablet, resulting in confidential data being exposed to non trusted entities. Thus, accessing and storing corporate data on private devices presents unique security challenges to the enterprise.The IT security team and the CIO office are now dealing with questions such as:

Do our enterprise applications qualify as “secure” and “cloud ready”?

  • How do we manage security of the enterprise applications in a scenario where a plethora of mobile devices connect to them for accessing sensitive data?
  • How can my company enable social trust as a means of connecting to customers and employees?
  • What about securing the digital and intellectual property which has been exposed as a result of the BYOD scheme?
  • Some of the inevitable challenges for organizations adopting BYOD include:
  • Handling the deluge of BYOD demand (tablets, smart phones, smart watches and more)
  • Adapting to costs and risk that are no longer "per user" but rather "per device"
  • Avoiding the risk of revolt when applying corporate lock-downs and restrictions on devices owned by the employee
  • Addressing the increased threats associated with mobile
  • Obtaining increased budget to address the risk of mobile
  • Configuration management to reduce vulnerability exposure
  • Adopting configuration management to reduce vulnerability exposure
  • Managing what apps are allowed
  • Determining how to track and manage a personal device the same way as a CL device without violating personal privacy
  • Using mobile as an "enabling" component to the business instead of a roadblock

There are four primary areas that are putting consumers and enterprises at risk on mobile platforms:

  • Access based attacks – Privileged users who have access to more data than they should, or are using legitimate access to steal confidential data, and share or use it in ways that negatively affect the organization.
  • Device Loss – The loss of a corporate or personal device that contains confidential data on the device, or within secondary memory, due to loss or theft of the device.
  • Rogue malicious apps – Applications that have been compromised by attackers and posted on various app stores that contain hidden payloads that steal data, initiate connections, commit outbound toll-fraud or are used as a launching point for attacks inside a trusted corporate network.
  • SMS Attacks – Unwanted inbound SMS messages from attackers that trick users to take actions that can lead to installation of code or to increased carrier based charges.


Identity and Access Management to the Rescue
Luckily, corporations facing these risks and challenges don’t have to go it alone. The field of Identity and Access Management (IAM) has evolved just as rapidly with solutions designed to address key aspects of BYOD adoption:

  • Mobile Device Management (MDM)
  • Mobile Identity Management (MIM)
  • Mobile Application Management (MAM)

IAM solution providers, including our company, Simeio Solutions, have seen tremendous growth in these areas, with new tools, technologies, methodologies and best practices designed to help organizations adopt BYOD securely and effectively.

The need of the hour is seamless and secure digital connectivity for cloud and mobile integration in order for BYOD to prosper.
Here is where a product like Oracle Mobile and Social Access Management comes into the picture. Oracle Mobile and Social Access Management is a solution which enables an organization to secure mobile access to their enterprise applications. It includes a server which acts as a “secure wall” between external mobile client applications and the enterprise applications and data stores (which the mobile applications eventually access) by leveraging the existing back end identity infra services in order to regulate the interaction between both entities.

Oracle Mobile and Social Access Management Offerings


The Oracle Mobile and Social Access Management solution includes features in each of the following key areas: MDM, MIM and MAM.


Mobile Device Management

  • Device Enrollment – Oracle Mobile and Social Service components enforce device registration as a prerequisite to granting access to sensitive enterprise applications/data. A “Client Registration Handle” is used to process first-time device registration post user authentication via the Mobile and Social server.
  • Device Fingerprinting – Mobile and Social Access Server leverages the service from Oracle Adaptive Access Manager (OAAM) in order to deliver functionality such as Device Fingerprinting. OAAM provides capabilities such as One Time Password (OTP) and Knowledge Based Authentication (KBA) based on policies and risk assessments.
  • Device Blacklisting – Oracle Mobile and Social Access Services address the inherent risk of smart phone thefts. It provides capabilities to blacklist/block insecure devices and/or wipe out sensitive security information on the device as per threat levels.

Mobile Identity Management

  • Mobile User Authentication – Oracle Mobile and Social Services facilitate delegation of mobile user authentication to existing and trusted components such as Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM for strong authentication)
  • Mobile User Authorization – Oracle Entitlements Server (OES), a fine grained authorization server, is leveraged to provide authorization services for mobile users based on its policy driven decision engine in order to enforce appropriate access for mobile users to backend enterprise applications.
  • Social Identity support – Oracle Mobile and Social Services facilitates the usage of social internet identities such as Facebook, Twitter, Google, LinkedIn, etc., for signing on users to less sensitive applications. Many of these providers are based on open standards such as OpenID and OAuth, and this in turn can be leveraged to provide rich user experiences.


Leveraging Social Identities


Mobile Application Management

  • Mobile Apps Single Sign-On (SSO) – A mobile user can run many mobile applications on the same device without having to authenticate to each application individually. The out-of-the-box software development kit (SDK) shipped as a part of Oracle Mobile and Social can be used to build and configure Mobile SSO agents which can be used as a centralized point from where authentication and SSO can be managed.
  • SSO functionality is also available to web based applications in addition to inter-application SSO.
  • Application Registration – In order to strengthen mobile application security, Oracle Mobile and Social services ensure application registration before allowing access to sensitive data housed within enterprise applications.

Oracle Mobile and Social Access: The Big Picture


Conclusion
Mobile computing is here to stay. Along with its many luxuries, its penetration has introduced new complexities and challenges to organizations. They cannot afford to fall back on user awareness and user agreements to provide security. The question is no longer about allowing or denying mobile access. The question for today is about effective management.
This post is just the first in a 4-part blog series. In our next post, we’ll have in-depth coverage of Mobile Device Management (MDM).

About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
3
4
5
6
7
8
11
12
13
15
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today