Tuesday Nov 17, 2015

The Lifecycle Management Opportunities of a Data Breach (Part 3) - Simeio Solutions

Identity lifecycle management is one of the most critical parts of a security and identity and access management program. Identifying the assets and setting a baseline for acceptable risk needs to be considered before starting any security lifecycle project and must involve the proper stakeholders. Let's refer back to our original blog post, where we discussed the Ashley Madison breach. When the company began, it had advertised its service with a commitment to delete customer information upon request, but as the headline breach revealed, that was not the case. The hackers were able to expose data related to tens of millions of accounts, which suggests that some part of the identity lifecycle management process was not properly followed. The fact that so much data was compromised from the database could imply that the attack originated there. Soon after the attack, it was reported that a former contractor for the company may have been one of the responsible parties.

To some degree, we had a perfect storm brewing. We had a company offering a service that some felt was morally unethical. We had large amounts of sensitive data stored unencrypted in a database. And we appear to have had privileged account access given to a contractor, which may not have been revoked upon separation from the organization. There have also been additional discoveries about the end-user accounts, such as the fact that many customer accounts used very basic passwords; one password-cracking group has claimed that it was able to crack 11 million users' passwords. This latter topic is beyond the scope of this blog, but suffice it to say that it is important for organizations to enforce strong password policies.

It is easy to look at the Ashley Madison situation through the tinted lenses of morality and assume "nobody should care", "it doesn't apply to me" or "they had it coming". The reality is that the scenarios at Ashley Madison should keep every security officer awake at night. Regardless of whether the attack, theft and ransom concern the morally questionable content of users or the confidential financial records of customers, the same steps must be taken to prevent the same outcome.

In our last blog we talked about privileged account access and how OPAM protects the keys to the kingdom.  But what about the everyday lifecycle of an employee or a contractor?  How do they request and receive access to the assets they need to do their job and nothing more?  How do we take away access rights as their relationship with the company changes (promotions, re-assignments, terminations)?

The Oracle Identity Governance Suite (OIG) enables us to manage entities across different targets/applications in a centralized manner. The solution can address the most complex business and security requirements without changing existing policies, procedures or target sources.

Self-service enables users to raise requests for themselves for access to particular resources or entitlements. It allows for fine-grained configuration, such as restricting a user's self-service capabilities by defining policies and rules based on user attributes. For example, where the user is a contractor, certain fields can be made unavailable to that user type, which reduces the time spent on UI customization and prevents users from modifying user data they are not expected to modify.

OIG has built-in Admin roles which can be used for carrying out admin-specific tasks. New customized Admin roles can be defined by adding capabilities to a particular organization scope. It allows attribute-based assignment of Admin roles, so we can define our own membership rules.

Request-based approvals enable the respective stakeholders, such as the role owner or entitlement owner, to be involved in the approval process. This is an important capability for scenarios where a user needs access to a particular account or entitlement. In the latest OIG PS3 release, workflows were introduced as a replacement for approval policies and can provide more logical responses to end-user requests.

Role lifecycle management provides an efficient mechanism to automate and scale the provisioning and logical grouping of accesses and controls as well as helping to detect violations which we will cover in more detail in our next blog.

OIG ensures that on-boarding and off-boarding actions are carried out based on the start and end dates respectively. It provides a set of access policies which are role-based (and roles in turn can be attribute-based), ensuring that uniformity is maintained across various target systems. Mapping of roles to access policies is done during role configuration. If this association is done with lifecycle management enabled, it goes through a role owner approval process, ensuring role owners are aware of provisioning actions. The task-based provisioning process ensures that the proper workflow is followed. Immediate access termination can be performed by administrators from the Identity console for users who are found to violate policies, whether accidentally or maliciously.

Proper sunrise and sunset of account access and entitlements is critical for contractors, or in scenarios where access to privileged accounts and entitlements needs to be granted to users. In such cases we can define start and end dates for a particular entitlement and thus control access for a particular period, providing another layer of protection against misused access rights. OIG can automate the process of immediately revoking user access rights upon termination or suspension. This eliminates a commonly exploited security gap and opportunity for policy violations that can occur after the dismissal of an employee or contractor, which is exactly the scenario assumed to have been exploited at Ashley Madison.
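The following is an added example, not code from Simeio or from Oracle Identity Governance: a small model of the lifecycle rules described above (role-to-access-policy mapping, entitlement sunrise/sunset dates, user start/end dates, and immediate suspension or termination) that computes the entitlements a target should hold on a given day and turns the difference against what the target actually holds into grant/revoke actions. All roles, entitlement names, users and dates are constructed for illustration.

```python
# Added example (not Simeio's or Oracle's code): a small model of the
# lifecycle rules described above. Role-to-access-policy mappings,
# entitlement start/end dates (sunrise/sunset), user start/end dates and
# immediate suspension/termination all feed one function that computes
# the entitlements a target system should hold right now, and a
# reconcile step turns that into grant/revoke actions. Every role,
# entitlement, user and date below is constructed for illustration.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Role -> access policy: the entitlements each role provisions on targets
# ("Target:entitlement" is just a naming convention for this example).
ACCESS_POLICIES: Dict[str, Set[str]] = {
    "employee":   {"AD:Domain Users", "Mail:mailbox"},
    "contractor": {"AD:Domain Users"},
    "dba":        {"OracleDB:DBA", "Linux:oracle-group"},
}


@dataclass
class Entitlement:
    """A directly assigned entitlement with optional sunrise/sunset dates."""
    name: str
    start: Optional[date] = None   # sunrise: first day the grant is valid
    end: Optional[date] = None     # sunset: grant is revoked on this day


@dataclass
class Identity:
    user_id: str
    roles: Set[str]
    start: date                    # on-boarding date
    end: Optional[date] = None     # planned off-boarding date, if known
    status: str = "active"         # active | suspended | terminated
    direct: List[Entitlement] = field(default_factory=list)


def _in_window(start: Optional[date], end: Optional[date], today: date) -> bool:
    """True when today lies in [start, end); an open bound never limits."""
    return (start is None or start <= today) and (end is None or today < end)


def effective_entitlements(user: Identity, today: date) -> Set[str]:
    """Entitlements the user should hold on `today`.

    Suspension, termination and being outside the user's own start/end
    window all yield the empty set, i.e. everything gets revoked.
    """
    if user.status in ("suspended", "terminated"):
        return set()
    if not _in_window(user.start, user.end, today):
        return set()
    granted: Set[str] = set()
    for role in user.roles:
        granted |= ACCESS_POLICIES.get(role, set())
    for ent in user.direct:
        if _in_window(ent.start, ent.end, today):
            granted.add(ent.name)
    return granted


def reconcile(user: Identity, current: Set[str], today: date) -> Dict[str, Set[str]]:
    """Compare what a target currently holds with what policy says it should.

    Anything held but not desired (including orphaned access left behind
    after a role change) is scheduled for revocation.
    """
    desired = effective_entitlements(user, today)
    return {"grant": desired - current, "revoke": current - desired}


def terminate(user: Identity) -> None:
    """Immediate termination by an administrator, independent of end dates."""
    user.status = "terminated"


if __name__ == "__main__":
    # Constructed contractor with a one-month DBA entitlement.
    bob = Identity("bob", {"contractor"}, start=date(2015, 10, 1), end=date(2016, 1, 1),
                   direct=[Entitlement("OracleDB:DBA", date(2015, 11, 1), date(2015, 12, 1))])
    print(reconcile(bob, {"AD:Domain Users"}, date(2015, 11, 17)))
    terminate(bob)
    print(reconcile(bob, {"AD:Domain Users", "OracleDB:DBA"}, date(2015, 11, 17)))
```

Running `reconcile` on a schedule against each target's actual account list is what closes the gap the post describes: an account a contractor kept after separation shows up in the `revoke` set as soon as the identity record is terminated or its end date passes, without anyone having to remember which targets the person had been given.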

The Oracle Identity Governance Suite can be used to establish a lifecycle management process that allows organizations to have comprehensive governance of identities. It allows organizations to identify risks and make sure they address the organization's defined policies. In the next blog in this series we will discuss certifications, audit, compliance and reporting, and how they tie together with lifecycle management as part of a holistic security solution to enhance compliance.

For more information on how Simeio Solutions can help you with reducing exposure to data breach with Oracle technologies, please visit them at www.simeiosolutions.com

Wednesday Nov 11, 2015

Managing the Keys to the Kingdom - Privileged/Shared Accounts - Simeio Solutions

This is our second in a series of commentaries on minimizing the risk of becoming the next front page news story on data breaches. 

Privileged and Shared Accounts are some of the most critical assets to manage in an organization since they provide broad access to systems and sensitive corporate and state information. Privileged Accounts are those that typically allow administration of a system or provide higher levels of access within a system such as Linux/Unix ‘root’ or Oracle Database ‘sys’.

There can be many reasons why a user with access to a privileged account does bad things: they were not given an expected raise, were denied a vacation or a promotion, or maybe they disagree with the ethical and moral policies of their employer. Poor password management practices, such as sharing passwords for privileged accounts, or falling prey to clever social engineering, are simple ways for others with malicious intentions to gain access to the Keys to the Kingdom. There can also be privilege escalation attacks, where a user gains additional access to a system beyond what he or she has been authorized to have by exploiting a vulnerability in that system.

As we discussed in our last blog entry, most data breaches are caused by events such as employees losing, having stolen, or simply unwittingly misusing corporate assets. After questioning over 7,000 IT executives and employees across North America and Europe, a recent industry report found that 31 percent of employees cited simple loss or theft of credentials as the explanation for data breaches they had experienced, ahead of inadvertent misuse by an employee at 27 percent. External attacks were mentioned in 25 percent of cases, with abuse by malicious insiders at 12 percent. The same selection of causes was cited at much lower levels for business partners.

It is equally important to keep an eye on service accounts associated with test and demo environments.  The principle of least privilege is the key - only assign privileges which are necessary for an employee to effectively do their job, and put the necessary controls in place to remove privileges when no longer warranted. Start with the most restrictive state possible and build out from there.

Organizations are struggling to manage a large number of administrative accounts in a secure, efficient and scalable way. So the problem is how to provide access to a privileged account only when it is required to perform a specific task, and how to audit and report on those situations.

Oracle Privileged Account Manager (OPAM)
Fortunately, there are technologies available to protect an organization’s privileged or shared accounts.  When coupled with industry best practices, a program can be put in place to ensure that your organization doesn’t become the next headline data breach story.  

The following diagram and flow sequence describes how Oracle Privileged Account Manager in conjunction with the Oracle Identity Governance Suite is used to protect the Keys to the Kingdom.  

Flow sequence:
1.    Requester raises a request for access to certain systems, groups, etc.
2.    Approver (manager, system owner, etc.) can deny, approve, or delegate request.
3.    As per the roles and policies configured for this request, OIG will provision appropriate access.
4.    The (privileged) user logs in to the OPAM self-service console and is authenticated for the request.
5.    OPAM allows the user, for example a database administrator, to use a privileged account by checking out / checking in a password for a particular enterprise application, operating system, or database server.
6.    ICF connectors provide out of the box integration with various target systems.
7.    When session access is granted, a notification (text message or email) can be sent to an OPAM Admin/IT Security admin.  OPAM Admin/IT Security admin can keep/terminate the session as appropriate.

The request-based flow depicted above ensures that the proper admin team is notified of the access that users currently hold. Policies and roles ensure that the only access granted to a user is that which they require (as per the principle of least privilege). It is always critical to do a periodic review of the policies and roles that are configured. Sunrise and sunset of accounts and entitlements, access violations and certifications can all be handled by Oracle Identity Manager, which will be discussed in a future blog post. The password policies in place here can ensure strong authentication standards are followed. Additionally, end users don't need to remember multiple passwords; they never actually have to see the password for these protected, privileged systems.

Default passwords are prone to risk, so OPAM is configured to change the password automatically, eliminating the possibility of the password being reused. The system is set to change the password on every check-in, which precludes the administrator from reusing the same password and makes the privileged account's password less prone to sniffing. There may be cases where we need to roll back our privileged account target, and for that case OPAM maintains a password history.
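The following is an added example, not code from Oracle Privileged Account Manager or from Simeio: a small model of the check-out / check-in controls described in the flow sequence and the two paragraphs above. Grants from provisioning decide who may check out which privileged account, a check-out is audited and raises a notification, a check-in rotates the password with a value drawn from the OS CSPRNG that meets a complexity rule, and the previous password is kept in a history so the target can be rolled back. Exclusive check-out, the particular complexity rule and the rollback-to-previous semantics are assumptions of this example, and all account and user names are constructed.

```python
# Added example (not Oracle's or Simeio's code): a small model of the
# check-out / check-in vault behaviour described above, written to show
# the control points rather than any OPAM internals. Grants come from
# provisioning (who may use which privileged account), a check-out is
# audited and raises a notification, a check-in rotates the password with
# a CSPRNG-generated value that meets a complexity rule, and the previous
# password is kept in a history so the target can be rolled back.
# Exclusive check-out, the complexity rule and the rollback-to-previous
# semantics are assumptions of this example; all names are constructed.
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def meets_policy(pw: str) -> bool:
    """Example policy: at least 16 chars with lower, upper, digit and symbol."""
    return (len(pw) >= 16
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def generate_password(length: int = 24) -> str:
    """Draw from the OS CSPRNG until the policy is met (a few tries at most)."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


@dataclass
class Target:
    name: str
    password: str
    history: List[str] = field(default_factory=list)  # previous passwords, oldest first
    checked_out_by: Optional[str] = None


class Vault:
    def __init__(self, grants: Dict[str, Set[str]]):
        self.grants = grants                           # target -> users provisioned for it
        self.targets: Dict[str, Target] = {}
        self.audit: List[Tuple[str, str, str]] = []    # (event, user, target)
        self.notifications: List[str] = []             # what the OPAM admin would receive

    def add_target(self, name: str) -> None:
        """Enrol a target; its default password is replaced immediately."""
        self.targets[name] = Target(name, generate_password())

    def checkout(self, user: str, target: str) -> str:
        t = self.targets[target]
        if user not in self.grants.get(target, set()):
            self.audit.append(("DENY", user, target))
            raise PermissionError(f"{user} is not provisioned for {target}")
        if t.checked_out_by is not None:
            raise RuntimeError(f"{target} already checked out by {t.checked_out_by}")
        t.checked_out_by = user
        self.audit.append(("CHECKOUT", user, target))
        self.notifications.append(f"{user} checked out {target}")
        return t.password

    def checkin(self, user: str, target: str) -> None:
        t = self.targets[target]
        if t.checked_out_by != user:
            raise RuntimeError(f"{target} is not checked out by {user}")
        t.history.append(t.password)
        t.password = generate_password()   # rotate: the released password is now useless
        t.checked_out_by = None
        self.audit.append(("CHECKIN", user, target))

    def rollback(self, target: str) -> str:
        """Restore the previous password, e.g. after a target is restored from backup."""
        t = self.targets[target]
        if not t.history:
            raise RuntimeError(f"no password history for {target}")
        t.password = t.history.pop()
        self.audit.append(("ROLLBACK", "system", target))
        return t.password
```

Returning the password from `checkout` models the password check-out mode; a session broker, as described in the next paragraph, would inject the credential into the session and never show it to the user. The audit list is the record a reviewer would query for "who held this account, and when", and the denied attempt is logged as deliberately as the successful ones.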

OPAM additionally provides session management and auditing capabilities to address various use cases. The OPAM dashboard shows real-time status. By creating a single access point to the target resources, OPAM Privileged Session Manager (OPSM) helps administrators control and monitor all the activities within a privileged session. When session access is granted, a notification can be sent to an auditor. Compliant third-party clients (e.g. PuTTY, OpenSSH) are supported. OPSM monitors SSH session activities through keystroke logging and records the input/output of each session into searchable historical records (transcripts) to support forensic analysis and audit. OPAM uses an OPAM agent on the target to capture and record user activities on Windows targets as MPEG-4 encoded video for playback. OPAM audits and logs all operations and provides its own built-in audit reports.

Additional benefits of OPAM are further realized when deployed in conjunction with some of the other capabilities delivered through the Oracle Identity Governance Suite.  This integration provides an enterprise with a complete governance solution to support ordinary and privileged users in order to meet compliance requirements. We will go into greater depth in our next blog on how OIG provides a simple and robust solution to fully manage the user life cycle with all essential features to secure enterprise assets.

For more information on how Simeio Solutions can help you with reducing exposure to data breach with Oracle technologies, please visit them at www.simeiosolutions.com

Tuesday Oct 27, 2015

Ensuring You Don’t Become the Next Data Breach Story (Part 1) - Simeio Solutions

Recent headline cyber crimes at major retailers, health insurers and even US Government agencies suggest that the attacks were not necessarily performed by criminal masterminds, but rather by individuals who at one time had been properly credentialed to access systems, or by individuals who were simply exploring open doors to identify vulnerabilities. As information technology moves further toward the cloud to provide services, we will start to see more security breaches on a greater scale than ever before.

The hack at Ashley Madison has captured the attention of the media on several continents. And it is of no surprise that the former CEO suggested that the hacking incident may have started with someone who at least at one time had legitimate, inside access to the company’s networks — such as a former employee or contractor. In another instance of data theft from a health insurer, it was determined that critical data and records were not properly encrypted leading to the theft of millions of records of personally identifiable information.

According to the Federal Trade Commission, identity theft was once again the number one complaint from Americans this year.

Oracle's Defense-in-Depth strategy and the solutions offered as part of the Oracle Identity Management suite of products can prevent the cyber breaches that we are becoming so accustomed to seeing on the nightly news.

Today’s blog will focus on a few specific capabilities of Oracle Identity Governance (OIG) and show how they can be used to protect against certain types of common exploits.

1. Privileged/Shared Accounts – Keys to the Kingdom.

Privileged and shared accounts unfortunately exist within every organization, designed at a time when security was an afterthought, if thought of at all. How does one prevent or limit privileged accounts, such as DB admins, from performing malicious actions when compromised? OIG provides session management and auditing capabilities which become the single point to control and monitor activities within privileged sessions. OIG will provide notification alerts on account checkout. You can also define the life of a session and limit the usage of commands.

2. User life cycle management – Role Appropriate Access and Removal of Orphaned Accounts

OIG allows for attribute-based role management for application and administrator roles. One can define custom, fine-grained Admin roles. For new-user on-boarding, privileges are based on roles, business rules and requests. We can also define sunrise and sunset of applications and entitlements, which limits the access of users such as contractors or temporary employees to defined time periods. Normal termination based on end date, and immediate termination, help to remove privileges and access across all target systems. Simply put, an individual should only have the access and entitlements within and across applications needed to be effective at their job, and should lose access when they no longer have a business need.

3. Enforceable Password Policies – Start with the basics

Hard-coded passwords, weak/common passwords and infrequently rotated passwords are at the center of some of the most commonly exploited attacks on organizations. OIG protects privileged/shared accounts with passwords that are mathematically infeasible to guess or break, and can rotate them on a regular basis. Likewise, password policies can be set for all protected resources, requiring individuals to use complex passwords and to change them regularly, making it impossible for an attacker to simply guess the right key to get through the front door.

4. Protect and Audit

OIG provides the tools to protect privileged accounts. Checking credentials in and out also allows us to keep track of who has been using these shared accounts. OIG goes one step further and allows us to monitor specific session activities, capturing and recording user activities as an MPEG video.

Beyond privileged and shared accounts, OIG has powerful certification capabilities, whereby users, managers and the respective application owners can validate and check the access of individuals and their specific entitlements. Segregation of Duties (SoD) analysis is efficient and preventive, warning users about potential violations even before a request is submitted.
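The following is an added example, not code from Oracle Identity Governance or from Simeio: a preventive Segregation-of-Duties check of the kind described above, evaluated at request time so the requester can be warned before anything is submitted. Roles expand to entitlements, SoD rules are pairs of entitlements that must not be held by one person, and the result separates conflicts the request would introduce from conflicts the user already has. The roles, rules and entitlement names are constructed for illustration.

```python
# Added example (not Oracle's or Simeio's code): a preventive
# Segregation-of-Duties check evaluated at request time. Roles expand to
# entitlements, SoD rules are pairs of entitlements that must not be held
# together, and the result separates conflicts this request would create
# from ones the user already has. Roles, rules and names are constructed.
from typing import Dict, List, Set, Tuple

ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap-clerk":   {"ERP:create-vendor", "ERP:enter-invoice"},
    "ap-manager": {"ERP:approve-payment"},
    "auditor":    {"ERP:read-ledger"},
}

# Toxic combinations: holding both sides lets one person run a fraud end to end.
SOD_RULES: List[Tuple[str, str]] = [
    ("ERP:create-vendor", "ERP:approve-payment"),
    ("ERP:enter-invoice", "ERP:approve-payment"),
]


def expand(items: Set[str]) -> Set[str]:
    """Resolve roles to entitlements; plain entitlement names pass through."""
    resolved: Set[str] = set()
    for item in items:
        resolved |= ROLE_ENTITLEMENTS.get(item, {item})
    return resolved


def sod_check(current: Set[str], requested: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Return SoD conflicts split into 'new' (caused by this request) and
    'existing' (already present before the request was made)."""
    have = expand(current)
    combined = have | expand(requested)
    result: Dict[str, List[Tuple[str, str]]] = {"new": [], "existing": []}
    for a, b in SOD_RULES:
        if a in combined and b in combined:
            key = "existing" if (a in have and b in have) else "new"
            result[key].append((a, b))
    return result


def can_submit(current: Set[str], requested: Set[str]) -> bool:
    """Preventive gate: refuse a request that would create a new conflict."""
    return not sod_check(current, requested)["new"]


if __name__ == "__main__":
    # Constructed scenario: an AP clerk asks for the AP manager role.
    print(sod_check({"ap-clerk"}, {"ap-manager"}))
    print(can_submit({"ap-clerk"}, {"auditor"}))
```

Keeping `existing` separate from `new` matters in practice: a preventive gate should stop the request that creates the conflict, while pre-existing conflicts belong to the detective side (certification campaigns and violation reports) rather than being blamed on an unrelated request.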

5. Encrypt the Data – If it cannot be read, it is useless.

There are many rules and regulations mandating encryption, and it makes for sound advice regardless. For example, if you have to comply with the PCI-DSS standard, then credit card numbers need to be stored encrypted. OIG allows for encryption of critical attributes of applications, whether that might be credit card information, social security numbers or other HR data. Additionally, while outside the core scope of this blog series, tools such as Oracle Advanced Security carry out strong encryption of databases to fully protect sensitive information, whether at rest or in transit.

Cyber crime has a devastating economic impact on society and at the individual company level can cause reputation and punitive damage from which an organization might never recover. OIG is a vital information safeguard. It exists to protect sensitive data and information from the ever-evolving landscape of security threats. Regardless of the position that a company takes on the extent or viability of such threats, a strong OIG implementation helps to mitigate the risks of cyber crimes.

What's coming next?

Future blogs in this series will discuss in greater depth how the Oracle Identity Management solutions can prevent your organization from being the next front-page exploit.

For more information on how Simeio Solutions can help you with reducing exposure to data breach with Oracle technologies, please visit them at www.simeiosolutions.com

Friday Oct 23, 2015

Focus on Oracle Security @ Oracle OpenWorld 2015

Oracle OpenWorld 2015 is the year's best opportunity for connecting with colleagues and solution experts and leadership. Planning ahead now will enable you to get the most out of your time at OpenWorld 2015. Below is a list of this year's sessions focused on Oracle's Identity Management and additional security topics. For a more detailed view of the sessions, please go to the OpenWorld 2015 session page.

Monday, Oct 26

Digital Business--the New Identity Frontier [CON9683]

Simplify the Deployment and Monitoring of Your Identity Management System [CON9468]

Introducing Oracle Identity Cloud Service [CON9463]

Tuesday, Oct 27

Integrate Your On-Premises Identity and Access System with Oracle Public Cloud [CON9478]

Unifying Oracle Identity Governance Suite for the New Digital Age [CON9341]

Enterprise Mobile Security Today and in the Future [CON9455]

Meet the Experts: Oracle Identity Cloud Service [MTE10082]

Wednesday, Oct 28

A Single Access and Control Point for All of Your Applications [CON9452]

Modernize Your Directory Architecture with Oracle Directory Services [CON9454]

Securing APIs for Cloud and Mobile Services [CON9457]

Access Management in the New Digital Age [CON9451]

Mobile Security in the Cloud [CON9456]

Thursday, Oct 29

Identity Federation for Healthcare—a Hub-and-Spoke Access Broker Solution [CON2359]

Breach Avoidance Through Least-Privileged Provisioning with Oracle Identity Governance [CON6308]

Secrets to a Successful Deployment: Tips, Tricks, and Tuning [CON9466]

Balance Security with User Experience—Intelligent Access Management [CON9453]

Inside Look: Secrets to a Successful Identity Management Deployment [CON9469]

Integrating Enterprise Controls with the Cloud [CON9177]

Upgrade to Oracle Identity Governance Suite [CON9473]

Please make sure you stop by the Oracle Identity Management booth for hands-on demonstrations of the latest in Oracle's Identity Management offerings and to learn more about what Oracle is doing for on-prem, mobile and cloud.

OpenWorld 2015 session page 

Tuesday Sep 22, 2015

New Paper and Webcast on Identity's role in the new Digital Economy

By 2020, more than 7bn inhabitants of Earth will be using over 35bn devices to communicate, collaborate, negotiate and perform transactions.  This new digital economy is only made possible within organizations that are successful at implementing a strategy of true identity management. 

Oracle and The Economist Intelligence Unit have partnered to deliver a new paper on the role identity management is playing in helping organizations meet their goals in today's digital economy. This new paper, The Economics of Digital Identity, is based upon an industry survey of over 200 IT executives in the manufacturing, financial services and IT technology sectors.

Key findings include:

  • Almost two-thirds (64%) say digital channels are highly important to their company’s revenue— “mission critical” for 27% and “very important” for 37%
  • Digital channels will be “mission critical” to over one-third of companies in three years’ time
  • 72% say security is the key challenge to managing digital identity, and only 19% are very well prepared to meet the security requirements
  • Enabling customers to control their own identity data is rated as highly effective by 48% of adopters

ISC2 Webcast

As a follow-up to this paper, Oracle and ISC2 are sponsoring a live round-table webcast to discuss the risks and benefits organizations face today as they look to adopt a modern identity strategy while preparing themselves for the digital economy. This session, "Coin of the Realm: Managing Identity Economics in the Age of Hyperconnectivity", will be hosted by ISC2 and moderated by Brandon Dunlap, and our guest presenter will be Siddhartha Agarwal, VP of Product Management & Strategy at Oracle. The panel will also include Darin Reynolds from DAS/Omnicom and other industry guests.

Register now to attend this exciting session on October 8th, at 1:00pm Eastern time

For more information, please see our Press Release on our activities with The Economist and ISC2.

Thursday Aug 20, 2015

IT Business Edge: Oracle Ties Mobile Security to Identity and Access Management

Oracle Ties Mobile Security to Identity and Access Management

"Arguably, the rapid rise in mobile application and device usage caught most enterprise IT organizations off guard. As a result, a hodgepodge of mobile applications has evolved inside their organizations that have been created using a variety of tools with differing levels of security and governance capabilities. Oracle is making the case that in a world where security is of paramount importance, the time has come to implement a more comprehensive approach to IT security in general—and identity management in particular.

The degree to which that actually occurs will differ wildly across different IT organizations. But the days when IT organizations could try to manage mobile applications in isolation from the rest of the enterprise are rapidly coming to a close."  (complete article)

Tuesday Aug 18, 2015

Oracle's PS3 Release Off to Great Start with SearchOracle Articles

SearchOracle took part in a set of interviews with Oracle's Jim Taylor (Sr Director of Product Management) and another interview with one of our key partners, Aaron Perry of Aptec LLC.

Patch for Oracle Identity Management aims at mobile security

"Oracle Identity Management 11gR2 PS3 uses contextualization -- a method that takes into account the user, the device and the location to create context for an access request -- to automatically tailor security to the needs of a user working on a secure computer in the office compared to a user working on an iPad in a coffee shop"


Aptec names use cases for Oracle Identity Management patch

"Perry believes that more and more people are starting to take identity management seriously. According to Perry, government organizations and Fortune 100, 500 and 1,000 companies, among others, have been waiting for the development of a single platform that they can use for both enterprise and mobile identity management.

Now that Oracle has developed it, Perry expects to see a lot of clients wanting to upgrade from a previous version of Oracle Identity Management or homegrown systems onto Identity Management 11gR2 PS3 in the next six to 12 months." (article)

Monday Aug 17, 2015

Register now to join Oracle for an Executive Lunch with Kevin Mitnick

People are the weakest security link. They can be manipulated or influenced into unknowingly helping hackers break into their organization's computers. Does your security organization understand this new level of threat? How does your company protect itself against this modern risk?

Effective security requires an inside-out approach with focus on data privacy, access control, and anomaly detection. Your company needs to both defend against attacks and mitigate the potential damage of a breached credential. Oracle has those solutions.

Join Oracle and Kevin Mitnick, internationally known former black-hat hacker and trusted consultant to the Fortune 500 and governments worldwide, as we share game changing insights to prevent tomorrow's data breach.

Don't miss this event; Click Here to REGISTER

Wednesday Jul 22, 2015

Press Release: Oracle Integrates Mobile Security into Identity and Access Management Platform

Today, Oracle released a Press Release announcing the availability of Identity Management 11gR2 PS3 (Patchset 3). This update to the IDM 11gR2 solution brings forth some groundbreaking new capabilities that enable our customers to realize success in the areas of new digital business and unifying identities across applications. This greatly simplifies the on-boarding of new users, applications and services such as mobile and cloud.

Some of the new aspects of the PS3 update include a new "Business Friendly" user interface which provides a single console view of your provisioning, approval workflows, entitlement management, and more.

The update also introduces new capabilities around mobile security with the expansion of Oracle's Mobile Security offering to include Enterprise Mobility Management. This is achieved through the inclusion of Mobile Device Management capabilities as well as a consolidated policy management framework for simplified provisioning of devices, applications and access.

New materials that have been created to help you evaluate this new update include:

Stay tuned to the Oracle Identity Management product page for the latest information on how Oracle is able to solve today's business challenges, and stay on top of the latest information with Oracle's Twitter and Facebook pages.

Thursday Jul 16, 2015

Fragmenting the Path to Mobile

We have all experienced it in one way or another. Either as an applications owner who has seen the scale of the issue grow over time, the line of business owners who have to rely upon what IT is able to deliver, the employees who work with the complex infrastructure and no clear path to the future, or worse, the customers who are potentially impacted by it all.  What are we talking about here?   Identity Fragmentation.  

So years ago you stand up an HR system with its own database repository and its own user account system. You go to a secondary vendor to help streamline the provisioning and approval workflow for on-boarding and certifications. You leverage another vendor to assist with auditing of privileges and entitlements. All of this in support of the one application, and each additional layer you add creates its own silo of identity information.

Now you want to stand up a payroll application. It too requires its own repository for events, for user identities, workflow engines, and all the needs around auditing of privileges and entitlements. More and more layers must be built, and very little of this can be re-purposed and re-used.

The challenge organizations get into is the repetitive effort they undertake in setting up duplicate components, having to re-create user accounts, and the patchwork integration approach between applications which were not designed to share credential information from the start. This leads to high support costs, audit risks to the organization, and a challenge in responding to new requests for new applications and services such as Mobile and Cloud.

One of the biggest detractors for businesses moving to the cloud is that customers' legacy applications are not "cloud ready", in that they are not able to externalize user identities to the new cloud applications, which can be detrimental to the success of the cloud migration.

Oracle has recently written an eBook (Establishing a Mobile Security Architecture) which has an entire chapter dedicated to the issues of Identity Fragmentation in today's enterprises as they relate to mobility. Download this free eBook and take a look at Chapter 5 to learn more about Identity Fragmentation in the enterprise today, and to learn best practices for reducing your exposure and developing a more flexible architecture that scales for future on-prem, cloud or mobile applications.

For more information on Oracle's approach to Identity Unification with Oracle's Identity Management 11gR2, visit our website for more details.

Tuesday May 19, 2015

Now Available! Oracle Identity Management 11gR2 PS3

The Oracle Identity & Access Management team is announcing the General Availability of the latest update to our well-recognized Identity Management 11gR2: PS3 (Patchset 3). This update to the 11gR2 solution brings forth some groundbreaking new capabilities for the Oracle offering and for our customers, including a new "Business Friendly" user interface which greatly simplifies the tasks associated with provisioning and management in today's more robust identity-driven environments.

The update also introduces new capabilities around mobile security with the expansion of Oracle's Mobile Security offering to include Enterprise Mobility Management. This is achieved through the inclusion of Mobile Device Management capabilities as well as a consolidated policy management framework for simplified provisioning of devices, applications and access.

A more detailed look at Oracle Identity Management 11gR2 PS3 updates include:

    • Business Friendly User Interfaces in the Oracle Identity Governance Suite
    • Role-based, task-driven interface to request, approve and certify access
    • Inline Segregation of Duties detection
    • Intelligent Access Catalog with Access Advisor and categorization filtering
    • Role Lifecycle Management and Analytics
    • Integrated Mobile Administration in the Identity Governance and Access Management consoles for simpler administration and tighter security controls
    • Lightweight Mobile Device Management to provide a complete mobile security solution
    • Directory virtualization in Oracle Unified Directory
    • PIN-less 2-Factor Authentication has been added to the Mobile Authenticator
    • Enhanced Privileged Account Management
      • Windows session recording
      • Increased target support, including Windows local accounts, SAP and network devices
    • Expansion of the Automated Patching and Installer to further simplify operation of the suite

For more information on Oracle's Identity Management offerings and the new Patchset 3 update, please visit Oracle.com/Identity

Thursday May 07, 2015

Drivers for Identity and Access Management in Today's Business

Author: Paul Toal

Most organizations know from experience that Identity and Access Management isn’t a project, but more of a multi-phase, multi-year programme. Those who treat it as a single project, or even worse, as a milestone deliverable within another project (e.g. delivering a new business application) will be destined to fail. However, it is typically individual projects that surface the need for IAM and are forced to implement tactical fixes whilst the organization catches up with a more strategic solution. It is easy to see the challenges that individual projects face. No project sponsor wants to foot the bill for an enterprise-wide IAM platform just to deliver the subset of capabilities they need. On the flipside, it is often difficult to get sufficient buy-in at the board level to invest in a strategic IAM platform. Implementing such a platform is often seen as a cost with very little ROI.

However, that is no longer the case. The days of committing to a lengthy and costly IAM programme with very little return are gone. Let’s look at the evolution of IAM business cases in relation to IT security as a whole.


Anyone who has worked in IT security for any length of time will be more than familiar with this approach. Vendors used to sell IT security-related products on fear. IT departments then used the same approach with their investment boards. Pick the worst case scenario of what would happen if you didn’t have a particular IT security product (e.g. firewall) and convince the business that the scenario is highly likely and therefore they absolutely must invest in the project. This approach worked well in the early days when threats on the internet weren’t as well understood and many organizations didn’t take a risk management approach to handling IT security. As use of the internet for business increased and the risks were better understood, the approach of selling on fear started to wane, coupled with the fact that this approach also had very little demonstrable ROI.


As business started pushing back against throwing endless pots of money at IT security with very little to show for it, the industry needed to evolve. By now, use of the internet for business was widespread and organizations were looking at how to take advantage of this shift to online business. As part of this shift, businesses realized that the foundation of any online business is security, and in relation to that, identity. For a company looking to deploy, for example, an eCommerce platform or online banking, how could this possibly be done unless it was secure? Also, how could online services be provided to consumers unless you know who the consumer is? Once you know their identity and they have proven ownership of their identity (authenticated), you can provide them with the right services (authorization) to meet their needs.

The approach of deploying IAM as a business enabler has been key to obtaining investment from the business. We also know from our everyday experience that there is real ROI associated with this approach. Using the online channel, as end-users, we are transacting more money online than ever before. For many people, the online channel is the first, and preferred channel of engagement. Indeed, it can also be a differentiator when you are looking for a company to provide a service to you. For example, positive answers to questions such as “Can I manage my accounts online?” can set one business apart from its competitors.

For a lot of organizations, identity as an enabler is still the business justification for investing in IAM. However, there are a number of drivers within the industry today that are enabling IAM business cases to evolve further.

User Experience

There are many organizations that already offer a strong online presence and online catalog of services for their customers. However, just having these online capabilities is no longer good enough. With the shift of users from laptops and desktops to mobiles and tablets, the expectations around user experience are driving IAM to a new level and forcing organizations to evolve. Consumers have come to expect slick and personalized user experiences whether they are an employee or a customer. What is going to set an organization apart from its competitors isn’t whether they have an online presence, but what the experience for the end user is like. For example, does the company have a mobile application? Is it easy to use? Can it provide me with all the information and services that I need in an intuitive way? There are so many mobile applications on the market today that users know what a good application looks like. They are not prepared to spend hours learning what they must do. If the app isn’t intuitive enough within a couple of minutes, it is easy for the user to delete it and find a different company that provides a better app and user experience.

IAM plays a crucial role within this evolution. We know from the enablement business cases discussed above, that knowing the user is key to providing them with services. However, looking at user experience, IAM also provides a key set of services. Take these examples: 

Social login – Mobiles and tablets are great devices for many things, but filling in long forms with lots of fields (e.g. username, firstname, lastname, email etc) isn’t one of them. However, user registration is one of the key elements to a mobile application. If you can’t get your user up and running with your mobile app easily and quickly, it will be deleted. Enabling customers to register from their social network such as Facebook, Google+ etc is a great solution to this. However, integrating with lots of social networks can be a painful and time-consuming coding exercise for an application developer. Fortunately, a good IAM platform will take that pain away for you, turning social network integration into a configuration rather than coding exercise. 

Step-up authentication – So, now your user has registered and logged into your app from a social network, now what? Well, that level of trust may be good enough to access some basic information, but you aren’t going to let a user manage their bank account (I hope) purely based on a social login. A good IAM platform will enable you to understand the level of trust a user has at any point in time and, when necessary, step up their level of trust with an additional challenge. This should be flexible but could include options such as issuing a challenge question or using a one-time passcode.

Multi-channel Single Sign-on – In modern development, the ‘constant beta’ approach, with its focus on rapid application development and release cycles, is very popular. Therefore, it is not always necessary or desirable to implement all of the information and services that are available on the website within the mobile app. This isn’t a problem because you can always drop out from the application into a web browser on the device, or even present web content within your mobile application. However, you need to ensure you maintain the user experience. Users have enjoyed SSO in the web channel for a long time and they expect no less in the mobile channel. Therefore, flows like the one below are unacceptable for users (and so they should be):

A good IAM platform will enable SSO not just within a single channel, i.e. between multiple mobile applications, but also across channels, e.g. between a native app and a browser-based application, so that the user experience is maintained.

If you are looking for an IAM solution that can address all of the above requirements as well as provide a single, integrated platform for addressing all of your IAM needs, both internally and externally, the Oracle IAM platform is a great option. Whether you are looking to deploy it on-premise or within the cloud, Oracle can help you realize your IAM strategy with its market-leading solutions.

To summarise, it’s not just about user experience. IAM helps many organizations to meet their legal and regulatory requirements. However, in today’s rapidly evolving IT world, we need to look at how IAM can be used, not only as an enabler, but as a differentiator by delivering improved user experience, thus taking it from a pure cost to the business to one that has a demonstrable ROI.

About the Author

Paul Toal is a very passionate and capable IT security consultant specialising in the field of Information Security. He has worked in IT for over 20 years and built up a wide-ranging and in-depth portfolio of knowledge and skills. Equally comfortable talking to C-level execs or technical experts, Paul has worked in both pre-sales and consulting delivery roles covering everything from writing business cases, high-level requirements capturing and solution architecture, through to delivery, training and post-sales support. In addition, he has also been an integral part of designing the UK’s citizen Identity Assurance framework, “Gov.UK Verify”, where he was one of the original authors of the technical specification.
Paul can be reached via LinkedIn
Extend your Security Platform to enable secure, mobile access.
Paul will be speaking at the UKOUG Technology Conference & Exhibition: Dec 8-10, 2014, at the ACC in Liverpool. Find out how you can secure your mobile workforce to enable BYOD strategies.

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Wednesday Mar 11, 2015

Oracle Directory Server Enterprise Edition (DSEE) to Oracle Unified Directory (OUD) Upgrade and Co-existence

As a follow-up to “Why Customers Should Upgrade Directory Server Enterprise Edition (DSEE) to Oracle Unified Directory (OUD)?”, I would like to illustrate in a case study how easily an upgrade can be achieved.

An upgrade process can be defined as the steps required to move from a state where applications leverage data managed within a DSEE directory service to a state where applications leverage data managed within an OUD directory service.

There are multiple ways to achieve that goal:

1. Export data and re-import data

2. Leverage a synchronization tool

3. Enable replication gateway

We have discussed the pros and cons of each one in this blog entry. For more information, you can dive into the details in OUD’s Transition Guide. In this blog we will focus on how to leverage the replication gateway for co-existence and upgrade from DSEE to OUD.
OUD’s unique “replication gateway” feature can keep the DSEE and OUD directories in sync for more than just user entries: it also synchronizes operational state, which is something synchronization tools have a hard time doing.
Now let’s review the required steps when you decide to upgrade via the “replication gateway”.
Your starting point is likely a configuration like this:

Fig 1: Original environment
Then, you will install an OUD instance; it should go as a straight forward operation as OUD can be installed in just a few minutes.

Fig 2: DSEE and OUD environments
Please refer to the quick installation as documented in the installation guide.
Then you start the upgrade. In most cases this can be achieved through three steps, as simple as 1-2-3:
1/ Diagnose, migrate configuration and schema
This is achieved via our ds2oud command, provided as part of OUD.
This first step is important because it will analyze the features used by DSEE to identify those that could require specific attention because they could not be mapped automatically to an OUD equivalent. It will go through plug-ins, schema extensions, password policy used, encrypted attributes, index settings, global configuration parameters.

Fig3: Step 1: Diagnose & Migrate configuration and Schema
It will then be used to diagnose the Directory Server data; this will identify schema differences that cannot be automatically migrated and will require manual adaptation. The ds2oud tool will then be used to migrate automatically the schema and configuration from DSEE to OUD. 
2/ Export / Import data from DSEE to OUD

Fig4: Step 2: Export & Import data from DSEE to OUD

In this step the data will be exported, including metadata, which the export transforms into the OUD format. Then you import the resulting LDIF file into the OUD directory server.
3/ Activate replication gateway

Fig5: Step 3: Setup Replication Gateway

Install and configure the replication gateway as described in the “Setting Up the Replication Gateway” documentation.
This sets up bidirectional replication between the two environments. From here, any changes that took place on DSEE since you exported the data will be replicated to OUD, and any change made on OUD will also be replicated to DSEE. Optionally, you can specify that changes should be replicated in one direction only.
The final step is to redirect applications from DSEE to OUD; this can be achieved by updating the load-balancer or proxy configuration. In this scenario you can fall back to DSEE by reverting the load-balancer/proxy configuration.

Fig6: Switching applications from DSEE to OUD

The scenario described above covers the general case; depending on your configuration and the existing services in DSEE, further steps might be required to perform the necessary adaptations.
In such deployment, you will keep the two environments in synchronization while applications get validated on the new environment. You continue to upgrade more DSEE servers to OUD during the co-existence period, and ultimately the replication gateway will be removed and the DSEE servers will be de-provisioned.
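One check a practitioner wants after steps 2 and 3 is evidence that the data on the OUD side actually matches what was exported from DSEE. The script below is an added example, not Oracle's ds2oud tool or any code from this post: it parses two LDIF exports (a constructed DSEE export and a constructed re-export from OUD), ignores server-generated operational attributes that are expected to differ between the two products (the IGNORED_ATTRS set is an assumption), and reports entries missing on either side plus attributes whose values differ.

```python
"""Compare two LDIF exports, e.g. a DSEE export against the data re-exported
from OUD after the import step.  Added example, not Oracle's ds2oud tool.
IGNORED_ATTRS is an assumed list of operational attributes to skip."""
import base64

IGNORED_ATTRS = {"entryuuid", "createtimestamp", "modifytimestamp",
                 "creatorsname", "modifiersname", "nsuniqueid"}


def normalize_dn(dn):
    # Lower-case and drop whitespace around RDN separators so that
    # "uid=alice, ou=People" and "uid=alice,ou=People" compare equal.
    # Escaped commas inside attribute values are not handled here.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse LDIF records into {normalized dn: {attribute: set(values)}}."""
    lines = []
    for raw in text.splitlines():              # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries[current[0]] = current[1]
            current = None
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):              # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = (normalize_dn(value), {})
        elif current is None:
            raise ValueError("attribute line before any dn: " + line)
        else:
            current[1].setdefault(attr, set()).add(value)
    return entries


def compare_exports(source_ldif, target_ldif, ignored=IGNORED_ATTRS):
    """Report DNs missing on either side and attributes whose values differ."""
    src, dst = parse_ldif(source_ldif), parse_ldif(target_ldif)
    report = {"missing_in_target": sorted(set(src) - set(dst)),
              "extra_in_target": sorted(set(dst) - set(src)),
              "attribute_diffs": {}}
    for dn in sorted(set(src) & set(dst)):
        a = {k: v for k, v in src[dn].items() if k not in ignored}
        b = {k: v for k, v in dst[dn].items() if k not in ignored}
        diffs = {attr: (sorted(a.get(attr, ())), sorted(b.get(attr, ())))
                 for attr in sorted(set(a) | set(b))
                 if a.get(attr, set()) != b.get(attr, set())}
        if diffs:
            report["attribute_diffs"][dn] = diffs
    return report


# Constructed sample exports (not real directory data).
DSEE_EXPORT = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
mail: alice@example.com
modifyTimestamp: 20150311100000Z

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIEV4YW1wbGU=
mail: bob@example.com
description: a long value that is folded across
  two lines in the export

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
cn: Carol Example
"""

OUD_EXPORT = """\
dn: uid=alice, ou=People, dc=example, dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
mail: alice@example.com
entryUUID: 6f1d1c4e-8e9b-4d5f-9c1a-0123456789ab

dn: uid=bob, ou=People, dc=example, dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
mail: Bob@Example.com
description: a long value that is folded across two lines in the export
"""
```

On the constructed data the report flags the entry for carol as missing on the OUD side and the changed mail value on bob's entry, while the operational attributes, DN spacing, base64-encoded and folded values all compare equal. Running compare_exports over the real export files before the replication gateway is enabled gives a concrete list of entries and attributes to look at rather than a count.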
In summary, OUD is Oracle’s strategic, next-generation directory and the upgrade path for DSEE. Oracle encourages DSEE customers to upgrade to OUD to take advantage of the latest functionality in order to support on-premise, cloud, and mobile applications while benefiting from a lower TCO, improved user experience, and enhanced security.

We will continue to share upgrade best practices and case studies in future blogs, so please stay tuned. 
Additional references and details can be found here:
Oracle Unified Directory documentation and transition guide, Oracle Directory Services blog, Sylvain Duloutre’s Weblog

About the Author

Etienne Remillon is Senior Principal Product Manager for the Oracle Unified Directory and Directory Server Enterprise Edition products. Etienne has been in the X.500 and LDAP Directory Services area for the past 20 years, starting with Sun Microsystems.

The author can be reached via LinkedIn

Tuesday Mar 03, 2015

Does Your Company Recognize Your Online Identity - Anywhere, Anytime?

Our mobile IDs travel with us to work, back home, and on the road. Businesses are learning to cope.

by Lynne Sampson

Like most aspiring writers, I loved going to the library as a kid. I had a library card as soon as I was old enough to sign my name—creased and frayed from overuse, tucked inside my mom’s wallet. Mom and I handed our cards to the librarian at each visit, and she looked up our names in the library register and compared our signatures to the ones on our cards.

This old-fashioned, analog ID system was around for a long time. It was less than 10 years ago that my local library replaced paper cards with plastic ones, with a photo ID and a magnetic stripe.

Today, analog IDs have gone the way of cursive script. Nearly all IDs are digital. Since the rise of the internet, our banks, employers, and apps ask us for a plethora of user names, passwords, and security questions to prove that we are who we say we are.

This is a nuisance for absent-minded consumers who make frequent use of the “Forgot My Password” button. But it’s an even bigger problem for the companies and employers that we do business with.

67% of Fortune 500 companies connect with customers via mobile app

“Mobile has become the platform of choice for everything from work to vacationing,” said Naresh Persaud, senior director of security product marketing at Oracle. “That adds a layer of complexity to identity management that most organizations haven’t had to deal with before.”

Consider the way we work. “Many companies have salespeople who travel constantly. They use their tablets all the time, and they want to log into their applications, track their deals, check and assign new leads. They like the mobile experience because it’s familiar and easy to navigate,” Persaud said.

What’s not so easy is provisioning all those mobile devices for a corporate network—especially as more and more of us use our personal devices for work.

89% use personal devices for work purposes

Adding further complexity to the mix, a growing volume of marketing, selling, and hiring is done via social channels like Facebook, Twitter, and LinkedIn. “Many of us need social tools integrated into our mobile identities,” Persaud continued. For example, one B2B company tracks new leads coming in from marketing campaigns and then checks the prospect’s ID on LinkedIn. If the sales manager finds a rep who is already part of the prospect’s LinkedIn network, he’ll assign the lead to that rep, using existing relationships to gain an introduction.

And it’s not just customers or employees who companies must think about. “At some companies, like online music providers, the product itself is digital.” This is becoming more common as the “sharing economy” (driven by apps like Uber and Airbnb) takes flight. This means keeping track of which user has access to which products and services. “We’ve entered a world of ‘digital abundance,’ where our mobile ID becomes the currency of entitlement,” Persaud said.

What does it take to manage our mobile identities? How do companies give employees and customers access to all their apps, systems, and products from a multitude of devices?

Companies need to establish policies, technologies, and best practices to manage and audit the use of mobile devices. Mobile should be an integral part of your company’s larger security and identity strategy.

“You need an integrated platform that provisions access to data and systems, manages the identities of people, and authenticates devices,” Persaud explained. “Integrated” is the key ingredient when it comes to managing mobile identities. Using separate security solutions for data, devices, and people makes it more complicated for customers and employees to get access to the tools they need. Plus, a single identity for each user—no matter which device they’re on—can help you maximize conversion and revenue.

“A great example of this is Beachbody,” Persaud said. Beachbody provides home fitness products and creates a community for members trying to reach their physical fitness goals. “Instead of physical locations, Beachbody delivers products and services via the web and mobile devices.” To connect with millions of customers and thousands of fitness coaches, Beachbody needed to digitize identity and do it securely across multiple channels. “Mobile was perhaps the most important part of their identity management project,” Persaud added, “because it’s become the platform of choice for consumers.”

Our mobile identities are somewhat akin to DNA—unique, evolving, and hugely complicated. Someday, our DNA might actually be the key that we use to access all technology and services, from pension checks to downloaded music. Until that happens, though, companies need to work with mobile identities. That means working with an integrated security suite that includes mobile as a consideration equal to data and people.

See the Oracle Mobile Platform at Mobile World Congress

Learn about Oracle Identity Management Solutions

Friday Feb 27, 2015

New eBook: Establishing a Mobile Security Architecture

Today, just as organizations are starting to understand the first wave of the mobile revolution, numerous demands are being placed on IT to support the second wave of mobility, as a new generation of devices and applications comes online to take advantage of these new capabilities in today’s corporate environments.

"Establishing a Mobile Security Architecture" provides a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you maintain the role of a mobility planner, security architect, CISO, security director, IT director, operations manager or just simply want to better understand the best application of technologies for each area of mobility within your organization and how to reduce risk, then download this free copy of  "Establishing a Mobile Security Architecture".

Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive in the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Register now for your free copy of the "Establishing a Mobile Security Architecture" eBook.

Thursday Feb 19, 2015

Look, Puppies! And Other Stories from the Utility Industry’s Digital Transformation

The digital revolution is creating abundance in almost every industry—turning spare bedrooms into hotel rooms, low-occupancy commuter vehicles into taxi services, and free time into freelance time. This abundance is delivered on mobile devices. One industry, however, is using mobile apps to help its customers do less.

The utility industry is using smartphones to help its customers conserve energy in their daily lives by tapping into smart meters.

The results can be powerful. Armed with information from smart meters, consumers can reduce their energy bill by 20 percent. Using the dishwasher at 12 a.m., for example, will cost less than running it after dinner when everyone else is doing the same. To provide a wider economic lens, if only 10 percent of American households reduced energy consumption by 26 percent, the excess energy could power 2.8 million homes or reduce energy bills by US$4 billion annually.

In Belgium, smartphones and tablets provided a ubiquitous platform to deploy energy-saving applications. So Electrabel, Belgium’s largest energy company, launched a campaign to provide smart boxes, smart thermostats, and smart plugs that would allow homeowners to view power usage and control appliances from their mobile devices. A great idea! But how to make it all secure?  

Providing digital access to all of the appliances in someone’s home requires rethinking security: Which users in the household would be allowed to control the devices? How can the utility company detect fraud and take corrective action? With all of these devices online, how can the utility company manage access by administrators? How can it enable consumers with simple services like password reset and profile changes? Not surprisingly, 40 percent of the attacks on the energy and utilities sector have come in the form of web application attacks.

To keep its smart meter and mobile services from going to the dogs, Electrabel used Oracle’s security solutions. You can read about Electrabel’s implementation in Oracle Magazine, along with another interesting use case at Vodafone Group.

Electrabel was so confident in its solution that it launched a puppy-heavy national ad campaign to encourage participation. Here are more puppies. Need more? Here.

Stories like Electrabel’s are only the beginning. Cisco estimates that by 2020, there will be 50 billion devices on the planet and, according to the report, 69 percent of the value will be people-centric communication, which makes the Electrabel story that much more important—because the interaction between devices and people will rely on similar security processes.

Some estimates show that the smart home market will double by 2018. Like Electrabel, the industry must do the work to keep criminals from hacking these applications and stealing personal data—or even worse, using these services as an entry point to cause potentially catastrophic failures like the attacks against SCADA systems.

Building security into new services is critical for the utilities industry—just as it will be for every business embarking on a digital transformation.

Wednesday Feb 18, 2015

ISACA Webcast Replay - Manage, Monitor & Audit the Mobile User

The greatest threat of a data breach, intentional or not, continues to be from employees, contractors and partners: people you are supposed to be able to trust. On February 12th, Oracle presented to ISACA members on the critical nature of establishing policies, technology and best practices to manage, monitor and audit the use of mobile devices as part of a larger Identity Management strategy.

Our presenter was Mark Wilcox, who is a Senior Principal Product Manager at Oracle. Leveraging his 20 years of experience in the computing industry and the Identity and Access space, Mark delivered a very focused session on best practices and industry guidance that would benefit any organization evaluating their mobile strategy. Please click on the following link to replay the event from February 12th, 2015.

For more information on ISACA, and how they can support you on a student, professional or academic level, please visit them on their website at www.isaca.org  or directly on their Membership Page

Replay Webcast Here

Wednesday Feb 04, 2015

Security and the User Experience: A Balancing Act

Author: Forest Yin

Security is a key business consideration to protect customer data and transactions, business secrets and intellectual property (IP) as well as ensure compliance with regulations. On the other hand, better user experience is critical as it attracts more customers with more transactions or enables employees to be more productive.

But how can you provide better user experience while at the same time enhance security?

Let’s take a look at a real-world example. A large bank used to provide mobile online banking through their browser applications. However, their customer rating of mobile online banking experience was well below the bank’s competitors. As mobile banking is becoming the most important channel of customer interaction, in order to better compete, the bank decided to provide a native mobile application for online banking.

However, mobile banking has inherently higher risk than traditional channels. For example, the device can be easily lost or stolen, and the password can be easily obtained through shoulder surfing. Given these challenges, stronger security is required for mobile access. But due to user experience considerations, the bank cannot require customers to register their devices or require customers to always use one-time-password (OTP) or other types of multi-factor-authentication (MFA), which may turn customers away.

Even the typical web username and password based login is inconvenient for mobile access.

To ensure tight security while providing excellent user experience, the bank implemented a solution with the following capabilities:

1. Initial setup process

a. When the customer first downloads and installs the native mobile banking application on a mobile device, the user registers the application with the backend server through user name and password authentication.

b. As this is the first time the device with the application is trying to connect to the backend, a one-time-password through email or SMS is sent to the user to further validate the user.

c. Once the user is validated upon application registration, the device fingerprint is taken automatically to register the device for the user.

d. The user can then set up a 4- to 6-digit pin for their future online banking access.

2. Online banking experience after initial setup

a. The user launches the mobile app on the mobile device with a pin.

b. To look up an account balance, no further user authentication is needed if the device fingerprint is validated (automatically in the background).

c. Banking transactions such as money transfers require a pin-based authentication without the need for username-password authentication.

3. Risk control and adaptive authentication. Although the banking experience above is the typical user experience for the majority of customers most of the time, the solution monitors and analyzes risk based on real-time context such as device, location, transaction amount, frequency, etc., against defined policies and access patterns. If the risk is deemed high, the user may be required to further authenticate using OTP or Knowledge Based Authentication (KBA), or in some cases the user may be denied access altogether.
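The three stages above, together with the step-up authentication idea from Paul Toal's post earlier on this page, can be put together in a small backend model. The code below is an added example, not Oracle Access Management or the bank's implementation: the class and method names, the PBKDF2 hashing of password and PIN, the risk rules and the thresholds are all assumptions chosen for illustration, and the OTP is handed to a caller-supplied delivery function in place of a real SMS or e-mail gateway.

```python
"""Adaptive authentication backend for a native mobile banking app.

Added example of the flow described in the post (register with password +
OTP, bind a device fingerprint, set a PIN, then risk-based step-up); not
Oracle Access Management code.  Risk rules, thresholds and names are assumed."""
import hashlib
import hmac
import os
import secrets

STEP_UP = 40          # risk score at or above this triggers an OTP challenge
DENY = 80             # risk score at or above this blocks the transaction
LARGE_AMOUNT = 5000.0


def _hash(secret, salt):
    """Slow salted hash used for both passwords and PINs."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class MobileBankingBackend:
    def __init__(self, otp_sender):
        self.otp_sender = otp_sender   # otp_sender(user, code): out-of-band delivery
        self.users = {}                # user -> (salt, password hash, home country)
        self.balances = {}             # user -> account balance
        self.devices = {}              # (user, fingerprint hash) -> (salt, PIN hash)
        self.pending_otp = {}          # user -> code awaiting confirmation

    def add_user(self, user, password, home_country, balance):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt), home_country)
        self.balances[user] = balance

    def _issue_otp(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = code
        self.otp_sender(user, code)

    def _otp_ok(self, user, otp):
        expected = self.pending_otp.pop(user, None)     # single use
        return expected is not None and hmac.compare_digest(otp, expected)

    def _device_key(self, user, fingerprint):
        return (user, hashlib.sha256(fingerprint.encode()).hexdigest())

    # Step 1a/1b: password authentication on first use, then an OTP is sent.
    def start_registration(self, user, password):
        salt, pw_hash, _ = self.users[user]
        if not hmac.compare_digest(_hash(password, salt), pw_hash):
            return False
        self._issue_otp(user)
        return True

    # Step 1c/1d: the OTP validates the user, the fingerprint is bound, PIN set.
    def finish_registration(self, user, otp, fingerprint, pin):
        if not (4 <= len(pin) <= 6 and pin.isdigit()):
            return False
        if not self._otp_ok(user, otp):
            return False
        salt = os.urandom(16)
        self.devices[self._device_key(user, fingerprint)] = (salt, _hash(pin, salt))
        return True

    # Step 2b: a balance lookup only needs a registered device fingerprint.
    def get_balance(self, user, fingerprint):
        if self._device_key(user, fingerprint) not in self.devices:
            return None
        return self.balances[user]

    def _pin_ok(self, user, fingerprint, pin):
        rec = self.devices.get(self._device_key(user, fingerprint))
        return rec is not None and hmac.compare_digest(_hash(pin, rec[0]), rec[1])

    # Step 3: score the real-time context (assumed rules and weights).
    def risk_score(self, user, amount, country, recent_transfers):
        score = 0
        if country != self.users[user][2]:
            score += 40     # outside the customer's home country
        if amount >= LARGE_AMOUNT:
            score += 40     # unusually large transfer
        if recent_transfers >= 3:
            score += 30     # burst of transfers in a short period
        return score

    # Step 2c + 3: transfers need the PIN; high risk steps up to OTP or denies.
    def transfer(self, user, fingerprint, pin, amount, country,
                 recent_transfers=0, otp=None):
        if not self._pin_ok(user, fingerprint, pin):
            return "rejected"
        score = self.risk_score(user, amount, country, recent_transfers)
        if score >= DENY:
            return "denied"
        if score >= STEP_UP:
            if otp is None:
                self._issue_otp(user)
                return "otp_required"
            if not self._otp_ok(user, otp):
                return "rejected"
        self.balances[user] -= amount
        return "approved"
```

The flow for a customer is then start_registration (password), finish_registration (OTP, fingerprint, PIN), get_balance with the fingerprint only, and transfer with the PIN; a transfer from an unexpected country comes back as "otp_required" and succeeds once the delivered code is supplied, while a large transfer from abroad is denied outright. The PIN is never compared in the clear and the OTP is consumed on first use, so a replayed code fails.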

With the launch of native-application-based online banking and the excellent user experience provided, the bank’s new mobile online banking service gained wide adoption and the bank’s service rating increased substantially.

The key to balancing security with user experience is an intelligent Access Management solution that understands real-time risk and context and accordingly takes adaptive actions. For example, we all know that passwords are not safe enough. However, it is not practical to require all consumers or even all employees to use MFA all the time due to experience and adoption issues. Security and user experience can be balanced through an intelligent security system.

Users appreciate the fact that they can continue to use passwords as they always have and will only be challenged further with MFA when risk is high.

In future blogs, we will talk about how Oracle Access Management can intelligently provide context-aware, content-aware and risk-aware access to simplify user experience, so please stay tuned.

About the Author

Forest Yin is the Senior Director of Product Management for Oracle Access Management and Directory Services product lines. Forest has been in the identity management industry for almost 15 years starting with Netegrity.
The author can be reached via LinkedIn

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Wednesday Jan 28, 2015

Putting the dots together: How to provide compliance and individual accountability with Oracle Privileged Account Manager

Authors: Olaf Stullich, Arun Theebaprakasam & Himanshu Sharma

The seemingly endless stream of highly visible security breaches and public disclosures of classified information, from the WikiLeaks website and former NSA contractor Edward Snowden to the latest incidents at Home Depot, USPS and Target, has conspicuously exposed the existing problems with privileged user management.

Privileged users perform sensitive activities that involve extended access to strategic corporate and federal (or state) assets.  In most organizations, privileged accounts are not clearly defined, and different individuals often share some of these accounts. When privileged accounts are not tightly managed, they present a high security risk for the organization.
Because privileged accounts are not necessarily tied to individual end users, detecting inappropriate access to privileged accounts and determining which individuals in a team of administrators participated in unauthorized activities is extremely challenging.

The Problem:

  1. How to provide individual accountability when using shared accounts?
  2. How to provide an audit trail to detect inappropriate privileged usage?

The Solution:

Let's see how Oracle's Privileged Account Manager (OPAM) can meet these compliance requirements and connect the dots to provide individual accountability through an audit trail. A routine audit check by a security auditor could start with an inspection of recent system activities using the reporting tools accessible through the OPAM console.
In our case the auditor selects a one-week time frame for a particular system or range of systems and searches for whether specific accounts have been used on those systems. The search result (Figure 1 below) shows that two sessions occurred.

Note:  Further details about sessions and OPAM Session Management can be found in blog entry: “Introducing OPAM Session Management” and the OPAM OTN homepage

Figure 1: OPAM checkout history and session transcripts

In the search result (Figure 1) we see that even though users "arun" and "olaf" used the same (shared) account ("admin") during overlapping periods of time, an individual session transcript was generated for each user. So there's no question who did what and when. A quick glance into the session transcripts doesn't reveal any suspicious user activities.

Note: A session transcript, a fully searchable textual representation of a session, is created when sessions are initiated through OPAM's Session Manager.

To narrow the results further, the auditor filters for keywords such as "ftp" and "scp". One session matches the search criteria (Figure 2).

Figure 2: OPAM checkout history search results

The session transcript reveals that “olaf” uploaded a database file to a “jumpbox” using “scp”.
When the pattern search reveals a noteworthy activity, the auditor can proceed to track “olaf’s” activities across all systems. He narrows the list of candidate sessions for “olaf” to the time frame close to “olaf’s” Linux session.

One session on the Windows-based “jumpbox” is found (Figure 3) that matches the search for the pattern “FTP” in the Windows session event index.

Figure 3: OPAM checkout history and Windows session event index

Using the Windows session event index, which allows searching for a specific event, the auditor can jump directly to this event and replay the session from that point in time rather than from the very beginning of the recording.
The video recording plays in standard HTML5 browsers (without the need for any additional software downloads). You can jump to a specific video section (via the event index), or use the fast-forward and backward buttons to navigate quickly within the video.


OPAM’s session recording and auditing provides individual accountability in heterogeneous system environments for shared (and individual) user accounts.
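The audit walk-through above rests on one piece of data: every session on a shared account is tagged with the individual who checked it out, and its transcript is searchable. The following is an added example (not OPAM code) that models that checkout ledger and the auditor's three steps: list sessions in a time window, search transcripts for keywords such as "ftp" and "scp", and then follow one individual across hosts. The users, hosts and transcript lines are constructed sample data modelled on the scenario in the post.

```python
"""Attributing shared-account activity to individuals: an added example, not
OPAM code.  A checkout ledger records which person held a shared account on
which host and when; each session's transcript is kept as searchable text.
All names, hosts and transcript lines are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class Session:
    user: str          # individual who checked the account out (the accountable party)
    account: str       # account actually used on the target, shared or individual
    host: str
    start: datetime
    end: datetime
    transcript: str    # searchable text captured for the session


T0 = datetime(2015, 1, 20, 9, 0)

# Constructed sample sessions: two people hold the shared "admin" account on the
# same Linux host at overlapping times; one of them also opens a Windows session
# on a jumpbox shortly afterwards.
SESSIONS = [
    Session("arun", "admin", "linux-db-01", T0, T0 + timedelta(minutes=40),
            "sudo systemctl status postgresql\n"
            "tail -n 50 /var/log/postgresql/main.log\n"
            "exit\n"),
    Session("olaf", "admin", "linux-db-01", T0 + timedelta(minutes=15), T0 + timedelta(minutes=55),
            "cd /var/backups\n"
            "ls -l\n"
            "scp customers.db admin@jumpbox:/tmp/\n"
            "exit\n"),
    Session("olaf", "Administrator", "jumpbox", T0 + timedelta(minutes=50), T0 + timedelta(minutes=70),
            "EVENT 001 cmd.exe started\n"
            "EVENT 002 ftp.exe started\n"
            "EVENT 003 logoff\n"),
]


def sessions_in_window(sessions, start, end, host=None, account=None):
    """Step 1: sessions that overlap [start, end], optionally limited to a host/account."""
    return [s for s in sessions
            if s.start <= end and s.end >= start
            and (host is None or s.host == host)
            and (account is None or s.account == account)]


def overlapping_users(sessions, account, host):
    """People who held the same shared account on one host at the same time.
    Because every session is tagged with the checkout user, concurrent use of a
    shared account still yields one transcript per person."""
    group = [s for s in sessions if s.account == account and s.host == host]
    users = set()
    for a in group:
        for b in group:
            if a is not b and a.start < b.end and b.start < a.end:
                users.update({a.user, b.user})
    return users


def search_transcripts(sessions, keywords):
    """Step 2: keyword search (e.g. the auditor's "ftp,scp") across transcripts.
    Each hit is returned as (user, host, line), attributed to a person rather
    than to the shared account."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, keywords)) + r")\b", re.IGNORECASE)
    return [(s.user, s.host, line)
            for s in sessions
            for line in s.transcript.splitlines()
            if pattern.search(line)]


def track_user(sessions, user, near, slack=timedelta(hours=1)):
    """Step 3: all sessions of one individual, on any host, that start within
    `slack` of a suspicious session (the cross-system follow-up)."""
    return sorted((s for s in sessions
                   if s.user == user and abs(s.start - near.start) <= slack),
                  key=lambda s: s.start)


if __name__ == "__main__":
    window = sessions_in_window(SESSIONS, T0, T0 + timedelta(hours=1),
                                host="linux-db-01", account="admin")
    print("shared 'admin' used concurrently by:", overlapping_users(window, "admin", "linux-db-01"))
    hits = search_transcripts(SESSIONS, ["ftp", "scp"])
    for user, host, line in hits:
        print(f"{user}@{host}: {line}")
    suspect = next(s for s in SESSIONS if s.user == hits[0][0] and s.host == hits[0][1])
    for s in track_user(SESSIONS, suspect.user, suspect):
        print(f"{s.user} on {s.host} {s.start:%H:%M}-{s.end:%H:%M} as {s.account}")
```

The design point is that the ledger keys every transcript on the checkout user, not on the target account: the overlap check shows two people using "admin" at once, yet each keyword hit and each follow-up session is returned with a person's name attached.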

Our follow-up blogs will cover how to set up and use OPAM within a deployment to create the audit trail details described above. Additionally, we’ll talk about how to take preventive actions to restrict privileged user access.

About the Authors

Olaf Stullich - OPAM Product Manager
Olaf can be reached via LinkedIn
Arun Theebaprakasam - OPAM Development Manager
Arun can be reached via LinkedIn
Himanshu Sharma - OPAM Development Team Member
Himanshu can be reached via LinkedIn


Tuesday Jan 27, 2015

Building a Scalable, Highly Available Oracle API Gateway 11g Infrastructure in a Cloud Environment

One of the major challenges that companies face in adopting a cloud computing platform is the secure provisioning of services in the cloud. Oracle API Gateway (OAG) 11g can be a very powerful tool in this sense, since it focuses on service protection, with authentication mechanisms, message encryption, and security/policy functionalities.

Marcelo Parisi recently drafted an article that details how one can create a cloud-based OAG infrastructure with high-availability and scalability support. Both high-availability and scalability operations are covered and, for the purpose of the article, Marcelo uses virtual machine (VM) and storage concepts, along with OAG and Oracle Traffic Director (OTD).

Read the entirety of Mr. Parisi's technical article here.


Monday Jan 26, 2015

Is Your PaaS Delivering the Agility Your Users Demand?

January 28th, 2015 10:00am PST/1:00pm EST - Register Today

Modern Business. Modern Cloud. Is Your PaaS Delivering the Agility Your Users Demand?

Join Oracle at the keynote as we kick off the online forum with IDC analyst Robert Mahowald. Learn how to rapidly build, deploy, manage, and secure rich applications and enable business collaboration and innovation using an integrated cloud platform built on the industry’s #1 Database and Application Server.

Following the keynote, stay for highly engaging content specifically designed for:

  • Java and Database developers
  • Database managers and administrators
  • IT operations managers
  • Lines of business managers

Be sure to join the Middleware Cloud Platform Sessions and learn how to Extend Your Identity Management Services to the Cloud

As organizations consume an increasing number of cloud services and apps, identity management becomes fragmented. Organizations have inconsistent access policies and lose visibility into who has access to what. To avoid these risks and costs, they are increasingly adopting a strategy of extending enterprise identity services to the cloud. This session explores how customers are using Oracle Identity Management to deliver a unified identity management solution that gives users access to all their data from any device while providing an intelligent centralized view into user access rights.

Review the full agenda for more information. Experts will be available for online chat to answer your technical questions.

Thursday Jan 22, 2015

Why Customers Should Upgrade Directory Server Enterprise Edition (DSEE) to Oracle Unified Directory (OUD)

Author: Forest Yin

Lightweight Directory Access Protocol (LDAP) is the foundation of Identity Management. LDAP directories are designed to store identity and policy information and provide runtime access to that information. Oracle’s Directory Server Enterprise Edition (DSEE) is the most widely deployed directory in the industry with thousands of production deployments. Some customer deployments include hundreds of millions of entries and even over a billion entries for a single deployment. 

However, as business and technology evolve, a modern directory not only needs to be scalable for large scale directory consolidation but also needs to be able to virtualize identity from multiple data sources. In addition, a directory not only has to provide extremely high search performance but also write performance. A modern directory has to support on-premise applications and deployments as well as cloud applications and deployments. To address these new requirements, Oracle has introduced Oracle Unified Directory (OUD), the next generation, all-in-one directory for LDAP storage, synchronization, and virtualization.

OUD is Oracle’s strategic directory and the upgrade path for DSEE. Oracle strongly encourages DSEE customers to upgrade to OUD to take advantage of the following benefits:

  1. OUD is technically superior resulting in lower total cost of ownership (TCO), stronger security, and better user experience.
    1. OUD is a converged directory service providing storage, synchronization, and virtualization capabilities. Full convergence is in progress and the convergence provides richer functionality while simplifying deployment and ongoing maintenance. 
    2. OUD performance and scalability far exceed DSEE’s. For example, OUD 11gR2 can deliver more than 5 times DSEE’s write performance and more than 3 times DSEE’s search performance.
    3. OUD is designed to address current and future on-premise, mobile, and cloud needs. OUD enables enterprises to consolidate identity management for applications, databases, and servers. It can synchronize and virtualize identities from on-premise and cloud data sources to enable on-premise and cloud applications to work side by side. Its performance can handle dynamic mobile data and its scalability can support the requirements of extremely large social networks.  
  2. Free DSEE-to-OUD upgrade license. Existing DSEE customers are offered a one-to-one free upgrade license to OUD. In other words, no license cost for upgrading to OUD.
  3. DSEE 11gR1 Premier Support is extended while DSEE 5.2 and 6.3 are in Sustaining Support.
    1. DSEE 5.2 and DSEE 6.3 are in infinite Sustaining Support, i.e., no new fixes will be created. These customers should upgrade to OUD (or to the latest DSEE 11gR1) to ensure up-to-date security and take advantage of more functionality and better quality.
    2. In order to ease customer migration, Oracle has extended DSEE 11gR1 Premier Support from June 2015 to December 2016 to provide customers with more time for planning and implementation.    
  4. Upgrade is technically straightforward and easy
    1. OUD is designed to be fully compatible with DSEE, so any applications working with DSEE should work with OUD.
    2. Co-existence is provided between OUD and DSEE in that OUD can run just like a DSEE with bi-directional replication capabilities. This co-existence enables zero down-time and gradual migration for large scale deployments.
  5. OUD is proven with over a hundred production deployments. Most of them are upgrades from DSEE 5.2, 6.3 or 11gR1, while some are replacements for Novell, OpenLDAP, etc. Some have up to hundreds of millions of users (consumers) while others have tens of thousands of employees.

In summary, OUD is Oracle’s strategic, next-generation directory and the upgrade path for DSEE. Oracle encourages DSEE customers to upgrade to OUD to take advantage of the latest functionality in order to support on-premise, cloud, and mobile applications while benefiting from a lower TCO, improved user experience, and enhanced security.

We will continue to share upgrade best practices and case studies in future blogs, so please stay tuned.    

About the Author

Forest Yin is the Senior Director of Product Management for Oracle Access Management and Directory Services product lines. Forest has been in the identity management industry for almost 15 years starting with Netegrity.
Forest can be reached via LinkedIn


Wednesday Jan 21, 2015

Scope Grants and Authorization Policies: Diffs

Author: Vadim Lander, Chief Identity Architect, Oracle

In my last post on OAuth, I covered a couple of important considerations regarding the granularity of OAuth scopes. My recommendation was to look at scopes not only from the app development perspective, but also to consider the administrative knowledge and life cycle burden that might be inadvertently created. I discussed that overloading with too many fine-grained scopes places a burden on the user, creating confusion or complicating policy administration. It's best to define a few scopes protecting the high-level service, add a few additional scopes to secure access based on the minimally required read and write permissions, and only then evaluate whether additional scopes are required.

In this blog, I'm going to take a closer look at the difference between a scope grant and authorization policy.

People ask this question all the time: can a client app possessing a token with a given scope access any application resource, or only the resources authorized by the user's consent as represented by the granted scope? It turns out people mistake scope grants for the security policies designed to protect the application. The answer depends on how the application's security policies are modeled versus how scope grants are modeled.

It's important to distinguish between a scope grant authorized by a person who happens to be the "Access Approver" for his/her resources and data, and the application security policies that govern what a user in session can do within the application. There are two things going on here:

  • First, the application's functional security model must secure the application by utilizing RBAC and/or ABAC type policies. This typically accommodates role-based, attribute-based, risk-based, context-based, etc. policies, or various combinations of them. Security policies ensure that application Security Administrators can customize security policies to suit their needs, and that Business and/or Security Administrators can authorize users to have functional capabilities.
  • Second, the scope grant must convey the resource owner's approval for the application to use the underlying resource. Hence, the scope grant typically represents context to be evaluated by the authorization policy.

For example, the following authorization policy may be protecting access to the Salary attribute when displaying user's detail page in an HR application (expressed in pseudo language):

(Session.User has Role "HR Clerk" or "Self") and (Session.token has "UserSalaryScope")

This policy ensures the user must have the role "HR Clerk" (or be the user whose record is being viewed) and must have the end user's approval to see salary data.

We can see a clear delineation between authorization policies that consume user-centric context, and scopes that represent user-centric context. The latter is meant to be used in authorization policies, rather than to represent the authorization policy itself. This is the way I suggest people work with OAuth scopes for enterprise applications: first define the functional security model represented by authorization policies, then define scopes to be used as context attributes in those authorization policies.

Even though it's possible to model an application's authorization policies to align with scopes 1:1, doing so would be the wrong thing to do, really painting an application into a corner from the security policy and delegation-of-administration perspectives. Such a shortcut would work only for applications with trivial authorization policies or for 100% claims-based applications, but not for enterprise applications with comprehensive policy and administration needs. Sooner or later (usually sooner), scope overuse will manifest itself in an inability to adequately administer the enterprise application's security.
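To make the distinction concrete, here is an added example (not Oracle code) that implements the salary policy above with the scope as a context attribute, next to the 1:1 "the scope is the policy" shortcut this post warns against. The sessions, roles and user names are constructed; "HR Clerk" and "UserSalaryScope" are the role and scope names from the policy in the post.

```python
"""Scope grant vs. authorization policy: an added example, not Oracle code.
The authorization policy combines the app's functional (RBAC) decision with
the resource owner's consent carried by the token; the shortcut uses the
scope alone.  Sessions and names below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Session:
    user: str                  # authenticated end user running the HR app
    roles: FrozenSet[str]      # functional roles from the application's RBAC model
    scopes: FrozenSet[str]     # scopes carried by the OAuth token the client presented


SALARY_SCOPE = "UserSalaryScope"


def salary_policy(session: Session, record_owner: str) -> Tuple[bool, str]:
    """(Session.User has Role "HR Clerk" or "Self") and (Session.token has "UserSalaryScope").

    The first clause is the application's functional policy (who may do this);
    the second is the resource owner's consent, evaluated as context.  Both
    must hold, and the reason string says which clause failed."""
    is_clerk = "HR Clerk" in session.roles
    is_self = session.user == record_owner
    if not (is_clerk or is_self):
        return False, "functional policy: user is neither 'HR Clerk' nor viewing own record"
    if SALARY_SCOPE not in session.scopes:
        return False, f"consent: token does not carry {SALARY_SCOPE}"
    return True, "granted: role/self check and consent scope both satisfied"


def scope_only_policy(session: Session, record_owner: str) -> bool:
    """The 1:1 shortcut: authorization modelled directly on the scope.
    Anyone whose client obtained the scope sees the salary, whatever their role."""
    return SALARY_SCOPE in session.scopes


def evaluate_all(record_owner: str = "bob") -> Dict[str, Tuple[bool, bool]]:
    """Run both policies over constructed sessions.

    Returns {case label: (policy decision, scope-only decision)} so the
    over-grant of the shortcut is visible side by side."""
    cases = {
        "clerk, consent":    Session("carol", frozenset({"HR Clerk"}), frozenset({SALARY_SCOPE})),
        "clerk, no consent": Session("carol", frozenset({"HR Clerk"}), frozenset()),
        "self, consent":     Session("bob",   frozenset({"Employee"}), frozenset({SALARY_SCOPE})),
        "intern, consent":   Session("dave",  frozenset({"Intern"}),   frozenset({SALARY_SCOPE})),
    }
    return {label: (salary_policy(s, record_owner)[0], scope_only_policy(s, record_owner))
            for label, s in cases.items()}


if __name__ == "__main__":
    for label, (policy, shortcut) in evaluate_all().items():
        print(f"{label:18s} policy={str(policy):5s} scope-only={shortcut}")
```

The "intern, consent" case is the one that matters: the intern's client legitimately obtained the salary scope (perhaps for a self-service feature), and under the scope-only shortcut that grant alone opens another person's salary record. Under the policy, the scope is merely context and the functional role check still decides.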

In the next blog, we will look at other scope-related topics:

  • Scope changes. The Authorization Server is free to grant a different set of scopes than what a client requests. This can happen because of policy, user consent, or just versioning issues.
  • Scope risk. The Authorization Server might issue different tokens with different lifespans based on the scope requested.
  • Implicit scopes. Some scopes may be “implicit”, where the policy dictates whether the user, or a client on the user’s behalf, is authorized to do something, resulting in “automatic” consent with no actual consent dialog.
  • Privileged scopes. The Authorization Server may inject special scopes not requested by clients but granted nonetheless based on the contextual state of the client.

For more information on OAuth please see http://oauth.net/2/

About the Author

Vadim Lander joined Oracle’s Identity & Access Management team in 2009. He advises Oracle on key security technology trends, sets the technical strategy for the IAM Enterprise and Cloud product lines, and works with various Oracle teams on the architecture and implementation of the IAM stack. Previously, Vadim was CTO for the Security BU at CA delivering the architectural blueprints for engineering CA’s next-generation solutions. Vadim joined CA in 2004 with its acquisition of Netegrity, where he was CTO after holding a number of successive growth positions in engineering.Vadim holds a Bachelor of Science degree in Computer Science from Northeastern University in Boston.
Vadim can be reached via LinkedIn


Wednesday Jan 14, 2015

The Future of User Authentication

Author: Prateek Mishra

As business and citizen services, entertainment and social life all become digitized and virtualized, passwords emerge as a key piece of data to be used for stealing information and online resources. In the past, this was a possibility and an occasional occurrence but in recent years the Apple Celebrity Photo breach [1], JPMorgan [2] and Pharmaceutical Company [3] data breaches have demonstrated the increasing scale and range of password-based threats to businesses. It is interesting to observe that each of these three breaches demonstrates a *different aspect* of the "password problem": ability to guess or reset passwords, password re-use and subsequent discovery from a website with weak security controls, and last, phishing attacks targeted at executives or administrators.

Pundits, bloggers, security gurus and journalists have all declared passwords "dead".
The Motorola login pill [4], the heartbeat monitor [5] and device hardware [6] are just a few of the many claimants jostling for a tryout as password replacements. So are we finally at a point where passwords will no longer be used to login to your employer or at your online medical portal?

To get some perspective, it helps to step back and review the overall context in which passwords are used and the different parties involved. For the business or service provider, passwords are a *scalable* and *low-cost* way to control access to services. For the user, there is a familiarity and ease with the *ceremony* of password use and the overall *user-experience*. Finally, both businesses and users share a conceptual and visual understanding of login page, user registration, forgotten password service and so on.

A successful new model for authentication must address these issues. While business costs and administrative overhead are important, a predictable and easily learnt user-experience is critical and for obvious reasons. The best authentication model is useless if customers or employees find it difficult to use. This is the key reason why it has proven so difficult to transition away from passwords - even after many years of effort - Bill Gates [7] had called for their removal almost a decade ago!

As we are all aware, one significant technological change in the past five years has been the worldwide availability of phones: smart phones (now widespread in the developed world) and wireless feature phones (in the developing world). And perhaps herein lies the future of authentication. We all know how to use a phone and its services, and we are being trained to download and install applications. Phone features are constantly being improved and provide a foundation for innovative ways to authenticate.

The popularity of a phone-based "authenticator app" which provides TOTP (Time-Based One-Time Passwords) to augment existing password systems is a great example. The technology is well-known and was standardized in RFC 6238 [8] by IETF (the folks who helped define most of the protocols for the internet such as HTTP and SMTP). As an open standard, it has been reviewed by leading experts in the field and so we can have some reasonable expectations of its robustness and quality.

Many websites and vendors now provide such an app: for example, the Oracle Mobile Authenticator can be installed on Android [9] devices or an iPhone [10] and works in concert with Oracle Access Manager. Once a user has installed the authenticator app, they are guided through a registration process which connects the app to their online account. Notice that a password is still required for this step. The app generates six-digit (pseudo) random numbers, in a sequence specific to the user, typically changing to a new number every 30 seconds.

At subsequent logons, in addition to their password, the user is prompted to enter the current number displayed by the app. Even if the password has been compromised and is known to an attacker, the attacker will be unable to log in to the user account.

Clearly this "password+otp" model has its limitations. An attacker could "phish" both the password and the code and, within a few seconds, log in to the user account. A more sophisticated attacker could extract information about the random number generator from the app or the target website and simulate the number sequence used by the app.

Nevertheless, this model protects against a common attack, where the password was guessed or discovered at a previous time. The level of security sought by a business should be based on the value of the resource and the types of attacks against which it is trying to protect itself. The goal is to *impose costs* on an anticipated class of attacks, versus achieving some security ideal. The password+otp user experience remains a familiar one, though individuals do have to learn the extra step of viewing the app on their phones to retrieve the current number and entering it into a login screen.

Passwords aren't dead but they are going to be less important in the future. They will provide only one component of user authentication, though the conceptual and visual model of the login page will be retained. There are going to be lots of experiments, some profound and some silly (authentication tattoos anyone?), that companies and researchers will bring forward. The recent iPhone 6 [11] fingerprint scanner and Keychain integration is an intriguing sample: how can it be integrated with the familiar login experience and might it become a universal feature of smart phones in the future?

[1] http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html
[2] http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?ref=technology&_r=1
[3] http://www.nytimes.com/2014/12/02/technology/hackers-target-biotech-companies.html?_r=0
[4] http://www.theregister.co.uk/2013/05/31/motorola_tattoo_pill_authentication/
[5] http://www.washingtonpost.com/blogs/innovations/wp/2014/11/21/the-heartbeat-vs-the-fingerprint-in-the-battle-for-biometric-authentication/
[6] https://fidoalliance.org/
[7] http://www.informationweek.com/gates-says-security-is-job-one-for-vista-/d/d-id/1040561?
[8] https://tools.ietf.org/html/rfc6238
[9] https://play.google.com/store/apps/details?id=oracle.idm.mobile.authenticator&hl=en
[10] https://itunes.apple.com/us/app/oracle-mobile-authenticator/id835904829?mt=8i
[11] https://developer.apple.com/library/ios/samplecode/KeychainTouchID/Introduction/Intro.html

About the Author

Prateek Mishra is Technical Director at the Identity Management Division, Oracle. His group participates in standards and open source activities, including OAuth and OpenAz. He is best known for his pioneering role in conceptualizing and creating the SAML identity standard.
Prateek can be reached via LinkedIn


Thursday Jan 08, 2015

Shoulder Surfed by a Kid: Why cruel and unusual mobile security policies compromise security…

Author: Clayton Donley, Vice President of Product Management, Oracle Identity Management & Mobile Security.

“Thank you for your purchase of Mojo! Your credit card has been billed $19.95.”

As I leaned back and reviewed my morning email on my iPad, I was surprised to see a receipt for a purchase of something called Mojo. However, it quickly dawned on me exactly what it was and how this had happened.

You see, for a few weeks my son had been playing a free-to-play game on his iPad. In this game, there was a virtual currency called Mojo. He had been asking for me to spend real money to buy some of this virtual currency and I had spent an equal amount of time denying this request. So when the receipt landed in my inbox, I knew exactly what it was and who did it. What I didn’t know was how he had managed to make the purchase.

My iTunes password had lower and upper characters, a special character, no dictionary words, and a number. I wasn’t using it on any other site and hadn’t even given it to my wife.

What I had done was type it on my iPad that morning before I left for work, allowing each character of the password to echo on the screen as I typed it.

Apparently, a properly motivated 9-year-old (at the time) can easily watch these characters echo over your shoulder and enter them later on their own device.

What if this was an Enterprise Password?

Many companies still use login/password to access corporate VPNs and business applications.

Imagine that you work for one of these companies, visit a conference or trade show, and decide to check a file share, CRM application, or wiki using your mobile device.

You pull out your device, unlock it, and launch the application. Usually you’ve entered at least two layers of passwords by this point (perhaps using your fingerprint or swiping rather than entering a PIN to unlock your device).

While the device unlock is important, it requires that someone actually have your device to make it useful. The second sequence, where you connect to your corporate network (or cloud provider) is much more interesting. This is where you go from giving someone access to 32GB of data on your phone to countless terabytes stored in your enterprise.

If your organization hasn’t put into place one-time tokens or two-factor authentication, you’ve potentially given a motivated attacker an easy way to get access to your network. It’s much easier to watch your screen echo your password than it ever was to watch you touch-type your password.

Where some organizations get things exceptionally wrong is by enforcing even more frequent re-authentication when users come from a mobile device. The idea is that because devices can more easily be lost or stolen, it’s ideal to ask users to re-authenticate frequently to prove that they are still in control of the device.

This particularly cruel and unusual policy not only degrades user experience and encourages people to choose easier-to-type passwords, but also subjects these passwords to more frequent exposure.

Fortunately there are better security policies and better software to make those policies work well.

What Actually Works?

The easiest solution to this problem is to use the device itself as an authentication factor. This means that a hacker needs both my password and the device in order to log in. This can be as simple as device fingerprinting and as complicated as leveraging digital certificates.

An even better solution is to move away from using any passwords in the first place, leveraging PKI and other established technology to handle the authentication between the device and the service, while using emerging technology like containerization to ensure that only appropriate applications on the device can leverage that session.

With employees bringing their own devices to work in BYOD programs, it’s very important to take an approach that focuses on applications, rather than devices. Over-hardening security at the device-level (e.g. even just to play Angry Birds), rather than just stepping up authentication when it is really needed (e.g. to view customer data), over-exposes credentials and gives users incentives to work around the inconvenience of security.
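The policy described here, and the adaptive access model in the earlier post on balancing security and user experience, come down to one decision: given who is asking, from what device, for what, and with how much risk, do we allow, step up to a second factor, or refuse? The block below is an added example (not Oracle Access Management code) of that decision made from three signals: whether the device is one the user enrolled (the device as a factor), whether the request comes from the user's usual country, and how sensitive the requested action is, with a freshness requirement on strong authentication for sensitive actions. The enrolment registry, home countries, signal weights and thresholds are all constructed.

```python
"""Context-aware step-up authentication: an added example, not Oracle Access
Management code.  A request is scored from device enrolment, location and the
sensitivity of the action; a second factor is demanded only when risk or
sensitivity warrants it.  Registry data, weights and thresholds are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str      # fingerprint or client-certificate thumbprint the device presents
    action: str         # e.g. "play-game", "view-customer-record"
    sensitivity: str    # "low" or "high", as classified by the application owner
    ip_country: str
    auth_age_s: int     # seconds since the user last completed a strong authentication


# Constructed enrolment data: device identifiers bound to users at registration.
ENROLLED_DEVICES: Dict[str, Set[str]] = {"alice": {"dev-ipad-7f3a", "dev-laptop-c019"}}
HOME_COUNTRY: Dict[str, str] = {"alice": "US"}

STEP_UP_THRESHOLD = 40    # constructed: score at which a second factor is required
DENY_THRESHOLD = 80       # constructed: score at which the request is refused outright
MAX_AUTH_AGE_S = 15 * 60  # constructed: high-sensitivity actions need a recent strong auth


def risk_signals(req: Request) -> List[Tuple[str, int]]:
    """Each (reason, weight) pair that fired for this request; weights are constructed."""
    signals = []
    if req.device_id not in ENROLLED_DEVICES.get(req.user, set()):
        signals.append(("device not enrolled for this user", 50))
    if req.ip_country != HOME_COUNTRY.get(req.user):
        signals.append(("request from outside user's usual country", 30))
    if req.sensitivity == "high":
        signals.append(("high-sensitivity action", 20))
    return signals


def decide(req: Request) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons).

    Password-only access continues for routine, low-risk requests; a second
    factor is demanded when risk accumulates, or when a sensitive action is
    attempted without a recent strong authentication."""
    signals = risk_signals(req)
    score = sum(weight for _, weight in signals)
    reasons = [reason for reason, _ in signals]
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons
    if req.sensitivity == "high" and req.auth_age_s > MAX_AUTH_AGE_S:
        return "step_up", reasons + ["strong authentication is older than policy allows"]
    return "allow", reasons


if __name__ == "__main__":
    samples = [
        Request("alice", "dev-ipad-7f3a", "play-game", "low", "US", 3600),
        Request("alice", "dev-ipad-7f3a", "view-customer-record", "high", "US", 3600),
        Request("alice", "dev-ipad-7f3a", "view-customer-record", "high", "US", 60),
        Request("alice", "dev-unknown-01", "play-game", "low", "US", 3600),
        Request("alice", "dev-unknown-01", "view-customer-record", "high", "BR", 3600),
    ]
    for r in samples:
        verdict, why = decide(r)
        print(f"{r.action:22s} {r.device_id:15s} -> {verdict:8s} {why}")
```

The first and second sample requests are the contrast the post draws: the game on an enrolled device never prompts, while the customer record on the same device prompts only when the last strong authentication is stale. The credential is typed far less often, and when it is, it is for something worth protecting.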

What about the Young Hacker?

With no shortage of hidden pride (and considering his promising future black hat career working with the LizardSquad and CryptoWall teams), I let my son know that he wasn’t allowed to do this sort of thing anymore.

Within a few days he proceeded to get my next few passwords, but “only used them to get free apps”. At this point I gave up.

About the Author

Clayton Donley is the Vice President of Product Management for Oracle’s Identity Management and Mobile Security products.
You can follow Clayton on Twitter at @cdonley.
