Tuesday Mar 03, 2015

Does Your Company Recognize Your Online Identity - Anywhere, Anytime?

Our mobile IDs travel with us to work, back home, and on the road. Businesses are learning to cope.

by Lynne Sampson

Like most aspiring writers, I loved going to the library as a kid. I had a library card as soon as I was old enough to sign my name—creased and frayed from overuse, tucked inside my mom’s wallet. Mom and I handed our cards to the librarian at each visit, and she looked up our names in the library register and compared our signatures to the ones on our cards.

This old-fashioned, analog ID system was around for a long time. It was less than 10 years ago that my local library replaced paper cards with plastic ones, with a photo ID and a magnetic stripe.

Today, analog IDs have gone the way of cursive script. Nearly all IDs are digital. Since the rise of the internet, our banks, employers, and apps ask us for a plethora of user names, passwords, and security questions to prove that we are who we say we are.

This is a nuisance for absent-minded consumers who make frequent use of the “Forgot My Password” button. But it’s an even bigger problem for the companies and employers that we do business with.

67% of Fortune 500 companies connect with customers via mobile app

“Mobile has become the platform of choice for everything from work to vacationing,” said Naresh Persaud, senior director of security product marketing at Oracle. “That adds a layer of complexity to identity management that most organizations haven’t had to deal with before.”

Consider the way we work. “Many companies have salespeople who travel constantly. They use their tablets all the time, and they want to log into their applications, track their deals, check and assign new leads. They like the mobile experience because it’s familiar and easy to navigate,” Persaud said.

What’s not so easy is provisioning all those mobile devices for a corporate network—especially as more and more of us use our personal devices for work.

89% use personal devices for work purposes

Adding further complexity to the mix, a growing volume of marketing, selling, and hiring is done via social channels like Facebook, Twitter, and LinkedIn. “Many of us need social tools integrated into our mobile identities,” Persaud continued. For example, one B2B company tracks new leads coming in from marketing campaigns and then checks the prospect’s ID on LinkedIn. If the sales manager finds a rep who is already part of the prospect’s LinkedIn network, he’ll assign the lead to that rep, using existing relationships to gain an introduction.

And it’s not just customers or employees who companies must think about. “At some companies, like online music providers, the product itself is digital.” This is becoming more common as the “sharing economy” (driven by apps like Uber and Airbnb) takes flight. This means keeping track of which user has access to which products and services. “We’ve entered a world of ‘digital abundance,’ where our mobile ID becomes the currency of entitlement,” Persaud said.

What does it take to manage our mobile identities? How do companies give employees and customers access to all their apps, systems, and products from a multitude of devices?

Companies need to establish policies, technologies, and best practices to manage and audit the use of mobile devices. Mobile should be an integral part of your company’s larger security and identity strategy.

“You need an integrated platform that provisions access to data and systems, manages the identities of people, and authenticates devices,” Persaud explained. “Integrated” is the key ingredient when it comes to managing mobile identities. Using separate security solutions for data, devices, and people makes it more complicated for customers and employees to get access to the tools they need. Plus, a single identity for each user—no matter which device they’re on—can help you maximize conversion and revenue.

“A great example of this is Beachbody,” Persaud said. Beachbody provides home fitness products and creates a community for members trying to reach their physical fitness goals. “Instead of physical locations, Beachbody delivers products and services via the web and mobile devices.” To connect with millions of customers and thousands of fitness coaches, Beachbody needed to digitize identity and do it securely across multiple channels. “Mobile was perhaps the most important part of their identity management project,” Persaud added, “because it’s become the platform of choice for consumers.”

Our mobile identities are somewhat akin to DNA—unique, evolving, and hugely complicated. Someday, our DNA might actually be the key that we use to access all technology and services, from pension checks to downloaded music. Until that happens, though, companies need to work with mobile identities. That means working with an integrated security suite that includes mobile as a consideration equal to data and people.

See the Oracle Mobile Platform at Mobile World Congress

Learn about Oracle Identity Management Solutions


Friday Feb 27, 2015

New eBook: Establishing a Mobile Security Architecture

Today, just as organizations are starting to understand the first wave of the mobile revolution, numerous demands are being placed on IT to support the second wave of mobility, as a new generation of devices and applications comes online to take advantage of these new capabilities in today’s corporate environments.

"Establishing a Mobile Security Architecture" provides a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you are a mobility planner, security architect, CISO, security director, IT director or operations manager, or simply want to better understand the best application of technologies for each area of mobility within your organization and how to reduce risk, then download this free copy of "Establishing a Mobile Security Architecture".

Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive in the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Register now for your free copy of the "Establishing a Mobile Security Architecture" eBook.

Thursday Feb 19, 2015

Look, Puppies! And Other Stories from the Utility Industry’s Digital Transformation

The digital revolution is creating abundance in almost every industry—turning spare bedrooms into hotel rooms, low-occupancy commuter vehicles into taxi services, and free time into freelance time. This abundance is delivered on mobile devices. One industry, however, is using mobile apps to help its customers do less.

The utility industry is using smartphones to help its customers conserve energy in their daily lives by tapping into smart meters.

The results can be powerful. Armed with information from smart meters, consumers can reduce their energy bill by 20 percent. Using the dishwasher at 12 a.m., for example, will cost less than running it after dinner when everyone else is doing the same. To provide a wider economic lens, if only 10 percent of American households reduced energy consumption by 26 percent, the excess energy could power 2.8 million homes or reduce energy bills by US$4 billion annually.

In Belgium, smartphones and tablets provided a ubiquitous platform to deploy energy-saving applications. So Electrabel, Belgium’s largest energy company, launched a campaign to provide smart boxes, smart thermostats, and smart plugs that would allow homeowners to view power usage and control appliances from their mobile devices. A great idea! But how to make it all secure?

Providing digital access to all of the appliances in someone’s home requires rethinking security: Which users in the household would be allowed to control the devices? How can the utility company detect fraud and take corrective action? With all of these devices online, how can the utility company manage access by administrators? How can it enable consumers with simple services like password reset and profile changes? Not surprisingly, 40 percent of the attacks on the energy and utilities sector have come in the form of web application attacks.

To keep its smart meter and mobile services from going to the dogs, Electrabel used Oracle’s security solutions. You can read about Electrabel’s implementation in Oracle Magazine, along with another interesting use case at Vodafone Group.

Electrabel was so confident in its solution that it launched a puppy-heavy national ad campaign to encourage participation. Here are more puppies. Need more? Here.

Stories like Electrabel’s are only the beginning. Cisco estimates that by 2020, there will be 50 billion devices on the planet and, according to the report, 69 percent of the value will be people-centric communication, which makes the Electrabel story that much more important—because the interaction between devices and people will rely on similar security processes.

Some estimates show that the smart home market will double by 2018. Like Electrabel, the industry must do the work to keep criminals from hacking these applications and stealing personal data—or even worse, using these services as an entry point to cause potentially catastrophic failures like the attacks against SCADA systems.

Building security into new services is critical for the utilities industry—just as it will be for every business embarking on a digital transformation.

Wednesday Feb 18, 2015

ISACA Webcast Replay - Manage, Monitor & Audit the Mobile User

The greatest threat of a data breach (intentional or not) continues to be from employees, contractors and partners: people you are supposed to be able to trust. On February 12th, Oracle presented to ISACA members on the critical nature of establishing policies, technology and best practices to manage, monitor and audit the use of mobile devices as part of a larger Identity Management strategy.

Our presenter was Mark Wilcox, who is a Senior Principal Product Manager at Oracle. Leveraging his 20 years of experience in the computing industry and the Identity and Access space, Mark delivered a very focused session on best practices and industry guidance that would benefit any organization evaluating their mobile strategy. Please click on the following link to replay the event from February 12th, 2015.

For more information on ISACA, and how they can support you on a student, professional or academic level, please visit them on their website at www.isaca.org or directly on their Membership Page.

Replay Webcast Here


Wednesday Feb 04, 2015

Security and the User Experience: A Balancing Act

Author: Forest Yin

Security is a key business consideration to protect customer data and transactions, business secrets and intellectual property (IP) as well as ensure compliance with regulations. On the other hand, better user experience is critical as it attracts more customers with more transactions or enables employees to be more productive.

But how can you provide better user experience while at the same time enhance security?

Let’s take a look at a real-world example. A large bank used to provide mobile online banking through its browser applications. However, its customers’ rating of the mobile online banking experience was well below that of the bank’s competitors. As mobile banking is becoming the most important channel of customer interaction, the bank decided, in order to compete better, to provide a native mobile application for online banking.

However, mobile banking has inherently higher risk than traditional channels. For example, the device can be easily lost or stolen, and the password can be easily obtained through shoulder surfing. Given these challenges, stronger security is required for mobile access. But due to user experience considerations, the bank cannot require customers to register their devices or require customers to always use a one-time password (OTP) or other types of multi-factor authentication (MFA), which may turn customers away.

Even the typical web username and password based login is inconvenient for mobile access.

To ensure tight security while providing excellent user experience, the bank implemented a solution with the following capabilities:

1. Initial setup process

a. When the customer first downloads and installs the native mobile banking application on a mobile device, the user registers the application with the backend server through user name and password authentication.

b. As this is the first time the device with the application is trying to connect to the backend, a one-time-password through email or SMS is sent to the user to further validate the user.

c. Once the user is validated upon application registration, the device fingerprint is taken automatically to register the device for the user.

d. The user can then set up a 4- to 6-digit pin for their future online banking access.

2. Online banking experience after initial setup

a. The user launches the mobile app on the mobile device with a pin.

b. To look up an account balance, no further user authentication is needed if the device fingerprint is validated (automatically in the background).

c. Banking transactions such as money transfers require a pin-based authentication without the need for username-password authentication.

3. Risk control and adaptive authentication. Although the banking experience above is the typical user experience for the majority of customers most of the time, the solution monitors and analyzes risk based on real-time context such as device, location, transaction amount, frequency, etc., according to defined policies and access patterns. If the risk is deemed high, the user may be required to further authenticate using OTP or Knowledge Based Authentication (KBA), or in some cases the user may be denied access altogether.
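To make the three stages above concrete, here is an added Python model of the flow (it is illustrative code written for this post, not the bank’s or Oracle’s implementation). It covers the first-time registration with password plus OTP, the device fingerprint taken at enrolment, the PIN used for transactions, and a risk score built from device, location, amount and frequency that escalates to OTP, KBA or denial. The fingerprint attributes, the additive risk weights and the thresholds are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Possible outcomes of an access decision, from no challenge to outright denial.
ALLOW, REQUIRE_PIN, REQUIRE_OTP, REQUIRE_KBA, DENY = "allow", "pin", "otp", "kba", "deny"

# Risk thresholds and weights below are assumptions for this example, not values from the post.
OTP_THRESHOLD, KBA_THRESHOLD, DENY_THRESHOLD = 40, 60, 90


def kdf(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither passwords nor PINs are stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def device_fingerprint(attrs: dict) -> str:
    """Stable hash over sorted device attributes (model, OS build, app install id, ...)."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Device:
    pin_hash: bytes
    pin_salt: bytes


@dataclass
class Customer:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    home_country: str
    devices: dict = field(default_factory=dict)         # fingerprint -> Device
    transfer_times: list = field(default_factory=list)  # epoch seconds of completed transfers


def new_customer(username: str, password: str, home_country: str) -> Customer:
    salt = secrets.token_bytes(16)
    return Customer(username, salt, kdf(password, salt), home_country)


def register_device(cust, password, otp_sent, otp_entered, device_attrs, pin) -> bool:
    """Steps 1a-1d: password login, one-time code, fingerprint capture, PIN enrolment."""
    if not hmac.compare_digest(kdf(password, cust.pw_salt), cust.pw_hash):
        return False
    if not hmac.compare_digest(otp_sent, otp_entered):
        return False
    if not (4 <= len(pin) <= 6 and pin.isdigit()):
        return False
    salt = secrets.token_bytes(16)
    cust.devices[device_fingerprint(device_attrs)] = Device(kdf(pin, salt), salt)
    return True


def risk_score(cust, ctx) -> int:
    """Step 3: additive score from location, amount and transfer frequency."""
    score = 0
    if ctx["country"] != cust.home_country:
        score += 40
    if ctx.get("amount", 0) > 1000:
        score += 30
    recent = [t for t in cust.transfer_times if ctx["now"] - t < 3600]
    if len(recent) >= 3:
        score += 30
    return score


def authorize(cust, ctx, pin=None) -> str:
    """Step 2 plus step 3: decide what, if anything, the user must present."""
    dev = cust.devices.get(device_fingerprint(ctx["device"]))
    if dev is None:
        return REQUIRE_OTP  # unknown device: must go through registration (step 1b)
    score = risk_score(cust, ctx)
    if score >= DENY_THRESHOLD:
        return DENY
    if score >= KBA_THRESHOLD:
        return REQUIRE_KBA
    if score >= OTP_THRESHOLD:
        return REQUIRE_OTP
    if ctx["action"] == "balance":
        return ALLOW  # step 2b: the validated device binding is enough for a read
    # step 2c: a transfer needs the PIN, never the full password
    if pin is None or not hmac.compare_digest(kdf(pin, dev.pin_salt), dev.pin_hash):
        return REQUIRE_PIN
    cust.transfer_times.append(ctx["now"])
    return ALLOW
```

The order of checks is the point of the design: the device binding is verified first, the risk policy runs before any credential is asked for, and only then does the cheap PIN challenge apply. A 4- to 6-digit PIN is low entropy on its own, so its security in this model rests on being bound to a registered device and on the risk engine escalating when the context looks wrong.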

With the launch of native-application-based online banking and the excellent user experience provided, the bank’s new mobile online banking service gained wide adoption and the bank’s service rating increased substantially.

The key to balancing security with user experience is an intelligent Access Management solution that understands real-time risk and context and accordingly takes adaptive actions. For example, we all know that passwords are not safe enough. However, it is not practical to require all consumers or even all employees to use MFA all the time due to experience and adoption issues. Security and user experience can be balanced through an intelligent security system.

Users appreciate the fact that they can continue to use passwords as they always have and will only be challenged further with MFA when risk is high.

In future blogs, we will talk about how Oracle Access Management can intelligently provide context-aware, content-aware and risk-aware access to simplify user experience, so please stay tuned.

About the Author


Forest Yin is the Senior Director of Product Management for Oracle Access Management and Directory Services product lines. Forest has been in the identity management industry for almost 15 years starting with Netegrity.
The author can be reached via LinkedIn.

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Wednesday Jan 28, 2015

Putting the dots together: How to provide compliance and individual accountability with Oracle Privileged Account Manager

Authors: Olaf Stullich, Arun Theebaprakasam & Himanshu Sharma

The seemingly endless stream of highly visible security breaches and public disclosures of classified information (the WikiLeaks website, former NSA contractor Edward Snowden, and the latest incidents at Home Depot, USPS and Target) has conspicuously exposed the existing problems with privileged user management.

Privileged users perform sensitive activities that involve extended access to strategic corporate and federal (or state) assets.  In most organizations, privileged accounts are not clearly defined, and different individuals often share some of these accounts. When privileged accounts are not tightly managed, they present a high security risk for the organization.
Because privileged accounts are not necessarily tied to individual end users, detecting inappropriate access to privileged accounts and determining which individuals in a team of administrators participated in unauthorized activities is extremely challenging.

The Problem:

  1. How to provide individual accountability when using shared accounts?
  2. How to provide an audit trail to detect inappropriate privileged usage?

The Solution:

Let's see how Oracle's Privileged Account Manager (OPAM) can solve these compliance requirements and connect the dots to provide individual accountability through an audit trail. A routine audit check for a security auditor could start with an inspection of recent system activities using the reporting tools accessible through the OPAM console.
In our case he selects a one-week time frame for a particular system or range of systems and searches for whether specific accounts were used on these systems. The search result (Figure 1 below) shows that two sessions occurred.

Note: Further details about sessions and OPAM Session Management can be found in the blog entry “Introducing OPAM Session Management” and on the OPAM OTN homepage.


Figure 1: OPAM checkout history and session transcripts

In the search result (Figure 1) we see that, even though users "arun" and "olaf" used the same (shared) account ("admin") in an overlapping period of time, an individual session transcript was generated per user. So there's no question who did what and when. A quick glance into the session transcripts doesn't reveal any suspicious user activity.

Note: A session transcript, a fully searchable textual representation of a session, is created when sessions are initiated through OPAM's Session Manager.

To narrow the search results further, the auditor filters for keywords like "ftp,scp". One session matches the search criteria (Figure 2).


Figure 2: OPAM checkout history search results

The session transcript reveals that “olaf” was uploading a database file to a “jumpbox” using “scp”.
When the pattern search reveals notable activity, the auditor can decide to proceed further and track “olaf’s” activities across all systems. He narrows down the potential list of sessions for “olaf” to the time frame close to “olaf’s” Linux session.

One session on the Windows-based “jumpbox” is found (Figure 3) that matches the search for the pattern “FTP” in the Windows session event index.


Figure 3: OPAM checkout history and Windows session event index

Using the Windows session event index, which allows searching for a specific event, the auditor can jump directly to this event and replay the session from that point in time rather than from the very beginning of the recording.
The video recording plays in standard HTML5 browsers (without the need for any additional software downloads). You can jump to a specific video section (via the event index), or use the fast-forward and backward buttons to quickly navigate within the video.
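The auditor’s workflow above (checkout history for a shared account, overlapping use by two individuals, keyword search over transcripts, following one individual to a second system, jumping to the matching event) can be expressed as a few functions over session records. The following Python is an added illustration written for this post, not OPAM’s code or data model: the session records and transcripts are constructed to mirror the scenario, and the field names are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Session:
    user: str        # individual who checked the account out
    account: str     # shared privileged account that was used
    target: str      # system the session ran on
    start: datetime
    end: datetime
    transcript: str  # searchable text transcript (Linux) or event index (Windows)


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample checkout history, modelled on the scenario in the post.
SESSIONS = [
    Session("arun", "admin", "db01", parse_time("2015-01-20 09:00"), parse_time("2015-01-20 09:40"),
            "ls /var/lib/mysql\nsystemctl status mysqld\nexit"),
    Session("olaf", "admin", "db01", parse_time("2015-01-20 09:20"), parse_time("2015-01-20 09:55"),
            "cd /var/backups\nscp customers.dump admin@jumpbox:/tmp/\nexit"),
    Session("olaf", "administrator", "jumpbox", parse_time("2015-01-20 10:05"), parse_time("2015-01-20 10:30"),
            "Process started: explorer.exe\nWindow title: FTP Client\nProcess started: ftp.exe"),
    Session("arun", "administrator", "jumpbox", parse_time("2015-01-22 14:00"), parse_time("2015-01-22 14:10"),
            "Window title: Event Viewer"),
]


def checkout_history(sessions, account, start, end):
    """Sessions of one shared account overlapping a time window (Figure 1)."""
    return [s for s in sessions if s.account == account and s.start < end and s.end > start]


def concurrent_users(sessions):
    """Pairs of distinct individuals who held the same account on the same system at the same time."""
    pairs = set()
    for a in sessions:
        for b in sessions:
            if (a.user < b.user and a.account == b.account and a.target == b.target
                    and a.start < b.end and b.start < a.end):
                pairs.add((a.user, b.user, a.account))
    return sorted(pairs)


def search_transcripts(sessions, keywords):
    """Sessions whose transcript matches any keyword, with the term that matched (Figure 2)."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, keywords)) + r")\b", re.IGNORECASE)
    hits = []
    for s in sessions:
        m = pattern.search(s.transcript)
        if m:
            hits.append((s, m.group(1).lower()))
    return hits


def follow_user(sessions, user, anchor, window_hours):
    """Other sessions of the same individual that started within the window of the anchor session (Figure 3)."""
    window = timedelta(hours=window_hours)
    return [s for s in sessions
            if s.user == user and s is not anchor and abs(s.start - anchor.start) <= window]


def event_offset(session, keyword):
    """Index of the first transcript line matching the keyword: the point to start replay from."""
    for i, line in enumerate(session.transcript.splitlines()):
        if keyword.lower() in line.lower():
            return i
    return None
```

The attribution comes entirely from the checkout record: the transcript is keyed by the individual who checked the shared account out, not by the account name, which is why two overlapping "admin" sessions remain distinguishable.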

Summary:

OPAM’s session recording and auditing provides individual accountability in heterogeneous system environments for shared (and individual) user accounts.

Our follow-up blogs will cover how to set up and use OPAM within a deployment to create the audit trail details described above. Additionally, we’ll talk about how to take preventive actions to restrict privileged user access.

About the Authors



Olaf Stullich - OPAM Product Manager
Olaf can be reached via LinkedIn
Arun Theebaprakasam - OPAM Development Manager
Arun can be reached via LinkedIn
Himanshu Sharma - OPAM Development Team Member
Himanshu can be reached via LinkedIn


Tuesday Jan 27, 2015

Building a Scalable, Highly Available Oracle API Gateway 11g Infrastructure in a Cloud Environment

One of the major challenges that companies face in adopting a cloud computing platform is the secure provisioning of services in the cloud. Oracle API Gateway (OAG) 11g can be a very powerful tool in this sense, since it focuses on service protection, with authentication mechanisms, message encryption, and security/policy functionalities.

Marcelo Parisi recently drafted an article that details how one can create a cloud-based OAG infrastructure with high-availability and scalability support. Both high-availability and scalability operations are covered and, for the purpose of the article, Marcelo uses virtual machine (VM) and storage concepts, along with OAG and Oracle Traffic Director (OTD).

Read the entirety of Mr. Parisi's technical article here.


Monday Jan 26, 2015

Is Your PaaS Delivering the Agility Your Users Demand?

January 28th, 2015 10:00am PST/1:00pm EST - Register Today

Modern Business. Modern Cloud. Is Your PaaS Delivering the Agility Your Users Demand?

Join Oracle at the keynote as we kick off the online forum with IDC analyst Robert Mahowald. Learn how to rapidly build, deploy, manage, and secure rich applications and enable business collaboration and innovation using an integrated cloud platform built on the industry’s #1 Database and Application Server.

Following the keynote, stay for highly engaging content specifically designed for:

  • Java and Database developers
  • Database managers and administrators
  • IT operations managers
  • Lines of business managers

Be sure to join the Middleware Cloud Platform Sessions and learn how to Extend Your Identity Management Services to the Cloud

As organizations consume an increasing number of cloud services and apps, identity management becomes fragmented. Organizations have inconsistent access policies and lose visibility into who has access to what. To avoid these risks and costs, they are increasingly adopting a strategy of extending enterprise identity services to the cloud. This session explores how customers are using Oracle Identity Management to deliver a unified identity management solution that gives users access to all their data from any device while providing an intelligent centralized view into user access rights.

Review the full agenda for more information. Experts will be available for online chat to answer your technical questions.

Thursday Jan 22, 2015

Why Customers Should Upgrade Directory Server Enterprise Edition (DSEE) to Oracle Unified Directory (OUD)

Author: Forest Yin

Lightweight Directory Access Protocol (LDAP) is the foundation of Identity Management. LDAP directories are designed to store identity and policy information and provide runtime access to that information. Oracle’s Directory Server Enterprise Edition (DSEE) is the most widely deployed directory in the industry with thousands of production deployments. Some customer deployments include hundreds of millions of entries and even over a billion entries for a single deployment.

However, as business and technology evolve, a modern directory not only needs to be scalable for large scale directory consolidation but also needs to be able to virtualize identity from multiple data sources. In addition, a directory not only has to provide extremely high search performance but also write performance. A modern directory has to support on-premise applications and deployments as well as cloud applications and deployments. To address these new requirements, Oracle has introduced Oracle Unified Directory (OUD), the next generation, all-in-one directory for LDAP storage, synchronization, and virtualization.

OUD is Oracle’s strategic directory and the upgrade path for DSEE. Oracle strongly encourages DSEE customers to upgrade to OUD to take advantage of the following benefits:

  1. OUD is technically superior resulting in lower total cost of ownership (TCO), stronger security, and better user experience.
    1. OUD is a converged directory service providing storage, synchronization, and virtualization capabilities. Full convergence is in progress and the convergence provides richer functionality while simplifying deployment and ongoing maintenance. 
    2. OUD performance and scalability far exceed DSEE’s. For example, OUD 11gR2 can deliver more than 5 times DSEE’s write performance and more than 3 times DSEE’s search performance.
    3. OUD is designed to address current and future on-premise, mobile, and cloud needs. OUD enables enterprises to consolidate identity management for applications, databases, and servers. It can synchronize and virtualize identities from on-premise and cloud data sources to enable on-premise and cloud applications to work side by side. Its performance can handle dynamic mobile data and its scalability can support the requirements of extremely large social networks.  
  2. Free DSEE-to-OUD upgrade license. Existing DSEE customers are offered a one-to-one free upgrade license to OUD. In other words, no license cost for upgrading to OUD.
  3. DSEE 11gR1 Premier Support is extended while DSEE 5.2 and 6.3 are in Sustaining Support.
    1. DSEE 5.2 and DSEE 6.3 are in indefinite Sustaining Support, i.e., no new fixes will be created. These customers should upgrade to OUD (or to the latest DSEE 11gR1) to ensure up-to-date security and take advantage of more functionality and better quality.
    2. In order to ease customer migration, Oracle has extended DSEE 11gR1 Premier Support from June 2015 to December 2016 to provide customers with more time for planning and implementation.
  4. The upgrade is technically straightforward and easy.
    1. OUD is designed to be fully compatible with DSEE, so any applications working with DSEE should work with OUD.
    2. Co-existence is provided between OUD and DSEE in that OUD can run just like a DSEE with bi-directional replication capabilities. This co-existence enables zero down-time and gradual migration for large scale deployments.
  5. OUD is proven with over a hundred production deployments. Most of them are upgrades from DSEE 5.2, 6.3 or 11gR1, while some are replacements for Novell, OpenLDAP, etc. Some have up to hundreds of millions of users (consumers) while others have tens of thousands of employees.

In summary, OUD is Oracle’s strategic, next-generation directory and the upgrade path for DSEE. Oracle encourages DSEE customers to upgrade to OUD to take advantage of the latest functionality in order to support on-premise, cloud, and mobile applications while benefiting from a lower TCO, improved user experience, and enhanced security.

We will continue to share upgrade best practices and case studies in future blogs, so please stay tuned.

About the Author


Forest Yin is the Senior Director of Product Management for Oracle Access Management and Directory Services product lines. Forest has been in the identity management industry for almost 15 years starting with Netegrity.
The author can be reached via LinkedIn.

Wednesday Jan 21, 2015

Scope Grants and Authorization Policies: Diffs

Author: Vadim Lander, Chief Identity Architect, Oracle

In my last post on OAuth, I covered a couple of important considerations regarding the granularity of OAuth scopes. My recommendation was to look at scopes not only from the app development perspective, but also to consider the administrative knowledge and life-cycle burden that might be inadvertently created. I discussed that overloading with too many fine-grained scopes will place a burden on the user, creating confusion or complicating policy administration. It's best to define a few scopes protecting the high-level service, add a few additional scopes to secure access based on minimally required read and write permissions, and only then evaluate whether additional scopes are required.

In this blog, I'm going to take a closer look at the difference between a scope grant and authorization policy.

People ask this question all the time: can a client app possessing a token with a given scope access any application resource, or only the resources authorized by the user's consent as represented by the granted scope? It turns out people mistake scope grants for the security policies designed to protect the application. The answer depends on how people model the application's security policies versus how they model scope grants.

It's important to distinguish between a scope grant, authorized by a person who happens to be the "Access Approver" for his/her resources and data, and application security policies that govern what a user in session can do within the application. There are two things going on here:

  • First, the application's functional security model must secure the application by utilizing the RBAC and/or ABAC type policies. This typically accommodates role-based, attribute-based, risk-based, context-based, etc. or various combinations. Security Policies ensure application Security Administrators can customize security policies to suit their needs, and Business and/or Security Administrators can authorize users to have functional capabilities.
  • Second, the scope grant must convey the resource owner's approval for application to use the underlying resource. Hence, the scope grant typically represents context to be evaluated by the authorization policy.

For example, the following authorization policy may be protecting access to the Salary attribute when displaying a user's detail page in an HR application (expressed in pseudo language):

(Session.User has Role "HR Clerk" or "Self") and (Session.token has "UserSalaryScope")

This policy ensures the user must have the role "HR Clerk" and have the end user's approval to see salary data (or be the user whose record is being viewed).

We can see a clear delineation between authorization policies, which evaluate user-centric context, and scopes, which represent user-centric context. The latter is meant to be used in authorization policies, rather than to represent the authorization policy itself. This is the way I suggest people work with OAuth scopes for enterprise applications: first define the functional security model represented by authorization policies, then define scopes to be used as context attributes in those authorization policies.

Even though it's possible to model an application's authorization policies to align with scopes 1:1, doing so would be the wrong thing to do, really painting an application into a corner from the security policy and delegation-of-administration perspectives. Such a shortcut would work only for applications with trivial authorization policies or for 100% claims-based applications, but not for enterprise applications with comprehensive policy and administration needs. Sooner or later (usually sooner), scope overuse will manifest itself as an inability to adequately administer the enterprise application's security.
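The following Python is an added illustration (not code from the post or from any Oracle product) of the Salary policy above, evaluated the two ways the post contrasts: once with the scope as one context attribute inside an RBAC policy, and once with the 1:1 shortcut where the scope grant is the whole policy. The role assignments, salary records, token shape and user names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """OAuth access token as the resource server sees it: subject plus granted scopes."""
    subject: str
    scopes: frozenset


@dataclass(frozen=True)
class Session:
    """Authenticated user session in the HR application."""
    user: str
    roles: frozenset
    token: Token


# Constructed sample data: role assignments and the salary records being protected.
ROLE_ASSIGNMENTS = {"carol": frozenset({"HR Clerk"}), "bob": frozenset({"Employee"})}
SALARIES = {"alice": 85000, "bob": 72000}


def has_role(session: Session, role: str, record_owner: str) -> bool:
    """RBAC check; the pseudo-role "Self" holds when the user views their own record."""
    if role == "Self":
        return session.user == record_owner
    return role in session.roles


def salary_policy(session: Session, record_owner: str) -> bool:
    """The post's policy:
    (Session.User has Role "HR Clerk" or "Self") and (Session.token has "UserSalaryScope")
    The scope grant is evaluated as context; the functional model decides."""
    functional = has_role(session, "HR Clerk", record_owner) or has_role(session, "Self", record_owner)
    consented = "UserSalaryScope" in session.token.scopes
    return functional and consented


def scope_only_policy(session: Session, record_owner: str) -> bool:
    """The 1:1 shortcut the post warns against: the scope grant *is* the policy."""
    return "UserSalaryScope" in session.token.scopes


def read_salary(session: Session, record_owner: str, policy=salary_policy):
    """Return the salary if the chosen policy allows it, otherwise None."""
    if record_owner in SALARIES and policy(session, record_owner):
        return SALARIES[record_owner]
    return None


def make_session(user: str, scopes) -> Session:
    """Build a session whose token carries the given scopes for that user."""
    return Session(user, ROLE_ASSIGNMENTS.get(user, frozenset()), Token(user, frozenset(scopes)))
```

Under the scope-only shortcut, any session holding UserSalaryScope can read any record, so who may see what is no longer administered in the application at all; under the combined policy the scope only narrows what an already-authorized role or owner may do, which is what keeps policy administration in the hands of the application's security administrators.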

In the next blog, we will look at other scope-related topics:

  • Scope changes. The Authorization Server is free to grant a different set of scopes than what a client requests. This can happen because of policy, user consent, or just versioning issues.
  • Scope risk. The Authorization Server might issue different tokens with different lifespans based on the scope requested.
  • Implicit scopes. Some scopes may be “implicit”, where the policy dictates whether the user, or a client on the user’s behalf, is authorized to do something, resulting in “automatic” consent with no actual consent dialog.
  • Privileged scopes. The Authorization Server may inject special scopes not requested by clients, but granted nonetheless based on the contextual state of the client.

For more information on OAuth please see http://oauth.net/2/

About the Author


Vadim Lander joined Oracle’s Identity & Access Management team in 2009. He advises Oracle on key security technology trends, sets the technical strategy for the IAM Enterprise and Cloud product lines, and works with various Oracle teams on the architecture and implementation of the IAM stack. Previously, Vadim was CTO for the Security BU at CA delivering the architectural blueprints for engineering CA’s next-generation solutions. Vadim joined CA in 2004 with its acquisition of Netegrity, where he was CTO after holding a number of successive growth positions in engineering. Vadim holds a Bachelor of Science degree in Computer Science from Northeastern University in Boston.
Vadim can be reached via LinkedIn

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Wednesday Jan 14, 2015

The Future of User Authentication

Author: Prateek Mishra

As business and citizen services, entertainment and social life all become digitized and virtualized, passwords emerge as a key piece of data to be stolen in order to steal information and online resources. In the past this was a possibility and an occasional occurrence, but in recent years the Apple celebrity photo breach [1], the JPMorgan breach [2] and the pharmaceutical company breaches [3] have demonstrated the increasing scale and range of password-based threats to businesses. It is interesting to observe that each of these three breaches demonstrates a *different aspect* of the "password problem": the ability to guess or reset passwords; password re-use and subsequent discovery from a website with weak security controls; and, last, phishing attacks targeted at executives or administrators.

Pundits, bloggers, security gurus and journalists have all declared passwords "dead".
The Motorola login pill [4], the heartbeat monitor [5] and device hardware [6] are just a few of the many claimants jostling for a tryout as password replacements. So are we finally at a point where passwords will no longer be used to login to your employer or at your online medical portal?

To get some perspective, it helps to step back and review the overall context in which passwords are used and the different parties involved. For the business or service provider, passwords are a *scalable* and *low-cost* way to control access to services. For the user, there is a familiarity and ease with the *ceremony* of password use and the overall *user-experience*. Finally, both businesses and users share a conceptual and visual understanding of login page, user registration, forgotten password service and so on.

A successful new model for authentication must address these issues. While business costs and administrative overhead are important, a predictable and easily learnt user-experience is critical and for obvious reasons. The best authentication model is useless if customers or employees find it difficult to use. This is the key reason why it has proven so difficult to transition away from passwords - even after many years of effort - Bill Gates [7] had called for their removal almost a decade ago!

As we are all aware, one significant technological change in the past five years has been the worldwide availability of phones: smart phones (now widespread in the developed world) and wireless feature phones (in the developing world). And perhaps herein lies the future of authentication. We all know how to use a phone and its services, and we are being trained to download and install applications. Phone features are constantly being improved and are a foundation for innovative ways to authenticate.

The popularity of a phone-based "authenticator app" which provides TOTP (Time-Based One-Time Passwords) to augment existing password systems is a great example. The technology is well-known and was published by the IETF (the folks who helped define most of the protocols for the internet such as HTTP and SMTP) as RFC 6238 [8], building on the HOTP algorithm of RFC 4226. As an open standard it has been reviewed by leading experts in the field, so we can have reasonable expectations of its robustness and quality.

Many websites and vendors now provide such an app: for example, the Oracle Mobile Authenticator can be installed on Android [9] devices or an iPhone [10] and works in concert with Oracle Access Manager. Once a user has installed the authenticator app, they are guided through a registration process which connects the app to their online account by provisioning a secret shared between the app and the server. Notice that a password is still required for this step. From then on the app computes a six-digit code from that shared secret and the current time, typically moving to a new code every 30 seconds. The codes look random, but they are a deterministic function of the secret and the clock, which is precisely what lets the server verify them.

At subsequent logons, in addition to their password, the user is prompted to enter the current code displayed by the app. Even if the password has been compromised and is known to an attacker, the attacker cannot log in to the user account without also obtaining a current code.

Clearly this "password+otp" model has its limitations. An attacker could "phish" both the password and the code and, within the 30-second window, log in to the user account. A more sophisticated attacker could extract the shared secret from the app, or from the server that stores it, and compute the same sequence of codes the app does.

Nevertheless, this model protects against a common attack, where the password was guessed or discovered at some earlier time. The level of security sought by a business should be based on the value of the resource and the types of attacks against which it is trying to protect itself. The goal is to *impose costs* on an anticipated class of attacks, versus achieving some security ideal. The password+otp user-experience remains a familiar one, though individuals do have to learn the extra step of viewing the app on their phones to retrieve the current code and entering it into the login screen.

Passwords aren't dead but they are going to be less important in the future. They will provide only one component of user authentication, though the conceptual and visual model of the login page will be retained. There are going to be lots of experiments, some profound and some silly (authentication tattoos anyone?), that companies and researchers will bring forward. The recent iPhone 6 [11] fingerprint scanner and Keychain integration is an intriguing sample: how can it be integrated with the familiar login experience and might it become a universal feature of smart phones in the future?

[1] http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html
[2] http://dealbook.nytimes.com/2014/12/22/entry-point-of-jpmorgan-data-breach-is-identified/?ref=technology&_r=1
[3] http://www.nytimes.com/2014/12/02/technology/hackers-target-biotech-companies.html?_r=0
[4] http://www.theregister.co.uk/2013/05/31/motorola_tattoo_pill_authentication/
[5] http://www.washingtonpost.com/blogs/innovations/wp/2014/11/21/the-heartbeat-vs-the-fingerprint-in-the-battle-for-biometric-authentication/
[6] https://fidoalliance.org/
[7] http://www.informationweek.com/gates-says-security-is-job-one-for-vista-/d/d-id/1040561?
[8] https://tools.ietf.org/html/rfc6238
[9] https://play.google.com/store/apps/details?id=oracle.idm.mobile.authenticator&hl=en
[10] https://itunes.apple.com/us/app/oracle-mobile-authenticator/id835904829?mt=8i
[11] https://developer.apple.com/library/ios/samplecode/KeychainTouchID/Introduction/Intro.html

About the Author


Prateek Mishra is Technical Director at the Identity Management Division, Oracle. His group participates in standards and open source activities, including OAuth and OpenAz. He is best known for his pioneering role in conceptualizing and creating the SAML identity standard.
Prateek can be reached via LinkedIn


Thursday Jan 08, 2015

Shoulder Surfed by a Kid: Why cruel and unusual mobile security policies compromise security…

Author: Clayton Donley, Vice President of Product Management, Oracle Identity Management & Mobile Security.

“Thank you for your purchase of Mojo! Your credit card has been billed $19.95.”

As I leaned back and reviewed my morning email on my iPad, I was surprised to see a receipt for a purchase of something called Mojo. However, it quickly dawned on me exactly what it was and how this had happened.

You see, for a few weeks my son had been playing a free-to-play game on his iPad. In this game, there was a virtual currency called Mojo. He had been asking for me to spend real money to buy some of this virtual currency and I had spent an equal amount of time denying this request. So when the receipt landed in my inbox, I knew exactly what it was and who did it. What I didn’t know was how he had managed to make the purchase.

My iTunes password had lower and upper characters, a special character, no dictionary words, and a number. I wasn’t using it on any other site and hadn’t even given it to my wife.

What I had done was type it on my iPad that morning before I left for work, allowing each character of the password to echo on the screen as I typed it.

Apparently, a properly motivated 9-year-old (at the time) can easily watch these characters echo over your shoulder and enter them later on their own device.

What if this was an Enterprise Password?

Many companies still use login/password to access corporate VPNs and business applications.

Imagine that you work for one of these companies, visit a conference or trade show, and decide to check a file share, CRM application, or wiki using your mobile device.

You pull out your device, unlock it, and launch the application. Usually you’ve entered at least two layers of passwords by this point (perhaps using your fingerprint or swiping rather than entering a PIN to unlock your device).

While the device unlock is important, it requires that someone actually have your device to make it useful. The second sequence, where you connect to your corporate network (or cloud provider) is much more interesting. This is where you go from giving someone access to 32GB of data on your phone to countless terabytes stored in your enterprise.

If your organization hasn’t put into place one-time tokens or two-factor authentication, you’ve potentially given a motivated attacker an easy way to get access to your network. It’s much easier to watch your screen echo your password than it ever was to watch you touch-type your password.

Where some organizations get things exceptionally wrong is by enforcing even more frequent re-authentication when users come from a mobile device. The idea is that because devices can more easily be lost or stolen, it’s ideal to make users re-authenticate frequently to prove that they are still in control of the device.

This particularly cruel and unusual policy not only degrades user experience and encourages people to choose easier-to-type passwords, but also subjects these passwords to more frequent exposure.

Fortunately there are better security policies and better software to make those policies work well.

What Actually Works?

The easiest solution to this problem is to use the device itself as an authentication factor. This means that a hacker needs both my password and the device in order to login. This can be as simple as device fingerprinting and as complicated as leveraging digital certificates.

An even better solution is to move away from using any passwords in the first place, leveraging PKI and other established technology to handle the authentication between the device and the service, while using emerging technology like containerization to ensure that only appropriate applications on the device can leverage that session.

With employees bringing their own devices to work in BYOD programs, it’s very important to take an approach that focuses on applications, rather than devices. Over-hardening security at the device-level (e.g. even just to play Angry Birds), rather than just stepping up authentication when it is really needed (e.g. to view customer data), over-exposes credentials and gives users incentives to work around the inconvenience of security.

What about the Young Hacker?

With no shortage of hidden pride (and considering his promising future black hat career working with the LizardSquad and CryptoWall teams), I let my son know that he wasn’t allowed to do this sort of thing anymore.

Within a few days he proceeded to get my next few passwords, but “only used them to get free apps”. At this point I gave up.

About the Author


Clayton Donley is the Vice President of Product Management for Oracle’s Identity Management and Mobile Security products.
You can follow Clayton on Twitter at @cdonley.


Tuesday Jan 06, 2015

Oracle Magazine: Reducing Risk While Mastering the Digital Identity

Just released - the latest issue of Oracle Magazine is focused on security and features two great case studies you will want to share with your customers. These two stories highlight how companies are reducing risk and at the same time mastering digital identity. "Businesses need identity management systems to provide a single point of access and control while reducing costs and improving operational efficiency. Learn how two organizations are turning to the Oracle Identity Management solution to enable growth and business transformation."( Phillip Gill, Oracle Mag 2015)


Oracle Magazine, January - February 2015

A United Workforce
Vodafone
At Vodafone Group, the world’s second-largest telecommunications company, the first step in adapting to the mobile, social, and cloud evolution was to unite corporate identity and access management.

Empowering Customers
Electrabel
Electrabel GDF Suez, the largest supplier of electricity and gas in Belgium, is counting on identity management to help it reach out to millions of its residential customers to reduce energy consumption.

Monday Jan 05, 2015

Minecraft and Identity Management - What an Identity Management guy learned from managing a world populated by tweens and teens

Author: Clayton Donley, Vice President of Product Management, Oracle Identity Management & Mobile Security.

“Lava and TNT is covering the entire spawn, dad! Can you fix it?”

I help my 12-year-old son run a Minecraft server for his friends, as well as random strangers (500+ at last count). Players point their Minecraft game at his server and work collaboratively (or so we hope) with others to build things, chat, and otherwise have fun.

In the span of two years, there’s been a lot of learning when it comes to managing a system where the bulk of the users have pre-teen or early teen levels of maturity.

What Could Possibly Go Wrong?

Apparently, on a server loaded with pre-teen users, there’s actually a LOT that can go wrong…frequently.

In addition to my Saturday mornings of cleaning up lava and TNT (CoreProtect is your friend), I’ve needed to unban dozens of legitimate users, revoke privileges from griefers who have decided to destroy parts of the world, and kill off entire populations of zombies, creepers, and other creatures that were placed with the intent to DDoS the server with lag.

While on the surface these all seem to be different problems, they all ultimately come down to the wrong people having too much access and a lack of visibility into who has access to do what.

Who can you Trust?

To be clear, this access generally started with one person (my son), but as the server grew, this power got distributed to other helpers. These helpers get roles like Admin, Mod, Builder, etc. that give them a range of powers.

Minecraft servers support a notion of privilege systems. These systems allow you to very granularly define what each of these groups has access to do. For example, the Builder role might have access to make broad changes to the world by placing blocks in bulk using WorldEdit, while users in the Mod role may have access to kick a player off the server or ban them. Figuring out which role grants access to what privileges involves manually sifting through pages of roles and permissions in a text file. Users can also have permissions that override the ones defined in their roles, or have their roles and permissions restricted to only certain worlds or regions within the server.

If you’ve ever visited a multi-player Minecraft server, you’ll notice that the chat logs are inundated with kids asking others for all kinds of elevated access. If you’ll only make them a Mod, they’ll be your friend for life, bring all their friends to your server, build great things, and help you keep everything running smoothly. They’re friends with so-and-so, who runs the biggest Minecraft server you can imagine, and she will get so-and-so to send people to your server as well.

This is all bulls***. You’re much better off giving your password to the guy on the phone claiming to be from IT or clicking a phishing link.

Apparently, when kids hear this kind of thing, they start giving everyone crazy levels of access without considering the consequences. At one point when things were particularly out of control on the server, I audited user permissions and found that approximately half the active users had some level of privileged access. There was actually a network effect of kids giving it to other kids.

To make things worse, plugins all have their own permissions. Some of these permissions are quite powerful and allow players to change large parts of the world. It’s not always obvious when such privileges have been granted until they are granted to the wrong people — who then take advantage of it.

Who is this Really?

The Minecraft game itself costs money (~$27). Many families buy a single copy that gets shared by everyone in the family. Some kids even share their software with other friends that may not have bought a copy. All of this is done by sharing a single Minecraft login/password.

This means that even if you’ve got a great contributor who is building great things and interacting with a level of maturity well beyond their years…five minutes later a completely different kid could be accessing your server with the exact same account…and this kid could be a disaster!

Not only that, but nearly everyone who does something bad to your server will claim that it was not really them that did it at all…but their terrible brother/sister/friend/etc… Hackers are frequently invoked. Those of you with multiple kids (or dysfunctional teams) know exactly what I’m talking about.

It’s like asking who left up the toilet seat or ate the last cookie — maybe a ghost?

Regardless of who did it, the damage is done and you’re left cleaning up the mess.

Enterprise Software is Different, Right?

Your typical enterprise is running hundreds or thousands of applications. Each of these systems also has roles and permissions that determine who gets access to which data or functions. Ideally, the security on these systems is being managed in a way that is different from the way my son runs his Minecraft server.

IT and the business need to understand some fundamental things about the users of mission critical systems:

  • Who has access to which systems, functionality, and data?
  • How is this access requested and approved?
  • Who is certifying that this access continues to be appropriate?
  • What users have toxic permission combinations (e.g. create/pay their own POs)?
  • Who has highly privileged access (e.g. super-user) and what are they doing with it?

This is where Identity Governance comes into play.

Identity Governance solutions connect to various systems in the enterprise to manage accounts, roles, and entitlements for users.

When an employee joins the company, they get a standard set of privileges for their role in the enterprise. This might be things like sending email or submitting expense reports. Additional privileges can be easily requested and approved as appropriate by the business and IT. Finally, when an employee leaves the company, their accounts and privileges are centrally revoked across all of these systems.

Lack of proper controls opens enterprise applications to various insider threats. Additionally, over-privileged accounts are a goldmine for hackers that have already gained basic access via common attacks like phishing and malware.

Avoiding Lava and TNT

Hooking up an Identity Governance solution to a Minecraft server is a bit overkill — though don’t think I didn’t consider it.

Instead, I simply went user-by-user, role-by-role to limit everyone’s access to the bare minimum. We then selected a few users that would be given the ability to do more privileged things, but didn’t allow these users to further delegate their privileges. Additional plugins were added that allow for tracking and rollback if these permissions were abused (similar to privileged session recording).

Cleaning things up with 500 users in a half-dozen roles on a single, relatively simple system took several hours.

Scaling this manual process up to tens of thousands of users, thousands of roles, and hundreds of systems without the benefit of automation would have been completely impossible without cutting corners and reducing overall security.

That said, in the case of the Minecraft server, this significantly improved the stability of the server and eliminated some of the large-scale griefing that was taking place.
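The user-by-user, role-by-role audit described above is exactly the kind of thing that should be scripted. The Python below is an added example, not the plugin or tooling used on the server: it takes a constructed, permissions-plugin-style configuration (roles that inherit roles, users with roles plus per-user overrides, wildcard nodes like worldedit.*), computes each player's effective permissions, and answers the governance questions from the post: who is privileged, who holds a toxic combination (here, the power to wreck the world plus the power to roll back the audit trail), who can hand out access to others, and which grants live outside any role. All role names, permission nodes and players are invented for the example, including the permissions.manage node standing in for "can grant roles".

```python
# Constructed configuration in the style of a Minecraft permissions plugin.
# Nothing here is a real server's data; the node names are illustrative.
ROLES = {
    "default": {"inherits": [], "permissions": {"essentials.spawn", "essentials.home"}},
    "builder": {"inherits": ["default"], "permissions": {"worldedit.*"}},
    "mod":     {"inherits": ["default"],
                "permissions": {"essentials.kick", "essentials.ban", "coreprotect.lookup"}},
    "admin":   {"inherits": ["mod", "builder"],
                "permissions": {"coreprotect.rollback", "permissions.manage"}},
}
USERS = {
    "alice": {"roles": ["admin"],   "permissions": set()},
    "bob":   {"roles": ["builder"], "permissions": {"coreprotect.rollback"}},  # ad hoc override
    "carol": {"roles": ["mod"],     "permissions": set()},
    "dave":  {"roles": ["default"], "permissions": {"permissions.manage"}},    # can hand out roles!
    "erin":  {"roles": ["default"], "permissions": set()},
}

# What the review treats as privileged, which pairs are toxic together, and the
# (hypothetical) node that lets a player delegate access to others.
PRIVILEGED_NODES = {"worldedit.*", "essentials.ban", "coreprotect.rollback", "permissions.manage"}
TOXIC_PAIRS = [("worldedit.*", "coreprotect.rollback")]   # destroy the world, then erase the evidence
DELEGATION_NODE = "permissions.manage"


def role_permissions(role, seen=None):
    """Expand a role's nodes through its inheritance chain (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen or role not in ROLES:
        return set()
    seen.add(role)
    nodes = set(ROLES[role]["permissions"])
    for parent in ROLES[role]["inherits"]:
        nodes |= role_permissions(parent, seen)
    return nodes


def effective_permissions(user):
    """Role-derived nodes plus the user's own overrides."""
    nodes = set(USERS[user]["permissions"])
    for role in USERS[user]["roles"]:
        nodes |= role_permissions(role)
    return nodes


def has_node(nodes, wanted):
    """True if `wanted` is granted directly or through a wildcard ('worldedit.*' or '*')."""
    if wanted in nodes or "*" in nodes:
        return True
    return any(n.endswith(".*") and wanted.startswith(n[:-1]) for n in nodes)


def access_review():
    """Per-user answers to: who is privileged, who has a toxic combination,
    who can delegate access, and which grants bypass the role model."""
    report = {}
    for user in USERS:
        nodes = effective_permissions(user)
        report[user] = {
            "privileged": sorted(n for n in PRIVILEGED_NODES if has_node(nodes, n)),
            "toxic": [pair for pair in TOXIC_PAIRS if all(has_node(nodes, n) for n in pair)],
            "can_delegate": has_node(nodes, DELEGATION_NODE),
            "overrides": sorted(USERS[user]["permissions"]),
        }
    return report


def privileged_share(report):
    """Fraction of users holding at least one privileged node."""
    return sum(1 for r in report.values() if r["privileged"]) / len(report)


if __name__ == "__main__":
    review = access_review()
    for user, findings in review.items():
        print(user, findings)
    print(f"{privileged_share(review):.0%} of users are privileged")
```

On this sample, four of five players come out privileged (the "half the active users" situation), two of them hold the toxic pair, and dave can delegate roles without being an admin at all, purely through a per-user override that no role listing would show. Those overrides are the first thing to strip when cleaning up, which is what the manual pass above amounted to.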

About the Author


Clayton Donley is the Vice President of Product Management for Oracle’s Identity Management and Mobile Security products.
You can follow Clayton on Twitter at @cdonley.


Wednesday Dec 17, 2014

Oracle Access Portal Self Study now available for IDM Solutions

Visit the Oracle Learning Library to access free Identity and Access Management video content for a multitude of audiences including Security Compliance Auditors, Identity Administrators, Security Administrators, as well as Java Architects and Developers.

The latest featured content includes:

'Best Practices to Successfully Monitor & Manage Oracle’s Identity Management Product Line'

The Oracle Learning Library ADF Primer for Oracle Identity Manager Series




Wednesday Dec 10, 2014

Securing Access with OAuth2: How to deal with OAuth Scopes

Author: Vadim Lander, Chief Identity Architect, Oracle

The OAuth standard has proven itself to be very effective at managing distributed Web authorization by providing client applications secure, delegated access to server resources on behalf of a Resource Owner.  A large number of public Internet web sites have standardized on OAuth for service-to-service authorization, the standard has gained traction in securing commercial SaaS/PaaS/IaaS cloud services, and it is being adopted by enterprises interested in externalizing internal web services.

Here at Oracle we're using OAuth2 to secure access to Web Services exposed by Oracle Public Cloud services.  While the standard itself is relatively straightforward, there are a couple of areas that each implementation must address on its own. The purpose of this blog is to look at one such area we have to advise application developers on - how to deal with OAuth scopes. We will assume the reader is familiar with the standard OAuth terminology.

Figuring out what scopes to expose is the application developer's responsibility, and it may be confusing at first:

  • Do I expose a single scope protecting the entire service, or do I expose scopes to protect fine-grained business functionality of my application?
  • Do I break up my service into many smaller services with one scope each, or do I build multi-functional service with multiple fine-grained scopes?
  • How do I balance the needs of my clients to request specific capabilities and the needs of my application owners to manage appropriate policies?

Let's take a closer look at scopes and see what it means to request scopes that will be granted by the Authorization Server and placed into the Access Token.

An OAuth scope X is an indication by a client that it wants to access the Resource Server to perform X, or to access something on the service that is related to X. For example, the client may request the scope EMAIL_SERVICE to access the email service, or it may request the scope DELETE_INBOX if it wants to delete inbox entries.

The developer of the email service needs to think about what scopes should be exposed in a way that lets services support different types of clients by allowing proper authorization delegation. In the previous example, the “EMAIL_SERVICE” scope is generic and might not be that useful because it grants too much authority. If the email service breaks this into scopes such as “EMAIL_READ”, “EMAIL_POST”, “EMAIL_MOVE”, and “EMAIL_DELETE”, the core functionality of the email service is expressed as scopes. This becomes useful to allow clients to use minimal authority to access the user’s mailbox without requiring full access.

As mentioned previously, the purpose of OAuth is to authorize access to a service. Hence the Policy Enforcement Point (PEP) tasked with securing access to the Resource Server must be able to determine, from the Access Token's authorized scopes, whether or not access should be allowed.  Once the token is issued to a client, the client's access rights are bound by the scopes encapsulated in the Access Token for as long as the Access Token is valid.
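The following Python is an added example of such a PEP for the email service described above (example code written for this post, not the Oracle Public Cloud enforcement point). It uses the post's scope names; the REST operations, the token field layout and the sample tokens are assumptions. The token is taken as already validated (signature check or introspection done upstream), so what remains is exactly the decision the paragraph describes: is the operation covered by the scopes bound into this token, and is the token still valid?

```python
import time

# Scope names from the post's email example. The REST operations and the token
# layout below are assumptions made for this example, not any real service's API.
COARSE_SCOPE = "EMAIL_SERVICE"
REQUIRED_SCOPE = {
    ("GET", "/mailbox/inbox"):        "EMAIL_READ",
    ("POST", "/mailbox/outbox"):      "EMAIL_POST",
    ("POST", "/mailbox/inbox/move"):  "EMAIL_MOVE",
    ("DELETE", "/mailbox/inbox"):     "EMAIL_DELETE",
}


def granted_scopes(token):
    """RFC 6749 carries scopes as a space-separated string; normalise to a set."""
    return set(token.get("scope", "").split())


def enforce(token, method, path, now=None):
    """PEP decision for one request.

    `token` is the access token after signature verification or introspection
    (assumed done upstream): a dict with 'sub', 'exp' (Unix seconds) and 'scope'.
    Returns (allowed, reason). Nothing outside the token's scopes is reachable,
    whatever else the client or its user might be entitled to."""
    now = time.time() if now is None else now
    if token.get("exp", 0) <= now:
        return False, "token expired"
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return False, "operation not exposed"
    scopes = granted_scopes(token)
    if needed in scopes:
        return True, "scope " + needed
    if COARSE_SCOPE in scopes:
        # Still honoured for old clients, but it authorises every operation at
        # once: the over-grant that makes EMAIL_SERVICE "not that useful".
        return True, "coarse scope " + COARSE_SCOPE + " covers " + needed
    return False, "missing scope " + needed


def capabilities(token, now=None):
    """Everything a token can do: an audit of what a client was really handed."""
    return sorted(f"{m} {p}" for (m, p) in REQUIRED_SCOPE if enforce(token, m, p, now)[0])


# Constructed tokens: a read-only client, a legacy client with the coarse scope,
# and an expired token that carries plenty of scopes but no longer counts.
NOW = 1_420_000_000          # fixed clock so the example is reproducible
READ_ONLY = {"sub": "alice", "exp": NOW + 3600, "scope": "EMAIL_READ"}
LEGACY = {"sub": "alice", "exp": NOW + 3600, "scope": "EMAIL_SERVICE"}
EXPIRED = {"sub": "alice", "exp": NOW - 1, "scope": "EMAIL_READ EMAIL_DELETE"}

if __name__ == "__main__":
    for name, tok in [("read-only", READ_ONLY), ("legacy", LEGACY), ("expired", EXPIRED)]:
        print(f"{name:10}", capabilities(tok, NOW))
```

The capabilities listing is the practical payoff of fine-grained scopes: for the read-only token it is one line, for the coarse one it is every operation the service has, and a reviewer can see at a glance which clients were given more authority than they needed.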

The big question is where to draw the line between defining very granular scopes representing the right to invoke functional "capabilities" exposed by physical service implementations, and creating broad scopes representing the right to invoke the actual physical services.

One important perspective on how to answer this question is to look at the problem from the perspective of the Resource Owner - specifically what authorization decisions need to be made to authorize requested scopes, how often these decisions need to be made, and what needs to be known in order to make such decisions.  The lifecycle of managing such authorization decisions should be straightforward – otherwise the policies will be incomplete, out of date, or overly permissive.

From the Resource Owner perspective there are two important considerations:

  • Who owns the data - end user or the target service
  • Who gets to specify the authorization policy - end user or application owner

The difference in considerations is important since it determines who gets to authorize the client's request for specific scopes: the end user whose data will be requested by the client, or the business/security admin configuring the client and granting it specific privileges.  Let's take a closer look at each consideration:

End users authorizing request for scopes

If the Resource Server is tasked with providing access to end user's data (such as the case with consumer sites or user-centric apps such as email), the end user is the ultimate authorization authority for deciding whether or not requested scopes should be granted. 

In this case the purpose of a scope is to let the end user know what the client is trying to do with the end user's data (e.g. requesting access to one's pictures or emails, requesting access to one's mobile GPS data, etc.). Then, when the Access Token is granted, the approved scopes are "burned" into the token. Presenting this Access Token to the Resource Server conveys the fact that the end user has approved the client application's request to access his/her data. 

We can see that scopes represent the client's intent to access the user's data, and can be modeled on the categories of user data the Resource Server wants to protect from blanket "super user" access.

This requirement to secure access to end-user's data is the primary reason for the 3-legged OAuth interaction where the end user (data owner) is responsible for providing consent to operations requested by the client.  Here, the end user is familiar with, and wants to protect access to his/her data, so modeling scopes based on user's data categories (or collection of categories) makes sense. This model is often used by user-centric cloud services such as mail, photos, storage, documents, etc.

Business admins authorizing request for scopes:

There are numerous commercial/enterprise services where the Resource Server is consumed not by the end user directly, but by partners who build clients to consume, expose, or extend application functionality. 

In this case the purpose of scopes is to represent authorization permissions as granted by an administrative process responsible for registering clients.  For example, a real estate site is exposing listings, where unpaid clients have access to listings without addresses, while paid clients have access to addresses. Here, “Address” would be a scope, and it would be the service administrator configuring clients and granting them allowed scopes based on the level of service a client has paid for.

We can see that scopes represent fine-grained capabilities the Resource Server is charging for, using administrators (or automated sign up processes) to decide the authorization policy.

Looking at both scenarios, we can conclude that having too many scopes creates a burden on whoever has to understand and manage the meaning of those scopes.

In the case of user-centric scopes, the end user is expected to understand the meaning of the data managed on his behalf.

In the case of business admins, they're expected to understand business rules (or in the case of automated client registration, have the ability to collect required service-level agreements).

The more scopes are exposed by a Resource Server, the greater the burden on a user (end user or administrator) to understand the exact meaning.

Hence the overarching goal of application developers is to make their users capable of understanding the underlying authorization process. This requires looking at scopes not only from the application development perspective but also from the perspective of the "administrative" knowledge and life-cycle burden a developer might inadvertently create: some human being will have to be responsible for, and trained in, understanding the meaning of each scope.

Ultimately, the application developer has to think about what scope means in the context of “their” application, including how much delegation (to an end user or policy) should be exposed. There will be as many scopes as the developer wants to expose to a user who is expected to understand their meaning – this could be an end user of social/mobile app clients accessing his/her data, or a security policy admin for enterprise/commercial applications.

Overloading an API with too many fine-grained scopes burdens that user, creating confusion or complicating policy administration. It is best to define a few scopes protecting the high-level service, add a few more to separate read from write access, and only then take a closer look at whether any additional scopes are required.
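As an added illustration (not code from this post or from any Oracle product), here is the real estate example carried through with the scope design just recommended: one scope for the whole service, read and write refinements, and a single extra scope for the paid “address” capability. The scope names, the client registrations, the endpoint table and the sample listing are all assumptions made for the example.

```python
"""Scope design and enforcement for the listing service discussed above.

Added example, not code from the original post or from Oracle.
Assumptions: scope names, the administrator's client registrations,
the endpoint-to-scope table and the sample listing are all invented here.
"""
from dataclasses import dataclass

# A deliberately small scope vocabulary (assumed names).
SERVICE = "listings"            # the whole service; implies read and write
READ = "listings:read"          # read refinement
WRITE = "listings:write"        # write refinement
ADDRESS = "listings:address"    # paid capability: street addresses in results

# Authorization-server side: what the administrator granted each registered
# client, based on the service level it has paid for (constructed sample data).
CLIENT_ALLOWED_SCOPES = {
    "free-portal": {READ},
    "paid-portal": {READ, ADDRESS},
    "partner-feed": {SERVICE, ADDRESS},
}

# Resource-server side: an operation is permitted if the token carries any
# one of these scopes. Operations not listed here are denied.
REQUIRED = {
    ("GET", "/listings"): {SERVICE, READ},
    ("POST", "/listings"): {SERVICE, WRITE},
    ("PUT", "/listings"): {SERVICE, WRITE},
}

# Constructed sample resource.
SAMPLE_LISTING = {"id": 17, "price": 450000, "address": "12 Example Street"}


def issue_scopes(client_id: str, requested_scope: str) -> set:
    """Authorization server: grant only the requested scopes the administrator
    registered for this client. Unknown clients get no scopes at all."""
    allowed = CLIENT_ALLOWED_SCOPES.get(client_id, set())
    return set(requested_scope.split()) & allowed


@dataclass(frozen=True)
class Token:
    """Minimal view of an access token after validation/introspection."""
    client_id: str
    scope: str  # space-delimited scope list, as in RFC 6749 section 3.3

    @property
    def scopes(self) -> frozenset:
        return frozenset(self.scope.split())


def is_authorized(token: Token, method: str, path: str) -> bool:
    """Resource server: deny by default, allow if any required scope is present."""
    required = REQUIRED.get((method, path))
    if required is None:
        return False
    return bool(token.scopes & required)


def redact(listing: dict, token: Token) -> dict:
    """Strip the address unless the token carries the paid address scope."""
    if ADDRESS in token.scopes:
        return dict(listing)
    return {k: v for k, v in listing.items() if k != "address"}


def serve(token: Token, method: str, path: str):
    """Handle one request; returns (status, body)."""
    if not is_authorized(token, method, path):
        return 403, None
    if method == "GET":
        return 200, redact(SAMPLE_LISTING, token)
    return 201, None


if __name__ == "__main__":
    granted = issue_scopes("free-portal", "listings:read listings:address")
    free = Token("free-portal", " ".join(sorted(granted)))
    print(serve(free, "GET", "/listings"))    # address is redacted
    paid = Token("paid-portal", " ".join(sorted(issue_scopes("paid-portal", "listings:read listings:address"))))
    print(serve(paid, "GET", "/listings"))    # address present
    print(serve(paid, "POST", "/listings"))   # 403: no write scope
```

Two points worth noting in the example: the authorization server intersects what the client asks for with what the administrator registered, so a free client asking for the address scope simply does not get it, and the resource server fails closed for any operation absent from its table, so adding an endpoint forces someone to decide which scope protects it.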

This is it for the first installment on OAuth scopes.  In the next blog, we will look at other scope-related topics:

  • Scope affinity. Can a client with a given scope access any resource, or only the resource associated with the authorizing (and/or owning) user?
  • Scope changes. The Authorization Server is free to grant a different set of scopes than the client requests. This can happen because of policy, user consent, or simply versioning issues.
  • Scope risk. The Authorization Server might issue tokens with different lifespans based on the scope requested.
  • Implicit scopes. Some scopes may be “implicit”, where policy dictates whether the user, or a client acting on the user's behalf, is authorized to do something, resulting in “automatic” consent with no consent dialog.
  • Privileged scopes. The Authorization Server may inject special scopes not requested by the client but granted nonetheless based on the client's contextual state.

For more information on OAuth please see http://oauth.net/2/

About the Author


Vadim Lander joined Oracle’s Identity & Access Management team in 2009. He advises Oracle on key security technology trends, sets the technical strategy for the IAM Enterprise and Cloud product lines, and works with various Oracle teams on the architecture and implementation of the IAM stack. Previously, Vadim was CTO for the Security BU at CA, delivering the architectural blueprints for engineering CA’s next-generation solutions. Vadim joined CA in 2004 with its acquisition of Netegrity, where he was CTO after holding a number of successive growth positions in engineering. Vadim holds a Bachelor of Science degree in Computer Science from Northeastern University in Boston.
Vadim can be reached via LinkedIn

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Wednesday Dec 03, 2014

Drivers for Identity and Access Management in Today's Businesses

Author: Paul Toal

Most organizations know from experience that Identity and Access Management isn’t a project but a multi-phase, multi-year programme. Those who treat it as a single project, or even worse as a milestone deliverable within another project (e.g. delivering a new business application), are destined to fail. However, it is typically individual projects that surface the need for IAM, and they are forced to implement tactical fixes whilst the organization catches up with a more strategic solution. It is easy to see the challenges that individual projects face. No project sponsor wants to foot the bill for an enterprise-wide IAM platform just to deliver the subset of capabilities they need. On the flip side, it is often difficult to get sufficient buy-in at board level to invest in a strategic IAM platform, because implementing such a platform is often seen as a cost with very little ROI.

However, that is no longer the case. The days of committing to a lengthy and costly IAM programme with very little return are gone. Let’s look at the evolution of IAM business cases in relation to IT security as a whole.

Fear

Anyone who has worked in IT security for any length of time will be more than familiar with this approach. Vendors used to sell IT security-related products on fear. IT departments then used the same approach with their investment boards. Pick the worst case scenario of what would happen if you didn’t have a particular IT security product (e.g. firewall) and convince the business that the scenario is highly likely and therefore they absolutely must invest in the project. This approach worked well in the early days when threats on the internet weren’t as well understood and many organizations didn’t take a risk management approach to handling IT security. As use of the internet for business increased and the risks were better understood, the approach of selling on fear started to wane, coupled with the fact that this approach also had very little demonstrable ROI.

Enablement

As businesses started pushing back against throwing endless pots of money at IT security with very little to show for it, the industry needed to evolve. By now, use of the internet for business was widespread and organizations were looking at how to take advantage of this shift to online business. As part of this shift, businesses realized that the foundation of any online business is security, and in relation to that, identity. For a company looking to deploy, for example, an eCommerce platform or online banking, how could this possibly be done unless it was secure? Also, how could online services be provided to consumers unless you know who the consumer is? Once you know their identity and they have proven ownership of that identity (authentication), you can provide them with the right services (authorization) to meet their needs.

The approach of deploying IAM as a business enabler has been key to obtaining investment from the business. We also know from our everyday experience that there is real ROI associated with this approach. Using the online channel, as end-users, we are transacting more money online than ever before. For many people, the online channel is the first, and preferred channel of engagement. Indeed, it can also be a differentiator when you are looking for a company to provide a service to you. For example, positive answers to questions such as “Can I manage my accounts online?” can set one business apart from its competitors.

For a lot of organizations, identity as an enabler is still the business justification for investing in IAM. However, there are a number of drivers within the industry today that are enabling IAM business cases to evolve further.

User Experience

There are many organizations that already offer a strong online presence and online catalog of services for their customers. However, just having these online capabilities is no longer good enough. With the shift of users from laptops and desktops to mobiles and tablets, the expectations around user experience are driving IAM to a new level and forcing organizations to evolve. Users have come to expect slick and personalized experiences whether they are employees or customers. What is going to set an organization apart from its competitors isn’t whether it has an online presence, but what the experience for the end user is like. For example, does the company have a mobile application? Is it easy to use? Can it provide me with all the information and services that I need in an intuitive way? There are so many mobile applications on the market today that users know what a good application looks like. They are not prepared to spend hours learning what they must do. If the app isn’t intuitive within a couple of minutes, it is easy for the user to delete it and find a different company that provides a better app and user experience.

IAM plays a crucial role within this evolution. We know from the enablement business cases discussed above, that knowing the user is key to providing them with services. However, looking at user experience, IAM also provides a key set of services. Take these examples: 

Social login – Mobiles and tablets are great devices for many things, but filling in long forms with lots of fields (e.g. username, first name, last name, email, etc.) isn’t one of them. However, user registration is one of the key elements of a mobile application. If you can’t get your user up and running with your mobile app easily and quickly, it will be deleted. Enabling customers to register from a social network such as Facebook or Google+ is a great solution to this. However, integrating with lots of social networks can be a painful and time-consuming coding exercise for an application developer. Fortunately, a good IAM platform will take that pain away, turning social network integration into a configuration rather than a coding exercise.

Step-up authentication – So, now your user has registered and logged into your app from a social network; now what? Well, that level of trust may be good enough to access some basic information, but you aren’t going to let a user manage their bank account (I hope) purely on the basis of a social login. A good IAM platform will enable you to understand the level of trust a user has at any point in time and, when necessary, step up their level of trust with an additional challenge. This should be flexible but could include options such as issuing a challenge question or using a one-time passcode.
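As an added example (not code from this post or from any Oracle product), here is the step-up decision just described, reduced to its essentials: a session carries an assurance level, each resource demands a minimum level, and a one-time passcode challenge raises the level for a limited time. The three levels, the resource table, the five-minute validity window and the choice of HOTP (RFC 4226) for the passcode are assumptions made for the example; the secret is the RFC's published test secret, not a real key.

```python
"""Step-up authentication decision with a one-time passcode challenge.

Added example; not from the original post or any Oracle product.
Assumptions: three assurance levels, a per-resource required level, a
300-second validity window for a passed challenge, and HOTP (RFC 4226)
as the passcode mechanism. The secret below is the RFC 4226 test secret.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assurance levels; higher means more trust (assumed numbering).
LEVEL_SOCIAL = 1     # authenticated only through a social network login
LEVEL_PASSWORD = 2   # verified a local credential
LEVEL_OTP = 3        # additionally passed a one-time passcode challenge

# Minimum level each resource demands (assumed policy table).
RESOURCE_LEVEL = {
    "/branch-locator": LEVEL_SOCIAL,
    "/profile": LEVEL_PASSWORD,
    "/accounts/transfer": LEVEL_OTP,
}

STEP_UP_TTL = 300  # seconds a passed challenge keeps its elevated level (assumed)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of the requested length."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Session:
    user: str
    base_level: int            # level established at login
    elevated_level: int = 0    # level reached by the last successful challenge
    elevated_at: float = 0.0   # time that challenge was passed
    otp_counter: int = 0       # next HOTP counter expected from this user's token

    def level(self, now: float) -> int:
        """Current assurance: the elevated level while fresh, else the base level."""
        if self.elevated_level > self.base_level and now - self.elevated_at < STEP_UP_TTL:
            return self.elevated_level
        return self.base_level


def check_access(session: Session, resource: str, now: float) -> str:
    """'allow', 'deny' (unknown resource, fail closed), or 'step-up:<level>'
    naming the level the user still has to reach."""
    required = RESOURCE_LEVEL.get(resource)
    if required is None:
        return "deny"
    if session.level(now) >= required:
        return "allow"
    return f"step-up:{required}"


def verify_otp(session: Session, secret: bytes, code: str, now: float, window: int = 3) -> bool:
    """Accept a code within a small look-ahead window. On success, advance the
    counter past the used value (so the code cannot be replayed) and raise the
    session to LEVEL_OTP."""
    for counter in range(session.otp_counter, session.otp_counter + window):
        if hmac.compare_digest(hotp(secret, counter), code):
            session.otp_counter = counter + 1
            session.elevated_level = LEVEL_OTP
            session.elevated_at = now
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    s = Session(user="alice", base_level=LEVEL_SOCIAL)
    print(check_access(s, "/branch-locator", 0.0))     # allow
    print(check_access(s, "/accounts/transfer", 0.0))  # step-up:3
    print(verify_otp(s, secret, hotp(secret, 0), 0.0)) # True
    print(check_access(s, "/accounts/transfer", 1.0))  # allow
    print(check_access(s, "/accounts/transfer", 400.0))  # step-up:3 (challenge expired)
```

The parts that matter from a security standpoint are the constant-time comparison of the submitted code, the counter moving past the accepted value so a captured code cannot be replayed, the elevated level expiring rather than sticking to the session for its lifetime, and the fail-closed answer for any resource the policy table does not know.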

Multi-channel Single Sign-on – In modern development, the ‘constant beta’ approach, with its focus on rapid application development and release cycles, is very popular. Therefore, it is not always necessary or desirable to implement all of the information and services available on the website within the mobile app. This isn’t a problem, because you can always drop out of the application into a web browser on the device, or even present web content within your mobile application. However, you need to ensure you maintain the user experience. Users have enjoyed SSO in the web channel for a long time and they expect no less in the mobile channel. Therefore, flows like the one below are unacceptable to users (and so they should be):

A good IAM platform will enable SSO not just within a single channel, i.e. between multiple mobile applications, but also across channels, e.g. between a native app and a browser-based application, so that the user experience is maintained.

If you are looking for an IAM solution that can address all of the above requirements as well as provide a single, integrated platform for addressing all of your IAM needs, both internally and externally, the Oracle IAM platform is a great option. Whether you are looking to deploy it on-premise or within the cloud, Oracle can help you realize your IAM strategy with its market-leading solutions.

To summarise, it’s not just about user experience. IAM helps many organizations to meet their legal and regulatory requirements. However, in today’s rapidly evolving IT world, we need to look at how IAM can be used, not only as an enabler, but as a differentiator by delivering improved user experience, thus taking it from a pure cost to the business to one that has a demonstrable ROI.

About the Author


Paul Toal is a very passionate and capable IT security consultant specialising in the field of Information Security. He has worked in IT for over 20 years and built up a wide-ranging and in-depth portfolio of knowledge and skills. Equally comfortable talking to C-level execs or technical experts, Paul has worked in both pre-sales and consulting delivery roles covering everything from writing business cases, high-level requirements capturing and solution architecture, through to delivery, training and post-sales support. In addition, he has also been an integral part of designing the UK’s citizen Identity Assurance framework, “Gov.UK Verify”, where he was one of the original authors of the technical specification.
Paul can be reached via LinkedIn
Paul will be speaking at the UKOUG Technology Conference & Exhibition, Dec 8-10, 2014, at the ACC in Liverpool, on extending your security platform to enable secure mobile access and securing your mobile workforce to enable BYOD strategies.

Monday Nov 24, 2014

Gartner Identity & Access Management Summit, Dec 2-4, 2014 w. Amit Jasuja

Register Now for Gartner Identity and Access Management Summit, Dec 2-4, 2014


Join Platinum Sponsor Oracle at Caesar's Palace, Las Vegas
Oracle Session: Revolution or Evolution: Unlocking The Potential of The New Digital Economy
Speaker: Amit Jasuja, Senior Vice President, Development Java & Identity Management Products, Oracle
Oracle Session Schedule: Tuesday, December 2, 2014 - 10:45 a.m. – 11:30 a.m - Octavius 22

Abstract: As organizations consume an increasing number of mobile and cloud apps, identity management becomes fragmented. Organizations have inconsistent access policies and lose visibility into who has access to what. To avoid these risks and costs, they are increasingly adopting a strategy of extending enterprise identity services to the cloud. This presentation explores how organizations are using Identity Management to give users access to all their data from any device while providing an intelligent centralized view into user access rights across mobile, cloud and enterprise environments. See how Oracle Identity Management can securely accelerate your adoption of mobile and cloud applications.

Visit the Oracle Platinum Sponsor Booth
Attendees can meet with Oracle Solution experts and discuss how Oracle Identity Management can securely accelerate your adoption of mobile and cloud applications.

Oracle Demos will Showcase:

Identity Governance
With the high number of data breaches and incidents of unauthorized access to sensitive information assets, it is no wonder that this is one of the biggest threats organizations are concerned with today. Ensuring properly vetted access to, and visibility into, highly privileged accounts and entitlements is critical to a sound security practice.

This demo showcases Oracle’s Identity Management Solution, highlighting the differentiated value proposition of an integrated and converged Identity Governance, Access Management and Privileged Accounts Management approach.

We will show the following capabilities:

  • Self Service Access Request
  • Integrated OIM Catalog with OPAM entitlements
  • Multi approval workflow with temporal grants and authorizations
  • 2-Factor authentication with Oracle Mobile Authenticator
  • Recording of a privileged access (Windows session recording)
  • Execution of a certification campaign with both normal and privileged entitlements

Mobile & Cloud Access Management
  • Unified Self Service Console and Delegated Admin Console (OIG) extended to Mobile
    • App and device level policies, app inventory
    • View user, request for roles and invite user to register device
    • Automated device configuration and Secure Workspace app installation
    • Data leakage prevention policies
  • Application access via Secure Workspace
    • Show applications being provisioned as part of the role assignment above. This would also include link to the IdaaS portal in the secure workspace.
    • Click on the link and you are Single Sign on to the IdaaS portal.
  • Cloud Application access scenarios in IdaaS:
    • Access Document Cloud Service – Simple Federated SSO.
    • Access Fusion HCM and be prompted for a 2 factor auth using OMA.


Thursday Nov 20, 2014

Advanced Registration Now Open for new Oracle Mobile Security Primer eBook

Today, just as organizations are starting to understand the first wave of the mobile revolution, IT is being asked to support a second wave, as a new generation of devices and applications comes online to take advantage of new capabilities in today’s corporate environment.


Register now to gain access to the new eBook: Oracle Mobile Security Primer as soon as it is published.


The Oracle Mobile Security Primer will provide a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you maintain the role of a mobility planner, security architect, CISO, security director, IT director, operations manager or just simply want to stay up on the latest trends around mobile security, then pre-register for this new eBook: Oracle Mobile Security Primer.


Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive in the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Registration will allow Oracle to notify you when the book is available, in both eBook and printed form from McGraw-Hill.

www.mhprofessional.com/mobsec

Tuesday Nov 18, 2014

Oracle Partner AmerIndia is now Avancer

Oracle Partner and Identity Management solution provider AmerIndia is now Avancer!


In a previous guest blog post supporting a webinar (see below) with Avancer, "Embracing Mobility in the Workspace using Oracle API Gateway", we explained how Oracle API Gateway (OAG), Oracle Access Management (OAM) and Oracle Entitlement Server (OES) can be managed to effectively support mobile devices.

"By 2015, over 80% of handsets in mature markets will be smart phones.” - Gartner Research

While mobile devices have evolved to better suit the needs of consumers, they have also traded away security for usability. These trade-offs increasingly contribute to security risk when such devices connect to enterprise resources.

These security risks can be addressed in an effective manner to protect precious company resources and comply with increasingly strict regulations. A mobile access management solution built on Oracle API Gateway unifies access to enterprise and cloud-based resources across network boundaries for mobile devices. This approach supports enhanced security, regulatory compliance, improved governance, and increased productivity.

Watch the webinar replay as experts from Avancer and Oracle discuss mobility in the enterprise, the implications BYOD has on an organization's security posture, and the steps that can be taken to reduce risk.



Friday Nov 14, 2014

IDM in the Enterprise: Best Practices Blog Series with Infosys

Last week we finished up the four-part series of must-read articles for anyone working with Oracle Identity Management in large enterprise environments.

Thanks to the authors, Abhishek Nair, Rajesh Gaddam, and Vikesh Parmar, Senior Technology Architects with the Enterprise Security and Risk Management (ESRM) practice at Infosys Limited*, the response has been outstanding, marking some of the highest readerships ever on the OracleIDM blog.

To read or re-read the series:

Part 1: Design Considerations:
Implementing Oracle Identity Management for Large Enterprises
by Abhishek Nair - Building an abstraction layer to allow for consolidation of identity, account and access information from OIM and other enterprise sources.

Part 2: Disconnected Application Framework in OIM 11g R2 PS1
by Rajesh Gaddam - Exploring further the theme of how organizations can earn an accelerated ROI from new IDM infrastructure by adopting the Disconnected Application framework.

Part 3: Best Practices: Implementing SSL in Oracle Identity Manager
by Rajesh Gaddam - A practical approach to enabling SSL between Oracle Identity Manager (OIM), a load balancer and Service-Oriented Architecture (SOA).

Part 4: Enterprise Role Definition: Best Practices and Approach
by Vikesh Parmar - Role definition is a critical step in deploying any RBAC system. This article presents the details of a hybrid approach to implementation.

*Infosys Limited (NYSE:INFY) is a global leader in technology, consulting and services and an Oracle (Diamond) Partner



Sunday Nov 09, 2014

Oracle at Gartner Identity and Access Management Summit - Dec 2nd - 4th, 2014 in Las Vegas

Join Amit Jasuja, Senior Vice President, Development Java & Identity Management Products, Oracle, at the Gartner Identity and Access Management Summit running from December 2nd to 4th, 2014, at which Oracle is proud to be a Platinum sponsor.

Oracle Session: Revolution or Evolution: Unlocking The Potential of The New Digital Economy
Speaker: Amit Jasuja, Senior Vice President, Development Java & Identity Management Products, Oracle
Oracle Session Schedule: Tuesday, December 2, 2014 - 10:45 a.m. – 11:30 a.m - Octavius 22
Register Now for Gartner Identity and Access Management Summit 2014. We hope to see you there!


Wednesday Nov 05, 2014

Enterprise Role Definition: Best Practices and Approach

Infosys Limited (NYSE:INFY) is a global leader in technology, consulting and services and an Oracle (Diamond) Partner. Infosys has graciously agreed to present best practices garnered from experience working on large enterprise IDM deployments in a four-part series hosted here in the Identity Management Blog.

Role Engineering

Today a number of organizations are considering or are in the process of moving to a Role Based Access Control (RBAC) model. Role Engineering is the process by which an organization develops, defines, enforces, and maintains role-based access control. RBAC is often seen as a way to improve security controls for access and authorization, as well as to enforce access policies such as segregation of duties (SoD) to meet regulatory compliance. It establishes effective controls and insight into “Who has access to What”.

RBAC Basic

The concept of roles is defined in the ANSI RBAC standard, which grew out of the model first proposed by the National Institute of Standards and Technology (NIST). The model illustrates the mapping between users, roles, and privileges (permissions) in core RBAC. Privileges are collections of system-specific operations on objects that can be mapped to roles.

Image 1: ANSI RBAC Model

Role

A Role is described as a collection or group of users who share the same position or perform the same function. Roles can be defined at the Business level and at the Information Technology (IT) level.

Business Roles: these represent job functions and the related set of responsibilities. These responsibilities are influenced by the relationship of the role to the organization. Business roles can be associated with specific conditions or events, such as hiring or an internal transfer into a particular job function. Examples: supervisor, program manager, customer service representative, and bank teller. Business Roles can be defined using a Top-down approach: reviewing organizational business and job functions and mapping the permissions for each job function. This approach is business-driven and aligns roles with business functions.

IT System Roles: these represent technical responsibilities as a collection of privileges across one or more systems that are required to perform a job function. They can be identified as application roles, which are application specific, such as controller permission in an ERP system. Application-specific roles are frequently associated with events, such as transactions, that are configured within the application. Examples include sourcing user or buyer privileges in an ERP application, or administrator or domain user permissions in Active Directory. IT Roles can be defined in a Bottom-up approach by analyzing user access and permissions on existing applications and systems. Once user permissions have been explored, the next step is to perform role normalization and rationalization. In this approach, roles are defined to meet application- or system-specific access requirements.


Image 2: Enterprise Role Definition

Challenge

Organizations face various challenges with regard to role engineering, such as: how to define and establish a role-based model on a large scale, how to associate users with roles and roles with application or target resources, how to associate business rules and policies with roles, and how to maintain enterprise roles over time.
Role definition is a critical step in deploying any RBAC system. Roles can be defined at an abstract level from a business perspective (Top-down), or context-specific to an application or system from a technology perspective (Bottom-up). Both approaches have their own challenges. For instance, the Top-down approach does not provide easy enforcement capabilities, and abstracting roles may not be possible without understanding the entire context, whereas the Bottom-up approach lacks the perspective of, and input from, business owners.

Best Practices

Infosys recommends a Hybrid approach that combines both Bottom-up and Top-down approaches. This approach defines a role as an association between a user’s functional responsibilities and their IT access privileges. The Hybrid approach takes the normalized roles derived from bottom-up role mining and aligns them to the job functions derived from top-down analysis. For example, when an employee joins an organization in the customer service department and that person's user account is created, the enterprise role management system determines the user’s attributes, such as organization unit, department code and job title. User rules then translate a given customer service representative role into entitlements, providing access rights to applications such as a CRM system, call center application, email system or expense tracking system so that the user can perform his or her job duties.


Image 3: Hybrid Approach to Role Engineering
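To make the hybrid model concrete, here is an added example (not Infosys', Oracle's or OIA's code) of the customer service scenario just described: HR attributes drive business role assignment through rules, business roles bundle IT roles, IT roles carry application entitlements, and a segregation-of-duties check runs before anything is provisioned. Every role name, rule, entitlement and SoD constraint below is constructed sample data.

```python
"""Hybrid role model: attribute rules -> business roles -> IT roles -> entitlements,
with a segregation-of-duties check before provisioning.

Added example; not Infosys', Oracle's or OIA's code. All names, rules and
constraints are constructed sample data chosen to match the post's scenario.
"""

# Bottom-up layer (assumed): IT roles are bundles of (application, entitlement)
# discovered from existing systems and normalized.
IT_ROLES = {
    "crm.agent": {("crm", "read_customer"), ("crm", "update_case")},
    "callcenter.agent": {("callcenter", "take_call")},
    "email.user": {("email", "mailbox")},
    "expenses.submitter": {("expenses", "submit")},
    "expenses.approver": {("expenses", "approve")},
}

# Top-down layer (assumed): business roles are job functions mapped onto IT roles.
BUSINESS_ROLES = {
    "Employee": {"email.user", "expenses.submitter"},
    "CustomerServiceRep": {"crm.agent", "callcenter.agent", "email.user", "expenses.submitter"},
    "CustomerServiceManager": {"crm.agent", "email.user", "expenses.approver"},
}

# User rules (assumed): every rule whose attribute conditions all match applies.
ASSIGNMENT_RULES = [
    ({}, "Employee"),  # baseline for every active identity
    ({"department": "CustomerService", "job_title": "Representative"}, "CustomerServiceRep"),
    ({"department": "CustomerService", "job_title": "Manager"}, "CustomerServiceManager"),
]

# Segregation of duties (assumed): entitlement pairs one person must never hold together.
SOD_CONSTRAINTS = [
    (("expenses", "submit"), ("expenses", "approve")),
]


def assign_business_roles(user: dict) -> set:
    """Top-down step: roles whose rule conditions the user's HR attributes satisfy.
    Inactive identities (leavers) get no roles at all."""
    if user.get("status") != "active":
        return set()
    return {
        role
        for conditions, role in ASSIGNMENT_RULES
        if all(user.get(attr) == value for attr, value in conditions.items())
    }


def entitlements_for(business_roles: set) -> set:
    """Expand business roles through IT roles down to concrete entitlements."""
    entitlements = set()
    for business_role in business_roles:
        for it_role in BUSINESS_ROLES[business_role]:
            entitlements |= IT_ROLES[it_role]
    return entitlements


def sod_violations(entitlements: set) -> list:
    """Constraint pairs that both appear in the user's effective entitlements."""
    return [(a, b) for a, b in SOD_CONSTRAINTS if a in entitlements and b in entitlements]


def provision(user: dict):
    """Compute (business roles, effective entitlements, SoD violations) for a user.
    A real provisioning system would hold the request when violations is non-empty."""
    roles = assign_business_roles(user)
    entitlements = entitlements_for(roles)
    return roles, entitlements, sod_violations(entitlements)


if __name__ == "__main__":
    rep = {"status": "active", "department": "CustomerService", "job_title": "Representative"}
    mgr = {"status": "active", "department": "CustomerService", "job_title": "Manager"}
    for person in (rep, mgr):
        roles, ents, violations = provision(person)
        print(person["job_title"], sorted(roles), len(ents), "entitlements, SoD:", violations)
```

The manager case is the instructive one: the baseline Employee role brings expense submission, the manager role brings expense approval, and the SoD check catches the combination the two business owners each approved in isolation. That is exactly the kind of conflict the post says a purely top-down or purely bottom-up definition tends to miss, and why the check belongs in the provisioning path rather than only in a later certification campaign.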

Infosys has successfully leveraged Oracle Identity Analytics (OIA) to perform bottom-up role mining, role definition, segregation of duties (SoD) reporting, access certification and role governance. Apart from OIA, Infosys has also leveraged homegrown analytics scripts and tools to analyze and associate top-down functional role definition. The process of defining roles should be based on a thorough analysis of how an organization operates and should be an integrated effort with representation from both Business and IT. Role definition and management requires alignment between business owners, business analysts, IT managers and IT administrators. IT representatives provide expertise in evaluating entitlement, authorization data and knowledge of IT control systems, and application owners provide the perspective on how the business operates.

RBAC Methodology

Embarking upon an enterprise-wide Role Based Access Control initiative requires strategic planning and an organized methodology to achieve the expected business benefits. RBAC initiatives should start with a small scope that can be expanded gradually to define and manage roles on an ongoing basis.
RBAC can be achieved enterprise-wide by conducting iterative role design cycles, each with a defined set of business units in terms of users and number of in-scope applications. It is important to define boundaries for the user population, the applications, and the number of business units to be included in the project.
The following diagram describes the RBAC Methodology:

RBAC Methodology

The phases of the methodology, with a brief description of each:

Identity Warehouse

  • Assess existing system privilege information. Application/system access data is the foundation on which the Identity Warehouse is built for defining roles in the organization.
  • Identify and prioritize logical sets of users based on Business Units, Departments and Reporting Hierarchy.

Role Definition

  • Perform Role Mining on selected sets of logical groupings of user privileges and access rights that map to a department, geographical location, job function, reporting relationship or other organizational attributes.
  • Conduct workshops to refine and finalize Roles and SoD.
  • Role Mining can become a continuous process of refinement as organizations become more mature in their understanding of roles.

Role Governance

  • Establish Role Governance model and framework to maintain roles on an ongoing basis.
  • Role governance should address role life cycle management, role membership and role definition, creation and maintenance of additional data elements that impact the assignment and management of roles.
  • Develop Role Entitlement Certification Workflow. An enterprise that adopts role-based access control also needs to define processes for ensuring that roles are kept up-to-date, old roles are retired and new roles defined to meet new business needs.

Enforce Role

  • Once a role model has been defined, next move is to leverage that model in the user-provisioning process.
  • To assign roles to users, enterprises can choose manual, automated, or request-based systems. Provisioning systems are often used to facilitate user-to-role assignment through internal rule processing.
  • Effective RBAC reduces the risks of users having inappropriate access. As users change their job function, new roles are assigned and old roles are removed. This results in user’s access and privileges matching their job functions.

Conclusion

For a Role Based Access Control model to be successful, it is imperative to have a detailed understanding of how the organization functions, with participation from both business and IT stakeholders. Roles should be defined with an eye towards lifecycle management. The optimal approach is a hybrid one, combining top-down and bottom-up role discovery.

Enterprise role management involves the ongoing design, creation, change, and management of roles and the periodic certification of users to their roles. Leverage enterprise role management tools such as OIA (Oracle Identity Analytics) for role mining, role definition and access recertification. A holistic approach to RBAC and a role governance framework will help enterprises maintain segregation of duties, keep up with regulatory compliance requirements, and automate role-based provisioning to enterprise applications.

We hope our experiences and thoughts will help organizations with their security solution planning and implementation. Please reach out to our team and the writers for any queries, feedback and suggestions and be sure to read the previous blog entries in this series:

Design Considerations: Implementing Oracle Identity Management for large enterprises
Disconnected Application Framework in OIM 11g R2 PS1
Best Practices: Implementing SSL in Oracle Identity Manager

Visit the Oracle Technology Network for more information about Oracle Identity Manager including downloads, documentation and samples.

About the Author


Vikesh Parmar is a Senior Technology Architect with the Enterprise Security & Risk Management (ESRM) practice at Infosys Limited. He has over 14 years of experience providing security services to clients. He has been primarily involved in engaging multiple organizations to establish or improve their security posture in support of business-critical processes; defining strategy, roadmap and architecture; and managing large-scale Identity & Access Management implementation programs.
Vikesh can be reached via LinkedIn

Friday Oct 31, 2014

Best Practices: Implementing SSL in Oracle Identity Manager

Implementing SSL in OIM 11g R2 PS1

Infosys Limited (NYSE:INFY) is a global leader in technology, consulting and services and an Oracle (Diamond) Partner that has graciously agreed to present on best practices garnered from experience working on Large Enterprise IDM deployments in a four part series hosted here in the Identity Management Blog.

In this blog post, part three of the four part series, Infosys shares its experience with enabling SSL between Oracle Identity Manager (OIM), a load balancer and Service-Oriented Architecture (SOA) in one of their recent implementations of OIM 11g R2 PS1.

Why secure an OIM solution?

The majority of IDM/OIM implementations are used for managing internal users, with the IDM implementation deployed within the intranet and inside the physical boundaries of the enterprise. In such scenarios, it is not uncharacteristic of security engineers and administrators to think that the OIM solution is secure within the intranet and does not require any additional measures.
All enterprise OIM solutions integrate with multiple applications and systems. OIM solutions are often used as password management solutions along with application access request systems. End users change and reset their passwords using the OIM web interface, and those passwords are then synchronized to the target applications. Users can also approve access requests for mission-critical or top-secret applications from the OIM interface.
In such scenarios, regardless of whether the OIM solution is an internal or external implementation, it becomes vital to secure OIM, since it holds the passwords and approvals for critical applications. Securing an OIM implementation using SSL provides an additional layer of security by securing the communication channel between end users and OIM.
In a typical OIM implementation, OIM is deployed on an application server (e.g. WebLogic) and is front-ended by a Web Server / Load Balancer configuration. While it is common practice to secure the communication channel between end user browsers and the load balancer using SSL, it is equally important to secure the communication between the Web Server / Load Balancer and OIM. Below we discuss the various aspects of implementing SSL in a reference OIM 11g R2 PS1 implementation.

SSL implementation in OIM 11g R2 PS1

Let us consider a sample reference OIM architecture as shown in Figure-1 for discussing the different aspects related to SSL.


Figure 1 represents a clustered environment with two members in the cluster, both hosting OIM and SOA. In Figure 1 we can see that there are three channels where SSL communication is depicted, while Figure 2 describes those communication channels. In our discussion we will primarily focus on channels 2 and 3. 



Enabling SSL on OIM and SOA

Below are the steps that need to be followed for enabling SSL on OIM and SOA:

  • Create an Identity Keystore
    • This is the custom Identity Keystore. It holds the server certificates of oim_host1 and oim_host2.
  • Create a Trust Keystore
    • This is the custom Trust Keystore. It holds the root CA certificate.
    • Alternatively, instead of creating a fresh Trust Keystore, copy the existing enterprise Trust Keystore and rename it as the custom Trust Keystore.
  • Create a Certificate Signing Request for both servers in the cluster (oim_host1 and oim_host2)
  • Send the Certificate Signing Requests to the CA for signing
  • Procure the signed certificates from the CA for both hosts and import them into your custom Identity Keystore
  • Get the root CA certificate and import it into your custom Trust Keystore
  • Log in to the WebLogic admin console and perform the steps below for each server in the cluster
    • Click on Environment -> Servers to display the servers
    • Click on the server name, select SSL Listen Port Enabled and click on Save
    • Next go to the Keystores menu and change the Keystores option to 'Custom Identity and Custom Trust'
    • Enter the absolute path of the custom Identity Keystore, Keystore Type 'JKS', the Keystore Passphrase, and confirm the Keystore Passphrase
    • Enter the absolute path of the custom Trust Keystore, Keystore Type 'JKS', the Keystore Passphrase, confirm the Keystore Passphrase and save the configuration
    • Go to the SSL menu, enter the Private Key Alias, Private Key Passphrase and Confirm Private Key Passphrase, and save the configuration
  • Test the SSL URL from your browser (e.g. https://oim_host1.mycompany.com:7114/identity)
  • Send the CA-signed server certificates for oim_host1 and oim_host2 to the administrator of the load balancer for import into the load balancer.

Once the certificates are successfully imported into load balancer, the communication channel is secured from end user browser all the way to OIM/SOA server using SSL.
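The keystore steps above are usually done with the JDK's keytool. The script below is an added example and is not part of the original post or of Oracle's product documentation: it wraps the key pair, CSR, root CA import and signed-reply import steps in shell functions, adds an openssl check for the "Test the SSL URL" step, and includes a stand-in CA so the whole sequence can be rehearsed offline before real CSRs go to the enterprise CA. Host names, the DN fields, passwords and file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the post): keytool commands for the custom Identity and Trust
# Keystore steps, plus an openssl check for the "Test the SSL URL" step.
# Host names, DN fields, passwords and file names are placeholders (assumptions).
set -eu

STORE_TYPE=JKS                                   # matches the 'JKS' Keystore Type chosen in the console
IDENTITY_KS=${IDENTITY_KS:-custom_identity.jks}  # custom Identity Keystore: server keys and certificates
TRUST_KS=${TRUST_KS:-custom_trust.jks}           # custom Trust Keystore: root CA certificate
KS_PASS=${KS_PASS:-changeit-placeholder}         # placeholder; the console asks for the same value as
                                                 # Keystore Passphrase and Private Key Passphrase
DOMAIN=${DOMAIN:-mycompany.com}                  # placeholder domain taken from the post's sample URLs

# Steps 1 and 3: one RSA key pair per cluster member in the Identity Keystore, then a CSR for the CA.
# The CN is the FQDN the load balancer connects to; a mismatch fails the handshake's host-name check.
gen_host_key_and_csr() {
  host=$1                                        # e.g. oim_host1
  keytool -genkeypair -alias "$host" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$host.$DOMAIN,OU=IDM,O=Placeholder Corp,C=US" \
    -keystore "$IDENTITY_KS" -storetype "$STORE_TYPE" -storepass "$KS_PASS" -keypass "$KS_PASS"
  keytool -certreq -alias "$host" -file "$host.csr" \
    -keystore "$IDENTITY_KS" -storetype "$STORE_TYPE" -storepass "$KS_PASS"
}

# Step 6: the root CA certificate goes into the Trust Keystore. It also goes into the Identity
# Keystore, because keytool rejects a signed reply whose chain it cannot verify from that keystore.
import_root_ca() {
  ca_cert=$1
  for ks in "$TRUST_KS" "$IDENTITY_KS"; do
    keytool -importcert -alias rootca -file "$ca_cert" -noprompt \
      -keystore "$ks" -storetype "$STORE_TYPE" -storepass "$KS_PASS"
  done
}

# Step 5: the CA-signed certificate replaces the self-signed one under the host's alias.
import_signed_cert() {
  host=$1; signed_cert=$2
  keytool -importcert -alias "$host" -file "$signed_cert" -noprompt \
    -keystore "$IDENTITY_KS" -storetype "$STORE_TYPE" -storepass "$KS_PASS"
}

# Returns 0 when the alias holds a private key with its certificate chain (a PrivateKeyEntry),
# which is what the Private Key Alias field on the SSL tab must point at.
has_private_key_entry() {
  keytool -list -alias "$1" -keystore "$IDENTITY_KS" -storetype "$STORE_TYPE" -storepass "$KS_PASS" \
    | grep -q PrivateKeyEntry
}

# "Test the SSL URL" step, done the way a client does it: chain and host name are verified against
# the root CA certificate only, not the system trust store. Returns 0 only on "Verify return code: 0".
verify_ssl_endpoint() {
  host=$1; port=$2; ca_cert=$3
  openssl s_client -connect "$host:$port" -servername "$host" -verify_hostname "$host" \
    -CAfile "$ca_cert" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Stand-in for the enterprise CA so the sequence can be rehearsed offline. The real CSRs
# from step 4 go to the enterprise CA; never put this dry-run CA into a production trust store.
make_dry_run_ca() {
  keytool -genkeypair -alias dryrunca -keyalg RSA -keysize 2048 -validity 365 -ext bc:c \
    -dname "CN=Dry-run Root CA,O=Placeholder Corp,C=US" \
    -keystore dryrun_ca.jks -storetype "$STORE_TYPE" -storepass "$KS_PASS" -keypass "$KS_PASS"
  keytool -exportcert -alias dryrunca -rfc -file dryrun_root.cer \
    -keystore dryrun_ca.jks -storetype "$STORE_TYPE" -storepass "$KS_PASS"
}

sign_with_dry_run_ca() {
  host=$1
  keytool -gencert -alias dryrunca -infile "$host.csr" -outfile "$host.cer" -rfc -validity 365 \
    -ext "san=dns:$host.$DOMAIN" \
    -keystore dryrun_ca.jks -storetype "$STORE_TYPE" -storepass "$KS_PASS"
}

# Real run, after sourcing this file:
#   gen_host_key_and_csr oim_host1; gen_host_key_and_csr oim_host2   # send *.csr to the CA
#   import_root_ca root_ca.cer; import_signed_cert oim_host1 oim_host1.cer; ...
#   verify_ssl_endpoint oim_host1.mycompany.com 7114 root_ca.cer
```

The root CA is imported into the Identity Keystore as well as the Trust Keystore on purpose: keytool will only accept a certificate reply under an existing key alias when it can build the chain from certificates it already trusts, and the JDK's default cacerts file does not know an internal enterprise CA. The dry-run CA issues the FQDN as a Subject Alternative Name because current browsers ignore the CN; ask the real CA to do the same.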

Additional configuration for SSL communication between OIM and SOA

When SSL is configured for OIM and SOA, the following additional configuration is required; without it OIM and SOA will not function as expected: approvers will not see the approval task details when they open an approval task.

  • Setting the OimFrontEndURL attribute
    • Log in to Enterprise Manager (EM)
    • Navigate to Identity and Access -> OIM -> oim(11.1.2.0.0)
    • From the Oracle Identity Manager dropdown select System MBean Browser
    • Under Application Defined MBeans, navigate to oracle.iam -> Server:IDM-Internal-AppServer1 -> XMLConfig -> Config -> XMLConfig.DiscoveryConfig -> Discovery
    • Set OimFrontEndURL - https://idm.mycompany.com:443 (load balancer URL for OIM on https)

  • Setting Rmiurl and Soapurl
    • Log in to Enterprise Manager (EM)
    • Navigate to Identity and Access -> OIM -> oim(11.1.2.0.0)
    • From the Oracle Identity Manager dropdown select System MBean Browser
    • Under Application Defined MBeans, navigate to oracle.iam -> Server:IDM-Internal-AppServer1 -> XMLConfig -> Config -> XMLConfig.SOAConfig -> SOAConfig
    • Set Rmiurl - t3s://oim_host1.mycompany.com:7114,oim_host2.mycompany.com:7114 (all SOA servers in the cluster with their SSL port; 7114 is a sample SSL port)
    • Set Soapurl - https://idm.mycompany.com:444 (load balancer URL for SOA on https)

  • Setting ServerURL
    • Log in to Enterprise Manager (EM)
    • Navigate to Identity and Access -> OIM -> oim(11.1.2.0.0)
    • From the Oracle Identity Manager dropdown select System MBean Browser
    • Under Application Defined MBeans, navigate to oracle.as.soainfra.config -> Server: SOA-Internal-AppServer1 -> SoaInfraConfig -> soa-infra
    • Set ServerURL - https://idm.mycompany.com:444 (load balancer URL for SOA on https)

  • Setting the Worklist Task Details Application URI. This needs to be done for each SOA composite used in your deployment.
    • Expand SOA -> soa-infra -> default -> Manager Approval [1.0] [1.0] (a sample SOA composite)
    • Scroll down to Component Metrics and click on the Human Task
    • Click on the Administration tab
    • Specify the following values and apply the changes:

Host Name: idm.mycompany.com (virtual hostname)
HTTP Port: 0
HTTPS Port: 443 (load balancer SSL port for OIM)
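The symptom described above (approvers opening a task and seeing no details) is usually a mismatch between these settings: one of them still points at an http or t3 address, Rmiurl misses a cluster member, or the human task's host and port differ from OimFrontEndURL. The following shell functions are an added pre-flight check written for this post, not an Oracle tool: given the values as entered in the MBean browser and in the human task's Administration tab, they report every inconsistency. The sample values are the post's; the expected cluster member list and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the post: consistency check for the SSL-related OIM/SOA settings.
# Every problem found is printed; each function returns 0 only when all of its checks pass.

# check_ssl_settings OimFrontEndURL Rmiurl Soapurl ServerURL "host:port host:port ..."
# The last argument lists every cluster member with its SSL port (supplied by the caller,
# since Rmiurl must name all SOA servers in the cluster on their SSL port).
check_ssl_settings() {
  front=$1; rmi=$2; soap=$3; server=$4; expected_members=$5
  status=0
  case $front in
    https://*) ;;
    *) echo "OimFrontEndURL must use https: $front"; status=1 ;;
  esac
  case $soap in
    https://*) ;;
    *) echo "Soapurl must use https: $soap"; status=1 ;;
  esac
  if [ "$server" != "$soap" ]; then
    echo "ServerURL ($server) should equal Soapurl ($soap)"; status=1
  fi
  case $rmi in
    t3s://*) ;;
    *) echo "Rmiurl must use t3s (SSL), got: $rmi"; status=1 ;;
  esac
  # Rmiurl is a comma separated host:port list after the scheme; every expected member must be in it
  members=$(printf '%s' "${rmi#t3s://}" | tr ',' ' ')
  for wanted in $expected_members; do
    found=0
    for m in $members; do
      if [ "$m" = "$wanted" ]; then found=1; fi
    done
    if [ $found -eq 0 ]; then
      echo "Rmiurl does not list cluster member $wanted on its SSL port"; status=1
    fi
  done
  return $status
}

# check_worklist_uri OimFrontEndURL HostName HttpPort HttpsPort
# The human task's Host Name and HTTPS Port must be the same load balancer address as
# OimFrontEndURL (with the port written explicitly, as in the post), and HTTP Port must be 0
# so that task detail links are never generated over plain http.
check_worklist_uri() {
  front=$1; host=$2; http_port=$3; https_port=$4
  lb=${front#https://}; lb=${lb%%/*}        # host:port part of OimFrontEndURL
  status=0
  if [ "$lb" != "$host:$https_port" ]; then
    echo "Worklist Host Name/HTTPS Port ($host:$https_port) differ from OimFrontEndURL ($lb)"; status=1
  fi
  if [ "$http_port" != "0" ]; then
    echo "Worklist HTTP Port should be 0, got $http_port"; status=1
  fi
  return $status
}

# Example run with the post's sample values (succeeds silently):
#   check_ssl_settings https://idm.mycompany.com:443 \
#     t3s://oim_host1.mycompany.com:7114,oim_host2.mycompany.com:7114 \
#     https://idm.mycompany.com:444 https://idm.mycompany.com:444 \
#     "oim_host1.mycompany.com:7114 oim_host2.mycompany.com:7114"
#   check_worklist_uri https://idm.mycompany.com:443 idm.mycompany.com 0 443
```

Run it once after the MBean changes and again after any cluster change (a new managed server must be added to Rmiurl with its SSL port, or its approvals will be routed over an address that does not exist).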

In Conclusion

Although most OIM implementations inherently feel secure within an internal enterprise setup, there are a wide variety of reasons why OIM solutions in an enterprise fall into the critical category, leading to a pressing need to secure the communication channels between the various layers of the solution. In this article, we have documented the settings and configurations that need to be updated to secure the communication between the Load Balancer and OIM/SOA, as well as the communication between OIM and SOA, using SSL in an OIM deployment. Administrators and integrators will be able to follow these guidelines to implement and configure SSL in OIM 11g R2 PS1 deployments.

Coming in the next post:

The introduction of roles in an enterprise, whether small or large, has its own challenges. There is always reluctance to change existing processes, confusion about what to request and how it is configured, push back against taking away access that was never intended to be there, and so on. Detailed planning and communication are required before roles are introduced. It is very important that end users are aware of the roadmap and of the important milestones that affect them. Our next post will therefore talk about proven approaches for introducing or updating the role management processes of an enterprise.

Visit the Oracle Technology Network for more information about Oracle Identity Manager including downloads, documentation and samples.

About the Author


Rajesh Gaddam is a Senior Technology Architect with the Enterprise Security & Risk Management (ESRM) practice at Infosys Limited. He has over 10 years of experience in architecting, designing and implementing IAM solutions for multiple clients from different verticals.
Rajesh can be reached via LinkedIn

Thursday Oct 30, 2014

Oracle Virtual Technology Summit Kicks Off November 18

The Oracle Technology Network (OTN) invites you to the next Virtual Technology Summit, on November 18th. Learn first hand from Oracle and community experts about Oracle Middleware, Mobile Architectures and more. Participate in hands-on labs and technical presentations, and chat with other developers. Register here!


Featured at the Summit: Securing Mobile apps and data in a BYOD world

By Indus Khaitan, Senior Director, Product Management, Oracle

Mobile apps are changing how employees interact with their organizations. Productivity now requires far more than 24x7 email, including unfettered access to corporate data, files, and email from anywhere and on any device. Mobile apps are the new endpoint security concern. This session will focus on measures that can be taken to achieve mobile security without compromising productivity and user-experience.


North America – November 18th / 10am PT to 12:30pm PT - Register Now

APAC English – November 19th / 10am IST to 1:30pm IST - Register Now

EMEA – November 26th / 9am-12:30pm GMT / 10:00am CET / 1:00pm GST - Register Now

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
