Friday Sep 28, 2012

Identity Globe Trotters (Sep Edition): The Social Customer

Welcome to the inaugural edition of our monthly series - Identity Globe Trotters. Starting today, the last Friday of every month, we will explore regional commentary on Identity Management. We will invite guest contributors from around the world to share their opinions and experiences around Identity Management and highlight regional nuances, specific drivers, solutions and more.

Today's feature is contributed by Michael Krebs, Head of Business Development at esentri consulting GmbH, a (SOA) specialized Oracle Gold Partner based in Ettlingen, Germany. In his current role, Krebs is dealing with the latest developments in Enterprise Social Networking and the Integration of Social Media within business processes. 

By Michael Krebs

The relevance of "easy sign-on" in the age of the "Social Customer"

With the growth of Social Networks, the time people spend within those closed "eco-systems" is growing year by year. With social networks looking to integrate search engines, like Facebook announced some weeks ago, their relevance will continue to grow in contrast to the more conventional search engines. This is one of the reasons why social network accounts of the users are getting more and more like a virtual fingerprint.

With the growing relevance of social networks the importance of a simple way for customers to get in touch with say, customer care or contract departments, will be crucial for sales processes in critical markets. Customers want to have one single point of contact and also an easy "login-method" with no dedicated usernames, passwords or proprietary accounts. The golden rule in the future social media driven markets will be: The lower the complexity of the initial contact, the better a company can profit from social networks. If you, for example, can generate a smart way of how an existing customer can use self-service portals, the cost in providing phone support can be lowered significantly.

Recruiting and Hiring of "Digital Natives"

Another particular example is "social" recruiting processes. The so-called "digital natives" don't want to type in their profile facts and CVs in proprietary systems. Why not use the actual LinkedIn profile? In the German-speaking region, the market in the area of professional social networks is dominated by XING, the equivalent to LinkedIn. A few weeks back, this network also opened up its interfaces for integrating social sign-ons or the usage of profile data for recruiting purposes.

In the European (and especially the German) employment market, where the number of young candidates is shrinking because of the low birth rate in the region, it will become essential to use social-media supported hiring processes to find and on-board the rare talents. In fact, you will see traditional recruiting websites integrated with social hiring to attract the best talents in the market, where the pool of potential candidates has decreased dramatically over the years.

Identity Management as a key factor in the Customer Experience process

To create the biggest value for customers and also future employees, companies need to connect their HCM or CRM-systems with powerful Identity management solutions. With the highly efficient Oracle (social & mobile enabling) Identity Management solution, enterprises can combine easy sign on with secure connections to the backend infrastructure. This combination enables a "one-stop" service with personalized content for customers and talents. In addition, companies can collect valuable data for the enrichment of their CRM-data. The goal is to enrich the so called "Customer Experience" via all available customer channels and contact points. Those systems have already gained importance in the B2C-markets and will gradually spread out to B2B-channels in the near future.

Conclusion: Central and "Social" Identity management is key to Customer Experience Management and Talent Management

For a seamless delivery of "Customer Experience Management" and a modern way of recruiting the best talent, companies need to integrate Social Sign-on capabilities with modern CX and Talent Management infrastructure. This lowers the barrier for existing and future customers or employees to get in touch with sales, support or human resources. Identity management is the technology enabler and backbone for a modern Customer Experience Infrastructure. Oracle Identity Management solutions provide the opportunity to secure Social Applications and connect them with modern CX solutions. In the end, companies benefit from "best of breed" processes and solutions for enriching customer experience without compromising security.

About esentri:

esentri is a provider of enterprise social networking and brings the benefits of social network communication into business environments. As one key strength, esentri uses Oracle Identity Management solutions for delivering Social and Mobile access for Oracle’s CRM- and HCM-solutions.

…..End Guest Post….

With new and enhanced features optimized to secure the new digital experience, the recently announced Oracle Identity Management 11g Release 2 enables organizations to securely embrace cloud, mobile and social infrastructures and reach new user communities to help further expand and develop their businesses.

Additional Resources:

Oracle Identity Management 11gR2 release

Oracle Identity Management website

Datasheet: Mobile and Social Access (pdf)

IDM at OOW: Focus on Identity Management

Facebook: OracleIDM

Twitter: OracleIDM

We look forward to your feedback on this post and welcome your suggestions for topics to cover in Identity Globe Trotters. Last Friday, every month!

Thursday Sep 27, 2012

Chock-full of Identity Customers at Oracle OpenWorld


Oracle OpenWorld (OOW) 2012 kicks off this coming Sunday. Oracle OpenWorld is known to bring in Oracle customers, organizations big and small, from all over the world. And Identity Management is no exception.

If you are looking to catch up with Oracle Identity Management customers, hear first-hand about their implementation experiences and discuss industry trends, business drivers, solutions and more at OOW, here are some sessions we recommend you attend:

Monday, October 1, 2012

CON9405: Trends in Identity Management
10:45 a.m. – 11:45 a.m., Moscone West 3003

Subject matter experts from Kaiser Permanente and SuperValu share the stage with Amit Jasuja, Senior Vice President, Oracle Identity Management and Security, to discuss how the latest advances in Identity Management are helping customers address emerging requirements for securely enabling cloud, social and mobile environments.

CON9492: Simplifying your Identity Management Implementation
3:15 p.m. – 4:15 p.m., Moscone West 3008

Implementation experts from British Telecom, Kaiser Permanente and UPMC participate in a panel to discuss best practices, key strategies and lessons learned based on their own experiences. Attendees will hear first-hand what they can do to streamline and simplify their identity management implementation framework for a quick return-on-investment and maximum efficiency.

CON9444: Modernized and Complete Access Management
4:45 p.m. – 5:45 p.m., Moscone West 3008

We have come a long way from the days of web single sign-on addressing the core business requirements. Today, as technology and business evolve, organizations are seeking new capabilities like federation, token services, fine-grained authorizations, web fraud prevention and strong authentication. This session will explore the emerging requirements for access management and what a complete solution is like, complemented with real-world customer case studies from ETS, Kaiser Permanente and TURKCELL and product demonstrations.

Tuesday, October 2, 2012

CON9437: Mobile Access Management
10:15 a.m. – 11:15 a.m., Moscone West 3022

With more than 5 billion mobile devices on the planet and an increasing number of users using their own devices to access corporate data and applications, securely extending identity management to mobile devices has become a hot topic. This session will feature Identity Management evangelists from companies like Intuit, NetApp and Toyota to discuss how to extend your existing identity management infrastructure and policies to securely and seamlessly enable mobile user access.

CON9491: Enhancing the End-User Experience with Oracle Identity Governance applications
11:45 a.m. – 12:45 p.m., Moscone West 3008

As organizations seek to encourage more and more user self service, business users are now primary end users for identity management installations.  Join experts from Visa and Oracle as they explore how Oracle Identity Governance solutions deliver complete identity administration and governance solutions with support for emerging requirements like cloud identities and mobile devices.

CON9447: Enabling Access for Hundreds of Millions of Users
1:15 p.m. – 2:15 p.m., Moscone West 3008

Dealing with scale problems? Looking to address identity management requirements with a million or so users in mind? Then take note of Cisco’s implementation. Join this session to hear first-hand how Cisco tackled identity management and scaled their implementation to bolster security and enforce compliance.

CON9465: Next Generation Directory – Oracle Unified Directory
5:00 p.m. – 6:00 p.m., Moscone West 3008

Get the 360 degrees perspective from a solution provider, implementation services partner and the customer in this session to learn how the latest Oracle Unified Directory solutions can help you build a directory infrastructure that is optimized to support cloud, mobile and social networking and yet deliver on scale and performance.

Wednesday, October 3, 2012

CON9494: Sun2Oracle: Identity Management Platform Transformation
11:45 a.m. – 12:45 p.m., Moscone West 3008

Sun customers are actively defining strategies for how they will modernize their identity deployments. Learn how customers like Avea and SuperValu are leveraging their Sun investment, evaluating areas of expansion/improvement and building momentum.

CON9631: Entitlement-centric Access to SOA and Cloud Services
11:45 a.m. – 12:45 p.m., Marriott Marquis, Salon 7

How do you enforce that a junior trader can submit 10 trades/day, with a total value of $5M, if market volatility is low? How can you hide sensitive patient information from clerical workers but make it visible to specialists as long as consent has been given or there is an emergency? How do you externalize such entitlements to allow dynamic changes without having to touch the application code? In this session, Uberether and HerbaLife take the stage with Oracle to demonstrate how you can enforce such entitlements on a service not just within your intranet but also right at the perimeter.

CON3957 - Delivering Secure Wi-Fi on the Tube as an Olympics Legacy from London 2012
11:45 a.m. – 12:45 p.m., Moscone West 3003

In this session, Virgin Media, the U.K.’s first combined provider of broadband, TV, mobile, and home phone services, shares how it is providing free secure Wi-Fi services to the London Underground, using Oracle Virtual Directory and Oracle Entitlements Server, leveraging back-end legacy systems that were never designed to be externalized. As an Olympics 2012 legacy, the Oracle architecture will form a platform to be consumed by other Virgin Media services such as video on demand.

CON9493: Identity Management and the Cloud
1:15 p.m. – 2:15 p.m., Moscone West 3008

Security is the number one barrier to cloud service adoption.  Not so for industry leading companies like SaskTel, ConAgra foods and UPMC. This session will explore how these organizations are using Oracle Identity with cloud services and how some are offering identity management as a cloud service.

CON9624: Real-Time External Authorization for Middleware, Applications, and Databases
3:30 p.m. – 4:30 p.m., Moscone West 3008

As organizations seek to grant access to broader and more diverse user populations, the importance of centrally defined and applied authorization policies becomes critical, both to identify who has access to what and to improve the end user experience. This session will explore how customers are using attribute and role-based access to achieve these goals.

CON9625: Taking control of WebCenter Security
5:00 p.m. – 6:00 p.m., Moscone West 3008

Many organizations are extending WebCenter in a business to business scenario requiring secure identification and authorization of business partners and their users. Leveraging LADWP’s use case, this session will focus on how customers are leveraging, securing and providing access control to Oracle WebCenter portal and mobile solutions.

Thursday, October 4, 2012

CON9662: Securing Oracle Applications with the Oracle Enterprise Identity Management Platform
2:15 p.m. – 3:15 p.m., Moscone West 3008

Oracle Enterprise Identity Management solutions are designed to secure access and simplify compliance to Oracle Applications. Whether you are an EBS customer looking to upgrade from Oracle Single Sign-on or a Fusion Application customer seeking to leverage the Identity instance as an enterprise security platform, this session with Qualcomm and Oracle will help you understand how to get the most out of your investment.

And here’s the complete listing of all the Identity Management sessions at Oracle OpenWorld.

Wednesday Sep 26, 2012

Meet and Greet with IDM Executives at Oracle OpenWorld

Oracle’s Identity Management Team

Invites You to

Learn How to Secure The New Digital Experience

Come see how the Oracle Identity Management platform can position your company to take
advantage of the emerging business opportunities.

  • Leverage Social Identities for web authentication
  • Enable customers and employees to interact through their mobile devices
  • Deploy Self Service User Provisioning for quick role changes based on business needs

We look forward to seeing you there!

Wednesday, October 3rd 
3:30-4:30 PM  Meeting
4:30-5:30 PM  Cocktail Reception

Four Seasons Hotel

Yerba Buena Room

757 Market Street
San Francisco, CA 94103




11gR2: BETA Customer perspective with special guest, Ravi Meduri from Kaiser Permanente

Before Oracle IDM 11gR2 launched, we had a very successful BETA program. Kaiser was one of many great companies that participated, and I caught up with Ravi Meduri, IAM Systems Engineering Manager to ask him what he thought of the new release.

Listen to our podcast interview to hear Ravi talk about scalability and high availability features in 11gR2.

Tuesday Sep 25, 2012

CSO Summit @ Executive Edge

If you are attending the Executive Edge at Open World be sure to check out the sessions at the Chief Security Officer Summit. Former Sr. Counsel for the National Security Agency, Joel Brenner, will be speaking about his new book "America the Vulnerable". In addition, PWC will present a panel discussion on "Crisis Management to Business Advantage: Security Leadership". See below for the complete agenda.

TUESDAY, October 2, 2012

Chief Security Officer Summit Welcome

Dave Profozich, Group Vice President, Oracle

10:00 a.m.–10:15 a.m.

America the Vulnerable

Joel Brenner, former Senior Counsel, National Security Agency

10:15 a.m.–11:00 a.m.

The Threats are Outside, the Risks are Inside

Sonny Singh, Senior Vice President, Oracle

11:00 a.m.–11:20 a.m.

From Crisis Management to Business Advantage: Security Leadership

Moderator: David Burg, Partner, Forensic Technology Solutions, PwC

Charles Beard, CIO and GM of Cyber Security, SAIC
Jim Doggett, Chief Information Technology Risk Officer, Kaiser Permanente
Chris Gavin, Vice President, Information Security, Oracle
John Woods, Partner, Hunton & Williams

11:20 a.m.–12:20 p.m.


Union Square Tent

12:20 p.m.–1:30 p.m.

Securing the New Digital Experience

Amit Jasuja, Senior Vice President, Identity Management and Security, Oracle

1:30 p.m.–2:00 p.m.

Securing Data at the Source

Vipin Samar, Vice President, Database Security, Oracle

2:00 p.m.–2:30 p.m.

Security from the Chairman’s Perspective

Jeff Henley, Chairman of the Board, Oracle
Dave Profozich, Group Vice President, Oracle

2:30 p.m.–3:00 p.m.

Thursday Sep 20, 2012

It's The End of Work as We Know It, But I Feel Fine

If you are attending Open World this year, don't miss Amit Jasuja's session on trends in Identity Management. This session will take place on Monday October 1st in Moscone West at 10:45. You can join the conversation on Twitter as Amit Jasuja discusses the trends that are shaping Identity Management as a market and how Oracle is responding to these secular trends. Use hashtag OracleIDM. In addition, here’s a list of the sessions in the Identity Management track.

In Amit's session, he will discuss how the workplace is changing. The pace of technology is accelerating and work is no longer a place but rather an activity. We are behaving socially in our professional lives and our professional responsibilities are encroaching on our social lives. 

The net result is that we will need to change the way we work and collaborate. Work is anytime and anywhere. This impacts the dynamics of teams and how they access information and applications. Our teams span multiple organizations and "the new work order" means enabling the interaction and securing the experience.

It is the end of work as we know it both economically and technologically. Join Amit for this session and you will feel much better about the changing workplace. 

Sun2Oracle: Upgrading from DSEE to the next generation Oracle Unified Directory - webcast follow up

Thanks to all of the guest speakers on our Sun2Oracle webcast: Steve from Hub City Media, Albert from UCLA and our own Scott Bonell.

If you missed the webcast here is a link: Webcast Replay

During the webcast, we tried to answer as many questions as we could, but there were a few that we needed a bit more time to answer.  Albert from UCLA sent me the following information:

Alternate Directory Evaluation

We were happy with Sun DSEE. OUD, based on the research we had done, was a logical continuation of DSEE. If we moved away, it was to go open source.

UCLA evaluated OpenLDAP, OpenDS, Red Hat's 389 Directory. We also briefly entertained Active Directory.

Ultimately, we decided to stay with OUD for the Enterprise Directory, and adopt OpenLDAP for the non-critical edge directories.


For Enterprise Directory, UCLA runs 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and 2 2.4GHz Intel Xeon E5 645 processors. We run 2 of those servers at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant back ups.

You mentioned federation, was that an important requirement for UCLA?

Yes. UCLA collaborates heavily with other higher education institutions around the country/world. We often have researchers wanting to sign into services provided by fellow higher ed institutions. We also have plenty of visiting scholars or collaborating researchers from other institutions accessing UCLA services. Higher education communities around the world have deployed Shibboleth/SAML-based federated IDM solutions to facilitate these collaborations:

And a more comprehensive listing of federations around the world:

What was the net change in hardware footprint?

Not much actually. We kept the same server/network topology: 

  • two servers at our local data center, one at our remote DR data center. 
  • the servers replicate in real time via multi-master replication. 
  • 1 of the servers at our local data center serves as the primary access server serving all query traffic. The other servers serve as hot standby.
  • On our old Sun DSEE servers - we ran Red Hat Enterprise Linux AS release 4 (Nahant Update 8) - 32bit.  On the new OUD servers - Red Hat Enterprise Linux Server release 5.7 (Tikanga) - 64bit

The only changes we made during the upgrade were that we upgraded the software from DSEE 6.3, upgraded Linux, and that we bought new servers. The old servers were Dell PowerEdge 2850's. The new ones are Dell PowerEdge R710's.

What is your hardware specification for one OUD 11g server…

Can you explain the HA/DR architecture a bit more?

RAM size, CPU type, and number?

We run 3 Dell PowerEdge R710 servers. Each server has 12GB RAM and 2 2.4GHz Intel Xeon E5 645 processors. 2 of those servers run at UCLA's Data Center in a semi active-passive configuration. The 3rd server is located at UCLA Berkeley. All three are multi master replicated. At run time, the bulk of LDAP query requests go to 1 server. Essentially, all of our authn/authz traffic is being handled by 1 server, with the other 2 acting as redundant back ups.

Our IDM architecture is highly modular. All external access to the enterprise directory runs through a service layer. This layer consists of Shibboleth, a set of data update web services and loading programs, and a number of edge directories. All service layer components can be easily configured (some automatically) to seek out the secondary directory servers when the primary goes down. We take advantage of this capability during maintenance to keep the services available.

FYI, our servers are hosted in a tier 2.5 data center (We have tier 3-like capability for critical servers such as OUD, but we don't have that for all servers in the data center).

What was the cost of the migration?

 Because of the labor and equipment cost differences, I don't think my numbers will be all that accurate. I can say the following:

  • We engaged Hub City Media for just about 1.5 months worth of work.
  • We had one system engineer working full time on the project throughout the 4 month period. He also managed the project.
  • We had fractional support/transition coordination from our Infrastructure Services team (sys admin, operations, networking), probably about 80 hours
  • We purchased 3 of the servers described above.
  • We purchased the OUD software.

How much testing did you do? Did you do load testing?

Yes. We conducted several passes of data loading/validation tests. In addition, we ran security vulnerability scans and ran multi stress tests ranging from peak stress tests to sustained, multi-day simulations. Sorry. We can't release test result data, but I can say that OUD passed with flying colors.

We only had one engineer working on the project. Between test prep, run, and analysis, testing did take about a month.

Was the OUD Proxy used at UCLA?

No. We considered it, and might still consider it as we revise our architecture. But for the migration, we did not introduce the Proxy.

Can OUD Server and DSEE replicate each other?

Yes, but with caveats. There is no direct replication between OUD 11g and Sun DSEE 6.3. You need to place Oracle DSEE in between. In addition, there is an undisclosed cap on the replication rate. All of this may have changed since we worked on the project though. :-)

Wednesday Sep 19, 2012

Security Newsletter – September Edition is Out Now


The September issue of Security Inside Out Newsletter is out now. This month’s edition offers a preview of Identity Management and Security events and activities scheduled for Oracle OpenWorld. Oracle OpenWorld (OOW) 2012 will be held in San Francisco from September 30-October 4. Identity Management will have a significant presence at Oracle OpenWorld this year, complete with sessions featuring technology experts, customer panels, implementation specialists, product demonstrations and more. In addition, latest technologies will be on display at OOW demogrounds. Hands-on-Labs sessions will allow attendees to do a technology deep dive and train with technology experts.

Executive Edge @ OpenWorld also features the very successful Oracle Chief Security Officer (CSO) Summit. This year’s summit promises to be a great educational and networking forum complete with a contextual agenda and attendance from well known security executives from organizations around the globe.

This month’s edition also does a deep dive on the recently announced Oracle Privileged Account Manager (OPAM). Learn more about the product’s key capabilities, business issues the solution addresses and information on key resources. OPAM is part of Oracle’s complete and integrated Oracle Identity Governance solution set.

And if you haven’t done so yet, we recommend you subscribe to the Security Newsletter to keep up to date on Security news, events and resources.

As always, we look forward to receiving your feedback on the newsletter and what you’d like us to cover in the upcoming editions.

Tuesday Sep 18, 2012

Webcast Reminder: Implementing IDM in Healthcare, September 19th @10:00 am PST

Join me and Rex Thexton from PwC tomorrow (September 19th) as we review an IDM project that Rex and his team completed for a large healthcare organization. Rex will talk through the IT environment and business drivers that led to the project, and then we will go through planning, design and implementation of the Oracle Identity Management products that PwC and the customer chose to complete the project.

This will be a great opportunity to hear about the trends that are driving IT Healthcare, and to get your Identity Management questions answered.

If you haven't already registered - Register Here!

Monday Sep 17, 2012

New in 11gR2: Oracle Optimized System for Oracle Unified Directory (OOS4OUD) Podcast

There have been a lot of cool new features in the IDM 11gR2 related to new functionality: social log-in capability, mobile application security, and self service access requests, just to name a few.  But what about performance?

In the 11gR2 release we announced the availability of an Optimized System configuration for Unified Directory.  Oracle is very focused on software with matching hardware that is configured and tuned to get the best performance possible.  I caught up with Nick Kloski, Infrastructure Solutions Manager and asked him to talk me through the new Optimized System for OUD.

Listen to the podcast interview here.

Thursday Sep 13, 2012

Usability enhancements for Users and Administrators in 11gR2 with Rex Thexton from PwC

In addition to inviting customers to participate in the 11gR2 BETA program, a select number of partners were invited as well. Rex Thexton, Managing Director of PwC's Advisory/Technology practice, and his team were part of the BETA program. I caught up with Rex recently to ask him about the new features that he liked most in the latest release.

Listen to our interview here.

Think Global, Act Regional with Identity Globe Trotters

This month we will be introducing a new section on our blog. Titled “Identity Globe Trotters”, this will be a monthly series that will feature a regional topic the last Friday of every month. We will invite guest contributors from different regions to highlight a region-specific business issue or solution, a customer implementation or a regional discussion of interest.

If you have an Identity management topic in mind that you’d like featured in this section, do let us know. We look forward to engaging in meaningful discussions with you on global perspectives, regional solutions.

Tuesday Sep 11, 2012

Sun2Oracle: Hub City Media Webcast Reminder - Thursday, September 13, 2012

Our Sun2Oracle webcast featuring Steve Giovanetti from Hub City Media is this Thursday, September 13th at 10:00 am PST. 

If you haven't registered yet, there is still time: Register Here.

Scott Bonell, Sr. Director of Product Management will be talking to Steve about their recent project to upgrade a large University from Sun DSEE Directory to Oracle Unified Directory.  Scott and Steve will talk through details of the project, from planning through implementation.

In addition to this webcast, Steve Giovanetti will also be participating in two sessions at Oracle OpenWorld 2012:

CON9465 - Next-Generation Directory: Oracle Unified Directory
 Etienne Remillon, Principal Product Manager, Oracle
 Steve Giovanetti, CTO Hub City Media
 Warren Leung, Sr. Architect, UCLA
 Tuesday, Oct 2, 5:00 PM – 6:00 PM
 Moscone West – 3008

CON5749 - Solutions for Migration of Oracle Waveset to Oracle Identity Manager
Steve Giovanetti, CTO Hub City Media
Kevin Moulton, Senior Sales Consulting Manager, Oracle
Thursday, Oct 4, 11:15 AM - 12:15 PM
Moscone West - 3008

Monday Sep 10, 2012

Focus on Identity Management at Oracle OpenWorld12


Heading to Oracle OpenWorld 2012? Then we have Identity Management and relevant sessions all mapped out for you to help you navigate Oracle OpenWorld. Do make use of the Focus On Identity Management document online or, if you’d like to have a copy handy, use the pdf version instead.

In the meantime, here are the 3 must-attend Identity Management sessions for this year:

  • Trends in Identity Management
    Monday, October 1, at 10:45 a.m., Moscone West L3, room 3003, (session ID# CON9405)
    Led by Amit Jasuja, this session focuses on how the latest release of Oracle Identity Management addresses emerging identity management requirements for mobile, social, and cloud computing. It also explores how existing Oracle Identity Management customers are simplifying implementations and reducing total cost of ownership.
  • Mobile Access Management
    Tuesday, October 2, at 10:15 a.m., Moscone West L3, room 3022, (session ID# CON9437)
    There are now more than 5 billion mobile devices on the planet, including an increasing number of personal devices being used to access corporate data and applications. This session focuses on ways to extend your existing identity management infrastructure and policies to securely and seamlessly enable mobile user access.
  • Evolving Identity Management
    Thursday, October 4, at 12:45 p.m., Moscone West L3, room 3008, (session ID# CON9640)
    Identity management requirements have evolved and are continuing to evolve as organizations seek to secure cloud and mobile access. This session explores emerging requirements and shares best practices for evolving your identity management implementation, including the value of a service-oriented, platform approach.

For a complete listing of all identity management sessions, hands-on labs, and more, see Focus on Identity Management now. See you at OOW12. 

Tuesday Sep 04, 2012

ISACA Webcast follow up: Managing High Risk Access and Compliance with a Platform Approach to Privileged Account Management

Last week we presented how Oracle Privileged Account Manager (OPAM) could be used to manage high risk, privileged accounts.  If you missed the webcast, here is a link to the replay: ISACA replay archive (NOTE: you will need to use Internet Explorer to view the archive)

For those of you that did join us on the call, you will know that I only had a little bit of time for Q&A, and was only able to answer a few of the questions that came in.  So I wanted to devote this blog to answering the outstanding questions.  Here they are.

1. Can OPAM track admin or DBA activity details during a password check-out session?

Oracle Audit Vault is monitoring these activities which can be correlated to check-out events.

2. How would OPAM handle simultaneous requests?

OPAM can be configured to allow for shared passwords.  By default sharing is turned off.

3. How long are the passwords valid?  Are the admins required to manually check them in?

Password expiration can be configured and set in the password policy according to your corporate standards.  You can specify if you want forced check-in or not.

4. Can 2-factor authentication be used with OPAM?

Yes - 2-factor integration with OPAM is provided by integration with Oracle Access Manager, and Oracle Adaptive Access Manager.

5. How do you control access to OPAM to ensure that OPAM admins don't override the functionality to access privileged accounts?

OPAM provides separation of duties by using Admin Roles to manage access to targets and privileged accounts and to control which operations admins can perform.

6. How and where are the passwords stored in OPAM?

OPAM uses Oracle Platform Security Services (OPSS) Credential Store Framework (CSF) to securely store passwords.  This is the same system used by Oracle Applications.

7. Does OPAM support hierarchical/level based privileges?  Is the log maintained for independent review/audit?

Yes. OPAM uses the Fusion Middleware (FMW) Audit Framework to store all OPAM related events in a dedicated audit database.

8. Does OPAM support emergency access in the case where approvers are not available until later?

Yes.  OPAM can be configured to release a password under a "break-glass" emergency scenario.

9. Does OPAM work with AIX?

Yes, supported UNIX versions are listed in the "certified component section" of the UNIX connector guide at:

10. Does OPAM integrate with Sun Identity Manager?

Yes. OPAM can be integrated with SIM using the REST APIs. OPAM has direct integration with Oracle Identity Manager 11gR2.

11. Is OPAM available today and what does it cost?

Yes.  OPAM is available now.  Ask your Oracle Account Manager for pricing.

12. Can OPAM be used in SAP environments?

Yes, supported SAP versions are listed in the "certified component section" of the SAP connector guide here:

13. How would this product integrate, if at all, with access to a particular field in the DB that needs additional security such as SSNs?

OPAM can work with DB Vault and DB Firewall to provide the fine grained access control for databases.

14. Is VM supported?

As a deployment platform Oracle VM is supported. For further details about supported Virtualization Technologies see Oracle Fusion Middleware Supported System configurations here:

15. Where did this (OPAM) technology come from?

OPAM was built by Oracle Engineering.

16. Are all Linux flavors supported?  How about BSD?

BSD is not supported. For supported UNIX versions, see the "certified component section" of the UNIX connector guide.

17. What happens if users don't check passwords in at the end of a work task?

In OPAM, a time frame can be defined for how long a password can be checked out. The security admin can force a check-in at any given time.

18. Is MySQL supported?

Yes, supported DB versions are listed in the "certified component section" of the DB connector guide here:

19. What happens when OPAM crashes and you need to use the password?

OPAM can be configured for high availability, but if required, OPAM data can be backed up/recovered.  See the OPAM admin guide.

20. Is OPAM a standalone product or does it leverage other components from IDM?

OPAM can be run stand-alone, but will also leverage other IDM components.

