Monday Dec 31, 2012

Of Security, Cloud and more – My Observations of The Year That Was

Author: Thom Locke

Thom Locke is a Senior Practice Director, North America Business Development/ASG Solution Architecture for Oracle. With over 37 years of experience in IT Security, Thom is the Security practice leader in Oracle Consulting Services (OCS) and built Security Architecture Consulting at Oracle. Thom manages a team of experts responsible for client engagements, solution design and consulting for database security and identity management solutions from Oracle. And, you'll often find him speaking at industry conferences and events on topics of interest.

2012 it's a wrap folks! It has been an interesting year for security. Cyber security scams, viruses, stolen identities and the end of the world or at least the prediction of it. It's amazing we are all able to login, view accounts and read our favorite blogs! As I look back, a few observations stand out that I’d like to share.

R2 - In summer this year, Oracle released R2. My colleagues in License wanted to call this release of software something like Zargon as it truly is a game changing release for Oracle Identity Management. The IAM R2 release brings together multiple products into Directory, Identity and Access worlds. To provide a platform approach to identity, the solutions are better integrated and offer interoperability with your heterogeneous infrastructure. R2 also has out-of-box support for secure social and mobile sign-on enablement. Many clients are picking up this release and moving from the 9.1/11 releases to R2 for a seamless user experience or the first step into looking at the cloud as a solution set, but we will speak more to that later.

Migration Factory - OCS has put together a new way of doing business leveraging our own business platform based on the Oracle Unified Method aka OUM. For the first time Oracle clients will be able to have a solution architect work with them and have an idea of a deliverable in real time. The platform is built on a series of solution components that allow for rapid quotation, consistent deliverables by the delivery organization. An example is that the OCS has been able to take a full Fusion Apps deliverable down from 13 weeks to 11 days - a substantial savings in effort and cost. The same can be said for leveraging the Factory for migrations such as SIM 2 OIM and the latest offering of IAM in a box. IAM in a box "Identity Governance Version" reduces the time to deploy OIM, PAM and OIA in a production environment to weeks from months. Look for other solution components to come in 2013 such as "Mobile, Social", Federation and the DB Security bundle in a box. 

How could we talk about 2012 without a trip to the clouds? As mentioned earlier, the R2 release of the IAM product sets is the stepping stone into the cloud. Take those components and toss them on an EXA platform and, as Emeril would say, “BAM”; you have an elastic cloud solution. Offerings on the Oracle cloud have jumped into the limelight. Pick your flavor - Public, Private or Semi Private cloud, Oracle has a solution we have deployed. OCS has delivered such a solution as a fully multi-tenant solution set on a Public and Private Cloud for SaskTel. Check out this video recorded with SaskTel CIO, John Hill.

Data security should be on everyone’s mind. How safe is your data? Who has access to what, and have you seen SQL attacks throughout your system? A security assessment allows you to know where your weakest link is within the enterprise and what needs to be done to fix it.

We close 2012 by saying thanks to all that we have all had the pleasure to work with. It looks like 2013 will be the year of Migrations, Transitions, Mobile, Cloud and it all being done "in a box". Aloha 2013 and Welcome to 2013.

Friday Dec 21, 2012

Webcast Replay: Securing the Cloud for Public Sector


Thursday Dec 20, 2012

Webcast Replay Now Available: Developing and Enforcing a BYOD Policy

Mobile Device Policy is a hot topic for IT - everyone knows they need a policy and enforcement tools, but few companies have actually created a formal policy covering employee owned devices.

Oracle and SANS teamed up to present a comprehensive look at mobile device policy: in the first segment, security expert Tony DeLaGrange presents current trends in mobile device policy based on a recent SANS survey. In the second segment, SANS legal expert Ben Wright discusses the pros and cons of various BYOD policies from a legal perspective. And in the third segment, Oracle's own Lee Howarth presents the technology and software necessary to enforce mobile device and application access policies.

Click this link to register and listen to the replay: Webcast Registration

The presentation for this webcast is posted below.

Monday Dec 17, 2012

Partner Blog: aurionPro SENA - Mobile Application Convenience, Flexibility & Innovation Delivered

About the Writer:

Des Powley is Director of Product Management for aurionPro SENA inc. the leading global Oracle Identity and Access Management specialist delivery and product development partner.

In October 2012 aurionPro SENA announced the release of the Mobile IDM application that delivers key Identity Management functions from any mobile device.

The move towards an always on, globally interconnected world is shifting Business and Consumers alike away from traditional PC based Enterprise application access and more and more towards an ‘any device, same experience’ world. It is estimated that within five years in many developing regions of the world the PC will be obsolete, replaced entirely by cheaper mobile and tablet devices. This will give a vast amount of new entrants to the Internet their first experience of the online world, and it will only be via these newer, mobile access channels.

Designed to address this shift in working and social environments and released in October of 2012, the aurionPro SENA Mobile IDM application directly addresses this emerging market and requirement by enhancing administrators’, consumers’ and managers’ Identity Management (IDM) experience by delivering a mobile application that provides rapid access to frequently used IDM services from any Mobile device.

Built on the aurionPro SENA Identity Service platform, the mobile application uses Oracle’s Cloud, Mobile and Social capabilities and Oracle’s Identity Governance Suite for its core functions. The application has been developed using standards based APIs to ensure seamless integration with a client’s on premise IDM implementation or equally seamlessly with the aurionPro SENA Hosted Identity Service.

The solution delivers multi platform support including iOS, Android and Blackberry and provides many key features including:

  • Providing an easy-to-access view of all of a user's own access privileges
  • The ability for Managers to approve and track requests
  • Simply raising requests for new applications, roles and entitlements through the service catalogue

This application has been designed and built with convenience and security in mind. We protect access to critical applications by enforcing PIN based authentication whilst also providing the user with mobile single sign on capability.

This is just one of the many highly innovative products and services that aurionPro SENA is developing for our clients as we continually strive to enhance the value of their investment in Oracle’s class leading 11G R2 Identity and Access Management suite.

The Mobile IDM application is a key component of our Identity Services Suite that also includes Managed, Hosted and Cloud Identity Services. The Identity Services Suite has been designed and built specifically to break the barriers to delivering Enterprise, Mobile and Social Identity Management services from the Cloud.

aurionPro SENA - Building next generation Identity Services for modern enterprises.

To view the app please visit http://youtu.be/btNgGtKxovc

For more information please contact des.powley@aurionprosena.com

Friday Dec 14, 2012

Grow Your Business with Security

Author: Kevin Moulton

Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at twitter.com/kevin_moulton, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.

It happened again! There I was, reading something interesting online, and realizing that a friend might find it interesting too. I clicked on the little email link, thinking that I could easily forward this to my friend, but no! Instead, a new screen popped up where I was asked to create an account. I was expected to create a User ID and password, not to mention providing some personally identifiable information, just for the privilege of helping that website spread their word.

Of course, I didn't want to have to remember a new account and password, I didn't want to provide the requisite information, and I didn't want to waste my time. I gave up, closed the web page, and moved on to something else. I was left with a bad taste in my mouth, and my friend might never find her way to this interesting website. If you were this content provider, would this be the outcome you were looking for?

A few days later, I had a similar experience, but this one went a little differently. I was surfing the web, when I happened upon some little tchotchke that I just had to have. I added it to my cart. When I went to buy the item, I was again brought to a page to create an account. Groan!

But wait! On this page, I also had the option to sign in with my OpenID account, my Facebook account, my Yahoo account, or my Google Account. I have all of those! No new account to create, no new password to remember, and no personally identifiable information to be given to someone else (I've already given it all to those other guys, after all).

In this case, the vendor was easy to deal with, and I happily completed the transaction. That pleasant experience will bring me back again.

This is where security can grow your business. It's a differentiator. You've got to have a presence on the web, and that presence has to take into account all the smart phones everyone's carrying, and the tablets that took over cyber Monday this year. If you are a company that a customer can deal with securely, and do so easily, then you are a company customers will come back to again and again.

I recently had a need to open a new bank account. Every bank has a web presence now, but they are certainly not all the same. I wanted one that I could deal with easily using my laptop, but I also wanted 2-factor authentication in case I had to login from a shared machine, and I wanted an app for my iPad. I found a bank with all three, and that's who I am doing business with.

Let's say, for example, that I'm in a regular Texas Hold-em game on Friday nights, so I move a couple of hundred bucks from checking to savings on Friday afternoons. I move a similar amount each week and I do it from the same machine. The bank trusts me, and they trust my machine. Most importantly, they trust my behavior. This is adaptive authentication. There should be no reason for my bank to make this transaction difficult for me.

Now let's say that I login from a Starbucks in Uzbekistan, and I transfer $2,500. What should my bank do now? Should they stop the transaction? Should they call my home number? (My former bank did exactly this once when I was taking money out of an ATM on a business trip, when I had provided my cell phone number as my primary contact. When I asked them why they called my home number rather than my cell, they told me that their policy is to call the home number. If I'm on the road, what exactly is the use of trying to reach me at home to verify my transaction?)

But, back to Uzbekistan

Should my bank assume that I am happily at home in New Jersey, and someone is trying to hack into my account? Perhaps they think they are protecting me, but I wouldn't be very happy if I happened to be traveling on business in Central Asia.

What if my bank were to automatically analyze my behavior and calculate a risk score? Clearly, this scenario would be outside of my typical behavior, so my risk score would necessitate something more than a simple login and password. Perhaps, in this case, a one-time password to my cell phone would prove that this is not just some hacker half way around the world.

But, what if you're not a bank? Do you need this level of security? If you want to be a business that is easy to deal with while also protecting your customers, then of course you do.

You want your customers to trust you, but you also want them to enjoy doing business with you. Make it easy for them to do business with you, and they'll come back, and perhaps even Tweet about it, or Like you, and then their friends will follow.

How can Oracle help?

Oracle has the technology and expertise to help you to grow your business with security.

Oracle Adaptive Access Manager will help you to prevent fraud while making it easier for your customers to do business with you by providing the risk analysis I discussed above, step-up authentication, and much more.

Oracle Mobile and Social Access Service will help you to secure mobile access to applications by expanding on your existing back-end identity management infrastructure, and allowing your customers to transact business with you using the social media accounts they already know. You also have device fingerprinting and metrics to help you to grow your business securely.

Security is not just a cost anymore. It's a way to set your business apart. With Oracle's help, you can be the business that everyone's tweeting about.

Image courtesy of Flickr user shareski

Tuesday Dec 11, 2012

Webcast Tomorrow: Securing the Cloud for Public Sector


Click here, to register for the live webcast.


Dec 12 For 360 Degree View of Security in the Cloud


Cloud computing offers government organizations tremendous potential to enhance public value by helping organizations increase operational efficiency and improve service delivery. However, as organizations pursue cloud adoption to achieve the anticipated benefits, a common set of questions has surfaced. “Is the cloud secure? Are all clouds equal with respect to security and compliance? Is our data safe in the cloud?”

Join us December 12th for a webcast as part of the “Secure Government Training Series” to get answers to your pressing cloud security questions and learn how to best secure your cloud environments. You will learn about a comprehensive set of security tools designed to protect every layer of an organization’s cloud architecture, from application to disk, while ensuring high levels of compliance, risk avoidance, and lower costs.

Discover how to control and monitor access, secure sensitive data, and address regulatory compliance across cloud environments by:

  • providing strong authentication, data encryption, and (privileged) user access control to ensure that information is only accessible to those who need it
  • mitigating threats across your databases and applications
  • protecting applications and information – no matter where it is – at rest, in use and in transit


For more information, access the Secure Government Resource Center or to speak with an Oracle representative, please call 1.800.ORACLE1.




LIVE Webcast: Securing the Cloud for Public Sector

Date: Wednesday, December 12, 2012

Time: 2:00 p.m. ET

Thursday Dec 06, 2012

Tackling Security and Compliance Barriers with a Platform Approach to IDM: Featuring SuperValu

On October 25, 2012 ISACA and Oracle sponsored a webcast discussing how SUPERVALU has embraced the platform approach to IDM.  Scott Bonnell, Sr. Director of Product Management at Oracle, and Phil Black, Security Director for IAM at SUPERVALU discussed how a platform strategy could be used to formulate an upgrade plan for a large SUN IDM installation.

See the webcast replay here: ISACA Webcast Replay (Requires Internet Explorer or Chrome)

Some of the main points discussed in the webcast include:

  • Getting support for an upgrade project by aligning with corporate initiatives
  • How to leverage an existing IDM investment while planning for future growth
  • How SUN and Oracle IDM architectures can be used in a coexistence strategy
  • Advantages of a rationalized, modern, IDM Platform architecture


 

Wednesday Dec 05, 2012

Partner Blog: Hub City Media Introduces iPad Application for Oracle Identity Analytics

About the Writer:
Steve Giovannetti is CTO of Hub City Media, Inc., a company that specializes in implementation and product development on the Oracle Identity Management platform.

Recently, Hub City Media announced the introduction of iPad application IdentityCert for Oracle Identity Analytics. This post explores the business use cases and application of IdentityCert.

Hub City Media (HCM) has been deploying certification solutions based on Oracle Identity Analytics since it first appeared on the market as Vaau RBACx. With each deployment we've seen the same pattern repeat time and time again:

1. Customers suffering under the weight of manual access certification regimens deploy Oracle Identity Analytics (OIA) for automated certification.
2. OIA improves the frequency, speed, accuracy, and participation of certifications across the organization.
3. Then the certifiers, typically managers and supervisors, ask, “Is there any easier way to do these certifications offline?”

The current version of OIA has a way to export certification data to a spreadsheet.  For some customers, we've leveraged this feature and combined it with some of our own custom code to provide a solution based on spreadsheet exports and imports.  Customers export the certification to Microsoft Excel, complete it, and then import the spreadsheet to OIA. It worked well for offline certification, but if the user accidentally altered the format of the spreadsheet, the import of the data could fail. We were close to a solution but it wasn’t reliable.

Over the past few years, we've seen the proliferation of Apple iOS devices, specifically the iPhone and iPad, in the enterprise. As our customers were asking for offline certification, we noticed the same population of users traditionally responsible for access certification were early adopters of the iPad. The environment seemed ideal for us to create an iPad application to support offline certifications using Oracle Identity Analytics. That’s why we created IdentityCert™.

IdentityCert allows users to view their analytics dashboard, complete user certifications, and resolve policy violations with OIA, from their iPads.

The current IdentityCert analytics dashboard displays the same charts that are available in the Oracle Identity Analytics product. However, we plan to expand the number of available analytics in future releases.



The main function of IdentityCert is user certification which can be performed quickly and efficiently using a simple touch interface. Managers tap into a certification, use simple gestures to claim users and certify their access.  Certifications can be securely downloaded to IdentityCert and can be completed with or without a network connection. The user can upload the completed certifications once they are connected to a cellular or wi-fi network.



Oracle Identity Analytics can generate policy violation notifications based on detective scans of the identity warehouse or via preventative analysis of identity access requests. IdentityCert allows users to view all policy violations, resolve them, or delegate them to appropriate users. IdentityCert also analyzes the policy violation expression and produces more human-friendly descriptions of the policy violation, which improves the ability of users to resolve the violation.



IdentityCert can be deployed quickly into a customer's environment. It is deployed with Hub City Media's ID Services to connect Oracle Identity Analytics securely with the iPad application.

Oracle Identity Management 11g R2 is an important evolutionary release. Oracle's Identity Management suite has more characteristics of a cohesive platform. This platform provides an integrated set of identity services that can be used to protect, manage, and audit security within the enterprise. At HCM we take the platform concept a step further and see it as an opportunity to create unique solutions for Oracle Identity Management customers. IdentityCert is our commitment to this platform.

You can download IdentityCert from the Apple iOS App Store today. It includes a demo dataset that you can use to explore the functions of the product without any server infrastructure. Download it. Give it a try. We would appreciate your interest and welcome any feedback.

Resources:
Press Release: Hub City Media Introduces iPad Application IdentityCert™ for Oracle Identity Analytics
App Store Download: http://bit.ly/IdentityCert
Oracle Identity Governance Suite

Tuesday Dec 04, 2012

LexisNexis and Oracle Join Forces to Prevent Fraud and Identity Abuse

Author: Mark Karlstrand

About the Writer:
Mark Karlstrand is a Senior Product Manager at Oracle focused on innovative security for enterprise web and mobile applications. Over the last sixteen years Mark has served as director in a number of tech startups before joining Oracle in 2007. Working with a team of talented architects and engineers Mark developed Oracle Adaptive Access Manager, a best of breed access security solution.

The world’s top enterprise software company and the world leader in data driven solutions have teamed up to provide a new integrated security solution to prevent fraud and misuse of identities. LexisNexis Risk Solutions, a Gold level member of Oracle PartnerNetwork (OPN), today announced it has achieved Oracle Validated Integration of its Instant Authenticate product with Oracle Identity Management.

Oracle provides the most complete Identity and Access Management platform. As the only identity management provider to offer advanced capabilities including device fingerprinting, location intelligence, real-time risk analysis, and context-aware authentication and authorization, Oracle has an offering that is unique in the industry. LexisNexis Risk Solutions provides the industry leading Instant Authenticate dynamic knowledge based authentication (KBA) service, which offers customers a secure and cost effective means to authenticate new users or prove authentication for password resets, lockouts and such scenarios. Oracle and LexisNexis now offer an integrated solution that combines the power of the most advanced identity management platform and superior data driven user authentication to stop identity fraud in its tracks and, in turn, offer significant operational cost savings.

The solution offers the ability to challenge users with dynamic knowledge based authentication based on the risk of an access request or transaction thereby offering an additional level to other authentication methods such as static challenge questions or one-time password when needed. For example, with Oracle Identity Management self-service, the forgotten password reset workflow utilizes advanced capabilities including device fingerprinting, location intelligence, risk analysis and one-time password (OTP) via short message service (SMS) to secure this sensitive flow. Even when a user has lost or misplaced his/her mobile phone and, therefore, cannot receive the SMS, the new integrated solution eliminates the need to contact the help desk. The Oracle Identity Management platform dynamically switches to use the LexisNexis Instant Authenticate service for authentication if the user is not able to authenticate via OTP. The advanced Oracle and LexisNexis integrated solution, thus, both improves user experience and saves money by avoiding unnecessary help desk calls.


Oracle Identity and Access Management secures applications, Juniper SSL VPN and other web resources with a thoroughly modern layered and context-aware platform. Users don't gain access just because they happen to have a valid username and password. An enterprise utilizing the Oracle solution has the ability to predicate access based on the specific context of the current situation. The device, location, temporal data, and any number of other attributes are evaluated in real-time to determine the specific risk at that moment. If the risk is elevated a user can be challenged for additional authentication, refused access or allowed access with limited privileges. The LexisNexis Instant Authenticate dynamic KBA service plugs into the Oracle platform to provide an additional layer of security by validating a user's identity in high risk access or transactions. The large and varied pool of data the LexisNexis solution utilizes to quiz a user makes this challenge mechanism even more robust. This strong combination of Oracle and LexisNexis user authentication capabilities greatly mitigates the risk of exposing sensitive applications and services on the Internet which helps an enterprise grow their business with confidence.
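
The risk-based flow described above, which is also the bank scenario in Kevin Moulton's post earlier on this page, is sketched here as an added example. It is not Oracle or LexisNexis code, and the signal weights, thresholds, the five-times amount ratio and all field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Weights and thresholds are illustrative assumptions, not product values.
WEIGHTS = {"new_device": 30, "new_country": 30, "odd_hour": 10, "large_amount": 30}
STEP_UP_AT = 30   # at or above: require additional authentication
DENY_AT = 100     # at or above: refuse outright


@dataclass
class Profile:
    """Learned baseline for one user (hypothetical structure)."""
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(8, 20)   # hours of day the user is normally active
    typical_amount: float = 0.0
    can_receive_sms: bool = True        # False when the phone is lost or misplaced


@dataclass
class Request:
    device_id: str
    country: str
    hour: int
    amount: float


def risk_score(profile: Profile, req: Request) -> int:
    """Add the weight of every signal that deviates from the baseline."""
    score = 0
    if req.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
    if req.country not in profile.usual_countries:
        score += WEIGHTS["new_country"]
    if req.hour not in profile.usual_hours:
        score += WEIGHTS["odd_hour"]
    # Flag amounts more than five times the usual transfer (assumed ratio).
    if profile.typical_amount and req.amount > 5 * profile.typical_amount:
        score += WEIGHTS["large_amount"]
    return score


def decide(profile: Profile, req: Request) -> str:
    """Map the score to allow / step-up / deny, choosing the challenge type."""
    score = risk_score(profile, req)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        # OTP over SMS first; fall back to knowledge-based authentication
        # when the user cannot receive the message.
        return "challenge:otp_sms" if profile.can_receive_sms else "challenge:kba"
    return "allow"


if __name__ == "__main__":
    # Constructed sample data mirroring the scenarios in the posts.
    me = Profile({"home-laptop"}, {"US"}, typical_amount=200.0)
    print(decide(me, Request("home-laptop", "US", 15, 200.0)))   # routine transfer
    print(decide(me, Request("cafe-pc", "UZ", 14, 2500.0)))      # unusual context
```

The routine transfer passes without friction, while the unfamiliar device, country and amount together trigger a step-up challenge instead of an outright block.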

Resources:
Press release: LexisNexis® Achieves Oracle Validated Integration with Oracle Identity Management
Oracle Access Management (HTML)
Oracle Adaptive Access Manager (pdf)

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
