Wednesday Jan 30, 2013

Tweet Jam Reveals - Authentication: Stronger or More Often?

Last week, on January 22nd, Mike Neuenschwander, Senior Director, Security & Identity Management at Oracle, took over the @OracleIDM account to host a live twitter chat at #AuthChat. The topic – Authentication: Stronger or More Often?

Mobile, social and cloud are changing the way we do business today. User identity and devices are crossing the personal and professional boundaries, making it a seamless world. And that brings us to – Authentication. Accepting a social identity or allowing an employee or a user to sign on from a personal device to access business applications is becoming more commonplace. Meanwhile, organizations are still struggling with passwords – too many/too vulnerable.

With that in mind, the live twitter discussion focused on key trends in authentication and predictions for 2013. The tweet chat explored if practices like “Trust but Verify” still hold true today or not. Industry thought leaders including Bob Blakley, Dave Kearns, Eve Maler, Ian Glazer, Dan Miller and more participated in this very engaging discussion. The interaction ranged from whether passwords were a dying breed to the cost of biometrics, to the state of SAML and all things authentication.

From serious musings to light-hearted commentary (including this pic that Eve Maler from Forrester shared re. #authcat #authchat), the tweet jam proved to be a great meeting of minds.

Even if you participated, you may have missed portions of the live discussion, so we have curated the chat; it might be worth going back and following the discussion.

One of my personal favorites was a tweet from Clayton Donley who said “Killing all passwords is like killing all mosquitoes…good luck with that!”

Catch the recap of the tweet jam and while you still can, feel free to search for the complete thread by searching on “#authchat” on twitter.

Meanwhile, the first tweet jam has whetted our appetite. We are looking to put together a schedule for identity tweet chats. Have a topic in mind? Send it our way; we look forward to hearing from you.

Recap: Authentication – Stronger or More Often? Tweet Jam Archive

Tuesday Jan 29, 2013

Customer Success Story: How Avea upgraded from Sun to Oracle IDM

Avea is a telecommunications company in Turkey that had a large Sun IDM implementation.  Like many Sun customers, they were planning for the future and were excited by the new features that they saw in the 11g release.

Their upgrade project covered 6300 identities for both employees and partners, 16 enterprise systems including SAP, MS AD, Exchange, Siebel CRM and Unix systems, 150 roles and access policies, 23 request and approval workflow processes, and included attestation and SOD.

This project won the Avea team the coveted Most Innovative IDM Project at Oracle OpenWorld 2012. 

Join us on Thursday, January 31 @ 10:00 am PST to hear them tell all about their project, and get your IDM questions answered by experts during live Q&A.

Click this link to register

Questions submitted during the webcast will be retweeted on #IDMTalk.

Monday Jan 28, 2013

Partner Blog Series: aurionPro SENA- Who Moved My Security Boundary? Part 4

IDM as a Business Enabler

By: Mike Nelsey

In this series we have reflected on the evolution of life and work practices that have brought about a demand for business to deliver services to its target audience – employees, partners or true consumers – in a new way, and that has led to a change in where our security boundaries are situated.  With this comes a significant improvement in customer satisfaction, a reduction in the cost of delivery and, consequently, an opportunity for business to drive up retention rates with services that fit people’s lives and suit the new, fluid business environments.

This is no longer about enormous developments of unwieldy proprietary environments; it’s about delivering solutions using COTS and blending them to streamline process, improve security and change delivery modes for information.  And, fundamentally, doing so beyond the speed of business change.

Organizations cannot retain a reliance on consumers’, employees’ and partners’ apathy-cum-acceptance of average or satisfactory service in the belief that they therefore have a sustainable business model.  Whether we are talking about Public or Commercial Sector organizations, those to whom we deliver a service feel more empowered to make a choice.  Our competitors, with better service delivery, will help them in this.

So, removing the barriers, acknowledging that too much process or too much security can be worse than too little, and doing so by focusing on identities as the core target for delivery is the way forward.  

One of our consultants jovially referred to it as “Breaking down the office walls” and that is not a bad place to start.

I remember when a mobile phone simply made and received calls, cost the price of a small house and was only used by the very privileged!  Since then mobile technology has made significant advances, putting advanced technology into ever smaller and cheaper packages.   Mobile devices are now used by the masses, an integral part of modern life and probably here to stay – well, at least until the next leap to embedding devices inside people.  When leaving the house, it would appear that checking you have your mobile device is as important as checking you have your keys to secure your house and your wallet for the items you wish to purchase.

A smart mobile device not only allows us to make and receive voice calls but extends the scope of communication by allowing us to send and receive information.  This information could be of a personal and/or business nature.  Users are now pushing to use their own mobile devices to access business information, as this limits the number of mobile devices they have to manage.  It also gives them the user experience that they prefer and a degree of freedom of expression.  As a result, mobile business users or consumers of information require access anytime, anywhere, on any device.  This is forcing companies to rapidly adopt a BYOD policy to protect their information.

Allowing users access to information anytime, anywhere, on any device does have business advantages, as users can execute tasks outside of the traditional office hours.  However, the company still needs to maintain a level of security and audit data.  Users who are using their own mobile devices have neither a vested interest in nor detailed knowledge of strong security, and thus may inadvertently weaken the traditional security boundaries and compromise the integrity of the information the company holds.

What is the solution? How do you allow users to BYOD while still maintaining an adequate level of security and giving the users a good experience?

Let’s consider an example.

A customer raises a support call from an office located in Australia.  The supplier’s support desk is based in the UK and is closed when the ticket is raised; however, a reply is still required.  The support system sends a notification to the support engineer’s personal mobile phone informing them that a ticket has been raised.  The engineer has the company support application installed on their mobile device – an application which is protected by Oracle Mobile Application.  Before the engineer is allowed to access the information they are forced to authenticate, one of the options being to use their social network credentials for convenience.  Since they have only authenticated with their social credentials, the access policy on the support application only allows the engineer to view the status of the support ticket and a brief synopsis.

Based on the limited information provided, the engineer deems that an urgent reply is required and therefore loads the cloud-based company roster application on their mobile device to determine which engineer is on call for this customer. This application is also protected by Oracle Mobile Application.  Because the engineer has previously authenticated, they are provided with Single Sign-On between the two applications, as defined in the security policy.  Having determined the on-call personnel, the engineer now needs to send an email to them using the company email application.  This is also protected by Oracle Mobile Application.  Because email has a higher security value, the security policy does not allow the engineer to use their social credentials to authenticate.  Therefore they are forced to re-authenticate using their company-issued credentials.  

Are all mobile devices permitted to access the company resources?  Suppose the engineer gets a great bonus this month and buys a new mobile device which is not supported by the company’s BYOD policy.  Integrating Oracle Identity Management with Oracle Adaptive Access Management provides device fingerprinting.  This allows unrecognized or unapproved mobile devices to be blocked from accessing company resources.
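The step-up behaviour described in the scenario above, as an added illustration that is not part of the original post or of any Oracle product: a session carries the assurance level of the credential used (social or corporate), each application's policy states which operations each level unlocks, a lower-assurance session reuses its authentication across applications (single sign-on) until it hits an operation that needs more, and an unrecognised device fingerprint is refused before any policy is consulted. Application names, operations and the device fingerprint are all constructed for this example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Set, Tuple


class Assurance(IntEnum):
    """Assurance earned by the credential presented; higher values include lower ones."""
    NONE = 0
    SOCIAL = 1      # social-network login: convenient, low assurance
    CORPORATE = 2   # company-issued credential: higher assurance


# Constructed policy: for each protected app, the operations unlocked at each level.
# A session at level L is granted the union of the operations for every level <= L.
POLICY: Dict[str, Dict[Assurance, Set[str]]] = {
    "support_app": {
        Assurance.SOCIAL: {"view_status", "view_synopsis"},
        Assurance.CORPORATE: {"view_full_ticket", "update_ticket"},
    },
    "roster_app": {
        Assurance.SOCIAL: {"lookup_on_call"},
    },
    "email_app": {
        Assurance.CORPORATE: {"read", "send"},
    },
}

# Constructed fingerprint of the one device the (hypothetical) BYOD policy has approved.
APPROVED_DEVICES: Set[str] = {"fp-a1b2c3"}


@dataclass
class Session:
    user: str
    device_fp: str                      # fingerprint reported by the device-risk layer
    assurance: Assurance = Assurance.NONE

    def authenticate(self, level: Assurance) -> None:
        # Re-authentication can only raise the session's assurance, never lower it.
        self.assurance = max(self.assurance, level)


def decide(session: Session, app: str, operation: str) -> Tuple[str, str]:
    """Return (decision, reason); decision is ALLOW, STEP_UP or DENY."""
    # Device check comes first: an unapproved device gets nothing, whatever it authenticated with.
    if session.device_fp not in APPROVED_DEVICES:
        return "DENY", "device not recognised by BYOD policy"
    levels = POLICY.get(app)
    if levels is None:
        return "DENY", f"no policy for {app}"
    # Everything the current assurance level already unlocks (SSO path).
    granted = set().union(*(ops for lvl, ops in levels.items() if lvl <= session.assurance))
    if operation in granted:
        return "ALLOW", f"{session.assurance.name} assurance suffices"
    # Some higher level would unlock it: ask the user to step up rather than refusing outright.
    needed = [lvl for lvl, ops in levels.items() if operation in ops and lvl > session.assurance]
    if needed:
        return "STEP_UP", f"re-authenticate at {min(needed).name}"
    return "DENY", f"{operation} not permitted on {app} at any level"


if __name__ == "__main__":
    s = Session("engineer", "fp-a1b2c3")
    s.authenticate(Assurance.SOCIAL)
    for app, op in [("support_app", "view_status"), ("roster_app", "lookup_on_call"),
                    ("email_app", "send")]:
        print(app, op, decide(s, app, op))
    s.authenticate(Assurance.CORPORATE)
    print("email_app send after step-up:", decide(s, "email_app", "send"))
```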

In summary, the modern office working hours are very flexible; gone are the days of users accessing information simply while they are in the office using the company network and/or mainframe-style devices.  All organizations are going through the same evolution, and thus they demand of us the same flexibility that their employees demand of them.  Employees expect choice and flexibility in working hours and working methods – providing this does have a cost, but it helps to attract and retain the best talent and thus is a trade-off which can be justified.  As businesses expand over multiple continents, users need access to information 24 hours a day, 365 days per year, in disparate locations.  

In the same way, consumers expect to be able to engage whenever it suits them.  We need to be able to respond rapidly to changing market requirements – scaling up rapidly, using the cloud, deploying new functionality – whilst at all times retaining appropriate security levels and providing an exceptional customer experience.  Those who support this by adopting social media and cloud-based identity and access models will gain competitive advantage and be able to reach consumers like never before.

Business must embrace the change in both the organizational and consumer spheres and deploy the correct technology or they will suffer in the “always plugged-in world”.

This brings the last of the series to a close.

Despite the noise we’re creating, this is not a revolutionary big-bang approach.  An old friend always talks about sprucing up a house by tidying up the doors and windows.  Service improvement is just this: small, visible steps based upon a thought-through strategy, delivering against a roadmap that has business buy-in and takes account of where we are and where we want to be, with the focus on our target populations.  Identity and access management delivering for your organization.

For more information on any of the topics we have discussed in this blog series or to request a copy of the ‘Who Moved My Security Boundary?’ brochure please email  or to view an electronic copy please click here.

About the Author:

Mike Nelsey, Managing Director, aurionPro SENA

Working in the IT industry since the early 90s, Mike leads the aurionPro SENA European operation. Mike has been involved in identity and access management since 1999, when the company won its first framework agreement with UK policing for web access control.  Since then he has overseen the company’s strategy, moving into a focused delivery model working closely with Oracle to provide a true stack offering covering consult, design, build and support.

Gartner Positions Oracle as a Leader for Identity Management

Oracle Named a Leader in both Gartner Magic Quadrant for Identity and Access Governance and User Administration/Provisioning Reports

Once again, Gartner has named Oracle as a Leader in both of its recently published Identity Management reports - Gartner Magic Quadrant for Identity and Access Governance, 2012, and Gartner Magic Quadrant for User Administration/Provisioning, 2012.  Read the press release for more information.

Recently Gartner published their Magic Quadrant Report for User Administration and Provisioning, December 2012 and Oracle was named a Leader.

Figure 1. Magic Quadrant for User Administration and Provisioning

Source: Gartner (December 2012).

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Oracle here. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner describes leaders in user administration/provisioning as “high-momentum vendors (based on sales, world presence and mind share growth). They possess impressive track records in UAP use across most industry segments. Business investments position them well for the future. Leaders demonstrate balanced and exceptional progress and effort in the Ability to Execute and Completeness of Vision categories. They possess comprehensive feature sets and enjoy reasonable customer satisfaction. They can — and often do — change the course of the industry.”

Gartner also published their Magic Quadrant Report for Identity and Access Governance, December 2012 and Oracle is a leader.

Figure 1. Magic Quadrant for Identity and Access Governance

Source: Gartner (December 2012)

Identity and Access Governance solutions offer business users identity analytics and reports to address governance, audit and compliance challenges. According to Gartner, leaders in Identity and Access Governance (IAG), “deliver a comprehensive toolset for the governance of identities and access. Leaders also show evidence of superior vision and execution for anticipated requirements related to technology, methodology or means of delivery. Leaders typically show strong revenue growth and demonstrate customer satisfaction with IAG capabilities and/or related service and support.”

Oracle’s position in the Leaders Quadrant in both User Provisioning and Identity and Access Governance Reports further confirms that organizations recognize the advantages of a platform approach to Identity Management and that the benefits of an integrated solution far outweigh those of deploying individual, point solutions. The recently announced Oracle Identity Governance Suite offers customers proven, industry-leading and tightly integrated user provisioning, identity & access governance and privileged account management capabilities.

If you are looking at user provisioning and/or compliance solutions, we suggest you start by downloading these analyst reports and our recently issued press release on the subject. For more information on Oracle’s platform approach to Identity Management and to learn more about our best-in-class Identity Management solutions, visit us at or contact us via our online communities: Facebook, Blog and Twitter.


Friday Jan 25, 2013

Globe Trotters Edition: Virgin Media brings WiFi to London Tube for Olympics 2012

Contributed by: Ben Bulpett, aurionPro SENA

Virgin Media is the UK’s first combined provider of broadband, TV, mobile and home phone services. In preparation for the 2012 London Olympics, Virgin Media worked with their partner, aurionPro SENA, to enable free secure WiFi services to London Underground using Oracle Identity Management solutions. Yes, the secure WiFi on London Tube today is enabled using identity management! And, as an Olympic 2012 legacy, the Oracle architecture will form a platform to be consumed by other Virgin Media services. Check out this video:

This post and an upcoming webcast will examine how Identity Management, specifically Oracle Virtual Directory (OVD) and Oracle Entitlements Server (OES), has enabled Virgin Media to offer services leveraging back-end legacy systems that were never designed to be externalized.

Challenges abound for this massive undertaking. The initial scope of the project targeted 72 London Underground stations within Zone 1. With 2 or more platforms per station and potentially hundreds of people in the station, the service had to be able to support 115,000 sessions every 2 minutes. And of course, customer experience was key. That meant high availability even at peak times while offering a seamless experience to the users.

The current systems, databases and directories that hold their customer data reside in a plethora of legacy architectures, none of which were designed to be externalized. Working with aurionPro SENA, Virgin Media was able to provide an abstraction layer using Oracle Virtual Directory to build a carrier-class directory that provides views of the customer data; integrated with Oracle Entitlements Server, it provides the rules-based entitlements service that determines whether a customer is eligible for the free customer WiFi service.

Virgin Media were successful in securing the service to provide a free WIFI service to the London Underground, which had to be implemented before the 2012 London Olympics (Metro WIFI). According to Virgin Media, WiFi on London Underground has been an incredible success with over 700,000 people already online and a remarkable million sessions every day.

However, they wanted to extend the use of the service after the games as an additional value add service to all its customers, as well as a platform to wholesale to other providers.

As there was no existing Virgin Media service that provided the same sort of end-to-end functionality as Metro WiFi, rather than build the whole service from scratch Virgin Media wanted to reuse some components that already existed within their environment. Because they intended to make this new service available to existing Virgin Media Broadband and certain Virgin Media Mobile customers, these existing components are chiefly around the back-end user authentication and authorization piece: RADIUS, Central LDAP and the Virgin Mobile user systems.

However, the links between these systems to enable Virgin Media WiFi Service did not yet exist, so in essence the solution consists of taking these pre-existing components and adding new links between them to provide an integrated solution with as few newer parts as possible.

The solution is based upon three Oracle Software components, sitting on an Oracle Hardware platform:

OES has been integrated into OVD to provide an authorization context to standard LDAP lookups. This allows Steel Belted Radius to authenticate and authorize users held in disparate user repositories for a public WiFi service by using the standard LDAP interface, whilst leveraging centrally managed authorization policies provided by OES.

The solution works by OVD adding a number of virtual attributes to the LDAP requests containing the results of authorization calls made to OES. Steel Belted Radius then takes these virtual attributes and enforces the authorization by allowing or denying connections to the WiFi Service.
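The virtual-attribute pattern just described, as an added stand-alone simulation that is not Virgin Media's or Oracle's code: two legacy stores with different schemas are joined behind one directory-style view, the view computes an eligibility decision and injects it as virtual attributes (wifiAuthorized, wifiAuthzReason) on every entry it returns, and the RADIUS enforcement point reads only those attributes, knowing nothing about the back ends or the policy. All records, attribute names and eligibility rules are constructed; authentication (the bind) is left out to keep the focus on the authorization attributes.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-ins for the two legacy user stores, each with its own schema.
BROADBAND_LDAP: Dict[str, dict] = {
    "alice": {"cn": "Alice", "accountStatus": "active", "product": "fibre-100"},
    "bob":   {"cn": "Bob",   "accountStatus": "suspended", "product": "fibre-50"},
}
MOBILE_DB: Dict[str, dict] = {
    "carol": {"display_name": "Carol", "status": 1, "plan_type": "contract"},
    "dave":  {"display_name": "Dave",  "status": 1, "plan_type": "payg"},
}


def virtual_entry(uid: str) -> Optional[dict]:
    """Join layer: present one common schema regardless of which store holds the user."""
    if uid in BROADBAND_LDAP:
        rec = BROADBAND_LDAP[uid]
        return {"uid": uid, "cn": rec["cn"], "source": "broadband",
                "active": rec["accountStatus"] == "active", "plan": rec["product"]}
    if uid in MOBILE_DB:
        rec = MOBILE_DB[uid]
        return {"uid": uid, "cn": rec["display_name"], "source": "mobile",
                "active": rec["status"] == 1, "plan": rec["plan_type"]}
    return None


def wifi_policy(entry: dict) -> Tuple[bool, str]:
    """Stand-in for the externalised entitlement service (constructed rules):
    active broadband accounts and active mobile contracts are eligible;
    suspended accounts and pay-as-you-go plans are not."""
    if not entry["active"]:
        return False, "account not active"
    if entry["source"] == "mobile" and entry["plan"] != "contract":
        return False, "mobile plan is not a contract"
    return True, f"eligible via {entry['source']}"


def ldap_search(uid: str) -> Optional[dict]:
    """Virtual directory search: the joined entry plus virtual attributes carrying
    the policy decision, so the caller never has to evaluate policy itself."""
    entry = virtual_entry(uid)
    if entry is None:
        return None
    allowed, reason = wifi_policy(entry)
    entry["wifiAuthorized"] = "TRUE" if allowed else "FALSE"
    entry["wifiAuthzReason"] = reason
    return entry


def radius_decision(uid: str) -> str:
    """Enforcement point: a plain LDAP client that only reads the virtual attribute.
    An unknown user and an unauthorized user are both rejected."""
    entry = ldap_search(uid)
    if entry is None or entry.get("wifiAuthorized") != "TRUE":
        return "Access-Reject"
    return "Access-Accept"


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave", "nobody"):
        entry = ldap_search(uid)
        reason = entry["wifiAuthzReason"] if entry else "no such user"
        print(f"{uid:7} {radius_decision(uid):14} {reason}")
```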

The London Underground WiFi service will be enabled for all of Virgin Media’s broadband and contract mobile user base (Virgin Media and Virgin Mobile).

If you would like to know more about the solution then look out for the forthcoming webinar from Virgin Media, where Perry Banton, one of Virgin Media’s architects, will discuss the solution with their partner aurionPro SENA in greater detail.

Virgin Media Takes Identity Management Underground
Thursday, March 28, 2013
10 a.m. PDT/ 1 p.m. EDT

About the Writer:

Ben Bulpett is Alliance and Enterprise Accounts Director at aurionPro SENA in the UK.  He is responsible for the relationship between aurionPro SENA and Oracle UK as well as managing a number of key strategic accounts.

Ben has been with aurionPro SENA for over 3 years and was instrumental in developing the relationship with Oracle and leading aurionPro SENA to become Oracle UK and EMEA Partner of the Year.  He also led the team that delivered the Oracle components for the Metro WIFI solution at Virgin Media. Ben has over 25 years’ experience and knowledge of the computer industry.  Before joining aurionPro SENA, he held various sales and management roles including Director Security Sales at CA, UK Sales Director with Novell, and was responsible for key enterprise customers and partners with Mindjet UK Limited.  He is married with 6 children.

Thursday Jan 24, 2013

Partner Blog Series: Deloitte Talks Part 4 - Building a Secure Mobile Environment

This blog is the fourth in a series of blogs regarding Mobile Security, and focuses on strategies for mobile security deployment.

Mobility poses challenging risks and existing security, IT support resources and infrastructure typically cannot be extended to cover mobile devices and applications without significant investment in developing new skills, technical capabilities, operational processes and deployment of a mobility infrastructure. Existing operational processes may not be efficiently designed or mobile-ready which may hinder expected productivity.

After gaining an understanding of the specific risks that affect your business, the next step is identifying and defining your approach to a mobile security solution deployment. When identifying the right approach, it is important to understand your specific use cases and incorporate your primary business drivers and objectives.

Strategic Choices: After identifying the desired approach to meet your overall mobile security objectives, a critical next step is to address a few critical strategic choices and/or decisions that your organization should consider. This, in turn, will likely impact how your organization executes on the chosen approach and also the development of the overall mobile security strategy. In an earlier blog in this series, we’ve discussed the challenges an enterprise may face regarding the bring-your-own vs. enterprise provided device decision. Other decisions facing organizations regarding their mobile security strategy include:

  • Manage mobile security in-house vs. outsourcing: Organizations should balance the bandwidth and mobile security experience required to viably manage their own mobile security against the reduced control and flexibility they may have by partnering with a third party provider
  • Simplify application development and distribution: Consider establishing a mobility-aware enterprise architecture and application design framework. Use cross-platform software development kits that support multiple mobile operating systems and support disconnected and loosely connected local applications, browser-based applications that decouple the application from the mobile operating system, and virtual desktop solutions that reduce the need for a local client where appropriate
  • Reduce device support: Implement centralized device management (commonly referred to as “Mobile Device Management” or MDM) by installing an agent on the device or by registering the device with a central management application so you can monitor it for health status and configuration settings, and push applications, configuration settings, and software patches as necessary. Adopt a cross-platform solution to support the broadest array of devices from a single management console
  • Full vs. restricted data access: There is a continuum of choices to be considered when determining what type of data and applications mobile devices should have access to. The more critical the data accessed, the higher the potential risks and the more stringent the security measures need to be to mitigate that risk. The drive to enhance the productivity of mobile workers will likely result in more critical data types being exposed and corresponding security measures to be employed
  • Reduce security risk: Develop a tightly coordinated suite of technical and policy-based solutions and consistently applied processes for device and network access controls, local and remote data wipe, device configuration, data encryption, patching and updating, authentication, device partitioning, security and appropriate use monitoring, and the like. Establish a private enterprise application store so employees can have a single trusted place to download the latest mobile applications. Partitioning is a particularly important aspect of BYOD as it allows a clean separation of personal and business applications and data. This in turn makes it possible to lock down and manage business applications and data without affecting personal assets running on the device
  • Managing user compliance: To reduce business risk and legal liability, consider developing user agreements and providing training so users understand mobile security risks, their responsibilities, acceptable use policies, prerequisites for connecting any device to the network, inappropriate use, and more. Implement processes for notifying users when they are out of compliance and explain why they are out of compliance, along with the steps they should take to become compliant. For global operations, tailor user agreements and supporting practices by country to comply with local regulatory requirements

Tips for Securing a Mobile Environment: There are many aspects to consider in order to provide a secure mobile environment. The following are tips to consider when deploying (or gaining secure control of) an enterprise mobile environment:

  • Consider the installation of a network access control system (NAC) to confirm that the enterprise network is prepared to work with and adequately secure mobile device access
  • Check to see if the enterprise physical locations have a strong wireless infrastructure so that mobile devices are as effective in the office as on the road, without incurring the expense associated with 3rd Generation (3G) / 4th Generation (4G) cellular access. 3G and 4G are standards for mobile communication and these standards specify how the airwaves must be used for transmitting information (voice and data)
  • Automate the distribution of anti-virus updates and OS security patches
  • If deploying enterprise owned devices, there are several processes that should be considered to effectively manage the physical devices, including:
      o Asset management, inventory control and physical security
      o Device refresh procedures (mobile devices have a short shelf life and are probably obsolete within two years)
      o Lost device wiping and replenishment
      o Damaged device replenishment (and data recovery)

Mobile Security Framework: The implementation and deployment of a mobile security strategy should be approached broadly as there are several areas of the enterprise impacted both from a business and IT standpoint. As mentioned in the first blog in the series, having an understanding of the components comprising the mobile ecosystem, its inter-dependencies, the various organizational risks, the underlying mobile security objectives/approach and strategic choices is critical in the development of an effective, requirements driven strategy.

Define requirements:

  • Coordinate with IT, Legal, HR and other business owners to define the current business model, future objectives, leading to a publication of a mobility vision and strategy. Develop a mobile security policy framework and initial operational procedures.
  • Gather business, functional and technical mobility requirements, followed by security requirements in support of the others. Conduct a gap analysis to identify a prioritized set of people, process and technology recommendations.

Architect and design:

  • Define and construct the mobile security operations framework, including hardware, software, services, business processes and HR requirements. Define an ongoing oversight and management review process.
  • Define supporting technologies such as mobile OS security baselines and secure mobile application development procedures. Develop an implementation roadmap and project plan.

Technology Acquisition and Deployment:

  • Perform make vs. buy analysis for important decision points. Identify resource requirements and skill sets and embark on training/acquiring the necessary resources.
  • Engage with procurement team to define and acquire the services required to support the mobile security environment.
  • Perform the analysis of current mobile device vendors to determine what OS platforms, carriers and devices meet the requirements of the business.
  • Follow normal IT protocols for piloting, testing and user acceptance. Conduct a mobile device, application and operations security assessment.
  • A detailed communication strategy should precede and accompany full deployment.
  • Rinse and repeat! The mobile landscape is ever evolving and new requirements, use cases, platforms and devices require proactive and periodic updates to the enterprise mobile security strategy. Initiate a broad process to stay abreast of the ever changing mobile environment and an update/patch process to keep the network safe.

Conclusion: Enterprise mobility is redefining long-standing rules for end-user support, device management, acceptable use, risk management and data protection. As a result, mobility is creating significant new challenges for enterprise IT departments. With the proliferation of mobile devices, rising expectations of end users and the velocity with which uninvited devices are entering the network, these challenges simply should not be ignored. CIOs should seize the initiative and start to align business strategy and needs, IT capabilities and user expectations. By doing so, the enterprise may be able to cost-effectively and securely satisfy end users, streamline and reduce IT support costs, and ideally position the enterprise to embrace and reap the rewards of increasingly sophisticated mobile devices and mobile applications. Conversely, failure to act may lead to the IT organization being perceived as “tone deaf” by end users (including executive management) and may significantly increase the security, privacy and regulatory risks to your organization.

We welcome your thoughts and feedback on this blog. What challenges has your organization faced in deploying a mobile security strategy? What best known practices has your organization adopted to meet these challenges?

Previous posts in the series:

Mobile Security – An Enterprise View

BYOD - An Emerging technology Concept

Securing Mobile Applications

Laura Hars is a Manager in Deloitte & Touche LLP’s Identity and Access Management (IAM) practice. Laura is a specialist in the following capabilities: IAM, IT Risk Management, IT Compliance Management, Security Architecture Design, Program Management, Data Loss Prevention, Systems Engineering, and delivering customized IAM designs for programs. Laura has a rich background in security engineering with over 10 years of experience. Most recently, Laura is focused on requirements and architecture designs for mobile architecture platforms.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

Tuesday Jan 22, 2013

Avea Telecommunications upgrades from Sun to Oracle Identity Management

Original post at Oracle Fusion Middleware blog

Avea Telecommunications recently upgraded from Sun Identity Management to Oracle Identity Management 11g to position the company for future growth. In this video, Ulvi Bucak, Security and Operations Planning Manager at Avea, discusses the key factors that led to their selection of Oracle Identity Management when migrating from Sun Identity Management. Learn more about Oracle Identity Management today.

Monday Jan 21, 2013

Partner Blog Series: aurionPro SENA- Who Moved My Security Boundary? Part 3

Consumerization of Identity: Bringing Social Identity to Work

Business is now driving costs out and enriching services with the sophisticated use of identity information. Forward-looking organizations are latching on to terms such as “social media identity” and “Consumerization” to gain an upper hand against the competition through improved and simplified internal or consumer orientated user experience. What does this mean in real terms, though?

We’ve looked previously at how the desire of users and consumers to access information from anywhere at any time impacts on our approach. The security boundary has surely moved. But how far? Yes, it could move as far as individual data elements. If we examine things more closely, however, is the step that employees and consumers are asking us to take really such a big one? Is it a blind leap into the unknown, or a manageable journey to a better place for all?

Complexity always exists, and simplification for end-users will likely come as a result of an infrastructure that is functionally richer. The discussion should not be one of complexity, though. To decide whether to accede to our users’ requests and support the consumerization of identity, we must focus primarily on risk. Let’s approach this from two points of view.

The first view is that of the security of social identity. There is much talk of using Facebook, Twitter and other social media identities to replace logon to low-value resources on company websites. The knee-jerk reaction to such a request is “no way”, because it just feels insecure. If we think about it, though, what’s more valuable to an individual? Their company-provided extranet logon or their Facebook logon? Their company credit card or their personal credit card? Their office keys or their house keys? People will always tend to value more highly those things whose compromise would have the greater personal impact, and thus they will protect them more diligently. So a Facebook logon is arguably more valuable to its holder than the extranet logon. Of course, the comparison is not as simple as that one aspect. Among other risks, personal assets can be shared with a trusted peer group, particularly family, whereas corporate assets typically are not. Conversely, personal assets are generally not shared with trusted work peer groups either, whereas corporate assets can be. However, the point remains that a social identity is not the weak credential that it can appear to be on initial gut reaction.

So with a combination of both personal and corporate security responsibilities, the security of a credential existing in both domains simultaneously can be greater than that of one existing purely in a single domain. The duties of care between the employer and the employee are becoming entwined in a subtle way that is hard to unpick, but in a way where security benefits can accrue unexpectedly for both sides.

Take a second, completely different viewpoint. It’s common for employees to use social identity for numerous business purposes. Data is sourced and published in the public domain using identities that exist in the public domain. Marketing, recruitment and many other activities rely on sites such as Twitter and LinkedIn. Does the company gain benefit by trying to control these public domain identities too closely? Should the employee be allowed to use their personal accounts? Just as valid a question is: does the employee want to use their personal accounts?

Employees are asking for access to everything from everywhere. But do they really want so much freedom, with almost no boundary between personal and corporate identities? Is a degree of separation between the two desirable for all? Regardless, identity governance needs as complete a picture as possible of system access – for corporate, partner and cloud systems. The risk assessment around this needs data, so we need to include public domain systems in our governance scope. We can’t establish a BYOD or social identity programme without an analysis of the risk trade-offs.

So where does this leave us? Are we being asked to take the blind leap into the unknown? It leaves us at "Security: Step 1".

We need to do the risk assessment. We need to compare the business rewards, the possible issues and compare these with the corporate risk appetite. And crucially, to do this we need to know what our employees and customers really desire. They really aren’t asking us to move to a scary place.

In fact, for some areas of business it is a wholly appropriate place. It is simply a place we are not yet accustomed to, given the new use cases we are being presented with.

But know this. If you choose to say “yes” to shifting the security boundary, the technology exists to support your journey. We will look more closely at some of the options in our final part of this series.

About the Author:

Mike Nelsey, Managing Director, aurionPro SENA

Working in the IT industry since the early 90’s, Mike leads the aurionPro SENA European operation. Mike has been involved in identity and access management since 1999, when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy moving into a focused delivery model, working closely with Oracle to provide a true stack offering covering consult, design, build and support.

Thursday Jan 17, 2013

Partner Blog Series: Deloitte Talks Part 3 - Securing Mobile Applications

This blog is the third in a series of blogs regarding Mobile Security, focusing on application security and the role Identity and Access Management (IAM) can play in helping to secure mobile applications.

Mobile applications run on, or are accessed from, a given mobile device. Application security encompasses those measures taken to prevent a security policy exception at the application level, or the exposure of a vulnerability in the underlying platform. Mobile applications are rapidly evolving from being narrow and task oriented to providing complex capabilities applicable to most business functions. Applications accessed through mobile devices range from enterprise-hosted applications that are accessed through web browsers, to highly customized applications that operate natively within a mobile device and are compiled for a specific mobile platform.

Mobile application security should be considered within the context of a heterogeneous IT environment. Users expect a consistent experience, whether they are accessing an application from a mobile device at the airport or from their laptop in the office. In particular, enterprise information systems should recognize users in the same way and support access, permissions, and password security across many devices and locations. Provisioning to mobile devices, and every other type of system access, should also be simple, cost effective, and secure. Effective security measures can provide adequate protection from vulnerabilities without impairing adoption or usability.

Understand Unique Threats: Mobile platforms have unique security challenges. These challenges can lead to data leakage or other vulnerabilities that may not have been considered when developing/provisioning applications solely for workstation or browser access, for example:

  • Information can be exchanged in many different ways on mobile devices (Bluetooth, Wi-Fi, Desktop Sync, 4G wireless, etc.)
  • Data can be shared among applications running on a given platform
  • Mobile devices are easily lost, stolen or even shared; physical security cannot be assumed
  • Applications may be accessed from vulnerable locations (e.g., airports, restaurants, etc.)
  • Mobile Devices may be easily taken “off network,” limiting the usefulness of typical security remedies such as remote data wipe or lock
  • Differences in device management strategies (e.g., bring your own device vs. enterprise-provided devices)

Mobile application security strategies should account for multiple platforms, as each platform comes with its own set of vulnerabilities. Platforms are rapidly evolving, and thus enterprise mobile security strategies must be proactive in identifying and mitigating new threats as they emerge.

Implement Broad Application Security from the Start: An enterprise should define and communicate the enterprise policies and processes for managing mobile applications up front, and revisit them frequently. Policies can include areas such as device usage, data handling, user provisioning, network access, encryption, application downloading, purchasing and development. Once these policies and procedures are defined, the enterprise should identify and implement technologies that can enforce them.

In-house mobile application development capabilities are evolving, and secure Systems Development Life Cycle (SDLC) methodologies for mobility are not widely deployed. The application development/procurement process should consider how applications will be developed and maintained for each target platform. It is important that the technical team is adequately trained and remains current in mobile security leading practices. Whether buying or developing a mobile application, consider whether the application uses the platform’s native Application Programming Interfaces (APIs) for privacy and security functions. Processes such as architecture reviews and secure code reviews should be leveraged and consistently applied as part of the mobile application SDLC. A secure update process should be implemented so that critical security patches are deployed in a timely manner. Mobile development and testing tools are rapidly evolving and can be obtained from multiple sources, ranging from commercially available tools to freeware. Any selected tool should be validated for its intended use as part of establishing a mobile application security framework.

Focus on Data Security: A mobile application is a gateway to enterprise data. Furthermore, the very design of a mobile device indicates the intent to access that enterprise data from outside the boundaries of the enterprise security protections. Any data that is accessed on the mobile device should be encrypted. Storage of any enterprise critical intellectual property and privacy information on the device should be limited. Any local data that will be written back to the enterprise host should be replicated as soon as possible, and data should be purged by an application when it is no longer needed. However, for applications with off-line use cases, consider what data needs to remain on the device to support off-line use. Business data should be isolated from personal data on a given device.

Any type of forms-based authentication should include in-line form validation and utilize Secure Sockets Layer (SSL) to avoid transporting user credentials over the Internet in clear text. Applications developed for mobile devices should consider utilizing the unique capabilities of these devices (voice recognition, facial recognition, other biometrics, etc.) to reduce the need for users to type cumbersome, multi-character strong passwords and/or to support multifactor authentication requirements. Authentication and authorization methods for mobile applications need to account for use cases where both on-line and off-line access will be supported.

Validating data input is another key component of application security on a mobile device. Validated input may help ensure that a remote procedure call does not crash or allow remote access if malformed data is passed. Threats such as buffer overflow, Structured Query Language (SQL) injection, denial-of-service (DoS), memory leaks and others may result from not validating fields requiring user input.

Implement Mobile Access Logging and Monitoring: Security event logs should include parameters such as Session ID, user identity, event description, success/failure, severity level, hostname/IP, location of event and timestamp. Periodic reviews of security audit trails and log files, and active monitoring for invalid mobile application access, are key to maintaining a secure mobile environment. Care should be taken to balance the requirements for security logging and monitoring with potential user privacy concerns.
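To make the logging guidance concrete, here is an added Python example (not Deloitte’s or Oracle’s code) that writes security events with exactly the fields the post lists, coarsens the device location before it is recorded as one way to respect the privacy concern, and reviews a few constructed log lines for repeated invalid authentication attempts. The field names, the threshold, the window and the sample data are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Field set taken from the post's list of logging parameters (names are assumed).
REQUIRED_FIELDS = ("session_id", "user", "event", "outcome", "severity",
                   "host", "location", "timestamp")


def coarsen_location(lat: float, lon: float, places: int = 1) -> str:
    """Round coordinates to one decimal place (roughly 10 km) so the audit trail
    supports monitoring without recording a user's exact movements."""
    return f"{round(lat, places):.{places}f},{round(lon, places):.{places}f}"


def security_event(session_id, user, event, outcome, severity, host,
                   lat, lon, when: datetime) -> str:
    """Emit one JSON log line containing exactly the required fields."""
    record = {
        "session_id": session_id,
        "user": user,
        "event": event,                  # e.g. "authenticate", "data_read"
        "outcome": outcome,              # "success" or "failure"
        "severity": severity,            # e.g. "info", "warn", "high"
        "host": host,                    # hostname or IP of the device/endpoint
        "location": coarsen_location(lat, lon),
        "timestamp": when.isoformat(timespec="seconds"),
    }
    return json.dumps(record, sort_keys=True)


def parse_event(line: str) -> dict:
    """Parse a line and reject records missing any required field, so gaps in
    the audit trail are noticed during review rather than silently ignored."""
    record = json.loads(line)
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"log record missing fields: {missing}")
    record["timestamp"] = datetime.fromisoformat(record["timestamp"])
    return record


def find_invalid_access(lines, max_failures=3, window=timedelta(minutes=10)):
    """Return one alert per user whose failed authentications reach max_failures
    inside a sliding window. Each alert lists the hosts involved: failures spread
    across several devices paint a different picture from one device retrying."""
    failures = defaultdict(list)
    alerts = []
    records = sorted((parse_event(line) for line in lines), key=lambda r: r["timestamp"])
    for record in records:
        if record["event"] != "authenticate" or record["outcome"] != "failure":
            continue
        user = record["user"]
        recent = [r for r in failures[user] if record["timestamp"] - r["timestamp"] <= window]
        recent.append(record)
        failures[user] = recent
        if len(recent) == max_failures:   # alert once, when the threshold is reached
            alerts.append({
                "user": user,
                "failures": len(recent),
                "hosts": sorted({r["host"] for r in recent}),
                "first": recent[0]["timestamp"].isoformat(timespec="seconds"),
                "last": record["timestamp"].isoformat(timespec="seconds"),
            })
    return alerts


def sample_log():
    """Constructed sample lines, written with the same function the app would use."""
    t0 = datetime(2013, 1, 17, 9, 0, 0)
    return [
        security_event("s1", "jdoe", "authenticate", "failure", "warn", "10.20.0.7", 51.51, -0.13, t0),
        security_event("s2", "jdoe", "authenticate", "failure", "warn", "10.20.0.7", 51.51, -0.13, t0 + timedelta(minutes=1)),
        security_event("s3", "jdoe", "authenticate", "failure", "warn", "172.16.4.9", 48.86, 2.35, t0 + timedelta(minutes=2)),
        security_event("s4", "asmith", "authenticate", "success", "info", "10.20.0.8", 40.71, -74.01, t0 + timedelta(minutes=3)),
        security_event("s5", "jdoe", "authenticate", "failure", "warn", "10.20.0.7", 51.51, -0.13, t0 + timedelta(hours=1)),
    ]


if __name__ == "__main__":
    for alert in find_invalid_access(sample_log()):
        print(json.dumps(alert))
```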

Ultimately, mobile applications play the role of client to an enterprise’s back end (or cloud-based) services. Security measures for mobile applications should protect the backend application and underlying infrastructure, which are the real targets of most attacks.

Role of Identity and Access Management (IAM): Mobile device application security use cases can impact every discipline within an enterprise IT organization, including IAM. The IAM system can provide the means to create new mobile users, set those users’ attributes and entitlements, and de-provision those users, just as with any other enterprise service.

Application-level security should not rely solely on user-to-device authentication, but should include additional controls at the application level. The security native to a mobile device is not likely to be sufficient to prevent security breaches, and it is rarely adequately enforced. How an application renders authentication and authorization decisions will vary based on the application’s architecture. However, applications should consider authenticating users against existing enterprise directories (e.g., Active Directory). In addition, there is an opportunity for IAM systems to begin taking advantage of unique attributes of mobile devices to leverage contextual information, such as a user’s geo-location, to augment existing authentication and authorization capabilities.

Until recently, IAM leading practices, such as authentication, authorization, user provisioning and federation, were designed for non-mobile applications and then adapted for mobile use cases. IAM suppliers are beginning to deploy mobile aware capabilities in their product suites. For example, at least one IAM vendor is incorporating standards such as Open Standard for Authentication (OAuth) and OpenID and Representational State Transfer (REST or RESTful) interfaces to enable custom application development, device registration, context-sensitive authorization, and certificate and credential management, backed by device usage reports and analysis.

Conclusion: A mobile application security strategy is fundamentally based on solid IT practices that account for the security exposures unique to mobile devices and the heterogeneous nature of a mobile-infused enterprise IT environment. IAM systems have the opportunity to play a key role in supporting a secure mobile application environment. A proactive and flexible IT organization will be well-positioned to manage the mobility challenges of today’s workforce.

We welcome your thoughts and feedback on this blog. What challenges is your organization seeing in managing application security on mobile devices? What leading practices has your organization adopted to help meet these challenges? How is IAM helping you to manage your mobile security?

Andrew Morrison is a Principal in Deloitte & Touche LLP’s Security & Privacy practice and co-leads Deloitte’s security alliance with Oracle.  Andrew has over 15 years of information technology experience and has spent the last 10 years with a specific focus on the security and privacy issues associated with Identity and Access Management. Andrew works with senior executives to define overall corporate strategies for Security and Privacy and has led the deployment of commercial Identity and Access Management solutions for some of Deloitte’s largest clients.


Wednesday Jan 16, 2013

Centrica Slashes Annual Helpdesk Costs with Oracle Identity Management

The Company:

Centrica plc is an integrated energy company operating in seven countries, including the United Kingdom and the United States. A top 30 FTSE 100 company, the organization secures and supplies electricity and gas for 30 million consumer and business customers.

Business Challenges:

  • Implement an enterprise-level single-sign on solution that the company can use initially for self-service access to HR and payroll applications with the ability to roll out to additional applications in future
  • Provide 45,000 internal and external users―including employees and gas and electricity partner organizations―with secure application access
  • Reduce the number of password- and log-in-related helpdesk calls, and their associated costs


Centrica worked with Oracle partner aurionPro SENA to implement Oracle Identity Federation, part of Oracle’s comprehensive Oracle Access Management solution, within six months to enable secure access for employees and partner organizations. As part of its Identity and Access Management program, Centrica brought its human resources (HR) applications in-house and implemented employee and manager self-service for 45,000 users.

The implementation of Oracle Identity Federation has enabled Centrica to significantly reduce helpdesk overhead and to streamline access for both its employees and partners. The company leveraged Oracle Identity Management to enable single sign-on for the Web-based, self-service HR application across different domains, using industry best-practice SAML2 authentication. aurionPro SENA worked with Centrica to finalize the design and provided on-site consultation throughout the implementation.

For more information on Centrica’s implementation, check out the case study.

Tuesday Jan 15, 2013

A Look at OAuth2 - A Follow-Up to the Reader's Comments

Originally posted on Phil Hunt's blog IndependentID

On my last blog post on Oracle IDM, Marc asked some very good questions that deserve a longer response:


Here's where I get confused about OAuth2. I keep hearing you don't need crypto (which is often where developers get so tripped up on other federation protocols), but how do you securely have a self-contained token without crypto? You mention signing a token, but isn't that crypto? If you are relying solely on transport security, does that mean all connections need to be HTTPS mutual authentication to be viable?


Let me break this up into a couple of paraphrased pieces:

1. If you do not use crypto, how can a self-contained token (aka a bearer token) be secure?

In OAuth1, the algorithm, usage and signing instructions were narrowly defined (probably limiting the life of the spec). OAuth1 assumed all communication would be insecure, and therefore the access token itself needed to be secure. This required each client developer to implement the specification's MAC token in order to access services.

In OAuth2, by contrast, the assumptions are reversed. Communication is assumed to be secure, so tokens do not need to be self-securing (as MAC tokens were in OAuth1). OAuth2 opens the door to using simple bearer tokens (RFC 6750) to access services. OAuth2 assumes that, because the issuing process is secured by TLS, mere possession of a valid token is sufficient to authenticate, or rather to maintain the session relationship with, the client.

With that said, there are still many scenarios where stronger ongoing authentication of the client is important to improve security. For a larger discussion on this, check out the current OAuth2 WG Security draft which discusses these issues.

2. Does this mean all connections must be HTTPS mutual authentication to be viable?

TLS mutual authentication is useful, but it is not required. OAuth2 allows the client application to be authenticated through other means, such as a client secret, a JWT, or a SAML assertion. One of the problems with TLS mutual authentication is that when TLS terminates before the server (e.g. in a load balancer), the server may not be able to see the client's authentication, which took place with the load balancer.

Let me also qualify that not all communication needs to be secured in all cases. Let's look at the two main endpoints that are being communicated with. The Authorization Server (aka Token Server) does require that at least server-authenticated TLS be enabled for all communication. In the case of a Resource Server, server-authenticated TLS is not required, but SHOULD be used when using tokens without crypto (aka bearer tokens).

Thanks for the questions. Please keep them coming!

Standards Corner: A Look at OAuth2

Last week, the IETF published RFC 6819, a Threat Model document that describes extended security considerations for OAuth2. Having had a hand in drafting that document, I have been asked by some: what's my feeling on OAuth1? What new features does OAuth2 bring over OAuth1? Should customers use OAuth1?

Let me just say that Dick Hardt gives a great summary of the origin and inspiration for OAuth1:

The inspiration for OAuth was to standardize how users authorize a site or application (the client) to access data at another site (the resource server). Clients wanting to access data on a resource server would ask the user for their credentials so that they could call the API or scrape the site – a horrible practice from a security point of view.

Flickr, Microsoft, Yahoo! and others came up with flows that allowed the client to redirect the user to the resource server to authorize release of the user’s data and then get a token to make API calls instead of the user’s password.

Each of these solved the same problem in a slightly different way, and client developers had to learn each mechanism and terminology. Many saw a need to standardize the best practices to discourage falling back to asking for the user’s password, and OAuth was born.

One of the design decisions in OAuth 1.0 was to not require SSL. While lowering the barrier to developers by not requiring SSL was admirable, it effectively meant the developer had to implement crypto. While this was wrapped up in libraries and it would usually work – when it did not work – or worse – worked intermittently – it was difficult to debug. I know.

I won't get into the full history, but I encourage you to read Dick's blog post here:

Dick sums up OAuth2's 3 most important enhancements:

1. Simplicity: Client developers don’t need to do any cryptography or use a library to call OAuth 2.0 protected resources. The token can be passed in the HTTP headers or as a URL parameter. While HTTP headers are preferred, a URL parameter is simpler and allows API exploration with a browser.

2. Token choice: implementers can use existing tokens that they already generate or consume. There are extension points so that the client can sign the token instead of it being a bearer token.

3. Separation of roles: if the token is self-contained, then the resource can verify the token independently of the authorization server. Resources don’t have to call back to the authorization server to verify the token on each call, enabling higher performance and separation of security contexts.

From an enterprise perspective, the choice is very clear. OAuth2 gives the flexibility needed to cover enterprise authorization scenarios and goes much further to eliminate the password anti-pattern if done correctly. In particular, point 2 is surprisingly important. It enables important bridges with SOAP-based services and SAML infrastructure.
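As an added illustration (not Phil's code, nor Oracle's), the following Python sketch plays out points 1 and 3 above together with the bearer-token discussion in the earlier follow-up post: an authorization server mints a self-contained, signed token (an HS256 JWT), and a resource server accepts it as an RFC 6750 bearer token from either the Authorization header or an access_token URL parameter and verifies it locally, without any call back to the authorization server. The shared key, issuer and audience values are constructed; TLS, which the text relies on to protect the token in transit, is assumed and outside the snippet.

```python
import base64
import hashlib
import hmac
import json

# Constructed values. With HS256 the authorization server and the resource server
# share one symmetric key; in a real deployment it comes from configuration.
SHARED_KEY = b"example-shared-key-not-for-production"
ISSUER = "https://as.example"       # hypothetical authorization server
AUDIENCE = "https://api.example"    # hypothetical resource server


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scope: str, now: int, lifetime: int = 3600) -> str:
    """Authorization server side: mint a self-contained JWT (header.claims.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "scope": scope, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class InvalidToken(Exception):
    pass


def verify_token(token: str, now: int) -> dict:
    """Resource server side: validate the token locally; no round trip to the AS."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:                      # covers bad base64, bad JSON, wrong part count
        raise InvalidToken("malformed")
    if header.get("alg") != "HS256":        # pin the algorithm; never trust alg from the token
        raise InvalidToken("unsupported alg")
    expected = hmac.new(SHARED_KEY, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise InvalidToken("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise InvalidToken("expired")
    return claims


def extract_bearer(headers: dict, query: dict):
    """RFC 6750 section 2: the token travels in the Authorization header (preferred)
    or, less desirably, in an access_token URL parameter. Returns (token, error);
    error is "invalid_request" when a request carries more than one credential."""
    found = []
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("bearer "):
        found.append(auth[7:].strip())
    if "access_token" in query:
        found.append(query["access_token"])
    if len(found) > 1:
        return None, "invalid_request"
    return (found[0], None) if found else (None, None)


def handle_request(headers: dict, query: dict, now: int):
    """Return (status, response_headers, body) as a resource server would."""
    token, error = extract_bearer(headers, query)
    if error:
        return 401, {"WWW-Authenticate": f'Bearer realm="api", error="{error}"'}, ""
    if token is None:
        # No credential at all: challenge without an error code (RFC 6750 section 3.1).
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, ""
    try:
        claims = verify_token(token, now)
    except InvalidToken as exc:
        challenge = f'Bearer realm="api", error="invalid_token", error_description="{exc}"'
        return 401, {"WWW-Authenticate": challenge}, ""
    return 200, {}, f"hello {claims['sub']} (scope: {claims['scope']})"


if __name__ == "__main__":
    now = 1358000000                        # constructed fixed clock (Unix seconds)
    tok = issue_token("alice", "read", now)
    print(handle_request({"Authorization": "Bearer " + tok}, {}, now + 10))
    print(handle_request({"Authorization": "Bearer " + tok}, {}, now + 3600))
```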

So, should customers go ahead with OAuth1 support? My recommendation is no. OAuth1 is likely too narrowly defined for most customer use cases and carries too much risk that client developers will not implement OAuth1's MAC tokens correctly. OAuth2, on the other hand, has had substantial implementation and review. Coupled with the Threat Model document capturing a lot of the working group experience, this newly ratified protocol comes ready with a strong set of best practices.

The OAuth2 WG is currently working on new functionality and some new token types, such as dynamic registration (of client applications), token revocation, and a new JSON Web Token (JWT), which is essentially a JSON version of SAML tokens. These drafts add capabilities to OAuth2 that address features like federated resources and client-bound (HoK) tokens. None of these efforts change the core OAuth2 specification. So, if you are wondering, is OAuth2 ready to go? The answer is yes!

About the Writer:

Phil Hunt joined Oracle as part of the November 2005 acquisition of OctetString Inc., where he headed software development for what is now Oracle Virtual Directory. Since joining Oracle, Phil has worked as CMTS in the Identity Standards group at Oracle, where he developed the Kantara Identity Governance Framework and provided significant input to JSR 351. Phil participates in several standards development organizations such as IETF and OASIS, working on federation, authorization (OAuth), and provisioning (SCIM) standards. Phil blogs at and is on Twitter as @independentid.

Previous Posts:

2012: No Time to REST for the Holidays

Monday Jan 14, 2013

Partner Blog Series: aurionPro SENA- Who Moved My Security Boundary? Part 2

The BYOD Culture

Author: Mike Nelsey

Ask most employees what they want from their IT department and they will say “useable devices that connect to services that are there when I need them…”, “always on” or something akin to that.  What they are really saying is “I want something like what I use at home – in fact, why can’t I use mine as it is far better than this outdated pile of junk you’ve given me and insist I use?”  And they’re right in many cases, save for highly secure or confidential environments.

The everything-everywhere culture that modern users – not just Generation Y – have come to expect can come at a price. We’re not here to tell you how to run a BYOD scheme or what policies you should have. They are well documented, and it is accepted that a good BYOD approach can improve productivity. How organisations now securely extend the range of data that can be made available, and manage who can use their device, where, when and how, becomes an expanded security challenge, particularly around identification, audit and compliance.

In the last article we touched upon boundaries moving, disappearing or being pulled in to surround our data; in effect, data and, more importantly, the identity of those accessing the data are becoming the new boundary.

What’s really new, then? Arguably, we are turning our internal users into consumers, treating them in the same way as, for example, media companies treat theirs, where a consumer’s rights can be managed according to what they are accessing, from which location, on which device, and even within which time window. Let’s learn from this for our internal users.

Such an approach will require an update of risk and threat models to build a consumer orientated approach to drive context based access control.  Our systems will need to be able to assess the overall risk of access and supply the data accordingly.  After all, the data being accessed in many cases is the same, be it for the consumer or the employer’s users. 

However, we make the step to a consumer-based model not only with the risks mentioned above, but also with the risk of disenfranchising our users, because we still want them to prove who they are to us, depending upon the risk matrix of the data requests. Again, we should be able to learn from and replicate the innovation of the consumer-side model. For example, if our users are logging on to review low-level information, say shift rotas, then can they use their social media logins? If they then want to move on to look at more sensitive data, we can step up the authentication at that point. This is appropriate access control, designed with the needs of the users and the business in mind.

Separating out the controls in this way means that we can have fine-grained privilege and authorisation layers to set who can see what, how, when and where, removing the complexity of a multi-layered security approach from the underlying applications and taking this layer out of the applications per se. Simplification driving improved security and improved user experiences.

So BYOD in isolation is insufficient.  Come to that, BYOD is an opportunity to take a broader approach to data and identity controls as a part of a considered approach. 

In the next blog we will look more closely at how consumer and social identities are being used as a foundation to accelerate application development and simplify the end-user experience, encouraging faster and broader adoption of new services.

About the Author:

Mike Nelsey, Managing Director, aurionPro SENA

Working in the IT industry since the early 90’s, Mike leads the aurionPro SENA European operation. Mike has been involved in identity and access management since 1999, when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy moving into a focused delivery model, working closely with Oracle to provide a true stack offering covering consult, design, build and support.

Friday Jan 11, 2013

Bang for the Buck

Author: Kevin Moulton

You’ve just spent a good chunk of change on an Identity Management suite, and you want to find your way to positive ROI. That’s easy. You decide to do everything! You’ll automate 20 enterprise-wide applications, implement password changes every 30 days, deploy web access management across all web-based apps, with single sign-on, risk-based behavioral analysis, separation of duties, and re-certification every six months. You’ll build all of that in the lab, and go live over a long weekend after you get everything working.

When will that be?

Probably never!

These are all excellent goals, but do you really need to accomplish them all at once? Rome wasn’t built in a day.

You may think you’ll get the job done more quickly if you try to boil the ocean but, in my experience, this method will lead to scope creep and continual project changes, while version changes in your production environment will make your lab work obsolete before you get out of user acceptance testing.

While this is going on, your management who wrote the check to purchase the Identity Management suite will grow impatient. They want to see results. Finger-pointing is inevitable.

In my experience, a phased approach is the only way to go if you hope to be successful. Determine what you can implement that will affect the greatest percentage of your user population, and can be implemented quickly and easily. For example, suppose that HR enters all of your in-house employees and contractors into PeopleSoft, and then IT gives them an account in Active Directory and Exchange. This affects everyone in your environment, so automate these steps in Phase 1. This is easy and quick to implement in Oracle Identity Manager. With the completion of Phase 1, the new employee entry in PeopleSoft would trigger a new user creation in Oracle Identity Manager, and simple provisioning rules would generate the Active Directory and Exchange accounts. Create additional rules to automate membership in Active Directory groups and Exchange distribution lists based on attributes of your users that flowed from PeopleSoft.

Now that you’ve automated the Active Directory environment, and group memberships, in Phase 2 you could implement Oracle Access Manager to protect your web-based resources, using the Active Directory accounts for authentication, and the group memberships for authorization. Again, don’t try to tackle every web-based resource. For this phase, just pick the ones that receive the highest amount of traffic.

With this approach, your management will quickly see the value of their investment, and your end-user community will be excited about this new automation tool you put in place. They’ll stop you in the coffee room and ask you what this new thing is, and when can you manage accounts in their database environment, the CRM system, or their home-grown application. Your compliance folks will be happy with the added benefit that you will be able to quickly de-provision these accounts when someone leaves.

In other words, find the biggest bang for the buck, and get it done. This will generate the momentum and excitement that will drive the entire project to success. This approach has the added benefit of not asking your end-user community to accept too much change all at once, which will make them more comfortable with your project.

But what about all of those other target systems that you had hoped to implement in your “boil the ocean” project plan?

If you are managing these targets manually today, then just set up a manual workflow for these systems. Create a workflow that allows end-users to request these systems, and then assign that task to the person or group who currently does the work, and let them go into the workflow and mark the task as completed when they are done. In this way, you have a comprehensive record of who has access to what, who requested that access, who approved it, and when it was granted. This will give you compliance reporting and recertification.

In later phases, you can replace these manual tasks with automation. The import/export capabilities of Oracle Identity Management allow you to easily promote new capabilities from development to test to production.
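The phased model above (rule-driven Phase 1 targets, manual workflow tasks for everything else, and a single audit trail feeding recertification and de-provisioning) can be shown end to end in a few dozen lines. This is an added example, not Oracle Identity Manager code and not the author's; the HR record layout, target names and group-naming rules are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class HrRecord:
    """Constructed stand-in for one row of the HR feed (e.g. a PeopleSoft export)."""
    emp_id: str
    first_name: str
    last_name: str
    department: str
    worker_type: str     # "EMP" employee or "CWR" contingent worker
    status: str          # "A" active, "T" terminated


@dataclass
class Identity:
    emp_id: str
    login: str
    accounts: Dict[str, str] = field(default_factory=dict)   # target -> state
    groups: List[str] = field(default_factory=list)
    audit: List[dict] = field(default_factory=list)          # who / what / when


# Phase 1 targets that provisioning rules create without human intervention.
AUTO_TARGETS = ("ActiveDirectory", "Exchange")


def _event(when, action, target, requester, approver):
    return {"when": when.isoformat(), "action": action, "target": target,
            "requested_by": requester, "approved_by": approver}


def derive_groups(rec: HrRecord) -> List[str]:
    """Attribute-based rules: AD groups and Exchange lists from HR attributes."""
    groups = [f"AD-Dept-{rec.department}", f"DL-{rec.department}"]
    if rec.worker_type == "CWR":
        groups.append("AD-Contractors")
    return groups


def provision_from_hr(rec: HrRecord, when: datetime) -> Identity:
    """Phase 1: a new HR row creates the identity, its automated accounts and groups."""
    login = f"{rec.first_name[0]}{rec.last_name}".lower()
    ident = Identity(rec.emp_id, login)
    for target in AUTO_TARGETS:
        ident.accounts[target] = "active"
        ident.audit.append(_event(when, "grant", target, "rule:hr-feed", "auto"))
    ident.groups = derive_groups(rec)
    return ident


def request_manual(ident: Identity, target: str, requester: str,
                   approver: str, when: datetime) -> None:
    """Unautomated target: record request and approval, leave fulfilment to a person."""
    ident.accounts[target] = "pending"
    ident.audit.append(_event(when, "request", target, requester, approver))


def complete_manual(ident: Identity, target: str, fulfiller: str,
                    when: datetime) -> None:
    """The admin who did the work marks the task done; the record stays in the trail."""
    if ident.accounts.get(target) != "pending":
        raise ValueError(f"no pending task for {target}")
    ident.accounts[target] = "active"
    ident.audit.append(_event(when, "fulfil", target, fulfiller, "workflow"))


def deprovision(ident: Identity, when: datetime) -> None:
    """Leaver: disable every account, automated or manual, and drop group memberships."""
    for target in ident.accounts:
        ident.accounts[target] = "disabled"
        ident.audit.append(_event(when, "revoke", target, "rule:hr-feed", "auto"))
    ident.groups = []


def sync_hr_row(rec: HrRecord, store: Dict[str, Identity], when: datetime):
    """Trigger: reconcile one HR row against the identity store."""
    if rec.status == "T" and rec.emp_id in store:
        deprovision(store[rec.emp_id], when)
    elif rec.status == "A" and rec.emp_id not in store:
        store[rec.emp_id] = provision_from_hr(rec, when)
    return store.get(rec.emp_id)


def access_report(ident: Identity) -> List[str]:
    """Recertification view: the targets this identity currently holds."""
    return sorted(t for t, s in ident.accounts.items() if s == "active")


if __name__ == "__main__":
    now = datetime(2013, 1, 11, tzinfo=timezone.utc)
    store: Dict[str, Identity] = {}
    ident = sync_hr_row(HrRecord("10042", "Ada", "Lovelace", "Finance", "CWR", "A"), store, now)
    request_manual(ident, "CRM", requester=ident.login, approver="mgr.bob", when=now)
    complete_manual(ident, "CRM", fulfiller="crm-admin", when=now)
    print(ident.login, access_report(ident), ident.groups)
    sync_hr_row(HrRecord("10042", "Ada", "Lovelace", "Finance", "CWR", "T"), store, now)
    print(access_report(ident), [e["action"] for e in ident.audit])
```

The point of routing the manual targets through the same `Identity` record is that the leaver event at the end revokes the CRM account it never automated, which is the compliance benefit the post describes.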

I know that this sounds very simple, and it is. Identity Management can be very complex. By biting off a little bit at a time, you can turn your Identity Management project into a series of successes, each of which generates excitement in your end-user community, the approval of your management, and an ever-increasing ROI.

About the Author:

Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.

Previous Posts from the Author:

Grow your Business with Security

The Unintended Consequences of Sound Security Policy

Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging Technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may range from compliance issues to data leaks to malware, and they will likely only intensify as the number of mobile devices and operating systems proliferates. Another option is that the employer can provide employees with a mobile device, hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the pros and cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.

Pros

Bring Your Own:
  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

Corporate Provided:
  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Cons

Bring Your Own:
  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

Corporate Provided:
  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:
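The health-check described above can be expressed as a small posture evaluation. The following is an added example, not code from the original post or from Deloitte: a constructed set of attributes that an NAC agent or MDM might report for a device, a split between hard failures (keep the device off the network) and soft failures (park it in a remediation zone until the user fixes them), and a final mapping to the level of access granted. The minimum OS versions, patch-age threshold and zone names are placeholders to be replaced by the organization's own standard.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """Constructed summary of what an NAC agent or MDM reports about one device."""
    device_id: str
    owner: str               # "corporate" or "employee"
    platform: str            # "ios" or "android" in this example
    os_version: Tuple[int, int]
    disk_encrypted: bool
    screen_lock: bool
    compromised: bool        # jailbroken or rooted
    mdm_enrolled: bool
    days_since_update: int


# Constructed baselines (placeholders, not a recommendation for any real platform).
MIN_OS = {"ios": (6, 0), "android": (4, 1)}
MAX_PATCH_AGE_DAYS = 30


def health_check(p: DevicePosture) -> Tuple[List[str], List[str]]:
    """Return (hard_failures, soft_failures).

    Hard failures mean the device must not touch the network at all; soft
    failures can be remediated by the user, so the device is quarantined
    with access to remediation resources only.
    """
    hard: List[str] = []
    soft: List[str] = []
    if p.compromised:
        hard.append("device is jailbroken or rooted")
    if not p.disk_encrypted:
        hard.append("local storage is not encrypted")
    if p.platform not in MIN_OS:
        hard.append(f"unsupported platform {p.platform}")
    elif p.os_version < MIN_OS[p.platform]:
        soft.append("OS below minimum version")
    if not p.screen_lock:
        soft.append("no screen lock configured")
    if p.days_since_update > MAX_PATCH_AGE_DAYS:
        soft.append("security updates overdue")
    if not p.mdm_enrolled:
        soft.append("not enrolled in MDM")
    return hard, soft


def network_zone(p: DevicePosture) -> Tuple[str, List[str]]:
    """Map the health check onto the network access the device receives."""
    hard, soft = health_check(p)
    if hard:
        return "deny", hard
    if soft:
        return "quarantine", soft        # remediation resources only
    if p.owner == "corporate":
        return "internal", []
    return "restricted", []              # employee-owned: email and web apps only


if __name__ == "__main__":
    devices = [
        DevicePosture("c-1", "corporate", "ios", (6, 1), True, True, False, True, 5),
        DevicePosture("e-1", "employee", "android", (4, 2), True, True, False, True, 10),
        DevicePosture("e-2", "employee", "android", (4, 0), True, False, False, True, 45),
        DevicePosture("e-3", "employee", "android", (4, 2), False, True, True, False, 1),
    ]
    for d in devices:
        zone, reasons = network_zone(d)
        print(d.device_id, zone, reasons)
```

Returning the list of failed checks alongside the zone is deliberate: it is what the remediation portal shows the user and what the helpdesk sees, so a quarantined device can be fixed rather than just refused.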

When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine whether the primary objectives of its BYOD program, from a mobile security perspective, are device-centric, data-centric, or a combination of both.

Device Centric:
  • Mobile device management (MDM)
  • Strict device policy enforcement
  • Local data encryption

Data Centric:
  • Minimal device data footprint
  • Communications encryption


A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data-centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a