Friday Apr 26, 2013

Globe Trotters Edition: The Economic Impact of Security

Author: Ricardo Diaz

Cyber crime recently made front-page news.

"Vast majority of global cyber-espionage emanates from China, report finds" - Washington Post, April 2013.

The economic threat of cyber crime is serious. It has impacted and will continue to impact our daily lives, and unfortunately it is a threat most businesses haven't taken seriously for decades. Rather, for decades, we have misdirected our efforts to focus elsewhere, as opposed to what really needs to be protected: our data or intellectual property. Economic espionage is a threat that you, your business and the organizations you do business with should take a long, hard look at before your next security investment.

Misdirected? You know what I am talking about. Consider what we think of as the "real threat" of cyber crime: some punk teenage hacker, hyped up on Red Bull and Pixy Stix, whose sole focus is to create havoc by breaking into your home PC or defacing your corporate website before he runs off to his next all-night rave. This is the common portrayal of the threat that we come across in the media. Unfortunately, this highlights a common misconception that most security threats are carried out either to hack your wallet or to crack into a top-secret military or government facility.

Why would a major world power be interested in our corporate data? Simple... It's the power of economics and competitive advantage! Most business executives understand the economic impact of losing corporate intellectual property to a competitor. What they don't understand is where the threat would come from if this ever happened to them, how frequently economic espionage attacks happen, and that they do not come from the traditional places or people we thought.

Still, how does this impact you? Well, "everyone gets burned if you think about it", is how a fellow security mate of mine put it. The cost of data loss = loss of credibility, a falling stock price, liability lawsuits, the cost of compliance, a tarnished brand and maybe your job. It may impact your job because not enough investment may be made in your projects, or additional resources or financial incentives may be cut. Meanwhile, as you send out your résumé, how attractive is it to put that tarnished company name on it? Not very!

Everyone is impacted!

What specifically is under attack or being stolen? It's not the devices or the systems but the data on them. What is the bigger threat? Losing your iPhone or losing the data with those passwords on it? Yes, that's right... The threat of data loss, now more than ever, is not only on the inside of your business but also travels in the pockets, bags and purses of your employees every day. Thank you BYOD to work!!

So, what is to be done? Secure the data by building data security controls and access controls, and of course by building a compliance process around it all to keep it in check and prove compliance. Realize that security is not orthogonal to business growth/profit: security can save the costs we talked about earlier and actually create business opportunity (reach out to new customers using secure social media, attract new talent with BYOD, bring agility with secure cloud). We just need to think differently about security. It is not wires, padlocks, just firewalls or multiple authentication controls; instead we should take a holistic approach to securing your data.

Hence why I love working at Oracle and with the global security team. There is no better place for a security technology aficionado than at Oracle. Massive R&D investments in security acquisitions (over $1 Billion In Identity Management since 2004), industry leading technology (Leaders position in Magic Quadrants in Identity Management for years), a plethora of thought leaders and cutting edge innovations (e.g. Oracle Mobile and Social Access Management - see SUPERVALU use case) are the hooks that have kept me planted at Oracle for the past 9 years. Where else can one find a security technology solution to enforce Separation-of-Duty (SoD) policy, automatically across the enterprise? Only Oracle.

The economic impact of security-related threats to your business is real. Pay attention to WHAT is being stolen (corporate data - intellectual property) in these cyber crime attacks! In this day and age, gaining a competitive advantage has never been easier thanks to cyber espionage. Why develop or research when I can appropriate what I need via my competitor's weak technology infrastructure, information security policy and process??

This risk can be mitigated and reduced, significantly, by investing in a risk intelligent, Oracle enterprise security architecture, built to Secure the Digital Experience, Data Centers, Applications and The Cloud. Learn more at


Who is Ricardo Diaz?

Husband, father, technologist, identity management, security and privacy adroit, CrossFitter, ESPN addict and dog lover!

For the better part of my 17+ years as an enterprise security architect, consultant or business advisor, I have traveled many miles across this great planet of ours, to sit down with customers to help evaluate and better understand what the real threats are, how important it is to protect their data/users and put the proper controls/policies/processes in place to mitigate risks.

Thursday Apr 25, 2013

Securing Your Cloud Experience the IRS way

This week we have focused our attention on how to secure cloud deployments, since security continues to be the biggest deterrent to the adoption of cloud technology by enterprises. In fact, in a recent OAUG user group survey, 62% of organizations reported concern over losing visibility and control over their data and overall cloud strategy due to proprietary technologies.

The key then is to:

  • Identify the top security challenges with the cloud deployment and address those,
  • Recognize that security silos only exacerbate the problem rather than address it,
  • Standardize with an integrated security platform that is extensible enough to support your on-premise and cloud deployments and offers end-to-end auditing and reporting.

Whether you are an enterprise looking to push applications into the cloud, host cloud services or build using cloud services, an IRS (Identify, Recognize, Standardize) approach will allow you to enforce security, manage regulatory compliance and, at the same time, reduce operational costs.

If you missed it, catch the screencast now.

And, download the informative whitepaper to learn how you can unlock the potential opportunities that cloud offers without compromising your user and data security. And, get the complete middleware picture on the Social, Cloud and Mobile imperative by visiting here.

Oracle Identity Management is built on the platform approach to allow you to leverage proven identity solutions across your entire infrastructure. We leave you today with a video of SaskTel, a leading communications provider in Canada, on how the company is leveraging Oracle Identity Management in-house to reduce OpEx and is also offering secure cloud services to its customers scaling the solution across millions of users.

Tuesday Apr 23, 2013

SUPERVALU Manages Access for 2000+ Tablet Computers to Bring Innovation in Business

SUPERVALU is a national grocery retailer and wholesaler with more than 2,200 corporate-owned stores and approximately 2,500 independent franchises. It is also one of the largest food distributors in the country, serving more than 4,300 retail end points via its supply chain and support services.

In our previous posts, we shared with you a brief video featuring Phillip Black, IT Director for Identity and Access Management at SUPERVALU, in which he discussed how SUPERVALU is equipping its 2000+ store managers with iPads so they can spend more time interfacing with customers than navigating applications and inventory. Oracle Identity Management is the enabling technology for securing mobile access. We also discussed the IDC write-up on this topic and the recent announcement that was made.

Now check out this recently released snapshot that discusses how SUPERVALU is innovating business and unlocking the huge potential of social and mobile in the retail sector powered by Oracle Identity Management.

Friday Apr 19, 2013

A Recap of Security as a Business Enabler

This week, we talked about how a Security Inside Out approach enables organizations to leverage security for their cloud deployments – whether public, hybrid or private. We will continue the conversation on cloud security next week.

Today, we recap our discussion on how security today is not just about brand and reputation protection but is actually a business enabler. Here’s a brief screencast with Oracle product marketing director for Security, Naresh Persaud, on how organizations can leverage security today to unlock the business potential from opportunities like cloud, mobile and social.

The key takeaway – build security in from the get-go, but make sure to have a scalable approach to security. Oracle recommends a platform approach to security where security serves as a framework for your entire infrastructure and extends to your applications and data in the cloud, or accessed across any device using social or other logins. Access this whitepaper to learn how you can have Identity Management for internet scale built into your IT program.

Feedback? We’d love to hear it. Do send us your comments.

Thursday Apr 18, 2013

How to Mitigate Risk in the Cloud

Yesterday we talked about how risk varies with the type of cloud deployment, with public clouds posing greater risk than hybrid or private. Thankfully, a built-in security approach offers you protection for any of those deployments. Irfan Saif, Principal at Deloitte, goes through the top 5 things you need to consider to mitigate risk in the cloud and bolster security.

Watch the third video in the CIO Insights series and get the experts’ insights on how to build security into your cloud strategy. Mark Sunday, Oracle’s CIO, hosts the executive panel.

Wednesday Apr 17, 2013

Different Clouds Equal Different Risks

Earlier this week, I posted the first video in the three-part CIO Insights series on the Top 5 Things to Look for in a Cloud Provider When It Comes to Security.

The second video here underscores the fact that not all clouds are the same. The risk level varies based on the type of cloud deployment. The risk increases proportionally with the distance from your enterprise, meaning as you go from private to hybrid to public cloud, the risk increases substantially. So, how do you manage risk and maintain audit control across your cloud deployments?

Watch this video, in which Oracle CIO Mark Sunday discusses this very issue with Gail Coury, Vice President, Risk Management at Oracle, and Irfan Saif, Principal at Deloitte. Learn how secure authentication and centralized authorization play a crucial role in securing your cloud deployment.

Monday Apr 15, 2013

Top 5 Things To Look For In A Cloud Security Provider When It Comes To Security

Recent surveys confirm that security continues to be the number one barrier in cloud adoption. The impact of a security breach or failure to meet regulation guidelines is too large to ignore. So, how do you keep control of security for your data and applications in the cloud?

Cloud security is a discussion that needs to happen between you and your cloud provider. This week we tackle an important aspect of cloud security – the top 5 things YOU need to ask your cloud provider when it comes to security. The CIO Insights Series explores organizations' top security and risk management considerations in the cloud as well as the framework for your security discussion with your cloud provider. Here’s the first video in the three-part CIO Insights Series, featuring an expert panel (Oracle CIO Mark Sunday; Irfan Saif, Principal at Deloitte; and Gail Coury, VP of Risk Management at Oracle) that tackles this important topic.

Friday Apr 12, 2013

Virgin Media goes underground with Oracle IDM - webcast wrap up

On Wednesday, we told you how Virgin Media used Oracle IDM to allow everyone riding the London Underground to use their free Wi-Fi service.

Perry Banton from Virgin Media and Ben Bulpett from aurionPro SENA delivered a great webcast where they discussed how the project was funded, the architecture they chose, and how they overcame the inevitable roadblocks to deliver world class Wi-Fi to the underground.

If you missed it, register here for the replay.

We had some good questions about the project, so I'm putting them and the responses below:

Who sponsored the project within Virgin Media?

Mobile and Broadband Marketing teams were the main sponsors. These teams wanted to offer a value-add to the business. Providing a new service offering was compelling to the business.

With such tight timeframes what project approach did you use?

The start of the Olympics was a hard deadline, and free Wi-Fi was promised by the start. Agile planning, sprints, and checks were used. Short segments were rolled out. Personal devices were used to test the service; testing was very much crowdsourced – all available platforms had to be tested.

Is the service device specific?

No – a range of platforms were supported and tested. The requirement was to be device independent.

Why did you not build another large directory consolidating the back end LDAPs, instead of Oracle Virtual Directory?

There were some data ownership concerns, and the various departments didn’t want to give up management of their customer data. They also didn’t want to set up another LDAP, so a decision was made to use virtual directory technology. Virtual directory also provided a better platform for building future services.

How is the system managed and what service levels are required?

Geographically dispersed data centers were used. Performance and availability were considered a gold service within Virgin Media – which means there would be brand impact if the service became unavailable. Virgin and SENA provided real time management, with an incident response SLA within minutes of problem detection. Oracle Enterprise Manager was used to view system performance and availability.

How much of the service were SENA actually involved in?

Virgin and SENA have been working on architecture and roadmap for a long time. SENA are a gold Oracle partner with extensive experience in IDM implementations, so Virgin engaged SENA for the implementation and support services.

I'm not clear on why entitlements came into play. Were these VM customers authenticating with their email addresses? Was this not open to the general public and if so, I'm guessing you "relied" on whatever email addresses they provided?

OES came into play when VM launched the fee-paying service and only wanted certain customers to gain access based upon their subscription with VM. For the Olympics, only OVD was used, as a way of aggregating email addresses across the back-end platform, as the service was “open” to anyone with an email address.

Thursday Apr 11, 2013

Drive Innovation, Get Recognition: Oracle Excellence Awards Call for Nomination

Doing something different with your Identity Management implementation? Taking your deployment beyond basic automation? Solving unique challenges for your organization? Or contributing to business growth or innovation with your Identity Management deployment? Then you are the one who we want to hear from.

The call for nomination for the 2013 Oracle Excellence Awards for Oracle Fusion Middleware Innovation is now open. Submit your nomination for Innovation in Identity Management. These highly coveted awards honor customers like you with cutting-edge use of Oracle Identity Management solutions to solve unique business challenges or create business value. Winners are selected based on the uniqueness of their business case, business benefits, level of impact relative to the size of the organization, complexity and magnitude of implementation, and the originality of architecture. Aside from recognition from the IDM community and Oracle executives, customer winners receive a complimentary pass to Oracle OpenWorld 2013 in San Francisco (September 22-26) and will be honored during a special awards ceremony at Oracle OpenWorld. 

For consideration and follow-up, please send a note to Matthew Berzinski. And note that the call for nominations closes at 5 pm PDT on Tuesday, June 18, 2013.

So, give us a shout and get recognized for your work and accomplishments. We look forward to hearing from you.

Wednesday Apr 10, 2013

Virgin Media Secures Wi-Fi for London Underground with Oracle Identity Management

In preparation for London Olympics 2012 that would bring millions of additional passengers - athletes, support crews, vendors, and spectators to London, the task of providing free, secure Wi-Fi services to the London Underground went to Virgin Media.

Virgin Media is the UK’s first combined provider of broadband, TV, mobile and home phone services. Find out how Virgin Media used Oracle Identity Management, Oracle Virtual Directory, and Oracle Entitlements Server to leverage back-end legacy systems for the London Underground Wi-Fi project; systems that were never designed to be externalized.

Learn more about the Wi-Fi project and how Virgin Media is scaling the project to deliver true place-shifting—allowing subscribers to watch pay-per-view assets from any device, anywhere.

You may also want to check out the on-demand webcast with experts from Virgin Media, their implementation partner, aurionPro SENA and Oracle to get more context. And here's the link to a recent newsletter feature on Virgin Media's IDM implementation.

Questions? Send us your comments and we will get those answered right away.

Tuesday Apr 09, 2013

#PrivQA Chat Archive Published

Last week Michael Neuenschwander, Senior Director at Oracle, hosted a live conversation on privacy on Twitter. We were honored to have Dr. Ann Cavoukian, Ontario Commissioner for Information and Privacy, join the #PrivQA chat and contribute actively to the discussion.

The conversation centered around recent privacy news stories like the Indian Government's project, Aadhaar, and the privacy concerns around it, among other current topics. There was discussion of the private sector's role in enforcing privacy and security by embedding it in their strategy, processes and systems. The discussion also got into the difference between privacy and security and how one may facilitate the other but not necessarily enforce it. IDM and privacy experts and enthusiasts also discussed how and why organizations can be motivated to think about embedding security and privacy from the get-go rather than bolting them on afterwards.

Here is the link to the discussion archive. We encourage you to continue the discussion and share your feedback. And if you have other topics in mind for a discussion, do let us know!

Wednesday Apr 03, 2013

Of Privacy, Security and Compliance – Facts and Such

FACT: Live tweet chat tomorrow, Thurs, Apr 4 at 10 am PDT/ 1 pm EDT, on Privacy featuring well known Privacy expert and the Commissioner for Information & Privacy for Ontario, Dr. Ann Cavoukian along with other industry thought leaders.

OPINION: Privacy is not the same as Security, which is not the same as Compliance. And yet you need all three, not only to protect your brand and to manage customer relationships but also to enable business growth via traditional, social, mobile and cloud computing channels.

OPINION: The common denominator across Privacy, Security and Compliance is Context. For Privacy, you need to be up front about what you are going to disclose, to whom, for what purpose, when and via what channel(s) and perhaps the scope of disclosure too. For Security, you need to understand authentication, authorization and administration context. Who needs access to what, when, for how long? And btw, has it been verified that you are who you say you are? If not, I’d need context for your user authentication. For compliance and audit, again the question – who has access to what, approved and administered by whom, when and what the person did with that access. So, context is key!

OPINION: Contrary to popular belief, Privacy, Security and Compliance are not at cross-hairs with business growth or user experience. Customers who know their information and interactions are secure when dealing with your organization tend to make for happy, satisfied and loyal customers. Allowing seamless yet secure access via social and mobile channels, or enabling access to cloud applications securely, is all part of the master plan to enable a friendly user experience and keep customer trust intact.

OPINION: No one size fits all for defining Privacy, Security and Compliance plans. Regions, industries, business units and more all add to the mix. So, while it makes sense to build in Security, Privacy and Compliance in your architecture plans versus bolting it on afterwards, IT or Privacy teams alone can’t be the sole stakeholders.

FACT: All opinions are incidentally up for debate and discussion. We will be hosting and participating in the Privacy conversation tomorrow. Feel free to challenge us, ask your own questions and add your commentary. #PrivQA tmrw at 10 am PDT/ 1 pm EDT on twitter

FACT: We look forward to hearing from you!

Tuesday Apr 02, 2013

You do know you are on camera...don't you?

On Thursday, Dr. Ann Cavoukian, Ontario's Commissioner of Information and Privacy will be joining the IDM team for a live Twitter chat about privacy.  Here are the details:


Live Twitter Conversation with the Ontario Commissioner of Privacy

Thursday, April 4, 10 a.m. PDT/1 p.m. EDT

Join on twitter using #PrivQA


This got me thinking about privacy, and how cameras have silently invaded all aspects of our lives.  Security cameras are not new: see the video below.

OK - it's clear this guy expected a camera to be on him when he breaks in, but somehow he didn't expect the camera to be watching him before...?  And, what's up with those crazy pants?  But, I digress...

Cameras in stores, cameras in office buildings, traffic cameras - and now that your phone is a camera, they are with you everywhere you go.  It used to be: "hey that's a good picture, can you email it to me?" now we say, "hey that's a good picture, can you post it on Facebook so everyone can see?"   Instagram has over 100M users now, and it's clear that the younger generation is definitely very comfortable sharing their pictures with anyone and everyone.

There used to be a lot more complaints and resistance to cameras being everywhere, with the fear that the government was getting into every aspect of our personal lives.  The truth is, we are voluntarily exposing ourselves!

So with cameras everywhere, is your life private? 

Securely Social SuperMarkets: SUPERVALU Embraces Secure Social and Mobile

Oracle announced today that SUPERVALU is leveraging Oracle Identity Management Release 2 to empower its employees to securely use social and mobile environments in an effort to bring efficiency and agility at grocery storefronts.

SUPERVALU is a leading grocery retailer and supply chain operator that has over 2000 retail locations and 2,500 independent franchises, as well as extensive supply chain services that are leveraged by the company, customers and government organizations across the country.

Powered by Oracle Identity Management, SUPERVALU’s advanced social and mobile strategy serves as an excellent example of how companies today are leveraging social and mobile to enable business and improve customer experience. Read the press release and take a look at this brief video we recorded with SUPERVALU’s Phillip Black.

What is your business case for social and/or mobile? Do tell.


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

