Thursday Feb 19, 2015

Look, Puppies! And Other Stories from the Utility Industry’s Digital Transformation

The digital revolution is creating abundance in almost every industry—turning spare bedrooms into hotel rooms, low-occupancy commuter vehicles into taxi services, and free time into freelance time. This abundance is delivered on mobile devices. One industry, however, is using mobile apps to help its customers do less.

The utility industry is using smartphones to help its customers conserve energy in their daily lives by tapping into smart meters.

The results can be powerful. Armed with information from smart meters, consumers can reduce their energy bill by 20 percent. Using the dishwasher at 12 a.m., for example, will cost less than running it after dinner when everyone else is doing the same. To provide a wider economic lens, if only 10 percent of American households reduced energy consumption by 26 percent, the excess energy could power 2.8 million homes or reduce energy bills by US$4 billion annually.

In Belgium, smartphones and tablets provided a ubiquitous platform to deploy energy-saving applications. So Electrabel, Belgium’s largest energy company, launched a campaign to provide smart boxes, smart thermostats, and smart plugs that would allow homeowners to view power usage and control appliances from their mobile devices. A great idea! But how to make it all secure?  

Providing digital access to all of the appliances in someone’s home requires rethinking security: Which users in the household are allowed to control the devices? How can the utility company detect fraud and take corrective action? With all of these devices online, how can the utility company manage access by administrators? How can it offer consumers simple services like password reset and profile changes? Not surprisingly, 40 percent of the attacks on the energy and utilities sector have come in the form of web application attacks.

To keep its smart meter and mobile services from going to the dogs, Electrabel used Oracle’s security solutions. You can read about Electrabel’s implementation in Oracle Magazine, along with another interesting use case at Vodafone Group.

Electrabel was so confident in its solution that it launched a puppy-heavy national ad campaign to encourage participation. Here are more puppies. Need more? Here.

Stories like Electrabel’s are only the beginning. Cisco estimates that by 2020, there will be 50 billion devices on the planet and, according to the report, 69 percent of the value will be people-centric communication, which makes the Electrabel story that much more important—because the interaction between devices and people will rely on similar security processes.

Some estimates show that the smart home market will double by 2018. Like Electrabel, the industry must do the work to keep criminals from hacking these applications and stealing personal data—or even worse, using these services as an entry point to cause potentially catastrophic failures like the attacks against SCADA systems.

Building security into new services is critical for the utilities industry—just as it will be for every business embarking on a digital transformation.

Wednesday Jan 28, 2015

Putting the dots together: How to provide compliance and individual accountability with Oracle Privileged Account Manager

Authors: Olaf Stullich, Arun Theebaprakasam & Himanshu Sharma

The seemingly endless stream of highly visible security breaches and public disclosures of classified information (the WikiLeaks website, former NSA contractor Edward Snowden, and the latest incidents at Home Depot, USPS and Target) has conspicuously exposed the existing problems with privileged user management.

Privileged users perform sensitive activities that involve extended access to strategic corporate and federal (or state) assets. In most organizations, privileged accounts are not clearly defined, and different individuals often share some of these accounts. When privileged accounts are not tightly managed, they present a high security risk for the organization. Because privileged accounts are not necessarily tied to individual end users, detecting inappropriate access to privileged accounts and determining which individuals in a team of administrators participated in unauthorized activities is extremely challenging.

The Problem:

  1. How to provide individual accountability when using shared accounts?
  2. How to provide an audit trail to detect inappropriate privileged usage?

The Solution:

Let's see how Oracle Privileged Account Manager (OPAM) can meet these compliance requirements and connect the dots to provide individual accountability through an audit trail. A routine check by a security auditor could start with an inspection of recent system activities using the reporting tools accessible through the OPAM console. In our case the auditor selects a one-week time frame for a particular system or range of systems and searches for whether specific accounts have been used on these systems. The search result (Figure 1 below) shows that two sessions occurred.

Note: Further details about sessions and OPAM Session Management can be found in the blog entry “Introducing OPAM Session Management” and on the OPAM OTN homepage.


Figure 1: OPAM checkout history and session transcripts

In the search result (Figure 1) we see that even though users "arun" and "olaf" used the same shared account ("admin") during an overlapping period of time, an individual session transcript was generated per user. So there is no question about who did what and when. A quick glance at the session transcripts does not reveal any suspicious user activity.

Note: A session transcript, a fully searchable textual representation of a session, is created when sessions are initiated through OPAM's Session Manager.

To narrow down the results further, the auditor filters for keywords such as "ftp,scp". One session matches the search criteria (Figure 2).


Figure 2: OPAM checkout history search results

The session transcript reveals that “olaf” was uploading a database file to a “jumpbox” using “scp”. When the pattern search reveals a noteworthy activity, the auditor can decide to proceed further and track “olaf’s” activities across all systems. He narrows down the potential list of sessions for “olaf” to the time frame close to “olaf’s” Linux session.

One session on the Windows-based “jumpbox” is found (Figure 3) that matches the search for the pattern “FTP” in the Windows session event index.


Figure 3: OPAM checkout history and Windows session event index

Using the Windows session event index, which allows searching for a specific event, the auditor can jump directly to this event and replay the session from that point in time instead of replaying from the very beginning of the recording. The video recording plays in standard HTML5 browsers (without any additional software downloads). You can jump to a specific video section (via the event index), or use the fast-forward and rewind buttons to navigate quickly within the video.
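The auditor's correlation above, as an added example (illustrative code, not OPAM's): per-user transcripts for the shared account, a keyword filter, and a pivot to the jumpbox by time window, run over constructed session records whose layout, names and times are assumptions:

```python
import re
from datetime import datetime, timedelta

# Constructed session records modelled on the walkthrough: user = the individual
# who checked out the account, account = the shared privileged account, host =
# target system, transcript = searchable text (Linux) or events = event index
# (Windows). Sample values only, not real OPAM data.
SESSIONS = [
    {"user": "arun", "account": "admin", "host": "linux01", "os": "linux",
     "start": datetime(2015, 1, 20, 9, 0), "end": datetime(2015, 1, 20, 9, 40),
     "transcript": "$ tail -n 100 /var/log/messages\n$ systemctl restart httpd\n"},
    {"user": "olaf", "account": "admin", "host": "linux01", "os": "linux",
     "start": datetime(2015, 1, 20, 9, 20), "end": datetime(2015, 1, 20, 9, 55),
     "transcript": "$ ls /backup\nhr.dmp\n$ scp /backup/hr.dmp admin@jumpbox:/tmp/\n"},
    {"user": "olaf", "account": "administrator", "host": "jumpbox", "os": "windows",
     "start": datetime(2015, 1, 20, 10, 5), "end": datetime(2015, 1, 20, 10, 30),
     "events": ["explorer.exe", "cmd.exe", "FTP client started", "cmd.exe"]},
    {"user": "olaf", "account": "administrator", "host": "jumpbox", "os": "windows",
     "start": datetime(2015, 1, 22, 14, 0), "end": datetime(2015, 1, 22, 14, 10),
     "events": ["explorer.exe", "notepad.exe"]},
]


def overlapping_shared_use(sessions, account, host):
    """Pairs of distinct users whose sessions on the same shared account overlap.

    Without per-user transcripts the activity would be attributable only to
    "admin"; with them the auditor still knows who did what and when.
    """
    pairs = []
    same = [s for s in sessions if s["account"] == account and s["host"] == host]
    for i, a in enumerate(same):
        for b in same[i + 1:]:
            overlap = a["start"] < b["end"] and b["start"] < a["end"]
            if overlap and a["user"] != b["user"]:
                pairs.append(tuple(sorted((a["user"], b["user"]))))
    return pairs


def search_transcripts(sessions, keywords):
    """Sessions whose transcript (Linux) or event index (Windows) matches a keyword."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    hits = []
    for s in sessions:
        text = s.get("transcript") or "\n".join(s.get("events", []))
        if pattern.search(text):
            hits.append(s)
    return hits


def pivot_by_user(sessions, user, anchor, window=timedelta(hours=2)):
    """The user's other sessions that start within `window` after the anchor ends."""
    return [s for s in sessions
            if s["user"] == user and s is not anchor
            and anchor["end"] <= s["start"] <= anchor["end"] + window]


def audit_trail(sessions, keywords=("ftp", "scp")):
    """Reproduce the auditor's steps: keyword hit on a Linux session, then pivot
    to the same user's later sessions and keep those that also match."""
    trail = []
    for hit in search_transcripts(sessions, keywords):
        if hit["os"] != "linux":
            continue
        for follow in pivot_by_user(sessions, hit["user"], hit):
            if search_transcripts([follow], keywords):
                trail.append((hit["user"], hit["host"], follow["host"], follow["start"]))
    return trail
```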

Summary:

OPAM’s session recording and auditing provides individual accountability in heterogeneous system environments for shared (and individual) user accounts.

Our follow-up blogs will cover how to set up and use OPAM within a deployment to create the audit trail details described above. Additionally, we’ll talk about how to take preventive actions to restrict privileged user access.

About the Authors

Olaf Stullich - OPAM Product Manager. Olaf can be reached via LinkedIn.
Arun Theebaprakasam - OPAM Development Manager. Arun can be reached via LinkedIn.
Himanshu Sharma - OPAM Development Team Member. Himanshu can be reached via LinkedIn.


Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Wednesday Jan 21, 2015

Scope Grants and Authorization Policies: Diffs

Author: Vadim Lander, Chief Identity Architect, Oracle

In my last post on OAuth, I covered a couple of important considerations regarding the granularity of OAuth scopes. My recommendation was to look at scopes not only from the app development perspective, but also to consider the administrative knowledge and life cycle burden that might be inadvertently created. I discussed how overloading with too many fine-grained scopes places a burden on the user, creating confusion or complicating policy administration. It's best to define a few scopes protecting the high-level service, add a few additional scopes to secure access based on minimally required read and write permissions, and only then evaluate whether additional scopes are required.

In this blog, I'm going to take a closer look at the difference between a scope grant and authorization policy.

People ask this question all the time: can a client app possessing a token with a given scope access any application resource, or only the resources authorized by the user's consent that the granted scope represents? It turns out people mistake scope grants for the security policies designed to protect the application. The answer depends on how the application's security policies are modeled versus how scope grants are modeled.

It's important to distinguish between a scope grant authorized by a person who happens to be the "Access Approver" for his/her resources and data, and the application security policies that govern what a user in session can do within the application. There are two things going on here:

  • First, the application's functional security model must secure the application using RBAC and/or ABAC type policies. This typically accommodates role-based, attribute-based, risk-based, context-based, etc. policies or various combinations of them. Security policies let application Security Administrators customize security policies to suit their needs, and let Business and/or Security Administrators authorize users to have functional capabilities.
  • Second, the scope grant must convey the resource owner's approval for the application to use the underlying resource. Hence, the scope grant typically represents context to be evaluated by the authorization policy.

For example, the following authorization policy may be protecting access to the Salary attribute when displaying a user's detail page in an HR application (expressed in pseudo language):

(Session.User has Role "HR Clerk" or "Self") and (Session.token has "UserSalaryScope")

This policy ensures the user must have the role "HR Clerk" (or be the user whose record is being viewed) and must have the end user's approval to see salary data.

We can see a clear delineation between authorization policies that consume user-centric context, and scopes that represent user-centric context. The latter are meant to be used in authorization policies rather than to represent the authorization policy itself. This is the way I suggest people work with OAuth scopes for enterprise applications: first define the functional security model represented by authorization policies, then define scopes to be used as context attributes in those policies.

Even though it's possible to model an application's authorization policies to align 1:1 with scopes, doing so would be the wrong thing to do, really painting the application into a corner from the security policy and delegation-of-administration perspectives. Such a shortcut would work only for applications with trivial authorization policies or for 100% claims-based applications, but not for enterprise applications with comprehensive policy and administration needs. Sooner or later (usually sooner), scope overuse will manifest itself in an inability to adequately administer the enterprise application's security.
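The salary policy above, evaluated both ways, as an added example that is not the author's or any Oracle product's code: the scope grant as context inside an RBAC rule versus the 1:1 "scope is the policy" shortcut. The Session and Resource shapes, user names and roles are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed session: the authenticated user, their roles and the presented token."""
    user: str
    roles: set = field(default_factory=set)
    scopes: set = field(default_factory=set)  # scopes "burned" into the Access Token


@dataclass
class Resource:
    owner: str       # the person whose record is being viewed
    attribute: str   # e.g. "Salary"


def scope_only_policy(session, resource):
    """The 1:1 shortcut the post warns against: the scope *is* the policy.

    Any client holding a token with UserSalaryScope sees any salary.
    """
    return "UserSalaryScope" in session.scopes


def salary_policy(session, resource):
    """The post's policy: (Session.User has Role "HR Clerk" or "Self")
    and (Session.token has "UserSalaryScope").

    The application's RBAC rule decides who may see salaries; the scope grant is
    only context proving the resource owner consented to the client's access.
    """
    if resource.attribute != "Salary":
        return False
    is_self = session.user == resource.owner
    has_role = "HR Clerk" in session.roles or is_self
    has_consent = "UserSalaryScope" in session.scopes
    return has_role and has_consent


def render_detail_page(session, resource, salary):
    """Build the detail page fields; Salary is included only when the policy allows."""
    page = {"user": resource.owner}
    if salary_policy(session, resource):
        page["Salary"] = salary
    return page


def compare_models(session, resource):
    """Decision from both models, to show where the scope-only shortcut over-grants."""
    return {"scope_only": scope_only_policy(session, resource),
            "policy_with_scope_context": salary_policy(session, resource)}
```

The interesting case is a user who is neither an HR Clerk nor the record's owner but whose client holds the scope: the shortcut allows, the policy denies.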

In the next blog, we will look at other scope-related topics:

  • Scope changes. The Authorization Server is free to grant a different set of scopes than what a client requests. This can happen because of policy, user consent, or just versioning issues.
  • Scope risk. The Authorization Server might issue different tokens with different lifespans based on the scope requested.
  • Implicit scopes. Some scopes may be “implicit” where the policy dictates whether a user, or a client on the user’s behalf, is authorized to do something – resulting in “automatic” consent with no actual consent dialog.
  • Privileged scopes. The Authorization Server may inject special scopes not requested by clients, but granted nonetheless based on the contextual state of the client.

For more information on OAuth please see http://oauth.net/2/

About the Author


Vadim Lander joined Oracle’s Identity & Access Management team in 2009. He advises Oracle on key security technology trends, sets the technical strategy for the IAM Enterprise and Cloud product lines, and works with various Oracle teams on the architecture and implementation of the IAM stack. Previously, Vadim was CTO for the Security BU at CA delivering the architectural blueprints for engineering CA’s next-generation solutions. Vadim joined CA in 2004 with its acquisition of Netegrity, where he was CTO after holding a number of successive growth positions in engineering.Vadim holds a Bachelor of Science degree in Computer Science from Northeastern University in Boston.
Vadim can be reached via LinkedIn


Wednesday Dec 17, 2014

Oracle Access Portal Self Study now available for IDM Solutions

Visit the Oracle Learning Library to access free Identity and Access Management video content for a multitude of audiences, including Security Compliance Auditors, Identity Administrators, Security Administrators, as well as Java Architects and Developers.

The latest featured content includes:

'Best Practices to Successfully Monitor & Manage Oracle’s Identity Management Product Line'

The Oracle Learning Library ADF Primer for Oracle Identity Manager Series




Wednesday Dec 10, 2014

Securing Access with OAuth2: How to deal with OAuth Scopes

Author: Vadim Lander, Chief Identity Architect, Oracle

The OAuth standard has proven itself very effective at managing distributed Web authorization by providing client applications secure, delegated access to server resources on behalf of a Resource Owner. A large number of public Internet web sites have standardized on OAuth for service-to-service authorization, the standard has gained traction in securing commercial SaaS/PaaS/IaaS cloud services, and it is being adopted by enterprises interested in externalizing internal web services.

Here at Oracle we're using OAuth2 to secure access to Web Services exposed by Oracle Public Cloud services. While the standard itself is relatively straightforward, there are a couple of areas that each implementation must address on its own. The purpose of this blog is to look at one such area we have to advise application developers on: how to deal with OAuth scopes. We assume the reader is familiar with standard OAuth terminology.

Figuring out what scopes to expose is a responsibility of an application developer, and it may be confusing at first:

  • Do I expose a single scope protecting the entire service, or do I expose scopes to protect the fine-grained business functionality of my application?
  • Do I break up my service into many smaller services with one scope each, or do I build a multi-functional service with multiple fine-grained scopes?
  • How do I balance the needs of my clients to request specific capabilities against the needs of my application owners to manage appropriate policies?

Let's take a closer look at scopes, and see what it means to request scopes that will be granted by the Authorization Server and placed into the Access Token.

An OAuth scope X is an indication by a client that it wants to access the Resource Server to perform X, or to access something on the service that is related to X. For example, the client may request the scope EMAIL_SERVICE to access the email service, or it may request the scope DELETE_INBOX if it wants to delete inbox entries.

The developer of the email service needs to think about what scopes should be exposed so that the service can support different types of clients with proper authorization delegation. In the previous example, the “EMAIL_SERVICE” scope is generic and might not be that useful because it grants too much authority. If the email service breaks this into scopes such as “EMAIL_READ”, “EMAIL_POST”, “EMAIL_MOVE”, and “EMAIL_DELETE”, the core functionality of the email service is expressed as scopes. This lets clients use minimal authority to access the user’s mailbox without requiring full access.

As mentioned previously, the purpose of OAuth is to authorize access to a service. Hence some Policy Enforcement Point (PEP) tasked with securing access to the Resource Server must be able to determine from the Access Token's authorized scopes whether or not access should be allowed. Once the token is issued to a client, the client's access rights are bound by the scopes encapsulated in the Access Token for as long as the Access Token is valid.

The big question is where to draw the line between defining very granular scopes representing the right to invoke functional "capabilities" exposed by physical service implementations, and creating broad scopes representing the right to invoke the actual physical services.

One important perspective on how to answer this question is to look at the problem from the perspective of the Resource Owner: specifically, what authorization decisions need to be made to authorize requested scopes, how often these decisions need to be made, and what needs to be known in order to make them. The lifecycle of managing such authorization decisions should be straightforward; otherwise the policies will be incomplete, out of date, or overly permissive.

From the Resource Owner perspective there are two important considerations:

  • Who owns the data: the end user or the target service
  • Who gets to specify the authorization policy: the end user or the application owner

The difference between these considerations is important since it determines who gets to authorize the client's request for specific scopes: the end user whose data will be requested by the client, or the business/security admin configuring the client and granting it specific privileges. Let's take a close look at each consideration:

End users authorizing request for scopes

If the Resource Server is tasked with providing access to the end user's data (as is the case with consumer sites or user-centric apps such as email), the end user is the ultimate authorization authority for deciding whether or not requested scopes should be granted.

In this case the purpose of a scope is to let the end user know what the client is trying to do with the end user's data (e.g., requesting access to one's pictures or emails, requesting access to one's mobile GPS data, etc.). Then, when the Access Token is granted, the approved scopes are "burned" into the token. Presenting this Access Token to the Resource Server conveys the fact that the end user has approved the client application's request to access his/her data.

We can see that scopes represent the client's intent to access the user's data, and can be modeled based on the number of user data categories the Resource Server wants to protect from "super user" access.

This requirement to secure access to the end user's data is the primary reason for the 3-legged OAuth interaction, where the end user (data owner) is responsible for providing consent to the operations requested by the client. Here, the end user is familiar with, and wants to protect access to, his/her data, so modeling scopes based on the user's data categories (or collections of categories) makes sense. This model is often used by user-centric cloud services such as mail, photos, storage, documents, etc.

Business admins authorizing request for scopes

There are numerous commercial/enterprise services where the Resource Server is consumed not by the end user directly, but by partners who build clients to consume, expose, or extend application functionality. 

In this case the purpose of scopes is to represent authorization permissions as granted by an administrative process responsible for registering clients. For example, a real estate site exposes listings, where unpaid clients have access to listings without addresses, while paid clients have access to addresses. Here, “Address” would be a scope, and it would be the service administrator who configures clients and grants them allowed scopes based on the level of service a client has paid for.

We can see that scopes represent fine-grained capabilities the Resource Server is charging for, using administrators (or automated sign up processes) to decide the authorization policy.
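The email-scope decomposition and PEP check described earlier, together with the admin-granted “Address” scope from the real-estate example, as one added illustration that is not Oracle's or any Authorization Server's code; the token shape, operation names and listing data are constructed assumptions:

```python
import time

# Constructed Access Token as the PEP sees it after validation: the scopes
# "burned" in at issuance plus the expiry that bounds them. Assumed shape.
def make_token(client, scopes, lifetime_s=3600, now=None):
    issued = time.time() if now is None else now
    return {"client": client, "scopes": set(scopes), "exp": issued + lifetime_s}


# Email service: the coarse scope grants everything; the fine-grained scopes
# (EMAIL_READ/EMAIL_POST/EMAIL_MOVE/EMAIL_DELETE from the post) map one operation each.
EMAIL_OPERATION_SCOPES = {
    "read_message": {"EMAIL_READ"},
    "send_message": {"EMAIL_POST"},
    "move_message": {"EMAIL_MOVE"},
    "delete_message": {"EMAIL_DELETE"},
}
COARSE_SCOPE = "EMAIL_SERVICE"


def email_pep(token, operation, now=None):
    """Policy Enforcement Point: allow only while the token is valid and it
    carries a scope covering the requested operation."""
    now = time.time() if now is None else now
    if now >= token["exp"]:
        return False                      # rights end with the token's validity
    required = EMAIL_OPERATION_SCOPES.get(operation)
    if required is None:
        return False                      # unknown operation: fail closed
    if COARSE_SCOPE in token["scopes"]:
        return True                       # "too much authority": everything passes
    return bool(required & token["scopes"])


def least_privilege_scopes(operations):
    """Minimal scope set a client should request for the operations it needs."""
    scopes = set()
    for op in operations:
        scopes |= EMAIL_OPERATION_SCOPES[op]
    return scopes


# Real-estate listings: the admin grants "Address" to paid clients; the PEP
# redacts the field for everyone else. Constructed sample data.
LISTINGS = [
    {"id": 1, "price": 350000, "address": "12 Elm St"},
    {"id": 2, "price": 420000, "address": "7 Oak Ave"},
]


def listings_for(token, now=None):
    """Return listings, with addresses only when the token carries the Address scope.
    An expired token yields None so the caller can distinguish 'no token' from 'no scope'."""
    now = time.time() if now is None else now
    if now >= token["exp"]:
        return None
    if "Address" in token["scopes"]:
        return [dict(listing) for listing in LISTINGS]
    return [{k: v for k, v in listing.items() if k != "address"} for listing in LISTINGS]
```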

Looking at both scenarios, we can conclude that having too many scopes will create a burden on some user to try and understand/manage the meaning of scopes.

In the case of user-centric scopes, the end user is expected to understand the meaning of the data managed on his behalf.

In the case of business admins, they're expected to understand business rules (or in the case of automated client registration, have the ability to collect required service-level agreements).

The more scopes are exposed by a Resource Server, the greater the burden on a user (end user or administrator) to understand the exact meaning.

Hence, the overarching goal of application developers is to make their users capable of understanding the underlying authorization process, and this requires looking at scopes not only from the application development perspective but also from the perspective of the "administrative" knowledge and life cycle burden a developer might inadvertently create: some human being will have to be responsible for, and trained in, understanding the meaning of the scopes.

Ultimately, the application developer has to think about what scope means in the context of “their” application, including how much delegation (to an end user or policy) should be exposed. There will be as many scopes as the developer wants to expose to a user who is expected to understand their meaning – this could be an end user of social/mobile app clients accessing his/her data, or a security policy admin for enterprise/commercial applications.

Overloading with too many fine-grained scopes will place a burden on the user, creating confusion or complicating policy administration. It's best to define a few scopes protecting the high-level service, add a few additional scopes to secure access based on read/write operations, and only then take a closer look at whether or not any additional scopes are required.

This is it for the first installment on OAuth scopes.  In the next blog, we will look at other scope-related topics:

  • Scope affinity. Can a client with a given scope access any resource or only the resource associated with the authorizing (and/or owning) user?
  • Scope changes. The Authorization Server is free to grant a different set of scopes than what a client requests. This can happen because of policy, user consent, or just versioning issues.
  • Scope risk. The Authorization Server might issue different tokens with different lifespans based on the scope requested.
  • Implicit scopes. Some scopes may be “implicit” where the policy dictates whether user, or a client on user’s behalf is authorized to do something – resulting in “automatic” consent with no actual consent dialog.
  • Privileged scopes. The Authorization Server may inject special scopes not requested by clients, but granted nonetheless based on the contextual state of the client.

For more information on OAuth please see http://oauth.net/2/



Sunday Nov 09, 2014

Oracle at Gartner Identity and Access Management Summit - Dec 2nd - 4th, 2014 in Las Vegas

Join Amit Jasuja, Senior Vice President, Development Java & Identity Management Products, Oracle, at the Gartner Identity and Access Management Summit running from December 2nd to 4th, 2014, at which Oracle is proud to be a Platinum sponsor.

Oracle Session: Revolution or Evolution: Unlocking The Potential of The New Digital Economy
Speaker: Amit Jasuja, Senior Vice President, Development Java & Identity Management Products, Oracle
Oracle Session Schedule: Tuesday, December 2, 2014 - 10:45 a.m. – 11:30 a.m - Octavius 22
Abstract: As organizations consume an increasing number of mobile and cloud apps, identity management becomes fragmented. Organizations have inconsistent access policies and lose visibility into who has access to what. To avoid these risks and costs, they are increasingly adopting a strategy of extending enterprise identity services to the cloud. This presentation explores how organizations are using Identity Management to give users access to all their data from any device while providing an intelligent centralized view into user access rights across mobile, cloud and enterprise environments. See how Oracle Identity Management can securely accelerate your adoption of mobile and cloud applications.

Oracle Booth
Attendees can meet with Oracle Solution experts and discuss how Oracle Identity Management can securely accelerate your adoption of mobile and cloud applications.

Oracle Demos will Showcase:

Identity Governance
Given the state of the economy these days, with a high number of data breaches and unauthorized access to sensitive information assets, it is no wonder this is one of the biggest threats organizations are concerned with. Ensuring properly vetted access and visibility into highly privileged accounts and entitlements is critical to a sound security practice.

This demo showcases Oracle’s Identity Management Solution, highlighting the differentiated value proposition of an integrated and converged Identity Governance, Access Management and Privileged Accounts Management approach.

We will show the following capabilities:

  • Self Service Access Request
  • Integrated OIM Catalog with OPAM entitlements
  • Multi approval workflow with temporal grants and authorizations
  • 2-Factor authentication with Oracle Mobile Authenticator
  • Recording of a privileged access (Windows session recording)
  • Execution of a certification campaign with both normal and privileged entitlements

Mobile & Cloud Access Management
  • Unified Self Service Console and Delegated Admin Console (OIG) extended to Mobile
    • App and device level policies, app inventory
    • View user, request for roles and invite user to register device
    • Automated device configuration and Secure Workspace app installation
    • Data leakage prevention policies
  • Application access via Secure Workspace
    • Show applications being provisioned as part of the role assignment above. This would also include link to the IdaaS portal in the secure workspace.
    • Click on the link and you are Single Sign on to the IdaaS portal.
  • Cloud Application access scenarios in IdaaS:
    • Access Document Cloud Service – Simple Federated SSO.
    • Access Fusion HCM and be prompted for a 2 factor auth using OMA.

Register Now for Gartner Identity and Access Management Summit 2014. We hope to see you there!


Thursday Oct 23, 2014

UL Secures Customers’ Access to Certification Status While Protecting Intellectual Property

Equipped with requirements to provide customers with access to information on product-testing and certification status, as well as additional information on the company’s services, UL needed to ensure that it could provide this information without exposing confidential intellectual property information to the wrong parties. In pursuit of these goals, UL initiated a three-year security and identity-management evolution process relying on Oracle Identity and Access Management Suite to authenticate users and provide an access-control framework built on the company’s business taxonomy.

Using Oracle API Gateway, UL can provide its customers with a user interface giving them control over defining their own identities and providing specific employees within their organizations with access to the UL information stores associated with them. This federation capability enables UL’s customers to manage their own user provisioning and make adjustments as needed, while freeing UL from needing to provision or deprovision customer users - boosting security as any user who leaves a customer organization is automatically deprovisioned and denied access.

Click here for more about the UL deployment of  Oracle Identity and Access Management Suite and Oracle API Gateway.

For more information about Oracle API Gateway, read these previous OracleIDM blog entries:
What Can Oracle API Gateway Do for You?
Embracing Mobility in the Workspace: Oracle API Gateway

Wednesday Oct 08, 2014

Seamlessly & Securely Managing 360k+ User Identities While Reducing IT Complexity: the Seneca College IdM Success Story

Following the 2013 decision to choose Oracle’s PeopleSoft applications running on Oracle Exadata database machines as its new enterprise resource planning (ERP) and campus-solutions platform, Seneca College of Applied Arts and Technology was also faced with another critical decision, prompted by the impending end of life of its legacy identity management solution.

Spurred with the overarching goal to provide secure and role-based access to all of the school’s applications and online services for a growing and increasingly remote student body, Seneca chose Oracle Identity and Access Management Suite as its new platform for managing identity and access rights. 

Engaging with Oracle partner ICSynergy, Seneca and ICSynergy designed a solution to meet the college's needs for high availability across multiple campuses and a very diverse user base of 26,500 full-time students and 70,000 part-time registrants. The solution provides streamlined control of student access to Seneca College's digital services while securing student privacy and addressing the compliance requirements of Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA).

The full success story can be read here.

Sunday Sep 28, 2014

Focus On: Access Management at Oracle OpenWorld '14

Oracle Access Management (OAM): Comprehensive Access Management.  

OAM delivers risk-aware end-to-end user authentication, single sign-on, and authorization protection, enabling enterprises to secure access from mobile devices and seamlessly integrate social identities with applications.

Join Oracle, our partners and customers at Oracle Open World 2014 and learn about Oracle Access Management, the industry’s most advanced solution for securing applications, data, Web services, and cloud-based services.

The following is a list of access-related Identity Management sessions and hands-on labs at OOW14, in order of date and time, to help you plan your week. Click on each to find out more, and don't forget to register for those you want to attend, as sessions can and do fill up.


Identity Governance: Reduce Cost, Increase Productivity, and Improve Compliance [HOL9408] This hands-on lab focuses on how Oracle provides a complete identity governance solution that enables organizations to efficiently balance the objectives of access, security, ...
  • Monday, Sep 29, 10:15 AM - 11:15 AM - Hotel Nikko - Nikko Ballroom III
Ready for the Digital Economy? Oracle’s Vision of How Identity Helps [CON7989] As organizations consume an increasing number of cloud services and apps, identity management becomes fragmented. Organizations have inconsistent access policies and lose ...
  • Monday, Sep 29, 10:15 AM - 11:00 AM - Moscone West - 3020
Access Management: Secure Web, Mobile, and Cloud Access [HOL9449] The Oracle access management solution provides an optimal user experience for end users while reducing risks and costs through a common infrastructure. It provides a ...
  • Monday, Sep 29, 11:45 AM - 12:45 PM - Hotel Nikko - Nikko Ballroom III
Identity Governance Across the Extended Enterprise [CON7968] As organizations deploy an ever-increasing number of cloud, mobile, and enterprise applications, identifying and managing user access can be a challenge, especially when ...
  • Monday, Sep 29, 11:45 AM - 12:30 PM - Moscone West - 3020
Access Without Fear: Delivering an Optimal Multichannel User Experience [CON7995] During today’s application explosion, organizations are dealing with an identity fragmentation issue that is creating a disjointed user experience and costing them ...
  • Monday, Sep 29, 2:45 PM - 3:30 PM - Moscone West - 3020
Identify Bottlenecks and Tune Oracle Identity Management to Maximize Performance [CON8383] The Oracle Identity Management suite enables enterprises to manage the end-to-end lifecycle of user identities across all enterprise resources to control access to their ...
  • Monday, Sep 29, 4:00 PM - 4:45 PM - Moscone West - 3020
Oracle Management Pack Plus for Identity Management Best Practices and Lessons Learned [CON8212] This session presents best practices and lessons learned from real-world Oracle Management Pack Plus for Identity Management implementations. Although Oracle Identity and ...
  • Monday, Sep 29, 4:00 PM - 4:45 PM - Moscone South - 200
Architecting Applications with Intelligent Authentication and Authorization [CON7978] With the increased opportunities of the mobile explosion and cloud applications comes an increase in security threats. To combat these threats while still providing a ...
  • Monday, Sep 29, 5:15 PM - 6:00 PM - Moscone West - 3020
Securing Oracle Applications and the Extended Enterprise with Identity Management [CON8874] All Oracle applications are shipped with Oracle Identity Management components to provide the security services they need. These services can be extended to enable not only ...
  • Monday, Sep 29, 5:15 PM - 6:00 PM - Moscone West - 3018
Mobile Security: Enabling Secure Consumer Mobility [HOL9398] Oracle Mobile Security Suite and Oracle API Gateway enable developers to secure consumer-facing mobile apps and the APIs they connect to. In this hands-on lab, learn how to ...
  • Tuesday, Sep 30, 10:15 AM - 11:15 AM - Hotel Nikko - Nikko Ballroom III
Mobile Security: BYOD to Securely Access Corporate Resources [HOL9399] Oracle Mobile Security Suite delivers a secure workspace where employees can access corporate resources from personal devices without locking them down. It offers the most ...
  • Tuesday, Sep 30, 11:45 AM - 12:45 PM - Hotel Nikko - Nikko Ballroom III
CyberSecurity in Higher Education [CON7734] Information access is very important in higher education, where data sharing and collaboration are mission-critical. This session discusses ways to improve information ...
  • Tuesday, Sep 30, 12:30 PM - 1:15 PM - Marriott Marquis - Golden Gate C3
Identity as a Service: Extend Enterprise Controls and Identity to the Cloud [CON8040] As organizations continue to adopt software as a service (SaaS) applications to provide various business services such as CRM, office, HR, and collaboration, it is critical ...
  • Tuesday, Sep 30, 3:45 PM - 4:30 PM - Moscone West - 3020
Identity Services in the New GM [CON2007] The speaker's team at General Motors started with what seemed to be a straightforward mandate: “The New GM IT organization should be in-sourced and delivering internally ...
  • Tuesday, Sep 30, 5:00 PM - 5:45 PM - Moscone West - 3020
Customer Success Stories: How to Eliminate the Blind Spots in Enterprise Risk [CON7991] Three customers, three unique stories. This session focuses solely on understanding how these customers were able to automate their identity governance requirements by using ...
  • Wednesday, Oct 1, 10:15 AM - 11:00 AM - Moscone West - 3020
Securely Extend Applications to Mobile Devices: Developing a Mobile Architecture [CON7994] As smartphones and tablets become the dominant form of consumer computing, customers are demanding access to services through native mobile applications that two years ago ...
  • Wednesday, Oct 1, 12:45 PM - 1:30 PM - Moscone West - 3020
Beyond Brute Force: Strategies for Securely Leveraging Mobile Devices [CON7973] With today’s always-connected workforce, employees are demanding access to corporate assets from mobile devices. Although this enables employees to be more productive, ...
  • Wednesday, Oct 1, 3:30 PM - 4:15 PM - Moscone West - 3020
Trust but Verify: Best Practices for Monitoring Privileged Users [CON8005] Privileged accounts provide administrators with root-level access to systems and applications. As these accounts are frequently shared, providing secure controls to prevent ...
  • Wednesday, Oct 1, 4:45 PM - 5:30 PM - Moscone West - 3020
Managing Telenet’s Identities in Practice [CON3995] After confronting a security audit, Telenet kicked off the implementation of its security roadmap. First up was the proper management of internal identity access rights in ...
  • Thursday, Oct 2, 9:30 AM - 10:15 AM - Moscone West - 3020
Self-Service Access Control: Help Yourself to More Productivity [CON8007] As the pace of business increases, it has become impossible for the IT team to manage all the access requests and certifications in an efficient and secure manner. It is ...
  • Thursday, Oct 2, 1:15 PM - 2:00 PM - Moscone West - 3018
Architecting a Complete Access Solution for the Cloud Economy [CON7975] To be able to conduct business in the digital economy, it is essential that users have consistent access to all their applications from any access channel. This session ...
  • Thursday, Oct 2, 1:15 PM - 2:00 PM - Moscone West - 3020


To maximize your attendance at Oracle OpenWorld 2014, running in San Francisco, CA from September 28th to October 2nd, be sure to review the complete listing of Oracle Identity Management Sessions and Demos.

The Schedule Builder is an invaluable tool to use when planning your visit to the conference. Be sure to pre-enroll in sessions of interest, as rooms can fill up. You can search identity management sessions using the term “identity+management” in the Content Catalog.

Identity Management executives and experts will be readily available for discussions and follow-ups. Don’t forget to catch live demonstrations of our complete Oracle Identity Management solution set while at OpenWorld.

Before and during the conference, follow the conversation about Oracle OpenWorld 2014 on Twitter with #oow14 and, as always, engage with us @oracleidm and follow the Identity Management blog. We hope to see you there!

Saturday Sep 27, 2014

Focus On: Cloud & Identity at Oracle Open World 2014

As organizations consume an increasing number of cloud services and apps, identity management becomes fragmented. Private, public or hybrid, all cloud solutions warrant strict security and identity management policies, and the solutions to implement them within the ever-expanding perimeter of devices and access points.

Join Oracle, our partners and customers at Oracle Open World 2014 and find out how Oracle Identity Management can securely accelerate your adoption of cloud services in the new digital economy.

The following is a list of cloud-related Identity Management sessions and hands-on labs at OOW14, in order of date and time, to help you plan your week. Click on each to find out more, and don't forget to register for those you want to attend, as sessions can and do fill up.


Ready for the Digital Economy? Oracle’s Vision of How Identity Helps [CON7989] As organizations consume an increasing number of cloud services and apps, identity management becomes fragmented. Organizations have inconsistent access policies and lose ...
  • Monday, Sep 29, 10:15 AM - 11:00 AM - Moscone West - 3020
Access Management: Secure Web, Mobile, and Cloud Access [HOL9449] The Oracle access management solution provides an optimal user experience for end users while reducing risks and costs through a common infrastructure. It provides a ...
  • Monday, Sep 29, 11:45 AM - 12:45 PM - Hotel Nikko - Nikko Ballroom III
Identity Governance Across the Extended Enterprise [CON7968] As organizations deploy an ever-increasing number of cloud, mobile, and enterprise applications, identifying and managing user access can be a challenge, especially when ...
  • Monday, Sep 29, 11:45 AM - 12:30 PM - Moscone West - 3020
Access Without Fear: Delivering an Optimal Multichannel User Experience [CON7995] During today’s application explosion, organizations are dealing with an identity fragmentation issue that is creating a disjointed user experience and costing them ...
  • Monday, Sep 29, 2:45 PM - 3:30 PM - Moscone West - 3020
Securing Oracle Applications and the Extended Enterprise with Identity Management [CON8874] All Oracle applications are shipped with Oracle Identity Management components to provide the security services they need. These services can be extended to enable not only ...
  • Monday, Sep 29, 5:15 PM - 6:00 PM - Moscone West - 3018
Architecting Applications with Intelligent Authentication and Authorization [CON7978] With the increased opportunities of the mobile explosion and cloud applications comes an increase in security threats. To combat these threats while still providing a ...
  • Monday, Sep 29, 5:15 PM - 6:00 PM - Moscone West - 3020
Identity as a Service: Extend Enterprise Controls and Identity to the Cloud [CON8040] As organizations continue to adopt software as a service (SaaS) applications to provide various business services such as CRM, office, HR, and collaboration, it is critical ...
  • Tuesday, Sep 30, 3:45 PM - 4:30 PM - Moscone West - 3020
The Age of Megavolume: Oracle’s Next-Generation Directory and Future Strategy [CON8043] With the rapid expansion of identities through cloud and mobile applications, it is becoming essential that you have a directory that is capable of handling them. In addition ...
  • Tuesday, Sep 30, 5:00 PM - 5:45 PM - Moscone West - 3018
Trust but Verify: Best Practices for Monitoring Privileged Users [CON8005] Privileged accounts provide administrators with root-level access to systems and applications. As these accounts are frequently shared, providing secure controls to prevent ...
  • Wednesday, Oct 1, 4:45 PM - 5:30 PM - Moscone West - 3020
Managing Telenet’s Identities in Practice [CON3995] After confronting a security audit, Telenet kicked off the implementation of its security roadmap. First up was the proper management of internal identity access rights in ...
  • Thursday, Oct 2, 9:30 AM - 10:15 AM - Moscone West - 3020
Architecting a Complete Access Solution for the Cloud Economy [CON7975] To be able to conduct business in the digital economy, it is essential that users have consistent access to all their applications from any access channel. This session ...
  • Thursday, Oct 2, 1:15 PM - 2:00 PM - Moscone West - 3020

To maximize your attendance at Oracle OpenWorld 2014, running in San Francisco, CA from September 28th to October 2nd, be sure to review the complete listing of Oracle Identity Management Sessions and Demos.

The Schedule Builder is an invaluable tool to use when planning your visit to the conference. Be sure to pre-enroll in sessions of interest, as rooms can fill up. You can search identity management sessions using the term “identity+management” in the Content Catalog.

Identity Management executives and experts will be readily available for discussions and follow-ups. Don’t forget to catch live demonstrations of our complete Oracle Identity Management solution set while at OpenWorld.


Before and during the conference, follow the conversation about Oracle OpenWorld 2014 on Twitter with #oow14 and, as always, engage with us @oracleidm and follow the Identity Management blog. We hope to see you there!

Friday Sep 26, 2014

Focus on: Mobile Security at Oracle Open World 2014

Oracle Mobile Security with the Oracle Mobile Security Suite (OMSS)

Join Oracle, our partners and customers at Oracle Open World 2014 and learn about comprehensive mobile identity and application management for provisioning trusted access. See how Oracle Identity Management solutions and the Oracle Mobile Security Suite deliver authentication and authorization for applications and services, application signing and wrapping, an enterprise application store, device wipe, device enrollment, and provisioning, all in a simplified management framework.

The following is a list of mobile-security-related Identity Management sessions and hands-on labs at OOW14, in order of date and time, to help you plan your week. Click on each to find out more, and don't forget to register for those you want to attend, as sessions can and do fill up.


Identity Governance Across the Extended Enterprise [CON7968] As organizations deploy an ever-increasing number of cloud, mobile, and enterprise applications, identifying and managing user access can be a challenge, especially when ...
  • Monday, Sep 29, 11:45 AM - 12:30 PM - Moscone West - 3020
Access Management: Secure Web, Mobile, and Cloud Access [HOL9449] The Oracle access management solution provides an optimal user experience for end users while reducing risks and costs through a common infrastructure. It provides a ...
  • Monday, Sep 29, 11:45 AM - 12:45 PM - Hotel Nikko - Nikko Ballroom III
Access Without Fear: Delivering an Optimal Multichannel User Experience [CON7995] During today’s application explosion, organizations are dealing with an identity fragmentation issue that is creating a disjointed user experience and costing them ...
  • Monday, Sep 29, 2:45 PM - 3:30 PM - Moscone West - 3020
Architecting Applications with Intelligent Authentication and Authorization [CON7978] With the increased opportunities of the mobile explosion and cloud applications comes an increase in security threats. To combat these threats while still providing a ...
  • Monday, Sep 29, 5:15 PM - 6:00 PM - Moscone West - 3020
Mobile Security: Enabling Secure Consumer Mobility [HOL9398] Oracle Mobile Security Suite and Oracle API Gateway enable developers to secure consumer-facing mobile apps and the APIs they connect to. In this hands-on lab, learn how to ...
  • Tuesday, Sep 30, 10:15 AM - 11:15 AM - Hotel Nikko - Nikko Ballroom III
Securing the New Perimeter: Strategies for Mobile Application Security [CON7993] As the mobile security market consolidates, identity management platform benefits are enabling customers to move deployments to the next level of sophistication. Solutions ...
  • Tuesday, Sep 30, 10:45 AM - 11:30 AM - Moscone West - 3020
Mobile Security: BYOD to Securely Access Corporate Resources [HOL9399] Oracle Mobile Security Suite delivers a secure workspace where employees can access corporate resources from personal devices without locking them down. It offers the most ...
  • Tuesday, Sep 30, 11:45 AM - 12:45 PM - Hotel Nikko - Nikko Ballroom III
The Age of Megavolume: Oracle’s Next-Generation Directory and Future Strategy [CON8043] With the rapid expansion of identities through cloud and mobile applications, it is becoming essential that you have a directory that is capable of handling them. In addition ...
  • Tuesday, Sep 30, 5:00 PM - 5:45 PM - Moscone West - 3018
Modern Identity Management: Upgrading to Meet Requirements of the Digital Economy [CON8023] Most enterprise organizations have some form of identity management solution deployed. Whether what they have is provisioning for a small number of core system, single ...
  • Wednesday, Oct 1, 11:30 AM - 12:15 PM - Moscone West - 3020
Bulletproof the Oracle Mobile Platform with Integrated Security [CON6983] A common pitfall for many mobile application implementations is the fact that enterprise security, mobile security, and mobile application platforms are frequently based on ...
  • Wednesday, Oct 1, 12:45 PM - 1:30 PM - Moscone West - 3022
Securely Extend Applications to Mobile Devices: Developing a Mobile Architecture [CON7994] As smartphones and tablets become the dominant form of consumer computing, customers are demanding access to services through native mobile applications that two years ago ...
  • Wednesday, Oct 1, 12:45 PM - 1:30 PM - Moscone West - 3020
Beyond Brute Force: Strategies for Securely Leveraging Mobile Devices [CON7973] With today’s always-connected workforce, employees are demanding access to corporate assets from mobile devices. Although this enables employees to be more productive, ...
  • Wednesday, Oct 1, 3:30 PM - 4:15 PM - Moscone West - 3020
Architecting a Complete Access Solution for the Cloud Economy [CON7975] To be able to conduct business in the digital economy, it is essential that users have consistent access to all their applications from any access channel. This session ...
  • Thursday, Oct 2, 1:15 PM - 2:00 PM - Moscone West - 3020

To maximize your attendance at Oracle OpenWorld 2014, running in San Francisco, CA from September 28th to October 2nd, be sure to review the complete listing of Oracle Identity Management Sessions and Demos.

The Schedule Builder is an invaluable tool to use when planning your visit to the conference. Be sure to pre-enroll in sessions of interest, as rooms can fill up. You can search identity management sessions using the term “identity+management” in the Content Catalog.

Identity Management executives and experts will be readily available for discussions and follow-ups. Don’t forget to catch live demonstrations of our complete Oracle Identity Management solution set while at OpenWorld.


Before and during the conference, follow the conversation about Oracle OpenWorld 2014 on Twitter with #oow14 and, as always, engage with us @oracleidm and follow the Identity Management blog. We hope to see you there!

Monday Apr 14, 2014

Follow-up: Identity Management 11g R2 PS2

If you joined our webcast on Thursday, thanks for tuning in. Below is a link to the on-demand webcast, and we have captured the Q&A from the session in-line.

On-demand webcast: Click Here

Question: For customers in the process of moving to the cloud and mobile space, is PS2 the right version (whether Access or Identity) to be on? Answer: Absolutely. Particularly for Access, with full OAuth2 support.

Question: Have consumer and customer identity requirements for retail been met, with full user experience and admin/provisioning, federated access and delegated admin implemented? Is any large retail account or case study for the implementation available for sharing? Answer: Yes, we have several retail customers who have implemented unified, enterprise-wide identity management to help grow their business (via customer loyalty apps and programs) and streamline/secure their business with complete Identity Governance and life cycle management. Click here to see customer examples:

Question: Any large AppStore implementation and global rollout? Answer: For the Oracle Mobile Security Suite we have some very large Fortune 5 customers with global rollouts, including oil & gas, retail and banking.

Question: Can you elaborate on how security concerns were addressed about the form-fill technology? Answer: The form-fill technology in the Access Portal Service is built on the Oracle ESSO infrastructure. It leverages the same ESSO repository to store credentials and application configuration. It is compatible with the same business logic flows that exist in native ESSO. It fully supports bi-directional crypto between Java and CAPI code. The asymmetric key support covers RSA and translation of PK pairs to/from MS PK and Java. The symmetric key support includes AES256 and TripleDES (for compat/upgrade). It fully supports encryption/decryption of ESSO credentials in Java (compatible with CAPI). The hashing/MessageDigest support covers SHA1 and SHA256, compatible with Java and CAPI.

Question: Question from my tweet - Will the new Access Management platform support SAML and OAuth as the standard instead of the ObSSO token? Answer: We already support SAML and have now introduced support as an OAuth 2.0 server in PS2, while ensuring that these technologies work seamlessly in conjunction with session management and secure single sign-on using OAM 11g technology.

Question: How do we provision/deprovision users for cloud apps? Answer: We will provide auto-provisioning of applications by allowing association to applications directly from the OAM console. Today, auto-provisioning is only possible using the Enterprise Single Sign-On provisioning gateway.

Question: Is the Bitzer application available as part of the Oracle Access Manager product? Answer: The Bitzer technology is available in the Oracle Mobile Security Suite.

Question: Does OAP provide support for legacy applications (thick client, mainframe apps)? Answer: Access Portal, at this time, is for web-based applications only.

Question: Does the Cloud Security Portal work with the OAM 10g version? Answer: Access Portal is an OAM 11gR2 PS2 service.

Question: How do you compare Oracle PS2 with REST API based security appliances like Layer 7, etc.? Answer: The Oracle API Gateway (OAG) component provides REST API security in the same way. This is already available and is widely deployed by our customer base, particularly for their consumer- and mobile-facing applications.

Question: What licenses are needed for the Automated Suite Installation for IDM that was spoken about? Answer: The automated installation requires only licenses for the software that you are installing. There's not a separate license for the automation.

Question: Do you have PII and PCI compliance patterns implemented for SaaS eCommerce apps globally? Answer: May need more info to answer this, but if Oracle accepts credit cards for any of its services then obviously it will need to follow PCI, etc. Here is a link to a paper on how we align with PCI controls with IDM.

Question: Do you see a push in the federal marketplace to implement the Oracle soft token approach to security, or is the marketplace still leveraging traditional two-factor while mobile technologies lag behind? Answer: We see a push across all verticals to use the soft token approach.

Question: As OMSS and the IDM Suite come separately (two different product suites), how exactly do these get wired together to achieve SSO? How difficult is it to wire them? Answer: These suites are separate from a licensing perspective but utilize the same underlying platform.

Thursday Apr 10, 2014

Securing The Identity of Everything

Along with tremendous economic change, the Internet of Things (IoT) will transform the way IT organizations think about security. Instead of focusing on securing the network perimeter, IT departments will have to secure the new perimeter: people, data and devices. The new point of control will be user access to devices, data and applications. Each device will have an identity on the network, and companies will face the challenges of device tracking, registration and fraud detection. In this session, Ranjan Jain will discuss his current effort to manage the "Identity of Everything" and share how organizations can unlock the potential of this approach. Register now.

Ranjan Jain, IT Architect for Enterprise Identity and Access Management, Cisco 

Naresh Persaud, Senior Director, Product Marketing and Market Development, Oracle


Wednesday Apr 09, 2014

Webcast: Announcing The Oracle Mobile Security Suite



Oracle IDM 11gR2 PS2: Cloud and Mobile Strategy Update Webcast

As cloud applications and personal mobile devices continue to drive new business models, new security challenges for IT teams are on the rise. Oracle recently announced the availability of its latest Oracle Identity Management 11g Release 2 PS2, which is heavily focused on securing the extended enterprise.

This live webcast will provide you with an overview of key themes in Oracle Identity Management 11g Release 2 PS2, and cover salient aspects of the release’s cloud and mobile security strategy. You’ll also see a demonstration of the new cloud access portal and mobile security suite. The Twitter feed #OracleIDMPS2 can be used for questions during the live Q&A session at the end of the presentation.

Attend this webcast to:

  • Hear about the latest updates in Oracle Identity Management 11g Release 2 PS2, including new strong authentication and installation automation features
  • See how Oracle is taking an application-focused approach to mobile security
  • Learn how you can secure your cloud applications with enterprise identity management

Register now to attend this important webcast. Tweet your questions using the hashtag #OracleIDMPS2.

April 10, 2014 – 10:00 am PST

Copyright © 2013, Oracle and/or its affiliates. 
All rights reserved.


Tuesday Mar 25, 2014

Enabling access to Google Apps through Oracle IDM

Guest blog by Anand Murugesan

Cloud adoption is enabling organizations to rapidly increase capacity and employee productivity while reducing their cost. IT organizations are trying to catch up with this accelerating trend and are faced with technological obstacles in enabling access to cloud applications. When it comes to enabling employee access to cloud applications, organizations today are using cumbersome techniques, including manual provisioning and de-provisioning processes that delay cloud enablement. Moreover, this leaves security vulnerabilities when employees leave the company or move between organizations. Oracle Identity and Access Management Suite (Oracle IAM Suite) addresses these issues with the right set of technologies and tools to fast-track cloud adoption. In this article we will discuss how organizations can enable their users to access Google Applications.

Organizations can integrate Oracle IAM Suite with Google Applications through either Identity Federation or Identity Synchronization techniques. The choice depends on the type of access needed for Google Applications.

The first option is to use SAML 2.0 based Federation standards to integrate with Google Apps. As per Google, “Google Apps offers a SAML-based Single Sign-On (SSO) service that provides customers with full control over the authorization and authentication of hosted user accounts that can access web-based applications like Gmail or Google Calendar.” In this case Google Apps acts as a Service Provider (SP), and the Oracle Identity and Access Management Federation Service acts as an Identity Provider (IdP). With this type of integration, when accessing Google Apps through a web browser, the user is redirected to the Federation Service hosted by the customer for authentication. Once authentication is complete, the user is redirected back to Google Apps. Federation Services supports logout initiated by both SP and IdP. The customer still maintains full control of who has access to Google Apps.
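The checks a Service Provider must run on the IdP's response before it trusts the login are the part of the flow above that the paragraph leaves implicit. The following is an added example, not code from the article, from Oracle's Federation Service or from Google: it builds a constructed SAML 2.0 Response (the IdP side) and then validates it the way an SP should (issuer, destination, InResponseTo, status, validity window with clock skew, audience, subject). The entity IDs and the ACS URL are placeholders I assumed, and the signature element is a placeholder, since XML-DSig verification needs an XML signature library that the standard library does not provide.

```python
"""SP-side validation of a SAML 2.0 Response (added example, stdlib only).
Entity IDs, URLs and the signature value are constructed placeholders."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "https://idp.example.com/oam/fed"    # assumed customer-hosted IdP
SP_ENTITY_ID = "google.com/a/example.com"            # assumed SP entity ID
ACS_URL = "https://www.google.com/a/example.com/acs"  # assumed assertion consumer URL
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def saml_time(dt):
    return dt.astimezone(timezone.utc).strftime(TIME_FMT)


def parse_time(text):
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def build_sample_response(not_before, not_on_or_after, audience=SP_ENTITY_ID,
                          issuer=IDP_ENTITY_ID, in_response_to=None,
                          name_id="alice@example.com"):
    """Constructed sample of what the IdP posts to the SP's ACS after login."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" Destination="{ACS_URL}"{irt}
    IssueInstant="{saml_time(not_before)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{saml_time(not_before)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{saml_time(not_before)}" NotOnOrAfter="{saml_time(not_on_or_after)}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_response(xml_text, now, expected_request_id=None,
                      clock_skew=timedelta(seconds=60)):
    """Return (errors, name_id); an empty error list means the SP may accept it.
    expected_request_id is the AuthnRequest ID for SP-initiated SSO; None means
    IdP-initiated SSO, where an InResponseTo attribute must not be present.
    Signature verification (XML-DSig) is delegated to a dedicated library in a
    real SP; here only the presence of the element is checked."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"], None
    if root.get("Destination") != ACS_URL:
        errors.append("Destination mismatch")
    if root.get("InResponseTo") != expected_request_id:
        errors.append("InResponseTo mismatch")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        errors.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return errors + ["no assertion"], None
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        errors.append("untrusted issuer")
    if assertion.find("ds:Signature", NS) is None:
        errors.append("assertion is unsigned")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        if now + clock_skew < parse_time(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if now - clock_skew >= parse_time(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            errors.append("audience mismatch")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        errors.append("missing NameID")
    return errors, name_id


def run_demo():
    """Four constructed scenarios evaluated at a fixed clock."""
    now = datetime(2014, 3, 25, 12, 0, tzinfo=timezone.utc)
    fresh = build_sample_response(now - timedelta(minutes=1), now + timedelta(minutes=5), in_response_to="_req1")
    expired = build_sample_response(now - timedelta(minutes=30), now - timedelta(minutes=10))
    other_sp = build_sample_response(now - timedelta(minutes=1), now + timedelta(minutes=5),
                                     audience="https://other-sp.example.net")
    return {
        "sp_initiated_ok": validate_response(fresh, now, expected_request_id="_req1"),
        "unsolicited_with_in_response_to": validate_response(fresh, now),
        "expired": validate_response(expired, now),
        "wrong_audience": validate_response(other_sp, now),
    }
```

The audience check is what stops an assertion minted for one SP being presented to another, and the InResponseTo check is what ties an SP-initiated login to the request that started it; both are cheap and both are regularly missing from home-grown SPs.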

The second option is to use two-way identity synchronization. The Google Apps connector that ships with Oracle Identity Manager (part of Oracle IAM Suite) keeps on-premise and cloud identities in sync. This connector manages Google Apps as a ‘managed target resource’, enabling data about users created or modified directly on Google Apps to be reconciled into Oracle Identity Manager. Moreover, user accounts can be provisioned into Google Apps from Oracle Identity Manager.

Both Federation and Identity Synchronization techniques enable seamless integration with Google Apps. When would you choose one over the other? If the customer needs to enable only web browser based access to the Google application for their users, then SAML based Federation would be sufficient. Setting up Federation is a fairly simple process. For more information refer to this white paper. On the other hand, if the customer wants to enable user access beyond the web browser to desktop or mobile clients, such as Outlook for Google Apps, identity synchronization would be the better option. For more information on how to set up the Google connector, please refer to the Oracle Identity Manager Google Apps Connector documentation.
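What a two-way synchronization run actually decides is easiest to see as a reconciliation between the authoritative on-premise view and the accounts found in the cloud target, which is also where the leaver and mover risks from the opening paragraph show up. The following is an added example of that reconciliation logic, not the Oracle Identity Manager Google Apps connector: the account records are constructed samples, and the action names ("suspend", "orphan", "flag_review" and so on) are my own.

```python
"""Reconciliation of an authoritative identity store against a cloud target
(added example; account data is constructed, action vocabulary is assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    login: str
    active: bool
    org_unit: str


# Execution order: cut off access before granting it, so a leaver's window of
# cloud access is not extended while the run is busy creating new accounts.
PRIORITY = {"suspend": 0, "orphan": 1, "update": 2, "flag_review": 3, "create": 4}


def reconcile(authoritative, target):
    """Compare both views and return the action per login (no entry = in sync)."""
    actions = {}
    for login, src in authoritative.items():
        tgt = target.get(login)
        if tgt is None:
            if src.active:
                actions[login] = "create"        # joiner not yet provisioned
            continue                             # inactive and absent: nothing to do
        if not src.active and tgt.active:
            actions[login] = "suspend"           # leaver still holds cloud access
        elif src.active and not tgt.active:
            actions[login] = "flag_review"       # suspended in the cloud only; never auto-reactivate
        elif src.active and src.org_unit != tgt.org_unit:
            actions[login] = "update"            # mover: attributes drifted
    for login, tgt in target.items():
        if login not in authoritative and tgt.active:
            actions[login] = "orphan"            # created directly in the cloud; reconcile for review
    return actions


def plan(actions):
    """Order the actions so that access removal runs first."""
    return sorted(actions.items(), key=lambda kv: (PRIORITY[kv[1]], kv[0]))


def run_demo():
    # Constructed sample data.
    authoritative = {
        "alice": Account("alice", True, "eng"),
        "bob": Account("bob", False, "sales"),         # left the company last week
        "carol": Account("carol", True, "marketing"),  # moved from eng to marketing
        "dave": Account("dave", True, "hr"),
        "erin": Account("erin", False, "eng"),         # left before ever being provisioned
        "gina": Account("gina", True, "eng"),          # new hire
    }
    target = {
        "alice": Account("alice", True, "eng"),
        "bob": Account("bob", True, "sales"),
        "carol": Account("carol", True, "eng"),
        "dave": Account("dave", False, "hr"),          # suspended by a cloud admin
        "frank": Account("frank", True, "eng"),        # created directly in the cloud console
    }
    return plan(reconcile(authoritative, target))
```

The one deliberate asymmetry is `flag_review`: a cloud-side suspension may have been an incident response action, so the engine reports it rather than undoing it, while a source-side deactivation is always enforced.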

Friday Mar 21, 2014

What's New in PS2? The Cloud Access Portal

Cloud application management is one of the main themes in the PS2 release. I have asked Lee Howarth to explain a bit more about the new Cloud Access Portal Service.


With the advent of SaaS applications, how do we solve password and single sign-on challenges... again?

For many years Single Sign-On technology has provided various security and usability benefits, allowing organizations to simplify the user experience of gaining access to multiple web and enterprise resources while enforcing more complex password policies to increase security. Unfortunately, this status quo is being challenged by the advent of Software-as-a-Service applications.

Once again users are being asked to remember multiple name and password combinations to their various SaaS accounts, a situation made even more frustrating by the fact that more and more users are accessing these sites from mobile devices.

The types of web applications accessed by a typical corporate user can be grouped into three main categories:

  1. Applications that require a name and password (corporate and SaaS) to be entered directly into a login form;
  2. Applications that are protected by some form of Access Management solution; and
  3. Applications that are federation enabled (corporate partner or SaaS application).

Addressing the password challenge across each of these categories, while simplifying usability and management, is the key benefit of the new Oracle Access Management - Access Portal Service.

The Access Portal provides:

  • A cross-platform logon portal for web-based applications that automatically adapts to the device form-factor.
  • Single sign-on to SaaS, web, partner and Oracle Access Management protected resources via Identity Federation, Form-Fill and Oracle Access Management session identifiers.
  • Centralized administration and wizard-based form-fill template generation to simplify administrative tasks.
  • RESTful interfaces to enable integration with existing corporate portals.

Administrators define applications in the Oracle Access Management administration interface as one of three types, each corresponding to one of the categories above.

  • Form-Fill Applications: applications that require a name and password to be entered into a login form.  The Access Portal service uses proxy technology to provide a form-fill service that supports login forms; it can even sense when a password has changed (perhaps due to password expiration) and let the user update the securely stored credentials.
  • SSO Agent Applications: applications protected by Oracle Access Management (OAM).  For this type the Access Portal simply presents the OAM-protected URLs; authentication is handled by standard OAM authentication and session management.
  • Federated Applications: applications that require federated authentication, whether partner or SaaS applications.  Here the Access Portal entries are essentially IdP-initiated authentication links, which use the Oracle Access Management Federation Service to authenticate the user and assert their identity to the target application.

The following diagram represents the high-level architecture for the Access Portal Service (APS):

[Diagram: APS Architecture]

For more information, please visit http://www.oracle.com/identity



 

Wednesday Mar 19, 2014

What's new in PS2? Many enhancements to Identity Governance

As you might know, our official IDM 11gR2 PS2 webcast will be held on April 10, 2014 @ 10:00 am PST

Register for our PS2 Webcast

#OracleIDMPS2 is our official Twitter handle for all things PS2!

In the run-up to the webcast, I have asked the PM team to put together a series of blogs outlining the big changes and new features introduced as part of the PS2 release.  This week, the Identity Governance team has put together a post all about Identity Governance.


Oracle Identity Governance is a suite of highly flexible and scalable enterprise identity administration solutions that provides operational and business efficiency by providing centralized administration & complete automation of identity and user provisioning events across enterprise as well as extranet applications. It provides role lifecycle management and privileged account management, ensuring consistent enforcement of identity based controls thereby reducing ongoing operational and compliance costs. New features introduced in the Oracle Identity Governance 11gR2 PS2 release are focused on customer success and improving overall reliability and reducing TCO of existing deployments. Highlights include: 

Dynamic Organization Membership

In a typical enterprise or extranet use case scenario, a user will be associated to their home organization but would require membership to other organization entities to perform related functions. For example, a global help desk user who belongs to the Support organization would require access to view and perform certain functions (like password reset) on other organizations like Finance, Sales etc. The solution has the capability to manually assign the help desk user to an Organization Viewer admin role, which is restrictive and more applicable to permission grants. 

Dynamic Organization Membership provides a way to specify a rule that would drive the membership of the user to one or more organizations based on their user attributes. The feature introduces the ability to specify a membership rule for organizations similar to how roles are handled. Once the user is dynamically associated to other organizations, they get implicit viewer privileges to view users, roles and privileges made available to those organizations as well. If certain users are needed to perform certain functions, like the help desk example above, they can still be associated to the corresponding admin role manually. Note that this is dynamic rule based organization membership (not virtual organization) that has to be associated with a physical organization in the solution.
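The rule-driven membership described above, as an added illustration (not Oracle Identity Governance code): a membership rule is evaluated against user attributes, dynamic members receive only the implicit viewer privilege, and an action such as password reset still requires a manually assigned admin role. The rule format (attribute to allowed values, all conjuncts must match), the role names and the sample organizations and users are constructed assumptions.

```python
"""Rule-driven organization membership with implicit viewer privilege.

Added illustration, not Oracle Identity Governance code. The rule format
(attribute -> allowed values, all must match), the role names and the sample
users and organizations are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

IMPLICIT_VIEWER = "Organization Viewer"       # assumed name of the implicit privilege
HOME_MEMBER = "Member"                        # assumed privilege in the user's home organization
HELP_DESK_ADMIN = "Help Desk Administrator"   # assumed admin role that permits password reset


@dataclass
class User:
    login: str
    home_org: str
    attributes: Dict[str, str]


@dataclass
class Organization:
    """A physical organization; the rule only adds members, it never replaces the org."""
    name: str
    membership_rule: Dict[str, Set[str]] = field(default_factory=dict)  # empty -> no dynamic members
    admin_roles: Dict[str, Set[str]] = field(default_factory=dict)      # login -> manually granted roles


def matches_rule(user: User, rule: Dict[str, Set[str]]) -> bool:
    """A rule is a conjunction: every attribute must be present with one of the allowed values."""
    if not rule:
        return False
    return all(user.attributes.get(attr) in allowed for attr, allowed in rule.items())


def organizations_for(user: User, orgs) -> Set[str]:
    """Home organization plus every organization whose membership rule the user satisfies."""
    member_of = {user.home_org}
    for org in orgs:
        if matches_rule(user, org.membership_rule):
            member_of.add(org.name)
    return member_of


def privileges_for(user: User, orgs) -> Dict[str, Set[str]]:
    """Dynamic membership yields only viewer privilege; admin roles come from manual assignment."""
    privs = {}
    member_of = organizations_for(user, orgs)
    for org in orgs:
        if org.name not in member_of:
            continue
        roles = {HOME_MEMBER} if org.name == user.home_org else {IMPLICIT_VIEWER}
        roles |= org.admin_roles.get(user.login, set())
        privs[org.name] = roles
    return privs


def can_reset_password(user: User, org_name: str, orgs) -> bool:
    """Viewing an organization is not enough to act in it; the admin role is still required."""
    return HELP_DESK_ADMIN in privileges_for(user, orgs).get(org_name, set())


# Constructed sample data: a global help desk user and a regional finance analyst.
ORGS = [
    Organization("Support"),
    Organization("Finance", membership_rule={"jobFunction": {"helpdesk"}, "region": {"global"}}),
    Organization("Sales", membership_rule={"jobFunction": {"helpdesk"}, "region": {"global"}},
                 admin_roles={"hdesk1": {HELP_DESK_ADMIN}}),
]
HELPDESK = User("hdesk1", "Support", {"jobFunction": "helpdesk", "region": "global"})
ANALYST = User("fin2", "Finance", {"jobFunction": "analyst", "region": "emea"})

if __name__ == "__main__":
    for u in (HELPDESK, ANALYST):
        print(u.login, sorted(organizations_for(u, ORGS)), privileges_for(u, ORGS))
```

The help desk user ends up a viewer of Finance and Sales purely through the rule, but can reset passwords only in Sales, where the admin role was granted by hand; the analyst, whose attributes match no rule, sees only their home organization.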

Simplified Request Management

Oracle Identity Governance provides a centralized catalog of access rights, including enterprise and application roles, standard and privileged accounts and entitlements. The solution enables customers to create multiple views of the centralized catalog, like catalog by location, by department or a hierarchical catalog showing all applications along with associated entitlements etc., tailored to their needs. A list of beneficiaries can also be programmatically sent to the catalog enabling customers to integrate with other request initiating systems like a ticketing system.

Oracle Identity Governance provides a business-user-friendly catalog for requesting accounts and entitlements. Previously, however, it required the business user to know about entitlement-related dependencies. For example, the user needed to know that they needed an e-Business account before they could request an entitlement granting them privileges to raise a purchase order in e-Business. OIG can now automatically request the account for a user when a related entitlement is requested, relieving business users of having to know the account-entitlement relationship.

Business users, requesters, approvers or access certifiers often require detailed information on what a particular entitlement maps to in the target system. For example, granting an e-Business role or responsibility grants the user a set of menu/button privileges. OIG now supports importing such hierarchical entitlement metadata and making it available during the request, approval and certification processes.

Users typically have more than one account in a target system, and OIG already supported associating multiple accounts with a user. The solution now supports specifying, during request checkout, which account a given entitlement in the request should be associated with. In many cases requesters must also provide additional information for each item requested; for example, in a request involving multiple entitlements the requester might have to specify a start date and end date for each entitlement. OIG lets requesters supply such information during the request and carries it all the way through the approval and provisioning processes. OIG also provides an out-of-the-box scheduled task that grants and revokes entitlements based on the start and end dates specified.

Oracle Identity Governance also enables requesters to save the request cart enabling them to validate and submit requests at a later time.
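The request-management behaviour described in the preceding paragraphs (automatic account request for a dependent entitlement, binding an entitlement to one of several accounts at checkout, per-item start and end dates, and a date-driven grant/revoke task), as an added illustration that is not OIG code. The catalog layout, the `requires_account` link, the account-selection rule and the shape of the scheduled task are constructed assumptions.

```python
"""Request-cart dependency resolution and date-bound entitlement scheduling.

Added illustration, not Oracle Identity Governance code. The catalog layout, the
'requires_account' link, the account-selection rule and the scheduled task's
shape are constructed assumptions.
"""
from datetime import date

# Constructed catalog: entitlements declare the account type they depend on and
# carry hierarchical metadata (what the grant maps to in the target) for approvers.
CATALOG = {
    "EBS Account": {"type": "account", "app": "eBusiness"},
    "EBS Purchase Order Responsibility": {
        "type": "entitlement", "app": "eBusiness", "requires_account": "EBS Account",
        "children": ["PO: Create", "PO: Approve"],
    },
    "AD Account": {"type": "account", "app": "ActiveDirectory"},
    "AD Finance Group": {"type": "entitlement", "app": "ActiveDirectory",
                         "requires_account": "AD Account"},
}


def target_privileges(item):
    """Metadata shown to requesters, approvers and certifiers: what the entitlement grants."""
    return CATALOG[item].get("children", [])


def resolve_request(cart, user_accounts):
    """Expand a cart into the items to request.

    cart: list of {"item", optional "account_id", optional "start"/"end"}.
    user_accounts: {account type: [account ids the user already holds]}.
    Returns (items, errors); accounts that must be created come first, flagged auto=True.
    """
    items, errors, requested_accounts = [], [], set()
    for entry in cart:
        meta = CATALOG[entry["item"]]
        if meta["type"] == "account":
            items.append({**entry, "auto": False})
            requested_accounts.add(entry["item"])
            continue
        acct_type = meta["requires_account"]
        owned = user_accounts.get(acct_type, [])
        account_id = entry.get("account_id")
        if not owned:
            # Requester need not know the dependency: request the account on their behalf.
            if acct_type not in requested_accounts:
                items.append({"item": acct_type, "auto": True})
                requested_accounts.add(acct_type)
            account_id = f"<new {acct_type}>"
        elif account_id is None and len(owned) == 1:
            account_id = owned[0]
        elif account_id not in owned:
            # Several accounts in the target: the entitlement must be bound to one at checkout.
            errors.append(f"{entry['item']}: choose one of {owned}")
            continue
        if entry.get("start") and entry.get("end") and entry["end"] < entry["start"]:
            errors.append(f"{entry['item']}: end date precedes start date")
            continue
        items.append({**entry, "account_id": account_id, "auto": False})
    return items, errors


def scheduled_grant_revoke(granted, today):
    """Nightly task (assumed shape): activate grants whose start date has arrived and
    revoke active grants whose end date has passed. Returns (to_grant, to_revoke)."""
    to_grant = [g["item"] for g in granted
                if not g.get("active") and g.get("start") and g["start"] <= today
                and not (g.get("end") and g["end"] < today)]
    to_revoke = [g["item"] for g in granted
                 if g.get("active") and g.get("end") and g["end"] < today]
    return to_grant, to_revoke


# Constructed sample: the user has two AD accounts and no eBusiness account yet.
USER_ACCOUNTS = {"AD Account": ["ad-jsmith", "ad-jsmith-admin"]}
CART = [
    {"item": "EBS Purchase Order Responsibility",
     "start": date(2014, 4, 1), "end": date(2014, 6, 30)},
    {"item": "AD Finance Group"},   # ambiguous: two AD accounts, none chosen
]

if __name__ == "__main__":
    print(resolve_request(CART, USER_ACCOUNTS))
```

Running the sample cart yields the auto-added "EBS Account" ahead of the purchase-order responsibility, and a validation error for the AD group because the requester must pick which of the two AD accounts receives it.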

Collaborative Certification Processes with Identity Auditor

Oracle Identity Governance introduces the capability to specify additional levels of review in the certification workflow process. For example, OIG can now launch a certification review in which the business manager first reviews the users that report to him/her, and the manager's manager then reviews the same access rights while seeing the decisions made by their subordinate. In addition, collaborative certification workflows involving representatives from both business lines and IT can be launched for improved accountability and remediation.

Improved Diagnostics

Oracle Identity Governance introduces a new operational console in Oracle Enterprise Manager that gives administrators a complete view of all defined OIG operations, out-of-the-box and customer-defined event handlers, child processes and workflow processes, together with their state and error information, without having to mine different server logs. This tool does not replace the larger IDM management pack in Enterprise Manager, which provides suite-wide monitoring, but serves as a diagnostic tool specifically for OIG.

Privileged Account Session Management

Recent front-page security breaches have emphasized the fact that access control and monitoring of privileged accounts is critical. In some cases, privileged account password management alone is not enough. The OPAM solution in the OIG suite additionally provides session management and auditing capabilities to address extreme use cases. By creating a single access point to the target resources, OPAM’s Oracle Privileged Session Manager (OPSM) helps administrators to control and monitor all the activities within a privileged session.

For more information on OPAM, read our blog here: New Session Management in OPAM

Tuesday Mar 18, 2014

What's New in PS2? Oracle Privileged Account Manager session management

As you saw in my previous blog there are a lot of new features in PS2 - and as we count down to our PS2 Webcast (April 10 @ 10:00 am PST - Register Here ) we will be posting a series of blogs detailing the new features.  In this blog, I have invited the PM team to talk about the new session management capability in OPAM.


11gR2 PS2 is an important release for OPAM where we made significant advances in many product areas. One such area is “Session Management”.

So, what is session management? In the past, privileged access management solutions focused on password vaults and providing secure access to the credentials stored in such vaults.

However, this approach raises certain questions:  

  • Can we prevent the end user seeing the actual privileged account password?
  • How can we control how the end user utilizes the password?
  • Can we capture the actions performed by the end user for audit purposes?


Session Management support in OPAM addresses all of these questions by focusing on the following areas:

Session Initiation

  1. Users can initiate a session as a privileged account without knowing the actual account password.
  2. Instead, the user simply authenticates as themselves, and access to the target is granted based on the grants they hold.
  3. Finally, since OPAM uses a gateway-based approach, the end user can connect using any protocol-compliant third-party client.


Thus privileged session initiation has been secured without impacting the established working practices of the end user. The end user is still free to use the tools they are familiar with (e.g. PuTTY, OpenSSH) and does not need to explicitly interact with OPAM for every checkout.

Session Control

  1. Sessions can be terminated based on usage policies (e.g. after 30 minutes).
  2. Sessions can be terminated by security personnel observing suspicious behavior.


Since the sessions occur via OPAM’s Session Management server, there’s a controlled single entry point for privileged access. Additionally, since all sessions occur within OPAM’s purview we are able to control what occurs within a session and terminate it as needed.

Session Recording

  1. Session activity is recorded and stored in an Oracle audit database.
  2. It is indexed and searchable.

All activity that occurs within a session is recorded, indexed and stored in the OPAM database. Answering questions like who ran a certain command on the fileserver as admin between 9am and 10am on April 1st, 2013 is therefore trivial.
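The three areas above (session initiation without disclosing the vaulted password, termination by usage policy or by security personnel, and indexed recording that answers "who ran what, where, as whom, when") modelled in one place, as an added illustration that is not OPAM or OPSM code. The vault, grant table, usage policy and audit record layout are constructed assumptions; a real gateway would open the upstream SSH connection with the vaulted credential rather than only logging commands.

```python
"""Gateway-style privileged session broker: initiation without password disclosure,
policy and manual termination, and searchable session recording.

Added illustration, not OPAM/OPSM code. The vault, grant table, usage policy and
audit record layout are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed data. A real vault stores this encrypted; the point is that the
# credential never leaves the gateway.
VAULT = {("fileserver01", "admin"): "constructed-vaulted-password"}
GRANTS = {"alice": {("fileserver01", "admin")}, "bob": set()}
POLICY = {"max_session": timedelta(minutes=30)}   # usage policy: terminate after 30 minutes


@dataclass
class Session:
    id: int
    user: str
    target: str
    account: str
    started: datetime
    ended: Optional[datetime] = None
    end_reason: Optional[str] = None


class SessionBroker:
    """Single entry point for privileged access; every session passes through it."""

    def __init__(self):
        self._next_id = 1
        self.sessions = {}
        # audit records: (session id, timestamp, user, target, account, command)
        self.audit: List[Tuple[int, datetime, str, str, str, str]] = []

    def initiate(self, user: str, target: str, account: str, now: datetime) -> int:
        """The user authenticates as themselves; the broker checks the grant and uses the
        vaulted credential internally. Only a session id is returned, never the password."""
        if (target, account) not in GRANTS.get(user, set()):
            raise PermissionError(f"{user} has no grant for {account}@{target}")
        _credential = VAULT[(target, account)]   # used only to open the upstream connection
        session = Session(self._next_id, user, target, account, now)
        self._next_id += 1
        self.sessions[session.id] = session
        return session.id

    def _active(self, sid: int, now: datetime) -> Optional[Session]:
        """Enforce the usage policy: a session past its maximum duration is terminated."""
        session = self.sessions[sid]
        if session.ended is not None:
            return None
        if now - session.started > POLICY["max_session"]:
            self.terminate(sid, "policy: max duration", now)
            return None
        return session

    def record(self, sid: int, command: str, now: datetime) -> bool:
        """Record a command; returns False if the session is no longer active."""
        session = self._active(sid, now)
        if session is None:
            return False
        self.audit.append((sid, now, session.user, session.target, session.account, command))
        return True

    def terminate(self, sid: int, reason: str, now: datetime) -> str:
        """Policy or security personnel end a session; idempotent."""
        session = self.sessions[sid]
        if session.ended is None:
            session.ended, session.end_reason = now, reason
        return session.end_reason

    def who_ran(self, fragment: str, target: str, account: str,
                start: datetime, end: datetime) -> List[str]:
        """'Who ran <command> on <target> as <account> between <start> and <end>?'"""
        return sorted({u for (_, ts, u, t, a, cmd) in self.audit
                       if t == target and a == account and fragment in cmd and start <= ts <= end})


def run_scenario() -> dict:
    """Constructed walk-through exercising initiation, control and recording."""
    broker = SessionBroker()
    t0 = datetime(2013, 4, 1, 9, 0)
    sid = broker.initiate("alice", "fileserver01", "admin", t0)
    broker.record(sid, "tar czf /tmp/share.tgz /srv/share", t0 + timedelta(minutes=5))
    try:                                       # bob holds no grant: initiation is refused
        broker.initiate("bob", "fileserver01", "admin", t0)
        denied = False
    except PermissionError:
        denied = True
    late = broker.record(sid, "useradd tempuser", t0 + timedelta(minutes=35))   # past policy
    sid2 = broker.initiate("alice", "fileserver01", "admin", t0 + timedelta(minutes=40))
    manual = broker.terminate(sid2, "security: suspicious activity", t0 + timedelta(minutes=42))
    after_manual = broker.record(sid2, "id", t0 + timedelta(minutes=43))
    return {
        "denied": denied,
        "late_recorded": late,
        "end_reason": broker.sessions[sid].end_reason,
        "manual_end_reason": manual,
        "after_manual_recorded": after_manual,
        "audit_count": len(broker.audit),
        "who": broker.who_ran("tar", "fileserver01", "admin", t0, t0 + timedelta(hours=1)),
    }
```

In the walk-through, the command issued at minute 35 is refused and the session closed by the 30-minute policy, the second session is closed by hand and accepts nothing afterwards, and the audit query for "tar" on fileserver01 as admin during the 9 to 10 window returns alice alone.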

In summary OPAM’s Privileged Session Management is an important addition to the existing password vault solution, adding personal accountability and extending audit capabilities. In 11gR2 PS2, we focused on SSH since there is a very large footprint of SSH enabled target systems. However, moving forward we’ll be adding both new protocols and additional functionality as part of our session management offering.

For further details see Oracle Privileged Account Manager - Whitepaper



Thursday Mar 13, 2014

Major Themes of the IDM 11gR2 PS2 Release

On April 10, Amit Jasuja and his Product Management team will be hosting a webcast to explain all of the newest features in the PS2 release. (Register Here for the Webcast)

The PS2 release has 3 major themes: Cloud, Mobile & Simplification.

Oracle continues to expand our management capability for cloud applications, and one of the new features in the PS2 release is the Cloud Access Portal.  The Cloud Access Portal provides a single console for managing access to cloud applications.  Single sign-on, form-fill technology and federation capabilities that run on a full-size browser, tablet or smartphone make this new portal a must-have for organizations using cloud apps (who isn't?).

For mobile application security, the PS2 release introduces the Mobile Security Suite. See our new web page devoted specifically to mobile security.

Based on technology from the Bitzer Mobile acquisition, the Oracle Mobile Security Suite allows organizations to separate and manage apps and data on mobile devices.  Here's a link to the new data sheet.

The final major theme is simplification.  Oracle IDM is a secure, feature rich, highly scalable platform for protecting applications of all architectures.  To make this platform easier to install, patch and upgrade, PS2 introduces an installation automation wizard.  This wizard can capture details of an existing install, and save those parameters which can be used to clone an entire environment.  Installation times are dramatically reduced, as are patching and upgrade tasks.

In addition to these three major themes PS2 also contains: improved OAuth support, strong authentication features, new Privileged Account management features, as well as customizations and UI improvements throughout.

To learn more about the PS2 release: Register for our April 10, 2014 webcast


Wednesday Mar 12, 2014

Save the Date: April 10, 2014 @ 10:00 am PST - IDM 11gR2 PS2 Webcast

Oracle has recently released Patchset 2 for the Oracle IDM 11gR2 platform.  PS2 contains some important updates for Cloud & Mobile applications, as well as significant new features.  Register now to join us on April 10, where you will hear Amit Jasuja, SVP for IDM and Java talk about the focus on this release.  During this webcast, you will hear about:

  • Oracle's strategy for cloud application security - including a demo of the new Cloud Application Portal
  • New capabilities for full support of OAuth 2.0
  • Session recording and new management features for privileged account access
  • New features in the Mobile Security Suite - including a demo showing how business apps and data can be protected on a mobile device
  • New strong authentication functionality
  • All new automated installation wizard
  • Enhancements to Identity Governance

Register Now to Learn about the PS2 release: Webcast registration link

Monday Nov 25, 2013

Congratulations to Putnam Investments for winning the 2013 Oracle Excellence Award for Identity Management

This year, Putnam Investments won one of two Fusion Middleware Innovation Awards from a field of 31 organizations worldwide.

Pictured left to right: Aaron Perry, President of APTEC LLC; Marc Boroditsky, Vice President of Product Management, IDM; and John Xu, Putnam Investments

Putnam Investments won the 2013 OEA award for their project that migrated 80 core applications from Sun Access Manager to Oracle Access Manager in a year’s time, and replaced a competitive Identity Management solution with Oracle Identity Manager to automate access requests and approval workflows.

They are the recipients of this year’s excellence award for their comprehensive vision of how identity management is transforming their business through a converged security infrastructure.

Congratulations to ANZ Banking Group for winning the 2013 Oracle Excellence Award for Identity Management

This year ANZ Banking Group won one of two coveted Oracle Excellence awards for Fusion Middleware Innovation in the Identity Management category.  ANZ and Putnam were chosen from a field of 31 entries submitted by organizations worldwide.

Pictured left to right: Paul Beresford, ANZ Banking Group; Marc Boroditsky, Vice President Product Management, IDM; Richard Watson, IDM Sales Director, ANZ

ANZ Banking Group won the 2013 OEA award for their project to migrate their award winning mobile banking application from a competitive product to the Oracle IDM Platform, which provides device registration, authentication, authorization and application SSO.

By leveraging the Oracle IDM Platform, ANZ is able to provide a consistent customer experience regardless of how customers access the system (Mobile, Web, ATM, etc.)  Their innovative design resulted in extremely high levels of code reuse and 60% reduction of interfaces needed internally.


Sunday Nov 03, 2013

Patients are Running out of Patience

Healthcare is in a dramatic state of change globally and the change is being driven by patients. Patients are no longer content to wait in line, endure appointment delays and stay on hold waiting for a health insurance representative. Instead, patients are demanding on-line access to physicians, joining communities with fellow patients, scheduling appointments online and resolving claims issues over email. 

To accommodate the demand for patient connectivity, providers are innovating to find new ways to collaborate with patients. To address the demand, providers are offering 24/7 online access and pioneering ways to deliver care via mobile devices, for example using your iPhone as a heart monitor. Patient vitals can be collected before the patient even walks into the clinic.

These new approaches promise to enhance the patient experience and reduce the cost of care. Time is money both for the patient and the provider. For insurance companies, all of this is welcome news because it reduces unnecessary time with the physician, which reduces the number of claims.  Oracle is focused on enabling and securing the experience. The video below shares the Oracle healthcare transformation story.


Friday Nov 01, 2013

The Importance of a Security Assessment - by Michael Terra, Oracle

Today's Blog was written by Michael Terra, who was the Subject Matter Expert for the recently announced Oracle Online Security Assessment.

You can take the Online Assessment here: Take the Online Assessment

Over the past decade, IT Security has become a recognized and respected Business discipline.  Several factors have contributed to IT Security becoming a core business and organizational enabler including, but not limited to, increased external threats and increased regulatory pressure. Security is also viewed as a key enabler for strategic corporate activities such as mergers and acquisitions.

Now, the challenge for senior security professionals is to develop an ongoing dialogue within their organizations about the importance of information security and how it can impact their organization's strategic objectives/mission.

The importance of conducting regular “Security Assessments” across the IT and physical infrastructure has become increasingly important. Security standards and frameworks, such as the international standard ISO 27001, are increasingly being adopted by organizations and their business partners as proof of their security posture and “Security Assessments” are a great way to ensure a continued alignment to these frameworks.

Oracle offers a number of different security assessments covering a broad range of technologies. Some of these are short engagements conducted for free with our strategic customers and partners. Others are longer-term paid engagements delivered by Oracle Consulting Services or one of our partners. The goal of a security assessment (also known as a security audit or security review) is to ensure that necessary security controls are integrated into the design and implementation of a project, application or technology.  A properly completed security assessment should provide documentation outlining any security gaps that exist in an infrastructure and the associated risks for those gaps. With that knowledge, an organization can choose to either mitigate, transfer, avoid or accept the risk.

One example of an Oracle offering is a Security Readiness Assessment:

The Oracle Security Readiness Assessment is a practical security architecture review focused on aligning an organization’s enterprise security architecture to its business principles and strategic objectives. The service will establish a multi-phase security architecture roadmap focused on supporting new and existing business initiatives.

Offering Overview

The Security Readiness Assessment will:

  • Define an organization’s current security posture and provide a roadmap to a desired future state architecture by mapping  security solutions to business goals
  • Incorporate commonly accepted security architecture concepts to streamline an organization’s security vision from strategy to implementation
  • Define the people, process and technology implications of the desired future state architecture
  • Deliver cohesive, best-practice security architectures spanning multiple domains that are unique and specific to the context of your organization.


Offering Details

The Oracle Security Readiness Assessment is a multi-stage process with a dedicated Oracle Security team supporting your organization.  During the course of this free engagement, the team will focus on the following:

  • Review your current business operating model and supporting IT security structures and processes
  • Partner with your organization to establish a future state security architecture leveraging Oracle’s reference architectures, capability maps, and best practices
  • Provide guidance and recommendations on governance practices for the rollout and adoption of your future state security architecture
  • Create an initial business case for the adoption of the future state security architecture


If you are interested in finding out more, ask your Sales Consultant or Account Manager for details.

Thursday Oct 31, 2013

Take our Online Assessment to see how your IDM strategy stacks up

Recently, we launched a new online self assessment tool to help customers review their current IDM infrastructure.  This 10 question self assessment will allow you to measure the effectiveness of your IDM technology, but also business processes and security posture.

Watch the video below, and then click the "Get Started!" link embedded in the player to take the survey. (Note: the video tells you to go to our Oracle.com/identity page to get started - but using the link in the video player saves you the extra step.)

At the end of the survey, you will be presented with your overall score, your security maturity ranking, and you can register to save your results and to download a comprehensive report.  The report explains each of the questions, notes your response, and makes specific suggestions.

Use this link to jump to the Online Assessment directly:  Take the assessment, and see how you rank!


About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.
