Monday Apr 14, 2014

Follow up Identity Management 11g R2 PS2

If you joined our webcast on Thursday, thanks for tuning in.  Below is a link to the on-demand webcast and we have captured the Q & A from the session in-line.

On demand  Webcast: Click Here

Question: For the customers in the process of moving to the cloud and mobile space, is PS2 the right version (whether Access or Identity) to be on? Answer: Absolutely. Particularly for Access with full OAuth 2 support.

Question: Have consumer and customer identity requirements for retail been met (full user experience, admin/provisioning, federated access and delegated admin implemented)? Is any large retail account or case study of the implementation available for sharing? Answer: Yes, we have several retail customers who have implemented unified, enterprise-wide identity management to help grow their business (via customer loyalty apps and programs) and streamline/secure their business with complete Identity Governance and life cycle management. Click here to see customer examples:

Question: Any large AppStore implementation and global roll-out? Answer: For the Oracle Mobile Security Suite we have some very large Fortune 5 customers with global rollouts including oil & gas, retail and banking.

Question: Can you elaborate on how security concerns were addressed about the form fill technology? Answer: The form fill technology in the Access Portal Service is built on the Oracle ESSO infrastructure. It leverages the same ESSO repository to store credentials and application configuration. It is compatible with the same business logic flows that exist in native ESSO. It fully supports bi-directional crypto between Java and CAPI code. The asymmetric key support includes RSA and translation of PK pairs to/from MS PK and Java. The symmetric key support includes AES256 and TripleDES (for compat/upgrade). It fully supports encryption/decryption of ESSO credentials in Java (compatible with CAPI). The hashing/MessageDigest support includes SHA-1 and SHA-256, compatible with Java and CAPI.

Question: Question from my Tweet: Will the new Access Management platform support SAML and OAuth as the standard instead of the ObSSO token? Answer: We already support SAML and have now introduced support as an OAuth 2.0 server in PS2, while ensuring that these technologies work seamlessly in conjunction with session management and secure single sign-on using OAM 11g technology.

Question: How do we provision/deprovision users for cloud apps? Answer: We will provide auto-provisioning of applications by allowing association to applications directly from the OAM console. Today auto-provisioning is only possible using the Enterprise Single Sign-On provisioning gateway.

Question: Is the Bitzer application available as part of the Oracle Access Manager product? Answer: The Bitzer technology is available in the Oracle Mobile Security Suite.

Question: Does OAP provide support for legacy applications (thick client, mainframe apps)? Answer: Access Portal, at this time, is for web-based applications only.

Question: Does the Cloud Security Portal work with the OAM 10g version? Answer: Access Portal is an OAM 11gR2 PS2 service.

Question: How do you compare Oracle PS2 with REST API based security appliances like Layer 7 etc.? Answer: The Oracle API Gateway (OAG) component provides REST API security in the same way. This is already available and is widely deployed by our customer base, particularly for their consumer and mobile facing applications.

Question: What licenses are needed for the Automated Suite Installation for IDM which was spoken about? Answer: The automated installation requires only licenses for the software that you are installing. There's not a separate license for the automation.

Question: Do you have PII and PCI compliance patterns implemented for SaaS eCommerce apps globally? Answer: May need more info to answer this, but if Oracle accepts credit cards for any of its services then obviously it will need to follow PCI etc. Here is a link to a paper on how we align IDM with PCI controls.

Question: Do you see a push in the federal marketplace to implement the Oracle soft token approach to security or is the marketplace still leveraging traditional 2 factor and mobile technologies are lagging behind? Answer: We see a push across all verticals to use the soft token approach 

Question: As OMSS and IDM Suite come separately (two different product suites), how exactly do these get wired to achieve SSO? How difficult is it to wire them? Answer: These suites are separate from a licensing perspective but utilize the same underlying platform.

Thursday Apr 10, 2014

Securing The Identity of Everything

Along with tremendous economic change, the Internet of Things (IoT) will transform the way IT organizations think about security. Instead of focusing on securing the network perimeter, IT departments will have to secure the new perimeter: people, data and devices. The new point of control will be user access to devices, data and applications. Each device will have an identity on the network, and companies will face the challenge of device tracking, registration and fraud detection. In this session, Ranjan Jain will discuss his current effort to manage the "Identity of Everything" and share how organizations can unlock the potential of this approach. Register now.

Ranjan Jain, IT Architect for Enterprise Identity and Access Management, Cisco 

Naresh Persaud, Senior Director, Product Marketing and Market Development, Oracle

Wednesday Apr 09, 2014

Webcast: Announcing The Oracle Mobile Security Suite

Oracle IDM 11gR2 PS2: Cloud and Mobile Strategy Update Webcast

As cloud applications and personal mobile devices continue to drive new business models, new security challenges for IT teams are on the rise. Oracle recently announced the availability of its latest Oracle Identity Management 11g Release 2 PS2, which is heavily focused on securing the extended enterprise. 

This live webcast will provide you with an overview of key themes in Oracle Identity Management 11g Release 2 PS2, and cover salient aspects of the release’s cloud and mobile security strategy. You’ll also see a demonstration of the new cloud access portal and mobile security suite. The Twitter feed #OracleIDMPS2 can be used for questions during the live Q&A session at the end of the presentation.

Attend this webcast to:

  • Hear about the latest updates in Oracle Identity Management 11g Release 2 PS2, including new strong authentication and installation automation features
  • See how Oracle is taking an application-focused approach to mobile security
  • Learn how you can secure your cloud applications with enterprise identity management

Register now to attend this important webcast. Tweet your questions using hashtag #OracleIDMPS2

April 10, 2014 – 10:00 am PST

Copyright © 2013, Oracle and/or its affiliates. 
All rights reserved.

Tuesday Mar 25, 2014

Enabling access to Google Apps through Oracle IDM

Guest blog by Anand Murugesan

Adoption of the cloud is enabling organizations to rapidly increase capacity and employee productivity while reducing costs.  IT organizations are trying to play catch-up with this accelerating trend and are faced with technological obstacles in enabling access to cloud applications.  When it comes to enabling employee access to cloud applications, organizations today are using cumbersome techniques, including manual provisioning and de-provisioning processes, that cause delays in cloud enablement.  Moreover, manual de-provisioning leaves security gaps when employees leave the company or move between organizations: an account in the cloud application can outlive the employment it was granted for.  The Oracle Identity and Access Management suite (Oracle IAM Suite) addresses these issues with the right set of technologies and tools to fast-track cloud adoption.  In this article we will discuss how organizations can enable their users to access Google Applications.  

Organizations can integrate Oracle IAM Suite with Google Applications through either Identity Federation or Identity Synchronization techniques.  The choice depends on the type of access needed for Google Applications.

The first option is to use SAML 2.0 based Federation standards to integrate with Google Apps.  As per Google, “Google Apps offers a SAML-based Single Sign-On (SSO) service that provides customers with full control over the authorization and authentication of hosted user accounts that can access web-based applications like Gmail or Google Calendar.”   In this case Google Apps acts as the Service Provider (SP), and the Oracle Identity and Access Management Federation Service acts as the Identity Provider (IdP).  With this type of integration, when a user accesses Google Apps through a web browser, the user is redirected to the Federation Service hosted by the customer for authentication.  Once authentication is complete, the user is redirected back to Google Apps carrying a SAML assertion about their identity.  The Federation Service supports both SP-initiated and IdP-initiated logout.  Because authentication always happens at the customer's IdP, the customer retains full control over who has access to Google Apps: an account disabled on-premises can no longer obtain an assertion, regardless of what the cloud side still holds.
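The SP-initiated exchange described above, as an added example that is not part of the original post and not Oracle's or Google's code: the SP builds an AuthnRequest for the HTTP-Redirect binding, the IdP decodes it and, after local authentication, returns a Response for the HTTP-POST binding, and the SP performs the relying-party checks (Destination, Issuer, status, InResponseTo binding, validity window with clock skew, audience, assertion-ID replay) before trusting the NameID. The entity IDs, URLs and user are assumed placeholders, and the XML-DSig signature a real IdP attaches is deliberately omitted because verifying it needs an XML-security library; in production the signature check precedes every other check below.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT = "%Y-%m-%dT%H:%M:%SZ"


class SamlError(Exception):
    pass


def sp_build_authn_request(sp_entity_id, acs_url, idp_sso_url, now):
    """SP side: AuthnRequest for the HTTP-Redirect binding (raw DEFLATE -> base64 -> URL-encode)."""
    req_id = "_" + secrets.token_hex(16)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="{req_id}" Version="2.0" '
           f'IssueInstant="{now.strftime(FMT)}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    return req_id, f"{idp_sso_url}?SAMLRequest={quote(base64.b64encode(raw).decode(), safe='')}"


def idp_parse_authn_request(url):
    """IdP side: undo the redirect-binding encoding and read what the SP asked for."""
    raw = base64.b64decode(unquote(url.split("SAMLRequest=", 1)[1]))
    root = ET.fromstring(zlib.decompress(raw, -15))
    return {"id": root.get("ID"), "acs_url": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext(f"{{{NS_A}}}Issuer")}


def idp_build_response(idp_entity_id, sp_entity_id, acs_url, name_id, now, in_response_to=None, ttl=300):
    """IdP side, after the user has authenticated locally. in_response_to=None models an
    IdP-initiated link. The XML-DSig signature a real IdP adds is omitted (assumption, see lead-in)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    nb, noa = now.strftime(FMT), (now + timedelta(seconds=ttl)).strftime(FMT)
    xml = (f'<samlp:Response xmlns:samlp="{NS_P}" xmlns:saml="{NS_A}" ID="_{secrets.token_hex(16)}" '
           f'Version="2.0" IssueInstant="{nb}" Destination="{acs_url}"{irt}>'
           f'<saml:Issuer>{idp_entity_id}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{nb}">'
           f'<saml:Issuer>{idp_entity_id}</saml:Issuer>'
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
           f'<saml:Audience>{sp_entity_id}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()  # HTTP-POST binding: base64 in a form field


def sp_validate_response(resp_b64, sp_entity_id, acs_url, idp_entity_id, now, pending_ids,
                         seen_assertion_ids, allow_unsolicited=False, skew_s=60):
    """SP side: the checks a relying party makes before trusting the NameID (signature aside).
    pending_ids / seen_assertion_ids are the SP's state for request binding and replay detection."""
    root = ET.fromstring(base64.b64decode(resp_b64))
    if root.get("Destination") != acs_url:
        raise SamlError("Destination is not our ACS URL")
    if root.findtext(f"{{{NS_A}}}Issuer") != idp_entity_id:
        raise SamlError("unexpected Issuer")
    if root.find(f"{{{NS_P}}}Status/{{{NS_P}}}StatusCode").get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    irt = root.get("InResponseTo")
    if irt is None and not allow_unsolicited:
        raise SamlError("unsolicited (IdP-initiated) response not allowed")
    if irt is not None and irt not in pending_ids:
        raise SamlError("InResponseTo matches no outstanding request")
    pending_ids.discard(irt)  # one request, one response
    a = root.find(f"{{{NS_A}}}Assertion")
    if a is None or a.get("ID") in seen_assertion_ids:
        raise SamlError("missing or replayed assertion")
    cond = a.find(f"{{{NS_A}}}Conditions")
    nb = datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=timezone.utc)
    noa = datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=timezone.utc)
    skew = timedelta(seconds=skew_s)
    if now + skew < nb or now - skew >= noa:
        raise SamlError("assertion outside its validity window")
    if sp_entity_id not in [e.text for e in cond.iter(f"{{{NS_A}}}Audience")]:
        raise SamlError("assertion not addressed to this SP")
    seen_assertion_ids.add(a.get("ID"))
    return a.findtext(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID")


def demo_flow(now=None):
    """SP-initiated exchange end to end, then a replay of the same response. All names are assumed."""
    now = now or datetime.now(timezone.utc)
    sp, acs = "google.com/a/example.com", "https://www.google.com/a/example.com/acs"
    idp, sso = "https://idp.example.com/oamfed", "https://idp.example.com/oamfed/idp/samlv20"
    pending, seen = set(), set()
    req_id, url = sp_build_authn_request(sp, acs, sso, now)
    pending.add(req_id)
    req = idp_parse_authn_request(url)
    resp = idp_build_response(idp, req["issuer"], req["acs_url"], "alice@example.com", now, req["id"])
    name_id = sp_validate_response(resp, sp, acs, idp, now, pending, seen)
    try:
        sp_validate_response(resp, sp, acs, idp, now, pending, seen)
        replay_rejected = False
    except SamlError:
        replay_rejected = True
    return name_id, replay_rejected
```

`demo_flow()` returns the asserted NameID and `True` for the replay attempt, which fails because the request ID was consumed by the first response (and the assertion ID would be caught next). Set `allow_unsolicited=True` only for SPs that deliberately accept IdP-initiated links of the kind the Access Portal uses, since an unsolicited response cannot be bound to a request the SP started.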

The second option is to use two-way identity synchronization.  The Google Apps connector that ships with Oracle Identity Manager (part of the Oracle IAM Suite) keeps on-premises and cloud identities in sync.  This connector manages Google Apps as a ‘managed target resource’, so that accounts created or modified directly in Google Apps are reconciled into Oracle Identity Manager, where an account with no matching on-premises identity becomes visible.  Moreover, user accounts can be provisioned into, updated in, and removed from Google Apps from Oracle Identity Manager, so a leaver processed on-premises loses the cloud account as part of the same event.
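The reconciliation step at the heart of the synchronization option, as an added example that is not part of the original post and not the Oracle connector's code: given the authoritative on-premises identities and the accounts currently in the cloud target, compute the provisioning actions that bring the target in line, with access removal ordered first and cloud-only accounts flagged rather than silently adopted. The attribute list, status values and the two sample directories are constructed for the example.

```python
# Attributes for which the on-premises directory is authoritative. Assumed for this example;
# a real connector's attribute mapping is configured per deployment.
MANAGED_ATTRS = ("givenName", "familyName", "orgUnit")


def reconcile(source, target):
    """Return the provisioning actions that make `target` (cloud accounts) match `source`
    (authoritative on-prem identities). Both are dicts keyed by primary email:
      source[email] = {"status": "active" | "disabled" | "terminated", <attrs>}
      target[email] = {"suspended": bool, <attrs>}
    Actions are (kind, email, detail) tuples, ordered so access removal runs first."""
    suspend, orphans, update, unsuspend, create = [], [], [], [], []
    for email, user in source.items():
        acct = target.get(email)
        if user["status"] != "active":
            # Leaver or disabled mover: suspend, do not delete, so mail data and audit history
            # survive until a separate, deliberate deletion step.
            if acct and not acct["suspended"]:
                suspend.append(("suspend", email, user["status"]))
            continue
        wanted = {k: user[k] for k in MANAGED_ATTRS if k in user}
        if acct is None:
            create.append(("create", email, wanted))
            continue
        if acct["suspended"]:
            unsuspend.append(("unsuspend", email, None))
        diff = {k: v for k, v in wanted.items() if acct.get(k) != v}
        if diff:
            update.append(("update", email, diff))
    for email, acct in target.items():
        if email not in source and not acct["suspended"]:
            # Created directly in the cloud with no owner in the source of truth: an orphan
            # (possibly rogue) account. Surface it for review rather than silently adopting it.
            orphans.append(("flag_orphan", email, None))
    return suspend + orphans + update + unsuspend + create


def demo():
    """Constructed sample directories; returns the action list for inspection."""
    source = {
        "alice@example.com": {"status": "active", "givenName": "Alice", "familyName": "Ng", "orgUnit": "/Eng"},
        "bob@example.com": {"status": "terminated", "givenName": "Bob", "familyName": "Lee", "orgUnit": "/Sales"},
        "carol@example.com": {"status": "active", "givenName": "Carol", "familyName": "Diaz", "orgUnit": "/Finance"},
        "dave@example.com": {"status": "active", "givenName": "Dave", "familyName": "Roy", "orgUnit": "/Eng"},
    }
    target = {
        "alice@example.com": {"suspended": False, "givenName": "Alice", "familyName": "Ng", "orgUnit": "/Sales"},
        "bob@example.com": {"suspended": False, "givenName": "Bob", "familyName": "Lee", "orgUnit": "/Sales"},
        "dave@example.com": {"suspended": True, "givenName": "Dave", "familyName": "Roy", "orgUnit": "/Eng"},
        "mallory@example.com": {"suspended": False, "givenName": "M", "familyName": "X", "orgUnit": "/Eng"},
    }
    return reconcile(source, target)
```

Running `demo()` suspends Bob (terminated on-premises but still live in the cloud), flags Mallory (exists only in the cloud), moves Alice to the correct org unit, reactivates Dave and creates Carol, in that order. The ordering matters in a real run: removing access for leavers and surfacing orphans should never wait behind a long queue of creates.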

Both Federation and Identity Synchronization enable seamless integration with Google Apps.  When would you choose one over the other?   If the customer needs to enable only web browser based access to Google Apps for their users, then SAML based Federation is sufficient.  Setting up Federation is a fairly simple process.  For more information refer to this white paper.  On the other hand, if the customer wants to enable access beyond the web browser, from desktop or mobile clients such as Outlook for Google Apps that authenticate with a Google password rather than through a browser redirect, identity synchronization is the better option.  The two can also be combined: federation for browser SSO, synchronization for account lifecycle.  For more information on how to set up the Google Connector, please refer to the Oracle Identity Manager Google Apps Connector documentation.

Friday Mar 21, 2014

What's New in PS2? The Cloud Access Portal

Cloud Application management is one of the main themes in the PS2 release.  I have asked Lee Howarth to explain a bit more about the new Cloud Access Portal Service.

With the advent of SaaS applications, how do we solve password and single sign-on challenges... again?

For many years Single Sign-On technology has provided various security and usability benefits, allowing organizations to simplify the user experience of gaining access to multiple web and enterprise resources, while enforcing more complex password policies to increase security.  Unfortunately this status quo is being challenged by the advent of Software-as-a-Service applications.

Once again, users are being asked to remember multiple name and password combinations for their various SaaS accounts, a situation made even more frustrating by the fact that more and more users are accessing these sites from mobile devices.

The types of web applications accessed by a typical corporate user can be grouped into three main categories:

  1. Applications that require a name and password (corporate and SaaS) to be entered directly into a login form
  2. Applications that are protected by some form of Access Management solution; and
  3. Applications that are federation enabled (corporate partner or SaaS application).

Addressing the password challenge across each of these categories, while simplifying usability and management, is the key benefit of the new Oracle Access Management - Access Portal Service.
The Access Portal provides:

  • A cross-platform logon portal for web-based applications that automatically adapts to the device form-factor.
  • Single sign-on to SaaS, web, partner and Oracle Access Management protected resources via Identity Federation, Form-Fill and Oracle Access Management session identifiers.
  • Centralized administration and wizard-based form-fill template generation to simplify administrative tasks.
  • RESTful interfaces to enable integration with existing corporate portals.

Administrators define applications in the Oracle Access Management administration interface as one of three types, corresponding to the categories above.

  • Form-Fill Applications: applications that require a name and password to be entered into a login form.  The Access Portal service uses proxy technology to provide a form-fill service that supports login forms and can even sense when passwords have changed (perhaps due to password expiration) and lets the user update the securely stored credentials.
  • SSO Agent Applications: applications protected by Oracle Access Management (OAM).  With this type of application the Access Portal simply presents links to OAM-protected URLs.  Authentication is handled by standard OAM authentication and session management.
  • Federated Applications: applications that require federated authentication, be they partner or SaaS applications.  In this case the Access Portal entries are essentially IdP-initiated authentication links, which use the Oracle Access Management - Federation Service to authenticate the user and assert their identity to the target application.

The following diagram represents the high-level architecture for the Access Portal Service (APS):

APS Architecture

For more information, please visit


Wednesday Mar 19, 2014

What's new in PS2? Many enhancements to Identity Governance

As you might know, our official IDM 11gR2 PS2 webcast will be held on April 10, 2014 @ 10:00 am PST

Register for our PS2 Webcast

#OracleIDMPS2 is our official Twitter hashtag for all things PS2!

In the run-up to the webcast, I have asked the PM team to put together a series of blogs outlining the big changes and new features introduced as part of the PS2 release.  This week, the Identity Governance team has put together a post all about Identity Governance.

Oracle Identity Governance is a suite of highly flexible and scalable enterprise identity administration solutions that provides operational and business efficiency through centralized administration and complete automation of identity and user provisioning events across enterprise and extranet applications. It provides role lifecycle management and privileged account management, ensuring consistent enforcement of identity-based controls and thereby reducing ongoing operational and compliance costs. New features introduced in the Oracle Identity Governance 11gR2 PS2 release are focused on customer success, improving overall reliability and reducing the TCO of existing deployments. Highlights include: 

Dynamic Organization Membership

In a typical enterprise or extranet scenario, a user is associated with their home organization but requires membership of other organization entities to perform related functions. For example, a global help desk user who belongs to the Support organization requires access to view and perform certain functions (like password reset) on other organizations such as Finance and Sales. Previously the only option was to manually assign the help desk user to an Organization Viewer admin role, which is restrictive and better suited to permission grants than to membership. 

Dynamic Organization Membership provides a way to specify a rule that drives the membership of a user in one or more organizations based on the user's attributes. The feature introduces the ability to specify a membership rule for organizations, similar to how rule-based role membership is handled. Once a user is dynamically associated with other organizations, they get implicit viewer privileges for the users, roles and privileges made available to those organizations. If certain users need to perform actions, as in the help desk example above, they must still be associated with the corresponding admin role manually: dynamic membership grants visibility, not administrative rights. Note that this is dynamic rule-based organization membership (not a virtual organization) and must be associated with a physical organization in the solution.
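A rule evaluator for the membership model described above, as an added example that is not part of the original post and not Oracle Identity Governance code: membership is the home organization plus every organization whose rule the user's attributes satisfy, a missing attribute fails closed, implicit membership grants only visibility, and acting on a user (a password reset) still requires an explicitly granted admin role. The rule syntax, operator names, organizations, users and the `Org Admin:<org>` role naming are all assumptions made for this example.

```python
import operator

# Rule operators (assumed for this example; the product's rule language is its own).
OPS = {
    "eq": operator.eq,
    "ne": operator.ne,
    "in": lambda value, allowed: value in allowed,
    "startswith": lambda value, prefix: isinstance(value, str) and value.startswith(prefix),
}


def rule_matches(rule, user):
    """rule = {"all": [...]} or {"any": [...]}, each condition being (attr, op, value).
    A missing attribute never satisfies a condition: evaluation fails closed."""
    mode, conds = next(iter(rule.items()))
    results = [attr in user and OPS[op](user[attr], value) for attr, op, value in conds]
    return all(results) if mode == "all" else any(results)


def memberships(user, orgs):
    """Home organization plus every organization whose membership rule the user satisfies.
    orgs = {org_name: rule or None}; None means membership of that org is explicit only."""
    dynamic = {name for name, rule in orgs.items() if rule is not None and rule_matches(rule, user)}
    return {user["homeOrg"]} | dynamic


def can_view(viewer, subject, orgs):
    """Implicit viewer privilege: membership lets you see users whose home org you belong to."""
    return subject["homeOrg"] in memberships(viewer, orgs)


def can_reset_password(viewer, subject, orgs, admin_roles):
    """Acting on a user still needs an explicitly granted admin role for that organization;
    dynamic membership alone only grants visibility."""
    org = subject["homeOrg"]
    return can_view(viewer, subject, orgs) and f"Org Admin:{org}" in admin_roles.get(viewer["uid"], set())


def demo():
    """Constructed organizations and users; returns the access decisions for inspection."""
    orgs = {
        "Support": None,
        "Engineering": None,
        "Finance": {"any": [("title", "eq", "Help Desk Analyst"), ("dept", "eq", "Finance")]},
        "Sales": {"all": [("title", "startswith", "Help Desk"), ("region", "in", ["EMEA", "APAC"])]},
        "Labs": {"all": [("dept", "eq", "Engineering"), ("clearance", "eq", "internal")]},
    }
    helpdesk = {"uid": "hd1", "homeOrg": "Support", "title": "Help Desk Analyst", "region": "EMEA"}
    dev = {"uid": "dev1", "homeOrg": "Engineering", "dept": "Engineering", "title": "Engineer"}
    cfo = {"uid": "cfo", "homeOrg": "Finance", "dept": "Finance"}
    admin_roles = {"hd1": {"Org Admin:Finance"}}  # explicit grant, Finance only
    return {
        "helpdesk_orgs": memberships(helpdesk, orgs),
        "dev_orgs": memberships(dev, orgs),  # no "clearance" attribute, so the Labs rule fails closed
        "hd_sees_cfo": can_view(helpdesk, cfo, orgs),
        "dev_sees_cfo": can_view(dev, cfo, orgs),
        "hd_resets_cfo": can_reset_password(helpdesk, cfo, orgs, admin_roles),
        "hd_resets_dev": can_reset_password(helpdesk, dev, orgs, admin_roles),
    }
```

In `demo()` the help desk analyst lands in Support, Finance and Sales by rule, can see the CFO, and can reset the CFO's password only because of the explicit `Org Admin:Finance` grant; the developer, lacking the `clearance` attribute, never enters Labs.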

Simplified Request Management

Oracle Identity Governance provides a centralized catalog of access rights, including enterprise and application roles, standard and privileged accounts and entitlements. The solution enables customers to create multiple views of the centralized catalog, like catalog by location, by department or a hierarchical catalog showing all applications along with associated entitlements etc., tailored to their needs. A list of beneficiaries can also be programmatically sent to the catalog enabling customers to integrate with other request initiating systems like a ticketing system.

Oracle Identity Governance provides a business-user-friendly catalog for requesting account entitlements. However, it previously required the business user to know about entitlement-related dependencies. For example, the user needed to know that they needed an e-Business account before they could request an entitlement granting them privileges to raise a purchase order in e-Business. OIG can now automatically request the account for a user when a related entitlement is requested, relieving business users of the need to know the account-entitlement relationship.

Business users, requesters, approvers and access certifiers often require detailed information on what a particular entitlement maps to in the target system. For example, granting an e-Business role or responsibility grants a user a set of menu/button privileges. OIG now supports importing such hierarchical entitlement metadata and making it available during request, approval and certification processes. Users typically have more than one account in a target system, and OIG supports multiple accounts being associated with a user.

The solution now supports specifying which account a specific entitlement in a request should be associated with during the request checkout process. In many cases, requesters are required to provide additional information during an access request for each item requested. For example, in a request involving multiple entitlements, the requester might be required to specify the start date and end date for each entitlement requested. OIG enables requesters to provide such information during the request, and carries it all the way through the approval and provisioning processes. OIG also provides an out-of-the-box scheduled task for entitlement grant and revocation based on the start and end dates specified, so that time-bound access actually ends when the end date arrives.

Oracle Identity Governance also enables requesters to save the request cart enabling them to validate and submit requests at a later time.

Collaborative Certification Processes with Identity Auditor

Oracle Identity Governance introduces the capability of specifying additional levels of review in the certification workflow. For example, OIG can now launch a certification review in which the business manager reviews the users that report to them, followed by the manager's manager reviewing the same access rights while seeing the decisions made by their subordinate. In addition, collaborative certification workflows involving representatives from both business lines and IT can be launched for improved accountability and remediation. 

Improved Diagnostics

Oracle Identity Governance introduces a new operational console in Oracle Enterprise Manager that gives administrators a complete view of all defined OIG operations, out-of-the-box and customer-defined event handlers, child processes and workflow processes, together with their state and error information, without requiring them to mine different server logs. This tool does not replace the larger IDM management pack in Enterprise Manager, which provides suite-wide monitoring, but serves as a diagnostic tool specifically for OIG. 

Privileged Account Session Management

Recent front-page security breaches have emphasized that access control and monitoring of privileged accounts is critical. In some cases, privileged account password management alone is not enough: knowing who checked out a password says nothing about what they did with it. The OPAM solution in the OIG suite additionally provides session management and auditing capabilities to address these cases. By creating a single access point to the target resources, OPAM’s Oracle Privileged Session Manager (OPSM) helps administrators control and monitor all the activities within a privileged session.

 For more information on OPAM, read our blog here: New Session Management in OPAM

Tuesday Mar 18, 2014

What's New in PS2? Oracle Privileged Account Manager session management

As you saw in my previous blog there are a lot of new features in PS2 - and as we count down to our PS2 Webcast (April 10 @ 10:00 am PST - Register Here ) we will be posting a series of blogs detailing the new features.  In this blog, I have invited the PM team to talk about the new session management capability in OPAM.

11gR2 PS2 is an important release for OPAM where we made significant advances in many product areas. One such area is “Session Management”.

So, what is session management? In the past, privileged access management solutions focused on password vaults and providing secure access to the credentials stored in such vaults.

However, this approach raises certain questions:  

  • Can we prevent the end user seeing the actual privileged account password?
  • How can we control how the end user utilizes the password?
  • Can we capture the actions performed by the end user for audit purposes?

Session Management support in OPAM addresses all of these questions by focusing on the following areas:

Session Initiation

  1. Users can initiate a session as a privileged account without knowing the actual account password.
  2. Instead, the user just needs to authenticate as themselves, and access to the target is granted based on the grants they hold.
  3. Finally, since OPAM uses a gateway-based approach, the end user can connect using any protocol-compliant third-party client.

Thus privileged session initiation has been secured without impacting the established working practices of the end user. The end user is still free to use the tools they are familiar with (e.g. PuTTY, OpenSSH) and does not need to explicitly interact with OPAM for every checkout.

Session Control

  1. Sessions can be terminated based on usage policies (e.g. after 30 minutes)
  2. Sessions can be terminated by security personnel observing suspicious behavior

Since the sessions occur via OPAM’s Session Management server, there’s a controlled single entry point for privileged access. Additionally, since all sessions occur within OPAM’s purview we are able to control what occurs within a session and terminate it as needed.

Session Recording

  1. Session activity is recorded and stored in an Oracle audit database.
  2. It is indexed and searchable.

All activity that occurs within a session is recorded, indexed and stored in the OPAM database. Answering questions like “who ran a certain command on the fileserver as admin between 9am and 10am on April 1st 2013” therefore becomes trivial, because every recorded command is tied to the named user who opened the session, not just to the shared privileged account.
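A model of the three capabilities above (initiation without password disclosure, policy-based termination, and a searchable recording), as an added example that is not part of the original post and not OPAM code. The broker keeps the vault password internal and performs the upstream login itself, enforces a maximum session duration, and indexes recorded commands by timestamp so that the “who ran what, as admin, between 9 and 10” question is a range query. The target, account, users, policy duration and commands are constructed for the example, and `_connect` is a stand-in for the real SSH connection the gateway would open.

```python
import bisect
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    session_id: str
    user: str
    target: str
    account: str
    command: str


class SessionBroker:
    """Gateway that opens the privileged session itself: it reads the account password from the
    vault and authenticates to the target, so the end user never sees the secret."""

    def __init__(self, vault, grants, max_duration=timedelta(minutes=30)):
        self._vault = vault        # {(target, account): password}, never returned to callers
        self._grants = grants      # {user: {(target, account), ...}}
        self._max = max_duration
        self._sessions = {}        # session_id -> state
        self._events = []          # recorded commands, kept in timestamp order
        self._index = []           # parallel timestamps for bisect range queries

    def open_session(self, user, target, account, now):
        if (target, account) not in self._grants.get(user, ()):
            raise PermissionError(f"{user} holds no grant for {account}@{target}")
        self._connect(target, account, self._vault[(target, account)])
        sid = secrets.token_hex(8)
        self._sessions[sid] = {"user": user, "target": target, "account": account,
                               "started": now, "ended": None, "reason": None}
        return sid

    def _connect(self, target, account, password):
        """Stand-in for the upstream SSH login the gateway performs with the vaulted password."""

    def run(self, sid, command, now):
        s = self._sessions[sid]
        if s["ended"] is None and now - s["started"] > self._max:
            self.terminate(sid, now, "usage policy: maximum session duration exceeded")
        if s["ended"] is not None:
            raise RuntimeError(f"session {sid} ended ({s['reason']})")
        pos = bisect.bisect_right(self._index, now)
        self._index.insert(pos, now)
        self._events.insert(pos, Event(now, sid, s["user"], s["target"], s["account"], command))

    def terminate(self, sid, now, reason):
        """Also what an operator calls when observing suspicious behaviour."""
        s = self._sessions[sid]
        if s["ended"] is None:
            s["ended"], s["reason"] = now, reason

    def session_state(self, sid):
        return dict(self._sessions[sid])

    def search(self, start, end, target=None, account=None, user=None):
        """Who ran what, as which account, on which host, between start and end (inclusive)."""
        lo, hi = bisect.bisect_left(self._index, start), bisect.bisect_right(self._index, end)
        return [e for e in self._events[lo:hi]
                if (target is None or e.target == target)
                and (account is None or e.account == account)
                and (user is None or e.user == user)]


def demo():
    """Constructed scenario: one granted user, one denied user, a 30-minute policy, an audit query."""
    t0 = datetime(2013, 4, 1, 9, 0)
    broker = SessionBroker(vault={("fileserver", "admin"): "vaulted-secret"},
                           grants={"alice": {("fileserver", "admin")}})
    try:
        broker.open_session("mallory", "fileserver", "admin", t0)
        denied = False
    except PermissionError:
        denied = True
    sid = broker.open_session("alice", "fileserver", "admin", t0)
    broker.run(sid, "useradd svc-backup", t0 + timedelta(minutes=12))
    broker.run(sid, "tail -n 50 /var/log/auth.log", t0 + timedelta(minutes=25))
    try:
        broker.run(sid, "chmod 777 /srv/share", t0 + timedelta(minutes=41))  # past the 30-minute policy
        cut_off = False
    except RuntimeError:
        cut_off = True
    found = broker.search(t0, t0 + timedelta(hours=1), target="fileserver", account="admin")
    return {"denied": denied, "cut_off": cut_off, "reason": broker.session_state(sid)["reason"],
            "commands": [(e.user, e.command) for e in found]}
```

`demo()` shows the three properties together: Mallory is refused without ever reaching the vault, the command issued at 9:41 is rejected because the policy closed the session, and the 9 to 10 o'clock query on `admin@fileserver` returns the two commands attributed to Alice rather than to the shared account.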

In summary, OPAM’s Privileged Session Management is an important addition to the existing password vault solution, adding personal accountability and extending audit capabilities. In 11gR2 PS2 we focused on SSH, since there is a very large footprint of SSH-enabled target systems. Moving forward we’ll be adding both new protocols and additional functionality as part of our session management offering.

For further details see Oracle Privileged Account Manager - Whitepaper

Thursday Mar 13, 2014

Major Themes of the IDM 11gR2 PS2 Release

On April 10, Amit Jasuja and his Product Management team will be hosting a webcast to explain all of the newest features in the PS2 release. (Register Here for the Webcast)

The PS2 release has 3 major themes: Cloud, Mobile & Simplification.

Oracle continues to expand our management capability for cloud applications, and one of the new features in the PS2 release is the Cloud Access Portal.  The Cloud Access Portal provides a single console for managing access to cloud applications.  Single sign-on, form-fill technology and federation capabilities, which run on a full-size browser, tablet or smartphone, make this new portal a must-have for organizations using cloud apps (who isn't?).

For mobile application security, the PS2 release brings the introduction of the Mobile Security Suite. See our new web page devoted specifically to mobile security.

Based on technology from the Bitzer Mobile acquisition, the Oracle Mobile Security Suite allows organizations to separate and manage apps and data on mobile devices.  Here's a link to the new data sheet.

The final major theme is simplification.  Oracle IDM is a secure, feature-rich, highly scalable platform for protecting applications of all architectures.  To make this platform easier to install, patch and upgrade, PS2 introduces an installation automation wizard.  This wizard can capture the details of an existing install and save those parameters, which can then be used to clone an entire environment.  Installation times are dramatically reduced, as are patching and upgrade tasks.

In addition to these three major themes PS2 also contains: improved OAuth support, strong authentication features, new Privileged Account management features, as well as customizations and UI improvements throughout.

To learn more about the PS2 release: Register for our April 10, 2014 webcast

Wednesday Mar 12, 2014

Save the Date: April 10, 2014 @ 10:00 am PST - IDM 11gR2 PS2 Webcast

Oracle has recently released Patchset 2 for the Oracle IDM 11gR2 platform.  PS2 contains some important updates for cloud and mobile applications, as well as significant new features.  Register now to join us on April 10, where you will hear Amit Jasuja, SVP for IDM and Java, talk about the focus of this release.  During this webcast, you will hear about:

  • Oracle's strategy for cloud application security - including a demo of the new Cloud Application Portal
  • New capabilities for full support of OAuth 2.0
  • Session recording and new management features for privileged account access
  • New features in the Mobile Security Suite - including a demo showing how business apps and data can be protected on a mobile device
  • New strong authentication functionality
  • All new automated installation wizard
  • Enhancements to Identity Governance

Register Now to Learn about the PS2 release: Webcast registration link

Monday Nov 25, 2013

Congratulations to Putnam Investments for winning the 2013 Oracle Excellence Award for Identity Management

This year, Putnam Investments won one of two Fusion Middleware Innovation Awards from a field of 31 organizations worldwide.

Pictured left to right: Aaron Perry, President of APTEC LLC; Marc Boroditsky, Vice President of Product Management, IDM; and John Xu, Putnam Investments

Putnam Investments won the 2013 OEA award for their project that migrated 80 core applications from Sun Access Manager to Oracle Access Manager in a year’s time, and replaced a competitive Identity Management solution with Oracle Identity Manager to automate access requests and approval workflows.

They are the recipients of this year’s excellence award for their comprehensive vision of how identity management is transforming their business through a converged security infrastructure.

Congratulations to ANZ Banking Group for winning the 2013 Oracle Excellence Award for Identity Management

This year ANZ Banking Group won one of two coveted Oracle Excellence awards for Fusion Middleware Innovation in the Identity Management category.  ANZ and Putnam were chosen from a field of 31 entries submitted by organizations worldwide.

Pictured left to right: Paul Beresford, ANZ Banking Group; Marc Boroditsky, Vice President Product Management, IDM; Richard Watson, IDM Sales Director, ANZ

ANZ Banking Group won the 2013 OEA award for their project to migrate their award winning mobile banking application from a competitive product to the Oracle IDM Platform, which provides device registration, authentication, authorization and application SSO.

By leveraging the Oracle IDM Platform, ANZ is able to provide a consistent customer experience regardless of how customers access the system (Mobile, Web, ATM, etc.)  Their innovative design resulted in extremely high levels of code reuse and 60% reduction of interfaces needed internally.

Sunday Nov 03, 2013

Patients are Running out of Patience

Healthcare is in a dramatic state of change globally and the change is being driven by patients. Patients are no longer content to wait in line, endure appointment delays and stay on hold waiting for a health insurance representative. Instead, patients are demanding on-line access to physicians, joining communities with fellow patients, scheduling appointments online and resolving claims issues over email. 

To accommodate the demand for patient connectivity, providers are innovating to find new ways to collaborate with patients. Providers are offering 24/7 access online and pioneering ways to deliver care via mobile devices, for example using your iPhone as a heart monitor. Patient vitals can be collected before the patient even walks into the clinic. 

These new approaches promise to enhance the patient experience and reduce the cost of care. Time is money both for the patient and the provider. For insurance companies, all of this is welcome news because it reduces unnecessary time with the physician, which reduces the number of claims.  Oracle is focused on enabling and securing the experience. The video below shares the Oracle healthcare transformation story.


Friday Nov 01, 2013

The Importance of a Security Assessment - by Michael Terra, Oracle

Today's Blog was written by Michael Terra, who was the Subject Matter Expert for the recently announced Oracle Online Security Assessment.

You can take the Online Assessment here: Take the Online Assessment

Over the past decade, IT Security has become a recognized and respected Business discipline.  Several factors have contributed to IT Security becoming a core business and organizational enabler including, but not limited to, increased external threats and increased regulatory pressure. Security is also viewed as a key enabler for strategic corporate activities such as mergers and acquisitions.

Now, the challenge for senior security professionals is to develop an ongoing dialogue within their organizations about the importance of information security and how it can impact their organization's strategic objectives/mission.

The importance of conducting regular “Security Assessments” across the IT and physical infrastructure has become increasingly important. Security standards and frameworks, such as the international standard ISO 27001, are increasingly being adopted by organizations and their business partners as proof of their security posture and “Security Assessments” are a great way to ensure a continued alignment to these frameworks.

Oracle offers a number of different security assessments covering a broad range of technologies. Some are short engagements conducted free of charge with our strategic customers and partners. Others are longer-term paid engagements delivered by Oracle Consulting Services or one of our partners. The goal of a security assessment (also known as a security audit or security review) is to ensure that the necessary security controls are integrated into the design and implementation of a project, application or technology.  A properly completed security assessment should provide documentation outlining any security gaps that exist in an infrastructure and the risks associated with those gaps. With that knowledge, an organization can choose to mitigate, transfer, avoid or accept each risk.

One example of an Oracle offering is a Security Readiness Assessment:

The Oracle Security Readiness Assessment is a practical security architecture review focused on aligning an organization’s enterprise security architecture to its business principles and strategic objectives. The service will establish a multi-phase security architecture roadmap focused on supporting new and existing business initiatives.

Offering Overview

The Security Readiness Assessment will:

  • Define an organization’s current security posture and provide a roadmap to a desired future state architecture by mapping security solutions to business goals
  • Incorporate commonly accepted security architecture concepts to streamline an organization’s security vision from strategy to implementation
  • Define the people, process and technology implications of the desired future state architecture
  • Deliver cohesive, best practice security architectures spanning multiple domains that are unique and specific to the context of your organization

Offering Details

The Oracle Security Readiness Assessment is a multi-stage process with a dedicated Oracle Security team supporting your organization.  During the course of this free engagement, the team will focus on the following:

  • Review your current business operating model and supporting IT security structures and processes
  • Partner with your organization to establish a future state security architecture leveraging Oracle’s reference architectures, capability maps, and best practices
  • Provide guidance and recommendations on governance practices for the rollout and adoption of your future state security architecture
  • Create an initial business case for the adoption of the future state security architecture

If you are interested in finding out more, ask your Sales Consultant or Account Manager for details.

Thursday Oct 31, 2013

Take our Online Assessment to see how your IDM strategy stacks up

Recently, we launched a new online self assessment tool to help customers review their current IDM infrastructure.  This 10 question self assessment will allow you to measure not only the effectiveness of your IDM technology, but also your business processes and security posture.

Watch the video below, and then click the "Get Started!" link embedded in the player to take the survey. (Note: the video tells you to go to our page to get started - but using the link in the video player saves you the extra step.)

At the end of the survey, you will be presented with your overall score, your security maturity ranking, and you can register to save your results and to download a comprehensive report.  The report explains each of the questions, notes your response, and makes specific suggestions.

Use this link to jump to the Online Assessment directly:  Take the assessment, and see how you rank!

Wednesday Oct 23, 2013

Oracle Identity Management Connector Overview

Oracle Identity Manager (OIM) is a complete Identity Governance system that automates access rights management, and provisions IT resources.  One important aspect of this system is the Identity Connectors that are used to integrate OIM with external, identity-aware applications.

New in OIM 11gR2 PS1 is the Identity Connector Framework (ICF) which is the foundation for both OIM and Oracle Waveset.

Identity Connectors perform several very important functions:

  • Onboarding accounts from trusted sources like SAP, Oracle E-Business Suite, & PeopleSoft HCM
  • Managing user lifecycles in various target systems through provisioning and reconciliation (recon) operations
  • Synchronizing entitlements from target systems so that they are available in the OIM request catalog
  • Fulfilling access grant and access revoke requests
  • Some connectors may support Role Lifecycle Management
  • Some connectors may support password sync from target to OIM
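To make the provisioning and reconciliation functions listed above concrete, here is an added example (not code from the OIM product or the ICF) that models the two reconciliation directions a connector drives: trusted-source recon, where an HR feed is authoritative for who should exist and be active, and target recon, where accounts found on a target system are checked back against what the identity system knows and the entitlements seen on the target are collected into a request catalog. The HR feed, identity records, account records and entitlement names are constructed sample data; the function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """A user record as the identity system would hold it (simplified)."""
    user_id: str
    status: str  # "Active" or "Disabled"


@dataclass(frozen=True)
class Account:
    """An account discovered on a target system (simplified)."""
    login: str
    owner_id: Optional[str]  # identity it is linked to; None if unmatched
    entitlements: frozenset


# Constructed sample data, not taken from any real system.
HR_FEED = [  # trusted source, e.g. an HCM extract
    {"employee_id": "E100", "status": "Active"},
    {"employee_id": "E101", "status": "Terminated"},
    {"employee_id": "E102", "status": "Active"},  # new hire not yet in OIM
]
OIM_IDENTITIES = [
    Identity("E100", "Active"),
    Identity("E101", "Active"),  # HR now says terminated
    Identity("E103", "Active"),  # has dropped out of the HR feed entirely
]
TARGET_ACCOUNTS = [
    Account("e100", "E100", frozenset({"AppRole_Reader"})),
    Account("e101", "E101", frozenset({"AppRole_Admin"})),
    Account("svc_legacy", None, frozenset({"AppRole_Admin"})),  # no owner in OIM
]


def trusted_source_recon(hr_feed, identities) -> List[Tuple[str, str]]:
    """Trusted-source reconciliation: the HR feed decides who exists and who is
    active. Returns the user-lifecycle actions the identity system should apply."""
    known = {i.user_id: i for i in identities}
    seen_in_feed = set()
    actions = []
    for rec in hr_feed:
        emp = rec["employee_id"]
        seen_in_feed.add(emp)
        if emp not in known:
            if rec["status"] == "Active":
                actions.append(("create_user", emp))  # joiner
        elif rec["status"] == "Terminated" and known[emp].status == "Active":
            actions.append(("disable_user", emp))  # leaver reported by HR
    for uid, ident in known.items():
        if uid not in seen_in_feed and ident.status == "Active":
            actions.append(("disable_user", uid))  # vanished from the feed
    return actions


def target_recon(identities, accounts, lifecycle_actions=()) -> Dict[str, list]:
    """Target reconciliation: compare accounts found on the target with the
    identity system's view. Reports orphan accounts (no owner), accounts whose
    owner is disabled or about to be (access to revoke), and the entitlement
    catalog observed on the target."""
    disabled = {i.user_id for i in identities if i.status == "Disabled"}
    disabled |= {uid for op, uid in lifecycle_actions if op == "disable_user"}
    orphans = [a.login for a in accounts if a.owner_id is None]
    revoke = [a.login for a in accounts if a.owner_id in disabled]
    catalog = sorted(set().union(*(a.entitlements for a in accounts)))
    return {"orphans": orphans, "revoke": revoke, "catalog": catalog}


def run_recon():
    """Run both passes over the constructed data; trusted-source actions feed
    the target pass so a leaver's target account is flagged in the same cycle."""
    actions = trusted_source_recon(HR_FEED, OIM_IDENTITIES)
    findings = target_recon(OIM_IDENTITIES, TARGET_ACCOUNTS, actions)
    return actions, findings


if __name__ == "__main__":
    acts, found = run_recon()
    for op, uid in acts:
        print(f"lifecycle: {op} {uid}")
    print("orphan accounts:", found["orphans"])
    print("accounts to revoke:", found["revoke"])
    print("entitlement catalog:", found["catalog"])
```

The orphan list is the finding a reviewer cares about most: an account on the target that no identity owns is exactly what a periodic target reconciliation exists to surface, and it is invisible to trusted-source recon alone.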

The Identity Connectors are broken down into several families:

The BMC Remedy Family

  • BMC Remedy Ticket Management
  • BMC Remedy User Management

The Microsoft Family

  • Microsoft Active Directory
  • Microsoft Active Directory Password Sync
  • Microsoft Exchange

The Novell Family

  • Novell eDirectory
  • Novell GroupWise

The Oracle E-Business Suite Family

  • Oracle E-Business Employee Reconciliation
  • Oracle E-Business User Management

The PeopleSoft Family

  • PeopleSoft Employee Reconciliation
  • PeopleSoft User Management

The SAP Family

  • SAP Employee Reconciliation
  • SAP User Management

The UNIX Family

  • UNIX Telnet

As you can see, there are a large number of connectors that support apps from a variety of vendors to enable OIM to manage your business applications and resources.

If you are interested in finding out more, you can get documentation on these connectors on our OTN page at:

Tuesday Oct 22, 2013

Enjoy Cloud Odyssey The Oracle Movie

If you attended Open World you may have seen the promotions for a new movie produced by Oracle. The movie is called Cloud Odyssey and it chronicles the journey of a hero to the cloud. The movie is an animated sci-fi adventure. This movie will be played at Oracle events around the world so you may soon get an invite to attend. Interesting approach to telling the cloud story. For many IT organizations, the journey to the cloud is a major initiative for end users. I am sure Homer would be proud. In fact perhaps if it is successful, I am hopeful we may see a cloud Iliad. 

Below, I have embedded a trailer to the movie for your viewing pleasure. While it clearly is not the next Iron Man, it is intriguing. Hope you enjoy. 

Thursday Oct 17, 2013

Two views of Federation: inside out, and outside in

I always think of Star Fleet when I hear Federation!

IDM customers that I speak to have spent a lot of time thinking about enterprise SSO - asking your employees to log in to multiple systems, each with a distinct, hard-to-guess (translation: hard-to-remember) password that fits the corporate security policy for length and complexity, is a strategy that is just begging for a lot of help-desk password reset calls. So forward thinking organizations have implemented SSO for as many systems as possible.

With the mix of Enterprise Apps moving to the cloud, it makes sense to continue this SSO strategy by Federating with those cloud apps and services.  Organizations maintain control, since employee access to the externally hosted apps is provided via the enterprise account.  If the employee leaves, their access to the cloud app is terminated when their enterprise account is disabled.  The employees don't have to remember another username and password - so life is good.

From the outside in - I am excited about the increasing use of Social Sign-on - or BYOI (Bring your own Identity).  The convenience of single-sign on is extended to customers/users/prospects when organizations enable access to business services using a social ID.  The last thing I want when visiting a website or blog is to create another account.  So using my Google or Twitter ID is a very nice quick way to get access without having to go through a registration process that creates another username/password that I have to try to remember.
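The two paragraphs above describe the same exchange from two sides: an identity provider (the enterprise for federated cloud apps, a social network for BYOI) vouches for the user, and the service provider trusts that statement instead of holding its own password. The added example below (not code from Oracle's products or from any federation standard) models that exchange with a toy signed assertion: the IdP refuses to issue one for a disabled enterprise account, and the SP checks signature, issuer, audience and expiry before accepting the subject. The key, issuer and audience URLs and the directory contents are constructed placeholders; an HMAC stands in for the certificate-based signature a real IdP would use so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders (hypothetical); a real IdP signs with a private key
# and the SP verifies with the IdP's certificate.
IDP_KEY = b"constructed-demo-key-not-for-real-use"
IDP_ISSUER = "https://idp.example.test"
SP_AUDIENCE = "https://cloudapp.example.test"

# Constructed enterprise directory: the IdP's view of which accounts are active.
DIRECTORY = {"alice": {"status": "Active"}, "bob": {"status": "Disabled"}}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_assertion(user, audience, now=None, lifetime=300):
    """IdP side: only an active enterprise account gets an assertion, so
    disabling the account stops new logins to every federated app at once."""
    if DIRECTORY.get(user, {}).get("status") != "Active":
        return None
    now = time.time() if now is None else now
    claims = {"iss": IDP_ISSUER, "sub": user, "aud": audience,
              "iat": int(now), "exp": int(now) + lifetime}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def sp_validate_assertion(token, now=None):
    """SP side: accept the subject only if the signature verifies and the
    assertion was issued by the trusted IdP, for this SP, and is still valid."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SP_AUDIENCE:
        return None
    if not (claims["iat"] <= now < claims["exp"]):
        return None
    return claims["sub"]


def disable_user(user):
    """Enterprise-side leaver event: flip the account to Disabled."""
    DIRECTORY[user] = {"status": "Disabled"}


def leaver_scenario(now=1000):
    """Show the deprovisioning effect and its limit: an assertion issued before
    the account was disabled stays valid until it expires."""
    DIRECTORY["carol"] = {"status": "Active"}
    before = idp_issue_assertion("carol", SP_AUDIENCE, now=now)
    disable_user("carol")
    after = idp_issue_assertion("carol", SP_AUDIENCE, now=now + 10)
    return {
        "issued_before_disable": sp_validate_assertion(before, now=now + 10),
        "issued_after_disable": after,
        "old_token_after_expiry": sp_validate_assertion(before, now=now + 300),
    }


if __name__ == "__main__":
    tok = idp_issue_assertion("alice", SP_AUDIENCE)
    print("alice ->", sp_validate_assertion(tok))
    print("bob (disabled) ->", idp_issue_assertion("bob", SP_AUDIENCE))
    print(leaver_scenario())
```

The leaver scenario is the caveat worth keeping in mind: disabling the enterprise account blocks new assertions immediately, but a session or assertion granted before the change lives until its expiry, so the assertion lifetime and the cloud app's own session length bound how quickly access actually ends.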

The convenience of not having to maintain multiple passwords is obvious, whether you are an employee or customer - and the security benefit of not having lots of passwords to lose or forget is there as well.

Are enterprises allowing employees to use their personal (social) IDs for enterprise apps?  Not yet, but we are moving in the right direction, and we will get there some day.

Monday Oct 14, 2013

CSO Summit Open World

If you attended Open World, you were present for a historic occasion: not only was this the largest Open World, but the Oracle team also won the America's Cup against incredible odds. There are a few lessons we can apply to security. Security, like the America's Cup race, is about latency. Since 2007 the boat speeds have gone from 14 mph to 50 mph with greater control and roughly the same number of crew on-board.

Without the technology on-board providing control, these boats would be very difficult to pilot. The mast of the AC72 is as high as a three story building. Yet, despite the large size, these boats almost fly over the water.  Today many businesses face the same challenge: they must grow while maintaining the same level of governance. Security allows companies to accelerate with confidence.

The theme for the CSO Summit was "accelerating with confidence".  With over 18 countries represented across 12 vertical markets, it was truly a world class audience.  Instead of an exclusively security audience, this year the executives came from many lines of business. This reinforces the trend that companies are starting to progressively align security to new business initiatives. For a survey on companies using security as a business enabler, see the PWC Global State of Information Survey.

SUN2Oracle upgrades and migrations

There are many resources for SUN customers who are interested in upgrading or migrating to Oracle IDM.  And since this is a common request from customers, I wanted to list a few of them here for easy access.

Here are two customer stories that represent both types of upgrade: an incremental upgrade, and a full re-platform.

SuperValu represents an incremental upgrade (we call this a co-existence strategy, where both SUN and Oracle IDM are used together).  In this customer case study, a decision was made to incrementally upgrade individual components since the organization had a lot of staff resources that were good with the SUN products.

Customer success story: webcast replay link

In the case of Avea, the decision was made to re-architect a whole new IDM platform foundation due to performance requirements, and new features available in the Oracle products.

Customer Success Story: webcast replay link

SUN DSEE customers that are looking to move to the next generation, highly scalable Oracle Unified Directory can take a look at this webcast replay, where UCLA, and partner Hub City Media moved from a DSEE directory implementation directly to OUD:

SUN2Oracle: Upgrading from DSEE to the next generation Oracle Unified Directory: Webcast replay link

A common problem that customers have is explaining to their management all of the benefits of upgrading and then building a business case to get the project funded.  In this video, Mike Neuenschwander explains how to build a business case for a SUN2Oracle IDM upgrade.

Finally, in this video, Mike gives advice for how to build a project roadmap to migrate from SUN to Oracle IDM:

Monday Oct 07, 2013

OpenWorld Recap - CON8808 Amit Jasuja's Identity Management Presentation

CON8808 at OpenWorld 2013 in San Francisco was a big event for the IDM team.  In his presentation, Amit Jasuja talked about how IDM has gone from a set of restrictive controls to a real business enabler.

His session featured 3 live demos.  In the first, he took an iPad from an audience volunteer, downloaded a secure container, and showed how he could access his corporate resources and files on a borrowed device, from a public network.

In the second demo, he showed how an administrator could request privileged access in order to start up a demonstration server.  One of the key points of this demo was that the person requesting the access never saw the password, but was able to execute the start up command to get the server running.

In the third demo, Amit showed converged Identity Governance; he was able to certify file and application access from the same console.

After each demo, Amit would talk through how each was achieved using Oracle IDM. Although you can't see the demos (since they were live), I have attached his slides.

Sunday Oct 06, 2013

Making Cars More Social: Redefining Identity Management

When you were 16 (or perhaps still believe you are 16) your car was the enabler to your social life, providing you with the freedom and means to explore. Today your car is a platform for your life, transporting your family and providing transportation to and from work. The average commute time in the US one way is 25.4 minutes. If you are on the east coast or in Washington DC that time is significantly greater. In Sao Paulo Brazil, the average commute time is 43 minutes. So if we assume 1 hour a day for 52 weeks a year we can spend more than 300 hours in our cars. Most commuters are now using their cars as mobile offices and for social time to connect with colleagues, friends and family. As a baseline, the average social media user can spend 6.9 hours per month on social media sites. If your car is social-enabled, you can probably double your time on Facebook.

It is not surprising that manufacturers of automobiles are taking advantage of the social revolution both as a means of providing better service to consumers and as a means of enabling consumers to connect and get more work done. The transformation is across the entire life-cycle of the automobile from innovation to consumer experience. This video provides an info-graphic of the transformation.

This new experience is redefining how we think about Identity Management and security. To connect your car to the social network, the car needs an identity and each passenger needs an identity on the vehicles they drive. The car personalizes to each driver and becomes a platform for applications, which means authorization and authentication across applications. All of this moves passenger and driver context into the foreground for automotive designers. The graphic below shows the new requirements for security when we identity-enable a car.

Friday Sep 20, 2013

CON8829: Partnering for Success with your System Integrator - OOW13 MUST SEE

OpenWorld 2013 is almost here.  I am very excited to tell you a little bit about my session.  I will be speaking with several of Oracle's top tier partners in CON8829 which will be on Wednesday at 10:15 am in Moscone West room 2018.

This is a bit of a free form session, where each of the panelists will give a little bit of an update on major trends they are seeing in the market.  Then, we will have a live Q&A session which will be led by the hard hitting, yet erudite Scott Bonnell.

On the panel this year will be:

  • Andrew Morrison, from Deloitte and Touche, LLP
  • Alexander Bollonte, from Accenture
  • Rex Thexton, from PwC, LLP
  • and me, Darin Pendergraft from Oracle

We did this session last year, and it was a lot of fun.  This will be a good opportunity to ask your questions, and to hear what the partners are focusing on.  Come join us on Wednesday!

Thursday Sep 19, 2013

CON8811: Converged Identity Governance for speeding up business and reducing cost

We talk a lot about the platform approach to Identity Management: and in CON8811, Sanjay Rallapalli explains how the Platform Approach applies to Identity Governance.

He will show how a platform approach enables organizations to pursue end-to-end user lifecycle management and closed-loop remediation for both standard and privileged user access, driving down costs by automating error prone manual processes.

Joining Sanjay on stage to give their perspective will be Chris Commerford from Pfizer, Rich Flees from Qualcomm, and Dariusz Spiewak, from ZUS, Poland.

Click this link to get more information and to register for the session:

CON8828: Justifying and Planning a successful Identity Management Upgrade

One of the things the IDM team has been focused on is providing an upgrade path to our SUN customers, and CON8828 is focused on just that.

On Wednesday, September 25 @ 10:15 am, Sanjay Rallapalli will talk you through the major considerations when planning an upgrade, such as:

  • Do you need to do data migration?
  • Do you have a test plan?
  • Do you have a backup?
  • Will your upgrade be in-place?

Sanjay will be joined on stage by Anthony Undorf from ETS, and Shanti Vellanki from Safeway who will share their upgrade experiences.

Be sure to register for this session to reserve your spot, as I am sure it will fill up.


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

