By Naresh Persaud on Jun 03, 2013
If you have downloaded Identity Management R2 PS1 and are looking for a good summary of capabilities, the presentation below by Marc Boroditsky, Vice President of Product Management, provides a good preview.
As regulatory pressure and security threats continue to rise, the Chief Security Officer (CSO) role is gaining more importance in many organizations. With security spending at an all time high, many CSO's are re-thinking their priorities and focusing on risk. A recent CSO Market Pulse survey of IT executives, finds that in most organizations IT spending is not aligned with risk.
Mary Ann Davidson, Oracle Corp CSO, joins us for this exclusive webcast to discuss the findings of the survey. One of the most important voices among computer security practitioners today, Davidson describes how CSOs and other IT leaders can use this information to reduce risk in the enterprise. To Register Click Here.
Webcast Date: Thursday, July 18, 2013
Time: 10:00 PM PST
Speaker: Mary Ann Davidson, Chief Security Officer, Oracle
Registration: Click Here
If you are moving applications to the cloud or extending your applications to mobile devices, you will be concerned with securing the device interaction with users and with back end components that reside behind your perimeter. In Identity Management 11g R2 Patch Set 1, we have enhanced and released Oracle API Gateway to enable organizations to address the challenges of service oriented security, applications on mobile devices and applications in the cloud. Patch Set 1 is another step in rationalizing a platform approach to Identity and Access Management to enable organizations to modernize security. For a primer on Oracle API gateway, Apple Bagwell simplified the topic and captured it in a Prezi. Apple recently presented an overview to the Identity Architect Forum which was well received. He does a great job of simplifying and demystifying the topic. Click here to view the Prezi.
The latest docs to the Oracle API Gateway can be found here. For more resources on Identity Management R2 Patch Set 1, see the links below.
We extend our congratulations to the team at Virgin Media for winning the award for best Identity and Access Management project at the European Identity Conference in Munich this week. Excerpt below from the European Identity Conference.
In the category “Best Identity and Access Management Project”, the award goes to Virgin Media for the implementation of highly polished access control mechanisms with IAM technologies for the WiFi network of the London Underground metro system. This project went live for the 2012 Summer Olympics and had to meet very demanding requirements for high performance user authentication.
You can learn more about the Virgin Media story by viewing this on demand webcast here.
Oracle recently worked with CSO Online to study the economics of security. Despite the the increasing IT spend on security, many organizations don't feel any safer. According to the study, organizations allocate up to 67% of their IT security spend protecting network resources. However, the biggest risk in many organizations is weak governance controls on user access and application security. According to the latest Verizon Data Breach Report 2013 , 76% of attacks utilize lost or stolen credentials as a means of entry or propagating the attack.
According to the survey, 40% believed that implementing fragmented point solutions created gaps in their security and resulted in vulnerability. Fragmentation creates latency in security processes and latency introduces risk. According to a similar study by Aberdeen Research, organizations that take an integrated platform approach had 35% fewer audit deficiencies and were more responsive.
The findings underscore the relevance of Oracle’s “security inside-out” approach which means focusing attention on the organization's most strategic assets which include applications, databases, systems, and users.
Read the details here
This year's European Identity Conference is devoted to cloud, mobile and social. This promises to be an exciting event this year. Here is a link to the conference. You will not want to miss Peter Boyle and Mike Neuenschwander. Peter's keynote is on Thursday May 16th. Peter Boyle is Head of Identity Services for BT. Below is an abstract for his talk.
If Your Customers Don't Feel Safe, They Will Leave You
More than 559 million adults have been victims of cyber-crime - that´s more than the population of the European Union. More businesses are trying to connect with customers on social and mobile but, 15% of social networking users have had accounts infiltrated and 21% have fallen prey to mobile or social attacks. Only one incident can cause a customer to shift brands. If you are trying to find new paths to market online, don´t miss this session. Securing the customer experience should be the top priority for any business initiative involving cloud, mobile and social. Faced with the need to secure a growing hosting business with more than 10,000 customers accessing services on-line, British Telecom Identity enabled their applications to secure their customer data and transactions. In this session, Peter Boyle Head of Identity Services for BT will discuss how to keep your customer safe, loyal to your brand and keep them coming back for more.
See Mike Neuenschwander will speak in the following sessions:
The North American Customer Advisory Board (CAB) was held at Oracle headquarters, April 16-18. Customers were invited to attend in order to get an update on product direction, participate in discussions on key industry trends, and to meet with Product Managers to discuss product road maps and features.
Day 1 consisted of an overview of the Oracle IDM business, including key market trends and customer success stories, followed by presentations by Product Management in three key areas: Directory Services, Identity Governance, and Access Management
Day 2 contained moderated discussions on key topics such as Mobile and Cloud Applications, and also a customer presentation by College Board on their IDM implementation.
Day 3 began with a presentation by Oracle IT on how they are using Oracle IDM to manage systems and applications internally, and then moved on to additional breakout and feedback sessions. There were also opportunities for customers to meet with Product Managers one on one to discuss specific product features and functions. At the end of the day, customers were invited to provide feedback about the various presentations and discussions, and to identify key priorities for their organizations.
Here are some of the more popular discussion topics:
A lot of discussion around reference architectures for IDM: customers identified the need for additional best practice guidance when sizing and scaling hardware for optimal performance. A lot of good reference material exists for 10g products (which have been in the market for quite a while) but less is available for 11g products.
Multi-datacenter configurations, as well as configuring for high availability and disaster recovery.
Mobile application security was a hot topic: most of the attendees were delivering and securing mobile applications but there was a lot of variation in what customers were doing. Most agreed that the management capabilities of IDM for mobile applications needed to improve, and most agreed that mobile application management was a top priority for them.
All of the customers I spoke to agreed that the time was well spent, and that the presentations were detailed and focused on the topics, technologies and timelines that they felt were important. Everyone agreed that the ability to meet one on one with Product Management was very helpful, and everyone liked the customer presentations.
Thank you to everyone that attended, and shared their concerns, thoughts and suggestions with the IDM team.
Thank you to everyone that joined us on Thursday, April 25, 2013 for the Centrica webcast. Chris Wilton, Senior Project Manager at Centrica, and Ben Bulpett from aurioPro SENA were the guest speakers.
If you missed the webcast, you can register for the replay here: Centrica Webcast Replay
Here are a few of the key takeaways that were discussed during the webcast:
Key Business Drivers:
Cenrtrica wanted contingency plans in place should an ESSO outage occur
Centrica and aurionPro SENA used several Oracle products were used to achieve the desired results, some in place before this project. They include:
Oracle Access Manager (OAM), Oracle Virtual Directory (OVD), Oracle Identity Manager (OIM), and Oracle Identity Federation (OIF)
The project was completed in 60 days and provided a ESSO capability for HR and Payroll, with the ability to add additional applications in the future. Over 45,000 internal and external users now have access provided by this system.
Here are some additional questions and answers related to this project:
Who sponsored the project within Centrica?
The project was initially sponsored by the Head of IS Power Generation, due to the number of passwords that Power Station staff were required to remember. However, as the requirement for a truly enterprise solution became more pressing, the sponsorship moved into the SAP Competency Centre.
Why did Centrica embark on another Identity Project after the original implementation?
The initial identity project did not implement federated identity, partially as there was an existing SSO solution within the British Gas business and there was not a requirement for an enterprise solution at the time the original ID project was put in place. Once the requirement was there to look at SSO on an enterprise level, leveraging the existing work that had been done.
How is the system managed and what service levels are required?
The solution is managed by our colleagues in British Gas, with the support element currently being undertaken by Infosys. Availability is as per the main IAM solution, with 99.5% availability and 24x7 support in place. RTO 30mins RPO 15mins
If you were to embark on the project again knowing what you do what would you change?
The intergration with the SAP Netweaver Portal v7.3 was the most challenging part of the project – we were unable to find any other company that had configured SAP Netweaver 7.3 to accept SAML 2 and initially didn’t have the necessary knowledge or resources to be able to implement this to begin with. Through a mix of extensive reading, coupled with trial and error, we were able to integrate the system. Specialist resourcing on the SAP side of things was the biggest lesson we took forward from this.
Photo courtesy: www.cloudtweaks.comYou don’t like losing control – that is human nature. In your personal life or professional – whether you are an IT architect, a manager, developer, a DBA or an executive, you never like losing control or not knowing a situation or an outcome. But a cloud deployment is exactly that – where you don’t have a 100% control over or insight into the security framework that govern your applications or data in the cloud.
The problem is further exacerbated with latency and fragmentation. If it is not the same security policies that govern your enterprise infrastructure and your cloud deployment, duplicating security policy data in multiple places will complicate policy enforcement. Fragmentation, in turn, creates latency where a change in the system is not detected or acted upon immediately making your cloud systems vulnerable. If, for example, your employee changes jobs, unless the HR system is immediately able to trigger a revocation alert/workflow across all the applications and systems – both in-house and in the cloud, you may have inadvertently allowed unauthorized (and potentially damaging) access to your applications and data.
Of course, then there is audit and compliance. If you are a financial institution your cloud has to provide reporting to address the BASEL 2 requirements or you will incur financial penalties. If your cloud hosts your General Ledger – your cloud has to provide Sarbanes Oxley (SOX) certification. If your customers are in Europe, your cloud has to comply with the European data privacy directive. How do organizations, such as yours, provide timely compliance reporting and remediation if you don’t have visibility or if recent actions aren’t immediately recorded. Fragmentation and latency, thus, impact audit and compliance reporting. Simply put, if you don’t know about it, you can’t accurately report on it.
So, if fragmentation and latency are the issues, a standardized platform must be the antidote! Having a complete, standardized security and identity management platform will allow you to enforce uniform security policies across all your resources – on-premise or hosted. A platform approach implies seamless integration within components thereby getting rid of security and identity silos. A platform approach implies interoperability so that the framework works for your complete heterogeneous infrastructure. A platform approach affords scalability- you can support thousands or millions of users across the myriad of resources. You can scale to what the new digital experience requires!
Thanks to Oracle’s large and advanced customer base, the company realized the rationale for the platform approach to Security and Identity Management early on. Oracle offers the industry’s first Identity Management platform that is proven to be extensible enough to support your internet scale.
Learn more about Oracle’s platform approach to Identity Management and how you can leverage Identity services at internet scale. Download the free whitepaper today.
And for more information and resources, visit Oracle Identity Management on oracle.com today.
As we talk to organizations around the world, it is clear that most consider Cloud as the biggest opportunity today to reduce cost. To any organization, cloud offers numerous advantages – business agility, reduced operational costs, scalability, improved performance and more. With cloud deployments ranging from private to hybrid to public, the scale of benefits vary but so do the risks.
Going up the cloud continuum from on-premise to private to hybrid and then public cloud, IT’s control and visibility into security policies decreases.
Private clouds give organizations greater control over security and data privacy, compliance, and also quality of service, since private clouds can manage network bandwidth and implement optimizations that public clouds don’t allow. But much like your enterprise, risks arise from privileged access and insider threats. In the public cloud, policies are managed by an outside 3rd party which is the cloud service provider. A shared environment in the public cloud also causes security and compliance concerns. A hybrid cloud, by its very definition, encapsulates both the benefits and the risks of both the private and public clouds.
As we move through the spectrum, security policies get more and more fragmented as we duplicate policy data in multiple places. Consequently, latency also increases and risk increases exponentially. Add to that the compliance and governance issues and it is no wonder that Security continues to be the #1 barrier in cloud adoption. In fact, according to the “Private Cloud Vision vs. Reality”, InformationWeek Report, 2012, 82% of organizations say security and data privacy concerns are one of the main reasons they are phasing out, or have decided to not use, public cloud.
So, where best to focus your efforts so as to leverage cloud without risking security? A recent CSO Online survey of Chief Security officers found that the top 5 security concerns for cloud were all related to mobile data access, regulatory compliance and managing access to the data and the applications i.e., Identity Management.
Organizations that move applications into the cloud have to bridge the gap between the enterprise and the cloud by providing standardized security framework around data security and application access. Take some time to watch this brief screencast and learn how you can manage security risks, address governance issues while unlocking the full potential of the cloud.
Centrica Plc is an integrated energy company operating in 7 countries including the U.K. and U.S. that supplies electricity and gas for 30 million consumer and business customers.
In an effort to drive down operational costs due to password resets for their critical business applications, Centrica engaged aurionPro SENA to help them explore the most cost effective options.
The project goals were to:
To find out more about the Enterprise Single Sign on system designed and implemented for this project, join us on April 25, 2013 @ 10:00 am PST for a webcast featuring Chris Wilton, Senior Project Manager at Centrica, Ben Bulpett, Alliances and Enterprise Account Director at aurionPro SENA, and myself (Darin Pendergraft, Product Marketing, Oracle)
We will discuss the project and will have an opportunity for live Q&A.
This year the EMEA Customer Advisory Board (CAB) was held in the beautiful city of Vienna, Austria. Representatives from Oracle product management and engineering teams met with customers from all over Europe to discuss market trends, product direction, and to get feedback on current products.
Day 1 focused on updates since the last CAB meeting, including the launch of 11gR2, the state of the IDM business, and featured updates from the Directory Team, the Access Management Team and the Identity Governance team.
Day 2 contained moderated discussions focusing on Mobile Identity Management, Cloud Identity Management, and Enterprise IDM. The first of three customer presentations was delivered by Vodafone Romania who discussed how they are using Oracle IDM.
Day 3 contained customer presentations by BT and Turkcell, followed by breakout sessions, on topics ranging from risk management to upgrade & migration strategies.
Overall, this CAB was a very big success, and proved beneficial to both the Oracle Product Teams who collected valuable feedback from customers, and for customers to hear directly from the product teams about upcoming product road maps and direction. Several customers also mentioned that they really enjoyed hearing about other customers' implementations and plans.
Thank you to all that attended, and a special thank you to those customers that presented!
Yarra Valley Water (YVW) is the largest of Melbourne’s three water retail businesses. Owned by the State Government of Victoria (Australia), YVW provides water supply and sewerage services to over 1.7 million people and over 50,000 businesses in Melbourne’s northern and eastern suburbs, including some recycled water and trade waste customers.
YVW needed to automate account provisioning for both its partners and end users so that they have easy yet secure online access to YVW applications. Check out this video to find out more about YVW’s use case and how Oracle Identity Management helped.
If you are following the Cyprus bailout story, you will sympathize with the extraordinary situation faced by Cypriots coping with unprecedented banking regulation. Faced with a risk of capital outflow, the government placed limits on domestic and foreign currency transactions. After the restrictions were lifted, it was discovered that there were loopholes that allowed withdrawals from subsidiary banks in London where the controls were not enforced. For controls to work they have to be consistent. The limits are very specific and very difficult to enforce. As institutions and governments try to apply fiscal or regulatory controls over large groups of people, the controls are only as effective as the identity management capabilities of the institution. The problem is latency. The longer it takes for an endpoint or in this case a bank subsidiary to get updated, the more security risk. In this case Cyprus loses a significant fraction of foreign deposits.
The problem is not unique to Cyprus. During the American financial crisis, the breakdown in trust almost froze the credit system. When a credit card is swiped at the local retailer, the authentication does not always go directly to the bank that issued the credit card. The transaction flows to a merchant bank. The entire system depends on keeping the merchant banks in synch. Every transaction we make without cash has an element of identity involved. The economic cost of identity authentication, while not explicit, is a factor in every credit card transaction and every purchase online. The Cyprus crisis demonstrates what can happen if identity controls break down or fail. In Cyprus the consequence is failure of the banking system.
Authentication failure at an individual level ends in fraud or theft. As the customer experience becomes more digital the consequences are more drastic. Authentication failure can hurt an individual, a business or in this case compromise the future of a nation.
King Richard III: Villain, Hero, or Tragic Victim of Identity Theft?
What does Identity Management has to do with the recent discovery of King Richard III remains? A Lot, according to this recently published post in Forbes Magazine from the Oracle Identity Management team.
Don’t miss this interesting Shakespearean twist to Identity Management. Turns out, authentication and Identity Management are more pervasive than it’d appear on the surface. Identity is King!
Amit Jasuja sat down for an in-person interview to discuss how digital security is changing and how cloud, mobile and social are driving the transformation. The entire interview can be found here.
It's more virtual and less physical
In the past most security was focused on the physical protection of buildings and access to systems. The security transformation means securing content and information in places we don't have control. The point of control has moved from the enterprise to the cloud.
It's more integrated than fragmented
Instead of multiple point products being used to secure systems, we will see a more integrated approach where security information is shared across components. By de-fragmenting the data, security becomes more responsive.
It's more mobile and less stationary
The shift to mobile applications will expose organizations to new threats and operational challenges. Security will need to scale to protect the vast number of changing devices.
It's about getting it done right and avoiding rework
Organizations will focus on deployment of technologies to get it done right the first time. We will choose technologies that provide a clear roadmap and upgrade path to avoid costly rip and replace projects.
With the recent discovery of Richard III in a Leicester parking lot, we realize that authenticating an individual is as important as authenticating a king. Your identity is king.
The recent twitter #authchat provides a good survey of authentication techniques. Authenticating Richard required many of the same identity management techniques we use in software. Here are a few observations:
DNA evidence from two related descendants was critical in verifying the identity of the king. The same is true for the way we authenticate today. While we may use finger print readers on our laptops and in our data centers, we still rely on additional factors of authentication beyond biometrics. From the description of the battle of Bosworth, many thumbs and fingers were most likely misplaced – lots of parts everywhere. If Richard were alive today, he would have commanded, “my kingdom for a thumb!” If the researchers had tested DNA from the wrong thumb, the results would have been wrong. Biometrics are only a piece of the puzzle.
Third Party Verification
The research team had to find a descendant to verify the DNA of Richard III. DNA, like a certificate, on its own is not enough to prove who you are. A third party has to vouch for the fact that the information is correct. We may think we are advanced because we can make an instant SAML request to an identity provider to log into our 401K plan or download a ringtone, but it is perhaps more amazing that the team found an identity provider (Richard's descendant nephew) across 500+ years of the family tree, in a country thousands of miles away.
Finding the king and verifying the identity were almost equally challenging tasks. The location information from history played a role. In addition, the context of the injuries and the battle description were all indicators that helped to confirm the identity. Other factors including radio carbon dating and food consumption patterns were all part of the context used in the formula. Today, with many users with different roles accessing our systems, adaptive access and context aware security are used to complement authentication. Now, we may be a long way from using food consumption patterns to authenticate a user on a banking website, but I would not rule it out. It gives validity to the claim “you are what you eat.”
The key is that no single form of authentication is sufficient in all circumstances. Context helps to provide ongoing assurance that we are dealing with the correct user. It turns out Richard III was not the tyrant as he is remembered, but perhaps just the victim of identity fraud. Congrats to the research team – truly a remarkable accomplishment and the discovery demonstrates that “the king’s name is [still] a tower of strength”(Shakespeare,Richard III) -- especially given the amount of media exposure.
Meet Christian Patrascu. Christian is Senior Group Manager with Oracle. A seasoned Security professional and a reputed Identity Management expert, Christian is a member of the EMEA outbound Product Management team that drives sales and adoption of Oracle Fusion Middleware within the Europe, Middle East and Africa (EMEA) region. Oracle Fusion Middleware is a portfolio of leading, standards-based and customer-proven software products that spans a range of tools and services from J2EE and developer tools, to integration services, business intelligence, collaboration, content management and Identity Management.
Christian recently sat down for an interview with Sebastian Graf (DOAG Head of the SIG BPM) where he discussed the difference between Authentication and Authorization and the importance of both in an enterprise' end-to-end security strategy. DOAG (Deutsche Oracle User Group) is one of the largest organized and independent Oracle user groups in Europe.
The discussion on authentication and authorization is especially relevant in today's "anytime, anywhere" world where business and personal boundaries have blurred and users are looking for a seamless experience between their social and business channels via mobile devices and more. So, as we close out 2012 and look to 2013, we thought this video interview would be apt for the last edition of Globe Trotters for 2012.
We wish you all a very safe and Happy New Year and look forward to engaging with you in more security discussions.
If you did not get a chance to attend Amit Jasuja's session at Gartner IAM this week in Las Vegas, here is a summary of the session and a copy of the slides. The agenda featured an introduction by Ray Wagner, Managing VP at Gartner, followed by Amit discussing the trends in Identity and Access Management shaping Oracle's strategy.
Today we are seeing the largest re-architecture in a decade. Every business from manufacturing to retail is transforming the way they do business. Manufacturing companies are becoming manufacturing services companies. Retail organizations are embracing social retail. Healthcare is being delivered on-line around the clock. Identity Management is at the center of the transformation. Whether you are Toyota embracing a social network for cars or launching the next Iphone, the Identity of the user provides context to enable the interaction and secure the experience. All of these require greater attention to the context of the user and externalizing applications for customers and employees.
Ranjan discussed how Cisco is transforming by integrating 1800 applications to a single access management framework and consolidating 3M users across 4 data centers to support internal and external processes. David Lee demonstrated how to use Oracle Access Manager 11g R2 on a mobile application to sign-on across multiple applications while connecting mobile applications to a single access control policy.
Oracle Corporation - Worldwide Headquarters, 500 Oracle Parkway, OPL - E-mail Services, Redwood Shores, CA 94065, United States
UPMC, a $10-billion integrated global health enterprise, has selected Oracle as a key technology partner in UPMC’s $100-million analytics initiative designed to help “unlock the secrets of human health and disease” by consolidating and analyzing data from 200 separate sources across UPMC’s far-flung network.As part of the project UPMC also selected Oracle Identity Management to secure the interaction and insure regulatory compliance. Read complete article here.
As healthcare organizations create new services on-line to provide better care Identity Management can provide a foundation for collaboration.
After the launch of Identity Management 11g R2, Oracle Magazine writer David Baum sat down with Sally Hudson, research director of security products at International Data Corporation (IDC) to get her perspective on securing mobile access. Below is an excerpt from the interview. The complete article can be found here.
"We’re seeing a much more diverse landscape of devices, computing habits, and access methods from outside of the corporate network. This trend necessitates a total security picture with different layers and end-point controls. It used to be just about keeping people out. Now, you have to let people in. Most organizations are looking toward multifaceted authentication—beyond the password—by using biometrics, soft tokens, and so forth to do this securely. Corporate IT strategies have evolved beyond just identity and access management to encompass a layered security approach that extends from the end point to the data center. It involves multiple technologies and touch points and coordination, with different layers of security from the internals of the database to the edge of the network." ( Sally Hudson, Oracle Mag Sept/Oct 2012)
As the landscape changes you can find out how to adapt by reading Oracle's strategy paper on providing identity services at Internet scale.
Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.