Friday Sep 13, 2013

200 Million: Directory Deployment at Verizon CON4535

Verizon Wireless is one of the fastest growing mobile carriers in the world with a brand and reputation for quality of service. Serving more than 90 million users with more than 220 million entries, Verizon required a modern access and directory infrastructure to deliver a secure and user-friendly experience with high performance and availability. To grasp the dramatic scale that telecommunications organizations will have to address, the chart below shows how global data traffic has grown in the past five years with 100% growth between 2011 and 2012. 

They also needed risk-aware, social-ready access control that could adapt in real time to enhance security while improving usability; a high-performance directory capable of searches/modifications in 1 to 2 ms and additions in less than 10 ms, with the ability to quickly load hundreds of millions of entries to ensure performance; and a multi-master setup to deliver scalability and high availability.  The chart below provides a baseline for global smart phone subscription growth and highlights the pressure to gain new subscribers and share of market for Verizon and other telecommunications firms.

Attend this session to learn how Verizon Wireless leverages Oracle Access Management Suite and Oracle Unified Directory to provide exceptional services to its members. Register here 

Thursday Sep 12, 2013

OOW 2013 Content: Access at Scale for Hundreds of Millions of Users

Scalability has become a much more important requirement for IDM professionals as we expand to securely accommodate multiple personal networked devices with access to our corporate apps and data.

Access at Scale for Hundreds of Millions of Users [CON8833] will take a look at this trend and will review several business cases.  In addition to the Oracle speakers, this session will feature Nirmal Rahi, Solution Architect from College Board, Brendan McGuire, Director from KPMG and Chirag Andani, Sr. Director, Identity & Access Management, PDIT - Oracle.

Plan on attending this session on:

Monday, Sep 23, 12:15 PM - 1:15 PM - @ Moscone West - 2018

Wednesday Sep 11, 2013

OOW Session: Who Should Have Access to What, Risk = Hazard + Outrage

Risk = Hazard + Outrage. This was Peter Sandman's simple formula for executives to evaluate the risk and response to a potentially brand damaging event. With user access, the formula applies as well. If a trusted administrator gets access to the latest product specs and discloses the information to the public without consent, the hazard is financially high and the shareholder outrage is perhaps equivalently high. The net is directly equivalent to the risk of the event happening. 

So when we consider who should have access to what, different users constitute different risk.  A single administrator with root access may create a higher risk than the intern working in the mail room. The risk is directly related to the system and the data to which these individuals have access. Governing the data is directly related to how we govern the user access. 

If these topics interest you, you will want to catch Jim Taylor and Neil Gandhi at Open World in session "CON8810: Who Should have Access to What -- Better risk management with Identity Governance". For a complete list of sessions, click here.

Monday Sep 09, 2013

Amit Jasuja's OOW2013 IDM Presentation - Oracle IDM: Enabling Business Growth in the New Economy

Hello Everyone!

The IDM team is feverishly working to get everything ready for another amazing OpenWorld conference.  There is going to be a lot to do and see, and to help you get around, we have created several tools to help you build a schedule.

The Focus on Identity Management page is the best way to take a look at all of the sessions that are being presented by the Oracle IDM team. You can click on the title and see a detailed summary of the session, and once you are on the session page, you can register to attend (if you are logged in).  Last year we had several sessions fill up, so if you see something you really like, be sure to register to save a spot.

The IDM team will also be blogging about our sessions to give you more of a preview of what you are going to see.  I will get things started off by telling you a little bit about Amit Jasuja's presentation - Oracle IDM: Enabling Business Growth in the New Economy [CON8808].

Amit's presentation represents our overall theme this year of demonstrating how Identity Management technologies and practice can not only protect your business, but more importantly, can help your business grow by allowing you to securely offer new business services in the new mobile, social and cloud app economy.  Amit's session will include demos of secure mobile access that you will definitely find interesting.

We are also very pleased to have two customer spotlights during his session featuring Dominic Fedronic from VISA, and Adam Hergert from ANZ Bank.  Both of these customers will discuss how they are using Oracle IDM to offer new services while maintaining the highest level of security and regulatory compliance.

Be sure to register for this session, as I am sure it will fill up quickly: Register for Amit's Session

Wednesday Aug 14, 2013

Identity Management at Oracle OpenWorld 2013

The IDM team is getting ready for OpenWorld 2013 and the speaking schedule is now available.  Take a look at the schedule below.

Monday September 23, 2013




10:45 am – 11:45 am

CON8808: Oracle Identity Management: Enabling Business Growth in the New Economy

Amit Jasuja Senior VP, Identity Management and Security, Oracle

Moscone West, Room 2018

12:15 am – 1:15 pm

CON8833: Access at Scale for 100's of millions of users

Venu Shastri, Senior Principal Product Manager, Oracle
Selvendran Neelamegam, Principal Member Technical Staff, Oracle

Moscone West, Room 2018

1:45 pm – 2:45 pm

CON8810: Who Should have Access to What -- Better risk management with Identity Governance

Jim Taylor, Senior Director Product Management, Oracle
Neil Gandhi, Principal Product Manager, Oracle

Moscone West, Room 2018

4:45 pm – 5:45 pm

CON8819: Context and Risk Aware Access Control – Any Device Any Where

Svetlana Kolomeyskaya, Principal Product Manager, Oracle
Ashish Kolli, Senior Director Development, Oracle

Moscone West, Room 2018

4:45 pm – 5:45 pm

CON4535: 200M: Real World Large Scale Access and Directory Deployment at Verizon

Nahil Khan, Verizon Wireless

Moscone West, Room 2012

Tuesday September 24, 2013




10:15 am – 11:15 am

CON8811: Converged Identity Governance to Speed up Business and Reduce Cost

Sanjay Rallapalli, Senior Manager, Product Management, Oracle
Rajesh Pakkath, Principal Product Manager, Oracle

Moscone West, Room 2018

11:45 am – 12:45 pm

CON8896: Securely Enabling Mobile Access for Business Transformation

Lee Howarth, Senior Principal Product Manager, Oracle
Ajay Sondhil, Software Development Director, Oracle

Moscone West, Room 2018

1:15 pm – 2:15 pm

CON8834: Attract new customers and users by leveraging Bring Your Own Identity (BYOI)

Forest Yin, Senior Director of Product Management, Oracle

Moscone West, Room 2018

5:00 pm – 6:00 pm

CON8817: API Management: Enable Your Infrastructure for Secure Mobile and Cloud Use

Ganesh Kirti, Oracle
Sastry Hari, Architect - Entitlement Server, Oracle

Moscone West, Room 2018

Wednesday September 25, 2013




10:15 am – 11:15 am

CON8829: Partnering for Success with your System Integrator

Scott Bonnell, Senior Director Product Management, Oracle
Darin Pendergraft, Principal Product Marketing Director, Oracle

Moscone West, Room 2018

11:45 am – 12:45 pm

CON8837: Leverage Authorization to Monetize Content and Media Subscriptions

Roger Wigenstam, Senior Director Product Management, Oracle
Sid Mishra, Senior Principal Product Manager, Oracle

Moscone West, Room 2018

1:15 pm – 2:15 pm

CON8828: Justifying and Planning a successful Identity Management Upgrade

Javed Beg, Group Product Manager, Oracle
Sanjay Rallapalli, Senior Manager, Product Management, Oracle

Moscone West, Room 2018

3:30 am – 4:30 pm

CON8813: Securing Privileged Accounts with an integrated identity management solution

Olaf Stullich, Principal Product Manager, Oracle

Moscone West, Room 2018

5:00 pm – 6:00 pm

CON8823: Access Management for the Internet of Things

Kanishk Mahajan, Principal Product Manager, Oracle
Mark Wilcox, Senior Manager Product Management, Oracle

Moscone West, Room 2018

Thursday September 26, 2013




11:00 am – 12:00 pm

CON8836: Leveraging the Cloud to simplify your Identity Management implementation

Guru Shashikumar, Product Management Director, Oracle
Mike Neuenschwander, Senior Director of Product Management, Oracle

Moscone West, Room 2018

12:30 pm – 1:30 pm

CON4342: Identity Services in the New GM IT

Andrew Cameron, General Motors

Moscone West, Room 2018

2:00 pm – 3:00 pm

CON9024: Next Generation Optimized Directory - Oracle Unified Directory

Etienne Remillon, Senior Principal Product Manager, Oracle

Moscone West, Room 2018

2:00 pm – 3:00 pm

CON8902: Developing Secure Mobile Applications

Mark Wilcox, Senior Manager - Product Management, Oracle
Mahajan, Principal Product Manager, Oracle

Marriott Marquis - Golden Gate C3

3:30 pm – 4:30 pm

CON8826: Zero Capital Investment by leveraging Identity Management as a Service

Mike Neuenschwander, Senior Director of Product Management, Oracle
Lee Howarth, Senior Principal Product Manager, Oracle

Moscone West, Room 2018

Monday Jul 01, 2013

SIM to OIM Migration: A How-to Guide to Avoid Costly Mistakes (SDG Corporation)

In the fall of 2012, Oracle launched a major upgrade to its IDM portfolio: the 11gR2 release.  11gR2 had four major focus areas:

  • More simplified and customizable user experience
  • Support for cloud, mobile, and social applications
  • Extreme scalability
  • Clear upgrade path

For SUN migration customers, it is critical to develop and execute a clearly defined plan prior to beginning this process.  The plan should include initiation and discovery, assessment and analysis, future state architecture, review and collaboration, and gap analysis. 

To help you better understand your upgrade choices, SDG, an Oracle partner, has developed a series of three whitepapers focused on SUN Identity Manager (SIM) to Oracle Identity Manager (OIM) migration.

In the second of this series on SUN Identity Manager (SIM) to Oracle Identity Manager (OIM) migration, Santosh Kumar Singh from SDG  discusses the proper steps that should be taken during the planning-to-post implementation phases to ensure a smooth transition from SIM to OIM.

Read the whitepaper for Part 2: Download Part 2 from

In the last of this series of white papers, Santosh will talk about Identity and Access Management best practices and how these need to be considered when going through with an OIM migration.

If you have not taken the opportunity, please read the first in this series which discusses the Migration Approach, Methodology, and Tools for you to consider when planning a migration from SIM to OIM. Read the white paper for part 1: Download Part 1 from

About the Author:

Santosh Kumar Singh

Identity and Access Management (IAM) Practice Leader

Santosh, in his capacity as SDG Identity and Access Management (IAM) Practice Leader, has direct senior management responsibility for the firm's strategy, planning, competency building, and engagement deliverance for this Practice. He brings 12+ years of extensive IT, business, and project management and delivery experience, primarily within enterprise directory, single sign-on (SSO) application, and federated identity services, provisioning solutions, role and password management, and security audit and enterprise blueprint. Santosh possesses strong architecture and implementation expertise in all areas within these technologies and has repeatedly led teams in successfully deploying complex technical solutions.

About SDG:

SDG Corporation empowers forward thinking companies to strategize their future, realize their vision, and minimize their IT risk. SDG distinguishes itself by offering flexible business models to fit their clients’ needs; faster time-to-market with its pre-built solutions and frameworks; a broad-based foundation of domain experts, and deep program management expertise.

Tuesday Jun 25, 2013

Register for a free webcast presented by ISC2: Identity Auditing Techniques for Reducing Operational Risk and Internal Delays

Join us tomorrow, June 26 @ 10:00 am PST for Part 1 of a 3 part security series co-presented by ISC2

Part 1 will focus on Identity Auditing techniques and will be delivered by Neil Gandhi, Principal Product Manager at Oracle, and Brandon Dunlap, Managing Director at Brightfly.

Register for Part 1: Identity Auditing Techniques for Reducing Operational Risk and Internal Delays


Part 2 will focus on how mobile device access is changing the performance and workloads of IDM directory systems and will be delivered by Etienne Remillon, Senior Principal Product Manager at Oracle, and Brandon Dunlap, Managing Director at Brightfly

Register for Part 2: Optimizing Directory Architecture for Mobile Devices and Applications


Finally, Part 3 will focus on what you need to do to support native mobile communications and security protocols and will be presented by Sid Mishra, Senior Principal Product Manager at Oracle, and Brandon Dunlap, Managing Director at Brightfly.

Register for Part 3: Using New Design Patterns to Improve Mobile Access Control

Monday Jun 03, 2013

A Summary of Identity Management R2 PS1

If you have downloaded Identity Management R2 PS1 and are looking for a good summary of capabilities, the presentation below by Marc Boroditsky, Vice President of Product Management, provides a good preview.

For more information on getting started with Identity Management R2 PS1 click here for the documentation. You can learn more about Identity Management R2 PS1 from these resources:

Tuesday May 28, 2013

Don't Secure Yourself Out of Business

As regulatory pressure and security threats continue to rise, the Chief Security Officer (CSO) role is gaining more importance in many organizations. With security spending at an all-time high, many CSOs are re-thinking their priorities and focusing on risk. A recent CSO Market Pulse survey of IT executives finds that in most organizations IT spending is not aligned with risk.

Mary Ann Davidson, Oracle Corp CSO, joins us for this exclusive webcast to discuss the findings of the survey. One of the most important voices among computer security practitioners today, Davidson describes how CSOs and other IT leaders can use this information to reduce risk in the enterprise. To Register Click Here.

Webcast Date: Thursday, July 18, 2013

Time: 10:00 PM PST

Speaker: Mary Ann Davidson, Chief Security Officer, Oracle

Registration: Click Here

API Security Beyond The Perimeter: IdM R2 PS1

If you are moving applications to the cloud or extending your applications to mobile devices, you will be concerned with securing the device interaction with users and with back end components that reside behind your perimeter. In Identity Management 11g R2 Patch Set 1, we have enhanced and released Oracle API Gateway to enable organizations to address the challenges of service oriented security, applications on mobile devices and applications in the cloud. Patch Set 1 is another step in rationalizing a platform approach to Identity and Access Management to enable organizations to modernize security. For a primer on Oracle API Gateway, Apple Bagwell simplified the topic and captured it in a Prezi. Apple recently presented an overview to the Identity Architect Forum which was well received. He does a great job of simplifying and demystifying the topic. Click here to view the Prezi.

The latest docs for the Oracle API Gateway can be found here. For more resources on Identity Management R2 Patch Set 1, see the links below.

Thursday May 16, 2013

Congrats to Virgin Media: Best IAM Project Award

We extend our congratulations to the team at Virgin Media for winning the award for best Identity and Access Management project at the European Identity Conference in Munich this week. Excerpt below from the European Identity Conference.

In the category “Best Identity and Access Management Project”, the award goes to Virgin Media for the implementation of highly polished access control mechanisms with IAM technologies for the WiFi network of the London Underground metro system. This project went live for the 2012 Summer Olympics and had to meet very demanding requirements for high performance user authentication.

You can learn more about the Virgin Media story by viewing this on demand webcast here.

Monday May 06, 2013

CSO Online Study: Threats are Outside, Risks are Inside

Oracle recently worked with CSO Online to study the economics of security. Despite the increasing IT spend on security, many organizations don't feel any safer. According to the study, organizations allocate up to 67% of their IT security spend protecting network resources. However, the biggest risk in many organizations is weak governance controls on user access and application security. According to the latest Verizon Data Breach Report 2013, 76% of attacks utilize lost or stolen credentials as a means of entry or propagating the attack.

According to the survey, 40% believed that implementing fragmented point solutions created gaps in their security and resulted in vulnerability. Fragmentation creates latency in security processes and latency introduces risk. According to a similar study by Aberdeen Research, organizations that take an integrated platform approach had 35% fewer audit deficiencies and were more responsive.

The findings underscore the relevance of Oracle’s “security inside-out” approach which means focusing attention on the organization's most strategic assets which include applications, databases, systems, and users. 

Read the details here

Thursday May 02, 2013

European Identity Conference

This year's European Identity Conference is devoted to cloud, mobile and social. This promises to be an exciting event this year. Here is a link to the conference.  You will not want to miss Peter Boyle and Mike Neuenschwander. Peter's keynote is on Thursday May 16th. Peter Boyle is Head of Identity Services for BT. Below is an abstract for his talk.

If Your Customers Don't Feel Safe, They Will Leave You

More than 559 million adults have been victims of cyber-crime - that's more than the population of the European Union. More businesses are trying to connect with customers on social and mobile, but 15% of social networking users have had accounts infiltrated and 21% have fallen prey to mobile or social attacks. Only one incident can cause a customer to shift brands. If you are trying to find new paths to market online, don't miss this session. Securing the customer experience should be the top priority for any business initiative involving cloud, mobile and social. Faced with the need to secure a growing hosting business with more than 10,000 customers accessing services on-line, British Telecom Identity enabled their applications to secure their customer data and transactions. In this session, Peter Boyle, Head of Identity Services for BT, will discuss how to keep your customer safe, loyal to your brand and keep them coming back for more.

Mike Neuenschwander will speak in the following sessions:

  • May 14th 2:00 pm: The Future of IAM
  • May 15th 10:30 am: Next Generation Cloud and Mobile Identity Management 
  • May 15th 2:00 pm: The Future of IAM: "Do not kill IAM, improve and extend it"
  • May 16th 2pm: Life Management Platforms, Personal Data, Private Cloud 

Wednesday May 01, 2013

North American CAB Notes and Key Takeaways

The North American Customer Advisory Board (CAB) was held at Oracle headquarters, April 16-18.  Customers were invited to attend in order to get an update on product direction, participate in discussions on key industry trends, and to meet with Product Managers to discuss product road maps and features.

Day 1 consisted of  an overview of the Oracle IDM business, including key market trends and customer success stories, followed by presentations by Product Management in three key areas: Directory Services, Identity Governance, and Access Management

Day 2 contained moderated discussions on key topics such as Mobile and Cloud Applications, and also a customer presentation by College Board on their IDM implementation.

Day 3 began with a presentation by Oracle IT on how they are using Oracle IDM to manage systems and applications internally, and then moved on to additional breakout and feedback sessions.  There were also opportunities for customers to meet with Product Managers one on one to discuss specific product features and functions.  At the end of the day, customers were invited to provide feedback about the various presentations and discussions, and to identify key priorities for their organizations.

Here are some of the more popular discussion topics:

A lot of discussion around reference architectures for IDM: customers identified the need for additional best practice guidance when sizing and scaling hardware for optimal performance.  A lot of good reference material exists for 10g products (which have been in the market for quite a while) but less is available for 11g products.

Multi-datacenter configurations, as well as configuring for high availability and disaster recovery.

Mobile application security was a hot topic: most of the attendees were delivering and securing mobile applications but there was a lot of variation in what customers were doing.  Most agreed that the management capabilities of IDM for mobile applications needed to improve, and most agreed that mobile application management was a top priority for them.

All of the customers I spoke to agreed that the time was well spent, and that the presentations were detailed and focused on the topics, technologies and timelines that they felt were important.  Everyone agreed that the ability to meet one on one with Product Management was very helpful, and everyone liked the customer presentations.

Thank you to everyone that attended, and shared their concerns, thoughts and suggestions with the IDM team.

Monday Apr 29, 2013

Centrica webcast follow up - key takeaways and Q&A

Thank you to everyone that joined us on Thursday, April 25, 2013 for the Centrica webcast.  Chris Wilton, Senior Project Manager at Centrica, and Ben Bulpett from aurionPro SENA were the guest speakers.

If you missed the webcast, you can register for the replay here: Centrica Webcast Replay

Here are a few of the key takeaways that were discussed during the webcast:

Key Business Drivers:

  • Centrica needed to simplify log on to SAP, which is a critical business app
  • Wanted to reduce the number of passwords
  • Wanted to automate password resets
  • Wanted to reduce the number of helpdesk calls
  • Centrica wanted to be able to rapidly deprovision accounts for users that leave the organization

Centrica wanted contingency plans in place should an ESSO outage occur

Centrica and aurionPro SENA used several Oracle products to achieve the desired results, some of which were in place before this project.  They include:

Oracle Access Manager (OAM), Oracle Virtual Directory (OVD), Oracle Identity Manager (OIM), and Oracle Identity Federation (OIF)

The project was completed in 60 days and provided an ESSO capability for HR and Payroll, with the ability to add additional applications in the future.  Over 45,000 internal and external users now have access provided by this system.

Here are some additional questions and answers related to this project:

Who sponsored the project within Centrica?

The project was initially sponsored by the Head of IS Power Generation, due to the number of passwords that Power Station staff were required to remember. However, as the requirement for a truly enterprise solution became more pressing, the sponsorship moved into the SAP Competency Centre.

Why did Centrica embark on another Identity Project after the original implementation?

The initial identity project did not implement federated identity, partially as there was an existing SSO solution within the British Gas business and there was not a requirement for an enterprise solution at the time the original ID project was put in place. Once the requirement was there to look at SSO on an enterprise level, leveraging the existing work that had been done.

How is the system managed and what service levels are required?

The solution is managed by our colleagues in British Gas, with the support element currently being undertaken by Infosys. Availability is as per the main IAM solution, with 99.5% availability and 24x7 support in place. RTO 30mins RPO 15mins

If you were to embark on the project again knowing what you do what would you change?

The integration with the SAP Netweaver Portal v7.3 was the most challenging part of the project – we were unable to find any other company that had configured SAP Netweaver 7.3 to accept SAML 2 and initially didn’t have the necessary knowledge or resources to be able to implement this to begin with. Through a mix of extensive reading, coupled with trial and error, we were able to integrate the system. Specialist resourcing on the SAP side of things was the biggest lesson we took forward from this.

Wednesday Apr 24, 2013

What is Your Cloud Security Forecast?


You don’t like losing control – that is human nature. In your personal or professional life – whether you are an IT architect, a manager, a developer, a DBA or an executive – you never like losing control or not knowing a situation or an outcome. But a cloud deployment is exactly that – a situation where you don’t have 100% control over or insight into the security framework that governs your applications or data in the cloud.

The problem is further exacerbated with latency and fragmentation. If it is not the same security policies that govern your enterprise infrastructure and your cloud deployment, duplicating security policy data in multiple places will complicate policy enforcement. Fragmentation, in turn, creates latency where a change in the system is not detected or acted upon immediately making your cloud systems vulnerable. If, for example, your employee changes jobs, unless the HR system is immediately able to trigger a revocation alert/workflow across all the applications and systems – both in-house and in the cloud, you may have inadvertently allowed unauthorized (and potentially damaging) access to your applications and data.

Of course, then there is audit and compliance. If you are a financial institution, your cloud has to provide reporting to address the BASEL 2 requirements or you will incur financial penalties. If your cloud hosts your General Ledger, your cloud has to provide Sarbanes Oxley (SOX) certification. If your customers are in Europe, your cloud has to comply with the European data privacy directive. How do organizations, such as yours, provide timely compliance reporting and remediation if you don’t have visibility or if recent actions aren’t immediately recorded? Fragmentation and latency, thus, impact audit and compliance reporting. Simply put, if you don’t know about it, you can’t accurately report on it.

So, if fragmentation and latency are the issues, a standardized platform must be the antidote! Having a complete, standardized security and identity management platform will allow you to enforce uniform security policies across all your resources – on-premise or hosted. A platform approach implies seamless integration within components thereby getting rid of security and identity silos. A platform approach implies interoperability so that the framework works for your complete heterogeneous infrastructure. A platform approach affords scalability- you can support thousands or millions of users across the myriad of resources. You can scale to what the new digital experience requires!

Thanks to Oracle’s large and advanced customer base, the company realized the rationale for the platform approach to Security and Identity Management early on. Oracle offers the industry’s first Identity Management platform that is proven to be extensible enough to support your internet scale.

Learn more about Oracle’s platform approach to Identity Management and how you can leverage Identity services at internet scale. Download the free whitepaper today.

And for more information and resources, visit Oracle Identity Management on today.

Monday Apr 22, 2013

Addressing the Top 5 Cloud Security Challenges

As we talk to organizations around the world, it is clear that most consider Cloud as the biggest opportunity today to reduce cost. To any organization, cloud offers numerous advantages – business agility, reduced operational costs, scalability, improved performance and more. With cloud deployments ranging from private to hybrid to public, the scale of benefits varies but so do the risks.

Going up the cloud continuum from on-premise to private to hybrid and then public cloud, IT’s control and visibility into security policies decreases.

Private clouds give organizations greater control over security and data privacy, compliance, and also quality of service, since private clouds can manage network bandwidth and implement optimizations that public clouds don’t allow. But much like your enterprise, risks arise from privileged access and insider threats. In the public cloud, policies are managed by an outside 3rd party which is the cloud service provider. A shared environment in the public cloud also causes security and compliance concerns. A hybrid cloud, by its very definition, encapsulates both the benefits and the risks of both the private and public clouds.

As we move through the spectrum, security policies get more and more fragmented as we duplicate policy data in multiple places. Consequently, latency also increases and risk increases exponentially. Add to that the compliance and governance issues and it is no wonder that Security continues to be the #1 barrier in cloud adoption. In fact, according to the “Private Cloud Vision vs. Reality”, InformationWeek Report, 2012, 82% of organizations say security and data privacy concerns are one of the main reasons they are phasing out, or have decided to not use, public cloud.

So, where best to focus your efforts so as to leverage cloud without risking security? A recent CSO Online survey of Chief Security Officers found that the top 5 security concerns for cloud were all related to mobile data access, regulatory compliance and managing access to the data and the applications, i.e., Identity Management.

Organizations that move applications into the cloud have to bridge the gap between the enterprise and the cloud by providing a standardized security framework around data security and application access. Take some time to watch this brief screencast and learn how you can manage security risks and address governance issues while unlocking the full potential of the cloud.

Thursday Apr 18, 2013

Centrica drives down operational cost by implementing Single Sign On using Oracle IDM

Centrica Plc is an integrated energy company operating in 7 countries including the U.K. and U.S. that supplies electricity and gas for 30 million consumer and business customers.

In an effort to drive down operational costs due to password resets for their critical business applications, Centrica engaged aurionPro SENA to help them explore the most cost effective options.

The project goals were to:

  • simplify user log on to SAP
  • reduce the number of passwords
  • automate password resets
  • reduce the number of help desk calls (related to password issues)

To find out more about the Enterprise Single Sign on system designed and implemented for this project, join us on April 25, 2013 @ 10:00 am PST for a webcast featuring Chris Wilton, Senior Project Manager at Centrica, Ben Bulpett, Alliances and Enterprise Account Director at aurionPro SENA, and myself (Darin Pendergraft, Product Marketing, Oracle)

We will discuss the project and will have an opportunity for live Q&A.

Click Here to Register! 

Tuesday Apr 16, 2013

5th Annual EMEA Customer Advisory Board held in Vienna, March 18 - 20, 2013

This year the EMEA Customer Advisory Board (CAB) was held in the beautiful city of Vienna, Austria.  Representatives from Oracle product management and engineering teams met with customers from all over Europe to discuss market trends, product direction, and to get feedback on current products.

Day 1 focused on updates since the last CAB meeting, including the launch of 11gR2, the state of the IDM business, and featured updates from the Directory Team, the Access Management Team and the Identity Governance team.

Day 2 contained moderated discussions focusing on Mobile Identity Management, Cloud Identity Management, and Enterprise IDM.  The first of three customer presentations was delivered by Vodafone Romania who discussed how they are using Oracle IDM.

Day 3 contained customer presentations by BT and Turkcell, followed by breakout sessions, on topics ranging from risk management to upgrade & migration strategies.

Overall, this CAB was a very big success, and proved beneficial both to the Oracle product teams, who collected valuable feedback from customers, and to customers, who heard directly from the product teams about upcoming product road maps and direction.  Several customers also mentioned that they really enjoyed hearing about other customers' implementations and plans.

Thank you to all that attended, and a special thank you to those customers that presented! 

Friday Apr 05, 2013

Yarra Valley Water utilizes Oracle Identity Management

Yarra Valley Water (YVW) is the largest of Melbourne’s three water retail businesses. Owned by the State Government of Victoria (Australia), YVW provides water supply and sewerage services to over 1.7 million people and over 50,000 businesses in Melbourne’s northern and eastern suburbs, including some recycled water and trade waste customers.

YVW needed to automate account provisioning for both its partners and end users so that they have easy yet secure online access to YVW applications. Check out this video to find out more about YVW’s use case and how Oracle Identity Management helped.

Sunday Mar 31, 2013

Authentication and Authorization Problem in Cyprus

If you are following the Cyprus bailout story, you will sympathize with the extraordinary situation faced by Cypriots coping with unprecedented banking regulation. Faced with a risk of capital outflow, the government placed limits on domestic and foreign currency transactions. After the restrictions were lifted, it was discovered that there were loopholes that allowed withdrawals from subsidiary banks in London where the controls were not enforced. For controls to work they have to be consistent. The limits are very specific and very difficult to enforce. As institutions and governments try to apply fiscal or regulatory controls over large groups of people, the controls are only as effective as the identity management capabilities of the institution. The problem is latency. The longer it takes for an endpoint, or in this case a bank subsidiary, to get updated, the greater the security risk. In this case Cyprus loses a significant fraction of foreign deposits.

The problem is not unique to Cyprus. During the American financial crisis, the breakdown in trust almost froze the credit system. When a credit card is swiped at the local retailer, the authentication does not always go directly to the bank that issued the credit card. The transaction flows to a merchant bank. The entire system depends on keeping the merchant banks in sync. Every transaction we make without cash has an element of identity involved. The economic cost of identity authentication, while not explicit, is a factor in every credit card transaction and every purchase online. The Cyprus crisis demonstrates what can happen if identity controls break down or fail. In Cyprus the consequence is failure of the banking system.

Authentication failure at an individual level ends in fraud or theft. As the customer experience becomes more digital, the consequences are more drastic. Authentication failure can hurt an individual or a business or, in this case, compromise the future of a nation.

Friday Feb 15, 2013

Identity Goes Shakespearean with King Richard III - A Forbes Feature

King Richard III: Villain, Hero, or Tragic Victim of Identity Theft?

What does Identity Management have to do with the recent discovery of King Richard III's remains? A lot, according to this recently published post in Forbes Magazine from the Oracle Identity Management team.

Don’t miss this interesting Shakespearean twist to Identity Management. Turns out, authentication and Identity Management are more pervasive than it’d appear on the surface. Identity is King!

As always, we welcome your feedback and thoughts. Please send us your comments here and engage with us on Twitter and Facebook.

Monday Feb 11, 2013

Amit Jasuja - Cloud, Mobile and Social Will Drive Digital Security

Amit Jasuja sat down for an in-person interview to discuss how digital security is changing and how cloud, mobile and social are driving the transformation. The entire interview can be found here.

It's more virtual and less physical

In the past, most security was focused on the physical protection of buildings and access to systems. The security transformation means securing content and information in places where we don't have control. The point of control has moved from the enterprise to the cloud.

It's more integrated than fragmented 

Instead of multiple point products being used to secure systems, we will see a more integrated approach where security information is shared across components. By de-fragmenting the data, security becomes more responsive.

It's more mobile and less stationary

The shift to mobile applications will expose organizations to new threats and operational challenges. Security will need to scale to protect the vast number of changing devices.  

It's about getting it done right and avoiding rework 

Organizations will focus on deployment of technologies to get it done right the first time. We will choose technologies that provide a clear roadmap and upgrade path to avoid costly rip and replace projects. 

Thursday Feb 07, 2013

Richard III – Authentication Gets Shakespearean

With the recent discovery of Richard III in a Leicester parking lot, we realize that authenticating an individual is as important as authenticating a king. Your identity is king.

The recent twitter #authchat provides a good survey of authentication techniques. Authenticating Richard required many of the same identity management techniques we use in software. Here are a few observations:


DNA evidence from two related descendants was critical in verifying the identity of the king. The same is true for the way we authenticate today. While we may use fingerprint readers on our laptops and in our data centers, we still rely on additional factors of authentication beyond biometrics. From the description of the battle of Bosworth, many thumbs and fingers were most likely misplaced – lots of parts everywhere. If Richard were alive today, he would have commanded, “my kingdom for a thumb!” If the researchers had tested DNA from the wrong thumb, the results would have been wrong. Biometrics are only a piece of the puzzle.

Third Party Verification

The research team had to find a descendant to verify the DNA of Richard III. DNA, like a certificate, on its own is not enough to prove who you are.  A third party has to vouch for the fact that the information is correct. We may think we are advanced because we can make an instant SAML request to an identity provider to log into our 401K plan or download a ringtone, but it is perhaps more amazing that the team found an identity provider (Richard's descendant nephew) across 500+ years of the family tree, in a country thousands of miles away.

Context Aware

Finding the king and verifying the identity were almost equally challenging tasks. The location information from history played a role. In addition, the context of the injuries and the battle description were all indicators that helped to confirm the identity. Other factors, including radiocarbon dating and food consumption patterns, were all part of the context used in the formula. Today, with many users with different roles accessing our systems, adaptive access and context-aware security are used to complement authentication. Now, we may be a long way from using food consumption patterns to authenticate a user on a banking website, but I would not rule it out. It gives validity to the claim “you are what you eat.”

The key is that no single form of authentication is sufficient in all circumstances. Context helps to provide ongoing assurance that we are dealing with the correct user. It turns out Richard III was not the tyrant he is remembered as, but perhaps just the victim of identity fraud. Congrats to the research team – truly a remarkable accomplishment, and the discovery demonstrates that “the king’s name is [still] a tower of strength” (Shakespeare, Richard III) -- especially given the amount of media exposure.

Friday Dec 28, 2012

Globe Trotters: The Difference between Authentication and Authorization

Meet Christian Patrascu. Christian is Senior Group Manager with Oracle. A seasoned Security professional and a reputed Identity Management expert, Christian is a member of the EMEA outbound Product Management team that drives sales and adoption of Oracle Fusion Middleware within the Europe, Middle East and Africa (EMEA) region. Oracle Fusion Middleware is a portfolio of leading, standards-based and customer-proven software products that spans a range of tools and services from J2EE and developer tools, to integration services, business intelligence, collaboration, content management and Identity Management.

Christian recently sat down for an interview with Sebastian Graf (DOAG Head of the SIG BPM) where he discussed the difference between Authentication and Authorization and the importance of both in an enterprise's end-to-end security strategy. DOAG (Deutsche Oracle User Group) is one of the largest organized and independent Oracle user groups in Europe.

The discussion on authentication and authorization is especially relevant in today's "anytime, anywhere" world where business and personal boundaries have blurred and users are looking for a seamless experience between their social and business channels via mobile devices and more. So, as we close out 2012 and look to 2013, we thought this video interview would be apt for the last edition of Globe Trotters for 2012.

We wish you all a very safe and Happy New Year and look forward to engaging with you in more security discussions.


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

