Tuesday Apr 24, 2012

SANS Institute Product Review of Oracle Entitlements Server

In a new independent product review report titled “Demystifying External Authorization: Oracle Entitlements Server Product Review”, SANS analyst and senior courseware author Tanya Baccam provides an insightful analysis of Oracle Entitlements Server (OES), strongly endorsing its key capabilities and customer benefits. In this product report, the SANS Institute reviewed some of its core capabilities, which enable businesses to enforce granular security throughout the stack - apps, web services, portals or databases can all be secured with OES. You can download the full product review here.

  • Application Security: Applications of many flavors – including homegrown, packaged and cloud applications can be secured with OES. Organizations can decouple the evolution of authorization policies from business logic by externalizing access privileges from applications. This drastically simplifies the application development lifecycle.
  • SharePoint Security: Content management servers such as SharePoint provide excellent facilities for storing, retrieving and sharing documents. They often come with standard facilities to secure documents. OES can extend these simple security models with sophisticated RBAC- and ABAC-based models. OES also allows organizations to gain control over the proliferating use of SharePoint. It can lock down information hosted in SharePoint at a very granular level, protecting web parts, pages, list items and so on.
  • Data Security: Sometimes information stored in a database is extremely sensitive and extensive checks need to be done irrespective of the application. For example, credit card numbers and passwords should only be shared on a need to know basis. In these situations it may be desirable to enforce restrictions from within the Database itself. OES can be used to do Row and Column level filtering based on standards based authorization policies. Because this filtering is done within the database, security policies will be enforced irrespective of the application. This solution is also useful with legacy applications which cannot externalize authorization.
  • Web Services Security: OES in combination with XML gateways such as Oracle Enterprise Gateway helps enforce granular security for SOA environments. For instance, organizations can now enforce security policies for web services based on the content of SOAP headers and attribute information. This makes it easier to enforce policies based on time of day, client IP, etc. Policies can be set up to redact confidential information from web service responses. OES supports most web services message standards, including SOAP, REST, and JMS.
Here is an excerpt from the report: “The ability to centrally manage access down to the specific resource level has, in the past, seemed unachievable beyond a system-by-system basis. Oracle Entitlements Server (OES) made the process of controlling access easier—and more manageable across multiple applications and scenarios within those applications—with no retooling of applications required.”

You can download the full report here.

Wednesday Mar 21, 2012

Webcast Q&A: Demystifying External Authorization

Thanks to everyone who joined us on our webcast with SANS Institute on "Demystifying External Authorization". Also a special thanks to Tanya Baccam from SANS for sharing her experiences reviewing Oracle Entitlements Server. If you missed the webcast, you can catch a replay of the webcast here.

Here is a compilation of the slides that were used on today's webcast.

We have captured the Q&A from the webcast for those who couldn't attend.

Q: Is Oracle ADF integrated with Oracle Entitlements Server (OES) ?

A: In Oracle Fusion Middleware 11g and later, Oracle ADF, Oracle WebCenter, Oracle SOA Suite and other middleware products are all built on Oracle Platform Security Services (OPSS). OPSS provides many security functions such as authentication, audit, credential stores, token validation, etc. OES is the authorization solution underlying OPSS, and OES 11g unifies different authorization mechanisms, including Java2/ABAC/RBAC.

Q: Which portal frameworks support the use of OES policies for portal entitlement decisions?

A: Many portals, including Oracle WebCenter 11g, run natively on top of OES; the authorization engine in WebCenter is OES. In addition, OES offers out-of-the-box integration with Microsoft SharePoint, so SharePoint sites, sub-sites, web parts, navigation items and document access can all be secured with OES. Several other portals have also been secured with OES, e.g. IBM WebSphere Portal.

Q: How do we enforce Separation of Duties (SoD) rules using OES (and how does that integrate with a product like OIA)?

A:  A product like OIM or OIA can be used to set up and govern SoD policies. OES enforces these policies at run time. Role mapping policies in OES can assign roles dynamically to users under certain conditions. So this makes it simple to enforce SoD policies inside an application at runtime.

Q: Our web application has objects like buttons, text fields, drop-down lists, etc. Is there any “autodiscovery” capability that allows me to use/see those web page objects so I can start building policies over those objects? Or how does it work?

A: There are a few different options with OES. When you build an app and make authorization calls with the app in the test environment, you can put OES in discovery mode and have OES register those authorization calls and decisions. Instead of doing this after the fact, an application like Oracle iFlex has built-in UI controls such that, while the app is running, a script can intercept authorization calls and migrate them over to OES. And in Oracle ADF, a lot of resources are protected, so pages, task flows and other resources can be registered without OES knowing about them.

Q: Does current Oracle Fusion application use OES ? The documentation does not seem to indicate it.

A: The current version of Fusion Apps is using a preview version of OES. Soon it will be replaced with OES 11g.

Q: Can OES secure mobile apps?

A: Absolutely. Nowadays users are bringing their own devices, such as a smartphone or tablet, to work. With the Oracle IDM platform, we can tie identity context into the access management stack. With OES we can make use of that context to enforce authorization for users accessing apps from mobile devices. For example, we can take into account elements like authentication scheme, location, device type, etc., and tie all that information into an authorization decision.
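The role-mapping and context-aware decisions described in the SoD and mobile answers above, as an added illustration in plain Python (not OES or Oracle code): a small external decision point whose policy tables, group names and context attributes are all constructed for the example.

```python
from dataclasses import dataclass, field

# Added illustration of an externalized authorization decision point (PDP).
# Not Oracle/OES code: the policy tables, group names and context attribute
# names below are constructed for the example.

@dataclass
class Request:
    user: str
    groups: frozenset                  # enterprise groups from the identity store
    action: str
    resource: str                      # e.g. "trade:4711" (type:id)
    context: dict = field(default_factory=dict)  # auth_scheme, device, initiator

# Role-mapping policies: a role is held only while its condition is true at
# decision time, so runtime context can grant or withhold it per request.
ROLE_MAPPING = [
    ("trader",   lambda r: "traders" in r.groups),
    ("approver", lambda r: "supervisors" in r.groups),
    # Privileged role requires strong authentication from a managed device.
    ("settlement_admin", lambda r: "ops" in r.groups
                         and r.context.get("auth_scheme") == "mfa"
                         and r.context.get("device") == "managed"),
]

# Permission policies keyed by (resource type, action) -> roles allowed.
PERMISSIONS = {
    ("trade", "create"):  {"trader"},
    ("trade", "approve"): {"approver"},
    ("ledger", "adjust"): {"settlement_admin"},
}

def effective_roles(req: Request) -> set:
    """Roles the subject holds for this particular request."""
    return {role for role, cond in ROLE_MAPPING if cond(req)}

def sod_violation(req: Request) -> bool:
    """Separation of Duties: whoever initiated a trade may not approve it,
    even if they hold the approver role."""
    return (req.action == "approve"
            and req.resource.startswith("trade:")
            and req.context.get("initiator") == req.user)

def decide(req: Request) -> tuple:
    """Return (allowed, reason). The calling application only sees the
    verdict; policy changes here need no change to application code."""
    roles = effective_roles(req)
    needed = PERMISSIONS.get((req.resource.split(":", 1)[0], req.action))
    if needed is None:
        return False, "no policy for this resource/action"
    if not roles & needed:
        return False, "no effective role grants this action"
    if sod_violation(req):
        return False, "separation of duties: initiator cannot approve"
    return True, "permit"

if __name__ == "__main__":
    alice = frozenset({"traders", "supervisors"})
    print(decide(Request("alice", alice, "create", "trade:4711")))
    print(decide(Request("alice", alice, "approve", "trade:4711",
                         {"initiator": "alice"})))
```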

Q:  Does Oracle Entitlements Server (OES) have an ESAPI implementation?

A: OES is an authorization solution. ESAPI/OWASP is something we include in our platform security solution for all Oracle products, not specifically in OES.

Q:  ESAPI has an authorization API. Can I use that API to access OES?

A: If the API supports an interface/SSPI model that can be configured to invoke an external authorization system through some mechanism, then yes.

Wednesday Mar 14, 2012

SANS Institute Product Review Webcast: Demystifying External Authorization

We have blogged recently about the benefits of an External Authorization solution such as Oracle Entitlements Server. We believe that there are three primary business drivers fueling the need to externalize authorization from applications. First, regulatory considerations are getting more stringent and complex, and meeting modern regulatory demands often requires enforcement of granular access privileges at application runtime. Secondly, a lot of homegrown applications have authorization policies built into the business logic, which makes it hard to change policies in response to evolving security and regulatory mandates. And finally, with role-based access becoming predominant, many organizations are now dealing with the challenge of role explosion, wherein redundant role definitions make access control harder to manage and make it difficult to secure transactions and data on the basis of roles. This has led to the growth of External Authorization solutions, which make it easy to externalize and centralize authorization policy definitions. Solutions like Oracle Entitlements Server allow extremely rich policy definitions to be set up on the basis of context, attributes, roles or runtime conditions.

On Mar 21, SANS and Oracle will be hosting a webcast wherein our speakers, Tanya Baccam from SANS and Roger Wigenstam from Oracle, will discuss some of these challenges and how a solution such as Oracle Entitlements Server can help organizations overcome these problems.

In this webcast, Tanya Baccam will discuss business drivers for external authorization and real-world use case scenarios, and highlight some critical capabilities that organizations should bear in mind when evaluating and deploying external authorization solutions. Tanya will also share her experiences reviewing Oracle Entitlements Server. This webcast will also feature Roger Wigenstam, who will discuss unique product capabilities. Registering for this webcast will put you at the top of the list to receive Tanya Baccam’s new white paper on external authorization.

Register for this webcast here.

Monday Aug 01, 2011

Externalizing Fine-grained Authorization from Applications

In a recent article published by Sys-Con, Marc Chanliau from Oracle highlighted the mechanics and benefits of externalizing fine-grained authorization policies from applications.

While URL-based coarse-grained authorization can be enforced using conventional web access management solutions, fine-grained authorization decisions are typically enforced at application run-time. For instance, if access to confidential data (such as a user’s Social Security Number) is granted to a user only if he meets certain conditions, then those checks are typically performed at run-time. This led to complexities in building security into applications. It also led to a joint evolution of security policies with application logic, which negatively impacted developer productivity. In this article, Marc Chanliau explores the need to externalize authorization from applications and then delves into the mechanics of externalizing authorization policies using Entitlement Servers.

Here’s a link to the complete article.

If you’d like to learn more about externalizing authorization from applications, check out the replay of our recent webcast on Oracle Entitlements Server 11g. We also have two additional webcasts coming up which explore the declarative security paradigm and its business benefits.

· Webcast: Demystifying Declarative Security

· Webcast: Declarative Security for Mobile Apps

Thursday Jul 28, 2011

Oracle Entitlements Server (OES) 11g Webcast Q&A

We recently announced Oracle Entitlements Server (OES) 11g. OES externalizes authorization policies from applications eliminating the complexity of building authorization inside applications. By decoupling authorization policy evolution from the application lifecycle, OES does for authorization what Single Sign-On did for authentication.

In our recent July 14 webcast on OES 11g, we dug deeper into some of the new capabilities and design themes in OES 11g. Thanks to everyone who joined our webcast. We have captured answers to the questions asked for your reference.

What is new in OES 11g?

OES 11g introduces several breakthroughs in externalized authorization management:
  • Real-time External Authorization ensures minimal latencies in mission-critical deployments for applications making a massive number of authorization checks.
  • Comprehensive Standards Support for a broad spectrum of authorization standards including XACML, NIST RBAC, Enterprise RBAC, ABAC, JAAS and OpenAZ. This gives customers plenty of choices and flexibility of deployment.
  • Rapid Application Integration accelerates integration with a broad spectrum of application platforms.

Does OES 11g integrate with non-Oracle systems?

Yes. OES integrates with a large number of heterogeneous (non-Oracle) platforms including various custom and 3rd party applications, application servers, databases, directory servers, content management systems, SOA and cloud environments, web portals, and XML gateways, development platforms and programming languages.

What’s the difference between OES 11g and Oracle Platform Security Services (OPSS)?

OPSS is the underlying security foundation for Oracle Fusion Middleware and Oracle Fusion Applications. It is a security framework that provides a broad set of security services for applications - anything from authentication, audit, secure credential storage, identity profile, and authorization among others. OES is the authorization engine sitting underneath OPSS.

OAM and OES both can handle authorization. What else can OES offer when compared to OAM authorization?

OAM is primarily an authentication and Single Sign-On solution. While it does have coarse grained authorization capabilities, you will need a fine grained authorization solution like OES for page/portal customization or page entity level security checks (button enable/disable, text box graying out), transactional checks, checks at method or function level, and for data redaction.

Does OES 11g integrate with Microsoft Active Directory?

Sure. OES can work with external user/group/role/attribute repositories. As a best practice we recommend that you leverage your existing identity stores like AD.

Does OES 11g integrate with other Oracle Identity Management products like Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM)?

OES integrates with other Identity and Access Management solutions. It can integrate well with an SSO solution like OAM or an adaptive authentication solution like OAAM. Integration with OES delivers fine grained authorization capabilities such as page/portal personalization, function/module level checks, attribute based checks, data redaction etc. OES integrates with other components of the Oracle Identity Management stack as well.

Do you recommend performing data redaction at the database rather than at the UI or business logic layer?

Nearly all large deployments have to make a decision on this at some point. While some scenarios may force you to make the authorization decision at the data source (DB level), we tend to recommend redaction at a data service layer (for example, at the Hibernate layer). In general, this is a very subjective decision. OES 11g provides various architecture choices, and decisions vary on a case-by-case basis.
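Redaction and row filtering applied at a data service layer, the placement the answer above recommends (and the row/column filtering the Data Security bullet in the first post describes), as an added Python illustration that is not Oracle or OES code: the roles, column and row policies, and customer rows are all constructed for the example.

```python
# Added illustration of policy-driven redaction at a data-service layer.
# Not Oracle/OES code: the roles, policies and rows are constructed samples.

# Constructed customer rows, as the data source would return them.
CUSTOMERS = [
    {"id": 1, "name": "Ada",   "branch": "NYC", "balance": 1200,
     "ssn": "123-45-6789", "card_number": "4111111111111111"},
    {"id": 2, "name": "Brian", "branch": "SFO", "balance": 300,
     "ssn": "987-65-4321", "card_number": "5500000000000004"},
]

# Column policy per role: which columns are returned, and which of those are
# masked rather than withheld. Columns in neither set are never returned.
COLUMN_POLICY = {
    "teller":     {"visible": {"id", "name", "branch", "balance"},
                   "masked": {"card_number"}},
    "compliance": {"visible": {"id", "name", "branch", "balance",
                               "ssn", "card_number"},
                   "masked": set()},
}

# Row policy per role: predicate over (row, caller context).
ROW_POLICY = {
    "teller":     lambda row, ctx: row["branch"] == ctx.get("branch"),
    "compliance": lambda row, ctx: True,
}

def mask(value: str) -> str:
    """Keep the last four characters and replace the rest."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "****"

def fetch_customers(role: str, ctx: dict, rows=CUSTOMERS) -> list:
    """Single data-service entry point. Because every caller passes through
    here, neither the UI nor the business logic can see a column or row the
    policy withholds, regardless of which application made the call."""
    cols = COLUMN_POLICY.get(role)
    keep_row = ROW_POLICY.get(role)
    if cols is None or keep_row is None:
        return []                          # unknown role: deny by default
    out = []
    for row in rows:
        if not keep_row(row, ctx):
            continue                       # row-level filtering
        shaped = {c: row[c] for c in cols["visible"] if c in row}
        for c in cols["masked"]:           # column-level redaction
            if c in row:
                shaped[c] = mask(str(row[c]))
        out.append(shaped)
    return out

if __name__ == "__main__":
    print(fetch_customers("teller", {"branch": "NYC"}))
    print(fetch_customers("compliance", {}))
```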

With 11g the OES PEP/PDP is now integrated into the WLS OPSS SM. When using OES Administration Server (PDP) in conjunction with WLS 11g, do you have to license the integrated PEP/PDP on WLS or is its usage covered by the WLS licensing?

OES is licensed separately.

How does OES compare to LDAP or Tivoli security application?

LDAP by itself is just a repository and does not provide any policy enforcement capabilities.

Where are the roles stored?

In OES, roles are policy-based. At a high level, role policies can be based on users, groups or user attributes, and these entities can be managed in any standard user repository (e.g. AD).

How is OES integrated with Oracle ADF? Can I authorize ADF components seamlessly and transparently (ADF developers do not invoke OES directly), and how?

Absolutely. The OES admin console itself is based on OES. Since OES can plug in under the OPSS (Oracle Platform Security Services) layer, all Oracle FMW and Applications (that are based on OPSS) automatically leverage the OES authorization engine.

Does OES support Single Sign On?

OES is not a WebSSO product, it does fine grained authorization. That said, it works with and integrates with any customer's single sign-on solution to take advantage of the user context that gets established and any other information the SSO product provides that you want to leverage in your authorization policies. Oracle Access Manager (our WebSSO product) internally leverages an embedded version of OES to do URL level (coarse grained) authorization.

Do you need the Enterprise Gateway to perform this sort of context authorization or can this be performed by WLS/OPSS, etc?

The Oracle Enterprise Gateway makes it extremely easy to integrate with web services as it is natively integrated with OES - this requires no changes to the application code. A similar integration can be done with Oracle Web Services Manager with some customization.

Does OES integrate with Layer 7 gateways?

Yes, OES can integrate with Layer 7 gateways.

Does OES provide database level integration with IBM DB2?

You can definitely use OES for data security with DB2 through business tier integration.

Can OES integrate with non-Java applications (C/C++)?

OES provides Web Service and RMI interfaces that can be of help in these cases. We have done a lot of work with financial services companies that we will be happy to discuss offline.

Can authorization policies be stored in an Oracle database?

Authorization policies can be stored in Oracle RDBMS. The users and groups can be retained in their existing enterprise stores - AD/LDAP/RDBMS.

Do you provide or recommend tools to extract security rules from home-grown code so they can be externalized?

We have not come across any tools that extract rules from code very effectively.

Are there any IDEs (like Eclipse) that support application owners in development for developers and architects?

There are probably two parts to this question. The OES libraries can be used with any IDE. Our own JDeveloper IDE provides security wizards that help developers, provides declarative support, and helps automate the development lifecycle; this is planned to be certified with OES 11g later this year. We also have plans to extend this to 3rd party IDEs.

How do you integrate OES with Oracle Identity Manager (OIM) and Oracle Identity Analytics (OIA)?

OIM provisions the users and group memberships (enterprise roles) in the ID store(s) that OES can then leverage in authorization decisions/policies. OIM may also control certain user attributes that may be used in your authorization policies. (OIM uses an embedded version of OES for defining delegated admin policies.) OIA can then be used for recertification/attestation of the role memberships and relevant attributes, Separation of Duties (SoD) policies, etc.

Check out the webcast replay to learn more about OES 11g.

Sunday Jul 24, 2011

The Business Case For Entitlements Server

Much of our content today discusses how to apply an entitlements server to provide external authorization, but less time has been spent discussing the business case for fine-grained entitlements. As we wrap up a week of sales training, I want to spend some time summarizing some of the data-points on how organizations rationalize the benefits of entitlements servers. The topic of role-based access has a rich academic history since role-based access control draws from a diverse range of subjects.

The demand for entitlements servers has increased drastically in the past few years as application and data security moved into the foreground. Despite the large number of “off the shelf” solutions used in IT, the majority of mission critical “line of business” applications are home grown. Financial services companies are perhaps the most mature users of fine-grained authorization because of the regulatory pressure and intrinsic monetary value of the data. In the past few years, demand has picked up in many verticals from healthcare to manufacturing. In cases where business processes are being outsourced, providing policy based control over data and transactions is essential. 

A few years ago, the banking world was rocked by the scandal of a rogue trader who utilized his knowledge of gaps in control procedures to create a $7.1B loss for a major bank. While this case is certainly sensational, this type of insider fraud happens more often than we think. Some sources suggest more than 46% of fraud is caused by insiders. Apart from looking for an economic ROI for deploying an entitlements server, the most compelling reason is the security of the business itself. When a “line of business” application like a trading system or a clinical trials application gets compromised, the impact is always financially disastrous.

Today most of the organizations deploying an entitlements server solution have well defined requirements to separate access due to internal or external regulatory guidelines. The regulatory pressure alone provides the business case. In most of the cases, the customer's existing homegrown approach became too difficult to maintain and scale as security requirements changed. Looking across deployments, two economic value propositions are found in all cases:

  • Time to value: Re-tooling applications to address security changes can take many months. Many organizations that deployed an entitlements server have reduced this time to weeks. This provides significant time to value when the organization is trying to address an audit finding or closing a security risk gap.
  • Reduced development cost: Most organizations save tens of thousands of dollars on a per-application basis after deploying an entitlements server, because so much time was previously spent hard-coding security into the application. In one anecdotal case a company saved over $265K annually across 7 applications by externalizing security. Thanks to Andy Vallila for sharing this particular example.

We are still in the early adoption phase of entitlements servers. The customers who adopt have the most urgent security need. As we survey and summarize the results of the early adopters, we will gain better ROI data. For more background on entitlements servers and how to apply them the following resources may be helpful:

