Friday Feb 27, 2015

New eBook: Establishing a Mobile Security Architecture

Today, just as organizations are starting to understand the first wave of the mobile revolution, IT is already being asked to support a second wave: a new generation of devices and applications is coming online to take advantage of these new capabilities in today’s corporate environments.

"Establishing a Mobile Security Architecture" provides a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you maintain the role of a mobility planner, security architect, CISO, security director, IT director, operations manager or just simply want to better understand the best application of technologies for each area of mobility within your organization and how to reduce risk, then download this free copy of "Establishing a Mobile Security Architecture".

Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive in the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Register now for your free copy of the "Establishing a Mobile Security Architecture" eBook.

Wednesday Feb 18, 2015

ISACA Webcast Replay - Manage, Monitor & Audit the Mobile User

The greatest threat of a data breach, intentional or not, continues to be from employees, contractors and partners: people you are supposed to be able to trust. On February 12th, Oracle presented to ISACA members on the critical nature of establishing policies, technology and best practices to manage, monitor and audit the use of mobile devices as part of a larger Identity Management strategy.

Our presenter was Mark Wilcox, who is a Senior Principal Product Manager at Oracle. Leveraging his 20 years of experience in the computing industry and the Identity and Access space, Mark delivered a very focused session on best practices and industry guidance that would benefit any organization evaluating their mobile strategy. Please click on the following link to replay the event from February 12th, 2015.

For more information on ISACA, and how they can support you on a student, professional or academic level, please visit them on their website at www.isaca.org or directly on their Membership Page.

Replay Webcast Here


Thursday Jan 08, 2015

Shoulder Surfed by a Kid: Why cruel and unusual mobile security policies compromise security…

Author: Clayton Donley, Vice President of Product Management, Oracle Identity Management & Mobile Security.

“Thank you for your purchase of Mojo! Your credit card has been billed $19.95.”

As I leaned back and reviewed my morning email on my iPad, I was surprised to see a receipt for a purchase of something called Mojo. However, it quickly dawned on me exactly what it was and how this had happened.

You see, for a few weeks my son had been playing a free-to-play game on his iPad. In this game, there was a virtual currency called Mojo. He had been asking for me to spend real money to buy some of this virtual currency and I had spent an equal amount of time denying this request. So when the receipt landed in my inbox, I knew exactly what it was and who did it. What I didn’t know was how he had managed to make the purchase.

My iTunes password had lower and upper characters, a special character, no dictionary words, and a number. I wasn’t using it on any other site and hadn’t even given it to my wife.

What I had done was type it on my iPad that morning before I left for work, allowing each character of the password to echo on the screen as I typed it.

Apparently, a properly motivated 9-year-old (at the time) can easily watch these characters echo over your shoulder and enter them later on their own device.

What if this was an Enterprise Password?

Many companies still use login/password to access corporate VPNs and business applications.

Imagine that you work for one of these companies, visit a conference or trade show, and decide to check a file share, CRM application, or wiki using your mobile device.

You pull out your device, unlock it, and launch the application. Usually you’ve entered at least two layers of passwords by this point (perhaps using your fingerprint or swiping rather than entering a PIN to unlock your device).

While the device unlock is important, it requires that someone actually have your device to make it useful. The second sequence, where you connect to your corporate network (or cloud provider) is much more interesting. This is where you go from giving someone access to 32GB of data on your phone to countless terabytes stored in your enterprise.

If your organization hasn’t put into place one-time tokens or two-factor authentication, you’ve potentially given a motivated attacker an easy way to get access to your network. It’s much easier to watch your screen echo your password than it ever was to watch you touch-type your password.

Where some organizations get things exceptionally wrong is by enforcing even more frequent re-authentication when the user is coming from a mobile device. The idea is that because devices can more easily be lost or stolen, it is best to ask users to re-authenticate frequently to prove that they are still in control of the device.

This particularly cruel and unusual policy not only degrades user experience and encourages people to choose easier-to-type passwords, but also subjects these passwords to more frequent exposure.

Fortunately there are better security policies and better software to make those policies work well.

What Actually Works?

The easiest solution to this problem is to use the device itself as an authentication factor. This means that a hacker needs both my password and the device in order to log in. This can be as simple as device fingerprinting and as complicated as leveraging digital certificates.

An even better solution is to move away from using any passwords in the first place, leveraging PKI and other established technology to handle the authentication between the device and the service, while using emerging technology like containerization to ensure that only appropriate applications on the device can leverage that session.

With employees bringing their own devices to work in BYOD programs, it’s very important to take an approach that focuses on applications, rather than devices. Over-hardening security at the device-level (e.g. even just to play Angry Birds), rather than just stepping up authentication when it is really needed (e.g. to view customer data), over-exposes credentials and gives users incentives to work around the inconvenience of security.
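To make the trade-off in the last few paragraphs concrete, here is an added example (not code from this post or from any Oracle product) that simulates the two policies over a constructed morning at a trade show. Policy A re-prompts for the password every 15 minutes regardless of what is requested and does not treat the device as a factor; policy B requires the password plus an enrolled device at login, keeps the session bound to that device, and only issues a step-up challenge when a sensitive resource is requested. The user, device ids, resource names and event timeline are all made up for the demo.

```python
"""Added example, not code from the original post: a toy comparison of the
two mobile authentication policies the text contrasts.

Policy A ("frequent re-auth"): the password is retyped whenever a device's
session is older than a fixed interval, however trivial the request; the
device itself is not a factor, so anyone holding the password can log in.
Policy B ("device as a factor"): login needs the password AND a device the
user enrolled, the session stays bound to that device, and only a request
for a sensitive resource triggers an extra step-up challenge.

Users, devices, resources and the event timeline are constructed for the demo.
"""
from dataclasses import dataclass

PASSWORDS = {"alice": "S3cure!pw"}               # constructed credential store
ENROLLED_DEVICES = {"alice": {"ipad-a1b2"}}      # devices alice registered
SENSITIVE = {"crm/customer-data", "hr/payroll"}  # worth a step-up; wiki/email are not

# A morning on a trade-show floor: (minute, device presenting, resource requested).
# The last event is a shoulder-surfer who learned the password but not the device.
EVENTS = [
    (0,  "ipad-a1b2", "wiki/home"),
    (5,  "ipad-a1b2", "fileshare/deck.pptx"),
    (20, "ipad-a1b2", "wiki/home"),
    (40, "ipad-a1b2", "crm/customer-data"),
    (55, "ipad-a1b2", "wiki/home"),
    (70, "ipad-a1b2", "email/inbox"),
    (90, "ipad-a1b2", "hr/payroll"),
    (95, "stranger-phone", "crm/customer-data"),
]


@dataclass
class Outcome:
    password_prompts: int = 0   # times the password was typed in public
    step_ups: int = 0           # extra challenges (PIN, fingerprint, one-time code)
    allowed: int = 0
    denied: int = 0
    attacker_allowed: bool = False


def check_password(user, password):
    return PASSWORDS.get(user) == password


def run_frequent_reauth(user, password, events=EVENTS, interval=15):
    """Policy A: per-device session that must be re-established with the
    password once it is older than `interval` minutes."""
    out = Outcome()
    session_start = {}  # device -> minute the password was last typed on it
    for minute, device, _resource in events:
        start = session_start.get(device)
        if start is None or minute - start > interval:
            out.password_prompts += 1
            if not check_password(user, password):
                out.denied += 1
                continue
            session_start[device] = minute
        out.allowed += 1
        if device not in ENROLLED_DEVICES[user]:
            out.attacker_allowed = True   # password alone was enough
    return out


def run_device_bound(user, password, events=EVENTS, step_up_window=30):
    """Policy B: password plus enrolled device at login, session bound to the
    device, step-up only for a sensitive resource when the last step-up (or
    the login itself) is older than `step_up_window` minutes."""
    out = Outcome()
    session_device = None
    last_step_up = None
    for minute, device, resource in events:
        if device not in ENROLLED_DEVICES[user]:
            out.denied += 1  # right password, wrong device: nothing to see
            continue
        if session_device is None:
            out.password_prompts += 1
            if not check_password(user, password):
                out.denied += 1
                continue
            session_device, last_step_up = device, minute
        if resource in SENSITIVE and minute - last_step_up > step_up_window:
            out.step_ups += 1
            last_step_up = minute
        out.allowed += 1
    return out


if __name__ == "__main__":
    print("frequent re-auth :", run_frequent_reauth("alice", "S3cure!pw"))
    print("device-bound     :", run_device_bound("alice", "S3cure!pw"))
```

Over the same timeline, policy A has the password typed six times on a show floor and still lets the shoulder-surfer in from their own phone, while policy B has it typed once, issues two step-up challenges (for the CRM and payroll requests) and denies the stranger's device outright.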

What about the Young Hacker?

With no shortage of hidden pride (and considering his promising future black hat career working with the LizardSquad and CryptoWall teams), I let my son know that he wasn’t allowed to do this sort of thing anymore.

Within a few days he proceeded to get my next few passwords, but “only used them to get free apps”. At this point I gave up.

About the Author


Clayton Donley is the Vice President of Product Management for Oracle’s Identity Management and Mobile Security products.
You can follow Clayton on Twitter at @cdonley.

Visit the Oracle Technology Network for more information about Oracle Identity Management Products including downloads, documentation and samples

Engage with us on Twitter @oracleidm and follow us here in the Identity Management blog.

Tuesday Jan 06, 2015

Oracle Magazine: Reducing Risk While Mastering the Digital Identity

Just released - the latest issue of Oracle Magazine is focused on security and features two great case studies you will want to share with your customers. These two stories highlight how companies are reducing risk and at the same time mastering digital identity. "Businesses need identity management systems to provide a single point of access and control while reducing costs and improving operational efficiency. Learn how two organizations are turning to the Oracle Identity Management solution to enable growth and business transformation." (Phillip Gill, Oracle Magazine, 2015)


Oracle Magazine, January - February 2015

A United Workforce
Vodafone
At Vodafone Group, the world’s second-largest telecommunications company, the first step in adapting to the mobile, social, and cloud evolution was to unite corporate identity and access management.

Empowering Customers
Electrabel
Electrabel GDF Suez, the largest supplier of electricity and gas in Belgium, is counting on identity management to help it reach out to millions of its residential customers to reduce energy consumption.

Monday Jan 05, 2015

Minecraft and Identity Management - What an Identity Management guy learned from managing a world populated by tweens and teens

Author: Clayton Donley, Vice President of Product Management, Oracle Identity Management & Mobile Security.

“Lava and TNT is covering the entire spawn, dad! Can you fix it?”

I help my 12-year-old son run a Minecraft server for his friends, as well as random strangers (500+ at last count). Players point their Minecraft game at his server and work collaboratively (or so we hope) with others to build things, chat, and otherwise have fun.

In the span of two years, there’s been a lot of learning when it comes to managing a system where the bulk of the users have pre-teen or early teen levels of maturity.

What Could Possibly Go Wrong?

Apparently on a server loaded with pre-teen users, there’s actually a LOT that can go wrong…frequently.

In addition to my Saturday mornings of cleaning up lava and TNT (CoreProtect is your friend), I’ve needed to unban dozens of legitimate users, revoke privileges from griefers who have decided to destroy parts of the world, and kill off entire populations of zombies, creepers, and other creatures that were placed with the intent to DDoS the server with lag.

While on the surface these all seem to be different problems, they all ultimately come down to the wrong people having too much access and a lack of visibility into who has access to do what.

Who can you Trust?

To be clear, this access generally started with one person (my son), but as the server grew, this power got distributed to other helpers. These helpers get roles like Admin, Mod, Builder, etc… that give them a range of powers.

Minecraft servers support a notion of privilege systems. These systems allow you to very granularly define what each of these groups has access to do. For example, the Builder role might have access to make broad changes to the world by placing blocks in bulk using WorldEdit, while users in the Mod role may have access to kick a player off the server or ban them. Figuring out which role grants access to what privileges involves manually sifting through pages of roles and permissions in a text file. Users can also have permissions that override the ones defined in their roles, or have their roles and permissions restricted to only certain worlds or regions within the server.

If you’ve ever visited a multi-player Minecraft server, you’ll notice that the chat logs are inundated with kids asking others for all kinds of elevated access. If you’ll only make them a Mod, they’ll be your friend for life, bring all their friends to your server, build great things, and help you keep everything running smoothly. They’re friends with so-and-so, who runs the biggest Minecraft server you can imagine, and she will get so-and-so to send people to your server as well.

This is all bulls***. You’re much better off giving your password to the guy on the phone claiming to be from IT or clicking a phishing link.

Apparently, when kids hear this kind of thing, they start giving everyone crazy levels of access without considering the consequences. At one point when things were particularly out of control on the server, I audited user permissions and found that approximately half the active users had some level of privileged access. There was actually a network effect of kids giving it to other kids.

To make things worse, plugins all have their own permissions. Some of these permissions are quite powerful and allow players to change large parts of the world. It’s not always obvious when such privileges have been granted until they are granted to the wrong people — who then take advantage of it.

Who is this Really?

The Minecraft game itself costs money (~$27). Many families buy a single copy that gets shared by everyone in the family. Some kids even share their software with other friends that may not have bought a copy. All of this is done by sharing a single Minecraft login/password.

This means that even if you’ve got a great contributor who is building great things and interacting with a level of maturity well beyond their years…five minutes later a completely different kid could be accessing your server with the exact same account…and this kid could be a disaster!

Not only that, but nearly everyone who does something bad to your server will claim that it was not really them that did it at all…but their terrible brother/sister/friend/etc… Hackers are frequently invoked. Those of you with multiple kids (or dysfunctional teams) know exactly what I’m talking about.

It’s like asking who left up the toilet seat or ate the last cookie — maybe a ghost?

Regardless of who did it, the damage is done and you’re left cleaning up the mess.

Enterprise Software is Different, Right?

Your typical enterprise is running hundreds or thousands of applications. Each of these systems also has roles and permissions that determine who gets access to which data or functions. Ideally, the security on these systems is being managed in a way that is different from the way my son runs his Minecraft server.

IT and the business need to understand some fundamental things about the users of mission critical systems:

  • Who has access to which systems, functionality, and data?
  • How is this access requested and approved?
  • Who is certifying that this access continues to be appropriate?
  • What users have toxic permission combinations (e.g. create/pay their own POs)?
  • Who has highly privileged access (e.g. super-user) and what are they doing with it?
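The permission audit described for the Minecraft server (roles that inherit from other roles, per-user overrides, and the question of how many users are actually privileged) and the enterprise questions in the list above are the same computation. The following added example, which is not code from this post nor from any permissions plugin, resolves effective permissions from a constructed role/override structure and answers "who is privileged" and "who holds a toxic combination". Role names, permission nodes (including `log.rollback`) and users are invented for the demo; real permission plugins keep this in their own text or YAML files.

```python
"""Added example (constructed data, not a real plugin's format): resolve who
effectively holds which permission when roles inherit from other roles and
users carry per-user overrides, then answer the audit questions from the
text: who is privileged, and who holds a toxic combination of rights."""

# Role -> roles it inherits and the permission nodes it grants.
ROLES = {
    "default": {"inherits": [], "perms": ["chat.send", "build.place"]},
    "builder": {"inherits": ["default"], "perms": ["worldedit.region", "worldedit.fill"]},
    "mod":     {"inherits": ["default"], "perms": ["server.kick", "server.ban"]},
    "admin":   {"inherits": ["mod", "builder"], "perms": ["server.op", "log.rollback"]},
}

# User -> roles plus overrides; a node prefixed with "-" is an explicit deny.
USERS = {
    "alice": {"roles": ["builder"], "overrides": []},
    "bob":   {"roles": ["default"], "overrides": ["server.kick"]},   # hand-granted, no role
    "carol": {"roles": ["admin"],   "overrides": ["-server.ban"]},   # role grant overridden
    "dave":  {"roles": ["mod", "builder"], "overrides": ["log.rollback"]},
    "erin":  {"roles": ["default"], "overrides": []},
}

PRIVILEGED = {"server.op", "server.ban", "server.kick", "log.rollback"}

# Separation-of-duties style rule: mass world changes plus the ability to
# roll back (erase) the audit log should not sit with one user.
TOXIC = [({"worldedit.fill", "log.rollback"}, "can wreck the world and erase the evidence")]


def role_permissions(role, roles=ROLES, _seen=None):
    """Permissions granted by a role including everything it inherits.
    Guards against inheritance cycles, which hand-edited files do contain."""
    _seen = set() if _seen is None else _seen
    if role in _seen:
        return set()
    _seen.add(role)
    perms = set(roles[role]["perms"])
    for parent in roles[role]["inherits"]:
        perms |= role_permissions(parent, roles, _seen)
    return perms


def effective_permissions(user, users=USERS, roles=ROLES):
    """Union of the user's roles, then overrides: a plain node grants, a
    '-' node denies and wins over any role grant."""
    perms = set()
    for role in users[user]["roles"]:
        perms |= role_permissions(role, roles)
    for node in users[user]["overrides"]:
        if node.startswith("-"):
            perms.discard(node[1:])
        else:
            perms.add(node)
    return perms


def privileged_users(users=USERS, roles=ROLES, privileged=PRIVILEGED):
    """Who holds any privileged node, and which ones."""
    report = {}
    for user in users:
        held = effective_permissions(user, users, roles) & privileged
        if held:
            report[user] = sorted(held)
    return report


def privileged_share(users=USERS, roles=ROLES, privileged=PRIVILEGED):
    """Fraction of users with some privileged access (the 'half the active
    users' number from the text)."""
    return len(privileged_users(users, roles, privileged)) / len(users)


def toxic_holders(users=USERS, roles=ROLES, toxic=TOXIC):
    """Users whose effective permissions contain a forbidden combination."""
    return {user: why
            for user in users
            for combo, why in toxic
            if combo <= effective_permissions(user, users, roles)}


if __name__ == "__main__":
    for user in USERS:
        print(f"{user:6} {sorted(effective_permissions(user))}")
    print("privileged:", privileged_users())
    print(f"share: {privileged_share():.0%}")
    print("toxic:", toxic_holders())
```

Note that bob shows up as privileged although no role gives him `server.kick` (a one-off grant), carol loses `server.ban` through her deny override despite the Admin role, and the toxic-combination check catches dave, whose rights came from two ordinary roles plus one extra grant rather than from any single powerful role.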

This is where Identity Governance comes into play.

Identity Governance solutions connect to various systems in the enterprise to manage accounts, roles, and entitlements for users.

When an employee joins the company, they get a standard set of privileges for their role in the enterprise. This might be things like sending email or submitting expense reports. Additional privileges can be easily requested and approved as appropriate by the business and IT. Finally, when an employee leaves the company, their accounts and privileges are centrally revoked across all of these systems.

Lack of proper controls opens enterprise applications to various insider threats. Additionally, over-privileged accounts are a goldmine for hackers that have already gained basic access via common attacks like phishing and malware.

Avoiding Lava and TNT

Hooking up an Identity Governance solution to a Minecraft server is a bit overkill — though don’t think I didn’t consider it.

Instead, I simply went user-by-user, role-by-role to limit everyone’s access to the bare minimum. We then selected a few users that would be given the ability to do more privileged things, but didn’t allow these users to further delegate their privileges. Additional plugins were added that allow for tracking and rollback if these permissions were abused (similar to privileged session recording).

Cleaning things up with 500 users in a half-dozen roles on a single, relatively simple system took several hours.

Scaling this manual process up to tens of thousands of users, thousands of roles, and hundreds of systems without the benefit of automation would have been completely impossible without cutting corners and reducing overall security.

That said, in the case of the Minecraft server, this significantly improved the stability of the server and eliminated some of the large-scale griefing that was taking place.


Wednesday Dec 03, 2014

Drivers for Identity and Access Management in Today's Businesses

Author: Paul Toal

Most organizations know from experience that Identity and Access Management isn’t a project, but more of a multi-phase, multi-year programme. Those who treat it as a single project, or even worse, as a milestone deliverable within another project (e.g. delivering a new business application) will be destined to fail. However, it is typically individual projects that surface the need for IAM and are forced to implement tactical fixes whilst the organization catches up with a more strategic solution. It is easy to see the challenges that individual projects face. No project sponsor wants to foot the bill for an enterprise-wide IAM platform, just to deliver the subset of capabilities they need. On the flipside, it is often difficult to get sufficient buy-in at the board level to invest in a strategic IAM platform. Implementing such a platform is often seen as a cost with very little ROI.

However, that is no longer the case. The days of committing to a lengthy and costly IAM programme with very little return are gone. Let’s look at the evolution of IAM business cases in relation to IT security as a whole.

Fear

Anyone who has worked in IT security for any length of time will be more than familiar with this approach. Vendors used to sell IT security-related products on fear. IT departments then used the same approach with their investment boards. Pick the worst case scenario of what would happen if you didn’t have a particular IT security product (e.g. firewall) and convince the business that the scenario is highly likely and therefore they absolutely must invest in the project. This approach worked well in the early days when threats on the internet weren’t as well understood and many organizations didn’t take a risk management approach to handling IT security. As use of the internet for business increased and the risks were better understood, the approach of selling on fear started to wane, coupled with the fact that this approach also had very little demonstrable ROI.

Enablement

As businesses started pushing back against throwing endless pots of money at IT security with very little to show for it, the industry needed to evolve. By now, use of the internet for business was widespread and organizations were looking at how to take advantage of this shift to online business. As part of this shift, businesses realized that the foundation of any online business is security, and closely related to that, identity. For a company looking to deploy, for example, an eCommerce platform or online banking, how could this possibly be done unless it was secure? Also, how could online services be provided to consumers unless you know who the consumer is? Once you know their identity and they have proven ownership of that identity (authentication), you can provide them with the right services (authorization) to meet their needs.

The approach of deploying IAM as a business enabler has been key to obtaining investment from the business. We also know from our everyday experience that there is real ROI associated with this approach. Using the online channel, as end-users, we are transacting more money online than ever before. For many people, the online channel is the first, and preferred channel of engagement. Indeed, it can also be a differentiator when you are looking for a company to provide a service to you. For example, positive answers to questions such as “Can I manage my accounts online?” can set one business apart from its competitors.

For a lot of organizations, identity as an enabler is still the business justification for investing in IAM. However, there are a number of drivers within the industry today that are enabling IAM business cases to evolve further.

User Experience

There are many organizations that already offer a strong online presence and online catalog of services for their customers. However, just having these online capabilities is no longer good enough. With the shift of users from laptops and desktops to mobiles and tablets, the expectations around user experience are driving IAM to a new level and forcing organizations to evolve. Consumers have come to expect slick and personalized user experiences whether they are an employee or a customer. What is going to set an organization apart from its competitors isn’t whether they have an online presence, but what the experience for the end user is like. For example, does the company have a mobile application? Is it easy to use? Can it provide me with all the information and services that I need in an intuitive way? There are so many mobile applications on the market today that users know what a good application looks like. They are not prepared to spend hours learning what they must do. If the app isn’t intuitive enough within a couple of minutes, it is easy for the user to delete it and find a different company that provides a better app and user experience.

IAM plays a crucial role within this evolution. We know from the enablement business cases discussed above, that knowing the user is key to providing them with services. However, looking at user experience, IAM also provides a key set of services. Take these examples: 

Social login – Mobiles and tablets are great devices for many things, but filling in long forms with lots of fields (e.g. username, first name, last name, email, etc.) isn’t one of them. However, user registration is one of the key elements of a mobile application. If you can’t get your user up and running with your mobile app easily and quickly, it will be deleted. Enabling customers to register from their social network, such as Facebook, Google+, etc., is a great solution to this. However, integrating with lots of social networks can be a painful and time-consuming coding exercise for an application developer. Fortunately, a good IAM platform will take that pain away for you, turning social network integration into a configuration rather than a coding exercise.

Step-up authentication – So, now your user has registered and logged into your app from a social network, now what? Well, that level of trust may be good enough to access some basic information, but you aren’t going to let a user manage their bank account (I hope) purely based on a social login. A good IAM platform will enable you to understand the level of trust a user has at any point in time and, when necessary, step up their level of trust with an additional challenge. This should be flexible but could include options such as issuing a challenge question or using a one-time passcode.

Multi-channel Single Sign-on – In modern development, the ‘constant beta’ approach, with its focus on rapid application development and short release cycles, is very popular. Therefore, it is not always necessary or desirable to implement all of the information and services that are available on the website within the mobile app. This isn’t a problem because you can always drop out of the application into a web browser on the device, or even present web content within your mobile application. However, you need to ensure that you maintain the user experience. Users have enjoyed SSO in the web channel for a long time and they expect no less in the mobile channel. Therefore, flows like the one below are unacceptable to users (and so they should be):

A good IAM platform will enable SSO not just within a single channel, i.e. between multiple mobile applications, but also across channels, e.g. between a native app and a browser-based application, so that the user experience is maintained.
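As an added illustration of the native-app-to-browser case (this is one common hand-off pattern written for this page, not Oracle's implementation or a description of how its platform does it), the exchange below lets the app send the user into the browser without ever giving the browser the app's own session token: the app asks the server for a short-lived, single-use hand-off code, opens the web URL with that code, and the browser redeems it for a web session carrying the same user and trust level. The server class, the `example.test` URL in the comments and the fake clock are constructed for the demo.

```python
"""Added example of a cross-channel SSO hand-off (illustrative pattern; not
Oracle's implementation):

  app     -> server : "give me a hand-off code for my session"
  server  -> app    : short-lived, single-use code
  app     -> browser: opens https://example.test/sso?code=<code>   (URL constructed)
  browser -> server : redeems the code
  server  -> browser: its own web session cookie for the same user

A fake clock is injected so expiry can be demonstrated deterministically."""
import secrets


class SsoServer:
    def __init__(self, clock):
        self.clock = clock          # callable returning seconds
        self.app_sessions = {}      # app token  -> {"user": ..., "level": ...}
        self.handoffs = {}          # code       -> {"token": ..., "expires": ...}
        self.web_sessions = {}      # web cookie -> {"user": ..., "level": ...}

    def app_login(self, user, level):
        """Native app authenticates; `level` records how strongly (e.g. 1 = social login)."""
        token = secrets.token_urlsafe(24)
        self.app_sessions[token] = {"user": user, "level": level}
        return token

    def issue_handoff(self, app_token, ttl_seconds=60):
        """Only a live app session can mint a code; the code, never the token, leaves the app."""
        if app_token not in self.app_sessions:
            raise PermissionError("unknown app session")
        code = secrets.token_urlsafe(24)
        self.handoffs[code] = {"token": app_token, "expires": self.clock() + ttl_seconds}
        return code

    def redeem_handoff(self, code):
        """Browser side: one redemption per code, within its lifetime."""
        entry = self.handoffs.pop(code, None)   # pop first: a replayed code is already gone
        if entry is None:
            raise PermissionError("unknown or already used hand-off code")
        if self.clock() > entry["expires"]:
            raise PermissionError("hand-off code expired")
        session = self.app_sessions.get(entry["token"])
        if session is None:
            raise PermissionError("app session no longer valid")
        cookie = secrets.token_urlsafe(24)
        self.web_sessions[cookie] = dict(session)   # web channel inherits user and trust level
        return cookie


class FakeClock:
    """Constructed clock so the demo can advance time explicitly."""
    def __init__(self, now=1_000.0):
        self.now = now

    def __call__(self):
        return self.now


def handoff_roundtrip():
    """Happy path: returns the web session the browser ends up with."""
    server = SsoServer(FakeClock())
    token = server.app_login("alice", level=1)
    code = server.issue_handoff(token)
    cookie = server.redeem_handoff(code)
    return server.web_sessions[cookie]


def replay_is_rejected():
    """A code presented twice (e.g. copied from a URL) fails the second time."""
    server = SsoServer(FakeClock())
    code = server.issue_handoff(server.app_login("alice", 1))
    server.redeem_handoff(code)
    try:
        server.redeem_handoff(code)
    except PermissionError:
        return True
    return False


def expired_is_rejected():
    """A code redeemed after its 60-second lifetime fails."""
    clock = FakeClock()
    server = SsoServer(clock)
    code = server.issue_handoff(server.app_login("alice", 1))
    clock.now += 61
    try:
        server.redeem_handoff(code)
    except PermissionError:
        return True
    return False
```

The trust level travels with the hand-off, so a web page reached this way knows the user only has a social-login level of assurance and can apply the same step-up rules the native app would.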

If you are looking for an IAM solution that can address all of the above requirements as well as provide a single, integrated platform for addressing all of your IAM needs, both internally and externally, the Oracle IAM platform is a great option. Whether you are looking to deploy it on-premise or within the cloud, Oracle can help you realize your IAM strategy with its market-leading solutions.

To summarise, it’s not just about user experience. IAM helps many organizations to meet their legal and regulatory requirements. However, in today’s rapidly evolving IT world, we need to look at how IAM can be used, not only as an enabler, but as a differentiator by delivering improved user experience, thus taking it from a pure cost to the business to one that has a demonstrable ROI.

About the Author


Paul Toal is a very passionate and capable IT security consultant specialising in the field of Information Security. He has worked in IT for over 20 years and built up a wide-ranging and in-depth portfolio of knowledge and skills. Equally comfortable talking to C-level execs or technical experts, Paul has worked in both pre-sales and consulting delivery roles covering everything from writing business cases, high-level requirements capturing and solution architecture, through to delivery, training and post-sales support. In addition, he has also been an integral part of designing the UK’s citizen Identity Assurance framework, “Gov.UK Verify”, where he was one of the original authors of the technical specification.
Paul can be reached via LinkedIn
Extend your Security Platform to enable secure, mobile access.
Paul will be speaking at the UKOUG Technology Conference & Exhibition: Dec 8-10, 2014, at the ACC in Liverpool. Find out how you can secure your mobile workforce to enable BYOD strategies.





Wednesday Oct 22, 2014

Disconnected Application Framework in OIM 11g R2 PS1

Infosys Limited (NYSE:INFY) is a global leader in technology, consulting and services and an Oracle (Diamond) Partner that has graciously agreed to present on best practices garnered from experience working on large enterprise Identity Management (IDM) deployments in a four-part series hosted here in the Identity Management Blog. In this part 2 of the four-part series, Infosys shares its experience with the disconnected application framework for implementing manual provisioning for a large set of applications in Oracle Identity Manager 11g R2 PS1.

In our first blog, we discussed the need to build an abstraction layer to allow for consolidation of identity, account and access information from Oracle Identity Manager (OIM) and other enterprise sources. In this second edition, we continue exploring the theme of how organizations can earn an accelerated ROI from the new IDM infrastructure by adopting the “Disconnected Application framework”.

Introduction to Disconnected Application Framework in OIM

The first step of introducing an enterprise IDM solution is to build an identity warehouse by reconciling identity sources and key target systems. This is followed by use case deployments like password management, automated provisioning/de-provisioning to platforms, access certifications, etc. These features allow the organizations to make big strides and provide much needed relief to the administration side of identity management operations and compliance teams.
For the lines of business though, automating the access provisioning/de-provisioning of applications holds the key to achieving the desired efficiency of identity management as well as a reduction in the costs associated with manual provisioning. However, it takes time and effort to fully automate provisioning/de-provisioning to the hundreds of applications in the enterprise ecosystem. Although this might sound a little discouraging for enterprise leaders and architects, there is a middle way to handle the above scenario.

In order to achieve the desired ROI of implementing an integrated IDM solution, Infosys recommends a hybrid model for implementing application provisioning. In our approach, we ask architects and business owners to participate in an application profiling exercise that involves rating of applications across a range of criteria. The questionnaire includes parameters around application criticality, compliance needs, required speed and complexity of provisioning & de-provisioning, complexity of approval workflow, availability of out-of-box integrations etc. The profiling exercise provides the team with a list of potential automation candidates as well as a list of applications that can be onboarded for manual provisioning. Nonetheless, as an IDM integrator, we maintain the focus on providing the key benefits of the IDM solution to the organization for both automated and manual application provisioning.

Key Benefits of Application Integration with an IDM Solution:

  • Speedy/efficient, centralized and secure provisioning processes
  • Scalable provisioning model
  • Compliance adherent application model

In this blog we will focus on the ‘Disconnected Application Framework’ in OIM, which can be leveraged by enterprises to easily integrate a large number of applications for manual provisioning. We will also present the high-level process that should be followed while using the framework. This process evolved from our recent experience of integrating hundreds of applications in OIM 11g R2 PS1 for manual provisioning at a large enterprise.

In earlier versions of OIM, one had to explicitly create a custom resource object and associated connector artifacts, and use manual tasks for each application to assign work to application administrators for manual provisioning. It was effort intensive and had its own limitations. OIM 11g R2 offers the concept of a disconnected resource/application for easier integration of applications for manual provisioning. This feature leverages existing OIM provisioning components like the resource object, provisioning process, provisioning form, etc., while providing seamless integration with the SOA engine for the manual provisioning workflow. The ‘disconnected application framework’ in OIM provides browser-based creation, configuration and administration of application instances to integrate applications that do not have connectors for automated provisioning.
Here is a list of advantages of the ‘Disconnected Application Framework’:

  • Easy creation, configuration and administration of application instances
  • Browser based application form UI customizations
  • Automated backend creation of underlying connector objects

How to create a single disconnected application?

In one of our recent large scale IDM implementations we had to integrate 150+ applications for manual provisioning with OIM 11g R2 PS1 in a short span of time. During the integration, we noticed that the process of creating and configuring one disconnected application is simple.
High Level process of creating a disconnected application instance:
Steps on OIM Admin Interface

  • Create a Sandbox
  • Create an application instance by selecting the “Disconnected” checkbox in the application instance form
  • Create the application instance form
  • Export the Sandbox as zip file for backup
  • Publish the Sandbox

Steps on OIM End User Interface

  • Create a Sandbox
  • Search and select the application in the catalog
  • Perform any UI level customizations required for the application instance form

A Sandbox in OIM isolates the customizations made by analysts at runtime, so that an analyst can work on customizations without affecting the experience of other analysts until the Sandbox is published.
As shown in Figure 1 (Application Instance Artifacts) below, on the surface we deal only with the Sandbox to create disconnected application instances. In the background OIM automatically creates the connector objects that the application needs. These connector objects are created directly in the database, even without publishing the Sandbox, and are not stored in the exported Sandbox zip file.


Figure 1. Application Instance Artifacts

How does the sandbox feature work in OIM 11g?

The Sandbox feature in OIM 11g works similarly to a typical versioning system, with one distinction. Every time a Sandbox is created, a separate copy of the underlying artifact(s) is created from the mainline, and all customizations performed within the Sandbox are contained within the ‘copy’ artifact(s) created for that Sandbox.
The distinction of Sandbox from a versioning system is that whenever a Sandbox is published, the artifact(s) in the mainline are overwritten with the ‘copy’ artifacts from the Sandbox instead of merging the changes. This behavior of the Sandbox poses a challenge if you want to create application instances in parallel.
A typical idea for accelerating the creation of disconnected application instances is to distribute the applications among a team of analysts who create them in parallel in the OIM 11g development environment.
However, in this scenario, where analysts create their own Sandboxes to work in parallel, each time an analyst publishes their Sandbox it overwrites all customizations published by previous analysts. This results in errors related to missing view objects in the UI when requesting the applications in the Catalog.

How to scale the framework for integrating a large number of applications?

To resolve the issues that can arise from concurrent application instance creations as explained above, we have come up with best practices that can be followed:

  • In a single development environment, create and publish applications in sequence. Because each published Sandbox overwrites the files published before it, parallel work gains no economies of scale. Slow and steady wins the race here.
  • If you have the luxury of multiple development environments, then create applications in parallel on these separate environments and combine them while migrating to higher environments. Utmost care is needed when combining the applications.
  • Instead of creating all applications in one sandbox, it is good practice to create a separate sandbox for each application
  • Once a sandbox is published, it cannot be exported. As a best practice, export and save the sandbox before publishing it, with a naming convention capturing the application name, time stamp and version

Migrating disconnected applications between environments

Once disconnected applications are created and tested in a lower environment, the next step is to migrate these applications to a higher environment. Migrating an application from one environment to another involves exporting and importing of Sandbox and connector objects.


Note: While migrating application instances, when you import the Sandbox from one environment to another, the files in the Sandbox (BizEditorBundle.xlf and CatalogAM.xml) from the source environment will overwrite the files in the target/destination environment. It is necessary to merge the changes from the source environment Sandbox files into the destination environment Sandbox files.

Process for migration of applications from source to destination environment:

Step 1: Export application artifacts from source environment

We recommend that these steps be repeated for each application to be migrated.

  1. Using Deployment Manager, export the Application Instance corresponding to an application along with its dependencies and save it as a file (e.g. App1_instance_source.xml). Examples of dependencies: Resource, Process Form, Process, IT Resource Definition, IT Resource, Lookup
  2. Using Deployment Manager, export the Request Dataset corresponding to the application and save it to a file (e.g. App1_Req_Dataset_source.xml)
  3. Get the Sandbox zip file that was exported before publishing in the source environment (e.g. App1_Sandbox_source.zip)

Step 2: Extracting and preparing destination artifacts

The following steps are completed in the destination environment in preparation for merging the Sandbox artifact changes from the lower environment.

  1. Backup the complete Metadata Services (MDS)
  2. Get the latest version of the BizEditorBundle.xlf and CatalogAM.xml files from the destination:
    1. Method 1: Create a dummy Sandbox and create a dummy application
    2. Method 2: Create a dummy Sandbox and edit an existing application instance with a very minor change

    Either method brings the latest version of the BizEditorBundle.xlf and CatalogAM.xml files from the destination into your dummy Sandbox.

  3. Export the Sandbox (e.g. Destination_DummyApp_Sandbox.zip)
  4. Publish the Sandbox created above
  5. Copy and extract the Sandbox zip file (Destination_DummyApp_Sandbox.zip) to a folder on a machine from which you can access OIM admin interface of the destination environment

Let us call it Master_Sandbox_Destination folder.

Step 3: Importing Applications in the destination environment

Repeat the steps below to migrate each application exported from the source environment in Step 1:

i. Using Deployment Manager import the application instance xml file (App1_instance_source.xml) followed by import of the request dataset xml file (App1_Req_Dataset_source.xml) exported from the source environment in Step 1
ii. Extract the application Sandbox zip from the source environment of Step 1 (App1_Sandbox_source.zip)


a. Open xliffBundles\oracle\iam\ui\runtime\BizEditorBundle.xlf, copy the elements corresponding to the application being migrated and merge them into the BizEditorBundle.xlf in the Sandbox zip file extracted from the destination environment (i.e. the Master_Sandbox_Destination folder). Look for the ‘trans-unit’ elements that carry the application instance form name of the application being migrated. The first such element always corresponds to the ITResource. Below is an example


b. Open persdef\oracle\iam\ui\catalog\model\am\mdssys\cust\site\site\CatalogAM.xml, copy the elements corresponding to the application being migrated and merge them into the CatalogAM.xml in the Sandbox zip file extracted from the destination environment (i.e. the Master_Sandbox_Destination folder). Look for the <mds:insert> elements that carry the application instance form name of the application being migrated


iii. Zip the Master_Sandbox_Destination folder and import it into the destination environment using the Sandbox manager in the OIM sysadmin console
iv. Publish the Sandbox imported in the above sub-step
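As an added example (not code from the original post or from OIM itself), the following Python script performs the merge of sub-steps ii.a and ii.b for one application: it copies only the elements that mention the application instance form name, and never overwrites an element the destination already has. The XLIFF and MDS layouts, the form name App1Form and the element names are simplified, constructed samples.

```python
# Added example, not part of the original post: merge the application-specific
# elements from a source-environment Sandbox into the destination "master"
# Sandbox files (Step 3, sub-steps ii.a and ii.b). The file layouts below are
# simplified, constructed samples, not copies of real OIM exports.
import xml.etree.ElementTree as ET

XLIFF_NS = "urn:oasis:names:tc:xliff:document:1.1"
MDS_NS = "http://xmlns.oracle.com/mds"
ET.register_namespace("", XLIFF_NS)   # keep XLIFF output free of ns0: prefixes
ET.register_namespace("mds", MDS_NS)  # keep the mds: prefix on output


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _key(el):
    """Identity used to detect elements already present in the destination:
    the id attribute when there is one (trans-unit), otherwise the
    whitespace-normalised serialisation (mds:insert carries no id)."""
    return el.get("id") or " ".join(ET.tostring(el, encoding="unicode").split())


def merge_app_elements(src_xml, dst_xml, form_name, child_tag, parent_tag):
    """Copy every <child_tag> element of src_xml that mentions form_name into
    the first <parent_tag> of dst_xml, skipping elements already present.
    Returns (merged_xml, number_of_elements_added)."""
    src = ET.fromstring(src_xml)
    dst = ET.fromstring(dst_xml)
    parent = next((el for el in dst.iter() if _local(el.tag) == parent_tag), None)
    if parent is None:
        raise ValueError(f"destination file has no <{parent_tag}> element")
    existing = {_key(el) for el in dst.iter() if _local(el.tag) == child_tag}
    added = 0
    for el in list(src.iter()):
        if _local(el.tag) != child_tag:
            continue
        if form_name not in ET.tostring(el, encoding="unicode"):
            continue  # belongs to another application, leave it out
        key = _key(el)
        if key in existing:
            continue  # destination already has it, never overwrite
        parent.append(el)
        existing.add(key)
        added += 1
    return ET.tostring(dst, encoding="unicode"), added


def merge_biz_editor_bundle(src_xlf, dst_xlf, form_name):
    """Sub-step ii.a: merge the application's trans-unit elements."""
    return merge_app_elements(src_xlf, dst_xlf, form_name, "trans-unit", "body")


def merge_catalog_am(src_xml, dst_xml, form_name):
    """Sub-step ii.b: merge the application's mds:insert elements."""
    return merge_app_elements(src_xml, dst_xml, form_name, "insert", "customization")


# Constructed sample: source Sandbox BizEditorBundle.xlf holding two applications.
SRC_XLF = """<xliff version="1.1" xmlns="urn:oasis:names:tc:xliff:document:1.1">
  <file source-language="en" original="BizEditorBundle" datatype="x-oracle-adf"><body>
    <trans-unit id="App1Form__c_itresource"><source>App1 IT Resource</source></trans-unit>
    <trans-unit id="App1Form__c_login"><source>App1 Login</source></trans-unit>
    <trans-unit id="App2Form__c_login"><source>App2 Login</source></trans-unit>
  </body></file>
</xliff>"""

# Constructed sample: destination master Sandbox already holds App0 and, from an
# earlier partial import, the App1 IT resource label.
DST_XLF = """<xliff version="1.1" xmlns="urn:oasis:names:tc:xliff:document:1.1">
  <file source-language="en" original="BizEditorBundle" datatype="x-oracle-adf"><body>
    <trans-unit id="App0Form__c_login"><source>App0 Login</source></trans-unit>
    <trans-unit id="App1Form__c_itresource"><source>App1 IT Resource</source></trans-unit>
  </body></file>
</xliff>"""

# Constructed sample: simplified CatalogAM.xml customizations, source and destination.
SRC_CATALOG = """<mds:customization xmlns:mds="http://xmlns.oracle.com/mds">
  <mds:insert parent="CatalogAM" position="last"><ViewUsage Name="App1Form_VO"/></mds:insert>
  <mds:insert parent="CatalogAM" position="last"><ViewUsage Name="App2Form_VO"/></mds:insert>
</mds:customization>"""

DST_CATALOG = """<mds:customization xmlns:mds="http://xmlns.oracle.com/mds">
  <mds:insert parent="CatalogAM" position="last"><ViewUsage Name="App0Form_VO"/></mds:insert>
</mds:customization>"""

if __name__ == "__main__":
    xlf, n = merge_biz_editor_bundle(SRC_XLF, DST_XLF, "App1Form")
    print(f"BizEditorBundle.xlf: {n} trans-unit element(s) added")
    cat, m = merge_catalog_am(SRC_CATALOG, DST_CATALOG, "App1Form")
    print(f"CatalogAM.xml: {m} mds:insert element(s) added")
```

Running the merge a second time on its own output adds nothing, so the script can safely be re-run per application while building up the master Sandbox.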

The above process represents the steps to be followed for one application and can easily be replicated for a large set of applications. To expedite the process, we have created custom accelerators to automate the integration of applications in batches.

To Conclude

The ‘Disconnected Application Framework’ in OIM 11g can be leveraged to quickly integrate applications for manual provisioning. However, with a large number of applications to be integrated in a short span of time, creating and migrating the applications between environments can become a challenge without forethought and planning. Following the process described above allowed us to avert most of the challenges and achieve a smooth application integration.

Coming in the next post:

While we all understand that the OIM solution holds the keys to the security kingdom of an enterprise, there is a growing need to ensure that your OIM deployment is itself secure, given the ever increasing rate of insider threats. One way to secure all communication channels to and from OIM is via SSL. It is common practice in enterprise class deployments for OIM to be front-ended by a web server/load balancer. While the communication between end users and the web server/load balancer is typically secured via SSL, securing the channel between OIM and the web server/load balancer or SOA is sometimes overlooked.
In our next post we share our experience with implementing SSL between OIM and load balancer & SOA in one of our recent implementations of OIM 11g R2 PS1, challenges to expect and relevant resolutions.

About the Author


Rajesh Gaddam is a Senior Technology Architect with the Enterprise Security & Risk Management (ESRM) practice at Infosys Limited. He has over 10 years of experience in architecting, designing and implementing IAM solutions for multiple clients from different verticals.
Rajesh can be reached via LinkedIn

Wednesday Oct 15, 2014

Design Considerations: Implementing Oracle Identity Management for large enterprises

Infosys Limited (NYSE:INFY) is a global leader in technology, consulting and services and an Oracle Diamond Partner that has graciously agreed to present on best practices garnered from experience working on Large Enterprise Identity Management deployments in a four part series hosted here in the Oracle Identity Management Blog.

Large Enterprises: Large Challenges

During the course of deploying Oracle Identity Management suite for various large enterprises, the Infosys Enterprise Security & Risk Management (ESRM) technology team has identified a few typical organizational scenarios:

  • Oracle Identity Manager (OIM) version upgrades
  • OIM deployments for Organizations with existing custom user request Interfaces
  • Migration from other Identity Management products to OIM
  • Coexistence of OIM with another Identity Management product
  • Upgrades to request interface of OIM

While some organizations implement the end-to-end product suite of OIM, others replace specific parts of the Identity Management solution of the enterprise with matching modules of OIM suite.

Provided by security engineers from the Infosys ESRM team, this four part blog series will serve as an overview of design considerations on the following topics:

  • The importance of an abstraction layer
  • Disconnected application framework
  • Implementing SSL within layers of Oracle Identity Manager
  • Introducing Roles in an Enterprise

In this first of the four part series, we will discuss the need to build an intermediate or abstraction layer to allow for consolidation of identity, account and access information from OIM and other enterprise sources.

The importance of an abstraction layer

Infosys follows its proven “Accelerated Integration Methodology” (AIM) for rolling out Identity Management components. It consists of four phases:

  • “Envision” phase: Strategy of deploying the Identity Management capabilities are finalized
  • “Enable” phase: Core Identity Management components are deployed
  • “Empower” phase: Additional capabilities like Single Sign On, Fine Grained Authorization and Role Based Access are enabled
  • “Extend” phase: Extending the identities across organizational barriers using federation

The “envision” state of an Identity and Access Management program is the initial phase where the Enterprise Security team finalizes the approach to consolidate the identities and accounts across the enterprise and provide the lifecycle flow of identities to various target platforms and applications. The detailed analysis of the existing Identity Management practices sometimes reveals patterns of applications and interfaces accessing the enterprise identity sources directly and business validations and decisions embedded in the applications. This leads to duplication of logic and usage of outdated identity and account information across enterprise systems.

After introducing OIM to consolidate identities and accounts, updating the existing applications to use the identity and account data provided by OIM is time consuming. To ease the situation, the organization can plan a “co-existence phase” during which the older IDM processes exist side by side with the new IDM infrastructure. But the co-existence phase leads to some interesting challenges. For example, in some cases organizations maintain multiple request and provisioning systems due to legacy issues, which creates a need to track the status of one access request across multiple provisioning engines beyond the migration project. After reaching steady state, the organization will have OIM as its only identity management tool.

These scenarios require an abstraction layer to be created on top of OIM for both provisioning and data services. This layer can then expose the OIM identity and account data and even data from outside OIM (which doesn’t need to be consolidated in OIM) in a consistent and faster way to all interfacing applications. This can also provide an interface where any new access can be added or modified on the connected targets using OIM.

An “Abstraction Layer” by definition hides the details of the implementation while exposing a secure and simple interface for identity and account data to outside systems or even to OIM forms. It also provides an interface to manage request submission and status retrieval use cases across multiple request and provisioning systems. It provides a platform to consolidate business decisions and a common interface that can be consumed by many applications. Even though standards and specifications are available in the market, we suggest analyzing the possibility of building a service that is consistent with the long term strategy of the enterprise.

So, how can this be achieved, and how does it help?

Creating an additional layer can be a challenging process. We have to build an “Enterprise Identity and Account Services” layer that can receive requests from multiple systems and query OIM data and other system data on behalf of applications and platforms.
It should be simple and scalable, servicing requests in a fast and secure way. It should also provide different types of interfaces (web services, database tables, etc.) for the wide variety of systems that need to be serviced. It requires careful analysis of what data is available in OIM, what needs to be fetched from outside OIM, and how frequently these updates should be made. And it should also pave the way for creating a single source of identity, account and governance data.

There can be multiple methods and interfaces created as part of this exercise. Drawing from the Infosys ESRM team's experience, we recommend having these services grouped under the following four categories.

  • User and Account data services: Services to expose the user, account and attribute information
  • Provisioning Services: Services to create/update/delete/enable/disable the accounts and users
  • Audit Services: Account and User Request / Entitlement history services
  • Governance Services: Access certification data services

Although provisioning systems like OIM and user repositories like LDAP provide native APIs to access all the information, the key in large enterprise Identity Management implementations is to provide usage-agnostic consolidated data services without compromising the security aspects of such data access and usage. Simple but critical requests like “get all service accounts owned by a user” or “get all access which were not assigned through a role” etc. can be easily exposed by building the right interfaces.

In addition to the above use cases, we have also come across enterprises that use OIM along with other IDM tools. In such cases, the user access requests have to be split across multiple provisioning systems but the status has to be tracked by a single request key in OIM. We’ve implemented such requirements by consolidating the provisioning services provided by underlying provisioning engines in the abstraction layer. The request system remains completely agnostic to the provisioning process and the systems involved in granting the access.

Reference Architecture: Abstraction Layer Implementation for Enterprise IDM

There are also access certification use cases where the closed loop compliance can be achieved using the services provided by abstraction layer. It can be used to submit access request, manage the access provisioning, track the request lifecycle, retrieve certification data and revoke unwanted access. The layer can service audit needs by exposing access history information to disparate enterprise audit tools.

In Conclusion

While embarking on an ambitious Identity & Access Management strategy, enterprises have to continue using the investments made in the past. A well-built abstraction layer allows the organization to build on top of the existing infrastructure and processes. The simplicity of the solution also hides the complexities involved in marching large enterprises forward on the journey of unified identity & access management processes. The layer allows applications and provisioning engines to reuse business logic while keeping them agnostic to the implementation. The investments made in ‘Abstraction Layer’ also open up opportunities for new applications to reuse business logic and processes that would otherwise have to be written again.

Coming Up Next …

Automated application access provisioning/de-provisioning is one way to secure the benefits of an IDM solution. But the time and effort it takes to achieve this level of automation is prohibitive. Another approach to win a quick ROI on an IDM solution is to enable manual application provisioning. The ‘Disconnected Application Framework’ in OIM 11g R2 provides a fast and easy way of integrating applications for manual provisioning.
In the next blog, we will share the recent Infosys experience with integrating 150+ applications in OIM 11g R2 using ‘Disconnected Application Framework’ along with the challenges we faced and the steps to avoid common pitfalls.

About the Author


Abhishek Nair is a Senior Technology Architect with the Enterprise Security & Risk Management (ESRM) practice at Infosys Limited. He has over 13 years of experience in the Identity and Access Management domain. He has played a key role in designing and architecting large IAM solutions for Infosys customers with a prime focus on Oracle IAM products.
Abhishek may be reached via LinkedIn

Wednesday Oct 01, 2014

Thursday October 2nd: Identity Management at Oracle OpenWorld '14

Join us at Oracle OpenWorld 2014 and find out how and why our customers and partners around the world, spanning nearly every industry, continue to choose Oracle Identity Management to provide seamless and secure access to nearly any application from any device, to identify and automate who has access to what and to provide a common view of the user across multiple channels.

Below you'll find a list of the Identity Management Sessions at Oracle OpenWorld 2014 for Thursday, October 2nd, in order of date and time, to help you as you plan your week. Click on each to find out more information and don't forget to register for those you want to attend, as sessions can and do fill up.


Conference Sessions


Managing Telenet’s Identities in Practice
Bart Cools, Partner, Cronos NV
Mark Van Tiggel, Team Manager ERP, Telenet NV
9:30 AM - 10:15 AM Moscone West - 3020 CON3995

There and Back Again: Journey to a Successful Deployment
Alex Bolante, Managing Director, Accenture
Viresh Garg, Director, PwC
Andrew Morrison, Partner / Principal, Deloitte & Touche LLP
Aaron Perry, President, Aptec LLC
Matthew Berzinski, Principal Product Manager, Oracle
12:00 PM - 12:45 PM Moscone West - 3020 CON8025

Self-Service Access Control: Help Yourself to More Productivity
Patrick Landry, IT Technical Director, USAA
David Mathias, Information Security Manager - Product Management, US Bank
Atul Goyal, Product Manager, Oracle
Volker Scheuber, Principal Sales Engineer, Oracle
1:15 PM - 2:00 PM Moscone West - 3018 CON8007

Architecting a Complete Access Solution for the Cloud Economy
Bernard Diwakar, Security & IAM Architect, Intuit
Marc Chanliau, Director, Product Management, Oracle
1:15 PM - 2:00 PM Moscone West - 3020 CON7975

Shake, Rattle, and Roll: Managing Large-Scale Identity Management Deployments
Gebhard Herget, Architect, Bundesagentur für Arbeit
Perren Walker, Senior Principal Product Manager, Oracle
2:30 PM - 3:15 PM Moscone West - 3020 CON8045


To maximize your attendance at Oracle OpenWorld 2014, running in San Francisco, CA from September 28th to October 2nd, be sure to review the complete listing of Oracle Identity Management Sessions and Demos.

The Schedule Builder is an invaluable tool to use when planning your visit to the conference. Be sure to pre-enroll in sessions of interest as rooms can fill up. You can search identity management sessions using the term “identity+management” in the Content Catalog.

Identity Management executives and experts will be readily available for discussions and follow ups. Don’t forget to catch live demonstrations of our complete Oracle Identity Management solutions set while at OpenWorld.

Before and during, follow the conversation about Oracle OpenWorld 2014 on Twitter with #oow14 and, as always, engage with us @oracleidm and follow the Identity Management blog. We hope to see you there!

Tuesday Sep 30, 2014

Wednesday October 1st: Identity Management at Oracle OpenWorld 2014

Join us at Oracle OpenWorld 2014 and find out how and why our customers and partners around the world, spanning nearly every industry, continue to choose Oracle Identity Management to provide seamless and secure access to nearly any application from any device, to identify and automate who has access to what and to provide a common view of the user across multiple channels.

Below you'll find a list of the Identity Management Sessions at Oracle OpenWorld 2014 for Wednesday, October 1st, in order of date and time, to help you as you plan your week. Click on each to find out more information and don't forget to register for those you want to attend, as sessions can and do fill up.


Conference Sessions


Customer Success Stories: How to Eliminate the Blind Spots in Enterprise Risk
Angelo Cascio, SVP, Head of Identity and Access Management, Jefferies
Rich Flees, Staff Manager IT, Qualcomm, inc
Bob Jamieson Jamieson, Information Security Director, UL LLC
Neil Gandhi, Principal Product Manager, Oracle
10:15 AM - 11:00 AM Moscone West - 3020 CON7991

Modern Identity Management: Upgrading to Meet Requirements of the Digital Economy
Sherry Gray, Identity & Access Functional Analyst, ICBC
Judy Hatchett, Best Buy
Stacy Knoup, Asst Dir-IT, Principal Financial Group
Matthew Berzinski, Principal Product Manager, Oracle
11:30 AM - 12:15 PM Moscone West - 3020 CON8023

Securely Extend Applications to Mobile Devices: Developing a Mobile Architecture
Dawn Johnson, Director, IDM, First National of Omaha
RAKESH Meena, Security Architect, Aurionpro Solutions, Inc.
Kanishk Mahajan, Principal Product Manager, Oracle
12:45 PM - 1:30 PM Moscone West - 3020 CON7994

Beyond Brute Force: Strategies for Securely Leveraging Mobile Devices
Bob Beach, Security Technologies Strategist, Chevron Information Technology
Rajesh Pakkath, Senior Principal Product Manager, Oracle
Andy Smith, Sr Dir of Product Management, Oracle
3:30 PM - 4:15 PM Moscone West - 3020 CON7973

Trust but Verify: Best Practices for Monitoring Privileged Users
Chirag Andani, VP, Identity Access Management PDIT, Oracle
Olaf Stullich, Principal Product Manager, Oracle
Arun Theebaprakasam, PMTS, Oracle
4:45 PM - 5:30 PM Moscone West - 3020 CON8005

To maximize your attendance at Oracle OpenWorld 2014, running in San Francisco, CA from September 28th to October 2nd, be sure to review the complete listing of Oracle Identity Management Sessions and Demos.

The Schedule Builder is an invaluable tool to use when planning your visit to the conference. Be sure to pre-enroll in sessions of interest as rooms can fill up. You can search identity management sessions using the term “identity+management” in the Content Catalog.

Identity Management executives and experts will be readily available for discussions and follow ups. Don’t forget to catch live demonstrations of our complete Oracle Identity Management solutions set while at OpenWorld.


Before and during, follow the conversation about Oracle OpenWorld 2014 on Twitter with #oow14 and, as always, engage with us @oracleidm and follow the Identity Management blog. We hope to see you there!

Monday Sep 29, 2014

Tuesday: Identity Management at Oracle OpenWorld '14

Join us at Oracle OpenWorld 2014 and find out how and why our customers and partners around the world, spanning nearly every industry, continue to choose Oracle Identity Management to provide seamless and secure access to nearly any application from any device, to identify and automate who has access to what and to provide a common view of the user across multiple channels.

Below you'll find a list of the Identity Management Sessions at Oracle OpenWorld 2014 for Tuesday, September 30th, in order of date and time, to help you as you plan your week. Click on each to find out more information and don't forget to register for those you want to attend, as sessions can and do fill up.


Conference Sessions


Securing the New Perimeter: Strategies for Mobile Application Security
Josh Bregman, VP Solutions, Aurionpro Solutions, Inc
Thai Thai, Infrastructure Solution Architect, Safeway Inc
Andy Smith, Sr Dir of Product Management, Oracle
10:45 AM - 11:30 AM Moscone West - 3020 CON7993

Identity as a Service: Extend Enterprise Controls and Identity to the Cloud
Sanjeev Topiwala, Group Manager, Intuit
Roger Wigenstam, Sr. Director, Product Management, Oracle Identity & Access Management, Oracle
3:45 PM - 4:30 PM Moscone West - 3020 CON8040

The Age of Megavolume: Oracle’s Next-Generation Directory and Future Strategy
Rafik Alsawalhy, Manager, City of Los Angeles
Jerome Cartagena, Staff IT Engineer, Qualcomm, Inc.
Etienne Remillon, Senior Principal Product Manager, Oracle
5:00 PM - 5:45 PM Moscone West - 3018 CON8043

Identity Services in the New GM
Andrew Cameron, Enterprise Architect, Identity Management, GENERAL MOTORS
Susie Godfrey, Directory & Platform Services Manager, GM
5:00 PM - 5:45 PM Moscone West - 3020 CON2007


To maximize your attendance at Oracle OpenWorld 2014, running in San Francisco, CA from September 28th to October 2nd, be sure to review the complete listing of Oracle Identity Management Sessions and Demos.

The Schedule Builder is an invaluable tool to use when planning your visit to the conference. Be sure to pre-enroll in sessions of interest as rooms can fill up. You can search identity management sessions using the term “identity+management” in the Content Catalog.

Identity Management executives and experts will be readily available for discussions and follow ups. Don’t forget to catch live demonstrations of our complete Oracle Identity Management solutions set while at OpenWorld.

Before and during, follow the conversation about Oracle OpenWorld 2014 on Twitter with #oow14 and, as always, engage with us @oracleidm and follow the Identity Management blog. We hope to see you there!

Sunday Sep 28, 2014

Monday: Identity Management at Oracle OpenWorld 2014


Join us at Oracle OpenWorld 2014 and find out how and why our customers and partners around the world, spanning nearly every industry, continue to choose Oracle Identity Management to provide seamless and secure access to nearly any application from any device, to identify and automate who has access to what and to provide a common view of the user across multiple channels.

Below you'll find a list of the Identity Management Sessions at Oracle OpenWorld 2014 for Monday, September 29th, in order of date and time, to help you as you plan your week. Click on each to find out more information and don't forget to register for those you want to attend, as sessions can and do fill up.


MONDAY, SEP 29, 2014

General Sessions


General Session: The Cloud Platform for Digital Business—Presented by Thomas Kurian
Steve Holland, Chief Technology & Digital Officer, 7-Eleven, Inc.
Thomas Kurian, EVP, Oracle
1:15 PM - 2:15 PM Marriott Marquis - Salon 7/8/9 GEN8589

Conference Sessions


Ready for the Digital Economy? Oracle’s Vision of How Identity Helps
Sanjeev Topiwala, Group Manager, Intuit
colin anderson, VP-IT & CISO, safeway
Amit Jasuja, Senior Vice President, Oracle
10:15 AM - 11:00 AM Moscone West - 3020 CON7989

Identity Governance Across the Extended Enterprise
Dominic Fedronic, Senior Business Leader, VISA
Chris Guttridge, IS Architect, AAA - The Auto Club Group
Bernhard Hübl, Teamleader Middleware, SPAR AG
Jim Taylor, Snr. Director of Product Management, Oracle
11:45 AM - 12:30 PM Moscone West - 3020 CON7968

Access Without Fear: Delivering an Optimal Multichannel User Experience
Thai Thai, Infrastructure Solution Architect, Safeway Inc
Paul Van Nieuwenhuyze, Service Manager, GDF Suez
Jie Yin, Senior Director, Product Management, Oracle
2:45 PM - 3:30 PM Moscone West - 3020 CON7995

Oracle Management Pack Plus for Identity Management Best Practices and Lessons Learned
Byron Amstutz, Executive Principle, Technical Architecture, Accenture-CalHEERS
Andrew Cameron, Enterprise Architect, Identity Management, GENERAL MOTORS
Perren Walker, Senior Principal Product Manager, Oracle
4:00 PM - 4:45 PM Moscone South - 200 CON8212

Securing Oracle Applications and the Extended Enterprise with Identity Management
Naynesh Patel, Sr. Partner, SIMEIO SOLUTIONS
Vaidyanathan Sree, Senior Director Business Application, Sony Computer Entertainment America
Matthew Berzinski, Principal Product Manager, Oracle
5:15 PM - 6:00 PM Moscone West - 3018 CON8874

Architecting Applications with Intelligent Authentication and Authorization
Ranjan Jain, Enterprise IT Architect, Cisco Systems Inc
Roger Westman, Prin IA Engineer, MITRE Corporation
Svetlana Kolomeyskaya, Group Product Manager, Oracle
5:15 PM - 6:00 PM Moscone West - 3020 CON7978


To maximize your attendance at Oracle OpenWorld 2014, running in San Francisco, CA from September 28th to October 2nd, be sure to review the complete listing of Oracle Identity Management Sessions and Demos.

The Schedule Builder is an invaluable tool to use when planning your visit to the conference. Be sure to pre-enroll in sessions of interest as rooms can fill up. You can search identity management sessions using the term “identity+management” in the Content Catalog.

Identity Management executives and experts will be readily available for discussions and follow ups. Don’t forget to catch live demonstrations of our complete Oracle Identity Management solutions set while at OpenWorld.


Before and during, follow the conversation about Oracle OpenWorld 2014 on Twitter with #oow14 and, as always, engage with us @oracleidm and follow the Identity Management blog. We hope to see you there!

Friday Sep 26, 2014

Oracle Identity Management: Customers, Partners & OpenWorld 2014

Join Oracle, our partners and customers at Oracle OpenWorld 2014 as we relate experiences with and demonstrate how Oracle's Identity Management solutions increase security and allow companies to homogenize and defragment identity information and services, which can result in faster deployment times, faster upgrades, and lower cost of ownership by providing consistent access controls and an optimized user experience across the extended enterprise. To help organizations offer more digital services, Oracle Identity Management provides the foundation to connect to the internet value chain and economies of scale to manage users across all channels of interaction including cloud, mobile, and social.

Listen in customer led sessions and hear about real world implementations of Oracle Identity Management solutions across multiple markets in these and more sessions with Oracle partners and customers.

Session | Partner/Customer
Ready for the Digital Economy? Oracle’s Vision of How Identity Helps | Intuit, Safeway
Identity as a Service: Extend Enterprise Controls and Identity to the Cloud | Intuit
Securing the New Perimeter: Strategies for Mobile Application Security | AurionPro
Customer Success Stories: How to Eliminate the Blind Spots in Enterprise Risk | Qualcomm, UL, Jeffries
Identity Governance Across the Extended Enterprise | Visa, SPAR, Dewpoint Inc.
The Age of Megavolume: Oracle’s Next-Generation Directory and Future Strategy | Qualcomm, City of Los Angeles
There and Back Again: Journey to a Successful Deployment | Deloitte & Touche LLP, Aptec LLC
Securing Oracle Applications and the Extended Enterprise with IdM | Simeio Solutions, Sony Computer Entertainment America

Learn from the experts as they demonstrate the Identity Management solutions that can help reduce complexity and risk while lowering costs and improving the user experience. See all the Identity Management demos at OOW14 here.

Demo | Location
Identity Management for the Cloud | Moscone South, Left - SLM-123
Identity Management Monitoring with Enterprise Manager 12c | Moscone South, Left - SLM-141
Oracle Mobile Security Suite: Secure Enterprise Applications | Moscone South, Left - SLM-136
Oracle Mobile Security Suite: Enable Secure Access to B2C Applications | Moscone South, Left - SLM-134
Access Management: Complete, Intelligent, and Scalable | Moscone South, Left - SLM-121
Access Management: External Fine-Grained Authorization | Moscone South, Left - SLM-122
Identity Governance: Increased Productivity with Business-Friendly Self-Service | Moscone South, Left - SLM-143


Tuesday Sep 23, 2014

Pre-Registration Now Open for eBook: Oracle Mobile Security Primer

Today, just as organizations are starting to understand the first wave of the mobile revolution, there are now numerous demands being placed on IT to support the second wave as new generation devices and applications are coming online to take advantage of these new capabilities in today’s corporate environment.

Pre-Registration has just opened for the new eBook: Oracle Mobile Security Primer which provides a deeper understanding of not only the fundamentals, but also the complex issues related to mobile security in today’s corporate mobility environment. If you maintain the role of a mobility planner, security architect, CISO, security director, IT director, operations manager or just simply want to stay up on the latest trends around mobile security, then pre-register for this new eBook: Oracle Mobile Security Primer.

Some of the areas covered in this eBook:

  • A look at the changing mobile and business requirements
  • Deep dive in the technologies used to secure the mobile platform today
  • Containerization and application management
  • The role Identity Management plays on the mobile device
  • The broader view of securing the mobile stack

Registration will allow Oracle to provide notification to you upon its availability in both eBook and printed form by McGraw-Hill.

www.mhprofessional.com/mobsec

Friday Sep 19, 2014

Are you ready to take on the Digital Economy securely?

As organizations consume an increasing number of cloud services and applications, identity management becomes fragmented. Organizations have inconsistent access policies and lose visibility into who has access to what. To avoid these risks and costs, they are increasingly adopting a strategy of extending enterprise identity services to the cloud.

Join Amit Jasuja, Senior Vice President, Identity Management and Security, Oracle, and representatives from Intuit and Safeway at Oracle OpenWorld 2014 as they explore how customers are using Oracle Identity Management to deliver a unified identity management solution that provides users with access to all their data from any device while giving administrators an intelligent, centralized view into user access rights. See more detail here and don't forget to register for this session [CON7989] taking place at OOW14 on Monday, Sep 29, 10:15 AM - 11:00 AM PT.


Wednesday Aug 27, 2014

A Journey from Customization to Standardization - Umer Aziz

It was a cold evening back in fall 2010 when a succinct but impressive cake cutting ceremony was held at Oslo’s massive indoor stadium, Telenor Arena. The ceremony progressed with some speeches and presentations, leading to a delicious cake and refreshments. The gathering also comprised brilliant IT Security and Identity & Access Management professionals, accompanied by personnel from other IT disciplines. Most of the audience showed great enthusiasm and pitched very interesting questions, which were answered with great passion and confidence by those energetic professionals.

It was the launch ceremony of an application that received the Oracle Fusion Middleware Innovation award at Oracle OpenWorld in the same year. The application was built on the concept of ‘Identity as a service’ for group companies and proved to be a great addition to the application portfolio of our Shared Services organization.

Customized GUI on top of Oracle Identity Manager
The application was built as a customized layer on top of Oracle Identity Manager 10g and offered user-friendly certification audits and access request management, powered by a multi-tenant architecture. These features were a bit ahead of their time in the IdM world and were the key reasons for building a customized layer on top of Oracle's standard solution. It was not the first time we had built a customized application using the APIs of a standard identity manager: we had already done so in the form of a “user creation management GUI” on top of Oracle Identity Manager 9i.

Shortcomings of a customized solution
Although customization yields a product tailored to the customer’s wishes and meets requirements more precisely, we have to accept that the technology has matured and vendors now offer off-the-shelf solutions that are better than the traditional tailored products.

The following are the major shortcomings of a customized solution that we faced.

  • A tailored solution is always more expensive than an off-the-shelf product. The logic is simple: a customized product is made for a single customer, so all development expenses are borne by one entity.
  • Upgrading to a newer version is always a big challenge with a customized solution, but it becomes even bigger when the customization is heavily dependent upon the application interfaces (APIs and web services). I still remember the mayhem while upgrading from OIM 10g to OIM 11gR1 :)
  • Maintenance and development of a customized solution require considerable time and resources compared to the standard solution. A dedicated team of programming geeks is a must for successfully running a tailored solution. Another relevant challenge is training and coaching of newly hired staff. Every time a new person is hired to fill a vacant position, hands-on training is required for them to understand the architecture and approach used for the customization.
  • The product support community does not offer any support for a customized product, so if you hit a bug or challenge in your customized solution, you will be the only one who can resolve it.
  • Many solution providers admit that customization has resulted in slow performance of their application instances. The allowed customization approaches use standard APIs or related interfaces to interact with the core application, and these have always been considered performance degraders because of the overhead the application incurs at its external interfaces. This challenge is not unique to Identity Management; similar feedback has been reported by experts on other products such as Oracle E-Business Suite and Oracle SOA Suite.


Oracle’s Beta testing program
The Beta Testing Program is a joint venture between Oracle and its customers. This initiative provides a structured approach for including users of Oracle applications from selected organizations in the Beta Testing Programs. The overall goal is to allow selected users to perform in-depth testing and analysis of Oracle's new products and releases in order to help Oracle deliver better products to market. As beta testing participants, testers perform in-depth testing of the next generation of Oracle products. This also helps testers build a personal knowledge base, become industry-recognized technology leaders, and influence Oracle's future product direction.

Our organization, as a Shared Services Solution Provider of Identity and Access Management, was also involved in the beta testing of patch set 2 (PS2) of the Identity and Access Management suite 11gR2. Our focus was limited to Identity Governance, more specifically the Multi-Tenancy and Access Request Management features.

Decommissioning of Tailored layer and rollout of Off-The-Shelf Solution
It's a common misunderstanding that boundaries limit creativity. It may sound unreasonable, but boundaries can actually boost creativity. So we need to impose boundaries by tightening our processes, and one way to achieve this effectively is with off-the-shelf solutions.

As our involvement in the beta testing program gave us confidence in the much-awaited functionality, last week we decided to decommission the customized layer by moving its functionality into OIM 11gR2 PS2. The work has actually started, and the intention is to complete it before the summer vacation of 2014. We're crossing our fingers and hoping that the rollout of the off-the-shelf solution goes smoothly.

Umer Aziz is an ITIL Specialist Change Manager with Telenor Global Shared Services and has an extensive consulting background in Identity and Access Management in real world deployments. 

Thursday Jul 31, 2014

Identity Management at Oracle OpenWorld 2014


Are you registered for Oracle OpenWorld 2014 to be held in San Francisco from September 28th to October 2nd? Visit the Oracle OpenWorld 2014 site today for registration and more information. We have highlighted some of the most talked about sessions that attendees will be trying to get in to see this year.  For the latest information on sessions (such as schedule changes to dates, times, venue locations) please continue to check back at the links below.

Business Transformation Case Studies in Identity Consolidation (CON7989) - This session will explore how customers are using Oracle Identity Management to deliver a unified identity management solution that gives users access to all their data from any device while providing an intelligent centralized view into user access rights. See how Oracle Identity management can securely accelerate your adoption of cloud services in the new digital economy.

Identity Governance Across the Extended Enterprise (CON7968) - In this session, see how Oracle's Identity Governance solution reduces risks and costs while providing fast access to new services through an intuitive user self-service solution, helping you thrive in today's economy.

Securing The New Perimeter: Strategies for Mobile Application Security (CON7993) - In this session, we will cover how enterprise mobility and the Internet of Things are both new IT endpoints that require melding device and user identities for security.

Access without Fear: Delivering an Optimal Multi-Channel User Experience (CON7995) - In this session, we will review the role of the Oracle Access Management Platform and how it delivers an optimal user experience while guaranteeing the security of all access events.

Identity as a Service - Extend Enterprise Controls and Identity to the Cloud (CON8040) - In this session, we will cover how the Oracle Cloud Identity Service extends enterprise controls to the cloud, automating SaaS account provisioning, enabling single sign-on and providing detailed activity reports for today's customers.

Check back often, for a complete listing of all sessions available at Oracle OpenWorld 2014.

Identity Management executives and experts will also be at hand for discussions and follow ups. And don’t forget to catch live demonstrations of our complete Oracle Identity Management solutions set while at OpenWorld.

Follow the conversation on Oracle OpenWorld 2014 on Twitter with #OOW14 and as always, engage with us @oracleidm.

We recommend the use of the Schedule Builder tool to plan your visit to the conference and for pre-enrollment in sessions of your interest. You can search identity management sessions using the term “identity management” in the Content Catalog. We hope to see you there!

Wednesday Jul 30, 2014

Exploring the OIM API Wrapper (Part 2 of 2)

This is part 2 of a 2 part series. In part 1, we discussed developing these web service wrappers and handling security for both the OIM credentials and web service endpoints. In part 2, we'll demonstrate how to invoke these web services from your BPEL Approval Workflow (and even how to store your web service user credentials in the CSF).

We wanted to pass along a suggestion to use Fault Policies around your web service calls to retry the operation in the event of network issues. We won't cover the use of Fault Policies in this series of posts, but may discuss it in a future post. For more information about Fault Handling in BPEL specifically, check out this document from Oracle Documents Online.

Invoking the Web Service
Now that you have deployed your web service and protected it with an OWSM policy, you will need to configure your BPEL Approval workflow to invoke the web service. This is actually quite simple and JDeveloper does most of the work for you.

To start, we will assume you already have created a workflow (if not, see Oracle's How-To document for more information).

Once you have a new workflow, you must create a new partner link. To do this, open the bpel file for your workflow (such as ApprovalProcess.bpel) and drag the Partner Link activity from the Component Palette onto the Partner Links swim lane section of your workflow screen.

The Create Partner Link window will appear. Here you will specify the name of the Partner Link, as well as the WSDL URL. After typing in the WSDL URL, click the Parse WSDL button. You will see a prompt notifying you that there are no Partner Link Types defined in the current WSDL. Click Yes. This prompt may appear twice, so click Yes both times. You will see the Partner Link Type field has been populated. Finally, under Partner Role, choose the role listed and then click OK. You will see the new Partner Link appear in the Partner Links swim lane.



Now that you have a Partner Link defined, you must define an Invoke activity by dragging and dropping it from the Component Palette into the main swim lane. Double click the new Invoke activity and the properties window will appear.

Type in a name for the Invoke activity, and then choose a Partner Link using the Partner Link Chooser (select the one you just created). You will see a list of operations to choose from. In our case, we’ll select Disable User.

For Input and Output variables, you will have to create these by clicking the + icon, starting with the Input variable. When the Create Variable dialog box appears, click OK to accept the defaults.  Repeat this process to create the Output variable.



Finally, click OK to close the Invoke properties box. You will see a line connecting the Invoke activity you just created to the Partner Link you created previously. Make sure you save the bpel file in JDeveloper.


Now that you have defined an Invoke activity for the new Partner Link, you must use the Assign activity to assign the proper input values to the Input variable you created in the previous step. Drag and drop an Assign activity from the Component Palette onto the BPEL workflow. As with any other BPEL assignment, simply choose the source value on the left side of the Copy Rules screen, and drag to a corresponding variable element on the right side, then click OK.



Repeat this process for the Output variable, if necessary. You have now successfully configured your BPEL workflow to invoke the custom web service. In the next section, we will cover how to pass credentials to the web service using the OWSM Client Policy.

Configure OWSM Client Policy
Previously we protected the Web Service endpoint with an OWSM Policy that requires a username and password to be provided along with the SOAP request, so we will have to configure our Partner Link to provide these credentials when the service is invoked. This is actually quite easy in JDeveloper. You could also do this in Enterprise Manager at runtime, but it will not persist if you redeploy the BPEL Approval workflow.

In your BPEL Workflow project, open the composite.xml file. On the right under the External Service swim lane, right click on your Partner Link and click Configure WS Policies. Beside Security, click the + sign to add a Security policy.





Choose oracle/wss_username_token_client_policy and click OK. Back on the Configure SOA WS Policies screen, select the policy under Security and click the pencil icon to edit the policy settings. For the csf-key row, you can specify a csf key name under Override Value or use the default value (basic.credentials). Here you must use a CSF key that has been defined in the oracle.wsm.security CSF map. This is very important – only keys defined in oracle.wsm.security will work. In our case, we defined a custom key called owsmUserCred that contains a valid username and password. At runtime, Weblogic will retrieve this CSF credential and use it to authenticate.



Click OK, and then click OK again to close the Configure SOA WS Policies window. Save the composite.xml file, then deploy your web service to the SOA server and associate it to an OIM Approval Policy as needed.

You now have successfully configured your BPEL Approval workflow to use the custom Web Service and to pass the credentials necessary to satisfy the OWSM policy assigned to the endpoint.

Justin Hinerman is an Identity and Access Management Engineer with IDMWORKS.  As a key Oracle Partner, IDMWORKS takes a focused approach to the implementation of a Service Oriented Architecture and Identity Management-based solutions.

Thursday Jul 17, 2014

Exploring the OIM API Wrapper (Part 1 of 2) - IDMWORKS

The need for custom OIM API operations within BPEL approval workflows happens more often than one might think. While there exists a capability to embed Java code within a BPEL workflow (with the Java Embedding activity), this is far from ideal, as anyone who has tried this will understand. In fact, the Java Embedding activity is designed to provide easy access to some basic utility code, not hundreds of lines worth of functionality. Therefore, we recommend that clients deploy custom Web Service wrappers for the OIM API calls.

This is part 1 of a 2 part series. In part 1, we will discuss developing these web service wrappers and handling security for both the OIM credentials and web service endpoints. In part 2, we'll demonstrate how to invoke these web services from your BPEL Approval Workflow (and even how to store your web service user credentials in the CSF).

Development

We’re not going to dig deep into the detail of developing these web services, mostly because it is outside the scope of this post, and there are several other fine resources out there that can walk you through creating JAX-WS web services. Refer to Oracle's documentation at the Oracle JDeveloper Tutorial page for more information.

At a high level, you can create a dynamic web project in Eclipse, and then create your classes and methods however you want. For every class that contains a web service, it must be annotated with @WebService, and every method you want to expose as an operation must be annotated with @WebMethod. Note there are some limitations on input and return parameters with web services created in this way, notably collections. For example, if you wish to return a HashMap<String, String> from a web service, you can’t do it. But if you wrap the HashMap in a wrapper class, it will work fine.

For example:

import java.util.HashMap;
import javax.jws.WebMethod;
import javax.jws.WebService;

// Wrapper bean: JAX-WS cannot map a bare HashMap<String, String> as a return type,
// but it can map a JavaBean whose property holds the map.
public class Response {

    private HashMap<String, String> items;

    public HashMap<String, String> getItems() { return items; }

    public void setItems(HashMap<String, String> items) { this.items = items; }
}

// Inside a class annotated with @WebService, each exposed operation returns the wrapper:
@WebMethod
public Response webOperation(String input) { … }

OIM Authentication

When invoking the API calls to OIM, you will need to authenticate with a user who has certain Administrative rights within OIM, such as xelsysadm. Creating a new OIMClient instance requires the username, password, and OIM t3 URL. In this case, the Credential Store Framework is perfectly suited to store these credentials. In our case, we store the OIM credentials using a Password key type in CSF, and the OIM t3 URL using a Generic key type.



Once the credentials were in place in the CSF, we simply invoked the CSF API (reference documentation) to retrieve the credentials. Note that the OOTB JPS policy should allow access to a key stored in the OIM map by default if your application is deployed on the Weblogic server and your classpath contains the jps-api.jar file located in the $MW_HOME/oracle_common/modules/oracle.jps_11.1.1/ directory. Otherwise, you will have to define an explicit policy (in Enterprise Manager, the System Policies screen).
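Putting the Development and OIM Authentication sections together, here is an added example (not the IDMWORKS code from this post) of a JAX-WS wrapper around one OIM API call that reads the OIM account and t3 URL from the CSF instead of embedding them. The CSF map and key names, the Response bean and the UserManager.disable call are assumptions, and the OIMClient/CSF method signatures are taken from the 11g APIs as I know them.

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;

import javax.jws.WebMethod;
import javax.jws.WebService;

import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.platform.OIMClient;
import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.GenericCredential;
import oracle.security.jps.service.credstore.PasswordCredential;

@WebService
public class OimUserService {

    // Assumed CSF names for this example: the post only says a Password key holds the
    // OIM admin account and a Generic key holds the OIM t3 URL, both in the OIM map.
    private static final String CSF_MAP = "oim";
    private static final String CSF_OIM_USER_KEY = "oimAdminCred";
    private static final String CSF_OIM_URL_KEY = "oimT3Url";

    /** JAX-WS cannot map a bare HashMap return type, so results travel in a bean. */
    public static class Response {
        private HashMap<String, String> items = new HashMap<String, String>();
        public HashMap<String, String> getItems() { return items; }
        public void setItems(HashMap<String, String> items) { this.items = items; }
    }

    /** The "Disable User" operation the BPEL Invoke activity in Part 2 calls. */
    @WebMethod
    public Response disableUser(String userLogin) {
        Response r = new Response();
        OIMClient client = null;
        try {
            client = connect();
            UserManager um = client.getService(UserManager.class);
            // second argument true: the identifier is the user login, not the internal key
            um.disable(userLogin, true);
            r.getItems().put("status", "disabled");
            r.getItems().put("userLogin", userLogin);
        } catch (Exception e) {
            // report only the failure reason; the OIM credentials never leave this class
            r.getItems().put("status", "error");
            r.getItems().put("message", e.getMessage());
        } finally {
            if (client != null) client.logout();
        }
        return r;
    }

    /** Builds an OIMClient from credentials held in the CSF rather than in code or config. */
    private static OIMClient connect() throws Exception {
        // CSF lookups must run as a privileged action so the JPS policy grant applies
        final CredentialStore store = AccessController.doPrivileged(
            new PrivilegedExceptionAction<CredentialStore>() {
                public CredentialStore run() throws Exception {
                    JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
                    return ctx.getServiceInstance(CredentialStore.class);
                }
            });
        PasswordCredential account = AccessController.doPrivileged(
            new PrivilegedExceptionAction<PasswordCredential>() {
                public PasswordCredential run() throws Exception {
                    return (PasswordCredential) store.getCredential(CSF_MAP, CSF_OIM_USER_KEY);
                }
            });
        GenericCredential url = AccessController.doPrivileged(
            new PrivilegedExceptionAction<GenericCredential>() {
                public GenericCredential run() throws Exception {
                    return (GenericCredential) store.getCredential(CSF_MAP, CSF_OIM_URL_KEY);
                }
            });

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, (String) url.getCredential());
        OIMClient client = new OIMClient(env);
        // the password stays a char[]; it is never copied into a String or logged
        client.login(account.getName(), account.getPassword());
        return client;
    }
}
```

With the application deployed on the same WebLogic domain and jps-api.jar on the classpath, the three privileged lookups succeed under the default JPS policy described above; otherwise the System Policies grant has to be added first.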

Configure Web Service Policy in OWSM

Obviously, exposing without any authentication a web service that can create and modify users, provision accounts, and so on would be a huge security risk. Fortunately, you can use Oracle Web Services Manager (OWSM) to require authentication when invoking the web services. If you use JDeveloper or the Oracle Enterprise Pack for Eclipse, you can define OWSM policies locally in your IDE. You can also do this via WLST. In our case, we’ll show you how to use Enterprise Manager to define these policies after you deploy your application.

To do this, login to Enterprise Manager and navigate Weblogic Domain -> Domain Name -> Server Name (for example, IDMDomain -> AdminServer). Right click on the server and click Web Services. You will see a list of Web Services deployed on your server.


Choose the Endpoint Name you wish to protect. The Web Service Endpoint screen will appear. Choose the OWSM Policies tab, and then click Attach/Detach. On the Attach/Detach Policies screen, select the “oracle/wss_username_token_service_policy” policy. This will enforce username and password authentication on the web service call. You will see the policy appear in the “Attached Policies” section at the top of the screen.


Click OK. You will be returned to the Web Service Endpoint screen and the attached policy will be listed in the OWSM Policies list.

If you click Web Services Test (or use something similar such as SoapUI), you can validate that the policy has been applied. Click to expand the Security tab, then select the OWSM Security Policies radio button, and choose oracle/wss_username_token_client_policy from the list of available client policies. Provide the credentials of any user in the Weblogic domain security realm (such as the weblogic user), and click Test Web Service. Depending on your implementation, you may have to provide parameters in the Input Arguments tab, but in our case if we pass no input we just get back an error. This validates that the security policy is enforced.


One important point here is that if you redeploy the web services application, you must re-apply the policies using the steps above.

That covers it for Part 1, and we hope you will check back next week for Part 2 in this blog series. 

Monday Jun 16, 2014

It’s Time for Businesses to get Serious about BYOD

Klaus Bergius, Director of Technology Marketing EMEA at Oracle

Bring Your Own Device (BYOD) is a corporate reality that is already affecting virtually every business operating today. In some ways BYOD is inevitable, with businesses having little choice but to adapt to it. Consumer smartphones, tablets and laptops may eventually end the corporate mandating of employee devices. But currently, there is widespread concern and even denial in enterprises, while embracing BYOD could create new opportunities. This is what the Oracle European BYOD Index Report, based on research carried out in January and February 2014, reveals.

This Index assesses the opinions of Chief Security Officers, Chief Information Security Officers or other personnel responsible for information security at 700 businesses in the Nordics, Germany and Switzerland (DCH), Benelux, the UK, France, Italy and Iberia (Portugal and Spain), across all major industry verticals. It seeks to understand how far European businesses have progressed in deploying key BYOD technologies and processes and what their opinions are with regard to the future of BYOD.

Barriers to Adoption
The latest research  from Oracle suggests that few businesses in Europe have fully warmed to BYOD, with 44 per cent of businesses stating that they dislike BYOD and only allow it in exceptional circumstances. A further 22 per cent have a complete ban on data or information residing on a BYOD device and – perhaps most worrying – 20 per cent have no rules in place at all. Half of organizations are not managing smartphones as part of BYOD, and there seem to be big concerns around security. Device security (45 percent), application security (53 percent) and data security (63 percent) were all listed as areas of concern.  Full BYOD Index Report

The Awareness Gap
This issue, however, is not a technological or process one – it is an educational one. For me, the main thing hindering further adoption of BYOD across Europe is a lack of awareness of what exactly it is  and what can be done to secure it. Fortunately the technology already exists to cost-effectively deliver secure BYOD. Containerization, or sand-boxing as it is sometimes referred to, illustrates this point perfectly.  But in our survey the majority (37 percent) of the IT professionals we asked had never even heard of it, let alone deployed it (only 8 percent reported that they have deployed containerization).  Full BYOD Index Report

Device vs. Application Management
Functions such as locking or remote wiping the device content or doing firmware upgrades are the domain of MDM (Mobile Device Management). Managing applications on devices typically is in the MAM (Mobile Application Management) area. But why should we continue to separate them from each other, thus fragmenting the overall solution into small pieces that are addressed by multiple vendors? Why shouldn’t we view MDM and MAM as overlapping areas, and moreover, treat it as ‘just’ an extension of corporate Identity and Access Management, by simply extending this solution to include device and application management features? This is exactly what Oracle Mobile Security Suite does.  Full BYOD Index Report

Outlook
In an attempt to widen this research and find out what the readiness and opinion towards BYOD is in other parts of the world, Oracle is currently preparing a second version which shall cover North America, South America, Eastern Europe, Middle East and Africa as well as Asia Pacific countries. And in addition to the aspects of data security, device security and application security, we will also include cloud security as an additional aspect. It will be extremely interesting to compare results, so stay tuned for an update!


Thursday Jun 12, 2014

BYOD is not a fashion statement; it’s an architectural shift - by Indus Khaitan

Ten years ago, if you asked a CIO, “how mobile is your enterprise?”. The answer would be, “100%, we give Blackberry to all our employees.”

A few things have changed since then:

1.    Smartphone form-factors have matured, especially after the launch of iPhone.
2.    Rapid growth of productivity applications and services that enable creation and consumption of digital content
3.    Pervasive mobile data connectivity

There are two threads emerging from this change. Users are rapidly merging their personas as an individual and as an employee: one second posting a picture of a fancy dinner on Facebook, the next creating an expense report for the same meal on the same mobile device.

Irrespective of the dual persona, a user’s personal and corporate lives intermingle freely on a single piece of hardware, and more often than not it’s an employee's personal smartphone being used for everything.
A BYOD program enables IT to “control” an employee-owned device while enabling productivity. More often than not the objective of a BYOD program is financial: the employee pays for the device instead of the organization. More than a fancy device, BYOD initiatives have become a sort of fashion statement, of corporate productivity, of letting employees be in charge, and a show of corporate empathy in not forcing an archaic form factor on people in a world with new device launches every month.

BYOD is no longer a means of effectively moving expense dollars and support costs. It does not matter who owns the device; it has to be protected. BYOD brings an architectural shift. BYOD is an architecture which assumes that every device is vulnerable, not just what your employees have brought but what organizations have purchased for their employees. It's an architecture which forces us to rethink how to provide productivity without compromising security.

Why assume that every device is vulnerable?

Mobile operating systems are rapidly evolving, with major upgrade announcements every other month. It is impossible for IT to keep up. More than that, users are savvier than before. While IT could install locks on the doors to keep intruders out, doing so may degrade productivity, which incentivizes users to bypass the restrictions. A rapidly evolving mobile ecosystem has moving parts which are vulnerable.

Hence, creating a mobile security platform that uses the fundamental building blocks of the BYOD architecture, such as identity defragmentation, IT control and data isolation, ensures that the sprawl of corporate data is contained.

In the next post, we’ll dig deeper into the BYOD architecture.

Tuesday Jun 10, 2014

Nominations now open for the Oracle FMW Excellence Awards 2014

2014 Oracle Excellence Award Nominations
Who Is the Innovative Leader for Identity Management?

•    Is your organization leveraging one of Oracle’s Identity and Access Management solutions in your production environment?
•    Are you a leading-edge organization that has adopted a forward-thinking approach to Identity and Access Management processes across the organization?
•    Are you ready to promote and highlight the success of your deployment to your peers?
•    Would you like a chance to win FREE registration to Oracle OpenWorld 2014?

Oracle is pleased to announce the call for nominations for the 2014 Oracle Excellence Awards: Oracle Fusion Middleware Innovation. The Oracle Excellence Awards for Oracle Fusion Middleware Innovation honor organizations using Oracle Fusion Middleware to deliver unique business value. This year, the awards will recognize customers across nine distinct categories, including Identity and Access Management.

Oracle customers who feel they are pioneers in their implementation of at least one of the Oracle Identity and Access Management offerings in a production environment or active deployment should submit a nomination. If submitted by June 20th, 2014, you will have a chance to win a FREE registration to Oracle OpenWorld 2014 (September 28 - October 2) in San Francisco, CA. Top customers will be showcased at Oracle OpenWorld and featured in Oracle publications.

The Identity and Access Management Nomination Form

Additional benefits to nominees
Nominating your organization opens additional opportunities to partner with Oracle such as:
•    Promotion of your Customer Success Stories
Provides a platform for you to share the success of your initiatives and programs with peer groups, raising the overall visibility of your team and your organization as a leader in security.

•    Social Media promotion (Video, Blog & Podcast)
Reach the masses of Oracle’s customers by sharing success stories or customer-created blog content that highlights your thought leadership role in security, including co-authored articles on the Oracle Blog page, which reaches close to 100,000 subscribers. There are numerous options to promote activities on Facebook and Twitter, as well as co-branded activities using video and audio.

•    Live speaking opportunities to your peers
As a technology leader within your organization, you can represent your organization at Oracle-sponsored events (online, in person or webcasts) to help share the success of your organization’s efforts, building out your team’s or organization’s brand and record of success.

•    Invitation to the IDM Architect Forum
Oracle is able to invite the right customers into the IDM Architect Forum, an invitation-only group of customers that meets monthly to hear technology-driven presentations from their own peers (not from Oracle) on today’s trends. If you want to hear privately what some of the most successful companies in every industry are doing about security, this is the forum to be in. All presentations are private and remain within the forum, and only members can take advantage of the lessons gained from these meetings. To date, there are 125 members.

There are many more advantages to partnering with Oracle; however, it can start with the simple nomination form for the Identity and Access Management category of the 2014 Oracle Excellence Award.

Monday May 12, 2014

Modernizing UK Government with Aurionpro Sena

Around the world, governments are transforming to deliver online citizen services and gain economies of scale by removing silos across departments. For many people, the image of government is long lines, lots of paperwork, and bureaucracy. While taxes continue to rise, the quality of service has continued to lag. A study by McKinsey showed that 50% of citizens are demanding access to government services on weekends, and many governments are stepping up to address the need. The UK government is setting the example for efficiency with a digital services strategy. In a recent newsletter article, Aurionpro Sena shares how Identity and Access Management initiatives in the UK government are de-fragmenting the infrastructure that connects people and removing roadblocks to collaboration. As a result, the UK government is now an innovation center.

The first phase of the initiative is modernizing 25 services delivered by 14 agencies across 8 government departments. The results so far are amazing. The report estimates that moving services from offline to digital channels will save the UK government between £1.7 and £1.8 billion per year. If you are interested in reading the strategy document, click here.

Our partners at Aurionpro Sena have been busy working closely with the Cabinet Office on their deployment and documented the results in a recent newsletter article. Using Oracle Identity Management, Aurionpro Sena started working with a number of UK government departments in 2013 to design, build, and support a federated identity shared service that could be securely hosted within a Public Service Network (PSN) accredited data center. The resulting service, Aurionpro's Public Sector Internal Identity Federation (PSIIF) Hub, will enable easier sharing of information across the public sector, increasing the security of data access and enabling public sector organizations to realize savings across the government's information and communications technology (ICT) program. The PSIIF hub is now available for procurement through the government's Cloudstore. Full article here.

The GDS (Government Digital Services) organization produced the video below as a demonstration of the services being rolled out. These examples are inspirational and will change the way we think about government. One day we may scarcely remember that renewing your driver's license meant taking a day off from work to go to the DMV (Department of Motor Vehicles) to take a number and wait for your name to be called. Calling the state tax office only to be transferred to multiple people who couldn't help you will be a story told in a medieval history class. Click to enjoy the video of the Sprint Alpha Transformation Demo from GDS on Vimeo.

Friday May 09, 2014

Three User Friendly Strategies for BYOD Security

For most CIOs, securing corporate data on mobile devices is top of mind. With enterprises producing more data than ever before in human history, much of that data will be accessible via mobile devices and mobile applications. In fact, studies suggest that 80% of enterprise access will be via mobile devices by 2020 vs. just 5% today. Amit Jasuja's recent article on the Forbes Oracle Voice discusses three strategies for CIOs that can reduce the risk and simplify the user experience.

Wednesday May 07, 2014

Deploying the Oracle IAM Suite with the Deployment Wizard - by Alex Stanciu (IDMWORKS)

With the release of Identity & Access Management Suite R2 PS2 (11.1.2.2.0), Oracle has released a new deployment tool, called the Oracle Identity and Access Management Deployment Wizard, to automate the installation and configuration of products related to the IAM suite.

With the Deployment Wizard, you can fully automate the installation, configuration and integration of WebLogic Server, SOA Suite, Oracle Identity Manager, Oracle Access Management, Oracle Unified Directory, Oracle HTTP Server and Webgates. The tool allows you to select one of three deployment topologies: OIM, OAM, or OIM integrated with OAM and OUD. As an Oracle Partner in this space, IDMWORKS has drawn on our extensive experience in this field to pull together a detailed paper on the usage of this Deployment Wizard. It will give insight to those of you looking to understand how to take advantage of the latest capabilities from Oracle in deploying Oracle's Identity and Access Management offerings. For this detailed whitepaper, please follow the link to the IDMWORKS website.

