Thursday Sep 12, 2013

Oracle OpenWorld: Context and Risk-Aware Access Control: Any Device Anywhere

Are you attending Oracle OpenWorld 2013?  What are you doing to manage access to information, from any device, anytime...and from anywhere?

Customers expect consistent levels of service across laptop, tablet, and smartphone, but the very nature of mobile computing introduces a whole new range of security concerns, such as device type and configuration, location, type of connection, data to be accessed, and transactions to be performed. All of these factors are to be evaluated at runtime in an authentication and authorization decision. Essentially, a security system must adapt to changes in context and risk level at the time of the request. This session will help you understand how Oracle’s access management technology intelligently reacts to changes in context across a variety of devices to maximize levels of security and control.  REGISTER NOW for this session at this year's Oracle OpenWorld 2013.  For a complete listing of Security focused tracks at this year's OOW2013, please click HERE


Monday Sep 09, 2013

Webinar: The benefits of adopting cloud-based technologies - Register TODAY!

It is vital that hospitals effectively manage how users are able to access and use information. Effective identity management (IdM) dramatically improves organizational efficiency, reduces the health care provider's IT footprint and cost, supports regulatory compliance, improves security, and enables access to emerging technologies such as mobility and patient portals. CloudIdentity provides health care-specific identity management capabilities based on Oracle technology and delivered securely via the cloud, allowing hospitals to quickly realize the many benefits of IdM.

Join John Houston, Vice President of Privacy and Information Security and Associate Counsel at UPMC, and President of CloudConnect Health IT, for this informative webinar series, as he discusses how IdM allows health care organizations to securely unlock the potential of health care IT. REGISTER

Identity and Access Management: Coming of Age in Health Care
September 11, 2013
2:00pm EDT/11:00am PDT

The use of IdM allows a health care provider to enforce appropriate access to its health care applications. IdM is also critical to improving efficiency and enabling support for new technologies like mobility. Attendees will learn how this unique blend of market-leading technology and health care identity management expertise will allow your organization to affordably access the many benefits of IdM. To join part 1 of this 3-part series, click below to REGISTER:

https://cc.callinfo.com/cc/s/registrations/new?cid=1qxyimffb4jwd

Friday Aug 23, 2013

Implementing Oracle Identity & Access Governance with Database Security (Deloitte)

As organized cyber-attacks become more sophisticated and targeted, organizations, particularly those in the financial and health sectors, have come under strict regulations. Growing security risks from internal and external sources have brought focus to preventive and detective controls working together to protect data. In this edition of the Oracle IAM blog series, we will take a look at how an organization can leverage Oracle’s Identity and Access Management technologies in conjunction with Oracle’s database security offerings.

Challenge

Traditionally, encryption has been considered the required approach to protecting information. However, complex information systems have led to a defense-in-depth approach to database security that includes stronger preventive and detective controls. In addition to encryption, preventive measures should also include restricting access to data within the organization. Compliance requirements, on the other hand, have driven adoption of detective controls such as database activity monitoring and auditing. Detective controls complement preventive controls by filtering attempts to connect to the information system, generating activity reports, and helping investigations of potential breaches.

A common concern identified in several organizations is the lack of insight into the access users have. This usually stems from multiple points at which users are created manually and from ad-hoc processes, such as a phone call, to grant access to applications. By relying on incoherent manual processes to provide, monitor and audit user access, the organization risks serious consequences for the privacy and integrity of its information. Deloitte approaches this problem by leveraging solutions like Oracle’s IAM stack to proactively restrict database access by defining user profiles and centrally managing the user life cycle. This, coupled with preventive and detective controls, can offer a holistic approach to securing information.

Separation of Duties

Separation of duties is an important component of managing user access because it divides the responsibility for sensitive tasks among multiple people, so that no one person has all the power. Oracle Database Vault, an add-on to Oracle Database, protects against insider threats by restricting read/write access to sensitive data. For example, an administrator can be allowed to increase or decrease the size of a table but, given that role, will be denied read/write access to the contents of the table. By securing access to the data based on multi-factor policies such as application, IP address, and other pre-determined factors, organizations have granular control over what, when, where, and how users can access sensitive data.

Deloitte’s strategy lets the client manage access to its data layer by separating approach vectors, such as internal or external clients, or types of access such as web and mobile applications. Oracle Access Manager helps to control users’ access to web applications, and Oracle Entitlement Server allows administrators to control what a user can see within an application.

Preventive Controls

The first step in this direction is a least-privilege approach in which each user has a base profile giving them the minimum access to the database. These profiles can be configured through Oracle Identity Manager (OIM). If a user’s business function requires elevated access, it can be requested. Access requests can be made through a central portal and provisioned automatically through OIM. The requirement for approvals adds a layer of control for the client over what a user can view or modify.

In order to have granular access control, the information stored within the database should be ranked based on sensitivity; this can be achieved by deploying Oracle Label Security (OLS). With OLS in place, only users with read/write access to sensitive information will be able to interact with that data. Level-based access to data is determined by comparing the user’s profile with the level assigned to the data. These data ranks are defined according to the organization’s requirements, with the highest level assigned to the most sensitive information. For finer security controls, data is also put in “compartments” that can have their own levels. For example, the financial compartment can have the highest level ranking.
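To make the level-and-compartment comparison concrete, here is a small model of label-based access decisions. This is an added example, not Deloitte’s or Oracle’s code, and it is not OLS’s actual implementation: the level names, compartment names, the separate write ceiling and the sample rows are all constructed. It shows the rule the paragraph describes (a user may see a row only when their level is at least the row’s level and they hold every compartment the row carries) applied as a row filter.

```python
"""Simplified label-based access control: levels plus compartments.

Added example (not Deloitte's or Oracle's code). Models the comparison
described in the post: a user's label must "dominate" the row's label.
LEVELS, compartment names and SAMPLE_ROWS are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed ranking: higher number = more sensitive.
LEVELS = {"PUBLIC": 10, "INTERNAL": 20, "CONFIDENTIAL": 30, "RESTRICTED": 40}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True when this label's level is at least `other`'s level and
        this label holds every compartment `other` carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(user: Label, data: Label) -> bool:
    """Read access is pure dominance."""
    return user.dominates(data)


def can_write(user: Label, data: Label, max_write_level: str) -> bool:
    """Write access: the user must dominate the row AND the row's level must
    not exceed a separate write ceiling (a constructed simplification of the
    idea that read and write rights can be governed independently)."""
    return user.dominates(data) and LEVELS[data.level] <= LEVELS[max_write_level]


def filter_rows(user: Label, rows):
    """Return only the rows the user's label dominates, as a query filter would."""
    return [r for r in rows if can_read(user, r["label"])]


# Constructed sample rows: the financial compartment carries the highest level.
SAMPLE_ROWS = [
    {"id": 1, "label": Label("PUBLIC")},
    {"id": 2, "label": Label("CONFIDENTIAL", frozenset({"FIN"}))},
    {"id": 3, "label": Label("RESTRICTED", frozenset({"FIN"}))},
    {"id": 4, "label": Label("CONFIDENTIAL", frozenset({"HR"}))},
    {"id": 5, "label": Label("INTERNAL", frozenset({"FIN", "HR"}))},
]

if __name__ == "__main__":
    analyst = Label("CONFIDENTIAL", frozenset({"FIN"}))
    print([r["id"] for r in filter_rows(analyst, SAMPLE_ROWS)])
```

The compartment test is a subset check, not a level comparison, which is why row 5 stays hidden from a user who holds FIN but not HR even though its level is lower than the user's.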

Detective Controls

As mentioned above, Oracle Database Vault provides security by preventing access. There is a lot that can be done to secure information above the data level. Database defense-in-depth also includes database activity monitoring and auditing. Oracle Audit Vault and Database Firewall monitor database traffic to detect and block threats. The tools help improve compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources. The following illustration shows how the two can work together:


Logs from the Database Firewall and other systems in the network can be fed into the Audit Vault. Then, custom and template-driven database activity reports can be generated to help address compliance and regulations.

Conclusion

Deloitte suggests organizations establish a database defense-in-depth strategy that includes multiple layers of both preventive and detective security controls. By logging the entire process of user account creation, granting access, changing roles, and user account termination, the organization has a 360-degree approach to access governance. Detective controls add valuable context for investigations and provide a critical layer of security during a security breach incident. If network firewalls are bypassed, or in the case of an insider threat, preventive controls can offer a strong defense. Since these security controls are granular, they can be effectively configured to limit employees to their day-to-day activities. Identity and access management helps set up workflows for provisioning and defining roles to limit access; this, coupled with encryption, activity monitoring and reporting, forms a holistic defense-in-depth approach to security and compliance.

Wednesday Aug 14, 2013

Integrating Identity Management and GRC: Decreasing Risk Across Your Organization (Deloitte)

In this edition of the Oracle IDM blog, we’ll look at a case study for integrating Oracle Identity Manager (OIM) 11g with Oracle Governance, Risk, and Compliance (GRC) as part of an enterprise deployment and an integrated risk management strategy. We will incorporate specific use cases that leverage an integration of the two solutions to address risk and promote operational efficiency for routine tasks such as access requests and certification. In addition to the primary focus between OIM and GRC, we will also highlight how Oracle E-Business Suite (EBS) roles are defined, synchronized, and provisioned using a combination of these two solutions, providing an end-to-end integrated solution of the Oracle “suite.”

Abstract

When we think about Identity Management, we often relegate it to the IT Security or Infrastructure groups, where it is traditionally used to address manual security and administration functions such as creating accounts (e.g., “hire and fire” scenarios), granting additional entitlements, and providing report-outs on information access for audit purposes. As identity systems improved their ability to manage the access they provisioned, it became clear that there is a powerful relationship between IAM and GRC initiatives in better managing enterprise compliance in an integrated, less redundant fashion.

In many organizations today, GRC initiatives are often spread across multiple infrastructure silos and managed by different business units or IT groups. Tackling the constantly evolving regulatory requirements, coupled with increased business complexity, may present an uphill battle for a compliance department within the organization. Organizations are being asked not only to understand ever-changing global regulations, but also to create appropriate strategies in addressing their GRC needs.

Knowing who has access to what is important not only in the traditional security sense, but also to financial controls groups that must attest that financially significant systems carry minimal risk of inappropriate access. By integrating Oracle’s GRC and Identity Management platforms and the associated processes, organizations can improve user lifecycle management, continuous monitoring and automated controls enforcement to assist with sustainable risk and compliance management.

 
Figure 1 – Solution architecture

Solution Architecture

For a visual reference of the type of integration we are discussing, we have included an overview of how the systems can potentially interact.  In Figure 1, you will notice a typical Human Resource authoritative source system feeds OIM and OIM then provisions to target resources.  What’s different is the call-out to Oracle GRC to perform policy checks.

We won’t reference all of the GRC functionality available in this blog, but will focus on the segregation of duties (SoD) integration and relevant use case. [for detailed instructions on this integration, please see: http://docs.oracle.com/cd/E14899_01/doc.9102/e14763/segregation_duties.htm].    What’s interesting about this integration is OIM is able to leverage the information EBS and GRC already have about the roles that exist.  Using OIM scheduled tasks, we are able to synchronize those roles into OIM so that there is no need to manually build them in OIM.  Moreover, if the roles get end-dated in EBS, OIM reconciliation with EBS will end-date the roles and the related access for the users who have that role assigned with a goal of end-to-end compliance.  Both OIM and GRC offer a web services interface for performing common transactions.  More information about this can be found at http://docs.oracle.com/cd/E14507_01/apirefs.1112/e14133/using003.htm

Compliant User Provisioning

In our use case, we will explore how during an access request, a real-time validation can be performed against known SoD conflicts to determine if a role being requested has a conflict.  Through OIM’s Service-Oriented Architecture (SOA) workflow functionality, we can include an additional layer of approval if a conflict is presented.  A conflict is often unavoidable and, in many cases, requires a power user from the compliance organization to step in, review the request, and document a mitigating control before accepting.  In this example, we’ll show a request by a Payables Manager for an Invoice Entry EBS role.
 
As you can see in this process flow, there is cross-functional behavior between the OIM and GRC solutions to identify the SoD violation and apply a mitigating control if required.  Ultimately, OIM manages the provisioning of the role in the end system (EBS in this example) and, therefore, will be able to continually track that entitlement.
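The request flow just described, reduced to its decision logic, as an added example that is not Deloitte’s or Oracle’s code. In the real integration the conflict check is a GRC web-service call made from an OIM SOA workflow; here the conflict list, rule identifiers and user role sets are constructed so the two steps (route a conflicting request to compliance review, then accept it only with a documented mitigating control) can be run offline. The Payables Manager requesting Invoice Entry is the case from the post.

```python
"""Simplified segregation-of-duties check at access-request time.

Added example (not Deloitte's or Oracle's code). SOD_RULES, rule ids and
the sample users are constructed; a real deployment would ask GRC.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed SoD rules: pairs of roles one person must not hold together.
SOD_RULES = {
    frozenset({"Payables Manager", "Invoice Entry"}): "SOD-AP-01",
    frozenset({"Vendor Maintenance", "Invoice Entry"}): "SOD-AP-02",
    frozenset({"GL Journal Entry", "GL Journal Approval"}): "SOD-GL-01",
}


@dataclass
class AccessRequest:
    user: str
    current_roles: Set[str]
    requested_role: str
    violations: List[Tuple[str, str]] = field(default_factory=list)
    status: str = "PENDING"
    mitigating_control: Optional[str] = None


def find_conflicts(current_roles, requested_role):
    """Return (existing_role, rule_id) for every held role that conflicts
    with the requested one. Checked against the user's *current* roles, so
    the decision reflects what the person would hold after provisioning."""
    hits = []
    for role in sorted(current_roles):
        rule = SOD_RULES.get(frozenset({role, requested_role}))
        if rule:
            hits.append((role, rule))
    return hits


def evaluate(req: AccessRequest) -> str:
    """Workflow step 1: a clean request goes to the normal manager approval
    path; a conflicting one is routed to the compliance organization."""
    req.violations = find_conflicts(req.current_roles, req.requested_role)
    req.status = "COMPLIANCE_REVIEW" if req.violations else "MANAGER_APPROVAL"
    return req.status


def compliance_decision(req: AccessRequest, approve: bool,
                        mitigating_control: Optional[str] = None) -> str:
    """Workflow step 2: the reviewer may accept a conflict only when a
    mitigating control is documented; otherwise the request is rejected."""
    if req.status != "COMPLIANCE_REVIEW":
        raise ValueError("no compliance review is pending for this request")
    if approve and not mitigating_control:
        raise ValueError("a mitigating control must be documented to accept a conflict")
    req.status = "APPROVED" if approve else "REJECTED"
    req.mitigating_control = mitigating_control if approve else None
    return req.status


if __name__ == "__main__":
    req = AccessRequest("jdoe", {"Payables Manager"}, "Invoice Entry")
    print(evaluate(req), req.violations)
    print(compliance_decision(req, True, "Monthly review of invoices entered by jdoe"))
```

Recording the mitigating control on the request itself is what gives the later certification campaign something to show an auditor; an approval without it is refused rather than silently allowed.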

There are three takeaways from this use case. With GRC and IAM integration, organizations can:

• Automate provisioning and de-provisioning of business application users, with appropriate authorization and compliance checks.
• Improve the management of enterprise accounts and efficiently produce reports such as “who has access to what.”
• Reduce the cost of compliance by removing the need for after-the-fact remediation.

In Conclusion

At Deloitte, we see the need to not only install and configure an IAM solution, but to work with our clients to get value out of an enterprise compliance approach. Solutions can be leveraged in their individual capacity to achieve benefits for an organization, but when organizations leverage cross-platform synergies, such as the ones that Oracle has intentionally created within their OIM and GRC solutions, the sum can become greater than the parts. An integrated approach to an organization’s IAM and GRC programs can assist in reducing costs and redundancies, and improving value to the organization.

About the Author

Kevin Urbanowicz is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with eight years of experience in information technology with a focus on Identity & Access Management (IAM).  He has served primarily in the Oil & Gas sector where he has helped his clients identify the business drivers and build the business case for establishing world-class IAM solutions that maximize IT efficiency and minimize security and compliance risk. 

Wednesday Aug 07, 2013

Oracle IAM in Telematics: A case study in the Automotive Sector (Deloitte)

In this edition of the Oracle Identity Management (IDM) blog, we’ll look at a case study of IDM/IAM in the Automobile Industry and where it plays a significant role in enabling security to support the telematics initiative.  In a broad sense, telematics is the integrated use of telecommunications with information and communications technology. This technology involves sending, receiving and storing information relating to remote objects, such as vehicles, via telecommunication devices.

Using telematics, organizations can monitor the location, movements, status and behavior of a vehicle or fleet. This is achieved through a combination of a Global Positioning System (GPS) receiver and an electronic Global System for Mobile Communications (GSM) device installed in each vehicle, which then communicates with the user and web-based software. In addition to location data, a telematics system can provide a list of your vehicles with the status of each. You can see when a vehicle is started up and shut down, as well as its idling status, location and speed. This information gives organizations a complete, up-to-the-minute knowledge of vehicle activities in one centralized, web-based interface. All of this information can help:

• Increase productivity
• Improve communications
• Reduce labor costs
• Control fuel costs
• Improve customer service
• Increase fleet safety and security
• Reduce operating expenses
• Reduce environmental impact
• Reduce unauthorized vehicle use

In addition to these benefits, various legislative resolutions and mandates, such as the resolution passed by the European parliament stipulating that all new cars must be fitted with a GPS system and GSM communication links, are driving the implementation of telematics to a large scale. 

While telematics gives organizations all the above mentioned flexibility and benefits, it is prone to the same security challenges as usage of services on the web. Think about a situation where someone gets hold of a mobile device that is connected to several vehicles. A nefarious user can wreak havoc with a vehicle’s systems as well as the personal data which the vehicle has access to.

 Some of the notable challenges around telematics security include:
 
• Password and user management – Management of multiple passwords and user identities for each vehicle.

• Device management – Management of authentication and authorization of devices allowing users to access the vehicle. High mobile device turnover by the user populations calls for new devices to be re-registered and at the same time blacklisting/wiping-out of the personal and vehicle information must be done on the older devices.

• Service management – Management of various telematics and key-off functionalities on a vehicle in a secure environment.

• Data and privacy concerns – As part of telematics services, automobile manufacturers need to access personal data to customize the user experience, thereby bringing in the challenge of data privacy both in transit and when it is being processed.

The following section describes how the above-mentioned aspects are managed and how challenges and issues related to managing your telematics services are addressed by using Oracle Access Manager Mobile and Social (OAMMS) and Oracle API Gateway (OAG). 


Fig 1: Oracle IAM integration with Mobile Device

User and device registration: Typically, telematics applications send service registration requests through mobile applications, which validate prerequisites (such as the vehicle identification number (VIN), payment information, etc.) with the telematics service provider. Once validation against the telematics service provider is complete, a customer identity, along with a vehicle and device identity, is created by calling the Mobile and Social Representational State Transfer (REST) interface for registration. During this registration process, OAG can be made to act as the front end to the OAMMS REST interface to confirm that requests come from legitimate sources and to protect the infrastructure against any intrusion.

Authentication and telematics operations: The above diagram explains how a user request gets authenticated and passed over to a telematics service provider to perform the requested activity. Before accessing the telematics service, the user provides their credentials in the form of a user ID and password, which are used to authenticate the user against the enterprise identity store and also to create an Oracle Access Manager token (or JSON Web Token, JWT) on the user’s device. The token is then passed to the telematics service provider with the vehicle information (i.e., VIN) available on the mobile device and the command (requested operation).

Once the token is available to the telematics service provider, it passes the same token over to the OAMMS to validate the authenticity of the request. Once the token is validated, the user’s credentials are authenticated and the requested command is executed on the vehicle.


The token information can be saved for a longer duration on the user’s mobile device for an improved user experience and reduced operational time and effort. For example, a user sends a request to find a vehicle from his mobile device. The assumption is that the user is already authenticated against the enterprise identity store and the token exists on the mobile device. As soon as the user submits the request, a request object is sent to the telematics service provider along with the identity token. The telematics service provider passes the token to OAMMS to validate the account status. OAMMS, in conjunction with OAG, validates the received token for the user’s account status, session timeout, etc. Once authenticated, a command is sent to the telematics service provider to perform a wakeup call to find the vehicle. The response returned from the vehicle to the telematics service provider is passed over to the mobile device to locate the vehicle.
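The exchange described in the last three paragraphs, simulated end to end, as an added example that is not Deloitte’s or Oracle’s code. The identity service below stands in for OAMMS (issue a token at login, validate it on every request), the provider class for the telematics back end. The token is an HS256-signed JWT built with the standard library rather than the real OAM token format; the signing key, users, VINs and timestamps are constructed. The point it adds to the prose is the order of checks on the provider side: signature, then expiry (session timeout), then account status, then whether the VIN in the request is actually registered to the user the token names, with every outcome written to an audit list.

```python
"""Simulated token flow: mobile app -> telematics provider -> identity service.

Added example (not Deloitte's or Oracle's code). The identity service is a
stand-in for OAMMS; the token is a standard-library HS256 JWT. The key,
accounts, VINs and timestamps are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_claims(claims: dict) -> str:
    return b64url(json.dumps(claims, sort_keys=True).encode())


class IdentityService:
    """Stand-in for the access manager: holds the signing key and account store."""

    def __init__(self, key: bytes, accounts: dict):
        self.key = key
        self.accounts = accounts  # user -> {"password", "status", "vins"}

    def _sign(self, signing_input: str) -> bytes:
        return hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()

    def authenticate(self, user, password, now, ttl=3600):
        """Password login against the identity store; returns a token or None."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        if acct["status"] != "ACTIVE":
            return None
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = encode_claims({"sub": user, "iat": now, "exp": now + ttl})
        return f"{header}.{payload}.{b64url(self._sign(header + '.' + payload))}"

    def validate(self, token, now):
        """Return (ok, reason, subject). Signature is checked before the claims
        are trusted; then expiry (session timeout); then account status."""
        try:
            header, payload, sig = token.split(".")
            presented = b64url_decode(sig)
        except ValueError:  # wrong number of parts or bad base64
            return False, "malformed", None
        if not hmac.compare_digest(self._sign(header + "." + payload), presented):
            return False, "bad_signature", None
        claims = json.loads(b64url_decode(payload))  # safe: signature verified above
        if now >= claims["exp"]:
            return False, "expired", None
        acct = self.accounts.get(claims["sub"])
        if acct is None or acct["status"] != "ACTIVE":
            return False, "account_inactive", None
        return True, "ok", claims["sub"]


class TelematicsProvider:
    """Receives {token, vin, command} from the mobile app and executes the command
    only after the identity service validates the token and the VIN is registered
    to that user. Every decision is appended to an audit list."""

    def __init__(self, idp: IdentityService):
        self.idp = idp
        self.audit = []

    def handle(self, request, now):
        ok, reason, user = self.idp.validate(request["token"], now)
        if not ok:
            return self._record(user, request, "DENIED", reason)
        if request["vin"] not in self.idp.accounts[user]["vins"]:
            return self._record(user, request, "DENIED", "vin_not_registered")
        # Constructed vehicle reply to the "find_vehicle" wake-up call.
        result = {"vin": request["vin"], "location": "constructed-lat,lon"}
        return self._record(user, request, "EXECUTED", "ok", result)

    def _record(self, user, request, outcome, reason, result=None):
        self.audit.append({"user": user, "vin": request["vin"], "command": request["command"],
                           "outcome": outcome, "reason": reason})
        return {"outcome": outcome, "reason": reason, "result": result}


def build_demo():
    """Constructed identity store and a provider wired to it."""
    accounts = {
        "alice": {"password": "pw-alice", "status": "ACTIVE", "vins": {"VIN-CONSTRUCTED-001"}},
        "bob": {"password": "pw-bob", "status": "SUSPENDED", "vins": {"VIN-CONSTRUCTED-002"}},
    }
    idp = IdentityService(b"constructed-demo-key-not-for-production", accounts)
    return idp, TelematicsProvider(idp)


if __name__ == "__main__":
    idp, provider = build_demo()
    now = 1_700_000_000  # constructed epoch timestamp
    token = idp.authenticate("alice", "pw-alice", now)
    print(provider.handle({"token": token, "vin": "VIN-CONSTRUCTED-001", "command": "find_vehicle"}, now + 60))
    print(provider.handle({"token": token, "vin": "VIN-CONSTRUCTED-001", "command": "find_vehicle"}, now + 3600))
```

Because the provider asks the identity service on every request, an account suspended after login is refused at the next command even though the token on the phone is still within its lifetime; that is the account-status check the paragraph above attributes to OAMMS. The VIN check is the counterpart of binding the vehicle identity to the customer identity at registration.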

The built-in reporting and auditing capability of OAMMS captures each of the transactions. This can be leveraged to define controls for the telematics service. Apart from OAMMS and OAG, Oracle Access Manager and Oracle Adaptive Access Manager can also be deployed to provide a more robust solution, including device marking, wiping out the contents of the device in case it is lost, and providing two-factor authentication when accessing a sensitive operation on the vehicle.

In conclusion

In all, telematics services have evolved to better suit the needs of consumers, but at the same time have traded off security to ensure end-user usability. These trade-offs increasingly contribute to security risks for the user, the organization and their vehicles, including theft of the vehicle, loss of personal data, malfunction of the vehicle, and so on. Security should be addressed in an effective manner, with increasingly strict regulations, to protect against these risks. The mobile access management solution using Oracle API Gateway technology unifies telematics requests across network boundaries to mobile devices. It can provide enhanced security, regulatory compliance and increased usability.

About the Author

Debi Mohanty is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with a focus on Identity and Access management and Information Security. He advises several Fortune 100 clients globally on cloud and mobile security, privacy and identity & access management across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

 

Wednesday Jul 31, 2013

Oracle Waveset to Oracle Identity Manager: A Case Study in Higher Education (Deloitte)

Deloitte is excited about the opportunity to introduce the first blog in a series of four blogs that will look at real world case studies involving Oracle Identity and Access Management (IAM). Our future blogs will expand on relevant IAM topics including: 1) Oracle Waveset to Oracle Identity Manager, 2) Oracle IAM in Telematics, 3) Oracle IAM with Governance Risk and Compliance, and 4) Oracle Identity & Access Governance with Database Security. Throughout this blog series, readers are encouraged to submit questions or comments, which will feed into a roundtable-type Q&A blog responding to selected comments and questions received.

In this edition of the Oracle IAM blog, we’ll look at a case study for migration from Oracle Waveset to Oracle Identity Manager for a higher education statewide system of community colleges, state universities and technical colleges. This also highlights how the flexibility of Oracle’s IAM product landscape contributed to creating a dynamic and sustainable solution for a public-facing system with nearly 500,000 users.

Current State Evaluation and Replication

The legacy Oracle Waveset instance connected to numerous institutional directories and provided end-user functionalities such as user self-service, account activation and password management as well as administrative help-desk functions with a highly customized interface and set of workflows.

As we analyzed these functions, we identified that a majority of these were available within Oracle Identity Manager (OIM) 11g R2, which simplified their replication. Further, the User Interface (UI) enhancements in OIM 11g R2 allowed for significant customization of the end-user pages, such as the ‘My Information’ page, with minimal custom code. Initial replication of the core functionalities was crucial to the overall project and allowed for the replacement of Waveset as an end-user facing solution on Day 1 of the OIM go-live. However, this did not cover the numerous resource integrations that Waveset had behind the scenes, which would also need to be migrated. Several functionalities such as account activation and password reset/forgot password that required specific workflows and service integration were replicated in separate Oracle ADF-based applications that were split away from the OIM managed servers. This allowed the highly used end-user functions to run separately from the OIM instances, providing increased flexibility in load management and tuning.

Resource Migration Approach

As the numerous resources requiring migration would take significant time and effort, it was decided that these resources would be moved over in a phased manner, requiring both OIM and Waveset to operate in parallel for a period of time. This approach reduced risk, as a single cutover would have been highly complex with multiple moving parts across colleges and campuses. To make this possible, OIM and Waveset needed to operate together as we migrated each campus from the old Waveset platform to the new OIM platform. To accomplish this, a custom connector between OIM and Waveset was built to synchronize certain user attributes so that Waveset could update and maintain those attributes on the resources it still managed.

Overall, this approach turned out to be highly beneficial as it allowed the team time to ease into using the new identity solution, reduced the risks that would have been present in a single “big bang” cutover event and allowed for a quick win that demonstrated critical progress and success to solution stakeholders.
 

Figure A – Oracle Waveset to Oracle Identity Manager resource migration approach

Additional Important Success Factors

Throughout the migration, we encountered a number of items that were deemed critical for meeting project goals that primarily focused on the following:

User Experience

As the solution’s primary users were public individuals that would likely not have significant training or usage guidance, focusing on a refined and calculated user experience such as clear verbiage, font sizing and coloring as well as succinct and detailed error messages was important. While these items may seem minor or insignificant to some readers, they, as expected, ended up being extremely beneficial to end-users and reduced support needs.

Performance and Tuning

With our highly active user-base, performance of the solution was critical to success. Use of the existing Oracle Fusion Middleware Performance and Tuning Guide as well as the OIM 11g R2 Reconciliation Tuning Whitepaper were critical for maintaining performance and ongoing stability of a solution of this size. Also important were key architectural decisions around load balancing, managed server clustering, as well as database clustering (e.g. RAC). Providing enough horsepower behind the solution and conducting due diligence around performance testing will reduce the number of performance-related issues encountered in production.

In Conclusion

The phased migration of Oracle Waveset to Oracle Identity Manager 11g R2 allowed for a quick win in the initial cutover of end-user functions, a lower-risk migration path, as well as a constant stream of “good news” as various campuses were migrated from the old solution to the new one in a phased manner. A focus on user experience and performance tuning also helped to create an effective environment for end-user interaction and contributed to achieving the goals of the initiative. Finally, the new OIM architecture will provide a solid infrastructure for future enhancements and a greatly increased user base that the prior Waveset environment could no longer support.

About the Author

Derek Dahlen is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with over eight years of experience in information security. He specializes in managing, designing and architecting large-scale identity and access management projects with a focus on the Oracle product stack. He has worked with various clients across the financial services and state government sectors.

Tuesday Jul 23, 2013

Nowhere to Go but Up: Extending the Benefits of Accelerated IAM by Nish Patel (Accenture)

For a number of years the innovation for corporate applications revolved around functionality drivers such as better user interfaces, interoperability with legacy systems, and web enablement. The next wave of innovation is being driven by enhancing the customer experience, data analytics, business responsiveness, and the integration of systems in the company’s business ecosystem. All of this is occurring in a demanding economic climate—where speed is of the essence to help meet revenue and profitability targets—with an ever-demanding and increasingly sophisticated user base.

What does the changing face of corporate applications look like and how does security play a role?  You can start by looking at Oracle’s own strategy with Fusion Applications.  The Fusion Apps integrate business processes, complex workflows, web services, business intelligence, and analytics.  This amalgamation has seemingly endless data points and touch points utilized by an ecosystem of users, consumers, providers, and so on.  This is all secured using Oracle’s own IAM stack.  Hence, the Fusion Apps security model is a very different approach from the old E-Business, PeopleSoft, and JD Edwards security models.  This adds security complexity, yet also adds security value.  However, to obtain the value, you have to understand how to take a highly flexible solution and cater it to your business’s needs.  So how do you configure it the right way quickly?  We’ll get to that later.

What other corporate application changes are we seeing?  We’re all aware that over the last 5 years there has been a significant and growing shift in the consumerization of technology in the work place.  The bring-your-own-device or BYOD trend began shortly after the auspicious availability of the original iPhone in June of 2007 and has hit substantial strides in subsequent years with the introduction of the iPad and Android devices.  The portability and ease of use—and let’s face it, the “coolness” factor—have driven demand for applications to be readily available outside the standard company walls and desktop/laptop confines.

Looking at a graph of the pace and demand for mobile applications brings to mind Mt. Everest:  it’s steep, scary, and without the right Sherpa, you might just freeze to death from the challenge.  As the sophistication of mobile applications has improved to meet business demand, one of those Everest-like challenges is how to secure the ever increasing amount of sensitive and critical information that goes with it.

For example, we are seeing clients take applications that were typically considered “back office” and using them as a strategic driver, such as mobilizing purchasing data to provide valuable insight to buyers in the field making decisions.  We are seeing banks now allowing check deposits via mobile devices to increase customer satisfaction and decrease in-person service times and overhead.

Information that was typically within the four walls is now zipping around wherever there is a cell signal.  It is being consumed on devices that are easily passed around, shared, and lost.  It is being consumed by customers, employees, company partners, and vendors.  How do you ensure that only the right consumer, in the right context, in the right scenario, on the right device is accessing valuable company data?  Additionally, how do you rapidly secure applications to quicken deployment cycles and cut costs?

One of the common ways IT departments approach security is to take each application and bolt on its own security framework for mobility.   An example would be adding on a Spring Security framework for authentication and authorization.  Sometimes this involves a duplication of already existing authentication and authorization mechanisms in place.  If you take this approach for each application you “mobilize”, you can see how it can quickly become an administrative nightmare.  From having to provision users manually to each application, to de-provisioning for terminations or job role changes, to password management, to troubleshooting, and so on, this approach is duplicative and wasteful. 

So how do you address security adequately and rapidly across the situations and scenarios we’ve described?  Accenture utilizes Oracle’s IAM suite of products to enable security across the spectrum of our clients’ needs.  For example, for mobilization of applications, we utilize Oracle’s Mobile and Social Access as part of the access management solution.  We utilize Oracle API Gateway’s numerous features for web services security.  We’ve also built many of our own proprietary Accenture Software solutions on the 11g platform, leveraging the Oracle security stack to employ a common security framework that simplifies development and deployment. Furthermore, we leverage our Accenture Foundation Platform for Oracle (AFPO) to accelerate delivery and reduce costs.
Accenture Foundation Platform for Oracle


AFPO is a reference architecture, reference implementation and a set of associated assets that provide a generic and common foundational platform based on Oracle Fusion Middleware 11g Technology.  AFPO is a jumpstart kit for Oracle IAM that accelerates delivery.  It is aligned with Oracle’s Fusion Reference Architecture (OFRA) and was built with feedback and reviews from Oracle Product Management. It’s also a combination of Oracle products & guidance with Accenture intellectual property based on project experience.

When we speak of acceleration, we are talking install: day 1; customize and integrate: day 2!  Fast enough for you? Clients have been able to trim as much as 30% off of implementation costs utilizing AFPO.  At an educational non-profit we rapidly deployed an Oracle IAM foundation leveraging AFPO to meet tight timelines required for the upcoming school year. Our client’s Release 1 deployment scope included building, testing, and deploying 5 Oracle IAM products in 5 months.  Our client’s development team needed a way to quickly learn the products in order to rapidly build extensions and customizations for these products.  AFPO provided a testing ground for rapid design prototyping and gave developers the quick, hands-on experience needed to transition to building the new infrastructure.

To learn more about Accenture, our AFPO platform, how we can help you with your security strategy and implementation, please contact
nishith.patel@accenture.com

Wednesday Jul 17, 2013

Registration now open! - Managing the Healthcare IT Transformation “On the Go and In the Cloud”

Mobility, cloud-based services, healthcare reform, meaningful use, health information exchange and continued changes in privacy and security regulations have each had a profound effect on healthcare IT.  To support this transformation, it is vital that an organization effectively manages how its users are able to access and use information.   Unfortunately, to date, many organizations have failed to develop the necessary foundational infrastructure.  UPMC, through its subsidiary CloudConnect Health IT, has developed a solution called CloudIdentity, which provides healthcare specific identity management capabilities that are based on Oracle technology and delivered securely via the cloud.  Join John Houston, Vice President of Privacy and Information Security, Associate Counsel at UPMC & President of CloudConnect Health IT, for this informative webcast, as he discusses the healthcare transformation and how healthcare organizations can securely unlock the potential of healthcare IT. Click HERE to register for this webcast, scheduled for August 20th.

Tuesday Jul 16, 2013

The Art of the Possible: Real Life Case Study in Oracle IAM 11gR2 Performance Tuning by Alex Bolante (Accenture)

In our last post, we walked through a handful of practical tips and tricks to fine tune your Oracle Identity Management 11gR2 deployment.  This week we look at a real life case study, focused on Oracle Directory Services, where we applied our pragmatic approach and solutions.

Case study: a multinational financial services corporation.  With presence in over 200 countries, this financial services company enables consumers, businesses, financial institutions and governments to use digital currency instead of cash and checks through one of the world’s most advanced processing networks, capable of handling more than 20,000 transactions per second.  Like many legacy customers, the company sought Accenture’s help to strategically plan, design and upgrade to an improved version of Oracle Directory Services that provided:

• Improved directory services performance
• Multi-user topology support
• Enhanced replication
• Increased security

The implementation comprised approximately 50 servers located across multiple, geographically distributed data centers supporting over 100 applications and more than 250,000 users, including financial institutions, payment product processors and others doing business with this financial services company.

Environment design specification

Our environment design specification was initially developed to support legacy applications, but given a new set of business and technical requirements, we needed to modify and scale the solution to support future business services with enough capacity to grow up to 40% year over year.  Key performance requirements included:

• Optimized for reads, writes and replication across data centers located across the globe
• Performs 1000 operations per second
• Supports response time of 0.05 milliseconds for single user id searches
• Supports response time of 0.15 milliseconds for single user attribute writes
• Supports 200 concurrent searches
• Supports growth rate of 10,000 objects per month over the next 5 years
• Provides real time password replication using prioritization

Modifying and scaling the solution:
Our process for modifying and scaling the solution included engaging Oracle product managers and engineers directly to validate our hardware configuration.

Product: Oracle Directory Services
Operating System: 64-bit Solaris 10 Update 10 or higher
Hardware: SPARC T-series
Memory: 64 GB
Disk Space: 270 GB
Swap Space: 15 GB
Tmp Space: 10 GB
File Descriptor Limit: 8192
Replication Topology: Multi-master with no restrictions on the number of masters

We made several recommended configuration changes and tuned the operating system, database cache, entry cache, import cache, file system cache and indexes.

Disable schema check for fast replication:
$dsconfpath/dsconf set-server-prop -p portNum check-schema-enabled:off

Set DB cache size to 1000M:
$dsconfpath/dsconf set-server-prop -p portNum db-cache-size:1000M

Set entry cache size to 1000M:
$dsconfpath/dsconf set-suffix-prop -p portNum suffixDN entry-cache-size:1000M

Set import cache size to 200M:
$dsconfpath/dsconf set-server-prop -p portNum import-cache-size:200M

Set all-ids-threshold to 8000:
$dsconfpath/dsconf set-server-prop -p portNum all-ids-threshold:8000

Set repl-purge-delay to 1 day:
$dsconfpath/dsconf set-server-prop -p portNum repl-purge-delay:1d

Change log paths:
$dsconfpath/dsconf set-log-prop -p portNum ACCESS path:/var/ldaplogs/access
$dsconfpath/dsconf set-log-prop -p portNum AUDIT path:/var/ldaplogs/audit
$dsconfpath/dsconf set-log-prop -p portNum ERROR path:/var/ldaplogs/error

Enable audit log:
$dsconfpath/dsconf set-log-prop -p portNum AUDIT enabled:on

The outcome:

After we applied our performance tunings, we performed our tests in production-like environments, verified and documented our results, profiled and monitored our solution, tweaked and tuned our environment and cycled through this step-by-step process until we were satisfied that we had met all requirements.  We shared the results with our Oracle peers to validate – including our testing approach which included search rates and modification rates based on 100 users and 200 users connecting concurrently – and the numbers were right on point with our expectations from the Directory Services upgrade.
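The verification step above checks measured response times against the design targets listed earlier (0.05 ms for single user id searches, 0.15 ms for single attribute writes, 200 concurrent searches). The following script is an added example, not code from the article, Accenture or Oracle: it parses an access log in the style of the Directory Server Enterprise Edition access log (request line plus a matching RESULT line with `etime=` in seconds; the exact format is assumed, and the log lines embedded below are constructed, not captured) and reports, per operation class, the 95th percentile, the maximum, how many operations exceeded the target, and the peak number of distinct connections searching within the same second. Failed operations (`err` other than 0) are excluded from the timing statistics so that a burst of errors cannot make the run look faster than it was.

```python
"""Check directory access-log response times against the case study's targets.

Added example (not part of the article or Oracle's tooling). It assumes a
DSEE-style access log where each operation has a request line and a matching
RESULT line with `etime=` in seconds; the sample below is constructed.
"""
import re
from collections import defaultdict

# Targets from the design specification, in milliseconds per operation.
SLA_MS = {"uid_search": 0.05, "attr_write": 0.15}

# Line header: timestamp, connection id, operation id, then the operation text.
_HDR = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - (?P<rest>.*)$')
_RESULT = re.compile(r'^RESULT err=(?P<err>\d+) tag=\d+ nentries=\d+ etime=(?P<etime>[\d.]+)')
_SRCH = re.compile(r'^SRCH base="[^"]*" scope=\d+ filter="(?P<filter>[^"]*)"')
_MOD = re.compile(r'^MOD dn="[^"]*"')

# Constructed sample: three uid searches (one slow), one wildcard search,
# two attribute writes (one failed), plus bind/unbind noise.
SAMPLE_LOG = """\
[16/Jul/2013:10:00:00 +0000] conn=1 op=0 msgId=1 - BIND dn="cn=app,dc=example,dc=com" method=128 version=3
[16/Jul/2013:10:00:00 +0000] conn=1 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.000200
[16/Jul/2013:10:00:00 +0000] conn=1 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="cn mail"
[16/Jul/2013:10:00:00 +0000] conn=2 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=asmith)" attrs="cn"
[16/Jul/2013:10:00:00 +0000] conn=3 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=bjones)" attrs="cn"
[16/Jul/2013:10:00:00 +0000] conn=1 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0.000030
[16/Jul/2013:10:00:00 +0000] conn=2 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0.000045
[16/Jul/2013:10:00:00 +0000] conn=3 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0.000090
[16/Jul/2013:10:00:01 +0000] conn=2 op=2 msgId=3 - MOD dn="uid=asmith,ou=people,dc=example,dc=com"
[16/Jul/2013:10:00:01 +0000] conn=2 op=2 msgId=3 - RESULT err=0 tag=103 nentries=0 etime=0.000120
[16/Jul/2013:10:00:01 +0000] conn=3 op=2 msgId=3 - MOD dn="uid=bjones,ou=people,dc=example,dc=com"
[16/Jul/2013:10:00:01 +0000] conn=3 op=2 msgId=3 - RESULT err=50 tag=103 nentries=0 etime=0.000400
[16/Jul/2013:10:00:02 +0000] conn=4 op=1 msgId=2 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="cn"
[16/Jul/2013:10:00:02 +0000] conn=4 op=1 msgId=2 - RESULT err=0 tag=101 nentries=2500 etime=0.002000
[16/Jul/2013:10:00:02 +0000] conn=1 op=2 msgId=3 - UNBIND
"""


def classify(rest):
    """Map a request line to an SLA class; None for operations we do not time."""
    m = _SRCH.match(rest)
    if m:
        # A single user id search is an equality filter on uid with no wildcard.
        if re.fullmatch(r'\(uid=[^*()]+\)', m.group("filter")):
            return "uid_search"
        return "other_search"
    if _MOD.match(rest):
        return "attr_write"
    return None


def parse_access_log(text):
    """Pair request lines with RESULT lines by (conn, op); return timed operations."""
    pending = {}
    ops = []
    for line in text.splitlines():
        h = _HDR.match(line)
        if not h:
            continue  # connection open/close lines and anything unrecognized
        key = (h["conn"], h["op"])
        r = _RESULT.match(h["rest"])
        if r:
            kind = pending.pop(key, None)
            if kind:
                ops.append({"conn": h["conn"], "ts": h["ts"], "kind": kind,
                            "err": int(r["err"]),
                            "etime_ms": round(float(r["etime"]) * 1000.0, 6)})
        else:
            kind = classify(h["rest"])
            if kind:
                pending[key] = kind
    return ops


def percentile(values, pct):
    """Nearest-rank percentile over a non-empty list."""
    s = sorted(values)
    idx = int(round(pct / 100.0 * (len(s) - 1)))
    return s[max(0, min(len(s) - 1, idx))]


def sla_report(ops, sla_ms=SLA_MS):
    """Per SLA class: count, p95, max, number over target, and pass/fail on p95."""
    by_kind = defaultdict(list)
    for o in ops:
        if o["err"] == 0:  # failed operations are not evidence of speed
            by_kind[o["kind"]].append(o["etime_ms"])
    report = {}
    for kind, limit in sla_ms.items():
        times = by_kind.get(kind, [])
        if not times:
            report[kind] = {"count": 0, "pass": None}
            continue
        p95 = percentile(times, 95)
        report[kind] = {"count": len(times), "p95_ms": p95, "max_ms": max(times),
                        "over_sla": sum(1 for t in times if t > limit),
                        "pass": p95 <= limit}
    return report


def peak_concurrent_searches(ops):
    """Peak number of distinct connections searching within the same log second."""
    per_second = defaultdict(set)
    for o in ops:
        if o["kind"].endswith("search"):
            per_second[o["ts"]].add(o["conn"])
    return max((len(c) for c in per_second.values()), default=0)


if __name__ == "__main__":
    parsed = parse_access_log(SAMPLE_LOG)
    for kind, row in sla_report(parsed).items():
        print(kind, row)
    print("peak concurrent searches:", peak_concurrent_searches(parsed))
```

On the constructed sample the uid searches fail the 0.05 ms target at the 95th percentile (one of three took 0.09 ms), while the single successful attribute write passes; pointing `parse_access_log` at a real access log captured during a load run gives the same report for the real numbers.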


How can you apply this to your environment? 

Step 1:
Talk to Oracle Product Management, Development and Engineering directly, get them involved in your project as early as possible and keep them engaged throughout your project.  It helps to have knowledgeable subject matter experts who can bring your implementation up to par with leading implementations.  Some guidelines for checkpoints include:

Checkpoint 1: Before statement of work (SOW) is signed:
• Is the SOW clearly defined?
• Is the described product functionality feasible?
• Are measurable and achievable success criteria defined?

Checkpoint 2: Before requirements, architecture and project plan are delivered:
• Can the product fulfill the defined requirements?
• Is the architecture and solution design sound and scalable?
• Is the customer's environment ready?

Checkpoint 3: Before the design is delivered:
• Is the design technically sound?
• Can the design be implemented, migrated and supported?
• Are the test plans and approach reasonable?

Step 2:
Define specific, measurable objectives for performance tunings based on your requirements.  To start with, you can use Accenture’s predefined set of key attributes for developing “good” requirements that are measurable.

• Necessary – an important capability or element of a solution which cannot be compensated for if absent
• Understandable – stated in a context which conveys the essence of what is needed
• Complete – stated in a standalone context which does not rely upon supplemental and/or assumed definitions
• Consistent – does not contradict by context or terminology nor is contradicted by other statements (e.g. is not mutually exclusive)
• Unambiguous – cannot have more than one interpretation
• Attainable – a capability which can be implemented within the constraints of available resources and technology (e.g. product, cost, schedule)
• Verifiable – can establish that the statement has been satisfied through specific measurements, test, demonstration, inspection, and/or analysis

Step 3:
Determine how you plan to implement performance tunings.  There is more than one way to skin a cat.  In addition to the tuning configuration changes made to the environment, you also have to consider hardware sizing and configurations, middleware technologies, the application and data samples used for testing, and how you measure and analyze results.  For example, hardware sizing guides are meant to provide you with a baseline for your deployment, but they are not exact specifications for your Oracle Identity & Access Management deployment.

The same applies for a vendor certification matrix – while Oracle’s Identity & Access Management product might be certified or supported on another vendor’s middleware or platform stack, that does not automatically imply it is the ‘optimal’ configuration for your deployment.  Most organizations already have infrastructure standards (e.g. we use WebSphere Application Server for our J2EE apps), but you need to carefully consider that your Oracle Identity & Access Management deployment may be harder to tweak and tune if implemented on top of multiple vendor stacks.  In fact, the more unique your configuration design is, the more challenging it will be to support and the less likely your deployment will be up to par with common practices.

Step 4:
Apply your performance tunings, perform your tests, verify and document your results, profile and monitor your solution, tweak and tune it – wash, rinse and repeat.  Consider the testing tools you will use to conduct your performance tests and their limitations.  We used both SLAMD and HP LoadRunner for our Directory Services deployment.  SLAMD had resource limitations on the number of connections and threads we could test, especially if it was not running on a dedicated server.  HP LoadRunner had a limitation with testing multiple attribute updates until we applied a hot fix that the vendor eventually provided.

Also, most deployments are two- to three-tier architectures, so you have to tune the database/directory server, middleware/application server, web servers and every component in between each tier (e.g. load balancers for SSL acceleration).  In fact, each tier requires its own performance tuning, pruning, cleaning, care, feeding and regular maintenance.  At its core, there are several performance bottlenecks to consider:

• Start with your server or system resources (e.g. overclocked CPU, maxed out memory, resource contention, insufficient space)
• Tune your way up from data tier to application/web tier (e.g. database/directory servers typically require specific optimizer tunings, predefined indexes and table pruning while application servers typically require proper JVM heap size allocation, connection pooling and message queue thresholds)

Step 5:
Share your experiences with the Oracle Security community at large.  By now, your Oracle Identity & Access Management solution should be designed to support not only your legacy applications, but also scaled to support future business services!

Stay tuned for our next post, No Where to go but up: Extending the benefits of accelerated IAM to enable new solutions and features, where we highlight interesting trends in Security and Identity & Access Management.


Monday Jul 15, 2013

Mobile Application Security Framework by Pawan Yadav (SDG Corporation)

Mobile Application Security Framework

Enterprise Mobility is rapidly expanding opportunities for companies to enhance clients' engagement levels and simplify and improve their interactions. Unfortunately, those opportunities also create significant security threats for businesses and consumers.
Pawan Yadav, Vice President and Chief Technologist from SDG (www.sdgc.com), in this very topical white paper, outlines the unique challenges that are arising from the explosion of enterprise mobile applications, multiple devices, and platforms.

Read the white paper: click to download

About the Author:

Pawan Yadav

Enterprise Mobility, Practice Leader
Pawan, in his capacity as an SDG Practice Leader, has direct senior management responsibility for the firm's strategy, planning, staffing, engagement delivery, and commercial operations for the Enterprise Mobility Practice. He brings to this position over 16 years of IT experience, primarily in the Financial Services - Retail Banking and Credit Card sectors. His expertise includes leading large and complex development programs (time and materials with upper cap, and fixed bid), web and enterprise mobility application services and solution delivery management, personnel and staff management, and contract and cost management.

About SDG:
SDG Corporation empowers forward thinking companies to strategize their future, realize their vision, and minimize IT risk. SDG distinguishes itself by offering flexible business models to fit their clients’ needs; faster time-to-market with its pre-built solutions and frameworks; a broad-based foundation of domain experts, and deep program management expertise. (www.sdgc.com)

Friday Jul 12, 2013

CSO Webcast with Mary Ann Davidson & CSO Magazine

According to a recent survey by IDG Research, 40 percent of respondents felt that a fragmented, reactive approach to security left them more vulnerable. More than 35 percent felt that their organization was reactive to sensational news about security threats. To better align IT security resources with risk, organizations will need to refocus on strategic assets.

Join us for a Webcast with Oracle Chief Security Officer, Mary Ann Davidson and CSO magazine to learn how an inside-out security approach enables you to concentrate your security efforts where they matter most.

  • Protect your most valuable assets
  • Rethink security inside out
  • Improve security governance
Register now and attend the live webcast to chat with security experts and receive a copy of the full IDG Research report.

Thursday Jul 11, 2013

NEC Australia hosts Part 2: Identity Governance Key Insights

NEC Australia is back with Part 2 of their two part series with key leaders from the Oracle Identity Management product team. Host Larry Samuels of NEC Australia takes us into the topic area of "Identity Governance Key Insights".  This includes key information on point-in-time audits and their use as a baseline, as well as steps your organization can take to minimize your risk by better understanding the complexity of your identity environment.  To view this video, click HERE


Wednesday Jul 10, 2013

NEC Australia hosts video Roundtable on "Key Trends in Identity Management" (Part 1)

Join NEC Australia as they host a Roundtable discussion with key members from Oracle to discuss the key Identity Management trends. Host Larry Samuels of NEC Australia leads this conversation with experts in the field of Identity Management to discuss how the landscape is changing and evolving to encompass the new demands of Cloud, Mobile and regulatory compliance.  With him is Amit Jasuja, Sr Vice President of Identity Management at Oracle Corporation, to help us navigate the ever changing demands of IT and how partners like NEC are working with Oracle to meet those demands. To view Part 1 of this video, click HERE

Tuesday Jul 09, 2013

Necessity is the mother of invention: Technical Solutions Developed in the Field by Kishan Malineni (Accenture)

As promised in last week’s post, today we will go into tuning specifics and address well proven tricks of the trade, used by IAM gurus to maximize your solution while addressing the requirements of global organizations.


In this post we will use a specific, anonymous project example to walk you through the process, specifically:

  1. Setting the Stage: Establish Service Level Agreements and Critical Project Metrics
  • In our example, the goal was to support page load times for OIM access requests of less than 5 seconds for 40 concurrent users. All of this would have to be possible with a 100,000+ active user base dispersed globally.
  2. Approach:
  • Accenture teamed with Oracle Product Development and Field Engineering to troubleshoot the performance issues
  • Identify the issues and release appropriate Merge Label Requests (patches) on top of Bundle Patch 06
  • Secure Socket Layer (SSL) certificates presented a unique scenario: when pushed to all end users through a Group Policy Object (GPO), they decreased load time for the pages listed below by up to 15 seconds:
      • Login page
      • Home page/dashboard
      • User Search
      • User account details
  3. Getting Started in your Implementation:
  • Technical Steps
  • Proactively teaming with Oracle
  4. Challenges:

  • A single server location presents network concerns for a distributed user base, which compounds the need for high application performance.
  • Internet Explorer is the client standard and is dramatically slower than open source browsers with the complex ADF framework.
  • Traditional downtime is non-existent with users in time zones across the globe.
  • Despite having 4 physical servers with 8 managed nodes, page load times were not meeting the 5-second-or-less requirement.
  • This client was an early adopter of the 11gR2 release, as part of the Oracle Beta program.


The goal for any new software implementation is for it to be fast and that’s no different for this Global Financial Services client. The Accenture team worked closely with the client to address numerous requirements including mapping complex provisioning, de-provisioning, and numerous other lifecycle changes.


Naturally for requirements as demanding as these, a robust technical architecture was required. Within the Design Phase and into the Test Phase, the Accenture team was seeing page load times of more than five seconds.


After engaging Oracle via a service request, the project team was able to engage Oracle engineers to specifically resolve the performance issues that were identified. Initially, baselines were taken across multiple browsers including Internet Explorer 8, Mozilla Firefox, and Google Chrome. Oracle was able to help the project team identify a bundle patch that was expected to dramatically decrease page load times. With the OIM code fully optimized, the magnifying glass could be applied to the browsers within the client’s enterprise standard builds.


Through a collaborative effort involving extensive testing, it was determined that Internet Explorer 8 (IE8) required additional security certificates to be pushed to the intermediate store. Through this change, page load times decreased by up to 15 seconds. Fortunately, through a Group Policy Object, the client is able to push this change to all users within the enterprise.


With the help of Oracle Product Management, several iterations of testing were performed to collect test data and provide it to the client stakeholder team. During this process Accenture and Oracle provided daily updates to the client to ensure awareness among all stakeholders.


Step 1 of Problem Solving:

The combined Oracle and Accenture team performed the following steps to dramatically improve the page load times for 40 concurrent users:

  • Modified Java Virtual Machine settings and increased memory to each managed node
  • Applied Bundle Patch 04
  • Applied performance patch for Catalog and My Access which provided the following page load times:


Step 2: The Project Team and Oracle Team then performed the following changes:

  • Modified OIM operations, Java message service, SOA, applications data sources
  • Applied HTTP compression
  • Applied performance patch for user profile/search
  • Disabled web cache


Step 3: After seeing a dramatic decrease in page load times, the final performance tweaks were applied:


  • Applied Bundle Patch 06
  • Applied Application Development Framework (ADF) Merge Label Request
  • Applied OIM Merge Label Request for User Interface Self Service Workflows
  • Internet Explorer 8 (IE8) specific issues: unchecked “Check for Server Certificate Revocation” within IE8. This update will be performed through a Group Policy Object (GPO) change.


Final Results:


Conclusion: Upon achieving the desired results for page load times, the Accenture Project Team was able to deploy OIM to the Production environments.


While this client experience highlights specific examples of performance tuning for Oracle IAM, the approach and collaboration are just as critical and can be applied to many other implementation challenges.  Additionally, it is critical to use industry leading practices for planning and implementing your IAM program, including:

  • Clustering OIM managed servers
  • Clustering SOA servers
  • Using Oracle Database Real Application Clusters
  • Using fully qualified domain names
  • Ensuring the ports used are non-conflicting and similar across the clustered servers
  • Utilizing Coherence for SOA (SOA clustering)
  • Configuring Oracle HTTP Server correctly, which is critical to load balance between clustered servers
  • Setting ideal connection pool settings, message buffer size, caching, statement cache size and inactive connection timeout parameters for the system data sources deployed with OIM

Delivering a high performance IAM implementation will have a substantial impact on the success of your team and your program. It requires a combination of well-trained IAM SMEs, clearly established metrics and SLAs, leveraging best practices and industry leading solutions, and most importantly a strong collaborative approach across teams.

Please stay tuned for next week’s series installment on The Art & Science of Performance Tuning of Oracle IAM 11gR2, where we will share war stories of clients across industries finding paths to success with Oracle IAM and Accenture.

Tuesday Jul 02, 2013

Taking the training wheels off: Accelerating the Business with Oracle IAM by Brian Mozinski (Accenture)

Today, technical requirements for IAM are evolving rapidly, and the bar is continuously raised for high performance IAM solutions as organizations look to roll out high volume use cases on the back of legacy systems.  Existing solutions were often designed and architected to support offline transactions and manual processes, and the business owners today demand globally scalable infrastructure to support the growth their business cases are expected to deliver.

To help IAM practitioners address these challenges and make their organizations and themselves more successful, in this series we will outline:

• Taking the training wheels off: Accelerating the Business with Oracle IAM
The explosive growth in expectations for IAM infrastructure, and the business cases they support to gain investment in new security programs.

• "Necessity is the mother of invention": Technical solutions developed in the field
Well proven tricks of the trade, used by IAM gurus to maximize your solution while addressing the requirements of global organizations.

• The Art & Science of Performance Tuning of Oracle IAM 11gR2
Real world examples of performance tuning with Oracle IAM

• No Where to go but up: Extending the benefits of accelerated IAM
Anything is possible, compelling new solutions organizations are unlocking with accelerated Oracle IAM

Let’s get started … by talking about the changing dynamics driving these discussions.

Big companies are getting bigger every day, and increasingly organizations operate across state lines, multiple time zones, and in many countries or continents at the same time.  No longer is midnight to 6am a safe time to take down the system for upgrades, to run reconciliations, or to import or update user accounts and attributes.  Further, IT organizations are operating as shared services with SLAs similar to the telephone carrier levels expected by their “clients”.  Workers are moved in and out of roles on a weekly, daily, or even hourly basis and IAM is expected to support those rapid changes.  End users registering for services during business hours in Singapore expect their access to be green-lighted in custom apps hosted in Portugal within the hour.  Many of the expectations built into asynchronous systems and batched updates are no longer adequate, and the number and types of users is growing.

When organizations acted more like independent teams at functional or geographic levels, it was manageable to have processes that relied on a handful of people who knew how to make things work and knew how to get you access to the key systems to get your job done.  Today everyone is expected to do more with less: the finance administrator previously supporting their local Atlanta sales office might now be asked to help close the books for the Johannesburg team, and the access certification process once completed monthly by Joan on the 3rd floor is now done by a shared pool of resources in Sao Paulo.

Fragmented processes that rely on institutional knowledge to get access to systems and get work done quickly break down in these scenarios.  Highly robust processes that have automated workflows for connected or disconnected systems give organizations the dynamic flexibility to share work across these lines and cut costs or increase productivity.

As the IT industry computing paradigms continue to change with the passing of time, and as mature or proven approaches become clear, it is normal for organizations to adjust accordingly. Businesses must manage identity in an increasingly hybrid world in which legacy on-premises IAM infrastructures are extended or replaced to support more and more interconnected and interdependent services to a wider range of users. The old legacy IAM implementation models we had relied on to manage identities no longer apply.

End users expect to self-request access to services from their tablet, get supervisor approval over mobile devices and email, and launch the application even if it is hosted in the cloud, or run by a partner, vendor, or service provider.

While user expectations are higher, they are also simpler: logging into custom desktop apps to request approvals, or going through email or paper based processes for certification, is unacceptable.  Users expect security to operate within the paradigm of the application, i.e. to feel like the application they are using.

Citizen and customer facing applications have evolved from everywhere: custom applications, 3rd party tools, and systems merged in from acquired entities or 3rd party OEMs resold to expand your portfolio of services.  These all have their own user stores, authentication models, user lifecycles, session management, etc.  Often the designers/developers are no longer accessible and the documentation is limited.  Bringing together the underlying directories to scale for growth and improve user experience is critical for revenue, but also for operations.

Job functions are more dynamic; take the Olympics for example.  Endless organizations, from corporations broadcasting, endorsing, or marketing through the event, to non-profit athletic foundations and public/government entities for athletes and public safety, all operate simultaneously on the world stage.  Each organization needs to spin up short-term teams, often dealing with proprietary information from hot ads to racing strategies or security plans.  IAM is expected to enable teams to spin up, enable new applications, protect privacy, and secure critical infrastructure.  Then it needs to be disabled just as quickly as users go back to their previous responsibilities.

On a more technical level, businesses today need optimized directories and clear tuning guidelines and parameters.  They need to make the right choices (for example, virtual directories) and select the correct architectural patterns (virtual, direct, replicated, and tuned); the challenge is to assess and choose the right pattern (centralized, virtualized, or distributed).

Today's business organizations have very complex, heterogeneous enterprises that contain diverse and multifaceted information. With today's ever changing global landscape, the strategic end goal for business in challenging times is business agility. The business of identity management requires enterprises to be more agile and more responsive than ever before. The continued proliferation of networked devices (PCs, tablets, PDAs, notebooks, etc.) has caused the number of devices, and of users to be granted access to them, to grow exponentially. Businesses need to deploy an IAM system that can meet the demands for authentication and authorization on these devices.

Increased innovation is forcing businesses and organizations to centralize their identity management services. Access management needs to handle traditional web-based access as well as new innovations around mobile, and must address insufficient governance processes which can lead to rogue identity accounts, which can then become a source of vulnerabilities within a business’s identity platform. Risk-based decisions present challenges to business: an adaptive risk model must make proper access decisions via standard web single sign-on for internal and external customers. Organizations have to move beyond simple logins and passwords to address trusted relationship questions such as: Is this a trusted customer, client, or citizen? Is this a trusted employee, vendor, or partner? Is this a trusted device?

Without a solid technological foundation, organizational performance, collaboration, constituent services, or any other organizational processes will languish. A single server location presents not only network concerns for a distributed user base, but identity challenges. The network risk centres on the latency of the long trip that the traffic has to take. Other risks concern performance and availability: if the single identity server is lost, all access is lost.

As you can see, there are many reasons why performance tuning IAM will have a substantial impact on the success of your organization.  In our next installment in the series we roll up our sleeves and get into detailed tuning techniques used every day by thought leaders in the field implementing Oracle Identity & Access Management Solutions.

Wednesday Jun 26, 2013

Taking the Plunge - or Dipping Your Toe - into the Fluffy IAM Cloud by Paul Dhanjal (Simeio Solutions)

In our last three posts, we’ve examined the revolution that’s occurring today in identity and access management (IAM). We looked at the business drivers behind the growth of cloud-based IAM, the shortcomings of the old, last-century IAM models, and the new opportunities that federation, identity hubs and other new cloud capabilities can provide by changing the way you interact with everyone who does business with you.

In this, our final post in the series, we’ll cover the key things you, the enterprise architect, should keep in mind when considering moving IAM to the cloud.

Invariably, what starts the consideration process is a burning business need: a compliance requirement, security vulnerability or belt-tightening edict. Many on the business side view IAM as the “silver bullet” – and for good reason. You can almost always devise a solution using some aspect of IAM.

The most critical question to ask first when using IAM to address the business need is, simply: is my solution complete? Typically, “business” is not focused on the big picture. Understandably, they’re focused instead on the need at hand: Can we be HIPAA compliant in 6 months? Can we tighten our new hire, employee transfer and termination processes? What can we do to prevent another password breach? Can we reduce our service center costs by the end of next quarter?

The business may not be focused on the complete set of services offered by IAM but rather a single aspect or two. But it is the job – indeed the duty – of the enterprise architect to ensure that all aspects are being met. It’s like remodeling a house but failing to consider the impact on the foundation, the furnace or the zoning or setback requirements. While the homeowners may not be thinking of such things, the architect, of course, must.

At Simeio Solutions, the way we ensure that all aspects are being taken into account – to expose any gaps or weaknesses – is to assess our client’s IAM capabilities against a five-step maturity model ranging from “ad hoc” to “optimized.” The model we use is similar to Capability Maturity Model Integration (CMMI) developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. It’s based upon some simple criteria, which can provide a visual representation of how well our clients fare when evaluated against four core categories:

  • Program Governance
  • Access Management (e.g., Single Sign-On)
  • Identity and Access Governance (e.g., Identity Intelligence)
  • Enterprise Security (e.g., DLP and SIEM)

Often our clients believe they have a solution with all the bases covered, but the model exposes the gaps or weaknesses. The gaps are ideal opportunities for the cloud to enter into the conversation.

The complete process is straightforward:

  1. Look at the big picture, not just the immediate need – what is our roadmap and how does this solution fit?
  2. Determine where you stand with respect to the four core areas – what are the gaps?
  3. Decide how to cover the gaps – what role can the cloud play?

Returning to our home remodeling analogy, at some point, if gaps or weaknesses are discovered when evaluating the complete impact of the proposed remodel – if the existing foundation wouldn’t support the new addition, for example – the owners need to decide if it’s time to move to a new house instead of trying to remodel the old one.

However, with IAM it’s not an either-or proposition – i.e., either move to the cloud or fix the existing infrastructure. It’s possible to use new cloud technologies just to cover the gaps.

Many of our clients start their migration to the cloud this way, dipping in their toe instead of taking the plunge all at once. Because our cloud services offering is based on the Oracle Identity and Access Management Suite, we can offer a tremendous amount of flexibility in this regard. The Oracle platform is not a collection of point solutions, but rather a complete, integrated, best-of-breed suite. Yet it’s not an all-or-nothing proposition. You can choose just the features and capabilities you need using a pay-as-you-go model, incrementally turning on and off services as needed. Better still, all the other capabilities are there, at the ready, whenever you need them.

Spooling up these cloud-only services takes just a fraction of the time it would take a typical organization to deploy internally. SLAs in the cloud may be higher than on premise, too. And by using a suite of software that’s complete and integrated, you can dramatically lower cost and complexity.

If your in-house solution cannot be migrated to the cloud, you might consider using hardware appliances such as Simeio’s Cloud Interceptor to extend your enterprise out into the network. You might also consider using Expert Managed Services. Cost is usually the key factor – not just development costs but also operational sustainment costs. Talent or resourcing issues often come into play when thinking about sustaining a program. Expert Managed Services such as those we offer at Simeio can address those concerns head on.

In a cloud offering, identity and access services lend themselves to the new paradigms described in my previous posts. Most importantly, this allows us all to focus on what we're meant to do – provide value, lower costs and increase security for our respective organizations. It’s that magic “silver bullet” that business knew you had all along.

If you’d like to talk more, you can find us at simeiosolutions.com.

Tuesday Jun 25, 2013

It's not just “Single Sign-on” by Steve Knott (aurionPro SENA)

It is true that Oracle Enterprise Single Sign-on (Oracle ESSO) started out as purely an application single sign-on tool, but as we have seen in the previous articles in this series, the product has matured into a suite of tools that can do more than just automated single sign-on and can also provide a rapidly deployed, cost-effective solution to many demanding password management problems.

In the last article of this series I would like to discuss three cases where customers faced password scenarios that required more than just single sign-on and how some of the less well known tools in the Oracle ESSO suite “kitbag” helped solve these challenges.

Case #1

One of the issues often faced by our customers is how to keep their applications compliant. I had a client who liked the idea of automated single sign-on for most of his applications but had a key requirement to actually increase the security for one specific SOX application. For the SOX application he wanted to secure access by using two-factor authentication with a smartcard. The problem was that the application did not support two-factor authentication. The solution was to use a feature from the Oracle ESSO suite called authentication manager. This feature enables you to have multiple authentication methods for the same user which in this case was a smartcard and the Windows password.  Within authentication manager each authenticator can be configured with a security grade so we gave the smartcard a high grade and the Windows password a normal grade. Security grading in Oracle ESSO can be configured on a per application basis so we set the SOX application to require the higher grade smartcard authenticator.

The end result for the user was that they enjoyed automated single sign-on for most of the applications apart from the SOX application. When the SOX application was launched, the user was required by ESSO to present their smartcard before being given access to the application.
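The per-application grading from Case #1, as a constructed model added here to show the decision logic (this is not Oracle ESSO's configuration format or API; the authenticator names, grades and application names are assumptions):

```python
"""Constructed model of authenticator security grades (added example).

Each authenticator carries a grade, each application requires a minimum
grade, and a session either satisfies the application or is told which
authenticators would step it up. Hypothetical model, not Oracle ESSO's
configuration or API.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Set, Tuple


class Grade(IntEnum):
    NORMAL = 1
    HIGH = 2


@dataclass(frozen=True)
class Authenticator:
    name: str
    grade: Grade


@dataclass
class Session:
    user: str
    # names of authenticators the user has completed in this session
    completed: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    step_up_options: Tuple[str, ...] = ()  # authenticators that would satisfy the app
    reason: str = ""


# Constructed registry: a Windows password at NORMAL grade and a smartcard at HIGH.
AUTHENTICATORS: Dict[str, Authenticator] = {
    "windows_password": Authenticator("windows_password", Grade.NORMAL),
    "smartcard": Authenticator("smartcard", Grade.HIGH),
}

# Per-application required grade; applications not listed fall back to DEFAULT_GRADE.
APP_POLICY: Dict[str, Grade] = {"sox_ledger": Grade.HIGH}
DEFAULT_GRADE = Grade.NORMAL


def required_grade(app: str) -> Grade:
    """Grade an application demands; unlisted apps get the default."""
    return APP_POLICY.get(app, DEFAULT_GRADE)


def session_grade(session: Session) -> Optional[Grade]:
    """Highest grade among the session's completed authenticators, or None."""
    grades = [AUTHENTICATORS[n].grade for n in session.completed if n in AUTHENTICATORS]
    return max(grades) if grades else None


def authorize(session: Session, app: str) -> Decision:
    """Allow if the session grade meets the app's grade, else list step-up options."""
    need = required_grade(app)
    have = session_grade(session)
    if have is not None and have >= need:
        return Decision(True, reason=f"session grade {have.name} meets {need.name}")
    options = tuple(sorted(a.name for a in AUTHENTICATORS.values() if a.grade >= need))
    have_name = have.name if have is not None else "none"
    return Decision(False, options, f"{app} requires {need.name}; session has {have_name}")


def complete_authenticator(session: Session, name: str) -> None:
    """Record a successfully completed authenticator; unknown names are rejected."""
    if name not in AUTHENTICATORS:
        raise ValueError(f"unknown authenticator {name!r}")
    session.completed.add(name)


if __name__ == "__main__":
    s = Session("alice", {"windows_password"})
    print(authorize(s, "mail"))        # allowed: NORMAL meets NORMAL
    print(authorize(s, "sox_ledger"))  # denied: step up with the smartcard
    complete_authenticator(s, "smartcard")
    print(authorize(s, "sox_ledger"))  # allowed after step-up
```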

Case #2

Another example of solving compliance issues was the case of a large energy company who had a number of core billing applications. New regulations required that users change their password regularly and use a complex password. The problem facing the customer was that the core billing applications did not have any native user password change functionality. The customer could not replace the core applications because of the cost and time required to re-develop them. With a reputation for innovation, aurionPro SENA were approached to provide a solution to this problem using Oracle ESSO.

Oracle ESSO has a password expiry feature that can be triggered periodically based on the timestamp of the user’s last password creation, so our strategy was to leverage this feature to provide the password change experience. The trigger can launch an application change-password event; however, in this scenario there was no native change-password feature that could be launched, so a “dummy” change-password screen was created that imitated the missing change-password function and connected to the application database on behalf of the user.

Oracle ESSO was configured to trigger a change password event every 60 days. After this period if the user launched the application Oracle ESSO would detect the logon screen and invoke the password expiry feature. Oracle ESSO would trigger the “dummy screen,” detect it automatically as the application change password screen and insert a complex password on behalf of the user. After the password event had completed the user was logged on to the application with their new password. All this was provided at a fraction of the cost of re-developing the core applications.

Case #3

Recent popular initiatives such as the BYOD and working from home schemes bring with them many challenges in administering “unmanaged machines” and sometimes “unmanageable users.”

In a recent case, a client had a dispersed community of casual contractors who worked for the business using their own laptops to access applications. To improve security around password management, the goal was to provision the passwords directly to these contractors. In a previous article we saw how Oracle ESSO has the capability to provision passwords through Provisioning Gateway, but the challenge in this scenario was how to get the Oracle ESSO agent to the casual contractor on an unmanaged machine.

The answer was to use another tool in the suite, Oracle ESSO Anywhere. This component can compile the normal Oracle ESSO functionality into a deployment package that can be made available from a website in a similar way to a streamed application. The ESSO Anywhere agent does not actually install into the registry or program files but runs in a folder within the user’s profile therefore no local administrator rights are required for installation. The ESSO Anywhere package can also be configured to stay persistent or disable itself at the end of the user’s session.

In this case the user just needed to be told where the website package was located and download the package. Once the download was complete the agent started automatically and the user was provided with single sign-on to their applications without ever knowing the application passwords.

Finally, as we have seen in this series, Oracle ESSO not only has great utilities in its own tool box but also has direct integration with Oracle Privileged Account Manager, Oracle Identity Manager and Oracle Access Manager. Integrated with these tools, it provides a complete and complementary platform to address even the most complex identity and access management requirements.

So what next for Oracle ESSO?

“Agentless ESSO available in the cloud” – but that will be a subject for a future Oracle ESSO series!


Wednesday Jun 19, 2013

Identity in an Interconnected World: by Paul Dhanjal (Simeio Solutions)

In today’s interconnected world, we’re being forced to re-think what identity means and to adopt entirely new models for managing it. One thing’s for sure: it’s no longer confined to inside the walls of the enterprise. The lines between internal and external data ownership are blurring. In this, our third post in the series, we’ll delve a bit deeper into what these external identities look like to help us understand the implications for IT.

Let’s start by reviewing the old model. Traditionally, all identity data was internal – each application or service stored and managed all the user information it needed – completely self-contained.

But “self-contained” is really just a nice way of saying “silo.” We encounter these identity silos all the time. A large corporation may have dozens, the result of mergers and acquisitions or through the independent initiatives of multiple lines of business. We see it among business partners in value chains – retail partners, ISVs, distributors, etc. We see it in government where various departments – DMV, tax collector, police department, social services, etc. – all separately collect and manage overlapping data on the same set of users.

For companies, these identity silos are costly to build and maintain – the duplication of capabilities and data is highly inefficient, and synchronizing changes across silos is difficult or impossible. They limit visibility and insight. It’s difficult to recognize an individual customer across services, for example – what looks like 10 different users is often the same person.

New cloud-based identity and access management (IAM) models have emerged to address these issues, powered in large part by two key technologies: virtual directories and identity hubs.

Virtual directories, such as Oracle Virtual Directory (OVD), are designed to provide a single, centralized authentication point for multiple services. They unify multiple directories, providing a real-time consolidated view of a person’s identity record regardless of where it’s stored. Because they typically come with adapters for most major directories and databases including those from Oracle, Sun, IBM, Microsoft and Novell, they can be remarkably easy to deploy.

The actual user accounts are still decentralized – created and maintained in the original authentication sources, not in the virtual directory. But to an application or service that’s part of the network, it appears that there’s one centralized source for authentication, removing a ton of complexity from the application, breaking down silos, and allowing you to recognize an individual across all your services.

The identity hub completes the picture. It serves as a broker between the application and the various authoritative sources of identity attributes in both enterprise and federated scenarios. It provides a single authoritative view of user data in what is generally a decentralized environment where user data is scattered among multiple repositories.

More importantly, that view changes depending on who is accessing it. Each application (or business unit, department, division, or customer) has a view that’s limited to only the information that’s deemed appropriate. That’s determined by the owner of the information, which can be another division within the same company, an external partner, or even an individual customer.


By combining the identity hub with a governance framework for identity federation via the cloud, you can easily share these views with partners who provide services, while ensuring the appropriate (and only the appropriate) information is securely delivered to each service provider by you, the identity provider. Simeio’s Cloud Services, for example, uses Oracle Access Manager 11g R2 to gather the requested attributes within the identity hub and build an encrypted claim in a form tailored for the consuming service.

Once you or your partners can access this information on demand, it may no longer be necessary to own or even store any portion of a user’s identity – certainly not their password, which would instantly get you out of the business of password management, including support desks and reset mechanisms.

In this new model, identity is no longer something isolated in individual applications and maintained in a single organization. Information becomes fluid, on-demand, real-time, relevant to business units, and – most important – transportable to other businesses or clients, which reduces complexity and time to market, and opens the door to entirely new business models and revenue streams. We’ll have more on this in our fourth and final chapter.

Tuesday Jun 18, 2013

The Keys to the Password Vault by Matthew Scott (aurionPro SENA)

Super user accounts are, unfortunately, a necessary evil. It’s just a fact of life in the IT industry that someone, somewhere, has to have the ability to make fundamental (and therefore potentially catastrophic!) changes to key systems.

One of my least favourite experiences as a consultant was gaining access to an account through a process that was reminiscent of a spy thriller – the password was typed onto a card, which was cut in two, with each half stored in a separate safe and each key entrusted to a meticulous security officer. Navigating the procedures to get the halves together in time to be useful was a trial of persuasion and scheduling – I can see why Tom Cruise prefers to abseil in through the roof instead of filling in yet another form!

Compliance officers are increasingly scrutinising privileged accounts and the processes that control access to them – not surprisingly, since surveys have shown that up to a quarter of IT professionals have experienced misuse of such accounts, and almost half of all companies fail to manage these accounts in accordance with the law (http://www.computerweekly.com/news/2240111956/One-in-four-IT-security-staff-abuse-admin-rights-survey-shows). The results can be spectacular and sobering – the UBS trader Kweku Adoboli cost his company $2.3 billion after making disastrous trades using a privileged account which he was not authorised to use.

Thankfully, there is now a better way. As we’ve seen in this series, with the ESSO suite the technology exists to manage user passwords without the user having to actually ‘know’ that password. It is possible to extend this functionality to include those previously hard to manage privileged accounts by introducing Oracle Privileged Accounts Manager (OPAM). OPAM acts as a secure password vault for privileged accounts, but unlike other password vaults it can be connected directly to the ESSO Logon Manager agent so that passwords can be requested, obtained and used, all from the user’s desktop.

OPAM is particularly useful for companies with large, decentralised UNIX environments. We are currently engaged with a large financial organisation which has several hundred servers, with various distributions of Linux and UNIX that are managed by different teams. With OPAM, all those precious root accounts have for the first time been corralled together in one location, where they can be released as needed to any authorised user. OPAM is equally adept at managing identities stored in directories, including Windows service accounts within Active Directory.

To calm the fears of any compliance officers who may be reading these words nervously, it is possible to implement workflows to control the request process. This may include approvals from a higher authority, complete with email or mobile notifications to the approver. And of course ESSO and OPAM feature end-to-end audit trails – from request, to check out, to each use of the privileged account, through to check in. Tracking who has been doing what with each account has never been easier.

In addition to managing privileged accounts, the ESSO suite also allows users to distribute their personal accounts in a similar manner. Many of us have experienced the frustration of needing access to a system, a record or an email only to discover that the person with access is on holiday or otherwise unavailable. In extreme cases, this may require that the absent user’s Windows account be reset to allow another user to log on and gain access. ESSO’s Account Delegation allows these key users to pro-actively devolve their account credentials to another user for a set period – no passwords required!

Monday Jun 17, 2013

SIM to OIM Migration: Strategies for Success

In the fall of 2012, Oracle launched a major upgrade to its IDM portfolio: the 11gR2 release.  11gR2 had four major focus areas:

  • More simplified and customizable user experience
  • Support for Cloud, Mobile, and Social applications
  • Extreme scalability
  • Clear upgrade path

For many SUN customers, the upgrade path continues to not be so clear. There are two main strategies for this type of upgrade: the “big bang” complete reimplementation, and the incremental migration/coexistence strategy.

To help better understand your upgrade choices, I am pleased to introduce the first in a series of three whitepapers focused on SUN Identity Manager (SIM) to Oracle Identity Manager (OIM) migration.

In Part 1, Santosh Kumar Singh from SDG will take you through a discussion of the Migration Approach, Methodology, and Tools for you to consider when planning a migration from SIM to OIM.

Read the white paper: http://www.sdgc.com/images/content/whitepapers/sim-to-oim-migration-whitepaper-05.23.13-jm.pdf

Then, in Part 2, he will discuss the proper steps that should be taken during the planning phase to ensure a smooth transition from SIM to OIM.

Finally in Part 3, Santosh will talk about the types and kinds of accelerators that can be used to help move your migration at an accelerated pace.

About the Author:

Santosh Kumar Singh

Identity and Access Management (IAM) Practice Leader

Santosh, in his capacity as SDG Identity and Access Management (IAM) Practice Leader, has direct senior management responsibility for the firm's strategy, planning, competency building, and engagement delivery for this Practice. He brings over 12 years of extensive IT, business, and project management and delivery experience, primarily within enterprise directory, single sign-on (SSO) application, and federated identity services, provisioning solutions, role and password management, and security audit and enterprise blueprint. Santosh possesses strong architecture and implementation expertise in all areas within these technologies and has repeatedly led teams in successfully deploying complex technical solutions.

About SDG:

SDG empowers forward-thinking companies by partnering seamlessly to strategize, create and implement innovative business and technology solutions that help clients manage IT risk and enable growth. SDG combines industry-leading consulting and advisory expertise with specialized implementation services and product portfolio to deliver robust and scalable solutions for compliance, security, risk management and collaboration. (www.sdgc.com)

Are you registered for the "Embracing Mobility in the Workspace" Webinar yet?

Excitement is building around an upcoming webinar hosted by Oracle Partner AmerIndia on June 27th. Arun Mehta, Sr. Consultant with @AmerIndia, and Sid Mishra from Oracle will be speaking on the subject of mobility in the enterprise, the implications BYOD has on the security posture of the organization, and the steps you can take to reduce your risk.


Online space for this webinar is limited, so we recommend you register ASAP at http://www.amerindia.net/webinars.php to secure your spot for this exciting event on June 27th.


For a preview of what you can expect to learn from this webinar, check out the editorial posted here on the OracleIDM blog last week by AmerIndia, "Embracing Mobility in the Workspace" by Arun Mehta.  In this editorial, Arun addresses a segment of what he plans to cover in the webinar.


Look forward to seeing you on the 27th!

Wednesday Jun 12, 2013

Abandoning our "Last Century" IAM Models by Paul Dhanjal (Simeio Solutions)

In our previous blog, we looked at the business drivers behind the growth of cloud-based Identity and Access Management (IAM). These drivers, combined with cultural and technology trends, have made cloud-based IAM more attractive – and, frankly, more necessary – than ever.

Now that business has evolved to offer more and more interconnected and interdependent services to a wider range of users, the old models we had relied on to manage identities no longer apply. Our old identity management and security models designed for internal users simply can’t keep up with the rapidly evolving landscape. The forces that are shaping this new reality are so powerful, their momentum so great, that they now dictate the terms of how identity must be managed within an organization. The balance of power has shifted away from the IT organization and into the hands of end-users. If you are to meet their expectations, if you hope to compete and remain relevant, you must make the transition from build-your-own IAM to out-of-the-box IAM, from customization to configuration.

While there may be a big stick pushing us to make this transition, the carrots are equally compelling: lower costs, faster time to market, enhanced security, greater flexibility and, perhaps most important, the freedom to focus on the value and quality of the services you provide instead of how they’re provided.

There may be no better example of this than bring-your-own-device (BYOD). For years, IT laid down the law to prevent it. Now, fueled by the consumerization of mobile devices and tablets, BYOD has become the rule rather than the exception. It was inevitable. BYOD not only reduces strain on the organization to purchase and support such devices, it also increases employee satisfaction and productivity.

But, of course, the concerns behind the original reticence to allow BYOD remain. In fact, those concerns are magnified now that we’ve moved from uniform desktops tethered to the office to diverse mobile devices that can literally be taken – and lost – anywhere in the world.

Here’s where out-of-the-box solutions such as Oracle Access Management Suite come to the rescue. They’re designed to enable centralized policy management for securing access to services via mobile applications, going beyond web single sign-on, authentication and authorization. Such solutions are designed from the ground up to handle the added complexity of password management and security in a mobile world, including strong authentication, real-time behavioral profiling, and device fingerprinting. Adaptive products such as those from Oracle provide a multi-faceted approach to mitigate breaches into mobile and Web Applications, all while tying into a closed loop audit process with powerful reporting and notification engines.

Another example is the growing need to manage external identities – those of partners or customers. It may be tempting to use existing capabilities designed for internal identities for this. After all, the same basic services are involved, including handling access requests, granting access, and password management. But the differences are simply too great. There are different business needs, different security concerns, different compliance requirements, even different licensing issues.

Here, too, the new cloud-based IAM models offer us a solution. Their multi-tenancy capabilities mean a single instance of software can serve multiple constituencies discretely by virtually partitioning the management of identities based on any criteria or business need.

As they say on those late night infomercials, that’s not all. The cloud model and its converging standards open the door to entirely new ways of dealing with external identities. For example, products such as Oracle Access Manager allow users to register for a site's services using their social login IDs as an authentication mechanism (using OAuth and OpenID standards). This gets the organization out of the business of managing these external identities altogether, delegating password management, user profile, account settings, etc. to a third party – Google or Facebook, for example. 

If you’re not willing to delegate these tasks, you can still leverage external identities during registration by pulling the user’s basic identity information from a trusted third-party identity provider (IDP). This approach marries the old with the new, maintaining a security perimeter for user access by ensuring audit and closed-loop certification processes are still in place, while reducing the burden on the user who no longer has to provide basic information in order to register.

Delegation is a recurring theme in new IAM models. Cloud-based IAM, for example, makes it easy to push out user administration, certification and operational request management to individual lines of business. This in turn enables you to downsize centralized call support by using delegated authorities within those business units – managers who are closer (both conceptually and physically) to the users who require access. This is done via strong workflow management, which ties into a well-governed and managed role service as well as enterprise roles and processes for mover/joiner/leaver scenarios.

Case in point: the HR systems the US government uses to provision all roles (for resources and entitlements). Users request access directly from their managers. End-dates are used to enforce de-provisioning of all granted access, even during termination. The result is end-to-end lifecycle management with delegated administration, while ensuring compliance with a centralized audit process.

In our next post, we’ll explore what identity looks like in a secure, connected world and what that means for your business.

Tuesday Jun 11, 2013

Achieving "Zero-Touch" Password Management by Steve Knott (aurionPro SENA)

Traditionally when a user is on-boarded into an organisation they are given a desktop password along with a whole host of other passwords to access the required business applications to enable them to do their job. Inevitably there will be numerous associated company information security policies that dictate that passwords should not be written down or shared with colleagues etc.

Trying to remember numerous passwords can be onerous on the end user at the best of times and can lead to a plethora of password sins committed by the end user. Whilst we can deploy some SSO technologies to relieve password fatigue, the on-boarding provisioning process often means that the user needs to know their passwords at some point – or do they?

I recently worked on a project at a leading engineering company that was deploying a large new ERP system. The end users were highly skilled engineers focusing on cutting-edge technology, but password security was not high on their list of priorities. Traditionally within the organisation, credentials for new applications were sent by email and sometimes communicated over the phone. Inevitably these were written down in text files and diaries, or passwords were changed to the same “pet’s name” type password across multiple applications.

This was a huge concern for the Chief Architect, who wanted to remove end-user password management and provide “zero touch” credential provisioning for the new ERP applications. He also wanted to satisfy auditing and compliance requirements by enforcing complex passwords while preventing unauthorised credential sharing. All of this had to be achieved without inconveniencing the users.

We discussed the tried and tested approach of using a full-blown identity management solution. His response was that although wider identity management was on their long-term roadmap, he had a hard deadline to deliver the ERP system within three months and with limited resources. With traditional user provisioning out of the window, we had to come up with another approach. Everyone would be using the new ERP system for their timesheets on the same day, so any business impact from unavailability would be significant, and the customer couldn’t afford issues related to logging in.

One product they already had licensed was the Oracle Enterprise Single Sign-on (ESSO) suite. Oracle ESSO is a well-known, established product which provides single sign-on to any application at the desktop. Less well known are the additional tools provided within the suite. One of these is Oracle ESSO Provisioning Gateway, a web-based application that complements the other tools in the suite by provisioning application credentials directly to the SSO agent without user interaction.

The Provisioning Gateway server exposes a web service interface through which it receives instructions from any other provisioning server. Although Provisioning Gateway is more commonly deployed connected to an identity management system, it also ships with command line interface (CLI) utilities. These allow scripted interactions with the Provisioning Gateway server, including batch operations.

For this customer it was possible to export the user credential data out of the ERP system into a text file. Then, armed only with the tools provided within the Oracle ESSO suite, it was possible to script the provisioning of these credentials in batches of 500-1000 to the Provisioning Gateway server. The server provisioned the credentials to the ESSO repository, and they were synchronised to the desktop SSO agent at user logon.

So far, so good. At this stage the users were still unaware that anything had happened. The new ERP system wasn’t live yet, but in anticipation of its general release we now had each individual’s username and password ready in their SSO credential store for first login.

For security reasons, the ERP system was configured to require a password change at first logon. When a user launched the application for the first time on its launch date, the application raised a change-password event. The Oracle ESSO agent was configured to recognise and respond to this event, automatically generating and inserting a new password and leaving the user logged on with a new, complex password. This also means the initial password from the export was valid only until first logon. The end user did not know their password at any point of the on-boarding process or for subsequent logons, so the opportunity to share their logon details with colleagues was eliminated. Furthermore, issues with distributing new passwords were avoided altogether.
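The flow above, as an added end-to-end simulation in Python. This is not Oracle ESSO or Provisioning Gateway code (their CLI and file formats are not shown in the post): the export file format, the CredentialStore and TargetApp classes, the batch size and the complexity policy are assumptions. What it shows is the security property the post relies on: the initial password is loaded without the user seeing it, and the first-logon change replaces it with a CSPRNG-generated password that satisfies the policy and that the user never sees either.

```python
"""Zero-touch credential flow, simulated end to end (added example).

Not Oracle ESSO / Provisioning Gateway code: the export format, the
CredentialStore and TargetApp classes, the batch size and the complexity
policy below are all assumptions made for illustration.
"""
import secrets
import string
from dataclasses import dataclass, field

# Constructed sample export: "username,initial_password" per line (assumed format).
SAMPLE_EXPORT = """\
jsmith,Welcome1!
akhan,Welcome1!
mlee,Welcome1!
"""

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def parse_export(text):
    """Parse the exported credential file into (username, password) pairs."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            user, _, password = line.partition(",")
            records.append((user, password))
    return records


def batches(items, size):
    """Yield fixed-size chunks; the post provisioned 500-1000 users per batch."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def meets_policy(password, min_length=16):
    """Assumed complexity policy: minimum length plus all four character classes."""
    return len(password) >= min_length and all(
        any(c in cls for c in password) for cls in CHAR_CLASSES)


def generate_password(length=20):
    """CSPRNG password that satisfies meets_policy() by construction: one
    character from every class is placed first, the rest is random, then the
    list is shuffled with the same CSPRNG so class positions are not fixed."""
    alphabet = "".join(CHAR_CLASSES)
    chars = [secrets.choice(cls) for cls in CHAR_CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


@dataclass
class CredentialStore:
    """Stands in for the ESSO repository the desktop SSO agent syncs from."""
    credentials: dict = field(default_factory=dict)

    def provision(self, user, password):
        self.credentials[user] = password


@dataclass
class TargetApp:
    """Stands in for the ERP system, configured to force a change at first logon."""
    passwords: dict = field(default_factory=dict)
    must_change: set = field(default_factory=set)

    def logon(self, user, password):
        """Returns True when the app raises its change-password event."""
        if self.passwords.get(user) != password:
            raise PermissionError(f"bad credentials for {user}")
        return user in self.must_change

    def change_password(self, user, old, new):
        if self.passwords.get(user) != old or not meets_policy(new):
            raise ValueError("password change rejected")
        self.passwords[user] = new
        self.must_change.discard(user)


def app_from_export(export_text):
    """The ERP already holds these accounts; rebuild that state from the export."""
    app = TargetApp()
    for user, password in parse_export(export_text):
        app.passwords[user] = password
        app.must_change.add(user)
    return app


def bulk_provision(store, export_text, batch_size=500):
    """Load the exported credentials into the SSO store batch by batch.
    Returns the number of batches sent (the scripted CLI calls in the post)."""
    sent = 0
    for batch in batches(parse_export(export_text), batch_size):
        for user, password in batch:
            store.provision(user, password)
        sent += 1
    return sent


def first_logon(store, app, user):
    """What the SSO agent does at first launch: log on with the stored
    credential, answer the change-password event with a generated password,
    and update its own store. The user sees neither password; the new one is
    returned here only so a caller can verify the rotation."""
    current = store.credentials[user]
    if app.logon(user, current):
        new = generate_password()
        app.change_password(user, current, new)
        store.provision(user, new)
    return store.credentials[user]
```

generate_password() draws from the secrets module and places one character from each class before shuffling, so the result satisfies the policy by construction rather than by retry. A second call to first_logon() for the same user finds no change-password event and leaves the rotated credential in place, which is the steady state the post describes for subsequent logons.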

The aurionPro SENA fast rollout template for Oracle ESSO enabled this customer to hit the implementation deadline of the ERP project and also address the organisation’s security requirements. ESSO Provisioning Gateway also has a management interface, and this customer used it to let the helpdesk team apply the zero-touch methodology to other applications.

As we discussed in the first blog (Putting the EASY into SSO), Oracle ESSO provides more than just single sign-on to desktop applications. Its use for zero-touch provisioning shows its versatility: it can form a core part of an integrated identity and access management framework, not just a tactical tool for a single issue. Stay tuned for next week’s blog in this series, where we’ll be investigating the capabilities of Oracle ESSO still further.

Monday Jun 10, 2013

Embracing Mobility in the Workspace: Oracle API Gateway

“In 2013, mobile devices will pass PCs to be the most common Web access tools. By 2015, over 80% of handsets in mature markets will be smart phones.” - Gartner Research

Across the globe, corporations are embracing the influx of mobility, and the last five years have seen an expanding role for mobility in the workspace. Enterprises everywhere are coming up with innovative initiatives to support the mobility needs of the personnel working for them. In addition, a variety of mobile applications and services are being offered to the workforce to make them more effective and efficient at work. Such applications and services connect the organization’s different user populations, including the internal workforce, partners, customers, and consumers, with its internal and external resources.

There are numerous reasons why enterprises are embracing mobility in the workspace and the chart below highlights the most important ones:

The devices used by these populations are usually diverse, which leads to a fragmented and disconnected landscape. As a result, IT architects and product managers are compelled to develop applications that can be ported to users’ mobile devices. However, in-house applications deployed this way are not capable of averting today’s increasingly sophisticated identity theft and data breaches. Developing and using secure mobile applications is often the primary concern of infrastructure and solution architects today.

In 2012 Cisco Systems commissioned a Forrester Consulting study on the top security concerns and compatibility issues of senior-level decision-makers. The chart below illustrates the results.

Several aspects must be managed to support mobile devices effectively:

· Password and User Management – Managing the multiple passwords and user identities that each application requires.

· Device Management – Managing authentication and authorization of the devices through which users access company resources. High device turnover in the user population calls for re-registration of new devices and blacklisting of older ones, with corporate information wiped from them. Device management automates these processes in a structured way.

· Application Access Management – Managing role-based access, which is usually absent or handled locally within each application, leading to unauthorized access. Local role management also makes role-based access redundant and expensive to administer.

· API Management – Central publishing, promotion, and monitoring of exposed APIs within a secure and scalable environment, which is often missing. Many applications today expose web services that mobile devices cannot consume as efficiently as they could.

The following section describes how these aspects are managed, and how the challenges of adopting mobile devices are addressed, using Oracle API Gateway together with other components of the Oracle Access Management stack.

· User Management – These challenges are addressed with a user provisioning tool such as Oracle Identity Manager (OIM). OIM streamlines user provisioning and de-provisioning and other identity lifecycle events in the organization, and provisions users’ access to the various target systems. Once access has been provisioned, Oracle Access Management (OAM) steps in for users who access a target system through single sign-on. Authentication can be done by binding to LDAP, but OAM brings additional advantages because it lets policies and procedures be defined and enforced for users accessing target systems within the enterprise. Furthermore, access requests to all resources from mobile devices are intercepted by Oracle API Gateway (OAG, deployed in the DMZ), which enforces the policies that define the steps involved. OAG gathers the necessary user, application, device, and network context data to enable authentication decisions and validates the gathered data against the Access Management component according to the policies laid down.

However, this approach performs only user authentication and relies on the Access Management component for coarse-grained authorization; it may not be sufficient for the detailed authorization rules defined within the application itself.

Please refer to the figure below for a better understanding.

· Device Management – Mobile devices are registered through Identity Manager as assets, and this information is provisioned to an LDAP directory, a device database, or an application registry. Oracle API Gateway then performs device authentication using the custom authentication logic it comes with. Once a device is authenticated, a device token is generated, and the device presents that token in subsequent interactions to fetch information from the applications. This is a simple approach and achieves the desired results in small environments where functions such as device profiling, blacklisting and whitelisting, knowledge-based authentication, and device control are less important.

For larger and more complex environments, where those functions matter, the Access Management component can be extended by deploying Oracle Adaptive Access Manager (OAAM) along with the Mobile and Social Services components. This provides the desired device management functionality.

In other scenarios, device registration can be delegated to the OAAM components rather than registering devices through Oracle Identity Manager against the user record. Here, the Mobile and Social Services components play the crucial role of mediating security tokens for mobile devices to access enterprise resources and cloud-based applications.

Please refer to the figure below for a better understanding.
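Added illustration of the device-token step described above, in Python; it is not Oracle API Gateway code. The page does not describe OAG’s token format or its custom authentication logic, so the format here (a signed, expiring JSON payload, HMAC-SHA256 under a gateway-held secret) and the function names are assumptions. It shows what such a token needs to carry and what the gateway must check on every subsequent request: signature first, then expiry, then device and token revocation, which is where the blacklisting mentioned above plugs in.

```python
"""Device token issue/verify for a gateway in front of mobile APIs (added example).

Not Oracle API Gateway code: the token format (base64url(JSON) "." base64url(HMAC))
and the function names are assumptions made to illustrate the pattern.
"""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_device_token(secret, device_id, user, now, ttl=3600):
    """Token the gateway returns after device authentication succeeds.

    The payload binds the device to the user and carries an expiry. A random
    token id (jti) lets one token be revoked without blacklisting the device.
    """
    payload = {"dev": device_id, "sub": user, "iat": now, "exp": now + ttl,
               "jti": secrets.token_hex(8)}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(_sign(secret, body))


def verify_device_token(secret, token, now, revoked_devices=(), revoked_tokens=()):
    """Return the payload if the token is genuine, unexpired and not revoked,
    otherwise None. No field is trusted before the signature has been checked,
    and the comparison is constant-time."""
    try:
        body_part, sig_part = token.split(".")
        body = _unb64(body_part)
        sig = _unb64(sig_part)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(sig, _sign(secret, body)):
        return None
    payload = json.loads(body)
    if payload["exp"] <= now:
        return None
    # Blacklisting: a wiped or lost device, or a single leaked token.
    if payload["dev"] in revoked_devices or payload["jti"] in revoked_tokens:
        return None
    return payload
```

The revocation sets stand in for whatever registry the device management component maintains; a device that is re-registered after turnover simply gets a new device id and a fresh token, while the old id stays on the blacklist.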

· Application Access Management – The two architectures above explain how Oracle API Gateway (OAG) manages and performs user and device authentication. OAG is the policy enforcement point for mobile devices, in the same way that WebGates are the policy enforcement points for Oracle Access Management. However, fine-grained authorization can’t be overlooked.

The classical approach embeds authorization logic within the application itself, which makes managing and extending application security cumbersome. It can also lead to failed audit and compliance objectives, which require certifying who has what access and at what level. That is not acceptable in today’s world of increased scrutiny of applications and their access.

Fortunately, Oracle Entitlement Server (OES) comes to the rescue and serves as the central policy definition and decision point to which all applications externalize their authorization rules. When used with OAG, the authorization policies defined in OES are enforced at the gateway. In addition, the combination can redact data elements in responses based on the roles of the users accessing applications through mobile devices.

The figure below illustrates these concepts.
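Added example of the externalized-authorization pattern in Python; it is not Oracle Entitlement Server or OAG code, and the policy structure, the PolicyDecisionPoint and enforce names, and the sample records are assumptions. It separates the decision (a central rule set with default deny and deny-overrides semantics) from enforcement at the gateway, and uses the same decision to strip the fields a role may not see, which is the response redaction described above.

```python
"""Central policy decision point plus gateway enforcement with redaction (added example).

Not OES / OAG code: the Policy structure, the decide()/enforce() names and the
sample data are assumptions made to illustrate externalized authorization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    resource: str               # e.g. "/api/employees"
    action: str                 # e.g. "GET"
    role: str                   # role this rule applies to
    effect: str                 # "permit" or "deny"
    visible_fields: tuple = ()  # fields this role may see; () means all


class PolicyDecisionPoint:
    """Central rule store. No matching rule means deny; any deny wins."""

    def __init__(self, policies):
        self._policies = list(policies)

    def decide(self, roles, resource, action):
        """Return (effect, visible_fields); visible_fields is () when unrestricted."""
        matches = [p for p in self._policies
                   if p.resource == resource and p.action == action and p.role in roles]
        if not matches or any(p.effect == "deny" for p in matches):
            return "deny", ()
        visible, unrestricted = set(), False
        for p in matches:
            if p.visible_fields == ():
                unrestricted = True
            visible.update(p.visible_fields)
        return "permit", (() if unrestricted else tuple(sorted(visible)))


def enforce(pdp, roles, resource, action, records):
    """Policy enforcement point (the gateway): ask the PDP, then return only
    the fields the decision permits. Raises PermissionError on deny so the
    caller cannot accidentally fall through to an unfiltered response."""
    effect, visible = pdp.decide(roles, resource, action)
    if effect != "permit":
        raise PermissionError(f"{action} {resource} denied for roles {sorted(roles)}")
    if visible == ():
        return [dict(r) for r in records]
    return [{k: v for k, v in r.items() if k in visible} for r in records]


# Constructed sample rules and records.
POLICIES = [
    Policy("/api/employees", "GET", "hr", "permit"),
    Policy("/api/employees", "GET", "manager", "permit", ("id", "name", "dept")),
    Policy("/api/employees", "GET", "contractor", "deny"),
    Policy("/api/employees", "DELETE", "hr", "permit"),
]
EMPLOYEES = [
    {"id": 1, "name": "J. Smith", "dept": "R&D", "salary": 95000, "ssn": "***-**-1234"},
    {"id": 2, "name": "A. Khan", "dept": "Ops", "salary": 78000, "ssn": "***-**-5678"},
]
```

Because the rules live in the PDP and not in the application, adding a role or tightening what a manager may see is a policy change that is auditable in one place; the application code and the gateway filter do not change.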

· API Management – Enterprises today have applications that expose web services primarily meant for intranet use or for exchanging information with business-partner applications. That paradigm has shifted with the proliferation of mobile devices and the need to access those applications from them. Mobile devices may not be able to consume the exposed web services efficiently, so enterprises must either re-write or extend those web services for such use cases, or rely on the features of Oracle API Gateway (OAG).

OAG avoids that rework by performing content transformation on the fly to make services consumable from mobile devices. It provides a controlled connection between APIs and the applications that expose them, and it collects access metrics for every API it manages. In a well-designed OAG architecture and implementation, enterprises can expose these services confidently, with threat protection and XML acceleration at the same performance levels, and with reporting and analytics across all services.

In all, mobile devices have evolved to better suit the needs of consumers, but at the same time have traded off security for usability. These trade-offs increasingly contribute to security risk when such devices connect to enterprise resources.

These risks must be addressed effectively to protect company resources and comply with increasingly strict regulations. A mobile access management solution built on Oracle API Gateway technology unifies enterprise and cloud-based resources across network boundaries for mobile devices. This solution delivers enhanced security, regulatory compliance, improved governance, and increased productivity.

Webinar

For information on registering for our upcoming joint webinar with guest presenters Arun Mehta from AmerIndia and Sid Mishra from Oracle Corporation, please go to http://www.amerindia.net/webinars.php. There you can pre-register for this event, where we will discuss the changing face of mobile devices in today’s work environment and the risks associated with this trend. Solutions available to address such risks will be described, including solutions specific to different types of organization.

Author

Arun Mehta

Mobile Security Practice Leader

AmerIndia Technologies Inc.

Arun Mehta is Principal Solution Architect in Mobile Security, Security Solutions practice at AmerIndia Technologies Inc. In this role, Arun leads a team of specialist technical consultants and architects across North America focusing on Oracle's Security and Identity Management technology. Arun has been in the field of Security for over a decade and has experience across large and complex Identity Management projects in the North America region covering multiple industry verticals. More recently, he has been engaged on a number of projects including enterprise security platforms and mobile access management to help customers enable digital and business transformation initiatives.

AmerIndia Technologies Inc.

AmerIndia Technologies Inc. is a full-service information security consulting firm and an Oracle Gold Partner. We specialize in security assessments, software security, mobile security, identity and access management, cloud identity management, API management, certification, regulatory compliance, and vulnerability management. AmerIndia serves clients throughout the United States.

Our expertise and client base span all major verticals. Customers include Fortune 5000 companies in the financial, technology, healthcare, insurance, education and manufacturing sectors. Because of our wide range of experience and subject matter knowledge, major consulting firms also rely on AmerIndia as a trusted partner.

For more information, visit our website: www.amerindia.net

Wednesday Jun 05, 2013

The Cloud-based IAM Revolution by Paul Dhanjal (Simeio Blog Series - Ch1)

One of the most significant advancements in IT in the last few years has been the shift to cloud-based Identity and Access Management (IAM). While the word “revolution” is all-too-often used in IT, arguably it’s the right word to describe the transformation that the cloud brings to identity.

Over the next four weeks, we’ll delve into the details of this revolution, including a look at its impact on how you’ll do business, why change is needed, and what you’ll need to know to make the transition. Let’s get started by looking at the business drivers.

In just a few short years, cloud-based IAM has matured from simple portals offering single sign-on for a handful of Software-as-a-Service (SaaS) applications to sophisticated, comprehensive solutions that integrate seamlessly with virtually any directory service and application – on-premise, legacy or SaaS. They provide automated workflows for user access request submission and review, provisioning and attestation. They enable federation. And they simplify compliance with regulatory mandates.

The cloud model itself comes in a variety of flavors that provide enough flexibility to meet almost any organization’s needs, from public clouds that dramatically lower TCO through multi-tenancy to private clouds that can meet even the most stringent security and control requirements.

The drivers behind this revolution will be familiar to any CXO.

First, CXOs are facing increased pressure to reduce cost and complexity. They’re expected to follow the popular business school advice to “stick to the knitting”: focus exclusively on the core business and jettison everything else. IAM is squarely in the cross hairs, a tempting target for organizations looking to outsource services that don’t offer a clear and direct competitive advantage.

At the same time, IT is now expected to be a business enabler – to help grow the business, not just support it. This requires IT to be more flexible and nimble to meet ever-changing business demands, including the ability to quickly and easily provide employees, partners and customers with secure and role-appropriate access to a rapidly growing and evolving set of information, applications and other online resources.

User expectations, too, are rising rapidly. As users become accustomed to using more and more services online, from filing their taxes to sharing their photos, they now expect the convenience of moving seamlessly between multiple services using a single set of credentials – their Facebook or Google accounts, for example.

Add to the mix the growing security, compliance and regulatory mandates tied to identity, and the challenge can seem insurmountable.

Thankfully, the cloud has offered us a clear path forward. The benefits are just as clear.

First, the cloud delivers on the promise of outsourcing: reducing capital strain and freeing the business to focus on its core competencies. It eliminates the large investment required to stand up an IAM infrastructure: the hardware costs, in many cases the software licenses, and all the configurations and integrations in between. It eliminates ongoing maintenance and upgrade costs, too.

Many cloud-based IAM solutions offer on-demand services with pay-as-you-go pricing – you get and pay for the capability when and only when you need it. They also significantly reduce operational costs so that companies have the benefit of automated IAM without the costs of implementing and maintaining an in-house IAM infrastructure.

In addition to the rise of secure and reliable ISO 27001 compliant data centers and complete, enterprise-ready solutions such as Oracle Cloud Computing, standards-based protocols have dramatically reduced the risk of making the leap to cloud-based IAM. As the saying goes, “the nice thing about standards is that there are so many to choose from.” While many of the first cloud-based IAM solutions seemed to add more to the list, today we’re seeing a real convergence toward a small set of widely adopted standards that have made implementation and integration remarkably easy, including REST-based APIs, OAuth, SAML and OpenID Connect.

While some dive in headlong, many dip their toe in the water with quick-win implementations – to address rising costs for password management by offering self-service, for example – and then progress through provisioning into a handful of core identity systems, synchronization of passwords between authoritative systems, and so on. This approach often gives the organization time to see that identity can be leveraged as a service for other business needs.

A large financial institution, for example, mandated that all its lines of business use a centralized in-house identity governance solution, then charged each LOB to use the service. This could be done only with a service approach to identity, which became possible once the beachhead of self-service password management had been established.

In our next post, we’ll explore the reasons why organizations must make the transition to new, cloud-based IAM models if they hope to compete in a world where business has moved online. For more information on the services and offerings at Simeio Solutions, you can learn more by going to www.simeiosolutions.com
