Tuesday Jun 04, 2013

Putting the EASY into ESSO! by Matthew Scott (aurionPro SENA Blog Series - Ch1)

Enterprise Single Sign-On occupies an unusual position in the field of IAM. In automating the sign-on of users to their applications, it is, somewhat uniquely, a client-side application. For some of our customers, the role of enterprise SSO in an IAM programme isn’t entirely clear. I’ve spoken with many security architects who view its use as somehow tantamount to cheating. Surely, they assert, if we fully integrate systems at the back-end then the need for a client component doing sign-on becomes unnecessary. Architecturally this may be true. But the realities are that users have issues with passwords right now. Enterprise single sign-on addresses problems immediately. However, it’s also much more than just a tool that signs the user on to anything from their desktop. It is a tool that can be used to solve related business problems and technical challenges just as well as it can deliver users from their credential nightmares.

In this series of four articles, we will explore how enterprise SSO can be used to deliver these additional benefits. We will cover zero touch credential provisioning, making enterprise single sign-on an integrated part of an IAM programme and the management of delegated accounts. First, however, we’ll start with an easy one… making everyone happy all at the same time!

Capturing business requirements for identity and access management projects can be an art. There are so many interested parties – technical, legal, HR, end-users, application owners to name but a few – that it’s rare to reach a speedy consensus. I was in one such meeting with a customer a while back who were trying to explore what the success criteria would be for their enterprise single sign-on initiative. Relatively straightforward, you’d think, but after five hours the customer was still going round in circles! It wasn’t until the project sponsor finally arrived at the meeting and spoke about his vision that sanity was restored. His single request? His single measure? “Make it easy for my users!” That’s all he wanted. If other benefits accrued, that was a bonus.

Oracle’s Enterprise Single Sign-On Suite Plus (Oracle ESSO) is designed to do precisely what the project sponsor wanted. It includes a number of technologies designed to relieve the pain of passwords, by reducing the number of forgotten or incorrect credentials that a user has, whilst simultaneously making it easier to provide those same credentials to users without compromising security. What’s more, these benefits can be obtained surprisingly quickly – Oracle ESSO has a very light footprint and a flexible framework approach to managing credentials for almost any application. Web, Windows, Cloud or mainframe, passwords can quickly be eliminated as a source of pain for users and IT staff alike.

Oracle ESSO takes the management of credentials away from users. It stores passwords in a secure manner so that the user cannot forget them. It manages the password lifecycle, securely updating credentials when they expire. And it streamlines the user experience – application logon is handled automatically, so the user can get to work immediately without having to fumble over the username and password.

Of course, Oracle ESSO also allows the organisation to achieve lots of other benefits if it’s implemented correctly – reduced number of calls to helpdesk, increased productivity through faster password resets and so on. But fundamentally, as a user-facing tool it has to be one that’ll gain rapid acceptance for its deployment to be heralded as a success. The additional benefits won’t appear if the users don’t adopt the new tools they’re given.

aurionPro SENA has considerable experience with the Oracle ESSO suite. In fact, we’ve got the deployment of Oracle ESSO down to a fine art. Referring back to our original customer above – speed of deployment was important. “Proof of concept in days, pilot in weeks, deployment in two months” was the mantra. All with no significant operational impact on either end-users or IT personnel. We helped the customer achieve these goals. Deploying Oracle ESSO requires a delicate balance of technical knowledge, light-touch project management and extremely well-managed engagement with the end-user community. The last element is the most important. Involving key users as early as possible when their applications are being ‘profiled’ for single sign-on helps to ensure that they buy in to the end goal. They understand how Oracle ESSO will enhance the way that they work and are keen to share this with other users. If done right, a cascade of anticipation can ripple through the user community so that, rather than fearing change as can often happen with IT projects, the users are willing the change to arrive sooner! The use of appropriate briefing tools, promotion of the new system and similar techniques can further enhance the effectiveness of the final Oracle ESSO rollout.

So, Oracle ESSO makes it easy for end-users. That’s great, that’s exactly what our customer wanted, and it’s what any user-facing application should strive to do. Deploying Oracle ESSO, when managed properly, is one of those very unusual IT projects, though. Not only does it make things easier for end-users, it also makes things easier for IT support teams, helpdesk operators, auditors and a whole range of teams within the organisation. So it’s win-win all round.

But this is just the starting point. Oracle ESSO acts as a great launch pad for customers looking to further streamline credential management, giving users a better experience whilst also improving security and providing previously unavailable audit data. Stay tuned as we demonstrate how you can unlock the potential of Oracle ESSO.


Wednesday May 29, 2013

Understanding API management for mobile app security

Earlier this month I heard a customer talk about his experience with a recent Oracle API Gateway (OAG) implementation. OAG sits between your back end systems and your mobile applications to monitor and manage the messages that flow back and forth. One of the key functions of OAG is its ability to transform SOAP messages into other protocols, such as REST and JSON, which are optimized for mobile applications. This means you can expose business systems and data with a minimum amount of coding - and therefore create mobile apps very quickly.

After listening to his presentation, I asked him to identify some key points about OAG. Here is what he said:

  • Time to market – I would suggest that you could deliver solutions faster because you could leverage existing software assets.  In fact, delivering it fast but SECURE is the benefit.  Sometimes, they are separate but I think it’s worth noting.
  • New platform – New web paradigms such as web 2.0 (REST/JSON) can be tapped and be built on existing legacy solutions.
  • Paradigm shift – The security layer just isn’t about security anymore. The presentation layer has shifted to client deployment so the security layer is now the business layer. It’s more of an integration layer for UI and Non-UI scenarios. I’m actually more a desktop developer so it’s old hat to me. It’ll be new for a lot of web developers.
  • Thin air – You can make a service or application out of thin air.  This is against traditional coding styles but when you consider the value proposition, it’s hard to argue. 

He was careful to point out that OAG won't remove all coding tasks, and in fact he said that if you have a strong coding team, the end result would be even better.

Follow the link below to read more about OAG.


Tuesday May 28, 2013

See How Qualcomm Enforces Compliance with Oracle Identity Management

Qualcomm discusses the benefits of closed loop compliance remediation and other key features of Oracle’s latest Identity Management release, that enable them to meet business objectives, manage user access attestations, and enforce compliance.

Join us in watching this short video to understand how Oracle is enabling Qualcomm to meet and exceed their compliance goals with Oracle Identity Management. Click HERE to watch the video


Sunday May 19, 2013

Unified Directory Goes Virtual: IdM R2 PS1

Oracle Unified Directory has set the bar for performance. Built ground up to provide elastic scale, Oracle Unified Directory (OUD) is interoperable with all directories in the Oracle Directory Services Suite.

With the Patchset 1 release OUD now combines the capabilities of Oracle Virtual Directory. With a combined directory, organizations can lower operating cost by consolidating directory silos using a single directory server. Instead of having multiple infrastructures and separate administrators, a unified solution can provide better administrative ratios and economies of scale.

A unified solution helps organizations embracing the cloud with a single solution to provide high scale reads and writes for authentication and authorization. For cloud applications, a single directory can store location data, personalization data and provide a single interface for external data. 

For more information on getting started with Identity Management R2 PS1 click here for the documentation. You can learn more about Identity Management R2 PS1 from these resources:

Thursday May 16, 2013

Oracle On Demand Provisioning Service

The growing number of business applications and services that employees need to access makes it increasingly difficult for organizations to create and remove accounts and privileges in a timely fashion, and keep track of everything for compliance purposes. Help-desk costs related to manual account administration and password reset also prove challenging.

To learn more how Oracle can help your organization deal with these challenges by reducing costs, decreasing exposure and risk, and improving IT efficiencies through Identity Management, download our data sheet on Oracle On Demand Provisioning Service

Wednesday May 15, 2013

What Can Oracle API Gateway Do for You?

Author: Sid Mishra

The Application Programming Interface (API) is an emerging technology trend for integrating applications using web technology. Adoption of a cloud based computing approach using an API based model results in greater operational efficiencies and lower costs than many traditional IT deployments. The approach is gaining popularity because it is based on well-understood techniques and leverages existing infrastructure. APIs and traditional services in a SOA model have a 1:1 relationship: an API is the interface of a service. Services are about the implementation and are focused on the provider, while an API is about using the functionality, and is focused on the consumer.

However, as with any new technology, security is often a major inhibitor to adoption. A cloud service consumer or subscriber based computing model is associated with concerns over visibility into these services, less control over security policies, new threats facing shared deployment environments and complexity of demonstrating compliance. Also, it can be a mistake to think APIs should be secured using the same methods and technology used to secure conventional browser-centric web. While it is true that APIs share many of the same threats as the web and a consistent and centralized access control is a growing pain point for most deployments, APIs are fundamentally different from web sites and have a unique risk profile that must also be addressed.

Oracle API Gateway as a standards-based, policy-driven, standalone software security and API management solution provides first line of defense in Service-Oriented Architecture (SOA) and cloud environments. It enables organizations to securely and rapidly adopt Cloud, Mobile and SOA Services by bridging the gaps and managing the interactions between all relevant systems. Oracle API Gateway as a central access control point manages how internal users and application assets are exposed to outside cloud offerings and reduces cloud related security risks. It allows enterprises to leverage their existing Identity and Access Management investments by extending authentication, authorization and risk policies to mobile, cloud and enterprise applications – without requiring change to back-end applications and services. Oracle API Gateway as Mobile Access Gateway simplifies the process of adapting internal data, application and security infrastructure for mobile use. It provides a centralized way to control security and management policies for information assets exposed via internet APIs, to mobile applications and developers.

To learn more about API Management and secure cloud connectivity using Oracle API Gateway, refer to the product datasheet links here and here.

Monday May 13, 2013

What do your employees think of Identity Management?

Identity Management isn't exciting, it's not fun, in fact employees think Identity Management is downright restrictive, something to get around, something that limits productivity. What if you could hear what employees really think? I mean, hear what they REALLY think about IdM. Well now you can.

Our undercover investigative team has contacted and interviewed IdM to get the real story - not the sugar coated PowerPoint version of what is going on, we are talking about the no-holds barred, really dirty truth about IdM.  Register using this link to read the whole eBook interview and see what we mean.

Warning: this may not be suitable for new IdM professionals, and some content may not be suitable for the office.  Readers are cautioned to proceed at their own risk.

Friday May 10, 2013

UPMC to Secure Access for 75,000 IT System Users at Midsize Hospitals with Robust Identity Management Suite

Committed to developing and delivering life-changing medicine, University of Pittsburgh Medical Center (UPMC) is a US$10 billion, integrated, global health enterprise and one of the leading health systems in the United States. UPMC operates more than 20 academic, community, and specialty hospitals and 400 outpatient sites; employs more than 3,200 physicians; and offers an array of rehabilitation, retirement, and long-term care facilities. It is also Pennsylvania’s largest employer and the first nonprofit health system to fully adopt Sarbanes-Oxley standards.

A recognized innovator in information technology, UPMC has deployed an electronic health record across its hospitals and has implemented a semantic interoperability solution to unify information from multiple systems.

UPMC had an in-house-developed identity and access management system in place for eight years. As the healthcare organization’s identity management requirements continue to evolve and become more complex, it decided to move to a commercial, off-the-shelf offering and chose Oracle Identity and Access Management Suite. The solution will provide UPMC with the scalability it requires―managing identities and access for more than 75,000 system users, which include employees, as well as contract staff and medical students on rotation in the organization. It will also deliver the flexibility UPMC requires to continue to adapt its environment to accommodate new systems and requirements.

For the full article, click HERE

For more information on how UPMC and Oracle have partnered to help smaller hospitals with identity management, check our PRESS RELEASE.  

Wednesday May 08, 2013

Looking Back at The Biggest IT Security Failures

Earlier this morning, the feature on Biggest IT Security Failures on CFO Insight caught my eye. The article captures some of the more well known recent IT security incidents and discusses how these news stories may just be the tip of the iceberg. Bigger stories around cyber-espionage (check out the blog post from Oracle’s Ricardo Diaz on this subject) go unnoticed or unreported.

Looking at the companies mentioned, it is obvious that IT Security is not really about budgets. Or rather, it is not ONLY about budgets. If throwing money at the problem would have gotten rid of the problem that is "security breaches", big brands wouldn’t have made the headlines with these news stories. A smarter, Security inside out approach is called for. Secure the data where it resides, build in security within the layers from infrastructure, database, middleware to applications, and manage access to these systems. Adopt a platform approach to security so that your resources, all the way from infrastructure up to the applications, can leverage security processes and solutions in a standardized, repeatable and consistent way. This will also allow you to extend your security framework as your infrastructure grows or as you look to support applications in the cloud or mobile access. Build a sound security platform and then leverage it across it all and through time to maximize your existing investment. A standard security platform also eases your compliance burden since you will not be dealing with silo’ed information.

Take a look at Oracle’s platform approach to Identity Management and tell us what you think.

Sunday May 05, 2013

Good News For IT Audit: IdM R2 PS1

If you have downloaded the latest Identity Management release, then you will find these notes helpful. If you have not downloaded the latest release, you can download it here. This article is the first in a series that will explore new features in the R2 PS1 release. R2 PS1 is the latest release to continue the convergence of the Identity suite. If you are using Identity Manager for provisioning or Identity Analytics for access certification you will like the new converged Identity Auditor feature that provides integrated analytics directly in the provisioning process.

Now provisioning and analytics share a single integrated data model. This is good news for audit and compliance because it ensures that the data being certified is as recent as possible. For many organizations, by the time the certification actually takes place, the data being certified may be out of date. By having a single repository, the latest data from the provisioning process is used directly in the certification review. This removes the need for a compensating control.

The integrated data model has the added benefit of close to real time certification which means that changes to user entitlements can automatically trigger certification reviews without any integration necessary. The goal is to reduce the workload of access certification and keep the organization always certified.

For more information on getting started with Identity Management R2 PS1 click here for the documentation. You can learn more about Identity Management R2 PS1 from these resources:

Friday Apr 26, 2013

Globe Trotters Edition: The Economic Impact of Security

Author: Ricardo Diaz

News on cyber crime recently made front page news.

Vast majority of global cyber-espionage emanates from China, report finds -Washington Post April 2013.

The economic threat of cyber crime is serious; it has impacted and will continue to impact our daily lives, and unfortunately it has been a threat most businesses haven't taken seriously for decades. Rather, for decades, we have mis-directed our efforts to focus elsewhere as opposed to what really needs to be protected - our data or intellectual property. Economic Espionage is a threat you, your business and organizations you do business with should take a long, hard look at before your next security investment.

Mis-directed? You know what I am talking about. Consider what we think about the "real threat" of cyber crime. Some punk teenage hacker, hyped up on Redbull and Pixie Sticks, whose sole focus is to create havoc by breaking into your home PC or defacing your corporate website before he runs off to his next all night rave. This is the common portrayal of threat that we come across on media. Unfortunately this highlights a common misconception that most security threats are carried out to either hack your wallet or hack some government facility to crack into a top secret military facility.

Why would a major World Power be interested in our corporate data? Simple... It's the power of economics and competitive advantage! Most business executives understand the economic impact of losing corporate intellectual property to a competitor. What they don't understand is where the threat is coming from if this ever happens to them, and how frequently economic espionage attacks happen, and not from the traditional places or people we thought.

Still, how does this impact you? Well, "everyone gets burned if you think about it", is how a fellow security mate of mine put it. The cost of data loss = loss of credibility, stock price going down, liability lawsuits, cost of compliance, brand tarnished and maybe your job. It may impact your job because not enough investment may be made in your projects, additional resources or financial incentives cut down, meanwhile as you send out your résumé, how attractive is it to put that tarnished company name on it? Not very!

Everyone is impacted!

What specifically is under attack or being stolen? It's not the devices or the systems but the data on them. What is the bigger threat? Losing your iPhone or losing the data with those passwords on it? Yes, that's right... The threat of data loss, now more than ever, is not only on the inside of your business but now travels in the pockets, bags and purses of your employees every day. Thank you BYOD to work!!

So, what is to be done? Secure the data by building data security controls and access controls and of course building a compliance process around it all to keep it all in check and prove compliance. Realize security is not orthogonal to business growth/profit. Security can save the cost we talked about earlier and actually create business opportunity (reach out to new customers using secure social media, attract new talent with BYOD, bring agility with secure cloud). We just need to think differently about security: it is not wires, padlocks, just firewalls or multiple authentication controls; instead we should take a holistic approach to securing your data.

Hence why I love working at Oracle and with the global security team. There is no better place for a security technology aficionado than at Oracle. Massive R&D investments in security acquisitions (over $1 Billion In Identity Management since 2004), industry leading technology (Leaders position in Magic Quadrants in Identity Management for years), a plethora of thought leaders and cutting edge innovations (e.g. Oracle Mobile and Social Access Management - see SUPERVALU use case) are the hooks that have kept me planted at Oracle for the past 9 years. Where else can one find a security technology solution to enforce Separation-of-Duty (SoD) policy, automatically across the enterprise? Only Oracle.

The economic impact of security related threats to your business is real. Pay attention to WHAT is being stolen (corporate data - intellectual property) in these cyber crime attacks! In this day and age, gaining a competitive advantage has never been easier thanks to cyber espionage. Why develop or research when I can appropriate what I need via my competitor's weak technology infrastructure, information security policy and process??

This risk can be mitigated and reduced, significantly, by investing in a risk intelligent, Oracle enterprise security architecture, built to Secure the Digital Experience, Data Centers, Applications and The Cloud. Learn more at www.oracle.com/security

Image Courtesy: thehackernews.com, siliconangle.com


Who is Ricardo Diaz?

Husband, father, technologist, identity management, security and privacy adroit, CrossFitter, ESPN addict and dog lover!

For the better part of my 17+ years as an enterprise security architect, consultant or business advisor, I have traveled many miles across this great planet of ours, to sit down with customers to help evaluate and better understand what the real threats are, how important it is to protect their data/users and put the proper controls/policies/processes in place to mitigate risks.

Thursday Apr 25, 2013

Securing Your Cloud Experience the IRS way

This week we have focused our attention on how to secure cloud deployments since Security continues to be the biggest deterrent in adoption of cloud technology by enterprises. In fact, in a recent OAUG user group survey, 62% of organizations reported concern over losing visibility and control over their data and overall cloud strategy due to proprietary technologies.

The key then is to:

  • Identify the top security challenges with the cloud deployment and address those,
  • Recognize that Security silos only exacerbate the problem and do not address it,
  • Standardize with an integrated security platform that is extensible enough to support your on-premise and cloud deployments and offers end-to-end auditing and reporting.

Whether you are an enterprise looking to push applications in the cloud, host cloud services or build using cloud services, an IRS approach will allow you to enforce security, manage regulatory compliance and at the same time, reduce operational costs.

If you missed it, catch the screencast now.

And, download the informative whitepaper to learn how you can unlock the potential opportunities that cloud offers without compromising your user and data security. And, get the complete middleware picture on the Social, Cloud and Mobile imperative by visiting here.

Oracle Identity Management is built on the platform approach to allow you to leverage proven identity solutions across your entire infrastructure. We leave you today with a video of SaskTel, a leading communications provider in Canada, on how the company is leveraging Oracle Identity Management in-house to reduce OpEx and is also offering secure cloud services to its customers scaling the solution across millions of users.

Tuesday Apr 23, 2013

SUPERVALU Manages Access for 2000+ Tablet Computers to Bring Innovation in Business

SUPERVALU is a national grocery retailer and wholesaler with more than 2,200 corporate-owned stores and approximately 2,500 independent franchises. It is also one of the largest food distributors in the country, serving more than 4,300 retail end points via its supply chain and support services.

In our previous posts, we have shared with you a brief video featuring Phillip Black, IT Director for Identity and Access Management, SUPERVALU where he discussed how SUPERVALU is enabling their 2000+ store managers with iPads so they can spend more time interfacing with customers than navigating applications and inventory. Oracle Identity Management is the enabling technology for securing mobile access. We also discussed the IDC write-up on this topic and the recent announcement that was made.

Now check out this recently released snapshot that discusses how SUPERVALU is innovating business and unlocking the huge potential of social and mobile in the retail sector powered by Oracle Identity Management.

Friday Apr 19, 2013

A Recap of Security as a Business Enabler

This week, we talked about how a Security Inside out approach enables organizations to leverage security for their cloud deployments – whether public, hybrid or private. We will continue the conversation on cloud security next week.

Today, we recap our discussion on how Security today is not just about brand and reputation protection but it is actually a business enabler. Here’s a brief screencast with Oracle product marketing director for Security, Naresh Persaud, on how organizations can leverage security today to unlock the business potential from opportunities like cloud, mobile and social.

The key take away – build security within and at the get go but make sure to have a scalable approach to security. Oracle recommends a platform approach to security where security serves as a framework for your entire infrastructure and extends to your application & data in the cloud, or accessed across any device using social or other logins. Access this whitepaper to learn how you can have Identity Management for internet scale built in your IT program.

Feedback? We’d love to hear it. Do send us your comments.

Thursday Apr 18, 2013

How to Mitigate Risk in the Cloud

Yesterday we talked about how risk varies with the type of cloud deployment with public clouds posing greater risk than hybrid or private. Thankfully, a built-in security approach offers you protection for either of those deployments. Irfan Saif, Principal at Deloitte goes through the top 5 things you need to consider to mitigate the risk in the cloud and bolster security.

Watch the 3rd in the series of CIO Insights video and get the experts’ insights to find out how to build security in your cloud strategy. Mark Sunday, Oracle’s CIO hosts the executive panel.

Wednesday Apr 17, 2013

Different Clouds Equal Different Risks

Earlier this week, I posted the first in a series of three video CIO Insights series on the Top 5 Things to Look for in a Cloud Provider When It Comes to Security.

The second video here underscores the fact that not all clouds are the same. The risk level varies based on the type of cloud deployment. The risk increases proportionally with the distance from your enterprise, meaning as you go from private to hybrid to public cloud, the risk increases substantially. So, how do you manage risk and maintain audit control across your cloud deployments?

Watch this video where Oracle CIO, Mark Sunday discusses this very issue with Gail Coury, Vice President, Risk Management at Oracle and Irfan Saif, Principal at Deloitte. Learn how secure authentication and centralized authorization play a crucial role in securing your cloud deployment.

Monday Apr 15, 2013

Top 5 Things To Look For In A Cloud Security Provider When It Comes To Security

Recent surveys confirm that security continues to be the number one barrier in cloud adoption. The impact of a security breach or failure to meet regulation guidelines is too large to ignore. So, how do you keep control of security for your data and applications in the cloud?

Cloud security is a discussion that needs to happen between you and your cloud provider. This week we tackle an important aspect of cloud security – what are the top 5 things YOU need to ask your cloud provider when it comes to security. The CIO Insights Series explores organizations' top security and risk management considerations in the cloud as well as the framework for your security discussion with your cloud provider. Here’s the first in a three part CIO Insights Series video featuring an experts panel - Oracle CIO, Mark Sunday, Irfan Saif, Principal at Deloitte and the VP of Risk Management at Oracle, Gail Coury that tackles this important topic of discussion.

Friday Apr 12, 2013

Virgin Media goes underground with Oracle IDM - webcast wrap up

On Wednesday, we told you how Virgin Media used Oracle IDM to allow everyone riding the London Underground to use their free Wi-Fi service.

Perry Banton from Virgin Media and Ben Bulpett from aurionPro SENA delivered a great webcast where they discussed how the project was funded, the architecture they chose, and how they overcame the inevitable roadblocks to deliver world class Wi-Fi to the underground.

If you missed it, register here for the replay: http://event.on24.com/r.htm?e=558738&s=1&k=C9A6E9B7B1FD0238CF2816D5F8510694

We had some good questions about the project, so I'm putting them and the responses below:

Who sponsored the project within Virgin Media?

Mobile and Broadband Marketing teams were the main sponsors. These teams wanted to offer a value-add to the business. Providing a new service offering was compelling to the business.

With such tight timeframes what project approach did you use?

The start of the Olympics was a hard deadline, and free wi-fi was promised by the start. Agile planning, sprints, and checks were used. Short segments were rolled out. Personal devices were used to test the service, testing was very much crowd sourced – all available platforms had to be tested.

Is the service device specific?

No – a range of platforms were supported and tested. The requirement was to be device independent.

Why did you not build another large directory consolidating the back end LDAPs, instead of Oracle Virtual Directory?

There were some data ownership concerns, and the various departments didn’t want to give up management of their customer data. They also didn’t want to set up another LDAP, so a decision was made to use virtual directory technology. Virtual directory also provided a better platform for building future services.

How is the system managed and what service levels are required?

Geographically dispersed data centers were used. Performance and availability were considered a gold service within Virgin Media – which means there would be brand impact if the service became unavailable. Virgin and SENA provided real time management, with an incident response SLA within minutes of problem detection. Oracle Enterprise Manager was used to view system performance and availability.

How much of the service were SENA actually involved in?

Virgin and SENA have been working on architecture and roadmap for a long time. SENA are a gold Oracle partner with extensive experience in IDM implementations, so Virgin engaged SENA for the implementation and support services.

I'm not clear on why entitlements came into play. Were these VM customers authenticating with their email addresses? Was this not open to the general public and if so, I'm guessing you "relied" on whatever email addresses they provided?

OES came into play when VM launched the fee-paying service and only wanted certain customers to gain access based upon their subscription with VM. For the Olympics, only OVD was used, as a way of aggregating email addresses across the back-end platform, as the service was “open” to anyone with an email address.

Thursday Apr 11, 2013

Drive Innovation, Get Recognition: Oracle Excellence Awards Call for Nomination

Doing something different with your Identity Management implementation? Taking your deployment beyond basic automation? Solving unique challenges for your organization? Or contributing to business growth or innovation with your Identity Management deployment? Then you are the one who we want to hear from.

The call for nomination for the 2013 Oracle Excellence Awards for Oracle Fusion Middleware Innovation is now open. Submit your nomination for Innovation in Identity Management. These highly coveted awards honor customers like you with cutting-edge use of Oracle Identity Management solutions to solve unique business challenges or create business value. Winners are selected based on the uniqueness of their business case, business benefits, level of impact relative to the size of the organization, complexity and magnitude of implementation, and the originality of architecture. Aside from recognition from the IDM community and Oracle executives, customer winners receive a complimentary pass to Oracle OpenWorld 2013 in San Francisco (September 22-26) and will be honored during a special awards ceremony at Oracle OpenWorld. 

For consideration and follow-up, please send a note to Matthew Berzinski. And note that the call for nominations closes at 5 pm PDT on Tuesday, June 18, 2013.

So, give us a shout and get recognized for your work and accomplishments. We look forward to hearing from you.

Wednesday Apr 10, 2013

Virgin Media Secures Wi-Fi for London Underground with Oracle Identity Management

In preparation for London Olympics 2012 that would bring millions of additional passengers - athletes, support crews, vendors, and spectators to London, the task of providing free, secure Wi-Fi services to the London Underground went to Virgin Media.

Virgin Media is the UK’s first combined provider of broadband, TV, mobile and home phone services. Find out how Virgin Media used Oracle Identity Management, Oracle Virtual Directory, and Oracle Entitlements Server to leverage back-end legacy systems for the London Underground Wi-Fi project; systems that were never designed to be externalized.

Learn more about the Wi-Fi project and how Virgin Media is scaling the project to deliver true place-shifting—allowing subscribers to watch pay-per-view assets from any device, anywhere.

You may also want to check out the on-demand webcast with experts from Virgin Media, their implementation partner, aurionPro SENA and Oracle to get more context. And here's the link to a recent newsletter feature on Virgin Media's IDM implementation.

Questions? Send us your comments and we will get those answered right away.

Tuesday Apr 09, 2013

#PrivQA Chat Archive Published

Last week Michael Neuenschwander, Senior Director at Oracle, hosted a live conversation on Privacy on Twitter. We were honored to have Dr. Ann Cavoukian, Ontario Commissioner for Information and Privacy, join the #PrivQA chat and contribute actively to the discussion.

The conversation centered around recent privacy news stories like the Indian Government's project, Aadhaar and the privacy concerns around that among other current topics. There was discussion on private sector's role in enforcing privacy and security by embedding it in their strategy, processes and systems. The discussion also got into the difference between privacy and security and how one may facilitate the other but not necessarily enforce it. IDM and Privacy experts and enthusiasts also discussed how and why organizations can be motivated to think about embedding security and privacy from the get-go rather than bolt those on afterwards.

Here is the link to the discussion archive. We encourage you to continue the discussion and share your feedback. And if you have other topics in mind for a discussion, do let us know!

Wednesday Apr 03, 2013

Of Privacy, Security and Compliance – Facts and Such

FACT: Live tweet chat tomorrow, Thurs, Apr 4 at 10 am PDT/ 1 pm EDT, on Privacy featuring well known Privacy expert and the Commissioner for Information & Privacy for Ontario, Dr. Ann Cavoukian along with other industry thought leaders.

OPINION: Privacy is not the same as Security, which is not the same as Compliance. And yet you need all three not only to protect your brand and manage customer relationships but also to enable business growth via traditional, social, mobile and cloud computing channels.

OPINION: The common denominator across Privacy, Security and Compliance is Context. For Privacy, you need to be up front about what you are going to disclose, to whom, for what purpose, when and via what channel(s) and perhaps the scope of disclosure too. For Security, you need to understand authentication, authorization and administration context. Who needs access to what, when, for how long? And btw, has it been verified that you are who you say you are? If not, I’d need context for your user authentication. For compliance and audit, again the question – who has access to what, approved and administered by whom, when and what the person did with that access. So, context is key!

OPINION: Contrary to popular belief, Privacy, Security and Compliance are not at cross-hairs with business growth or user experience. Customers who know their information and interactions are secure when dealing with your organization tend to make for happy, satisfied and loyal customers. Allowing seamless yet secure access via social and mobile channels, or enabling access to cloud applications securely, is all part of the master plan to enable a friendly user experience and keep customer trust intact.

OPINION: No one size fits all for defining Privacy, Security and Compliance plans. Regions, industries, business units and more all add to the mix. So, while it makes sense to build in Security, Privacy and Compliance in your architecture plans versus bolting it on afterwards, IT or Privacy teams alone can’t be the sole stakeholders.

FACT: All opinions are incidentally up for debate and discussion. We will be hosting and participating in the Privacy conversation tomorrow. Feel free to challenge us, ask your own questions and add your commentary. #PrivQA tmrw at 10 am PDT/ 1 pm EDT on twitter

FACT: We look forward to hearing from you!

Tuesday Apr 02, 2013

You do know you are on camera...don't you?

On Thursday, Dr. Ann Cavoukian, Ontario's Commissioner of Information and Privacy will be joining the IDM team for a live Twitter chat about privacy.  Here are the details:


Live Twitter Conversation with the Ontario Commissioner of Privacy

Thursday, April 4, 10 a.m. PDT/1 p.m. EDT

Join on twitter using #PrivQA


This got me thinking about privacy, and how cameras have silently invaded all aspects of our lives.  Security cameras are not new: see the video below.

OK - it's clear this guy expected a camera to be on him when he breaks in, but somehow he didn't expect the camera to be watching him before...?  And, what's up with those crazy pants?  But, I digress...

Cameras in stores, cameras in office buildings, traffic cameras - and now that your phone is a camera, they are with you everywhere you go.  It used to be: "hey that's a good picture, can you email it to me?" now we say, "hey that's a good picture, can you post it on Facebook so everyone can see?"   Instagram has over 100M users now, and it's clear that the younger generation is definitely very comfortable sharing their pictures with anyone and everyone.

There used to be a lot more complaints and resistance to cameras being everywhere, with the fear that the government was getting into every aspect of our personal lives.  The truth is, we are voluntarily exposing ourselves!

So with cameras everywhere, is your life private? 

Securely Social SuperMarkets: SUPERVALU Embraces Secure Social and Mobile

Oracle announced today that SUPERVALU is leveraging Oracle Identity Management Release 2 to empower its employees to securely use social and mobile environments in an effort to bring efficiency and agility at grocery storefronts.

SUPERVALU is a leading grocery retailer and supply chain operator that has over 2000 retail locations and 2,500 independent franchises, as well as extensive supply chain services that are leveraged by the company, customers and government organizations across the country.

Powered by Oracle Identity Management, SUPERVALU’s advanced social and mobile strategy serves as an excellent example of how companies today are leveraging social and mobile to enable business and improve customer experience. Read the press release and take a look at this brief video we recorded with SUPERVALU’s Phillip Black.

What is your business case for social and/or mobile? Do tell.

Wednesday Mar 27, 2013

Why You Should Care About Privacy

Author: Phil Hunt

On April 4, at 10am Pacific, Oracle Identity Management (@OracleIDM) will be hosting a twitter conversation on privacy (#PrivQA). I am pleased to confirm that the Ontario Commissioner of Information & Privacy, Dr. Cavoukian will be joining the conversation. In particular, I would like to encourage privacy and security industry folks to participate. For more information, see our recent newsletter Q&A (http://www.oracle.com/us/dm/nsl100162749-qadrcavoukian-1919966.html) with links to her whitepaper on privacy by design (PbD).

Privacy is an issue that has been of concern to myself and many other industry professionals. Most of us continue to be amazed that for the most part, both users and the application developer community simply do not care. When the subject arises, eyes immediately shut with yawns soon to follow. 

Yet, every day, more and more problems emerge in the industry that are leading to monetary and even physical harm. For example, financial fraud appears to be exploding, fuelled by easy access to personal information available on social services. Fraudsters combine social demographic information to leverage weak classic communications media like fax and telephone to convince financial institutions to transfer funds (http://www.fcac-acfc.gc.ca/eng/consumers/fraud/onlinefraud/social/). In another case, access to private information in Google apparently enabled hackers to compromise Mat Honan's Apple accounts, even remotely wiping out his laptop, iPad, and iPhone (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/). Here, where I live in BC, there is the sad story of Amanda Todd, who was bullied to the point that she committed suicide. Was this a lack of privacy? Was there a lack of appropriate anonymity? Was this poor system design? We are only just beginning to understand how far-reaching privacy issues can be.

These cases also show there are some interesting relationships between anonymity, privacy, and security that need further exploration. Do I need to be anonymous? I live an honest life, why do I need to keep my personal information private? Why should I care about anonymity? The system is secure, right? Nobody asks who the security is intended for. What motivates the service providers? What damages do they face in the event of real losses? We are now discovering that while we may have the best of intentions, the fraudsters out there do not. Boring as the subject of privacy may seem, we should all be worried. We should all care.

Dr. Cavoukian's efforts to get our industry to start thinking about Privacy-by-Design are to be applauded. I'm not sure where this will go, but I'm glad this conversation has started. Remember to join in the twitter conversation on April 4 at 10AM (Twitter hashtag #PrivQA).

About the Writer:

Phil Hunt joined Oracle as part of the November 2005 acquisition of OctetString Inc., where he headed software development for what is now Oracle Virtual Directory. Since joining Oracle, Phil works as CMTS in the Identity Standards group at Oracle, where he developed the Kantara Identity Governance Framework and provided significant input to JSR 351. Phil participates in several standards development organizations such as IETF and OASIS, working on federation, authorization (OAuth), and provisioning (SCIM) standards. Phil blogs at www.independentid.com and has a Twitter handle of @independentid.


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

