Sunday Nov 24, 2013
By Naresh Persaud-Oracle on Nov 24, 2013
Governments have often been the slowest to adopt new technologies - not any more. This video from the UK government's digital services strategy shares a vision for citizen services that will inspire. This phenomenon is not isolated to the United Kingdom. Across the world citizens are paying more in taxes and demanding better services. All of this is changing the way governments are thinking about security. The new experience is cross channel: mobile, social and online. If we are lucky we may never have to go back to the department of motor vehicles again.
The Pressure to transform:
Monday Nov 18, 2013
By Greg Jensen on Nov 18, 2013
Mobile computing has proven to be a game changer, revolutionizing the way we work, communicate and connect. Arguably, this revolution can trace its roots back to the ‘Personal Computer’, which freed individuals and organizations from the centralized mainframe operating model, and we haven’t looked back since. But what’s remarkable about mobile computing is the unprecedented pace of change and innovation it has brought about. Mobile devices are penetrating and transforming businesses today far faster than any previous generation of computing technology, including laptops and desktops.
Today, "going mobile" means a lot more than just modifying the content to fit a browser on a small screen size. Infrastructures can no longer afford to limit remote or mobile access to browser-based functionality. Users need access to more applications and data, from a wider variety of mobile and wireless devices.
Mobile device capabilities have reached new heights, which in turn has spurred demand for rich mobile applications that require access to private enterprise data in order to deliver functionality. These applications have become indispensable tools for end users. They are being inextricably woven into day-to-day business operations in an effort to improve productivity. In spite of the complexity, these devices are becoming a critical component of the computing environment because of their versatility.
Perhaps the single biggest driver of the mobile revolution has been the widespread adoption of “Bring Your Own Device” or “BYOD.” BYOD is the policy of permitting – or even encouraging – employees to bring personally owned mobile devices (laptops, tablets and smart phones) to their workplace, and to use those devices to access privileged company information and applications. Seemingly overnight, BYOD has supplanted the traditional policy of permitting only “corporate-liable” or “CL” devices, those that are owned and issued by the company.
The Benefits of BYOD
BYOD fosters business process efficiency by allowing employees to complete their tasks at any time and from anywhere – whether they are sales representatives, technical analysts in the field, customer-facing employees, manufacturing reps and the like. Every one of these employees needs access to data, which can enable them to make the right decisions, answer queries, come up with proposals, close deals and execute other vital tasks.
The benefits of BYOD include:
- Improved workplace flexibility and productivity with secure "anytime, anywhere" access for employees. It promotes employee satisfaction. It also increases effective employee work hours in small increments per week, which in turn translates to a greater throughput from the workforce.
- Increased sales revenues from quick, reliable access to business-generating applications on employee-owned devices.
- Competitive appeal for market leadership and recruiting. Adopting innovative technology solutions such as mobility is valued by organizations for maintaining competitive positioning in their respective marketplaces.
- Reduced costs for acquiring, distributing and replacing corporate-liable (CL) devices.
- Reduced complexity and costs from internally maintaining the mobility infrastructure.
- Decreased help desk support with a reduction in the number of inbound calls for CL devices.
This is definitely not an exhaustive list, but it covers the common factors fueling BYOD adoption.
Imminent Challenges and Risks
It's not too difficult to lose a smart phone or tablet, resulting in confidential data being exposed to untrusted entities. Thus, accessing and storing corporate data on private devices presents unique security challenges to the enterprise. The IT security team and the CIO office are now dealing with questions such as:
- Do our enterprise applications qualify as “secure” and “cloud ready”?
- How do we manage security of the enterprise applications in a scenario where a plethora of mobile devices connect to them for accessing sensitive data?
- How can my company enable social trust as a means of connecting to customers and employees?
- What about securing the digital and intellectual property which has been exposed as a result of the BYOD scheme?
Some of the inevitable challenges for organizations adopting BYOD include:
- Handling the deluge of BYOD demand (tablets, smart phones, smart watches and more)
- Adapting to costs and risk that are no longer "per user" but rather "per device"
- Avoiding the risk of revolt when applying corporate lock-downs and restrictions on devices owned by the employee
- Addressing the increased threats associated with mobile
- Obtaining increased budget to address the risk of mobile
- Adopting configuration management to reduce vulnerability exposure
- Managing what apps are allowed
- Determining how to track and manage a personal device the same way as a CL device without violating personal privacy
- Using mobile as an "enabling" component to the business instead of a roadblock
There are four primary areas that are putting consumers and enterprises at risk on mobile platforms:
- Access-based attacks – Privileged users who have access to more data than they should, or who use legitimate access to steal confidential data and share or use it in ways that harm the organization.
- Device loss – Loss or theft of a corporate or personal device that holds confidential data on the device itself or in secondary memory.
- Rogue malicious apps – Applications that have been compromised by attackers and posted on various app stores, carrying hidden payloads that steal data, initiate connections, commit outbound toll fraud, or serve as a launching point for attacks inside a trusted corporate network.
- SMS attacks – Unwanted inbound SMS messages from attackers that trick users into taking actions that can lead to installation of code or to increased carrier-based charges.
Identity and Access Management to the Rescue
Luckily, corporations facing these risks and challenges don’t have to go it alone. The field of Identity and Access Management (IAM) has evolved just as rapidly with solutions designed to address key aspects of BYOD adoption:
- Mobile Device Management (MDM)
- Mobile Identity Management (MIM)
- Mobile Application Management (MAM)
IAM solution providers, including our company, Simeio Solutions, have seen tremendous growth in these areas, with new tools, technologies, methodologies and best practices designed to help organizations adopt BYOD securely and effectively.
The need of the hour is seamless and secure digital connectivity for cloud and mobile integration in order for BYOD to prosper.
Here is where a product like Oracle Mobile and Social Access Management comes into the picture. Oracle Mobile and Social Access Management is a solution which enables an organization to secure mobile access to its enterprise applications. It includes a server which acts as a “secure wall” between external mobile client applications and the enterprise applications and data stores (which the mobile applications eventually access), leveraging the existing back-end identity infrastructure services to regulate the interaction between the two.
Oracle Mobile and Social Access Management Offerings
The Oracle Mobile and Social Access Management solution includes features in each of the following key areas: MDM, MIM and MAM.
Mobile Device Management
- Device Enrollment – Oracle Mobile and Social Service components enforce device registration as a prerequisite to granting access to sensitive enterprise applications/data. A “Client Registration Handle” is used to process first-time device registration post user authentication via the Mobile and Social server.
- Device Fingerprinting – Mobile and Social Access Server leverages the service from Oracle Adaptive Access Manager (OAAM) in order to deliver functionality such as Device Fingerprinting. OAAM provides capabilities such as One Time Password (OTP) and Knowledge Based Authentication (KBA) based on policies and risk assessments.
- Device Blacklisting – Oracle Mobile and Social Access Services address the inherent risk of smart phone thefts. It provides capabilities to blacklist/block insecure devices and/or wipe out sensitive security information on the device as per threat levels.
Mobile Identity Management
- Mobile User Authentication – Oracle Mobile and Social Services facilitate delegation of mobile user authentication to existing and trusted components such as Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM, for strong authentication).
- Mobile User Authorization – Oracle Entitlements Server (OES), a fine grained authorization server, is leveraged to provide authorization services for mobile users based on its policy driven decision engine in order to enforce appropriate access for mobile users to backend enterprise applications.
- Social Identity support – Oracle Mobile and Social Services facilitates the usage of social internet identities such as Facebook, Twitter, Google, LinkedIn, etc., for signing on users to less sensitive applications. Many of these providers are based on open standards such as OpenID and OAuth, and this in turn can be leveraged to provide rich user experiences.
Leveraging Social Identities
Mobile Application Management
- Mobile Apps Single Sign-On (SSO) – A mobile user can run many mobile applications on the same device without having to authenticate to each application individually. The out-of-the-box software development kit (SDK) shipped as a part of Oracle Mobile and Social can be used to build and configure Mobile SSO agents which can be used as a centralized point from where authentication and SSO can be managed. SSO functionality is also available to web-based applications in addition to inter-application SSO.
- Application Registration – In order to strengthen mobile application security, Oracle Mobile and Social services ensure application registration before allowing access to sensitive data housed within enterprise applications.
Oracle Mobile and Social Access: The Big Picture
Mobile computing is here to stay. Along with its many luxuries, its penetration has introduced new complexities and challenges to organizations. They cannot afford to fall back on user awareness and user agreements to provide security. The question is no longer about allowing or denying mobile access. The question for today is about effective management.
This post is just the first in a 4-part blog series. In our next post, we’ll have in-depth coverage of Mobile Device Management (MDM).
About the Author
Abhishek Gupta is a Senior IAM Engineer at Simeio Solutions. He has over 5 years of experience in the IAM space and has been involved in design, development and implementation of IAM solutions for Simeio's customers with a prime focus on Oracle IAM Suite.
Friday Nov 08, 2013
By Greg Jensen on Nov 08, 2013
Is your organization just starting to plan for Identity Management 11gR2? Are you unsure what the technical and business value gains are in upgrading to Oracle's 11gR2? Or are you planning the upgrade and just unsure what to expect?
In this webinar, experts from Oracle and AmerIndia will discuss the new features of 11gR2, latest market trends, and how IAM transforms organizations. In addition, planning and implementation strategy of the upgrade process will be discussed. The presenters will also share success stories and highlight challenges faced by organizations belonging to different verticals and how Oracle’s solutions and AmerIndia’s services addressed those challenges.
- Market trends and 11gR2
- Planning an upgrade
- Approach and Implementation Strategy
- Success stories
Wednesday Oct 30, 2013
By Greg Jensen on Oct 30, 2013
For Registration and Information, please follow the link HERE
Sign up for one of the following events below
Americas - Tuesday - November 19th / 9am to 1pm PDT / 12pm to 4pm EDT / 1pm to 5pm BRT
APAC - Thursday - November 21st / 10am - 1:30pm IST (India) / 12:30pm - 4pm SGT (Singapore) / 3:30pm -7pm AESDT
EMEA - Tuesday - November 26th / 9am - 1pm GMT / 1pm - 5pm GST / 2:30pm -6:30pm IST
Wednesday Oct 09, 2013
By Naresh Persaud-Oracle on Oct 09, 2013
Every business is looking to take advantage of the new digital experience to connect with customers. This has become the new strategic imperative of companies all around the world. A recent article in the Sloan Management Review provides some insight into the barriers organizations are facing as they embrace the digital transformation.
For many customers, trust is an important barrier to engaging. Ease of use without security and trust is not enough to get customers to participate. For a more detailed analysis or bedtime reading on how the trust deficit reduces business activity, this Wall Street Journal article on "How the trust deficit is hurting our economy" provides some good evidence. The net effect is that our level of economic activity is directly related to our level of trust in the institutions we do business with, from banks to online retail stores.
For many organizations, security and trust are the major barriers to enabling customer participation in the digital revolution. The video below was recently created by the customer experience campaign to highlight how experience is critical to customer loyalty.
Friday Oct 04, 2013
By Greg Jensen on Oct 04, 2013
As more organizations develop mobile applications that access ever-increasing levels of sensitive data, it is critical that standard security policies can be applied, whether coding native, hybrid or mobile browser-based applications. This session, from OpenWorld 2013, will teach you how to code your mobile applications to gain access to Oracle's Mobile Access Management services including device registration, authentication, authorization, step-up authentication and single sign-on. If you missed this, or would like a second opportunity to see this presentation in slide form, join us by checking out "Developing Secure Mobile Applications" today.
Tuesday Oct 01, 2013
By Naresh Persaud-Oracle on Oct 01, 2013
A recent Cisco report estimates that by 2020 there will be more than 50 billion devices worldwide while the human population will still be under 8 billion people. This short-term trend will change the landscape of identity and access management and change the security requirements of enterprises everywhere. While today security executives are concerned with mobile phones and laptops, tomorrow they will be concerned about automobiles, aircraft and projectors on their networks. Each device is a new identity, and each user that interacts with the device has a separate context. As a reference, see the paper Identity at Internet Scale. Here are some of the new security requirements:
- Multi-user devices
- Dynamic user volumes
- User authentication on the device
- Service availability
- Encryption of data at rest and in flight
- Secure container on the device
- Device authentication
- User authentication
The devices themselves will interact very differently, since they must now communicate with other devices and with humans. Here is a great YouTube video that paints a very interesting and perplexing picture of the future.
From the video, a few interesting things happen.
- The device communication is very personal and follows our social media conventions
- The devices must trust the people involved in the interaction and people have to trust the devices
- The scale of the interaction grows geometrically as more devices and users collaborate
Here are the slides from the recent CSO Summit at Open World. Oracle's approach is a singular platform for all devices that manage device identity and user identity.
Oracle OpenWorld 2013: Leveraging the Cloud to simplify your Identity Management implementation (CON8836)
By Greg Jensen on Oct 01, 2013
Applications moved into a managed cloud environment need Identity and Access Management services to ensure user accounts, passwords and roles are all managed properly for the purposes of security and audit. In this session, we’ll discuss the key considerations for a Hosted Private Cloud deployment of Oracle applications integrated with Oracle Identity Management Suite to provide self-service account provisioning and federated Single Sign-on (SSO) for an organization’s internal and external users. You will also hear from a customer on how their key business requirements were addressed with Managed Identity Services from Oracle running at Oracle. This was one of many highly attended conference sessions at this year's Oracle OpenWorld 2013. If you missed this, or would like a second opportunity to see this presentation in slide form, join us by checking out "Leveraging the Cloud to simplify your Identity Management implementation" today.
By Greg Jensen on Oct 01, 2013
With new computing technologies transforming business, is your underlying directory infrastructure ready to support mobile, cloud and social networking? How can you simplify your directory architecture while delivering high scalability, availability and performance? How can you leverage the directory to easily make your applications location-aware and social-relationship-aware? How do you migrate existing directories to OUD? How do you optimize OUD performance on T5/T4 hardware? This was one of many highly attended conference sessions at this year's Oracle OpenWorld 2013. If you missed this, or would like a second opportunity to see this presentation in slide form, join us by checking out "Next Generation Optimized Directory" today.
Monday Sep 30, 2013
By Greg Jensen on Sep 30, 2013
Access governance has become more complex as regulations have increased and audit controls now span multiple applications. Audit requirements for single applications are simple by comparison to multiple-system requirements. As the number of applications increases, streamlining becomes more important. In this session, David Cusick, Group Information Security Director at Zurich Insurance, shares his learning experiences from streamlining access governance. Join David for an encore presentation of this webcast, hosted by ISACA.
Friday Sep 27, 2013
By Greg Jensen on Sep 27, 2013
John Houston, Vice President of Privacy and Information Security and Associate Counsel at UPMC, and President of CloudConnect Health IT, presents this informative webinar, in which he discusses how IdM allows health care organizations to securely unlock the potential of health care IT. Join us for this encore presentation with John Houston!
Monday Sep 23, 2013
By Greg Jensen on Sep 23, 2013
Is your organization emphasizing an approach of developing privacy and security within every aspect of your application architecture? Are you a software developer struggling to understand how to merge privacy and security into your code? Are you a systems integrator working to keep up with the latest regulatory, compliance and privacy needs and how to bring these into your customers' solutions? Or are you a corporate CISO/CIO wanting to understand how your organization should be developing the strongest privacy and security processes?
Today, we are pleased to announce publication of a paper entitled “Privacy and Security by Design: An Enterprise Architecture Approach,” written by Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada, and co-authored by Mark Dixon from Oracle.
In the foreword to the paper, Dr. Cavoukian wrote:
In an earlier paper with Oracle, we discussed the convergence of paradigms between the approach to privacy I have long championed called Privacy by Design, and a similar approach to security called ‘Security by Design.’ The current and future challenges to security and privacy oblige us to revisit this convergence and delve deeper. As privacy and security professionals, we must come together and develop a proactive approach to security – one that is indeed “by design.” To this end, I am delighted to be partnering with Mark Dixon, Enterprise Architect, Information Security, at Oracle Corporation, on this joint paper.
This paper has two key objectives:
- Define a set of foundational “Security by Design” principles that are modelled upon and support the 7 foundational principles of Privacy by Design.
- Illustrate an enterprise-level process for defining and governing the strategic journey of Security by Design through an enterprise architecture approach.
To achieve these objectives, the paper includes the following major sections:
- Foundational Principles of Privacy by Design
- Foundational Principles of Security by Design
- The Enterprise Security Journey
This is a great opportunity to hear some of the best practices being recommended by both Oracle, and leading government agencies to understand how Privacy and Security should be factored in, across the board.
Click on the link to get access to the Privacy by Design page, which hosts not only the whitepaper but also a great video with Ann Cavoukian outlining some of what you will learn in this paper. We hope this paper will assist developers, integrators and enterprises to deliver stronger security and better privacy for all of their stakeholders – a win/win proposition.
Wednesday Sep 18, 2013
By Greg Jensen on Sep 18, 2013
Is your organization prepared for the expanding roles of mobile & cloud, and the enabling capabilities of REST-based APIs and Web services?
API Management: Enable Your Infrastructure for Secure Mobile and Cloud Use CON8817 will explore how organizations are able to launch mobile and cloud applications with little or no change to their existing systems by leveraging Oracle’s complete mobile access management solution. In addition to presenters from Oracle, this session will also feature Peter Tsatsaronis (nab) and Matt Topper (UberEther, Inc).
Plan on attending this session on:
Tuesday, Sep 24, 5:15 PM - 6:15 PM - @ Moscone West - 2017
Tuesday Sep 17, 2013
By Greg Jensen on Sep 17, 2013
Why do you have so many virtual identities? Most individuals currently have an internet mail identity, several social networking identities, and corporate virtual identities...and don’t really want more identities to manage.
Attract New Customers and Users by Leveraging Bring Your Own Identity (BYOI) CON8834 explores the trend of enabling people to identify themselves by using popular social networking identities to access business services. Presenting in this session will be Vikas Mahajan (AARP), Robert Arnaud (BeachBody) and Jie Yin (Oracle Product Management).
Plan on attending this session on:
Tuesday, Sep 24, 3:45 PM - 4:45 PM - @ Moscone West - 2018
By Greg Jensen on Sep 17, 2013
Online communication has been transformed by the advent of effective mobile computing, and more organizations are providing employee and customer access to services via mobile devices.
Securely Enabling Mobile Access for Business Transformation [CON8896] will review the security and usability concerns that are further compounded by bring your own device (BYOD) policies. In addition to speakers from Oracle, this session will also include presenters Arup Thomas (Verizon Wireless) and Abdullah Togay (Ministry of National Education).
Plan on attending this session on:
Tuesday, Sep 24, 12:00 PM - 1:00 PM - @ Moscone West - 2018
Saturday Sep 14, 2013
By Naresh Persaud-Oracle on Sep 14, 2013
If you are attending Leaders Circle this year, be sure to catch the CSO Summit. This year will feature several customer case studies and a panel discussion featuring Mary Ann Davidson, Oracle's CSO and Chris Gavin, Oracle's VP of Information Security. Below are a few links to previous CSO Summit talks that you may find interesting.
CSO Summit Recorded Presentations:
Thursday Sep 12, 2013
By Greg Jensen on Sep 12, 2013
Enterprises deploy Information Technology (IT) applications in various ways today. They may use on-premise physical servers, virtualization, private clouds, public clouds, or a combination thereof. In all cases, the main goals include improving the ease of application deployment, increasing system performance, providing security across the enterprise, and ensuring contained costs.
By Greg Jensen on Sep 12, 2013
Are you attending Oracle OpenWorld 2013? What are you doing to manage access to information, from any device, anytime...and from anywhere?
Customers expect consistent levels of service across laptop, tablet, and smartphone, but the very nature of mobile computing introduces a whole new range of security concerns, such as device type and configuration, location, type of connection, data to be accessed, and transactions to be performed. All of these factors are to be evaluated at runtime in an authentication and authorization decision. Essentially, a security system must adapt to changes in context and risk level at the time of the request. This session will help you understand how Oracle’s access management technology intelligently reacts to changes in context across a variety of devices to maximize levels of security and control. REGISTER NOW for this session at this year's Oracle OpenWorld 2013. For a complete listing of Security focused tracks at this year's OOW2013, please click HERE
Monday Sep 09, 2013
By Greg Jensen on Sep 09, 2013
Join John Houston, Vice President of Privacy and Information Security and Associate Counsel at UPMC, and President of CloudConnect Health IT, for this informative webinar series, in which he discusses how IdM allows health care organizations to securely unlock the potential of health care IT. REGISTER
Identity and Access Management: Coming of Age in Health Care
September 11, 2013
2:00pm EDT/11:00am PDT
The use of IdM allows a health care provider to enforce appropriate access to its health care applications. IdM is also critical to improving efficiency and enabling support for new technologies like mobility. Attendees will learn how this unique blend of market-leading technology and health care identity management expertise will allow your organization to affordably access the many benefits of IdM. To join part 1 of this 3-part series, click below to REGISTER:
Friday Aug 23, 2013
By Greg Jensen on Aug 23, 2013
As organized cyber-attacks become more sophisticated and targeted, organizations, particularly those in the financial and health sectors, have come under strict regulations. The growing security risks from internal and external sources have brought focus on preventive and detective controls working together to protect data. In this edition of the Oracle IAM blog series, we will take a look at how an organization can leverage Oracle’s Identity and Access Management technologies in conjunction with Oracle’s database security offerings.
Traditionally, encryption has been considered the required approach to protecting information. However, complex information systems have led to the implementation of a defense-in-depth approach to database security that includes stronger preventive and detective controls. In addition to encryption, preventive measures should also include restricting access to data within the organization. Compliance requirements, on the other hand, have driven adoption of detective controls such as database activity monitoring and auditing. Detective controls complement preventive controls by filtering attempts to connect to the information system, generating activity reports, and helping investigations of potential breaches.
A common concern identified in several organizations is the lack of insight into the access users have. This usually stems from multiple points at which users are created manually and from ad-hoc processes, such as a phone call, to grant access to applications. By relying on incoherent manual processes to provide, monitor and audit user access, the organization risks drastic implications for the privacy and integrity of its information. Deloitte approaches this problem by leveraging solutions like Oracle’s IAM stack to proactively restrict database access by defining user profiles and centrally managing the user life cycle. This, coupled with preventive and detective controls, can offer a holistic approach to securing information.
Separation of Duties
Separation of duties is an important component of managing user access because it divides responsibility for sensitive tasks among multiple people, so that no one person holds all the power. Oracle Database Vault, an add-on to Oracle Database, protects against insider threats by restricting read/write access to sensitive data. For example, an administrator can be allowed to increase or decrease the size of a table but, given the role, will be denied read/write access to the contents of the table. By securing access to the data based on multi-factor policies such as application, IP address, and other pre-determined factors, organizations have granular control over what, when, where, and how users can access sensitive data.
Deloitte’s strategy lets the client manage access to its data layer by separating approach vectors, such as internal or external clients, or by type of access, such as web and mobile applications. Oracle Access Manager helps control users’ access to web applications, and Oracle Entitlements Server allows administrators to control what a user can see within an application.
The first step in this direction is to adopt a least-privilege approach, ensuring that each user has a base profile that grants minimum access to the database. These profiles can be configured through Oracle Identity Manager (OIM). If a user’s business function requires elevated access, it can be requested. Access requests can be made through a central portal and provisioned automatically through OIM. The requirement for approvals adds a layer of control for the client over what a user can view or modify.
In order to have granular access control, the information stored within the database should be ranked based on sensitivity; this can be achieved by deploying Oracle Label Security (OLS). With OLS in place, only users with read/write access to sensitive information will be able to interact with the data. Level-based access to data is determined by comparing a user’s profile with the level assigned to the data. These data ranks are defined according to the organization’s requirements, with the highest level assigned to the most sensitive information. For finer security controls, data is put in “compartments” that can have their own levels. For example, the financial compartment can have the highest level ranking.
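An added illustration, not Oracle's or Deloitte's code: a small Python model of the per-row label comparison that OLS performs, using the levels and compartments the paragraph describes. The level names, compartment names, user profiles and sample rows are all constructed; the read/write rules follow the standard label-dominance checks (user level must dominate the row level, and the user must hold every compartment on the row).

```python
"""Added example, not Oracle's code: a model of label-based row access of the
kind Oracle Label Security enforces.  Levels, compartments and rows below are
constructed for illustration."""
from dataclasses import dataclass

# Constructed level ranking: a larger number is more sensitive, and the
# highest level is reserved for the most sensitive information.
LEVELS = {"PUBLIC": 10, "INTERNAL": 20, "CONFIDENTIAL": 30, "RESTRICTED": 40}


@dataclass(frozen=True)
class DataLabel:
    """Label attached to a row: one level plus zero or more compartments."""
    level: str
    compartments: frozenset


@dataclass(frozen=True)
class UserAuth:
    """Label authorizations held by a user (modelled on OLS user labels)."""
    max_level: str                 # most sensitive level the user may read
    min_level: str                 # least sensitive level the user may write to
    read_compartments: frozenset
    write_compartments: frozenset  # must be a subset of read_compartments

    def __post_init__(self):
        for lvl in (self.max_level, self.min_level):
            if lvl not in LEVELS:
                raise ValueError(f"unknown level {lvl!r}")
        if LEVELS[self.min_level] > LEVELS[self.max_level]:
            raise ValueError("min_level may not exceed max_level")
        if not self.write_compartments <= self.read_compartments:
            raise ValueError("write compartments must be a subset of read compartments")


def parse_label(text: str) -> DataLabel:
    """Parse the short 'LEVEL:COMP1,COMP2' form; compartments are optional."""
    level, _, comps = text.partition(":")
    level = level.strip().upper()
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    compartments = frozenset(c.strip().upper() for c in comps.split(",") if c.strip())
    return DataLabel(level, compartments)


def can_read(user: UserAuth, label: DataLabel) -> bool:
    """Read: the user's max level dominates the row level AND the user holds
    read authorization on every compartment of the row."""
    if LEVELS[label.level] > LEVELS[user.max_level]:
        return False
    return label.compartments <= user.read_compartments


def can_write(user: UserAuth, label: DataLabel) -> bool:
    """Write: the row level lies within [min_level, max_level] AND the user
    holds write authorization on every compartment of the row."""
    rank = LEVELS[label.level]
    if not LEVELS[user.min_level] <= rank <= LEVELS[user.max_level]:
        return False
    return label.compartments <= user.write_compartments


def visible_rows(user: UserAuth, rows):
    """Row-level filtering: keep only the rows the user is allowed to read."""
    return [row for row in rows if can_read(user, parse_label(row["label"]))]


# Constructed sample table; "label" stands in for the column OLS adds to rows.
ROWS = [
    {"id": 1, "name": "Cafeteria menu",       "label": "PUBLIC"},
    {"id": 2, "name": "Q3 revenue forecast",  "label": "CONFIDENTIAL:FIN"},
    {"id": 3, "name": "Salary bands",         "label": "CONFIDENTIAL:HR"},
    {"id": 4, "name": "Merger due diligence", "label": "RESTRICTED:FIN,HR"},
]

# Least-privilege base profile: internal data only, no compartments.
BASE_PROFILE = UserAuth("INTERNAL", "PUBLIC", frozenset(), frozenset())
# Elevated profile a finance analyst would obtain through an approved request.
FINANCE_ANALYST = UserAuth("CONFIDENTIAL", "INTERNAL",
                           frozenset({"FIN"}), frozenset({"FIN"}))

if __name__ == "__main__":
    for name, user in (("base profile", BASE_PROFILE), ("finance analyst", FINANCE_ANALYST)):
        print(name, "sees rows", [r["id"] for r in visible_rows(user, ROWS)])
```

Row 4 stays hidden from the analyst even though the FIN compartment is held, because the RESTRICTED level is above the profile's maximum; row 3 stays hidden because the HR compartment is missing.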
As mentioned above, Oracle Database Vault provides security by preventing access. There is a lot that can be done to secure information above the data level. Database defense-in-depth also includes database activity monitoring and auditing. Oracle Audit Vault and Database Firewall monitor database traffic to detect and block threats. The tools help improve compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources. The following illustration shows how the two can work together:
Logs from the Database Firewall and other systems in the network can be fed into the Audit Vault. Then, custom and template-driven database activity reports can be generated to help address compliance and regulations.
Deloitte suggests organizations establish a database defense-in-depth strategy that includes multiple layers of both preventive and detective security controls. By logging the entire process of user account creation, granting access, changing roles, and user account termination, the organization has a 360-degree approach to access governance. Detective controls add valuable context for investigations and provide a critical layer of security during a breach incident. If network firewalls are bypassed, or in the case of an insider threat, preventive controls can offer a strong defense. Since these security controls are granular, they can be effectively configured to limit employees to their day-to-day activities. Identity and access management helps set up workflows for provisioning and defining roles to limit access; this, coupled with encryption, activity monitoring and reporting, forms a holistic defense-in-depth approach to security and compliance.
Wednesday Aug 14, 2013
By Greg Jensen on Aug 14, 2013
In this edition of the Oracle IDM blog, we’ll look at a case study for integrating Oracle Identity Manager (OIM) 11g with Oracle Governance, Risk, and Compliance (GRC) as part of an enterprise deployment and an integrated risk management strategy. We will incorporate specific use cases that leverage an integration of the two solutions to address risk and promote operational efficiency for routine tasks such as access requests and certification. In addition to the primary focus between OIM and GRC, we will also highlight how Oracle E-Business Suite (EBS) roles are defined, synchronized, and provisioned using a combination of these two solutions, providing an end-to-end integrated solution of the Oracle “suite.”
When we think about Identity Management, we often relegate it to the IT Security or Infrastructure groups, where it is traditionally used to address manual security and administration functions such as creating accounts (e.g., “hire and fire” scenarios), granting additional entitlements, and providing report-outs on information access for audit purposes. As identity systems improved their ability to manage the access they provisioned, it became clear that there was a powerful relationship between IAM and GRC initiatives to better manage enterprise compliance in an integrated, less redundant fashion.
In many organizations today, GRC initiatives are often spread across multiple infrastructure silos and managed by different business units or IT groups. Tackling the constantly evolving regulatory requirements, coupled with increased business complexity, may present an uphill battle for a compliance department within the organization. Organizations are being asked not only to understand ever-changing global regulations, but also to create appropriate strategies in addressing their GRC needs.
Knowing who has access to what is not only important from a traditional security sense, but is important to financial controls groups being able to attest that financially significant systems have minimal risk through inappropriate access. By integrating Oracle’s GRC and Identity Management platforms and the associated processes, organizations can improve user lifecycle management, continuous monitoring and automated controls enforcement to assist with sustainable risk and compliance management.
Figure 1 – Solution architecture
For a visual reference of the type of integration we are discussing, we have included an overview of how the systems can potentially interact. In Figure 1, you will notice a typical Human Resource authoritative source system feeds OIM and OIM then provisions to target resources. What’s different is the call-out to Oracle GRC to perform policy checks.
We won’t reference all of the GRC functionality available in this blog, but will focus on the segregation of duties (SoD) integration and the relevant use case. [For detailed instructions on this integration, please see: http://docs.oracle.com/cd/E14899_01/doc.9102/e14763/segregation_duties.htm] What’s interesting about this integration is that OIM is able to leverage the information EBS and GRC already have about the roles that exist. Using OIM scheduled tasks, we are able to synchronize those roles into OIM so that there is no need to manually build them in OIM. Moreover, if the roles get end-dated in EBS, OIM reconciliation with EBS will end-date the roles and the related access for the users who have that role assigned, with a goal of end-to-end compliance. Both OIM and GRC offer a web services interface for performing common transactions. More information about this can be found at http://docs.oracle.com/cd/E14507_01/apirefs.1112/e14133/using003.htm
Compliant User Provisioning
In our use case, we will explore how during an access request, a real-time validation can be performed against known SoD conflicts to determine if a role being requested has a conflict. Through OIM’s Service-Oriented Architecture (SOA) workflow functionality, we can include an additional layer of approval if a conflict is presented. A conflict is often unavoidable and, in many cases, requires a power user from the compliance organization to step in, review the request, and document a mitigating control before accepting. In this example, we’ll show a request by a Payables Manager for an Invoice Entry EBS role.
As you can see in this process flow, there is cross-functional behavior between the OIM and GRC solutions to identify the SoD violation and apply a mitigating control if required. Ultimately, OIM manages the provisioning of the role in the end system (EBS in this example) and, therefore, will be able to continually track that entitlement.
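The request flow described above (real-time SoD check at request time, an extra approval step when a conflict is found, and a documented mitigating control before provisioning), as an added in-memory model that is not OIM, GRC or SOA workflow code. The role names, the SoD rules and the audit-trail format are constructed; in a real deployment the conflict rules come from the GRC policy library and the decision is a human approval task.

```python
"""SoD-checked access request with a compliance approval step (added example).

Not Oracle OIM/GRC code: a small model of the described flow. A request
for a role is checked against constructed SoD rules; a conflict parks the
request for compliance review, and provisioning proceeds only when the
reviewer approves AND records a non-empty mitigating control.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed SoD policy: pairs of roles one person must not hold together.
SOD_RULES = {
    frozenset({"PAYABLES_MANAGER", "INVOICE_ENTRY"}): "can enter and approve own invoices",
    frozenset({"VENDOR_MAINTENANCE", "PAYMENT_RELEASE"}): "can create a vendor and pay it",
}


@dataclass
class RequestResult:
    user: str
    requested_role: str
    conflicts: List[Tuple[str, str]] = field(default_factory=list)
    status: str = "PENDING"
    mitigating_control: Optional[str] = None
    audit: List[str] = field(default_factory=list)   # every step is logged


def find_conflicts(existing_roles: Set[str], requested_role: str) -> List[Tuple[str, str]]:
    """Return (conflicting_role, reason) for each rule the new role would violate."""
    hits = []
    for pair, reason in SOD_RULES.items():
        if requested_role in pair:
            other = next(iter(pair - {requested_role}))
            if other in existing_roles:
                hits.append((other, reason))
    return hits


def process_request(user: str, existing_roles: Set[str], requested_role: str,
                    compliance_decision: Optional[Tuple[str, str]] = None) -> RequestResult:
    """
    compliance_decision is None until a reviewer acts, then
    ("APPROVE", "<documented mitigating control>") or ("REJECT", "<reason>").
    """
    res = RequestResult(user, requested_role)
    res.audit.append(f"request: {user} -> {requested_role}")
    res.conflicts = find_conflicts(existing_roles, requested_role)

    if not res.conflicts:                      # clean request: normal approval path
        res.status = "PROVISIONED"
        res.audit.append("sod: no conflict; provisioned")
        return res

    res.audit.append("sod: conflict " + "; ".join(f"{r} ({why})" for r, why in res.conflicts))
    if compliance_decision is None:            # extra approval layer kicks in
        res.status = "AWAITING_COMPLIANCE_REVIEW"
        return res

    decision, note = compliance_decision
    if decision == "APPROVE" and note.strip():  # approval needs a recorded control
        res.mitigating_control = note
        res.status = "PROVISIONED"
    else:
        res.status = "REJECTED"
    res.audit.append(f"compliance: {decision} ({note or 'no control documented'})")
    return res


if __name__ == "__main__":
    # The post's scenario: a Payables Manager asks for Invoice Entry.
    pending = process_request("pay_mgr", {"PAYABLES_MANAGER"}, "INVOICE_ENTRY")
    print(pending.status, pending.conflicts)
    done = process_request("pay_mgr", {"PAYABLES_MANAGER"}, "INVOICE_ENTRY",
                           ("APPROVE", "monthly review of invoices entered by approvers"))
    print(done.status, done.mitigating_control)
```

The "approve without a documented control" case is deliberately treated as a rejection: the audit line shows that the conflict was reviewed, but access is not granted on an empty justification.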
There are three takeaways from this use case. With GRC and IAM integration, organizations can:
• Automate provisioning and de-provisioning of business application users, with appropriate authorization and compliance checks.
• Improve the management of enterprise accounts and efficiently produce reports such as “who has access to what.”
• Reduce the cost of compliance by removing the need for after the fact remediation.
At Deloitte, we see the need not only to install and configure an IAM solution, but to work with our clients to get value out of an enterprise compliance approach. Solutions can be leveraged in their individual capacity to achieve benefits for an organization, but when organizations leverage cross-platform synergies, such as the ones that Oracle has intentionally created within their OIM and GRC solutions, the sum can become greater than the parts. An integrated approach to an organization’s IAM and GRC programs can assist in reducing costs and redundancies, and in improving value to the organization.
About the Author
Kevin Urbanowicz is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with eight years of experience in information technology with a focus on Identity & Access Management (IAM). He has served primarily in the Oil & Gas sector where he has helped his clients identify the business drivers and build the business case for establishing world-class IAM solutions that maximize IT efficiency and minimize security and compliance risk.
Wednesday Aug 07, 2013
By Greg Jensen on Aug 07, 2013
In this edition of the Oracle Identity Management (IDM) blog, we’ll look at a case study of IDM/IAM in the Automobile Industry and where it plays a significant role in enabling security to support the telematics initiative. In a broad sense, telematics is the integrated use of telecommunications with information and communications technology. This technology involves sending, receiving and storing information relating to remote objects, such as vehicles, via telecommunication devices.
Using telematics, organizations can monitor the location, movements, status and behavior of a vehicle or fleet. This is achieved through a combination of a Global Positioning System (GPS) receiver and an electronic Global System for Mobile Communications (GSM) device installed in each vehicle, which then communicates with the user and web-based software. In addition to location data, a telematics system can provide a list of your vehicles with the status of each. You can see when a vehicle is started up and shut down, as well as its idling status, location and speed. This information gives organizations a complete, up-to-the-minute knowledge of vehicle activities in one centralized, web-based interface. All of this information can help:
• Increase productivity
• Improve communications
• Reduce labor costs
• Control fuel costs
• Improve customer service
• Increase fleet safety and security
• Reduce operating expenses
• Reduce environmental impact
• Reduce unauthorized vehicle use
In addition to these benefits, various legislative resolutions and mandates, such as the resolution passed by the European parliament stipulating that all new cars must be fitted with a GPS system and GSM communication links, are driving the implementation of telematics to a large scale.
While telematics gives organizations all the above mentioned flexibility and benefits, it is prone to the same security challenges as usage of services on the web. Think about a situation where someone gets hold of a mobile device that is connected to several vehicles. A nefarious user can wreak havoc with a vehicle’s systems as well as the personal data which the vehicle has access to.
Some of the notable challenges around telematics security include:
• Password and user management – Management of multiple passwords and user identities for each vehicle.
• Device management – Management of authentication and authorization of devices allowing users to access the vehicle. High mobile device turnover by the user populations calls for new devices to be re-registered and at the same time blacklisting/wiping-out of the personal and vehicle information must be done on the older devices.
• Service management – Management of various telematics and key-off functionalities on a vehicle in a secure environment.
• Data and privacy concerns – As part of telematics services, automobile manufacturers need to access personal data to customize the user experience, thereby bringing in the challenge of data privacy both in transit and while it is being processed.
The following section describes how the above-mentioned aspects are managed and how challenges and issues related to managing your telematics services are addressed by using Oracle Access Manager Mobile and Social (OAMMS) and Oracle API Gateway (OAG).
Fig 1: Oracle IAM integration with Mobile Device
User and device registration: Typically telematics applications send service registration requests through mobile applications which would validate pre-requisites (like validating vehicle identification – Vehicle Identification Number (VIN), payment information, etc.) with the telematics service provider. Once validation is complete against the telematics service provider, identification of the customer identity along with a vehicle and device identity will be created by calling the Mobile and Social Representational state transfer (REST) interface for registration. During this registration process OAG can be made to act as the front end to the OAMMS REST interface to confirm that requests come from legitimate sources and to protect the infrastructure against any intrusion.
Authentication and telematics operations: The above diagram explains how a user request gets authenticated and passed over to a telematics service provider to perform the requested activity. Before accessing the telematics service, the user provides credentials in the form of a user ID and password, which are used to authenticate the user against the enterprise identity store and also to create an Oracle Access Manager token (or JSON Web Token, JWT) on the user’s device. The token is then passed to the telematics service provider with the vehicle information (i.e., VIN) available on the mobile device and the command (requested operation).
Once the token is available to the telematics service provider, it passes the same token over to the OAMMS to validate the authenticity of the request. Once the token is validated, the user’s credentials are authenticated and the requested command is executed on the vehicle.
The token information can be saved for a longer duration in the user’s mobile device for improved user experience and reduced operational time and effort. For example, a user sends a request to find a vehicle from his mobile device. The assumption is that the user is already authenticated against the enterprise identity store and the token exists on the mobile device. As soon as the user submits the request, a request object is sent to the telematics service provider along with the identity token. The telematics service provider passes the token to OAMMS to validate the account status. OAMMS in conjunction with OAG validates the received token for the user’s account status, session timeout, etc. Once authenticated a command is sent to the telematics service provider to perform a wakeup call to find the vehicle. The response returned from the vehicle back to the telematics service provider is passed over to the mobile device to locate the vehicle.
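The exchange described in the two paragraphs above (device sends a stored token plus VIN and command; the provider hands the token to a validator that checks signature, expiry and account status before the command runs), as an added example that is not OAMMS, OAG or Oracle Access Manager code. The HS256-style JWT is built by hand with the standard library so the block runs offline; the signing key, the identity store, the VIN bindings and the account statuses are all constructed.

```python
"""Token-validated telematics command flow (added example, not Oracle code).

Three parties from the post are modelled in one file:
  device   -> holds a signed token; sends {token, vin, command}
  provider -> handle_command(): forwards the token for validation, then
              checks the VIN is registered to that user, then "executes"
  validator-> validate_token(): signature, expiry, account status
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # constructed; a real deployment uses managed keys

# Constructed identity store: account status and registered vehicles per user.
ACCOUNTS = {
    "driver1": {"status": "ACTIVE", "vins": {"VIN-CONSTRUCTED-0001"}},
    "driver2": {"status": "LOCKED", "vins": {"VIN-CONSTRUCTED-0002"}},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, ttl_s: int, now: Optional[int] = None) -> str:
    """Issued after password authentication; stored on the device for reuse."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": now, "exp": now + ttl_s}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Validator side: returns {"ok": bool, "sub": str|None, "reason": str}."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        sig_bytes = _unb64(sig)
        claims = json.loads(_unb64(payload))
    except (ValueError, binascii.Error):
        return {"ok": False, "sub": None, "reason": "malformed"}
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):     # check signature before trusting claims
        return {"ok": False, "sub": None, "reason": "bad signature"}
    if claims.get("exp", 0) <= now:                       # session timeout
        return {"ok": False, "sub": claims.get("sub"), "reason": "expired"}
    acct = ACCOUNTS.get(claims.get("sub"))
    if acct is None or acct["status"] != "ACTIVE":        # account status
        return {"ok": False, "sub": claims.get("sub"), "reason": "account not active"}
    return {"ok": True, "sub": claims["sub"], "reason": "valid"}


def handle_command(request: dict, now: Optional[int] = None) -> dict:
    """Provider side: validate the token, check the VIN binding, then execute."""
    verdict = validate_token(request["token"], now)
    if not verdict["ok"]:
        return {"executed": False, "reason": verdict["reason"]}
    if request["vin"] not in ACCOUNTS[verdict["sub"]]["vins"]:
        return {"executed": False, "reason": "vin not registered to user"}
    # Constructed stand-in for the wake-up call and the vehicle's reply.
    return {"executed": True, "user": verdict["sub"], "command": request["command"],
            "reason": "valid", "vehicle_reply": f"{request['command']} acknowledged"}


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("driver1", 3600, now=t0)
    print(handle_command({"token": tok, "vin": "VIN-CONSTRUCTED-0001", "command": "FIND_VEHICLE"}, now=t0 + 10))
    print(handle_command({"token": tok, "vin": "VIN-CONSTRUCTED-0001", "command": "FIND_VEHICLE"}, now=t0 + 7200))
```

The VIN binding check is the provider's own responsibility in this model: a valid token proves who the user is, not which vehicles they may command, which is why the registration step in the post ties vehicle and device identity to the customer identity.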
The built-in reporting and auditing capability of OAMMS captures each of the transactions. This can be leveraged to define controls for the telematics service. Apart from OAMMS and OAG, Oracle Access Manager and Oracle Adaptive Access Manager can also be deployed to provide a robust solution, including device marking, wiping the contents of the device in case it is lost, and two-factor authentication when a sensitive operation is requested on the vehicle.
In all, telematics services have evolved to better suit the needs of consumers, but at the same time they trade off security for end-user usability. These trade-offs increasingly contribute to security risks for the user, the organization and their vehicles, including theft of the vehicle, loss of personal data, vehicle malfunction, etc. Security should be addressed in an effective manner, with increasingly strict regulations to protect against these risks. The Mobile Access Management solution using Oracle API Gateway technology unifies telematics requests across network boundaries to mobile devices. It can provide enhanced security, regulatory compliance and increased usability.
About the Author
Debi Mohanty is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with a focus on Identity and Access management and Information Security. He advises several Fortune 100 clients globally on cloud and mobile security, privacy and identity & access management across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.
Wednesday Jul 31, 2013
By Greg Jensen on Jul 31, 2013
Deloitte is excited about the opportunity to introduce the first blog in a series of four blogs that will look at real world case studies involving Oracle Identity and Access Management (IAM). Our future blogs will expand on relevant IAM topics including: 1) Oracle Waveset to Oracle Identity Manager, 2) Oracle IAM in Telematics, 3) Oracle IAM with Governance Risk and Compliance, and 4) Oracle Identity & Access Governance with Database Security. Throughout this blog series, readers are encouraged to submit questions or comments which will feed into a roundtable type Q&A blog responding to selected comments and questions received.
In this edition of the Oracle IAM blog, we’ll look at a case study for migration from Oracle Waveset to Oracle Identity Manager for a higher education statewide system of community colleges, state universities and technical colleges. This also highlights how the flexibility of Oracle’s IAM product landscape contributed to creating a dynamic and sustainable solution for a public-facing system with nearly 500,000 users.
Current State Evaluation and Replication
The legacy Oracle Waveset instance connected to numerous institutional directories and provided end-user functionalities such as user self-service, account activation and password management as well as administrative help-desk functions with a highly customized interface and set of workflows.
As we analyzed these functions, we identified that a majority of them were available within Oracle Identity Manager (OIM) 11g R2, which simplified their replication. Further, the User Interface (UI) enhancements in OIM 11g R2 allowed for significant customization of the end-user pages, such as the ‘My Information’ page, with minimal custom code. Initial replication of the core functionalities was crucial to the overall project and allowed for the replacement of Waveset as an end-user facing solution on Day 1 of the OIM go-live. However, this did not cover the numerous resource integrations that Waveset had behind the scenes, which would also need to be migrated. Several functionalities, such as account activation and password reset/forgot password, that required specific workflows and service integration were replicated in separate Oracle ADF-based applications split away from the OIM managed servers. This allowed the heavily used end-user functions to run separately from the OIM instances, providing increased flexibility in load management and tuning.
Resource Migration Approach
As the numerous resources requiring migration would take significant time and effort, it was decided that these resources would be moved over in a phased manner, requiring both OIM and Waveset to operate in parallel for a period of time. This approach reduced risk, as a single cutover would have been highly complex with multiple moving parts across colleges and campuses. To make this possible, OIM and Waveset would need to operate together as we migrated each campus from the old Waveset platform to the new OIM platform. To help accomplish this, a custom connector between OIM and Waveset was built to synchronize certain user attributes so that Waveset could update and maintain those attributes on the resources that remained managed by it.
Overall, this approach turned out to be highly beneficial as it allowed the team time to ease into using the new identity solution, reduced the risks that would have been present in a single “big bang” cutover event and allowed for a quick win which displays critical progress and success to solution stakeholders.
Figure A – Oracle Waveset to Oracle Identity Manager resource migration approach
Additional Important Success Factors
Throughout the migration, we encountered a number of items that were deemed critical for meeting project goals that primarily focused on the following:
As the solution’s primary users were public individuals that would likely not have significant training or usage guidance, focusing on a refined and calculated user experience such as clear verbiage, font sizing and coloring as well as succinct and detailed error messages was important. While these items may seem minor or insignificant to some readers, they, as expected, ended up being extremely beneficial to end-users and reduced support needs.
Performance and Tuning
With our highly active user-base, performance of the solution was critical to success. Use of the existing Oracle Fusion Middleware Performance and Tuning Guide as well as the OIM 11g R2 Reconciliation Tuning Whitepaper were critical for maintaining performance and ongoing stability of a solution with this size. Also important were key architectural decisions around load balancing, managed server clustering, as well as database clustering (e.g. RAC). Providing enough horsepower behind the solution and conducting due diligence around performance testing will reduce the amount of performance-related issues encountered in production.
The phased migration from Oracle Waveset to Oracle Identity Manager 11g R2 allowed for a quick win in the initial cutover of end-user functions, a lower-risk migration path, as well as a constant stream of “good news” as the various campuses were migrated from the old solution to the new one in a phased manner. A focus on user experience and performance tuning also helped to create an effective environment for end-user interaction and contributed to achieving the goals of the initiative. Finally, the new OIM architecture will provide a solid infrastructure for future enhancements and a greatly increased user base that the prior Waveset environment could no longer support.
About the Author
Derek Dahlen is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with over eight years of experience in information security. He specializes in managing, designing and architecting large-scale identity and access management projects with a focus on the Oracle product stack. He has worked with various clients across the financial services and state government sectors.
Tuesday Jul 23, 2013
By Greg Jensen on Jul 23, 2013
For a number of years the innovation for corporate applications revolved around functionality drivers such as better user interfaces, interoperability with legacy systems, and web enablement. The next wave of innovation is being driven by enhancing the customer experience, data analytics, business responsiveness, and the integration of systems in the company’s business ecosystem. All of this is occurring in a demanding economic climate—where speed is of the essence to help meet revenue and profitability targets— with an ever-demanding and increasingly sophisticated user base.
What does the changing face of corporate applications look like and how does security play a role? You can start by looking at Oracle’s own strategy with Fusion Applications. The Fusion Apps integrate business processes, complex workflows, web services, business intelligence, and analytics. This amalgamation has seemingly endless data points and touch points utilized by an ecosystem of users, consumers, providers, and so on. This is all secured using Oracle’s own IAM stack. Hence, the Fusion Apps security model is a very different approach from the old E-Business, PeopleSoft, and JD Edwards security models. This adds security complexity, yet also adds security value. However, to obtain the value, you have to understand how to take a highly flexible solution and cater it to your business’s needs. So how do you configure it the right way quickly? We’ll get to that later.
What other corporate application changes are we seeing? We’re all aware that over the last 5 years there has been a significant and growing shift in the consumerization of technology in the work place. The bring-your-own-device or BYOD trend began shortly after the auspicious availability of the original iPhone in June of 2007 and has hit substantial strides in subsequent years with the introduction of the iPad and Android devices. The portability and ease of use—and let’s face it, the “coolness” factor—have driven demand for applications to be readily available outside the standard company walls and desktop/laptop confines.
Looking at a graph of the pace and demand for mobile applications brings to mind Mt. Everest: it’s steep, scary, and without the right Sherpa, you might just freeze to death from the challenge. As the sophistication of mobile applications has improved to meet business demand, one of those Everest-like challenges is how to secure the ever increasing amount of sensitive and critical information that goes with it.
For example, we are seeing clients take applications that were typically considered “back office” and using them as a strategic driver, such as mobilizing purchasing data to provide valuable insight to buyers in the field making decisions. We are seeing banks now allowing check deposits via mobile devices to increase customer satisfaction and decrease in-person service times and overhead.
Information that was typically within the four walls is now zipping around wherever there is a cell signal. It is being consumed on devices that are easily passed around, shared, and lost. It is being consumed by customers, employees, company partners, and vendors. How do you ensure that only the right consumer, in the right context, in the right scenario, on the right device is accessing valuable company data? Additionally, how do you rapidly secure applications to quicken deployment cycles and cut costs?
One of the common ways IT departments approach security is to take each application and bolt on its own security framework for mobility. An example would be adding on a Spring Security framework for authentication and authorization. Sometimes this involves a duplication of already existing authentication and authorization mechanisms in place. If you take this approach for each application you “mobilize”, you can see how it can quickly become an administrative nightmare. From having to provision users manually to each application, to de-provisioning for terminations or job role changes, to password management, to troubleshooting, and so on, this approach is duplicative and wasteful.
So how do you address security adequately and rapidly across the situations and scenarios we’ve described? Accenture utilizes Oracle’s IAM suite of products to enable security across the spectrum of our clients’ needs. For example, for mobilization of applications, we utilize Oracle’s Mobile and Social Access as part of the access management solution. We utilize Oracle API Gateway’s numerous features for web services security. We’ve also built many of our own proprietary Accenture Software solutions on the 11g platform, leveraging the Oracle security stack to employ a common security framework that simplifies development and deployment. Furthermore, we leverage our Accenture Foundation Platform for Oracle (AFPO) to accelerate delivery and reduce costs.
Accenture Foundation Platform for Oracle
AFPO is a reference architecture, reference implementation and a set of associated assets that provide a generic and common foundational platform based on Oracle Fusion Middleware 11g Technology. AFPO is a jumpstart kit for Oracle IAM that accelerates delivery. It is aligned with Oracle’s Fusion Reference Architecture (OFRA) and was built with feedback and reviews from Oracle Product Management. It’s also a combination of Oracle products & guidance with Accenture intellectual property based on project experience.
When we speak of acceleration, we are talking install: day 1; customize and integrate: day 2! Fast enough for you? Clients have been able to trim as much as 30% off of implementation costs utilizing AFPO. At an educational non-profit we rapidly deployed an Oracle IAM foundation leveraging AFPO to meet tight timelines required for the upcoming school year. Our client’s Release 1 deployment scope included building, testing, and deploying 5 Oracle IAM products in 5 months. Our client’s development team needed a way to quickly learn the products in order to rapidly build extensions and customizations for these products. AFPO provided a testing ground for rapid design prototyping and gave developers the quick, hands-on experience needed to transition to building the new infrastructure.
To learn more about Accenture, our AFPO platform, how we can help you with your security strategy and implementation, please contact firstname.lastname@example.org