Friday Mar 30, 2012

ING: Scaling Role Management and Access Certification to Thousands of Applications

Organizations deal with employee and user access certifications in different ways.  There’s collation of multiple spreadsheets, an intense two-week exercise by managers or use of access certification tools to do so across a handful of applications. But for most organizations compliance is about certifying user access for thousands of employees across hundreds of systems. Managing and auditing millions of entitlement combinations on a periodic basis poses a huge scale challenge.

ING solved the compliance scale challenge using an Identity Platform approach. Join the live webcast featuring ING’s enterprise architect, Mark Robison, as he discusses how a platform approach offers value that is greater than the sum of its parts and enables ING to successfully meet their security and compliance goals. Mark will also share his implementation experiences and discuss the key requirements to manage the complexity and scale of access certification efforts at ING. Mark will be joined by Neil Gandhi, Principal Product Manager for Oracle Identity Analytics.

Live Webcast
ING: Scaling Role Management and Access Certification to Thousands of Applications
Wednesday, April 11th at 10 am Pacific/ 1 pm Eastern
Register Today

Thursday Mar 29, 2012

UK Oracle User Group Event: Trends in Identity Management

As threat levels rise and new technologies such as cloud and mobile computing gain widespread acceptance, security is occupying more and more mindshare among IT executives. To help prepare for the rapidly changing security landscape, the Oracle UK User Group community and our partners at Enline/SENA have put together a User Group event in London on Apr 19 where you can learn more from your industry peers about upcoming trends in identity management.

Here are some of the key trends in identity management and security that we predicted at the beginning of last year, along with how they have turned out so far. You have to admit that we have a pretty good track record when it comes to forecasting trends in identity management and security.

  • Threat levels will grow—and there will be more serious breaches:   We have since witnessed breaches of high value targets like RSA and Epsilon. Most organizations have not done enough to protect against insider threats. Organizations need to look for security solutions to stop user access to applications based on real-time patterns of fraud and for situations in which employees change roles or employment status within a company.
  • Cloud computing will continue to grow—and require new security solutions: Cloud computing has since exploded into a dominant secular trend in the industry. Cloud computing continues to present many opportunities like low upfront costs, rapid deployment etc. But Cloud computing also increases policy fragmentation and reduces visibility and control. So organizations require solutions that bridge the security gap between the enterprise and cloud applications to reduce fragmentation and increase control.

  • Mobile devices will challenge traditional security solutions: Since that time, we have witnessed a proliferation of mobile devices, combined with increasing numbers of employees bringing their own devices to work (BYOD), and these trends continue to dissolve the traditional boundaries of the enterprise. This, in turn, requires a holistic approach within an organization that combines strong authentication and fraud protection, externalization of entitlements, and centralized management across multiple applications, plus open standards to make all that possible.
  • Security platforms will continue to converge: As organizations move increasingly toward vendor consolidation, security solutions are also evolving. Next-generation identity management platforms have best-of-breed features, and must also remain open and flexible to remain viable. As a result, developers need products such as the Oracle Access Management Suite in order to efficiently and reliably build identity and access management into applications—without requiring security experts.

  • Organizations will increasingly pursue "business-centric compliance": Privacy and security regulations have continued to increase, so businesses are increasingly looking for solutions that combine strong security and compliance management tools with a business-ready experience for faster, lower-cost implementations.

If you'd like to hear more about the top trends in identity management and learn how to empower yourself, then join us for the Oracle UK User Group on Thu Apr 19 in London where Oracle and Enline/SENA product experts will come together to share security trends, best practices, and solutions for your business. Register Here.

Wednesday Mar 28, 2012

Derek Brink shares "Worst Practices in IT Security"

Derek Brink is Vice President and Research Fellow in IT Security for the Aberdeen Group.  He has established himself as an IT Security Expert having a long and impressive career with companies and organizations ranging from RSA, Sun, HP, the PKI Forum and the Central Intelligence Agency.  So shouldn't he be talking about "Best Practices in IT Security?"

In his latest blog he talks about the thought processes that drive the wrong behavior, and very cleverly shows how that incorrect thinking exposes weaknesses in our IT environments.

Check out his latest blog post titled: "The Screwtape CISO: Memo #1 (silos, stovepipes and point solutions)"

Hear Derek speak live during the Aberdeen event series 

Tuesday Mar 27, 2012

Oracle Executive Strategy Brief: Enterprise-Grade Cloud Applications

Cloud Computing has clearly evolved into one of the dominant secular trends in the industry. Organizations are looking to the cloud to change how they buy and consume IT. And it's no longer about just lower up-front costs. The cloud promises to deliver greater agility and free up resources to focus on innovation versus running and maintaining systems. But are organizations actually realizing these benefits?

The full promise of cloud is not being realized by customers who entrust their business to multiple niche cloud providers. While almost 9 out of 10 companies  expect more IT agility with cloud, only 47% are actually getting it (Source: 2011 State of Cloud Survey by Symantec). These niche cloud customers have also seen the promises of lower costs, efficiency gains, improved security, and compliance go unfulfilled. Having one cloud provider for customer relationship management (CRM) and another for human capital management (HCM), and then trying to glue these proprietary systems together while integrating to a back-office financial system can add to complexity and long-term costs. Completing a business process or generating an integrated report is cumbersome, and leverages incomplete data.

Why can’t niche cloud providers deliver on the full promise of cloud? It’s simple: you still need to complete business processes. You still need reporting that enables you to take action using data from multiple systems. You still have to comply with SOX and other industry regulations. These requirements don’t go away just because you deploy in the cloud. Delivering lower up-front costs by enabling customers to buy software as a service (SaaS) is the easy part. To get real value that lasts longer than your quarterly report, it’s important to realize the benefits of cloud without compromising on functionality and while having the right level of control and flexibility. This is the true promise of cloud.

Oracle’s cloud strategy centers around delivering the benefits of cloud—without compromise. We uniquely empower our customers with complete solutions and choice. From the richest functionality to integrated reporting and great user experience. It’s all available in the cloud. And it works not just with other Oracle cloud applications, but with your existing Oracle and third-party systems as well. This helps protect your current investments and extend their value as you journey to the cloud. We’ve made the necessary investments not only in our applications but also in the underlying technology that makes it all run—from the platform down to the hardware and operating system. We make it all. And we’ve engineered it to work together and be highly optimized for our customers, in the cloud. With Oracle enterprise-grade cloud applications, you get the benefits of cloud plus more power, more choice, and more confidence.

Read more about how you can realize the true advantage of Cloud with Oracle Enterprise-grade Cloud applications in the Oracle Executive Strategy Brief here

You can also attend an Oracle Cloud Conference event at a city near you. Register here

Monday Mar 26, 2012

IOUG Webcast Series on Identity Management

Identity Management for Business Empowerment

Identity Management has gone from the realm of IT tools to being a business solution. Security and Identity Management offer confidence in doing secure and compliant business. But more than that, Identity Management today contributes to business growth with secure social, cloud, mobile and internal & external ecosystem enablement.

Cloud computing has heightened the interest in user access security; mobile computing brings access to information beyond the enterprise and a bring-your-own-device culture in-house; social media has added a new dimension to user identity; and increasing security compliance pressure has made organizations rethink their roles and entitlements strategy.

To discuss the industry trends, maturity and framework for security, compliance and business empowerment with identity management, Oracle is proud to collaborate with IOUG to launch a series of live webcasts. Covering a span of topics from identity platform to entitlements management, privilege access management and cloud, mobile and social security, these webcasts will provide direct access to subject matter experts and technology specialists. Hear first-hand about best practices, a pragmatic approach to security implementation, customer success stories and more.

Register today for the individual webcasts or the series.

And just a reminder that the conversation starts at COLLABORATE 12 in Las Vegas from April 22nd – 26th. In addition to our conference sessions, as an added value this year, we are offering a half-day deep dive session on Oracle Identity Management: Building a Security and Compliance Framework for Oracle Systems. The session is scheduled for Sunday, April 22nd from 9 am to 3 pm and will cover relevant topics such as:

• A Primer on Identity Management
• Security and Compliance with Oracle Identity Management
• Security for Oracle Applications, Fusion Applications
• Managing Identities in The Cloud and Mobile World
• Best Practices: Building an Identity Roadmap and Getting Started

To get a head start on your compliance and security program, pre-register for this session today.

Wednesday Mar 21, 2012

Webcast Q&A: Demystifying External Authorization

Thanks to everyone who joined us on our webcast with SANS Institute on "Demystifying External Authorization". Also a special thanks to Tanya Baccam from SANS for sharing her experiences reviewing Oracle Entitlements Server. If you missed the webcast, you can catch a replay of the webcast here.

 Here is a compilation of the slides that were used on today's webcast. 

We have captured the Q&A from the webcast for those who couldn't attend.

Q: Is Oracle ADF integrated with Oracle Entitlements Server (OES) ?

A: In Oracle Fusion Middleware 11g and later, Oracle ADF, Oracle WebCenter, Oracle SOA Suite and other middleware products are all built on Oracle Platform Security Services (OPSS). OPSS provides many security functions like authentication, audit, credential stores, token validation, etc. OES is the authorization solution underlying OPSS. And OES 11g unifies different authorization mechanisms including Java2/ABAC/RBAC.

Q: Which portal frameworks support the use of OES policies for portal entitlement decisions?

A: Many portals including Oracle WebCenter 11g run natively on top of OES. The authorization engine in WebCenter is OES. Besides, OES offers out of the box integration with Microsoft SharePoint. So SharePoint sites, sub sites, web parts, navigation items, document access can all be secured with OES. Several other portals have also been secured with OES, for example IBM WebSphere Portal.

Q: How do we enforce Separation of Duties (SoD) rules using OES (also how does that integrate with a product like OIA)?

A:  A product like OIM or OIA can be used to set up and govern SoD policies. OES enforces these policies at run time. Role mapping policies in OES can assign roles dynamically to users under certain conditions. So this makes it simple to enforce SoD policies inside an application at runtime.

Q:  Our web application has objects like buttons, text fields, drop down lists etc. is there any ”autodiscovery” capability that allows me to use/see those web page objects so you can start building policies over those objects? or how does it work?

A: There are a few different options with OES. When you build an app, and make authorization calls with the app in the test environment, you can put OES in discovery mode and have OES register those authorization calls and decisions. Instead of doing this after the fact, an application like Oracle iFlex has built-in UI controls where when the app is running, a script can intercept authorization calls and migrate those over to OES. And in Oracle ADF, a lot of resources are protected so pages, task flows and other resources can be registered without OES knowing about them.

Q: Does current Oracle Fusion application use OES ? The documentation does not seem to indicate it.

A:  The current version of Fusion Apps is using a preview version of OES. Soon it will be replaced with OES 11g. 

Q: Can OES secure mobile apps?

A: Absolutely. Nowadays users are bringing their own devices such as a smartphone or tablet to work. With the Oracle IDM platform, we can tie identity context into the access management stack. With OES we can make use of context to enforce authorization for users accessing apps from mobile devices. For example: we can take into account different elements like authentication scheme, location, device type etc. and tie all that information into an authorization decision.

Q:  Does Oracle Entitlements Server (OES) have an ESAPI implementation?

A: OES is an authorization solution. ESAPI/OWASP is something we include in our platform security solution for all Oracle products, not specifically in OES.

Q:  ESAPI has an authorization API. Can I use that API to access OES?

A: If the API supports an interface / sspi model that can be configured to invoke an external authz system through some mechanism, then yes.
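The runtime SoD enforcement through role mapping and the context-aware decision for mobile access described in the answers above, shown as an added sketch that is not part of the original post and does not use the OES API. The users, roles, payment resources and function names are all hypothetical.

```python
# Added illustration only: a miniature external policy decision point (PDP).
# This is NOT Oracle Entitlements Server code or its API; every name and all
# data below are hypothetical and constructed for the example.
from typing import NamedTuple


class Request(NamedTuple):
    user: str
    action: str
    resource: str
    context: dict  # runtime attributes such as auth_scheme and device_type


class Decision(NamedTuple):
    permit: bool
    reason: str


# Static role grants, as a governance tool might provision them (constructed).
ROLE_GRANTS = {
    "alice": {"payment_creator", "payment_approver"},
    "bob": {"payment_approver"},
}
# Which role may perform which action (constructed policy data).
PERMISSIONS = {("payment_creator", "create"), ("payment_approver", "approve")}
# Resource attribute consulted by the role mapping policy (constructed).
CREATED_BY = {"payment/1001": "alice", "payment/1002": "bob"}


def map_roles(req):
    """Role mapping policy: compute the roles effective for this request.

    SoD condition: whoever created a payment never holds the approver role
    for that same payment, whatever the static grants say.
    """
    roles = set(ROLE_GRANTS.get(req.user, ()))
    dropped = set()
    if CREATED_BY.get(req.resource) == req.user and "payment_approver" in roles:
        roles.discard("payment_approver")
        dropped.add("payment_approver")
    return roles, dropped


def check_context(req):
    """Context policy: approvals from a mobile device need step-up auth."""
    ctx = req.context
    if (req.action == "approve" and ctx.get("device_type") == "mobile"
            and ctx.get("auth_scheme") != "mfa"):
        return "mobile approval requires auth_scheme=mfa"
    return None


def decide(req):
    """Default deny: permit only when an effective role grants the action
    and no context rule objects."""
    roles, dropped = map_roles(req)
    if not any((role, req.action) in PERMISSIONS for role in roles):
        if any((role, req.action) in PERMISSIONS for role in dropped):
            return Decision(False, "SoD: role withheld for this resource")
        return Decision(False, "no effective role grants this action")
    objection = check_context(req)
    if objection:
        return Decision(False, objection)
    return Decision(True, "permitted")


def approve_payment(user, resource, context):
    """Application side: no policy logic here, it only asks the PDP."""
    d = decide(Request(user, "approve", resource, context))
    verdict = "PERMIT" if d.permit else "DENY"
    return f"{user} approve {resource}: {verdict} ({d.reason})"


if __name__ == "__main__":
    desktop = {"device_type": "desktop", "auth_scheme": "password"}
    phone = {"device_type": "mobile", "auth_scheme": "password"}
    phone_mfa = {"device_type": "mobile", "auth_scheme": "mfa"}
    print(approve_payment("alice", "payment/1001", desktop))   # creator approving own payment
    print(approve_payment("alice", "payment/1002", desktop))   # someone else's payment
    print(approve_payment("bob", "payment/1001", phone))       # weak auth on mobile
    print(approve_payment("bob", "payment/1001", phone_mfa))   # step-up auth on mobile
```

Changing a rule here means editing `map_roles` or `check_context`, never `approve_payment`, which is the point of keeping authorization outside the business logic.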

Sunday Mar 18, 2012

Mike Neuenschwander on the Identity Platform

If you are in London on March 22nd, check out the Identity Platform Event. Mike is deeply passionate about the platform. I caught up with Mike recently for an interview to discuss his perspective on the Oracle Identity Platform. Identity Management is not a department level initiative. To unlock the business potential of Identity Management, we have to think organizationally and holistically. To learn more about how to take a strategic approach to Identity Management, visit one of our physical events globally. Here are some of the listings and registrations worldwide: North America, Asia Pacific, Europe.

Friday Mar 16, 2012

Webcast Q&A: Cisco's Platform Approach to Identity Management

Thanks to all who attended the live webcast we hosted on Cisco: Best Practices for a Platform Approach on Wed, March 14th. Those of you who couldn’t join us, the webcast replay is now available.

Many thanks to our guest speaker, Ranjan Jain, Security Architect at Cisco for walking us through Cisco’s drivers and rationale for the platform approach, the implementation strategy, results, roadmap and recommendations. We greatly appreciate the insight he shared with us all on the deployment synergies with a platform approach to Identity Management. A forward looking organization, Cisco also has plans for secure cloud and mobile access enablement so it was interesting to learn how the Platform approach to Identity Management today is laying down the foundation for those future initiatives.

While we tackled a good few questions during the webcast, we have captured the responses to those that we weren’t able to get to:

Q. Can you provide insight into how you approached developing profiles for each user group?
A. At Cisco, the user profile was already available to IT before the platform consolidation started. There is a dedicated business team that manages the user profiles.

Q. What is the current version of Oracle Identity Manager in the market?
A. Oracle Identity Manager 11gR1 is the latest version of our industry leading user provisioning/identity administration solution.

Q. Is data resource segmentation part of the overall strategy at Cisco?
A. It is but it is managed by the business teams and not at the IT level.

Q. Does Cisco also have an Active Directory LDAP? Do they sync AD from OID or do they provision to AD as another resource?
A. Yes, we do. AD is provisioned using in-house tools and not via Oracle Identity Manager (OIM).

Q. If we already have a point IDM solution in place (SSO), can the platform approach still work?
A. Yes, the platform approach calls for a seamless, standardized framework for identity management to support the enterprise’s entire infrastructure, both on-premise or in the cloud. Oracle Identity Management solutions are standards based so they can easily integrate and interoperate with existing Oracle or non-Oracle solutions.

Hope you enjoyed the webcast and we look forward to having you join us for the next webcast in our Customers Talk: Identity as a Platform webcast series:
ING: Scaling Role Management and Access Certification to Thousands of Applications
Wednesday, April 11th at 10 am PST/ 1 pm EST
Register Today

We are also hosting a live event series in collaboration with the Aberdeen Group. To hear first-hand, the insights from the recently released Aberdeen Report and to discuss the merits of the Platform approach, do join us at this event. You can also connect with Oracle Identity Management SMEs and get your questions answered live.

Aberdeen Group Live Event Series: IAM Integrated - Analyzing the "Platform" vs. "Point Solution" Approach
North America, April 10 - May 22
Register for an event near you

And here’s the slide deck from our Cisco webcast:


Thursday Mar 15, 2012

Webcast and Event Series You Can't Miss

Register for the Aberdeen Events here.

Register for the webcast series  and catch them on demand here.

Wednesday Mar 14, 2012

SANS Institute Product Review Webcast: Demystifying External Authorization

We have blogged recently about the benefits of an external authorization solution such as Oracle Entitlements Server. We believe that there are three primary business drivers fueling the need to externalize authorization from applications. First, regulatory considerations are getting more stringent and complex, and meeting modern regulatory demands often requires enforcement of granular access privileges at application runtime. Second, a lot of homegrown applications have authorization policies built into the business logic, which makes it hard to change policies in response to evolving security and regulatory mandates. Finally, with role-based access becoming predominant, many organizations are now dealing with the challenge of role explosion, wherein redundant role definitions can often make managing access control more difficult and make it hard to secure transactions and data on the basis of roles. This has led to the growth of external authorization solutions, which make it easy to externalize and centralize authorization policy definitions. Solutions like Oracle Entitlements Server allow extremely rich policy definitions to be set up on the basis of context, attributes, roles or runtime conditions.

On Mar 21, SANS and Oracle will be hosting a webcast wherein our speakers - Tanya Baccam from SANS and Roger Wigenstam from Oracle, will discuss some of these challenges and how a solution such as Oracle Entitlements Server can help organizations overcome these problems.  

In this webcast, Tanya Baccam will discuss business drivers for external authorization, real world use case scenarios and highlight some critical capabilities that organizations should bear in mind when evaluating and deploying external authorization solutions. Tanya will also share her experiences reviewing Oracle Entitlements Server. This webcast will also feature Roger Wigenstam who will discuss unique product capabilities.  Registering for this Webcast will put you at the top of the list to receive Tanya Baccam’s new white paper on external authorization.

Register for this webcast here

Tuesday Mar 13, 2012

Identity Management at COLLABORATE 12


Getting ready for COLLABORATE 2012? If Security and Identity Management are top of mind for you, then we have some recommendations for you.

Bringing together Oracle Applications and Technology education, COLLABORATE 2012 is a forum designed and delivered by Oracle users. Produced by the three independent user groups, Independent Oracle Users Group (IOUG), Oracle Applications Users Group (OAUG) and Quest International Users Group (Quest), COLLABORATE offers keynotes, deep-dives, workshops and user-driven sessions spanning technology, application and cross solutions. This year the conference is from April 22- 26 at Mandalay Bay Convention Center in Las Vegas.
Oracle Identity Management solutions enable organizations to secure critical data and applications, efficiently enforce regulatory compliance and reduce operational costs. In addition to our conference sessions, as an added value this year, we are offering a half-day deep dive session on Oracle Identity Management: Building a Security and Compliance Framework for Oracle Systems. The session is scheduled for Sunday, April 22nd from 9 am to 3 pm and will cover relevant topics such as:
• A Primer on Identity Management
• Security and Compliance with Oracle Identity Management
• Security for Oracle Applications, Fusion Applications
• Managing Identities in The Cloud and Mobile World
• Best Practices: Building an Identity Roadmap and Getting Started

To get a head start on your compliance and security program, pre-register for this session today.

The Identity Management sessions are supported by subject matter experts on technology, consulting and implementation so you are sure to get the complete perspective on what it takes to design and implement a successful program to meet your security and compliance objectives.

To find out more about Identity Management at COLLABORATE 12, here’s our recommended roadmap:
1. If you haven’t done so, do browse through the COLLABORATE 12 website and register with the user group for information and events most tailored to your needs.
2. Click on “My Show Planner” and enter “Identity Management” in the keyword search box.
3. Pre-register for the sessions by clicking on “Add to Planner”.


Look forward to seeing you at COLLABORATE 12 in Las Vegas next month.

Monday Mar 12, 2012

ING Closes Compliance Gaps with Oracle

The Aberdeen research highlights the economic synergy of deploying multiple identity solutions from a single vendor. If you have not read the report, you can download  a copy of the report here. You can hear the Aberdeen story in a city near you - register for the event here.

Many companies today are determining whether to start with provisioning or to start with certification review. ING started with user provisioning and then deployed certification review with great results. This case study highlights the benefits of a closed loop approach to compliance. 

Sunday Mar 11, 2012

Dave Profozich on Oracle Security

Identity Management and Database Security are core to Oracle's security offerings. Dave shared his thoughts on Oracle as a security company and his passion for security across the Oracle stack. His commentary on the first Chief Security Officer summit is entertaining and provides some perspective on Oracle's security DNA.

Takeaways:

  • "Security is the next ERP caliber platform"
  •  Heterogeneous - secure the red stack and horizontally across the enterprise
  •  Oracle is a strategic partner to secure your data and applications 

Thursday Mar 08, 2012

A Primer on Entitlements Server

In preparation for our SANS Review webcast, Subbu Devulapali, Principal Product Manager for OES, presented a short primer on Oracle Entitlements Server. If you missed the webex session, you can view a replay here. The session was focused on presenting the problems addressed by declarative security and on demonstrating a banking application example complete with policies for regulatory compliance with a live demonstration. To learn more, catch the SANS product review webcast on Oracle Entitlements Server on March 21st - register here.

There were a couple questions we did not get to:

Q: Is OES integrated with Hyperion MDM ?

A: Currently OES is not, but it will be integrated with the next generation Oracle Fusion Apps Financials.

Q: How many policies were included in the demonstration ?

A: There were about 5 policies in the use cases demonstrated

To connect with an Oracle expert, join us at one of the upcoming Aberdeen events coming to a city near you. Space is limited so register here to attend.

Wednesday Mar 07, 2012

Identity and Access Partner Interview


Tuesday Mar 06, 2012

Cisco's Platform Approach to Identity Management

As Security Architect for Enterprise Identity and Access Management Service in Cisco Systems, Inc., Ranjan Jain knows a few things about how to get Identity Management right. After all, he has spent over 12 years in the Security industry in various roles from administrator to technical lead to domain expert and security architect.  

On March 14th, join industry veteran, Michael Neuenschwander as he hosts a live, online interview with Ranjan to discuss the drivers, challenges and merits of the Platform approach to Identity Management. Using Cisco's own implementation as the backdrop, Ranjan and Michael will discuss the roadmap to a successful Identity Platform implementation. We are hoping that Ranjan would also elaborate on his belief that "password is the necessary evil and enterprises should be proactive in reducing their password footprint".

Join us for this live, complimentary webcast:

Live: Cisco's Platform Approach to Identity Management

Wednesday, March 14, 2012

10 am Pacific/ 1 pm Eastern

Register Now

Monday Mar 05, 2012

A Primer on Identity Analytics

 If you have been watching the Platform Approach webcast series, we hope you have found the information valuable. You can view any of these sessions on demand here. There are still three more sessions remaining and plenty of time to engage with the architects. 

The session with ING Bank will focus on a "Platform Approach" to audit compliance and ING will discuss how they took a provisioning approach then easily adopted Oracle Identity Analytics. As a primer on Oracle Identity Analytics, you can watch the 2 videos below which cover the basic capabilities provided.



Michael Mettenheimer discusses Oracle Security CISO Network

Michael Mettenheimer is Vice President of Business Development for Oracle Security in North America. Mike has an extensive background helping organizations adopt Identity and Access Management. Recently, in an interview with Bill Sieglein, Director of the CISO Network, Mike discusses vendor risk management and how Oracle can help organizations secure data as they outsource and share data with third party vendors. Sharing information is critical for organizations that have an extended value chain.


Thursday Mar 01, 2012

Platform Approach Series in Asia

The Aberdeen report results are not specific to North America alone - the results were global. Fourteen percent of the participants were companies based in Asia. In addition, the results covered companies of different sizes in terms of annual revenue:

  • 32% Small  < $50M
  • 36% Mid-size  $50M - $1B
  • 32% Large >$1B 

The platform approach series will continue in 16 cities in Asia.

Taipei, March 22nd

Beijing, April 17th  

New Delhi, April 18th

Shanghai, April 19th

Bangalore, April 19th 

Singapore, April 19th

Hanoi, April 19th

Bangkok, April 24th

Chennai, April 24th

Taiwan, April 25th

Mumbai, April 26th  

Jakarta, April 26th

Melbourne, May 1st

Canberra, May 2nd

Sydney, May 3rd  

Kuala Lumpur, May 15th  


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

