Wednesday May 29, 2013

Understanding API management for mobile app security

Earlier this month I heard a customer talk about his experience with a recent Oracle API Gateway (OAG) implementation. OAG sits between your back-end systems and your mobile applications to monitor and manage the messages that flow back and forth. One of the key functions of OAG is its ability to transform SOAP messages into other protocols, such as REST/JSON, which are optimized for mobile applications. This means you can expose business systems and data with a minimal amount of coding, and therefore create mobile apps very quickly.

After listening to his presentation, I asked him to identify some key points about OAG. Here is what he said:

  • Time to market – I would suggest that you could deliver solutions faster because you could leverage existing software assets.  In fact, delivering it fast but SECURE is the benefit.  Sometimes, they are separate but I think it’s worth noting.
  • New platform – New web paradigms such as web 2.0 (REST/JSON) can be tapped and be built on existing legacy solutions.
  • Paradigm shift – The security layer just isn’t about security anymore. The presentation layer has shifted to client deployment, so the security layer is now the business layer. It’s more of an integration layer for UI and non-UI scenarios. I’m actually more a desktop developer, so it’s old hat to me. It’ll be new for a lot of web developers.
  • Thin air – You can make a service or application out of thin air.  This is against traditional coding styles but when you consider the value proposition, it’s hard to argue. 

He was careful to point out that OAG won't remove all coding tasks, and in fact he said that if you have a strong coding team, the end result would be even better.

Follow the link below to read more about OAG.

Tuesday May 28, 2013

Don't Secure Yourself Out of Business

As regulatory pressure and security threats continue to rise, the Chief Security Officer (CSO) role is gaining importance in many organizations. With security spending at an all-time high, many CSOs are re-thinking their priorities and focusing on risk. A recent CSO Market Pulse survey of IT executives finds that in most organizations IT spending is not aligned with risk.

Mary Ann Davidson, Oracle Corp CSO, joins us for this exclusive webcast to discuss the findings of the survey. One of the most important voices among computer security practitioners today, Davidson describes how CSOs and other IT leaders can use this information to reduce risk in the enterprise. To Register Click Here.

Webcast Date: Thursday, July 18, 2013

Time: 10:00 PM PST

Speaker: Mary Ann Davidson, Chief Security Officer, Oracle

Registration: Click Here

See How Qualcomm Enforces Compliance with Oracle Identity Management

Qualcomm discusses the benefits of closed-loop compliance remediation and other key features of Oracle’s latest Identity Management release that enable them to meet business objectives, manage user access attestations, and enforce compliance.

Join us in watching this short video to understand how Oracle is enabling Qualcomm to meet and exceed their compliance goals with Oracle Identity Management. Click HERE to watch the video.


API Security Beyond The Perimeter: IdM R2 PS1

If you are moving applications to the cloud or extending your applications to mobile devices, you will be concerned with securing the device interaction with users and with back end components that reside behind your perimeter. In Identity Management 11g R2 Patch Set 1, we have enhanced and released Oracle API Gateway to enable organizations to address the challenges of service oriented security, applications on mobile devices and applications in the cloud. Patch Set 1 is another step in rationalizing a platform approach to Identity and Access Management to enable organizations to modernize security. For a primer on Oracle API gateway, Apple Bagwell simplified the topic and captured it in a Prezi. Apple recently presented an overview to the Identity Architect Forum which was well received. He does a great job of simplifying and demystifying the topic. Click here to view the Prezi.

The latest docs for Oracle API Gateway can be found here. For more resources on Identity Management R2 Patch Set 1, see the links below.

Sunday May 19, 2013

Unified Directory Goes Virtual: IdM R2 PS1

Oracle Unified Directory has set the bar for performance. Built from the ground up to provide elastic scale, Oracle Unified Directory (OUD) is interoperable with all directories in the Oracle Directory Services Suite.

With the Patch Set 1 release, OUD now combines the capabilities of Oracle Virtual Directory. With a combined directory, organizations can lower operating cost by consolidating directory silos using a single directory server. Instead of having multiple infrastructures and separate administrators, a unified solution can provide better administrative ratios and economies of scale.

A unified solution helps organizations embracing the cloud with a single solution to provide high scale reads and writes for authentication and authorization. For cloud applications, a single directory can store location data, personalization data and provide a single interface for external data. 

For more information on getting started with Identity Management R2 PS1 click here for the documentation. You can learn more about Identity Management R2 PS1 from these resources:

Thursday May 16, 2013

Congrats to Virgin Media: Best IAM Project Award

We extend our congratulations to the team at Virgin Media for winning the award for best Identity and Access Management project at the European Identity Conference in Munich this week. Excerpt below from the European Identity Conference.

In the category “Best Identity and Access Management Project”, the award goes to Virgin Media for the implementation of highly polished access control mechanisms with IAM technologies for the WiFi network of the London Underground metro system. This project went live for the 2012 Summer Olympics and had to meet very demanding requirements for high performance user authentication.

You can learn more about the Virgin Media story by viewing this on demand webcast here.

Oracle On Demand Provisioning Service

The growing number of business applications and services that employees need to access makes it increasingly difficult for organizations to create and remove accounts and privileges in a timely fashion, and keep track of everything for compliance purposes. Help-desk costs related to manual account administration and password reset also prove challenging.

To learn more about how Oracle can help your organization deal with these challenges by reducing costs, decreasing exposure and risk, and improving IT efficiencies through Identity Management, download our data sheet on Oracle On Demand Provisioning Service.

Wednesday May 15, 2013

What Can Oracle API Gateway Do for You?

Author: Sid Mishra

The Application Programming Interface (API) is an emerging technology trend for integrating applications using web technology. Adoption of a cloud based computing approach using an API based model results in greater operational efficiencies and lower costs than many traditional IT deployments. The approach is gaining popularity because it is based on well-understood techniques and leverages existing infrastructure. APIs and traditional services in a SOA model have a 1:1 relationship: an API is the interface of a service. Services are about the implementation and are focused on the provider, while an API is about using the functionality, and is focused on the consumer.

However, as with any new technology, security is often a major inhibitor to adoption. A cloud service consumer or subscriber-based computing model is associated with concerns over visibility into these services, less control over security policies, new threats facing shared deployment environments, and the complexity of demonstrating compliance. It can also be a mistake to think APIs should be secured using the same methods and technology used to secure the conventional browser-centric web. While it is true that APIs share many of the same threats as the web, and that consistent, centralized access control is a growing pain point for most deployments, APIs are fundamentally different from web sites and have a unique risk profile that must also be addressed.

Oracle API Gateway, as a standards-based, policy-driven, standalone software security and API management solution, provides a first line of defense in Service-Oriented Architecture (SOA) and cloud environments. It enables organizations to securely and rapidly adopt Cloud, Mobile and SOA Services by bridging the gaps and managing the interactions between all relevant systems. Oracle API Gateway as a central access control point manages how internal users and application assets are exposed to outside cloud offerings and reduces cloud-related security risks. It allows enterprises to leverage their existing Identity and Access Management investments by extending authentication, authorization and risk policies to mobile, cloud and enterprise applications – without requiring changes to back-end applications and services. Oracle API Gateway as a Mobile Access Gateway simplifies the process of adapting internal data, application and security infrastructure for mobile use. It provides a centralized way to control security and management policies for information assets exposed via internet APIs to mobile applications and developers.
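The mediation pattern described in the two API Gateway posts on this page (REST/JSON in front of a SOAP back end, with authentication and policy enforced before anything reaches the service) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not Oracle API Gateway code and uses no OAG APIs. The HMAC bearer-token format, the shared secret, the `urn:example:accounts` namespace, the `GetBalance` operation and the stand-in back end are all constructed for illustration.

```python
"""
Protocol mediation with policy enforcement in front of a SOAP back end.
Added example for this page; it is not Oracle API Gateway code and uses
no OAG APIs.  The token format, the shared secret, the service namespace
and the back end are all constructed stand-ins.
"""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:accounts"             # hypothetical legacy service namespace
GATEWAY_SECRET = b"example-gateway-secret"  # assumption: key for verifying tokens

# Allowlist of back-end operations exposed to mobile clients.  Anything not
# listed stays unreachable through the gateway, whatever the back end offers.
ALLOWED_OPS = {"GetBalance"}


def issue_token(user):
    """Mint a 'user.hmac' bearer token (stand-in for the access manager)."""
    sig = hmac.new(GATEWAY_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"


def verify_token(token):
    """Return the user named in a valid token, or None."""
    user, _, sig = token.rpartition(".")
    if not user:
        return None
    expected = hmac.new(GATEWAY_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(sig, expected) else None


def json_to_soap(op, params):
    """Wrap validated JSON parameters in a SOAP 1.1 envelope."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    call = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SVC_NS}}}{op}")
    for name, value in params.items():
        ET.SubElement(call, f"{{{SVC_NS}}}{name}").text = str(value)
    return ET.tostring(env)


def soap_to_json(soap_response):
    """Flatten the response element under soap:Body into a plain dict."""
    body = ET.fromstring(soap_response).find(f"{{{SOAP_NS}}}Body")
    return {child.tag.rsplit("}", 1)[-1]: child.text for child in body[0]}


def legacy_backend(soap_request):
    """Constructed SOAP back end: answers GetBalance with a fixed balance."""
    call = ET.fromstring(soap_request).find(f"{{{SOAP_NS}}}Body")[0]
    op = call.tag.rsplit("}", 1)[-1]
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    resp = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SVC_NS}}}{op}Response")
    ET.SubElement(resp, f"{{{SVC_NS}}}AccountId").text = call.findtext(f"{{{SVC_NS}}}AccountId")
    ET.SubElement(resp, f"{{{SVC_NS}}}Balance").text = "1250.00"
    return ET.tostring(env)


def handle_rest_request(op, headers, json_body):
    """Gateway entry point for POST /api/<op>; returns (status, dict)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    user = verify_token(auth[len("Bearer "):])
    if user is None:
        return 401, {"error": "invalid token"}
    if op not in ALLOWED_OPS:
        return 403, {"error": f"operation {op} is not exposed"}
    try:
        params = json.loads(json_body)
    except json.JSONDecodeError:
        return 400, {"error": "malformed JSON"}
    # Parameter names become XML element names: reject anything that is not
    # a plain identifier so a client cannot inject markup into the envelope.
    if not isinstance(params, dict) or not all(
            isinstance(k, str) and k.isidentifier() for k in params):
        return 400, {"error": "parameters must be an object with identifier keys"}
    # Everything that reaches the back end has already been authenticated and
    # policy-checked here; the SOAP service itself is unchanged.
    result = soap_to_json(legacy_backend(json_to_soap(op, params)))
    result["caller"] = user
    return 200, result
```

The order of the checks is the point: token, then operation allowlist, then input validation, and only then the SOAP call. A real gateway would validate tokens issued by the access manager rather than a local HMAC secret, and would validate the JSON against a schema rather than the identifier check used here, but the back end still sees nothing it was not already written to accept.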

To learn more about API Management and secure cloud connectivity using Oracle API Gateway, refer to the product datasheet links here and here.

Monday May 13, 2013

What do your employees think of Identity Management?

Identity Management isn't exciting, it's not fun; in fact employees think Identity Management is downright restrictive, something to get around, something that limits productivity. What if you could hear what employees really think? I mean, hear what they REALLY think about IdM. Well, now you can.

Our undercover investigative team has contacted and interviewed IdM to get the real story - not the sugar coated PowerPoint version of what is going on, we are talking about the no-holds barred, really dirty truth about IdM.  Register using this link to read the whole eBook interview and see what we mean.

Warning: this may not be suitable for new IdM professionals, and some content may not be suitable for the office.  Readers are cautioned to proceed at their own risk.

Friday May 10, 2013

UPMC to Secure Access for 75,000 IT System Users at Midsize Hospitals with Robust Identity Management Suite

Committed to developing and delivering life-changing medicine, University of Pittsburgh Medical Center (UPMC) is a US$10 billion, integrated, global health enterprise and one of the leading health systems in the United States. UPMC operates more than 20 academic, community, and specialty hospitals and 400 outpatient sites; employs more than 3,200 physicians; and offers an array of rehabilitation, retirement, and long-term care facilities. It is also Pennsylvania’s largest employer and the first nonprofit health system to fully adopt Sarbanes-Oxley standards.

A recognized innovator in information technology, UPMC has deployed an electronic health record across its hospitals and has implemented a semantic interoperability solution to unify information from multiple systems.

UPMC had an in-house-developed identity and access management system in place for eight years. As the healthcare organization’s identity management requirements continued to evolve and become more complex, it decided to move to a commercial, off-the-shelf offering and chose Oracle Identity and Access Management Suite. The solution will provide UPMC with the scalability it requires: managing identities and access for more than 75,000 system users, which include employees as well as contract staff and medical students on rotation in the organization. It will also deliver the flexibility UPMC requires to continue to adapt its environment to accommodate new systems and requirements.

For the full article, click HERE

For more information on how UPMC and Oracle have partnered to help smaller hospitals with identity management, check our PRESS RELEASE.  

Wednesday May 08, 2013

Looking Back at The Biggest IT Security Failures

Earlier this morning, the feature on Biggest IT Security Failures on CFO Insight caught my eye. The article captures some of the more well known recent IT security incidents and discusses how these news stories may just be the tip of the iceberg. Bigger stories around cyber-espionage (check out the blog post from Oracle’s Ricardo Diaz on this subject) go unnoticed or unreported.

Looking at the companies mentioned, it is obvious that IT security is not really about budgets. Or rather, it is not ONLY about budgets. If throwing money at the problem would have gotten rid of the problem that is "security breaches", big brands wouldn’t have made the headlines with these news stories. A smarter, security inside-out approach is called for: secure the data where it resides, build in security within the layers from infrastructure, database and middleware to applications, and manage access to these systems. Adopt a platform approach to security so that your resources, all the way from infrastructure up to the applications, can leverage security processes and solutions in a standardized, repeatable and consistent way. This will also allow you to extend your security framework as your infrastructure grows or as you look to support applications in the cloud or mobile access. Build a sound security platform, then leverage it across the whole estate and over time to maximize your existing investment. A standard security platform also eases your compliance burden, since you will not be dealing with siloed information.

Take a look at Oracle’s platform approach to Identity Management and tell us what you think.

Monday May 06, 2013

CSO Online Study: Threats are Outside, Risks are Inside

Oracle recently worked with CSO Online to study the economics of security. Despite the increasing IT spend on security, many organizations don't feel any safer. According to the study, organizations allocate up to 67% of their IT security spend to protecting network resources. However, the biggest risk in many organizations is weak governance controls on user access and application security. According to the Verizon 2013 Data Breach Investigations Report, 76% of attacks utilize lost or stolen credentials as a means of entry or of propagating the attack.

According to the survey, 40% believed that implementing fragmented point solutions created gaps in their security and left them vulnerable. Fragmentation creates latency in security processes, and latency introduces risk. According to a similar study by Aberdeen Research, organizations that take an integrated platform approach had 35% fewer audit deficiencies and were more responsive.

The findings underscore the relevance of Oracle’s “security inside-out” approach which means focusing attention on the organization's most strategic assets which include applications, databases, systems, and users. 

Read the details here

Sunday May 05, 2013

Good News For IT Audit: IdM R2 PS1

If you have downloaded the latest Identity Management release, then you will find these notes helpful. If you have not downloaded the latest release, you can download it here. This article is the first in a series that will explore new features in the R2 PS1 release. R2 PS1 is the latest release to continue the convergence of the Identity suite. If you are using Identity Manager for provisioning or Identity Analytics for access certification, you will like the new converged Identity Auditor feature that provides integrated analytics directly in the provisioning process.

Now provisioning and analytics share a single integrated data model. This is good news for audit and compliance because it ensures that the data being certified is as recent as possible. For many organizations, by the time the certification actually takes place, the data being certified may be out of date. By having a single repository, the latest data from the provisioning process is used directly in the certification review. This removes the need for a compensating control.

The integrated data model has the added benefit of close to real time certification which means that changes to user entitlements can automatically trigger certification reviews without any integration necessary. The goal is to reduce the workload of access certification and keep the organization always certified.
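As an added example of the difference the integrated model makes (example code written for this page, not Oracle Identity Manager or Identity Analytics code): a provisioning store whose grant events raise review items directly, next to a helper that measures what a certification run from a periodic extract would miss or review needlessly. Users and entitlement names are constructed.

```python
"""
Certification from a periodic extract versus from the live provisioning
store.  Added example for this page, not Oracle Identity Manager or
Identity Analytics code; users and entitlements are constructed.
"""
from copy import deepcopy


class ProvisioningStore:
    """Live user -> entitlement set, shared with the certification process."""

    def __init__(self):
        self.entitlements = {}   # user -> set of entitlements held now
        self.certified = {}      # user -> entitlements approved at last review
        self.review_queue = []   # (user, entitlement) raised by a change event

    def grant(self, user, ent):
        """Provisioning event: the grant itself raises a review item."""
        self.entitlements.setdefault(user, set()).add(ent)
        if (user, ent) not in self.review_queue:
            self.review_queue.append((user, ent))

    def revoke(self, user, ent):
        """Access that is gone needs no review and no longer counts as certified."""
        self.entitlements.get(user, set()).discard(ent)
        self.certified.get(user, set()).discard(ent)
        self.review_queue = [r for r in self.review_queue if r != (user, ent)]

    def decide(self, user, ent, approved):
        """Reviewer decision on a queued item: certify it or revoke it."""
        self.review_queue = [r for r in self.review_queue if r != (user, ent)]
        if approved:
            self.certified.setdefault(user, set()).add(ent)
        else:
            self.revoke(user, ent)

    def uncertified(self, user):
        """Live view: what the user holds that no reviewer has approved."""
        return self.entitlements.get(user, set()) - self.certified.get(user, set())

    def extract(self):
        """Point-in-time export, as a separate analytics tool would load."""
        return deepcopy(self.entitlements)


def extract_drift(store, extract, user):
    """Compare an extract with the live store.  'missed' is access granted
    after the extract that a snapshot-based review never sees; 'stale' is
    access revoked after the extract that the review would certify anyway."""
    live = store.entitlements.get(user, set())
    snap = extract.get(user, set())
    return {"missed": live - snap, "stale": snap - live}
```

Both sets returned by `extract_drift` are exactly the gap a compensating control has to cover when certification runs on an export; with review items raised at grant time, `uncertified()` is always computed against current access and the gap does not exist.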

For more information on getting started with Identity Management R2 PS1 click here for the documentation. You can learn more about Identity Management R2 PS1 from these resources:

Thursday May 02, 2013

European Identity Conference

This year's European Identity Conference is devoted to cloud, mobile and social, and it promises to be an exciting event. Here is a link to the conference. You will not want to miss Peter Boyle and Mike Neuenschwander. Peter's keynote is on Thursday May 16th. Peter Boyle is Head of Identity Services for BT. Below is an abstract for his talk.

If Your Customers Don't Feel Safe, They Will Leave You

More than 559 million adults have been victims of cyber-crime - that's more than the population of the European Union. More businesses are trying to connect with customers on social and mobile, but 15% of social networking users have had accounts infiltrated and 21% have fallen prey to mobile or social attacks. Only one incident can cause a customer to shift brands. If you are trying to find new paths to market online, don't miss this session. Securing the customer experience should be the top priority for any business initiative involving cloud, mobile and social. Faced with the need to secure a growing hosting business with more than 10,000 customers accessing services on-line, British Telecom identity-enabled their applications to secure their customer data and transactions. In this session, Peter Boyle, Head of Identity Services for BT, will discuss how to keep your customer safe, loyal to your brand and keep them coming back for more.

Mike Neuenschwander will speak in the following sessions:

  • May 14th, 2:00 pm: The Future of IAM
  • May 15th, 10:30 am: Next Generation Cloud and Mobile Identity Management
  • May 15th, 2:00 pm: The Future of IAM: "Do not kill IAM, improve and extend it"
  • May 16th, 2:00 pm: Life Management Platforms, Personal Data, Private Cloud

Wednesday May 01, 2013

North American CAB Notes and Key Takeaways

The North American Customer Advisory Board (CAB) was held at Oracle headquarters, April 16-18.  Customers were invited to attend in order to get an update on product direction, participate in discussions on key industry trends, and to meet with Product Managers to discuss product road maps and features.

Day 1 consisted of an overview of the Oracle IDM business, including key market trends and customer success stories, followed by presentations by Product Management in three key areas: Directory Services, Identity Governance, and Access Management.

Day 2 contained moderated discussions on key topics such as Mobile and Cloud Applications, and also a customer presentation by College Board on their IDM implementation.

Day 3 began with a presentation by Oracle IT on how they are using Oracle IDM to manage systems and applications internally, and then moved on to additional breakout and feedback sessions.  There were also opportunities for customers to meet with Product Managers one on one to discuss specific product features and functions.  At the end of the day, customers were invited to provide feedback about the various presentations and discussions, and to identify key priorities for their organizations.

Here are some of the more popular discussion topics:

  • Reference architectures for IDM: customers identified the need for additional best-practice guidance when sizing and scaling hardware for optimal performance. A lot of good reference material exists for 10g products (which have been in the market for quite a while) but less is available for 11g products.
  • Multi-datacenter configurations, as well as configuring for high availability and disaster recovery.
  • Mobile application security was a hot topic: most of the attendees were delivering and securing mobile applications, but there was a lot of variation in what customers were doing. Most agreed that the management capabilities of IDM for mobile applications needed to improve, and most agreed that mobile application management was a top priority for them.

All of the customers I spoke to agreed that the time was well spent, and that the presentations were detailed and focused on the topics, technologies and timelines that they felt were important.  Everyone agreed that the ability to meet one on one with Product Management was very helpful, and everyone liked the customer presentations.

Thank you to everyone that attended, and shared their concerns, thoughts and suggestions with the IDM team.


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

