Wednesday Mar 26, 2014

Multi Channel Architecture & Securing The Mobile Channel - by Ricardo Diaz

This brand NEW series from Oracle's Global Sales Support team will dive into mobile security risks, dissect MDM, MAM and changes in the wind, device management, fraud, secure containers, extending IdM to mobile, application development and much more.

Multi-Channel Architecture (MCA) projects are transformative business trends brought on by I.T. modernization initiatives across industries.  As the technology behind these customer, partner, vendor or employee channels evolves to meet today's new business opportunities, security and privacy risks have never been greater.  Especially for the Mobile Channel.

Let's look at one of my favorite industries' multi-channel architectures, BANKING, and why securing the mobile channel is quickly becoming a priority for businesses globally.

A bank's channels (ATM, Branches, Online, IVR, POS, PSE and Mobile) all need airtight information protection policy and rock solid security/privacy controls.  On the surface, the Mobile channel looms as the 800 pound gorilla in the room for many bank enterprise security architects because mobile security, to many, is so new.  In reality, with the right technology partner it doesn't have to be.

One interesting and risky trend I noticed working with Colombia, Mexico and Australia banks and their MCA projects is where the mobile application development group sits in the enterprise org.  These critical development teams were sitting outside of I.T.!  NO governance.  Weak security.  They did this to speed the development process of their apps.  I get it, but this is a good example of what probably is more common than you'd think when it comes to the risks of mobile application development.  So is bringing these development teams under the I.T. umbrella going to secure their apps?  Not necessarily, but this type of security challenge highlights the need for not just a good mobile security solution but one that isn't bound by organizational or political barriers.  All these MCA Banking projects had this challenge as a key business driver for a robust secure mobile channel.  Take a look INSIDE your organization.  Is security ubiquitous within your mobile business channel?  Are shortcuts being taken to speed up development and meet business demand?  Can you extend your enterprise security policy to these mobile devices if these apps were not built to your corporate enterprise architecture or security standard?

In the next GSS blog, we will highlight how the MDM/MAM space has evolved and why these technologies are part of the mobile security answer but not the final answer.

Tuesday Mar 25, 2014

Enabling access to Google Apps through Oracle IDM

Guest blog by Anand Murugesan

Adoption of cloud is enabling organizations to rapidly increase capacity and employee productivity while reducing their cost.  IT organizations are trying to play catch-up with this accelerating trend and are faced with technological obstacles in enabling access to cloud applications.  When it comes to enabling employee access to cloud applications, organizations today are using cumbersome techniques, including manual provisioning and de-provisioning processes that cause delays in cloud enablement.  Moreover, it leaves security vulnerabilities when employees leave the company or move between organizations.  Oracle Identity and Access Management suite (Oracle IAM Suite) addresses these issues with the right set of technologies and tools to fast-track cloud adoption.  In this article we will discuss how organizations can enable their users to access Google Applications.

Organizations can integrate Oracle IAM Suite with Google Applications through either Identity Federation or Identity Synchronization techniques.  The choice depends on the type of access needed for Google Applications.

The first option is to use SAML 2.0 based Federation standards to integrate with Google Apps.  As per Google, "Google Apps offers a SAML-based Single Sign-On (SSO) service that provides customers with full control over the authorization and authentication of hosted user accounts that can access web-based applications like Gmail or Google Calendar."  In this case Google Apps acts as the Service Provider (SP) and the Oracle Identity and Access Management Federation Service acts as the Identity Provider (IdP).  With this type of integration, when accessing Google Apps through a web browser, the user is redirected to the Federation Service hosted by the customer for authentication.  Once authentication is complete, the user is redirected back to Google Apps.  The Federation Service supports both SP-initiated and IdP-initiated logout.  The customer still maintains full control of who has access to Google Apps.
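The SP/IdP exchange described above, reduced to its messages and the checks each side performs, as an added example (not code from the post or from Oracle's Federation Service). Entity IDs, the ACS URL and the user are constructed placeholders, and a shared-key HMAC stands in for the XML-Signature a real IdP would apply and the SP would verify with the IdP's certificate.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS, TS, Q = {"samlp": SAMLP, "saml": SAML}, "%Y-%m-%dT%H:%M:%SZ", ET.QName
KEY = b"constructed-demo-key"  # stands in for the IdP signing key and the SP's copy of its certificate


def idp_issue_response(request_xml, username, idp_entity_id, trusted_sps):
    """IdP side (the customer-hosted Federation Service): answers one AuthnRequest
    for a user who has just authenticated there. Returns (response_xml, tag)."""
    req = ET.fromstring(request_xml)
    sp = req.findtext("saml:Issuer", namespaces=NS)
    if sp not in trusted_sps:
        raise PermissionError("request from an unknown service provider")
    now = datetime.now(timezone.utc)
    resp = ET.Element(Q(SAMLP, "Response"), ID="_" + secrets.token_hex(16),
                      InResponseTo=req.get("ID"), IssueInstant=now.strftime(TS))
    a = ET.SubElement(resp, Q(SAML, "Assertion"), ID="_" + secrets.token_hex(16))
    ET.SubElement(a, Q(SAML, "Issuer")).text = idp_entity_id
    subj = ET.SubElement(a, Q(SAML, "Subject"))
    ET.SubElement(subj, Q(SAML, "NameID")).text = username
    sc = ET.SubElement(subj, Q(SAML, "SubjectConfirmation"), Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, Q(SAML, "SubjectConfirmationData"), Recipient=req.get("AssertionConsumerServiceURL"))
    cond = ET.SubElement(a, Q(SAML, "Conditions"), NotBefore=(now - timedelta(seconds=30)).strftime(TS),
                         NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TS))
    ET.SubElement(ET.SubElement(cond, Q(SAML, "AudienceRestriction")), Q(SAML, "Audience")).text = sp
    xml_bytes = ET.tostring(resp)
    # HMAC stands in for the XML-Signature a real IdP applies; the SP checks it before anything else.
    return xml_bytes, hmac.new(KEY, xml_bytes, hashlib.sha256).hexdigest()


class ServiceProvider:
    """SP side (Google Apps in the post): issues AuthnRequests and validates Responses."""

    def __init__(self, entity_id, acs_url, idp_entity_id):
        self.entity_id, self.acs_url, self.idp_entity_id = entity_id, acs_url, idp_entity_id
        self.pending = set()  # IDs of requests we issued and have not yet seen answered

    def build_authn_request(self):
        req_id = "_" + secrets.token_hex(16)
        self.pending.add(req_id)
        req = ET.Element(Q(SAMLP, "AuthnRequest"), ID=req_id, AssertionConsumerServiceURL=self.acs_url,
                         IssueInstant=datetime.now(timezone.utc).strftime(TS))
        ET.SubElement(req, Q(SAML, "Issuer")).text = self.entity_id
        return ET.tostring(req)

    def consume_response(self, response_xml, tag):
        """Each check blocks one way a bearer assertion can be misused; returns the NameID."""
        if not hmac.compare_digest(tag, hmac.new(KEY, response_xml, hashlib.sha256).hexdigest()):
            raise ValueError("integrity check failed: altered or not from the IdP")
        root = ET.fromstring(response_xml)
        a = root.find("saml:Assertion", NS)
        if a is None or a.findtext("saml:Issuer", namespaces=NS) != self.idp_entity_id:
            raise ValueError("assertion missing or issued by an untrusted IdP")
        if root.get("InResponseTo") not in self.pending:
            raise ValueError("unsolicited or replayed response")
        self.pending.discard(root.get("InResponseTo"))  # a request is answered at most once
        cond = a.find("saml:Conditions", NS)
        nb, noa = (datetime.strptime(cond.get(k), TS).replace(tzinfo=timezone.utc)
                   for k in ("NotBefore", "NotOnOrAfter"))
        if not nb <= datetime.now(timezone.utc) < noa:
            raise ValueError("assertion is outside its validity window")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != self.entity_id:
            raise ValueError("assertion was issued for a different service provider")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != self.acs_url:
            raise ValueError("assertion was not addressed to this ACS URL")
        return a.findtext("saml:Subject/saml:NameID", namespaces=NS)


def rejected(sp, response_xml, tag):
    """True if the SP refuses the response; used to exercise the checks above."""
    try:
        sp.consume_response(response_xml, tag)
        return False
    except ValueError:
        return True
```

A replayed response is refused because its InResponseTo was already consumed, and any edit to the response body fails the integrity check before the assertion is even parsed.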

The second option is to use two-way identity synchronization techniques.  The Google Apps connector that ships with Oracle Identity Manager (part of Oracle IAM Suite) keeps both on-premise and cloud identities in sync.  This connector manages Google Apps as a 'managed target resource', enabling data about users created or modified directly in Google Apps to be reconciled into Oracle Identity Manager.  Moreover, user accounts can be provisioned into Google Apps from Oracle Identity Manager.

Both Federation and Identity Synchronization techniques enable seamless integration with Google Apps.  When would you choose one over the other?  If the customer needs to enable only web browser based access to the Google Applications for their users, then SAML based Federation would be sufficient.  Setting up Federation is a fairly simple process.  For more information refer to this white paper.  On the other hand, if the customer wants to enable user access beyond the web browser to desktop or mobile clients such as Outlook for Google Apps, identity synchronization would be the better option.  For more information on how to set up the Google Connector, please refer to the Oracle Identity Manager Google Apps Connector documentation.

Monday Mar 24, 2014

A European Perspective on Identity and Access Management

Guest blogger Marcel Rizcallah is the EMEA Domain Leader for Security at Oracle Consulting.

In the last 10+ years working with identity and access management  (IAM) customers, I have had the pleasure to work on different case studies throughout Europe that include specific industry requirements. In doing so, I have assisted customers with the definition of their IAM strategy and implementation roadmap, helping align security policies with business drivers.

I have learned that the European market is characterized by a high level of consolidation with mergers and acquisitions in recent years. For example, most of the Telco organizations have consolidated through acquisitions, and now only a few giants remain such as BT, Orange, Vodafone, Telefonica and Telenor. The consequence is difficulty achieving compliance with regulatory laws and controlling operations costs, as it's challenging to get a single view of their European employees and centralize access rights across the various applications and systems, which unfortunately are still based on local and legacy solutions.

As most organizations used to have local and disconnected IAM solutions, they are now starting to rebuild consolidated and brand new IAM infrastructures based on the latest versions of Oracle IAM products. Thanks to the underpinning Oracle FMW stack, organizations can now provide the flexibility and scalability required by such huge implementations with hundreds of thousands of users, and even millions of them if we include their customers.

In the Public sector, governments and the European Union organization are working on citizens' services integration to provide a better user experience and harmonize citizens' rights between countries, such as social security, unemployment and retirement services. For that, governments are adopting identity federation services based on SAML 2.0.  Federation is so strategic for them that countries such as France were part of the Liberty Alliance foundation and were active in elaborating the federation standard with vendors such as Sun. Today, identity federation is also a key component of online government services, providing a better citizen experience with access management single sign-on and identity mapping when moving across online services such as unemployment or tax declaration.

European institutions such as national banks and border agencies are providing their public agents with access to shared applications across countries. The complexity of such integration resides in the different approval workflows, which are specific to each country and need to be processed across more than one organization. They have developed complex and custom workflows in their legacy IAM solutions which are difficult and expensive to maintain. This is where modern IAM platforms, with embedded workflow engines such as Oracle BPEL, can bring strong added value.

In the finance sector, retail and private banks are looking to control critical application access based on employees' job position and organization. Most of them have defined role models that need to be integrated with a provisioning solution to update access when a user joins, moves or leaves. Solutions usually rely on custom role modeling tools and corporate directories with groups associated to each role. Those directories must be designed to be highly available and performant to avoid being a single point of failure.

From those few examples we can see that IAM solutions have to address specific challenges per industry sector. Those challenges will increase with Mobile & Social, Big Data and Cloud computing! I will elaborate on this in a future blog.

Use the following links to learn more about Oracle IDM products and Oracle Consulting Services for IDM.

Friday Mar 21, 2014

What's New in PS2? The Cloud Access Portal

Cloud Application management is one of the main themes in the PS2 release.  I have asked Lee Howarth to explain a bit more about the new Cloud Access Portal Service.

With the advent of SaaS applications, how do we solve password and single sign-on challenges... again?

For many years Single Sign-On technology has provided various security and usability benefits, allowing organizations to simplify the user experience of gaining access to multiple web and enterprise resources, while enforcing more complex password policies to increase security.  Unfortunately this status quo is being challenged by the advent of Software-as-a-Service applications.

Once again users are being asked to remember multiple name and password combinations to their various SaaS accounts, a situation made even more frustrating by the fact that more and more users are accessing these sites from mobile devices.

The types of web applications accessed by a typical corporate user can be grouped into three main categories:

  1. Applications that require a name and password (corporate and SaaS) to be entered directly into a login form
  2. Applications that are protected via some form of Access Management solutions; and
  3. Applications that are federation enabled (corporate partner or SaaS application).

Addressing the password challenge across each of these categories, while simplifying usability and management, is a key benefit of the new Oracle Access Management - Access Portal Service.
The Access Portal provides:

  • A cross-platform logon portal for web-based applications that automatically adapts to the device form-factor.
  • Single sign-on to SaaS, web, partner and Oracle Access Management protected resources via Identity Federation, Form-Fill and Oracle Access Management session identifiers.
  • Centralized administration and wizard-based form-fill template generation to simplify administrative tasks.
  • RESTful interfaces to enable integration with existing corporate portals.

Administrators define applications using the Oracle Access Management administration interface as one of three types, corresponding to the categories mentioned above.

  • Form-Fill Applications: applications that require a name and password to be entered into a login form.  The Access Portal service uses proxy technology to provide a form-fill service that supports login forms and can even sense when passwords have changed (perhaps due to password expiration) and enables the user to update securely stored credentials.
  • SSO Agent Applications: applications protected by Oracle Access Management (OAM).  With this type of application the Access Portal simply represents OAM protected URLs.  Authentication is handled by standard OAM authentication and session management.
  • Federated Applications: applications that require federated authentication, be they partner or SaaS applications.  In this case the Access Portal applications are essentially IdP-initiated authentication links, which use the Oracle Access Management - Federation Service to authenticate and assert the user's identity to a target application.

The following diagram represents the high-level architecture for the Access Portal Service (APS):

APS Architecture

For more information, please visit


Wednesday Mar 19, 2014

What's new in PS2? Many enhancements to Identity Governance

As you might know, our official IDM 11gR2 PS2 webcast will be held on April 10, 2014 @ 10:00 am PST

Register for our PS2 Webcast

#OracleIDMPS2 is our official Twitter hashtag for all things PS2!

In the run-up to the webcast, I have asked the PM team to put together a series of blogs to help outline the big changes and new features that were introduced as part of the PS2 webcast.  This week, the Identity Governance team has put together a post all about Identity Governance.

Oracle Identity Governance is a suite of highly flexible and scalable enterprise identity administration solutions that provides operational and business efficiency through centralized administration and complete automation of identity and user provisioning events across enterprise as well as extranet applications. It provides role lifecycle management and privileged account management, ensuring consistent enforcement of identity-based controls and thereby reducing ongoing operational and compliance costs. New features introduced in the Oracle Identity Governance 11gR2 PS2 release are focused on customer success, improving overall reliability and reducing the TCO of existing deployments. Highlights include:

Dynamic Organization Membership

In a typical enterprise or extranet use case scenario, a user will be associated to their home organization but would require membership to other organization entities to perform related functions. For example, a global help desk user who belongs to the Support organization would require access to view and perform certain functions (like password reset) on other organizations like Finance, Sales etc. The solution has the capability to manually assign the help desk user to an Organization Viewer admin role, which is restrictive and more applicable to permission grants. 

Dynamic Organization Membership provides a way to specify a rule that drives the membership of the user in one or more organizations based on their user attributes. The feature introduces the ability to specify a membership rule for organizations, similar to how roles are handled. Once the user is dynamically associated to other organizations, they get implicit viewer privileges to view users, roles and privileges made available to those organizations as well. If certain users need to perform certain functions, like the help desk example above, they can still be associated to the corresponding admin role manually. Note that this is dynamic rule-based organization membership (not virtual organization) and has to be associated with a physical organization in the solution.

Simplified Request Management

Oracle Identity Governance provides a centralized catalog of access rights, including enterprise and application roles, standard and privileged accounts and entitlements. The solution enables customers to create multiple views of the centralized catalog, like catalog by location, by department or a hierarchical catalog showing all applications along with associated entitlements etc., tailored to their needs. A list of beneficiaries can also be programmatically sent to the catalog enabling customers to integrate with other request initiating systems like a ticketing system.

Oracle Identity Governance provides a business user friendly catalog to request account entitlements. However, it required the business user to know about any entitlement-related dependencies. For example, the user needed to know that they needed an e-Business account before they could request an entitlement that grants them privileges to raise a purchase order in e-Business. OIG can now automatically request the account for a user when a related entitlement is requested, thereby reducing the burden on business users to know the account-entitlement relationship.

Business users, requesters, approvers or access certifiers often require detailed information on what a particular entitlement maps to in the target system. For example, granting an e-Business role or responsibility would grant a user a set of menu/button privileges. OIG now supports such critical hierarchical entitlement metadata being imported and made available during request, approval and certification processes. Users typically have more than one account in a target system, and OIG already supported associating multiple accounts with a user.

The solution now lets requesters specify, during request checkout, which account a specific entitlement in the request should be associated with. In many cases, requesters are required to provide additional information during an access request for each item requested. For example, in a request that involves multiple entitlements, the requester might be required to specify the start date and end date for each of the entitlements requested. OIG enables requesters to provide such information during the request, and it is carried all the way to the approval and provisioning processes. OIG also provides an out-of-the-box scheduled task for entitlement grant and revoke based on the start and end dates specified.

Oracle Identity Governance also enables requesters to save the request cart enabling them to validate and submit requests at a later time.

Collaborative Certification Processes with Identity Auditor

Oracle Identity Governance introduces the capability of specifying additional levels of review in the certification workflow process. For example, OIG can now launch a certification review process whereby the business manager reviews the users that report to him/her, followed by the manager's manager also reviewing the same access rights while viewing the decisions made by their subordinate. In addition, collaborative certification workflows involving representatives from both business lines and IT can also be launched for improved accountability and remediation.

Improved Diagnostics

Oracle Identity Governance introduces a new operational console in Oracle Enterprise Manager that gives administrators a complete view of all the defined OIG operations, out-of-the-box and customer-defined event handlers, child processes and workflow processes, their state and error information, without having to mine different server logs. This tool does not replace the larger IDM management pack in Enterprise Manager, which provides suite-wide monitoring capability, but serves as a useful diagnostic tool specifically for OIG.

Privileged Account Session Management

Recent front-page security breaches have emphasized the fact that access control and monitoring of privileged accounts is critical. In some cases, privileged account password management alone is not enough. The OPAM solution in the OIG suite additionally provides session management and auditing capabilities to address extreme use cases. By creating a single access point to the target resources, OPAM’s Oracle Privileged Session Manager (OPSM) helps administrators to control and monitor all the activities within a privileged session.

For more information on OPAM, read our blog here: New Session Management in OPAM

Tuesday Mar 18, 2014

What's New in PS2? Oracle Privileged Account Manager session management

As you saw in my previous blog there are a lot of new features in PS2 - and as we count down to our PS2 Webcast (April 10 @ 10:00 am PST - Register Here ) we will be posting a series of blogs detailing the new features.  In this blog, I have invited the PM team to talk about the new session management capability in OPAM.

11gR2 PS2 is an important release for OPAM where we made significant advances in many product areas. One such area is “Session Management”.

So, what is session management? In the past, privileged access management solutions focused on password vaults and providing secure access to the credentials stored in such vaults.

However, this approach raises certain questions:  

  • Can we prevent the end user from seeing the actual privileged account password?
  • How can we control how the end user utilizes the password?
  • Can we capture the actions performed by the end user for audit purposes?

Session Management support in OPAM addresses all of these questions by focusing on the following areas:

Session Initiation

  1. Users can initiate a session as a privileged account without knowing the actual account password.
  2. Instead, the user only needs to authenticate themselves, and access to the target is granted based on the grants they hold.
  3. Finally, since OPAM uses a gateway-based approach, the end user can connect using any protocol-compliant third-party client.


Thus privileged session initiation has been secured without impacting the established working practices of the end user. The end user is still free to use the tools they are familiar with (e.g. PuTTY, OpenSSH) and does not need to explicitly interact with OPAM for every checkout.

Session Control

  1. Sessions can be terminated based on usage policies (e.g. after 30 minutes).
  2. Sessions can be terminated by security personnel observing suspicious behavior.

Since the sessions occur via OPAM’s Session Management server, there’s a controlled single entry point for privileged access. Additionally, since all sessions occur within OPAM’s purview we are able to control what occurs within a session and terminate it as needed.

Session Recording

  1. Session activity is recorded and stored in an Oracle audit database.
  2. It is indexed and searchable.

All activity that occurs within a session is recorded, indexed and stored in the OPAM database. Therefore answering questions like who ran a certain command on the fileserver as admin between 9am and 10am on April 1st 2013 is trivial.
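The three areas above (initiation without the password, control by policy or by staff, searchable recording) as one small gateway model, an added example that is not OPAM code: the user authenticates to the gateway with their own login, the gateway checks their grants, uses the vaulted credential itself, records every relayed command, and answers the kind of audit question the paragraph above poses. Users, hosts, commands and times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Session:
    session_id: int
    user: str              # the person who authenticated to the gateway
    target: str            # e.g. "fileserver"
    account: str           # privileged account used on the target, e.g. "admin"
    started: datetime
    ended: "datetime | None" = None
    end_reason: "str | None" = None
    commands: list = field(default_factory=list)  # recorded (timestamp, command) pairs


class SessionGateway:
    """Single entry point for privileged access: authenticate, check grants, use the vault, enforce policy, record."""

    def __init__(self, vault, grants, users, max_duration=timedelta(minutes=30)):
        self._vault = vault      # (target, account) -> password; never handed to callers
        self._grants = grants    # user -> {(target, account), ...}
        self._users = users      # user -> gateway password (stand-in for the user's own login)
        self.max_duration = max_duration
        self.sessions, self._next_id = {}, 1

    def open_session(self, user, password, target, account, now):
        if self._users.get(user) != password:
            raise PermissionError("gateway authentication failed")
        if (target, account) not in self._grants.get(user, set()):
            raise PermissionError(f"{user} holds no grant for {account}@{target}")
        credential = self._vault[(target, account)]  # used only by the gateway's own connection to the target
        session = Session(self._next_id, user, target, account, now)
        self.sessions[session.session_id], self._next_id = session, self._next_id + 1
        return session.session_id  # the caller gets a handle, never `credential`

    def run(self, session_id, command, now):
        """Relay and record one command; returns False once policy or staff have closed the session."""
        session = self.sessions[session_id]
        if session.ended is None and now - session.started >= self.max_duration:
            session.ended, session.end_reason = now, "usage policy: maximum session duration reached"
        if session.ended is not None:
            return False
        session.commands.append((now, command))
        return True

    def terminate(self, session_id, now, by):
        """Security personnel observing suspicious behaviour cut the session short."""
        self.sessions[session_id].ended = now
        self.sessions[session_id].end_reason = f"terminated by {by}"

    def search(self, target=None, account=None, start=None, end=None, contains=None):
        """Audit query over the recordings: (user, timestamp, command), oldest first."""
        return sorted(((s.user, ts, cmd) for s in self.sessions.values()
                       if target in (None, s.target) and account in (None, s.account)
                       for ts, cmd in s.commands
                       if (start is None or ts >= start) and (end is None or ts < end)
                       and (contains is None or contains in cmd)), key=lambda hit: hit[1])


def denied(gateway, *args):
    try:
        gateway.open_session(*args)
        return False
    except PermissionError:
        return True


def demo():
    """Constructed scenario: who ran a command on the fileserver as admin between 9am and 10am on April 1st 2013?"""
    gw = SessionGateway(vault={("fileserver", "admin"): "vaulted-secret"},
                        grants={"bob": {("fileserver", "admin")}},
                        users={"bob": "bob-pw", "eve": "eve-pw"})
    t0 = datetime(2013, 4, 1, 9, 12)
    sid = gw.open_session("bob", "bob-pw", "fileserver", "admin", t0)
    gw.run(sid, "chmod 600 /srv/share/payroll.xlsx", t0 + timedelta(minutes=3))
    hits = gw.search(target="fileserver", account="admin", start=datetime(2013, 4, 1, 9),
                     end=datetime(2013, 4, 1, 10), contains="chmod")
    return {"hits": [(u, ts.isoformat(), c) for u, ts, c in hits],
            "eve_denied": denied(gw, "eve", "eve-pw", "fileserver", "admin", t0),
            "policy_closed": not gw.run(sid, "id", t0 + timedelta(minutes=31)),
            "end_reason": gw.sessions[sid].end_reason}
```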

In summary OPAM’s Privileged Session Management is an important addition to the existing password vault solution, adding personal accountability and extending audit capabilities. In 11gR2 PS2, we focused on SSH since there is a very large footprint of SSH enabled target systems. However, moving forward we’ll be adding both new protocols and additional functionality as part of our session management offering.

For further details see Oracle Privileged Account Manager - Whitepaper

Thursday Mar 13, 2014

Major Themes of the IDM 11gR2 PS2 Release

On April 10, Amit Jasuja and his Product Management team will be hosting a webcast to explain all of the newest features in the PS2 release. (Register Here for the Webcast)

The PS2 release has 3 major themes: Cloud, Mobile & Simplification.

Oracle continues to expand our management capability for cloud applications, and one of the new features in the PS2 release is the Cloud Access Portal.  The Cloud Access Portal provides a single console for managing access to cloud applications.  Single sign-on, form-fill technology and federation capabilities that run on a full-size browser, tablet or smartphone make this new portal a must-have for organizations using cloud apps (who isn't?).

For Mobile application security, the PS2 release brings the introduction of the Mobile Security Suite. See our new web page devoted specifically to mobile security.

Based on technology from the Bitzer Mobile acquisition, the Oracle Mobile Security Suite allows organizations to separate and manage apps and data on mobile devices.  Here's a link to the new data sheet

The final major theme is simplification.  Oracle IDM is a secure, feature rich, highly scalable platform for protecting applications of all architectures.  To make this platform easier to install, patch and upgrade, PS2 introduces an installation automation wizard.  This wizard can capture details of an existing install, and save those parameters which can be used to clone an entire environment.  Installation times are dramatically reduced, as are patching and upgrade tasks.

In addition to these three major themes PS2 also contains: improved OAuth support, strong authentication features, new Privileged Account management features, as well as customizations and UI improvements throughout.

To learn more about the PS2 release: Register for our April 10, 2014 webcast

Wednesday Mar 12, 2014

Save the Date: April 10, 2014 @ 10:00 am PST - IDM 11gR2 PS2 Webcast

Oracle has recently released Patchset 2 for the Oracle IDM 11gR2 platform.  PS2 contains some important updates for Cloud & Mobile applications, as well as significant new features.  Register now to join us on April 10, where you will hear Amit Jasuja, SVP for IDM and Java, talk about the focus of this release.  During this webcast, you will hear about:

  • Oracle's strategy for cloud application security - including a demo of the new Cloud Application Portal
  • New capabilities for full support of OAuth 2.0
  • Session recording and new management features for privileged account access
  • New features in the Mobile Security Suite - including a demo showing how business apps and data can be protected on a mobile device
  • New strong authentication functionality
  • All new automated installation wizard
  • Enhancements to Identity Governance

Register Now to Learn about the PS2 release: Webcast registration link


Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

