Wednesday Apr 30, 2014

Identity Enabling Mobile Security - by Suresh Sridharan

Smart Connected Device Growth: The growth of smartphones and tablet devices has been phenomenal over the past 4 years. Global smartphone shipments have grown extensively from approximately 100m units in 2010 to 725m units in 2012, reaching 1b devices in January 2014. Simultaneously, tablet shipments have grown from 5m units in 2010 to approximately 125m units in 2012. Tablet numbers are likely to touch 400m units by 2017.

This explosion in the shipment of smart connected devices has also led to a significant change in users’ behavior and expectations.

In a corporate environment, the phenomenon of Bring Your Own Device (BYOD) is gaining momentum. Gartner predicts that 38% of all organizations will have an “all BYOD” policy by 2016, up from 6% today (2014). If the same device is being used for both personal and work purposes, users will expect the same experience across corporate and personal apps. Further, employees regularly use similar apps for both business and personal purposes examples include: WhatsApp, Skype and Facebook..

Mobile devices present benefits both for organizations and for individuals. Surveys show that a BYOD policy helps employee gain an extra 37 minutes of productive time every week. To increase sales productivity, some of our customers are mobile-enabling sales teams to ensure that they have access to the latest information when they meet with customers.

Security is one of the most significant mobile device challenges both for consumers and for enterprises. Although mobile-commerce is growing rapidly (to $25b in the US alone), 60% all retail transactions that get to the checkout stage are abandoned with security as one of the main causes, according to recent data.

As corporate data on the device co-mingles with user data on a personal device, it becomes challenging for enterprises to impose restrictions on the use of devices. About 40% of adults do not protect their smartphones with a passcode, with married adults that number goes up to 45%.
In order to address security challenges, IT should be able to define and enforce policies that meet security and privacy standards to protect intellectual property, other corporate assets and optionally, personal employee data.

There are three things to consider while implementing security in the new mobile age:

  1. Implement a strong identity management system that allows one to manage users and ensure that they are able to access information based on the principle of least privilege to carry out the necessary tasks.
  2. Implement an access management solution to secure data based on who is accessing it and the risk profile of that specific transaction.
  3. Implement a mobile security solution that will help secure data on the device and ensure corporate security policies are enforced on the device from which assets are being accessed.

In essence, organizations need to ensure that application data is secured based on the user accessing it and the device and location from which it is being secured. Securing the device and the user identity, in isolation, is not sufficient.

Wednesday Apr 23, 2014

Time Still Left to Register: Webcast on Transformation of the Perimeter

As enterprises increase their usage of mobile devices, there is a fundamental question of "Where is the perimeter moving to, and how best to secure?" Corporate data now spans outside into service provider frameworks accessible from mobile device platforms, partners and even customers, and the pressures to minimize the risk are greater than ever. There is no longer the ability to secure at just the firewall. This presentation will discuss some of the challenges that corporations are facing as they externalize this data for the mobile generation of employees, partners and customers, and what steps that can be implemented to help reduce the risk of expanding the corporate perimeter to the mobile device. 

There is still time left to register for this event:

Date: Thursday, April 24, 2014
Time: 10:00 AM PDT

Wednesday Apr 16, 2014

Management and Provisioning of Mobile Devices - Dave Smith

Today we will explore provisioning and device management. These weren’t always considered to be related topics, but in a bring-your-own-device (BYOD) world, there are new relationships to consider…!

 So what is a device…? In the context of the Internet of Things, it potentially refers to anything having an IP Address, such as an automobile, refrigerator, etc. In the context of mobile security, it refers to smartphones and tablets. The mobile device is the new channel to access corporate content, applications and systems, breaking free from the traditional model of using a desktop computer or laptop to access these assets.

 It should be no surprise that from the perspective of enterprise security, “device management” means controlling the device or better yet, controlling what corporate assets can be accessed from this device. In a BYOD world, employees bring their personal mobile devices into the workplace in order to more flexibly access corporate assets. The BYOD phenomena defines not only an architecture, but also a cultural shift and quite frankly, an expectation of users that their personal devices will continue to provide the experience they are accustomed to for other mobile apps. Device management, therefore, must be carefully deployed, since it has to not only provide easy and familiar access for employees’ devices, while at the same time, must do so without sacrificing corporate security by providing limitless access to corporate assets. While on the surface device management seems to be a device-centric approach, it actually needs to be user-centric.

 So what does provisioning mean to mobile devices? Provisioning means managing access. Often this is associated with managing access to application accounts – e.g. create, update, retrieve or delete of accounts or managing the privileges or entitlements granted through these accounts. However, when considering mobile devices and device management, provisioning must also refer to managing access from the user’s device to corporate assets (content, files/shares, applications, services). So, provisioning includes both digital (e.g. accounts and access) as well as physical access (e.g. enabling network access to corporate assets). Managing someone’s access by group or role (e.g. role-based access control, RBAC) is much more scalable and less brittle than managing access on an individual user-by-user basis.

 Provisioning access can be triggered by a number of factors. One is “birth right” access, based on a new hire event. Another is driven by requests for new access (e.g. similar to online shopping, but where the cart holds new entitlements). With the introduction of mobile devices, a third example describes managing the available catalog of mobile apps that a particular person can download to his/her device, ideally based upon his/her job and role within the company.

 Closely related to provisioning is de-provisioning, which is the removal of access. Historically, de-provisioning occurs when the person leaves the company or when they change jobs and no longer need access. In a BYOD world, de-provisioning must extend to the mobile apps running on the person’s enabled devices. Furthermore, given the fact that mobile devices can be more easily lost or stolen, mobile device management dictates that access has to be de-provisioned or blocked from the device, when the device itself has been compromised.

 In the next blog, we will take a look into the concept of “secure containers”, which are provisioned to the device as a key component to a successful BYOD strategy.

Monday Apr 14, 2014

Follow up Identity Management 11g R2 PS2

If you joined our webcast on Thursday, thanks for tuning in.  Below is a link to the on-demand webcast and we have captured the Q & A from the session in-line.

On demand  Webcast: Click Here

Question: For the customers in the process of moving to cloud and mobile space, is PS2 the right version (whether access or Identity) to be on? : Answer: Absolutely. Particularly for Access with full OAUTH2 support.

Question:Has Consumer and Customer identity requirments for Retail been met full user experience and Admin/provisioning, federated access and delegated admin implemented? any large retail account or case study for the implementation available for sharing? Answer: Yes, we have several retail customers who have implemented unified, enterprise wide identity management to help grow their business (via customer loyalty apps and programs) and streamline/secure their business with complete Identity Governance and life cycle management. Click here to see customer examples:

Question:any large AppStore implementation and Global roll out? Answer: For the Oracle Mobile Security Suite we have some very large Fortune 5 customers with global rollouts including oil & gas, retail and banking.

Question: Can you elaborate on how security concerns were addressed about the form fill technology? Answer:The form fill technology in the Access Portal Service is built on Oracle ESSO Infrastructure. It leverages the same ESSO repository to store credentials and application configuration. It is compatible with the same business logic flows that exist in native ESSO . It fully supports bi-directional crypto between Java and CAPI code. The asymmetric key supports RSA and translation of PK pairs to/from MS PK & Java. The symmetric key support includes AES256 and TripleDES (for compat/upgrade). It fully supports encryption/decryption for ESSO Credentials in Java (compatible with CAPI). The Hashing / MessageDigest supports SHA1 and SHA 256 that is compatible with Java and CAPI

Question:Question from my Tweet - Will the new Access mgmt platform support SAML, OAuth as the standard instead of ObSSO token? Answer:We already support SAML and have now introduced support as an OAuth 2.0 server in PS2 while ensuring that these technologies work seamlessly in conjunction with session management and secure single sign on using OAM 11g technology.

Question:How do we provision deprovision users for Cloud Apps? Answer:We will provide auto provisioning of applications by allowing association to applications directly from the OAM console. Today auto provisioning is only possible using the Enterprise Single Sign-On provisioning gateway.

Question:  Is the Blitzer application available as part of the Oracle Access Manager product? Answer: The Bitzer technology is available in the Oracle Mobile Security Suite

Question: Does OAP provides support for Legacy application (Thick client) (Mainframe apps)? Answer: Access Portal - at this time - is for web-based applications only

Question:Does Cloud Security Portal works with OAM 10G version? Answer: Access Portal is an OAM 11gR2 PS2 service

Question: how do you compare Oracle PS2 with REST APU based security appliance like layer 7 etc? Answer: The Oracle API Gateway (OAG) component provides REST API security in the same way. This is already available and is widely deployed by our customer base -- particularly for their consumer and mobile facing applications.

Question: What are licenses needed for Automated Suite Installation for IDM which was spoken about ? Answer: The automated installation requires only licenses for the software that you are installing. There's not a separate license for the automation.

Question: Do you have PII, PCI compliance patterns implemented for SaaS eCommerce Apps globally? Answer: May need more info to answer this - but if Oracle accepts credit cards for any of its service then obviously it will need to follow PCI etc. Here is a link to a paper on how we align with PCI controls with IDM

Question: Do you see a push in the federal marketplace to implement the Oracle soft token approach to security or is the marketplace still leveraging traditional 2 factor and mobile technologies are lagging behind? Answer: We see a push across all verticals to use the soft token approach 

Question: As OMSS and IDM Suite come separately (2 different product suites) , then how exactly these get wired to achieve SSO. How difficult it is to wire it? Answer: These suites are separate from a licensing perspective  but utilize the same underlying platform.

When We Are All A Heartbeat Away From Data-Loss

Unless you have been sleeping under a rock the last few weeks, one of the biggest items of news in security has been around a vulnerability that has been around since December 2011. The vulnerability CVE-2014-0160, is more widely known as the Heartbleed Bug and is only now making its reputation known after researchers discovered the widespread impact of this vulnerability on data privacy.

The vulnerability is in an older version of the OpenSSL encryption routines used for secure web sessions. For example, when you go to your favorite banking or web email site, and after logging in, you see a padlock in the lower right corner. This “closed” padlock symbolizes that SSL (Secure Socket Layers) has initiated and secured a connection between your browser and the service you are connecting with to ensure nobody can intercept or monitor your communications. This is critical when filing taxes online, or sending private emails on Yahoo, or using cloud based file sharing services over a browser connection.

Without diving into the full details of the way the exploit works, in the simplest terms, this vulnerability allows a remote attacker to simply make a network connection to any remote system, and pull small chunks of data that is left in memory from the SSL session. While this does not mean that an attacker can pick and choose files from your system, it does mean that the kinds of information commonly found in memory are passwords, session IDs, encryption private keys and more. All of this of course is very sensitive information.

The biggest challenge here is that many consumers and corporate users recycle passwords and user names. User names are often their email address, and passwords often are re-used again and again, across all of their web services and web properties they access. So the challenge here is if an attacker is so lucky to collect one password for the online flower website they just purchased flowers on, chances are, that attacker will attempt to use that same user ID and password against mainstream email, financial, retail and services portals associated with that same user. 

The impact of the Heartbleed bug is global. It is as far reaching as any bug, as it affects hundreds of millions of online user accounts. Many researchers are advising to give a few more days until you attempt to change all of your online passwords. Why not sooner? Changing passwords when your systems and the services you connect to are still at risk of being vulnerable, is a wasted effort. By the end of this week, most of the online service providers you use will have all of their systems patched, most browsers will be updated and patched, and most smartphones and tablets will be secured. At that point, it will be highly recommended to change passwords. The best course of advice, check with your service provider such as your online banking website, or whatever your online service provider is, for when they give the "all clear" to reset passwords.

So what are the lessons here? Regardless if you are a member of a major corporation, a non-profit, or you are heading up a family of 3, it is the same advice. As a consumer or corporate user, you must practice implementing a new mindset around a password policy for yourself. Passwords and User IDs must be unique for each service and account you access. Passwords must not be personally tied to you in the sense that you should not have family names, or dates that are tied to you or family members. Rotating and refreshing these every 30 to 90 days is critical. This is called compartmentalizing the risk. The practice is used here so that if a password is compromised, only that one service is at risk, such as your online flower website. What is safe is, your personal banking, your company’s VPN password, your secure email passwords and more, all because you have maintained them separate.

In the corporate world, this can be greatly simplified through the use of Single Sign-On technologies that dozens of unique account credentials that would be hard to remember, and place them under one strong user ID and password that the employee can focus on remembering. For consumers, there are best practices around consumer oriented tools that can accomplish the same goal to help pull passwords together, but buyer be warned. For every one “reputable” product here worthy of storing your most sensitive information, there are 10 others that you should stay away from, as some even are malicious in nature designed to steal information – so be careful.

There are numerous online resources to help you research if your website is vulnerable, as well as many more security research articles that detail additional for administrators looking to remediate their websites.

For more information on how Oracle can help address your organizations needs around account provisioning, Single Sign-on and more, visit us at

Thursday Apr 10, 2014

Securing The Identity of Everything

Securing the Identity of Everything

Along with tremendous economic change, the Internet of Things (IoT) will transform the way IT organizations think about security. Instead of focusing on securing the network perimeter, IT departments will have to secure the new perimeter: people, data and devices. The new point of control will be user access to devices, data and applications. Each device will have an identity on the network, and companies will face the challenge of device tracking, registration and fraud detection. In this session, Ranjan Jain will discuss his current effort to manage the "Identity of Everything" and share how organizations can unlock the potential of this approach. Register now.

Ranjan Jain, IT Architect for Enterprise Identity and Access Management, Cisco 

Naresh Persaud, Senior Director, Product Marketing and Market Development, Oracle

Wednesday Apr 09, 2014

Webcast: Announcing The Oracle Mobile Security Suite

Oracle IDM 11gR2 PS2: Cloud and Mobile Strategy Update Webcast

As cloud applications and personal mobile devices continue to drive new business models, new security challenges for IT teams are on the rise. Oracle recently announced the availability of its latest Oracle Identity Management 11gRelease 2 PS2—which is heavily focused on securing the extended enterprise. 

This live webcast will provide you with an overview of key themes in Oracle Identity Management 11g Release 2 PS2, and cover salient aspects of the release’s cloud and mobile security strategy. You’ll also see a demonstration of the new cloud access portal and mobile security suite. The Twitter feed #OracleIDMPS2 can be used for questions during the live Q&A session at the end of the presentation.

Attend this webcast to:

  • Hear about the latest updates in Oracle Identity Management 11g Release 2 PS2 including new, strong authentication and installation automation features
  • See how Oracle is taking an application-focused approach to mobile security
  • Learn how you can secure your cloud applications with enterprise identity management

Register now to attend this important webcast. Tweet your questions using hashtag #OracleIDMPS2

April 10, 2014 – 10:00 am PST

Copyright © 2013, Oracle and/or its affiliates. 
All rights reserved.

Wednesday Apr 02, 2014

Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements - by Matt Flynn

Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.

Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.

In the MDM model, employees relinquished control of their devices to their employer. Big brother knew what was installed, how the devices were used, what data was on the device, and MDM gave organizations full control to wipe device data at-will. As a result, many people chose to carry two devices; one for personal use and the other for work. As device manufacturers dramatically improved products every six months, people quickly began using personal devices as the primary communication mechanism and work devices as-needed to perform certain tasks. It also drove people to insecurely send work data to personal devices for convenience increasing the risk of data loss. For these reasons and with the upswing of BYOD, MDM has been relegated to playing a supporting role in Enterprise Mobile Security.

Mobile Application Management (MAM) has emerged as a better alternative to MDM in the world of BYOD. MAM solutions create a secure mechanism for employees to interact with corporate data and apps without infringing upon personal apps and data. With MAM, organizations can control application and data access, how data is used on mobile devices, and to enable new mobile access scenarios without compromising security. MAM embraces the BYOD movement and encourages employee mobility while also locking down data, reducing exposure, and responding more efficiently to compliance mandates about how data is used. But MAM isn’t the end of the story.

Mobile access isn’t much different than other types of access. It’s just another access point that should be part of an Enterprise Access Management approach. Securing access via mobile devices shouldn’t require an entirely separate technology silo, another set of management interfaces, and yet another point of integration for corporate Access Governance. Also, most MAM solutions fall short on a variety of use-cases. By rationalizing MAM into an enterprise Access Management approach, organizations gain extremely valuable capabilities that are otherwise unavailable in MAM solutions alone.

For example, MAM-type on-device virtual workspace approaches don’t work very well in B2C scenarios where apps are delivered via well-known public app stores. Nor do they make sense from a user experience perspective in those scenarios. Also, for advanced Access Management scenarios such as risk-based transaction authorization, integrating basic app security with back-end adaptive access solutions provides extremely compelling benefits. With apps looking to leverage modern protocols such as REST to access legacy system data, there are benefit from Access Management infrastructure such as API Gateways that provide those services. Providing support for these advanced scenarios in a solution that provides a single point of management, single infrastructure, and unified audit trail is where Mobile security is heading.

Next generation mobile security solutions will see MDM and MAM features integrated into more traditional and enterprise-centric Access Management solutions. This single platform approach simplifies management, reduces cost, and enables an improved user experience. But more importantly, incorporating the capabilities of a robust Access Management platform opens new avenues through which to do business and engage with customers, partners, and the extended community. Oracle has a focus on providing exactly this kind of integrated and consolidated approach to securing the mobile platform through securing the device, applications and the access with the Oracle Mobile Security Suite.

In our next post in this series, we’ll look at the various deployment phases through which cloud technologies are being adopted by increasingly mobile workforces starting with cloud-based file sharing services.

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.


« April 2014 »