Layered Access Management Webcast - Q&A Followup

Thanks to everyone who joined us last week on our webcast with IOUG - “Layering Enterprise Security with Oracle Access Management”. Eric Leach, Director of Product Management for Oracle Access Management, did a great job explaining how Oracle Access Management products can layer on top of enterprise security and help organizations overcome the complexity of dealing with security threats in the cloud, mobile and application delivery ecosystems. Check out Eric's blog post detailing the top themes for the webcast. I have captured the responses to the questions that were asked during the webcast.

See us at Oracle OpenWorld 2011

Q: What product can I use to protect VIP patient data in healthcare establishments?

A: Oracle Adaptive Access Manager (OAAM) provides real-time risk analytics that can be leveraged for access monitoring purposes. In certain kinds of environments, such as healthcare establishments or HR systems, it may be possible to access privileged information, but it is also important to track who is accessing that information, when they accessed it, and for what reason. OAAM has the ability to detect access requests, track them, and determine whether or not they are anomalous. Oracle today offers a solution for healthcare providers which can help to detect and prevent that kind of access directly. So if you have VIP data, you can prevent frivolous or unauthorized access to such information.

Q: Where can I find the Aberdeen Report that Eric mentioned?

A: You can download the Aberdeen Report citing the findings on Platform vs. Point Solution Approach Study for Identity Management here.

Q: If Oracle Access Manager (OAM) authenticates me as MARIA on Active Directory and my application requires a username MHALLOM (on RACF), what's the best way to accomplish that?

A: You would use a combination of Oracle Access Manager and Oracle Enterprise Single Sign-On (ESSO) Suite. If OAM authenticates you against AD for the app and your RACF app requires credentials, you would then generally use an ESSO client to authenticate into that system. So if you have a mixture of web apps and mainframe apps, you would typically use a combination of OAM and ESSO to achieve SSO across those different environments. AD can be used as a directory repository for ESSO as well, so you can go ahead and use that as a repository for the RACF application.

Q: In which language are custom authentication modules for Oracle Access Manager (OAM) developed? It was in C in OAM 10g if I’m not mistaken.

A: Yes, that’s correct. Custom Auth modules were developed in C in OAM 10g. OAM 11g runs as a Java server in WebLogic, so you will build Java modules that plug in to the server.

Q: For high availability, do you have a seamless geographical failover solution in OAM, such as disaster recovery? The OAM documentation doesn't explain much on it nor provide options.

A: There are a number of different documents that can offer some guidance. There is an Enterprise Deployment guide, and there is an HA and DR guide that is being updated for the OAM 11g PS1 release. The basic guideline is to generally reuse the data replication methods that are already leveraged in your enterprise. If you want to create more custom DR failover scenarios, stay tuned to the Oracle Access Manager product page on OTN; we will be putting up more specific documentation on that.

Q: Shall we contextualize Oracle Security Token Service (OSTS) to the service layer (e.g. business process) in a de-coupled way using OAM?

A: You could set STS up as a service that can be used with or without OAM to leverage some of those business flows. You could be trying to use STS to enable an identity propagation event that is based on an authenticated user and you may want to attach a specific set of security requirements based on a downstream web service that the user is trying to access. In that case when you are trying to access the downstream web service there are a certain set of policies that the STS can encapsulate that allows you to do that based on the requirements of the service.

Q: Can I plug in an alternate authentication mechanism besides challenge questions to secure the self service password management flows?

A: The Oracle Access Management Suite, through OAAM, provides the One-Time Password solution. So you can extend a password reset flow to include an out-of-band challenge sent over SMS to the user’s mobile device. You can layer services that way to get those advanced capabilities.
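The out-of-band challenge described in this answer, sketched as an added Python example that is not Oracle OAAM code: the server issues a short-lived one-time code, stores only a keyed hash of it, delivers it through a stubbed `send_sms()` (an assumed transport hook), and accepts it exactly once, within its lifetime, after a bounded number of wrong guesses. The in-memory stores, the server secret, the phone numbers and the limits are constructed values for the demo.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # code lifetime (assumed value)
MAX_ATTEMPTS = 3        # wrong guesses before the challenge is discarded

# Constructed in-memory state for the demo; a deployment would persist this.
_pending = {}           # user_id -> {"digest": str, "expires": float, "attempts": int}
_sent_messages = []     # captured (phone, text) pairs in place of a real SMS gateway
_server_secret = b"constructed-demo-secret-not-for-production"


def send_sms(phone, text):
    """Assumed transport hook: records the message instead of sending it."""
    _sent_messages.append((phone, text))


def _digest(user_id, code):
    # Keyed hash bound to the user, so a leaked store does not expose live codes
    # and a code issued for one user cannot be replayed for another.
    return hmac.new(_server_secret, f"{user_id}:{code}".encode(), hashlib.sha256).hexdigest()


def issue_otp(user_id, phone, now=None):
    """Start an out-of-band challenge: generate, hash, store and deliver the code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending[user_id] = {"digest": _digest(user_id, code),
                         "expires": now + OTP_TTL_SECONDS,
                         "attempts": 0}
    send_sms(phone, f"Your password reset code is {code}")


def verify_otp(user_id, code, now=None):
    """Return 'ok', 'wrong', 'expired', 'locked' or 'no_challenge'."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return "no_challenge"
    if now > entry["expires"]:
        del _pending[user_id]
        return "expired"
    if hmac.compare_digest(entry["digest"], _digest(user_id, code)):
        del _pending[user_id]          # single use: a correct code is consumed
        return "ok"
    entry["attempts"] += 1
    if entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[user_id]          # too many guesses: force a fresh challenge
        return "locked"
    return "wrong"


def last_code_sent():
    """Demo helper: read the code back out of the captured SMS text."""
    return _sent_messages[-1][1].split()[-1]


def demo():
    issue_otp("maria", "+1-555-0100", now=1000.0)
    code = last_code_sent()
    wrong = "000000" if code != "000000" else "000001"
    return [verify_otp("maria", wrong, now=1001.0),   # one wrong guess
            verify_otp("maria", code, now=1002.0),    # correct, consumed
            verify_otp("maria", code, now=1003.0)]    # replay rejected
```

The `now` parameter exists only so expiry can be exercised deterministically; production code would read the clock. Keeping the attempt counter on the server side of the challenge, rather than trusting anything the client sends back, is what makes the six-digit code safe against guessing.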

Q: How can I be assured that access to SAAS apps is revoked upon an employee leaving the company?

A: When you are managing access to SaaS or third-party apps, you can have Oracle ESSO manage random and very complex passwords that the user doesn’t know about or doesn’t see. So when the user is terminated and de-provisioned, instead of having to go out and terminate access on the SaaS side, you can more or less ensure they can’t access the SaaS app, as they don’t know the password and they cannot reset it. So you can secure that flow a lot more efficiently than otherwise.

Q: How do the Oracle Identity Manager (OIM) challenge questions differ from Knowledge-based Authentication (KBA) challenge questions?

A: The primary value of the Knowledge-based Authentication that OAAM provides is increased usability. You can account for and tolerate abbreviations, typos and misspellings. That is called Answer Logic: fuzzy logic processing of answers as they are input. On the questions side, the number and type of questions that get generated can be controlled by both systems. But in general, the OAAM component provides sophistication and control around when to show questions, how many to show, how to pull them out of a pool of questions, etc. So it can avoid some of the common vulnerabilities in password reset associated with brute force attacks; OAAM has capabilities for mitigating that.
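An added illustration, not OAAM's Answer Logic implementation, of the points in this answer: answers are normalized and compared with an edit-distance tolerance so a misspelling such as `Springfeild` still passes, questions are drawn from a registered pool rather than all shown at once, and the flow locks after repeated failures so the tolerance cannot be turned into an unbounded guessing oracle. The question pool, the thresholds and the `seed` parameter are constructed sample values.

```python
import random
import re
import unicodedata

MAX_FAILURES = 3             # failed challenges before lockout (assumed value)
QUESTIONS_PER_CHALLENGE = 2  # questions drawn from the pool per attempt
TYPO_TOLERANCE = 0.2         # allowed edit distance as a fraction of answer length


def normalize(text):
    """Case, accent, punctuation and article insensitive form of an answer."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]", "", text.lower())
    words = [w for w in text.split() if w not in {"the", "a", "an"}]
    return " ".join(words)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) with a one-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def answers_match(given, expected):
    """Accept the answer if it is identical after normalization or within a
    small edit distance of the registered answer (typo tolerance)."""
    g, e = normalize(given), normalize(expected)
    if not e:
        return False
    if g == e:
        return True
    return levenshtein(g, e) <= max(1, int(len(e) * TYPO_TOLERANCE))


class KBAChallenge:
    """Draws questions from a registered pool and tracks failures so that the
    fuzzy matching cannot be abused for unlimited guessing."""

    def __init__(self, pool, seed=None):
        self.pool = pool            # question -> registered answer (constructed data)
        self.rng = random.Random(seed)
        self.asked = None
        self.failures = 0
        self.locked = False

    def select_questions(self):
        """Pick which questions to show this time; the pool is never exposed whole."""
        self.asked = self.rng.sample(list(self.pool), QUESTIONS_PER_CHALLENGE)
        return self.asked

    def verify(self, responses):
        """Return 'ok', 'wrong', 'locked' or 'no_challenge'.
        All asked questions must be answered acceptably: no partial credit, so
        a caller cannot confirm answers one question at a time."""
        if self.locked:
            return "locked"
        if self.asked is None:
            return "no_challenge"
        if all(q in responses and answers_match(responses[q], self.pool[q]) for q in self.asked):
            self.failures = 0
            self.asked = None       # a fresh challenge must be issued next time
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "wrong"
```

The tolerance scales with the answer length so a one-character slip in a long answer is accepted while a short answer still needs to be nearly exact; the lockout counter is what keeps that leniency from lowering the effective entropy of the challenge.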


