Wednesday Mar 21, 2012

Webcast Q&A: Demystifying External Authorization

Thanks to everyone who joined us on our webcast with SANS Institute on "Demystifying External Authorization". Also a special thanks to Tanya Baccam from SANS for sharing her experiences reviewing Oracle Entitlements Server. If you missed the webcast, you can catch a replay of the webcast here.

 Here is a compilation of the slides that were used on today's webcast. 

We have captured the Q&A from the webcast for those who couldn't attend.

Q: Is Oracle ADF integrated with Oracle Entitlements Server (OES)?

A: In Oracle Fusion Middleware 11g and later, Oracle ADF, Oracle WebCenter, Oracle SOA Suite and other middleware products are all built on Oracle Platform Security Services (OPSS). OPSS provides many security functions like authentication, audit, credential stores, token validation, etc. OES is the authorization solution underlying OPSS. And OES 11g unifies different authorization mechanisms including Java2/ABAC/RBAC.

Q: Which portal frameworks support the use of OES policies for portal entitlement decisions?

A: Many portals including Oracle WebCenter 11g run natively on top of OES. The authorization engine in WebCenter is OES. Besides, OES offers out of the box integration with Microsoft SharePoint. So SharePoint sites, sub sites, web parts, navigation items, document access can all be secured with OES. Several other portals have also been secured with OES, e.g. IBM WebSphere Portal.

Q: How do we enforce Separation of Duties (SoD) rules using OES (also how does that integrate with a product like OIA)?

A:  A product like OIM or OIA can be used to set up and govern SoD policies. OES enforces these policies at run time. Role mapping policies in OES can assign roles dynamically to users under certain conditions. So this makes it simple to enforce SoD policies inside an application at runtime.

Q: Our web application has objects like buttons, text fields, drop down lists etc. Is there any "autodiscovery" capability that allows me to use/see those web page objects so you can start building policies over those objects? Or how does it work?

A: There are a few different options with OES. When you build an app, and make authorization calls with the app in the test environment, you can put OES in discovery mode and have OES register those authorization calls and decisions. Instead of doing this after the fact, an application like Oracle iFlex has built-in UI controls where when the app is running, a script can intercept authorization calls and migrate those over to OES. And in Oracle ADF, a lot of resources are protected so pages, task flows and other resources can be registered without OES knowing about them.

Q: Does current Oracle Fusion application use OES ? The documentation does not seem to indicate it.

A:  The current version of Fusion Apps is using a preview version of OES. Soon it will be replaced with OES 11g. 

Q: Can OES secure mobile apps?

A: Absolutely. Nowadays users are bringing their own devices such as a smartphone or tablet to work. With the Oracle IDM platform, we can tie identity context into the access management stack. With OES we can make use of context to enforce authorization for users accessing apps from mobile devices. For example: we can take into account different elements like authentication scheme, location, device type etc. and tie all that information into an authorization decision.
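The two runtime behaviours described in the answers above (role mapping that assigns roles only under certain conditions to enforce SoD, and decisions that weigh authentication scheme, location and device type) can be sketched as a small generic decision point. This is an added illustration, not OES policy syntax or API and not material from the webcast; the role names, groups, attribute names and rules are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    user: str
    groups: set
    action: str
    resource: dict                      # e.g. {"type": "payment", "created_by": "bob"}
    context: dict = field(default_factory=dict)  # auth_scheme, location, device_type

# Constructed permission table: which role may perform which action.
PERMISSIONS = {("PaymentCreator", "create"), ("PaymentApprover", "approve")}

def map_roles(req):
    """Role mapping: roles are computed per request, not stored on the user."""
    roles = set()
    if "finance" in req.groups:
        roles.add("PaymentCreator")
        # SoD condition: the creator of a payment never gets the approver role for it.
        if req.resource.get("created_by") != req.user:
            roles.add("PaymentApprover")
    return roles

def context_ok(req):
    """Mobile sessions need strong authentication and an allowed location."""
    ctx = req.context
    if ctx.get("device_type") == "mobile":
        return ctx.get("auth_scheme") == "mfa" and ctx.get("location") in {"office", "vpn"}
    return ctx.get("auth_scheme") in {"password", "mfa"}

def decide(req):
    """Return (decision, reason). Default deny: a missing attribute never permits."""
    roles = map_roles(req)
    if not any((role, req.action) in PERMISSIONS for role in roles):
        return "Deny", "no role grants this action"
    if not context_ok(req):
        return "Deny", "context does not satisfy policy"
    return "Permit", "role and context satisfied"

if __name__ == "__main__":
    desk = {"device_type": "desktop", "auth_scheme": "password", "location": "office"}
    phone = {"device_type": "mobile", "auth_scheme": "password", "location": "cafe"}
    for creator, ctx in (("bob", desk), ("alice", desk), ("bob", phone)):
        req = Request("alice", {"finance"}, "approve",
                      {"type": "payment", "created_by": creator}, ctx)
        print(creator, ctx["device_type"], decide(req))
```
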

Q:  Does Oracle Entitlements Server (OES) have an ESAPI implementation?

A: OES is an authorization solution. ESAPI/OWASP is something we include in our platform security solution for all Oracle products, not specifically in OES.

Q:  ESAPI has an authorization API. Can I use that API to access OES?

A:  If the API supports an interface / sspi model that can be configured to invoke an external authz system through some mechanism then yes

Tuesday Feb 28, 2012

RSA 2012: Oracle at the XACML Interop Showcase

The RSA conference is now in full gear. One of the highlights of the conference this year has been the XACML Interop Showcase. The OASIS group is leading a vendor interoperability showcase on the RSA exhibition floor (Booth #129). Check out the highlights of the XACML interop from this press release published by OASIS this week. 

An XACML-based, attribute-based access control model does for authorization what Single Sign-On did for authentication several years ago. XACML 3 is the latest revision of this standard that enables extremely flexible policy based expressions for fine grained access control. Oracle has been spearheading XACML definition efforts since its inception. Oracle is currently the co-chair and editor of the XACML TC. When it comes to innovating industry standards, at Oracle we have been pushing hard to make sure that there are clearly defined standards. Come by the OASIS booth (#129) and check out the Oracle XACML demos. Oracle experts are available at the booth to answer questions.

Oracle Entitlements Server (OES) is the most mature and the most open external authorization solution in the industry today thanks to a consistent strategy of innovation, contribution and implementation of open standards. Kuppinger Cole recently released a paper describing how organizations can "future proof" their enterprise security with Oracle Entitlements Server.  By taking a declarative security approach, security policy can be flexible and distributed across multiple applications consistently with OES. You can get a copy of the report here.

And that’s not all. At the Oracle booth we have a number of cool identity management and security demos going on. Stop by the Oracle booth (#2425) and talk to our solution experts.  At the Oracle booth, you can enter to win a cool Oracle racing jacket.

To learn more about Oracle Entitlements Server and its XACML support, register for this upcoming OES product review webcast from SANS.

Wednesday Feb 15, 2012

SANS Webcast: Oracle Entitlement Server Product Review

Addressing modern enterprise security challenges such as insider threats, changing regulatory mandates, and fragmented application security, requires granular control of authorization and flexibility to change policies. External Authorization solutions address these challenges by decoupling authorization policy administration from application development. There are a plethora of such solutions in the market today but choosing the right or wrong solution can mean the difference between simplicity vs. complexity, between money saved vs. money spent, and between flexibility vs. rigidity. Join SANS and Oracle for a live webcast on Mar 21 for a product review of Oracle Entitlements Server.

In this webcast, SANS instructor Tanya Baccam will highlight critical capabilities and best practices that organizations should bear in mind when evaluating and deploying external authorization solutions. This webcast will also feature Roger Wigenstam, Director of Product Management at Oracle. As an added bonus, participants who register for the webcast will receive a copy of the Product Review whitepaper that Tanya is putting together on the same topic.

Register here for this webcast.

Wednesday Jan 18, 2012

XACML Standards Showcase at RSA Conference 2012

External Authorization does for authorization what Single Sign-On solutions did for authentication many years ago. Externalizing authorization policies from applications not only centralizes authorization policy enforcement but also standardizes how authorization policies are written and enforced by applications. Just like SQL standardized the query language for databases, XACML or eXtensible Access Control Markup Language standardizes attribute based access control policies for applications. XACML 3 is the latest revision of this standard that facilitates extremely flexible expressions for access control. 

Oracle Entitlements Server is our external authorization solution that supports a broad range of authorization standards giving our customers plenty of choices and flexibility for deployment.  Kuppinger Cole recently released a paper describing how organizations can "future proof" their enterprise security by deploying Oracle Entitlements Server.  By taking a declarative security approach, security policy can be flexible and distributed across multiple applications consistently. You can get a copy of the report here.

At this year's RSA Conference, the OASIS group will be organizing an interop showcase for XACML 3. Members of OASIS including Oracle will be on hand to showcase the features of the XACML Intellectual Property Control Profile. Stop by Booth #129 at RSA to learn all about the latest in XACML.

