Tuesday Sep 17, 2013

OOW 2013 Content: Securely Enabling Mobile Access for Business Transformation

Online communication has been transformed by the advent of effective mobile computing, and more organizations are providing employee and customer access to services via mobile devices.

Securely Enabling Mobile Access for Business Transformation [CON8896] will review the security and usability concerns that are further compounded by bring your own device (BYOD) policies. In addition to speakers from Oracle, this session will also include presenters Arup Thomas (Verizon Wireless) and Abdullah Togay (Ministry of National Education).

Plan on attending this session on:

Tuesday, Sep 24, 12:00 PM - 1:00 PM - @ Moscone West - 2018

Wednesday Jun 12, 2013

Abandoning our "Last Century" IAM Models by Paul Dhanjal (Simeio Solutions)

In our previous blog, we looked at the business drivers behind the growth of cloud-based Identity and Access Management (IAM). These drivers, combined with cultural and technology trends, have made cloud-based IAM more attractive – and, frankly, more necessary – than ever.

Now that business has evolved to offer more and more interconnected and interdependent services to a wider range of users, the old models we had relied on to manage identities no longer apply. Our old identity management and security models designed for internal users simply can’t keep up with the rapidly evolving landscape. The forces that are shaping this new reality are so powerful, their momentum so great, that they now dictate the terms of how identity must be managed within an organization. The balance of power has shifted away from the IT organization and into the hands of end-users. If you are to meet their expectations, if you hope to compete and remain relevant, you must make the transition from build-your-own IAM to out-of-the-box IAM, from customization to configuration.

While there may be a big stick pushing us to make this transition, the carrots are equally compelling: lower costs, faster time to market, enhanced security, greater flexibility and, perhaps most important, the freedom to focus on the value and quality of the services you provide instead of how they’re provided.

There may be no better example of this than bring-your-own-device (BYOD). For years, IT laid down the law to prevent it. Now, fueled by the consumerization of mobile devices and tablets, BYOD has become the rule rather than the exception. It was inevitable. BYOD not only reduces strain on the organization to purchase and support such devices, it also increases employee satisfaction and productivity.

But, of course, the concerns behind the original reticence to allow BYOD remain. In fact, those concerns are magnified now that we’ve moved from uniform desktops tethered to the office to diverse mobile devices that can literally be taken – and lost – anywhere in the world.

Here’s where out-of-the-box solutions such as Oracle Access Management Suite come to the rescue. They’re designed to enable centralized policy management for securing access to services via mobile applications, going beyond web single sign-on, authentication and authorization. Such solutions are designed from the ground up to handle the added complexity of password management and security in a mobile world, including strong authentication, real-time behavioral profiling, and device fingerprinting. Adaptive products such as those from Oracle provide a multi-faceted approach to mitigate breaches into mobile and Web Applications, all while tying into a closed loop audit process with powerful reporting and notification engines.

Another example is the growing need to manage external identities – those of partners or customers. It may be tempting to use existing capabilities designed for internal identities for this. After all, the same basic services are involved, including handling access requests, granting access, and password management. But the differences are simply too great. There are different business needs, different security concerns, different compliance requirements, even different licensing issues.

Here, too, the new cloud-based IAM models offer us a solution. Their multi-tenancy capabilities mean a single instance of software can serve multiple constituencies discretely by virtually partitioning the management of identities based on any criteria or business need.

As they say on those late night infomercials, that’s not all. The cloud model and its converging standards open the door to entirely new ways of dealing with external identities. For example, products such as Oracle Access Manager allow users to register for a site's services using their social login IDs as an authentication mechanism (using OAuth and OpenID standards). This gets the organization out of the business of managing these external identities altogether, delegating password management, user profile, account settings, etc. to a third party – Google or Facebook, for example. 

If you’re not willing to delegate these tasks, you can still leverage external identities during registration by pulling the user’s basic identity information from a trusted third-party identity provider (IDP). This approach marries the old with the new, maintaining a security perimeter for user access by ensuring audit and closed-loop certification processes are still in place, while reducing the burden on the user who no longer has to provide basic information in order to register.

Delegation is a recurring theme in new IAM models. Cloud-based IAM, for example, makes it easy to push out user administration, certification and operational request management to individual lines of business. This in turn enables you to downsize centralized call support by using delegated authorities within those business units – managers who are closer (both conceptually and physically) to the users who require access. This is done via strong workflow management, which ties into a well-governed and managed role service as well as enterprise roles and processes for mover/joiner/leaver scenarios.

Case in point: the HR systems the US government uses to provision all roles (for resources and entitlements). Users request access directly from their managers. End-dates are used to enforce de-provisioning of all granted access, even during termination. The result is end-to-end lifecycle management with delegated administration, while ensuring compliance with a centralized audit process.

In our next post, we’ll explore what identity looks like in a secure, connected world and what that means for your business.

Thursday May 16, 2013

Congrats to Virgin Media: Best IAM Project Award

We extend our congratulations to the team at Virgin Media for winning the award for best Identity and Access Management project at the European Identity Conference in Munich this week. Excerpt below from the European Identity Conference.

In the category “Best Identity and Access Management Project”, the award goes to Virgin Media for the implementation of highly polished access control mechanisms with IAM technologies for the WiFi network of the London Underground metro system. This project went live for the 2012 Summer Olympics and had to meet very demanding requirements for high performance user authentication.

You can learn more about the Virgin Media story by viewing this on demand webcast here.

Thursday May 02, 2013

European Identity Conference

This year's European Identity Conference is devoted to cloud, mobile and social. This promises to be an exciting event this year. Here is a link to the conference.  You will not want to miss Peter Boyle and Mike Neuenschwander. Peter's keynote is on Thursday May 16th. Peter Boyle is Head of Identity Services for BT. Below is an abstract for his talk.

If Your Customers Don't Feel Safe, They Will Leave You

More than 559 million adults have been victims of cyber-crime - that's more than the population of the European Union. More businesses are trying to connect with customers on social and mobile, but 15% of social networking users have had accounts infiltrated and 21% have fallen prey to mobile or social attacks. Only one incident can cause a customer to shift brands. If you are trying to find new paths to market online, don't miss this session. Securing the customer experience should be the top priority for any business initiative involving cloud, mobile and social. Faced with the need to secure a growing hosting business with more than 10,000 customers accessing services on-line, British Telecom Identity enabled their applications to secure their customer data and transactions. In this session, Peter Boyle, Head of Identity Services for BT, will discuss how to keep your customer safe, loyal to your brand and keep them coming back for more.

Mike Neuenschwander will speak in the following sessions:

  • May 14th 2:00 pm: The Future of IAM
  • May 15th 10:30 am: Next Generation Cloud and Mobile Identity Management
  • May 15th 2:00 pm: The Future of IAM: "Do not kill IAM, improve and extend it"
  • May 16th 2pm: Life Management Platforms, Personal Data, Private Cloud

Tuesday Mar 19, 2013

Identity Management Down Under at Victoria University

Educational institutions have a dynamic ecosystem with students, teachers and operational administration requiring significant IT and helpdesk resource investment. Victoria University in Melbourne, Australia embarked on an identity management project to automate and streamline access and authorization to the University’s systems for over 55,000 students and 3000 staff.

Check out the following video to see how the University simplified the sign-on process for students, empowered them with self-service and, in the process, eliminated helpdesk overhead.

Monday Feb 25, 2013

You Are Invited: Trizetto Discusses HIPAA This Thursday

Learn How Oracle Identity Management Can Lower Compliance Costs and Reduce Audit Exposure

Securing patient information means controlling user access to data and applications. Unfortunately, without automation, access controls can quickly erode. And the cost of maintaining user access can be expensive—in some organizations, compliance costs are consuming up to 40% of their IT budget.

As Trizetto embarked on a project to streamline HIPAA compliance, Oracle Identity Management provided a foundation for streamlining the audit process and reducing the cost of manual controls.

Join This Important Security Webcast

You’ll hear Darrel Carson, Trizetto Program Manager for Identity and Access, discuss how Trizetto took a platform approach to identity management as part of a long-term plan to streamline HIPAA compliance and secure user access.

You’ll learn how to:

  • Automate rigorous and intrusive government controls
  • Provide faster results with automated remediation
  • Streamline access management through service desks
  • Create a foundation for scale using a platform approach to identity management

Oracle Identity Management helped Trizetto reduce the password footprint and service desk costs while improving the end user experience. Join us and find out how.

Register now for this Webcast, “Trizetto Achieves HIPAA Compliance with Identity Management.”

Join us for this Webcast, Trizetto Achieves HIPAA Compliance with Identity Management.

Thurs., February 28, 2013
10 a.m. PT / 1 p.m. ET

Presented by:

  • Darrel Carson, Program Manager for Identity and Access, Trizetto
  • Naresh Persaud, Director Product Marketing, Oracle

Thursday Jan 10, 2013

Partner Blog Series: Deloitte Talks Part 2: BYOD - An Emerging Technology Concept

There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.

Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware, and they will likely only intensify as the number of mobile devices and operating systems proliferates. Another option is that the employer can provide employees with a mobile device, hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the pros and cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.


Bring Your Own

Pros:

  • Device and connectivity costs incurred by employee
  • Addresses increased demand of employees to connect personal devices to corporate networks

Cons:

  • Limited device oversight and control
  • Increased challenges with enforcing legal and regulatory requirements
  • Device and data ownership questions

Corporate Provided

Pros:

  • Tighter device oversight and control
  • Streamlining devices, platforms and OSes simplifies IT support
  • Service fees negotiated with service providers; increased purchasing power

Cons:

  • Cost of providing devices
  • High employee demand for broader diversity in devices can lead to lower satisfaction and adoption
  • May require potential increase in IT support staffing and skill set requirements
  • Privacy considerations with monitoring of employee usage and activity, etc.

As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.

Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:

When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine whether the primary objectives of its BYOD program, from a mobile security perspective, are device-centric, data-centric, or a combination of both.

Device Centric

  • Mobile device management (MDM)
  • Strict device policy enforcement
  • Local data encryption

Data Centric

  • Minimal device data footprint
  • Communications encryption


A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:

  • MDM software secures, monitors, manages and supports corporate-owned and employee-owned mobile devices deployed across an enterprise
  • Policy enforcement supports permissible/non-permissible devices, considers factors such as who can connect to the network (user types, etc.)

A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:

  • Minimizing local data storage on the device reduces the risk associated with device loss or theft
  • Securing the transmission of the data from the mobile device to internal/external servers, applications, or other devices is critical
  • Virtualization is an important technology/solution to consider in a data centric approach: virtual desktops accessible from the mobile device or data stored in virtual/cloud environments are critical elements to evaluate
  • Accessing corporate data from mobile devices introduces the need for data integrity controls

For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.

About the Writer:

Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2013 Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited

Monday Oct 22, 2012

Free SANS Mobility Policy Survey Webcast - October 23rd @10:00 am PST

Join us for a free webcast tomorrow, October 23 @ 10:00 am PST as SANS presents the findings from their mobility policy survey.

-- Register here for Part 1: https://www.sans.org/webcasts/byod-security-lists-policies-mobility-policy-management-survey-95429

This is a great opportunity to see where companies are with respect to mobile access policies and overall mobile application management.

This first part is entitled: BYOD Wish Lists and Policies.  Part 2 will be run on October 25th and is entitled: BYOD security practices.

-- Register here for Part 2: https://www.sans.org/webcasts/byod-security-practices-2-mobility-policy-management-survey-95434

Tuesday Aug 07, 2012

User Interface Changes in Oracle Identity Manager 11gR2

As part of the Oracle Identity Management 11gR2 launch, we were able to talk to some of the key people on the team that are really driving innovation.  Recently, I was able to catch up with Marc Boroditsky, VP of Product Management, and I asked him about the changes that the product team made to the access request user interfaces in the R2 release.

Our interview was captured as a short podcast.  Click here to listen.

Wednesday Mar 28, 2012

Derek Brink shares "Worst Practices in IT Security"

Derek Brink is Vice President and Research Fellow in IT Security for the Aberdeen Group.  He has established himself as an IT Security Expert having a long and impressive career with companies and organizations ranging from RSA, Sun, HP, the PKI Forum and the Central Intelligence Agency.  So shouldn't he be talking about "Best Practices in IT Security?"

In his latest blog he talks about the thought processes that drive the wrong behavior, and very cleverly shows how that incorrect thinking exposes weaknesses in our IT environments.

Check out his latest blog post titled: "The Screwtape CISO: Memo #1 (silos, stovepipes and point solutions)"

Hear Derek speak live during the Aberdeen event series 

Monday Mar 26, 2012

IOUG Webcast Series on Identity Management

Identity Management for Business Empowerment

Identity Management has gone from the realm of IT tools to being a business solution. Security and Identity Management offer confidence in doing secure and compliant business. But more than that, Identity Management today contributes to business growth with secure social, cloud, mobile and internal & external ecosystem enablement.

Cloud computing has heightened the interest in user access security; mobile computing brings access to information beyond the enterprise and a bring-your-own-device culture in-house; social media has added a new dimension to user identity; and increasing security compliance pressure has made organizations rethink their roles and entitlements strategy.

To discuss the industry trends, maturity and framework for security, compliance and business empowerment with identity management, Oracle is proud to collaborate with IOUG to launch a series of live webcasts. Covering a span of topics from identity platform to entitlements management, privilege access management and cloud, mobile and social security, these webcasts will provide direct access to subject matter experts and technology specialists. Hear first-hand about best practices, a pragmatic approach to security implementation, customer success stories and more.

Register today for the individual webcasts or the series.

And just a reminder that the conversation starts at COLLABORATE 12 in Las Vegas from April 22nd – 26th. In addition to our conference sessions, as an added value this year, we are offering a half-day deep dive session on Oracle Identity Management: Building a Security and Compliance Framework for Oracle Systems. The session is scheduled for Sunday, April 22nd from 9 am to 3 pm and will cover relevant topics such as:

• A Primer on Identity Management
• Security and Compliance with Oracle Identity Management
• Security for Oracle Applications, Fusion Applications
• Managing Identities in The Cloud and Mobile World
• Best Practices: Building an Identity Roadmap and Getting Started

To get a head start on your compliance and security program, pre-register for this session today.

Tuesday Feb 07, 2012

Oracle Named a Leader in both User Provisioning and Identity and Access Governance

Oracle Identity Management solutions were positioned in the Leaders quadrants in the two recently published Gartner Magic Quadrant reports. This post is the first in a multi-part blog series; over the course of the next few weeks, we will cover details on what we believe makes Oracle’s User Provisioning (Identity Administration) solution, Oracle Identity Manager, and our Identity and Access Governance solution, Oracle Identity Analytics, truly unique and industry leading.

Gartner published their first-ever Magic Quadrant for Identity and Access Governance and Oracle is a leader.

Source: Gartner Magic Quadrant for Identity and Access Management, Dec. 15, 2011. Doc ID#223606. Authors: Earl Perkins and Perry Carpenter. Page 3

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available by clicking on the note title. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Identity and Access Governance solutions offer business users identity analytics and reports to address governance, audit and compliance challenges. According to Gartner, leaders in Identity and Access Governance (IAG) are “composed of vendors that provide products with a good functional match to client requirements for establishing a governance system for access. These vendors have been successful in building an installed base and revenue stream within the IAG market, and have a relatively high viability rating (because of IAG revenue). Leaders also show evidence of superior vision and execution for anticipated requirements, as they relate to technology, methodology or means of delivery. Leaders typically have significant market share, strong revenue growth, and demonstrated early customer satisfaction with IAG capabilities and/or related service and support.”

Oracle Identity Analytics is an advanced Identity and Access Governance solution from Oracle offering rich analytics, prioritized risk scoring, business-friendly dashboards, and advanced compliance features that monitor, analyze, review, and govern user access to mitigate risk, build transparency and satisfy compliance mandates.

The key challenge we often hear organizations talk about is scaling the compliance processes. Performing access certifications across not a handful but 100s of applications requires not just an automated solution but a powerful (but business friendly) process engine solution powered by analytics to make sense of all the data. To make it a real world discussion rather than a theoretical one, join ING and Oracle on a live webcast:  Scaling Role Management and Access Certification to Thousands of Applications on Wednesday, April 11, 2012 10:00 AM PDT where ING discusses how they successfully tackled the scale challenge.

Close on its heels, Gartner also published its 2011 Magic Quadrant for User Provisioning and Oracle is a Leader.

Source: Gartner Magic Quadrant for User Administration/Provisioning, Dec. 22, 2011. ID# G00219354. Authors: Perry Carpenter and Earl Perkins. Page 4

Two things are clear from these reports. Organizations are looking at integrated, platform solutions to meet their audit and compliance needs. A platform approach is the only viable approach to close security and audit gaps, reduce TCO and derive the complete picture. And we believe that, with Oracle’s positioning in the Leaders quadrant for both User Provisioning and Identity and Access Governance, organizations are assured that they are getting not only the complete solution but also a best-in-class one, backed by a strategic vision and strong executive commitment. Seamless integration with Oracle Identity Manager 11g makes Oracle Identity Analytics 11g the industry's only access governance solution to offer an accurate closed-loop remediation solution with risk feedback calculated over a user’s lifecycle as actionable insight for certification reviews. To get customers’ perspectives on the implementation and results from the platform approach, we recommend you look at our monthly webcast series on the subject:

Customers Talk: Identity as a Platform.

If you are looking at user provisioning and/or compliance solutions, we suggest you start by downloading these analyst reports and our recently issued press release on the subject. For more information on Oracle’s platform approach to Identity Management and to learn more about our best-in-class Identity Management solutions, visit us at www.oracle.com/identity or contact us via our online communities: Facebook, Blog and Twitter.

You may also find the following resources helpful:

Ongoing Webcast Series: Customers Talks: Oracle Identity Management as a Platform

ISACA Webcast: Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics

Customer stories: Tackling Compliance Challenges with Oracle Identity Analytics

What’s New in Oracle Identity Manager 11g

Wednesday Jan 18, 2012

XACML Standards Showcase at RSA Conference 2012

External Authorization does for authorization what Single Sign-On solutions did for authentication many years ago. Externalizing authorization policies from applications not only centralizes authorization policy enforcement but also standardizes how authorization policies are written and enforced by applications. Just as SQL standardized the query language for databases, XACML, or eXtensible Access Control Markup Language, standardizes attribute-based access control policies for applications. XACML 3 is the latest revision of this standard that facilitates extremely flexible expressions for access control.

Oracle Entitlements Server is our external authorization solution that supports a broad range of authorization standards giving our customers plenty of choices and flexibility for deployment.  Kuppinger Cole recently released a paper describing how organizations can "future proof" their enterprise security by deploying Oracle Entitlements Server.  By taking a declarative security approach, security policy can be flexible and distributed across multiple applications consistently. You can get a copy of the report here.

At this year's RSA Conference, the OASIS group will be organizing an interop showcase for XACML 3. Members of OASIS including Oracle will be on hand to showcase the features of the XACML Intellectual Property Control Profile. Stop by Booth #129 at RSA to learn all about the latest in XACML.

Thursday Jan 12, 2012

Security Newsletter January Edition is Out Now

Security Inside Out Newsletter

The January edition of the very popular Security Inside Out Newsletter is now out. This edition puts the spotlight on Security in Healthcare. Whether it is patient privacy or complying with federal and industry regulations like HIPAA, Sarbanes Oxley (SOX), HITECH and more, security issues are top of mind for most healthcare organizations. Oracle's Security Inside Out approach offers comprehensive protection for your data, identity and applications. Check out the top feature in the newsletter to hear how some of your peer organizations are meeting their security, compliance and patient care goals with Oracle Security and Identity Management solutions.

If you attended our recent Enterprise Single Sign-On (ESSO) webcast, you already know that companies on average realize over 140% in return-on-investment (ROI) with the ESSO implementation. Organizations have been able to slash over 80% of password related calls to their helpdesk saving a tremendous amount in helpdesk overhead and improving user productivity. Get your hands on the ESSO Buyers Guide and don't miss this feature article in the newsletter that discusses recent customer success stories.

This edition is also your one-stop shop for getting your hands on the latest materials including a recently issued IDC Report on Data Security, Oracle whitepaper comparing Oracle and Novell Identity Management solutions, SANS product review report on Oracle Database Vault and more. Keep up to date on the latest Oracle Security news, upcoming events, webcasts and more by subscribing to the newsletter now.

Happy reading!

Tuesday Jan 10, 2012

Customers Talk: 5 Identity Platform Webcasts You Can’t Miss

2011 saw talk of Identity Management emerging from under the shadows of IT to serve the needs of the business. We predict 2012 will see a lot of attention paid to how Identity Management is enabling the business, transforming the way IT is leveraged to meet business objectives.

A common theme among their stories is that Identity Management is not a point solution. Identity Management is a platform of complementary solutions with a rationalized architecture that can be adopted separately but provide strong interoperability to reduce total cost of ownership. A recent study by Aberdeen noted that organizations who have taken a platform approach can save up to 48%.

Oracle is proud to launch a series of webcasts where we’ll explore the diverse challenges that organizations are facing, and you can hear real customers speak to their specific business objectives and how they leveraged the Identity as a Platform approach to tackle those. In this 5-webcast series, you will hear first-hand from your peers at SaskTel, Agilent, Cisco, ING and Toyota, and learn how leading organizations are rethinking Identity Management as a business versus an IT initiative. You will find that the challenges these customers were looking to solve were quite different from one another, yet there is a commonality in their approach to the solution.

To register for one or more of these webcasts and to know more, click here.

Build a Secure Cloud with Oracle Identity Management

Wednesday, January 25, 2012 10:00 AM PST

Presenters: Brian Baird, Chief Technology Officer Identity Management Center of Excellence, SaskTel and Marc Chanliau, Director Product Management, Oracle

Best Practices, Getting Started with an Identity Platform

Wednesday, February 15, 2012 10:00 AM PST

Presenters: Balganesh Krishnamurthy, Agilent and Naresh Persaud, Director, Product Marketing, Oracle

Cisco's Platform Approach to Identity Management

Wednesday, March 14, 2012 10:00 AM PDT

Presenters: Ranjan Jain, Domain Architect for Enterprise Identity, Cisco and Michael Neuenschwander, Sr. Director, Product Management, Oracle

Scaling Role Management and Access Certification to Thousands of Applications

Wednesday, April 11, 2012 10:00 AM PDT

Presenters: Mark Robison, Enterprise Architect, ING and Neil Gandhi, Principal Product Manager, Oracle

Putting Customers First: Identity Platform as a Business Enabler

Wednesday, May 30, 2012 10:00 AM PDT

Presenters: Mike Colbus, National Technology Delivery Manager, Toyota and Marc Boroditsky, Vice President Product Management, Oracle

Register today and discover how Identity as a Platform can transform the way you do business.

Tuesday Nov 15, 2011

Limiting Audit Exposure and Managing Risk – Q&A and Follow-Up Conversation

Thanks to all who attended the live ISACA webcast on Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics. We were really fortunate to have Don Sparks from ISACA moderate the webcast featuring Stuart Lincoln, Vice President, IT P&L Client Services, BNP Paribas, North America and Neil Gandhi, Principal Product Manager, Oracle Identity Analytics. Stuart’s insights given the team’s role in providing IT for P&L Client Services and his tremendous experience in identity management and establishing sustainable compliance programs were true value-add at yesterday’s webcast.

And if you are a healthcare organization looking to solve your compliance and security challenges, we recommend you join us for a live webcast on Tuesday, November 29 at 10 am PT. The webcast will feature experts from Kaiser Permanente, PricewaterhouseCoopers and Oracle and the focus of the discussion will be around the compliance challenges a healthcare organization faces and best practices for tackling those. Here are the details:

Healthcare IT News Webcast: Managing Risk and Enforcing Compliance in Healthcare with Identity Analytics

Tuesday, November 29, 2011
10:00 a.m. PT / 1:00 p.m. ET

Register Today

The ISACA webcast replay is now available on-demand and the slides are also available for download. Since we didn’t have time to address all the questions we received during the live Q&A portion of the webcast, we have captured responses to the remaining questions here. Please continue to provide us your feedback and insights from your experience in deploying identity compliance solutions.

Q. Can you please clarify the mechanism utilized to populate the Identity Warehouse from each individual application's access management function / files?

A. Oracle Identity Analytics (OIA) supports direct imports from applications. Data collection is based on Extract, Transform and Load (ETL) that eliminates the need to write connectors to different applications. Oracle Identity Analytics’ import engine supports complex entitlement feeds saved as either text files or XML. The imports can be scheduled on a periodic basis or triggered as needed. If the applications are synchronized with a user provisioning solution like Oracle Identity Manager, Oracle Identity Analytics has a seamless integration to pull in data from Oracle Identity Manager.

Q.  Can you provide a short summary of the new features in your latest release of Oracle Identity Analytics?

A. Oracle recently announced availability of enhanced Oracle Identity Analytics. This release focused on easing the certification process by offering risk analytics driven certification, advanced certification screens, business centric views and significant improvement in performance including 3X faster data imports, 3X faster certification campaign generation and advanced auto-certification features that will allow organizations to improve user productivity by up to 80%. Closed-loop risk feedback and IT policy monitoring with Oracle Identity Manager, a leading user provisioning solution, allows for more accurate certification reviews. And OIA's improved performance enables customers to scale compliance initiatives supporting millions of user entitlements across thousands of applications, whether on premise or in the cloud, without compromising speed or integrity.

Q. Will ISACA grant a CPE credit for attending this ISACA-sponsored webinar today?

A. From ISACA: Hello and thank you for your interest in the 2011 ISACA Webinar Program!  Unfortunately, there are no CPEs offered for this program, archived or live.  We will be looking into the feasibility of offering them in the future. 

Q. Would you be able to use this to help manage licenses for software? That is to say - could it track software that is not used by a user, thus eliminating the software license?

A. OIA’s integration with Oracle Identity Manager, a leading user provisioning solution, allows organizations to detect ghost accounts or unused accounts via account reconciliation. Based on the company’s policies, this could trigger an automated workflow for account deletion or a request for further investigation. Closed-loop feedback between the two solutions would then allow visibility into the complete audit trail of when the account was detected, the action taken, by whom, when and the current status.

Q. We have quarterly attestations and .xls mechanisms are not working. Once the identity data is correlated in Identity Analytics, do you then automate access certification?

A. OIA’s identity warehouse analyzes and correlates identity data across various resources that allows OIA to determine a user’s risk profile, who the access review request should go to, along with all the relevant access details of the user. The access certification manager gets notification on what to review, when and the relevant data is presented in a business friendly screen. Based on the result of the access certification process, actions are triggered and results recorded and archived. Access review managers have visual risk indicators that also allow them to prioritize access certification tasks and efforts.

Q. How does Oracle Identity Analytics work with Cloud Security?

A. For enterprises looking to build their own cloud(s), Oracle offers a set of security services that cloud developers can leverage, including Oracle Identity Analytics. For enterprises looking to manage their compliance requirements without hosting those in-house, and instead having a hosting provider offer managed Identity Management services to the organization, Oracle Identity Analytics can be leveraged much the same way as you would in an on-premise (within the enterprise) environment. In fact, organizations today are leveraging Oracle Identity Analytics to manage identity compliance in both these ways.

Q. Would you recommend this as a cost effective solution for a smaller organization with @ 2,500 users?

A. The key return-on-investment (ROI) on Oracle Identity Analytics is derived from automating compliance processes thereby eliminating administrative overhead, minimizing errors, maintaining cost- and time-effective sustainable compliance processes and minimizing audit exposures and penalties.  Of course, there are other tangible benefits that are derived from an Oracle Identity Analytics implementation as outlined in the webcast. For a quantitative analysis of your requirements and potential ROI calculation, we recommend you refer to the Forrester Study on Total Economic Impact of Oracle Identity Analytics. For an in-person discussion, please email Richard Caldwell.

Thursday Nov 03, 2011

2011 Innovation Award Winners - Identity Management

The winners of 2011 Innovation Awards were announced last month during Oracle OpenWorld. The Award recognizes customers for achieving significant business value through innovative uses of Oracle Fusion Middleware. For Identity Management, that meant deriving and proving exceptional business value, delivering architecture innovation, solving unique challenges and driving industry leadership. With over 20 nominations this year, the panelists had a difficult task ahead of them. One thing was certain though: the winners would be great examples of exceptional use of cutting-edge Identity Management solutions.

This year's winners demonstrated new ways of leveraging cloud and social environments to enhance customer interaction and service levels as well as building business intelligence from IT data to empower business and support management decisions. We congratulate the winners of 2011 Innovation Awards for Identity Management:

ING North America Insurance

Looking to streamline the access certification processes for in-time compliance and manage the complexity of user identity administration, ING North America Insurance implemented Oracle Identity Analytics and Oracle Identity Manager. A combination of detailed planning, close collaboration with Oracle and its implementation partner, and the use of advanced industry solutions allowed ING to achieve its compliance and governance goals. In addition, with business friendly reports and actionable insight, ING's implementation empowered business and offered greater transparency. The team was also able to clearly define, measure and present success metrics to the business.

College Board

With over 50 identity stores and multiple point solutions including some custom technologies, the organization found integrating applications and extending the identity management platform to be complex, time-consuming, costly and unscalable. The approach also left security gaps. To tackle these inefficiencies and unnecessary overhead, College Board started with the implementation of Oracle Identity and Access Management Suite Plus. Not only was the organization looking to seamlessly replace the old, non-standard custom system with a centralized, integrated, standards-based platform, College Board was also looking to leverage social media with the enterprise environment. The innovative integration with Oracle Identity Manager and Oracle Identity Federation allows the organization to reach millions of potential users via social media and offer advanced services to the users using federated login. The use of Oracle Access Manager and Oracle Directory Services enable secure authentication services for College Board's users.


A subsidiary of Turk Telecom, TTNET serves over 6.5 million subscribers across Turkey, providing high technology broadband and other value-added services (VAS). TTNET's VAS are different web applications (each with their own authentication server and user repositories) and technologies coming from 10 different partners. Providing a seamless experience to the customer thus became a challenge. Lack of a common authentication platform also left security gaps. With the implementation of Oracle Identity and Access Management Suite Plus, TTNET launched its "Tek Sifre" (One Password) project VAS, providing its subscriber base unified single sign-on with secure and standard authentication and user administration in the background. Now, the customers can use secure single sign-on while the company leverages a standards based user access management and identity administration platform for identity management and compliance, SLA reporting.


Here is a great example of cloud-based Identity-as-a-Service implementation. The company wanted to enforce and streamline user access compliance and automate user provisioning but without having the burden to maintain the infrastructure in-house. So, leveraging Oracle Identity Manager and Oracle Identity Analytics technologies via Simeio Solution's DirectAXS offering, the company was able to achieve its compliance, security and user productivity goals. The implementation benefits included streamlined and automated user provisioning, complete with audit trails and efficient access certification with complete view of user privileges and advanced detection and remediation of ghost accounts.

For information on the winners of the Fusion Middleware Awards for 2011, visit:


Thursday Oct 27, 2011

Limiting Audit Exposure and Managing Risk: A BNP Paribas, North America Success Story

Audits are not something we typically look forward to, because audits mean we have to prepare for the exercise in addition to doing our daily jobs. Compliance mandates and company policies, however, have made access certification audits a necessary job function. In a large enterprise, that would mean reviewing access for thousands of users across hundreds of applications in a dynamic environment, i.e., where users change jobs, locations, move to and from projects, join or leave the company. The traditional spreadsheet model clearly can't work here. And even if you are somehow able to enforce access policies, how do you prove to your auditors the same? And hence, Audit Eye! If you haven't seen the video, you should check it out now.


BNP Paribas, North America took the access certification challenge head-on and triumphed. Are you looking at solving your complex access certification (attestation) challenges? Looking to make the access certification process simpler, quicker and more reliable? Then, we invite you to come listen to Stuart Lincoln's presentation on a live ISACA webcast on how BNP Paribas, North America implemented a well thought-out strategy and solution to make access certification review processes sustainable, convenient and streamlined, and audits a lot less painful. We look forward to a good conversation.

Live ISACA Webcast: Limiting Audit Exposure and Managing Risk with Metrics-Driven Identity Analytics
Thursday, November 10, 2011
9 a.m. PDT / 12 p.m. EDT
Register Here

Wednesday Sep 28, 2011

Mobile Security Tradeoffs: OOW Session

The rapid adoption of mobile computing and migration of fraud attacks to mobile devices is forcing enterprises, banks and e-commerce providers to rely on sophisticated fraud detection capabilities. Recently Gartner put out a research note which estimates that by year end 2013, 12.5% of all ecommerce transactions will be conducted via mobile devices. Gartner also says that “The evolution of fraud detection tools will play a part in turning mobile commerce into location- and context-aware commerce by increasing the confidence of businesses, financial institutions and end users”. In the latest release of Oracle Adaptive Access Manager (OAAM), we added several enhancements which deliver context-aware security for mobile computing which are on par with fraud detection capabilities that exist for traditional computing.

Oracle Adaptive Access Manager offers a layered security model that enhances the security of online transactions, including mobile transactions, with multiple different capabilities:

  • Device Identification & Location Awareness: Oracle Adaptive Access Manager (OAAM) delivers fingerprinting and geo-location for mobile devices to quickly detect and prevent new types of fraud or misuse. So let’s suppose John Doe always logs into his online banking application from his laptop or mobile device located in San Francisco. Now suppose there is a transaction to transfer thousands of dollars from John’s bank account and suppose this transaction is initiated from somewhere outside of North America from a device whose identity doesn’t match John’s PC or his mobile. OAAM flags this as an anomaly and can either block the transaction or challenge the user.
  • Predictive Risk Analytics: OAAM has always delivered sophisticated risk analytics which factor risk to detect if a transaction is anomalous or not. In the latest release, OAAM has added predictive risk analysis to complement its flexible rules engine and pattern based auto-learning capabilities. So organizations can rely on a combination of location, end point identity, historical behavior and context-awareness to guarantee higher identity assurance for access from mobile devices.
  • Answer Logic: This is a fuzzy logic based processing technique applied to challenge question responses and can increase the usability of a challenge answer flow by accepting variations of the valid answer. So if a fat-fingered user types in “Missus Smith” instead of “Misses Smith” as his mother’s maiden name, OAAM can automatically detect that this is a medium risk situation and allow the user to complete his transaction.

Join us on Tuesday Oct 4 at 10:15a in Moscone West 3022 to hear more from Mark Karlstrand, Sr. Manager of Product Management at Oracle, about how Oracle Adaptive Access Manager (OAAM) can help secure mobile transactions. Joshua Walderbach from Principal Financial Group will present a case study of OAAM.

For a complete schedule of Identity Management sessions at OpenWorld, see the Identity Management Focus On. 

Thursday Sep 15, 2011

Security Inside Out Newsletter - September Edition

This month’s edition of the Oracle Security Inside Out newsletter is now available.

In this edition we look at some of the OpenWorld sessions that you just don't want to miss. We also discuss Oracle Unified Directory 11g, and reveal the latest in identity management webcasts, videos, events and more.

If you don’t have a subscription to this bi-monthly security information update, you can sign up here.

For a full listing of all the Identity Management sessions at this year's OpenWorld, check out the FocusOn document.

Tuesday Aug 30, 2011

Got Audit Eye?

Are you at a loss come audit time? Still trying to figure out how you can realistically confirm for ALL your employees and across ALL your enterprise systems who has access to what and when? You are not alone; just check out this video and remember Oracle Identity Analytics can help.

 Audit Eye

Sunday Aug 28, 2011

Layered Access Management Webcast - Q&A Followup

Thanks to everyone who joined us last week on our webcast with IOUG - “Layering Enterprise Security with Oracle Access Management”. Eric Leach, Director of Product Management for Oracle Access Management, did a great job explaining how Oracle Access Management products can layer on top of enterprise security and help organizations overcome the complexity of dealing with security threats in the cloud, mobile and application delivery ecosystems. Check out Eric's blog post detailing the top themes for the webcast. I have captured the responses to the questions that were asked during the webcast.

See us at Oracle OpenWorld 2011

Q: What product can I use to protect VIP patient data in healthcare establishments?

A: Oracle Adaptive Access Manager (OAAM) provides real time risk analytics that can be leveraged for access monitoring purposes. In certain kinds of environments such as in healthcare establishments or in HR systems it may be possible to access privileged information but it is also important to track who is accessing that information and when they accessed that and for what reason. OAAM has the ability to detect access requests, track and determine whether they are anomalous or not. Oracle today offers a solution for healthcare providers which can help to detect and prevent that kind of access directly. So if you have VIP data then you can prevent frivolous or unauthorized access of such information.

Q: Where can I find the Aberdeen Report that Eric mentioned?

A: You can download the Aberdeen Report citing the findings on Platform vs. Point Solution Approach Study for Identity Management here.

Q:  If Oracle Access Manager (OAM) authenticates me as MARIA on Active Directory and my application requires a username MHALLOM (on RACF) what's the best way to accomplish that?

A: You would use a combination of Oracle Access Manager and Oracle Enterprise Single Sign-On (ESSO) Suite. If OAM authenticates you against AD for the app and if your RACF app requires credentials, you would then generally use an ESSO client to authenticate into that system. So if you have a mixture of web apps and mainframe apps you would typically use a combination of OAM and ESSO to achieve SSO across those different environments. AD can be used as a directory repository for ESSO as well. So you can go ahead and use that as a repository for the RACF application.

Q: In which language are custom authentication modules for Oracle Access Manager (OAM) developed? It was in C in oam10g if I’m not mistaken

A: Yes, that’s correct. Custom auth modules were developed in C in OAM 10g. OAM 11g works as a Java server in WebLogic, so you will build Java modules that plug in to the server.

Q. For high availability do you have seamless geographical failover solution in OAM such as disaster recovery since OAM documentation doesn't explain much on it nor provide options

A: There are a number of different documents that can offer some guidance. There is an Enterprise Deployment guide and there is a HA and DR guide that is being updated for the OAM 11g PS1 release. The basic guideline is to generally reuse data replication methods that are leveraged in your enterprise. If you want to create more custom DR failover scenarios stay tuned to the Oracle Access Manager product page on OTN and we will be putting up more specific documentation on that.

Q: Shall we contextualize Oracle Security Token Service (OSTS) to service layer (ex: business process) in de-coupled way using OAM?

A: You could set STS up as a service that can be used with or without OAM to leverage some of those business flows. You could be trying to use STS to enable an identity propagation event that is based on an authenticated user and you may want to attach a specific set of security requirements based on a downstream web service that the user is trying to access. In that case when you are trying to access the downstream web service there are a certain set of policies that the STS can encapsulate that allows you to do that based on the requirements of the service.

Q: Can I plug in an alternate authentication mechanism besides challenge questions to secure the self service password management flows?

A: The Oracle Access Management Suite through OAAM provides the One-Time Password solution. So you can extend a password reset flow to include an out-of-band challenge sent to a user’s mobile device over SMS. You can layer services that way to get those advanced capabilities.

Q: How can I be assured that access to SAAS apps is revoked upon an employee leaving the company?

A: When you are managing access to SaaS or 3rd party apps, you can have Oracle ESSO manage random and very complex passwords that the user doesn’t know about or doesn’t see. So when the user is terminated and de-provisioned, instead of having to go out and terminate access on the SaaS side, you can instead more or less ensure they can’t access the SaaS app as they don’t know the password and they cannot reset the password. So you can secure that flow a lot more efficiently than otherwise.

Q: How do the Oracle Identity Manager (OIM) challenge questions differ from Knowledge based Challenge questions (KBA)?

A: The primary value of Knowledge based Authentication that OAAM provides is increased usability. You can account for and tolerate abbreviations, typos and misspellings. That is called Answer Logic – fuzzy logic processing of answers as they are input. And on the questions side, the number and type of questions that get generated can be controlled by both systems. But in general, the OAAM component provides sophistication and control around when to show questions, how many to show, how to pull them out of a pool of questions, etc. So it can avoid some of the common vulnerabilities with password reset associated with brute force attacks. OAAM has capabilities for mitigating that.
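Answer Logic, as described in this answer and in the Mobile Security Tradeoffs post above, accepts near-miss challenge answers at an elevated risk level. The sketch below is an added example, not Oracle's code and not OAAM's actual algorithm: it assumes an edit-distance comparison, and the abbreviation table, length thresholds and attempt limit are illustrative assumptions.

```python
import re
import unicodedata

# Assumed values (hypothetical, not taken from OAAM).
ABBREVIATIONS = {"st": "street", "ave": "avenue", "rd": "road", "mt": "mount"}
MAX_ATTEMPTS = 3     # failed answers allowed before the challenge locks
MIN_FUZZY_LEN = 6    # shorter answers must match exactly


def normalize(answer: str) -> str:
    """Strip accents and punctuation, case-fold, collapse spaces, expand abbreviations."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.casefold())
    return " ".join(ABBREVIATIONS.get(word, word) for word in text.split())


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent transposition."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def allowed_edits(expected_norm: str) -> int:
    """Tolerance scales with length: a fixed tolerance on a short answer
    would accept a large share of all possible guesses."""
    n = len(expected_norm)
    if n < MIN_FUZZY_LEN:
        return 0
    return 1 if n < 12 else 2


def classify(expected: str, given: str) -> str:
    """'low' = exact after normalization, 'medium' = near miss, 'high' = reject."""
    e, g = normalize(expected), normalize(given)
    if not g:
        return "high"
    if e == g:
        return "low"
    return "medium" if osa_distance(e, g) <= allowed_edits(e) else "high"


class ChallengeSession:
    """Counts failures so the fuzzy tolerance cannot be used to guess repeatedly.
    The expected answer is held in memory here for illustration only."""

    def __init__(self, expected: str):
        self._expected = expected
        self.failures = 0

    def submit(self, given: str) -> str:
        if self.failures >= MAX_ATTEMPTS:
            return "locked"
        risk = classify(self._expected, given)
        if risk == "high":
            self.failures += 1
            return "locked" if self.failures >= MAX_ATTEMPTS else "retry"
        # A near miss is accepted but flagged so downstream rules can add scrutiny.
        return "accept" if risk == "low" else "accept-flagged"


if __name__ == "__main__":
    # Constructed sample answers.
    print(classify("Misses Smith", "Missus Smith"))
    print(classify("Lee", "Lea"))
```

The length floor is the part worth tuning first: every extra edit of tolerance enlarges the set of accepted answers, which matters most for short answers.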

Friday Aug 12, 2011

Layering Enterprise Security with Access Management

As a security professional, one of the surveys I look forward to every year is the Data Breach Investigations Report published by Verizon. In the 2011 edition of the report, there were several glaring statistics. Verizon reports that 76% of all breaches compromised back end servers, 92% of attacks were not highly difficult and an alarming 96% of all security breaches were preventable through simple or intermediate controls. At Oracle, we could not agree more.

Across the enterprise security landscape there are several factors which are increasing risk for organizations. Traditional security has relied on defending the perimeter. But the proliferation of sophisticated attacks internally and externally demands sophisticated defense mechanisms that factor risk into the security equation. Secondly, the modern workforce is increasingly dynamic and mobile. When employees, partners, contractors, customers, suppliers, etc. all need access to critical applications, access to sensitive information should be restricted to authorized users. Finally, recent IT trends like cloud computing and mobility have resulted in a proliferation of applications that employees need access to. Applications come in many different flavors (packaged, homegrown, SaaS, mobile apps, etc.) and when each app has its own notion of the user, how they connect and what they are authorized to do, this increases costs and complexity of integrating security for applications.

At Oracle, our Access Management solutions offer holistic security to help organizations safeguard against security threats, reduce risk, ensure compliance and security for applications, web services and data. In our upcoming webcast on Aug 23 sponsored by IOUG, Eric Leach from Oracle will discuss the latest innovations in Oracle Access Management solutions and how they can help you address your enterprise security and compliance goals.

Register here for the Aug 23 Webcast.

Thursday Aug 11, 2011

Getting IT Right with an End-to-End Access Control - Q&A Follow-Up

Thanks to all who joined us on last week’s webcast on “Getting IT Right with an End-to-End Access Control Strategy”. Identity Management is about User Authentication, Authorization, Administration and Audit (the 4 A’s of Identity Management). But it doesn’t end with task automation. Identity Management needs to be smart (read: intelligent). It needs to ANALYZE the circumstances, understand the CONTEXT and CONTROL or manage the user interaction with the enterprise resources. Marc Boroditsky, Vice President, Oracle Identity Management, did a great job in explaining how end-to-end access control is really about becoming more context-aware with information backed by advanced analytics to offer more control.

The webcast replay is now available and we hope to continue the conversation we started with this webcast. In the meantime, I have captured the responses to the questions asked during the webcast.

Q. Is Identity Management strategic for Oracle?

A. Very much so. Oracle continues to make significant investments in Identity Management across all organizations including product development, customer and sales support, business development, marketing, and more.

Q. Where can I find the Aberdeen Report that Marc mentioned?

A. You can download the Aberdeen Report citing the findings on Platform vs. Point Solution Approach Study for Identity Management here.

Q. I was at one of the major health insurance providers recently. I was told not to bring laptop or any other hardware. I was told not to upload or download a file. Access to servers I was supposed to work on took 3+ weeks. Is that a smart way of doing security?

A. No access or limited access as a policy is detrimental to getting business done. And in fact, it may still not be an effective security measure. A smart approach would be to have layered security whereby only the right people have the right level of access to the right resources at the right time. When a user role or needs change, that change should also trigger user access and administration change. Moreover, all of this should be auditable. An integrated approach to user authentication, access authorization, administration and audit will accomplish this.

Q. Where can I find product roadmaps for Access and Identity?

A. Technical information for all our Identity Management products is located on Oracle Technology Network. To schedule a roadmap briefing, please contact your account manager.

Q. Is Oracle Identity Management part of the Oracle Database binary code?

A. No. Oracle Identity Management solutions are licensed separately.

Q. What differentiates Oracle Identity Management offering from its GRC Suite offering?

A. While GRC deals with a standards-based platform for enterprise risk management, regulatory compliance, and controls enforcement, Oracle Identity Management solutions allow enterprises to manage the entire user identity life cycle across all enterprise resources and offer identity audit & compliance capabilities.

Q. How does Oracle Identity Management stack support private/public cloud infrastructure?

A. Oracle’s Identity Management stack plays a critical role in making the cloud environment secure for enterprises.

  • Identity federation is one area where standards such as SAML are quite mature and are being adopted by cloud providers and applications. Oracle Identity Federation (OIF) offers a full range of standards-based federation between cloud applications and their customers’ applications.
  • Oracle Identity Manager (OIM) provides standards-based secure provisioning and self-service registration of application users to cloud applications via support for SPML services and BPEL workflow definitions.
  • Oracle Enterprise Single Sign-On (ESSO) Suite lets enterprises host ESSO in a private cloud to offer users secure access to heterogeneous enterprise resources from anywhere, anytime.
  • Oracle Access Manager (OAM) provides a robust Single Sign-On capability that streamlines identity authentication processes across cloud applications.
  • Oracle Adaptive Access Manager (OAAM) provides strong authentication, identity verification, and fraud prevention across service providers’ cloud applications.
  • Oracle Web Services Manager (OWSM) provides a policy-based authentication and authorization infrastructure for securing web services.

We encourage you to download our Cloud Security Resource Kit for additional detail.

Q. With the layered security approach, are you recommending that there be a specific order of implementation i.e. Directory Services, SSO and Provisioning first and then the remaining pieces?

A. The order of implementation and even the scope of implementation are based on the organization’s needs and the specific issues/business challenges you are trying to solve. Please connect with your account manager to discuss your specific needs and chart out the appropriate implementation plan for the best return-on-investment.

Q. Is Oracle Identity Management a new technology?

A. Oracle has been offering proven, best-of-breed Identity Management solutions for quite some time. With continued investment in technology and resources, Oracle’s Identity Management solutions portfolio has grown significantly over the years. For a complete list of Oracle Identity Management offerings and more information, please visit us at www.oracle.com/identity.

Q. Can I use Oracle Identity Management to centrally manage access for multiple external clients?

A. Yes. Oracle Identity Management solutions allow you to centrally manage user authentication, authorization, administration and identity audit across all resources and for all users regardless of whether they are within or outside your organization. A good example of external user facilitation is: Qualcomm Case Study: Supporting User Federation using Oracle Identity Federation.

Q. Can Oracle Identity Management provide the visual graphic metrics of all user activities like the Oracle OEM alert metric?

A. Oracle Identity Analytics provides actionable dashboards, graphs and metrics for user and identity audit at any time. Oracle Adaptive Access Manager provides strong risk-based authentication features like real-time risk alerts based on behavioral profiling and advanced risk analytics.

Q. How do we integrate the new Oracle Identity product with other large apps e.g. Siemens PLM product?

A. Oracle Identity Manager can integrate with Siemens PLM using the application’s API or if the application supports SPML, then by using SPML calls. Oracle Identity Manager’s Identity Connector Framework makes the integration process quite flexible, scalable and efficient. Most market leading applications and systems are supported out-of-the-box.

Q. How can the tool set transit the identity between the layers, for instance if I have a JBOSS server and a WebLogic server, how can I pass the identity from one to the other so that both can participate in this vision?

A. With Oracle Identity Management, you can externalize identities to a centralized identity platform supported by Oracle Platform Security Services (OPSS). OPSS allows you to abstract security, audit, and identity management functionality from applications, so you no longer have to hard-code these in individual applications, thereby reducing time and cost across the application lifecycle. Read more about this revolutionary approach here.

Q. Would I need Oracle Directory Services if I have Oracle Identity Manager in-house?

A. Oracle Directory Services Plus and Oracle Identity Manager are complementary solutions. Oracle Directory Services Plus is the industry’s only integrated solution that offers identity virtualization, storage, proxy and synchronization services for high-performance enterprise and carrier-grade environments. Oracle Identity Manager is an identity administration and user provisioning solution that automates the process of adding, managing, updating and deleting user accounts on enterprise resources, whether on-premise or in the cloud. While these solutions work very well together and solve unique challenges, the implementation of one does NOT require the implementation of the other.

We hope this is just the start of our conversation on this subject. We look forward to hearing your feedback on the approach Marc alluded to during the webcast and how it applies to organizations today.
