Wednesday Sep 28, 2011

Mobile Security Tradeoffs: OOW Session

The rapid adoption of mobile computing and the migration of fraud attacks to mobile devices are forcing enterprises, banks and e-commerce providers to rely on sophisticated fraud detection capabilities. Recently Gartner put out a research note which estimates that by year end 2013, 12.5% of all e-commerce transactions will be conducted via mobile devices. Gartner also says that “The evolution of fraud detection tools will play a part in turning mobile commerce into location- and context-aware commerce by increasing the confidence of businesses, financial institutions and end users”. In the latest release of Oracle Adaptive Access Manager (OAAM), we added several enhancements that deliver context-aware security for mobile computing on par with the fraud detection capabilities that exist for traditional computing.

Oracle Adaptive Access Manager offers a layered security model that enhances the security of online transactions, including mobile transactions, through several complementary capabilities:

  • Device Identification & Location Awareness: Oracle Adaptive Access Manager (OAAM) delivers fingerprinting and geo-location for mobile devices to quickly detect and prevent new types of fraud or misuse. So let’s suppose John Doe always logs into his online banking application from his laptop or mobile device located in San Francisco. Now suppose a transaction to transfer thousands of dollars from John’s bank account is initiated from somewhere outside North America, from a device whose identity matches neither John’s PC nor his mobile. OAAM flags this as an anomaly and can either block the transaction or challenge the user.
  • Predictive Risk Analytics: OAAM has always delivered sophisticated risk analytics that weigh risk factors to decide whether a transaction is anomalous. In the latest release, OAAM adds predictive risk analysis to complement its flexible rules engine and pattern-based auto-learning capabilities. So organizations can rely on a combination of location, end-point identity, historical behavior and context-awareness to guarantee higher identity assurance for access from mobile devices.
  • Answer Logic: This is a fuzzy-logic-based processing technique applied to challenge question responses; it increases the usability of a challenge-answer flow by accepting variations of the valid answer. So if a fat-fingered user types in “Missus Smith” instead of “Misses Smith” as his mother’s maiden name, OAAM can automatically detect that this is a medium-risk situation and allow the user to complete his transaction.
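To make the layered model concrete, here is an added example (not OAAM code, and not from this post) that scores a login or transaction against what a user's history says is normal: an unknown device fingerprint, a location far from the user's usual ones and an amount above the user's historical maximum each add to a risk score, and the score picks ALLOW, CHALLENGE or BLOCK. The profile for "John Doe", the fingerprint labels, the coordinates, the weights and the thresholds are all constructed for the illustration.

```python
"""Layered risk scoring for a login or transaction, combining device
fingerprint, geo-location and transaction history.

Added illustration for this post; it is not OAAM code. The profile data,
fingerprint labels, coordinates, weights and thresholds are constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass
class UserProfile:
    user_id: str
    known_devices: frozenset[str]                      # fingerprint hashes seen before
    usual_locations: tuple[tuple[float, float], ...]   # (lat, lon) pairs
    typical_max_amount: float                          # largest amount in normal history


@dataclass
class AccessEvent:
    device_fingerprint: str
    location: tuple[float, float]
    amount: float = 0.0


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def evaluate(profile: UserProfile, event: AccessEvent) -> dict:
    """Return a risk score (0-100), the reasons behind it, and an action."""
    score = 0
    reasons: list[str] = []

    # Layer 1: device identification
    if event.device_fingerprint not in profile.known_devices:
        score += 40
        reasons.append("device not seen before for this user")

    # Layer 2: location awareness (distance to the nearest usual location)
    nearest_km = min(haversine_km(event.location, loc) for loc in profile.usual_locations)
    if nearest_km > 3000:
        score += 40
        reasons.append(f"{nearest_km:.0f} km from any usual location")
    elif nearest_km > 300:
        score += 15
        reasons.append(f"{nearest_km:.0f} km from usual location")

    # Layer 3: historical behaviour (amount vs. what this user normally moves)
    if event.amount > profile.typical_max_amount:
        score += 20
        reasons.append("amount exceeds the user's historical maximum")

    score = min(score, 100)
    if score >= 70:
        action = "BLOCK"
    elif score >= 30:
        action = "CHALLENGE"   # step up to a challenge question or an OTP
    else:
        action = "ALLOW"
    return {"score": score, "action": action, "reasons": reasons}


# Constructed sample data: "John Doe" usually logs in from San Francisco.
SAN_FRANCISCO = (37.7749, -122.4194)
LOS_ANGELES = (34.0522, -118.2437)
BERLIN = (52.5200, 13.4050)

JOHN = UserProfile(
    user_id="john.doe",
    known_devices=frozenset({"fp-laptop-01", "fp-mobile-01"}),
    usual_locations=(SAN_FRANCISCO,),
    typical_max_amount=2000.0,
)

NORMAL_LOGIN = AccessEvent("fp-laptop-01", SAN_FRANCISCO, 150.0)
TRAVEL_LOGIN = AccessEvent("fp-mobile-01", LOS_ANGELES, 150.0)
KNOWN_DEVICE_ABROAD = AccessEvent("fp-mobile-01", BERLIN, 150.0)
UNKNOWN_DEVICE_ABROAD = AccessEvent("fp-unknown-99", BERLIN, 8000.0)

if __name__ == "__main__":
    for name, ev in [("normal", NORMAL_LOGIN), ("travel", TRAVEL_LOGIN),
                     ("known device abroad", KNOWN_DEVICE_ABROAD),
                     ("unknown device abroad", UNKNOWN_DEVICE_ABROAD)]:
        print(name, evaluate(JOHN, ev))
```

The point of the layering is visible in the four sample events: a known device a few hundred kilometres from home only nudges the score, a known device on another continent triggers a challenge rather than a block, and only the combination of unknown device, distant location and unusual amount reaches the block threshold. The weights are where a real deployment's rules engine and auto-learning would come in.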

Join us on Tuesday Oct 4 at 10:15a in Moscone West 3022 to hear more from Mark Karlstrand, Sr. Manager of Product Management at Oracle, about how Oracle Adaptive Access Manager (OAAM) can help secure mobile transactions. Joshua Walderbach from Principal Financial Group will present a case study of OAAM.

For a complete schedule of Identity Management sessions at OpenWorld, see the Identity Management Focus On. 

Sunday Aug 28, 2011

Layered Access Management Webcast - Q&A Followup

Thanks to everyone who joined us last week on our webcast with IOUG - “Layering Enterprise Security with Oracle Access Management”. Eric Leach, Director of Product Management for Oracle Access Management, did a great job explaining how Oracle Access Management products can layer on top of enterprise security and help organizations overcome the complexity of dealing with security threats in the cloud, mobile and application delivery ecosystems. Check out Eric's blog post detailing the top themes for the webcast. I have captured the responses to the questions that were asked during the webcast.

See us at Oracle OpenWorld 2011

Q: What product can I use to protect VIP patient data in healthcare establishments?

A: Oracle Adaptive Access Manager (OAAM) provides real time risk analytics that can be leveraged for access monitoring purposes. In certain kinds of environments such as in healthcare establishments or in HR systems it may be possible to access privileged information but it is also important to track who is accessing that information and when they accessed that and for what reason. OAAM has the ability to detect access requests, track and determine whether they are anomalous or not. Oracle today offers a solution for healthcare providers which can help to detect and prevent that kind of access directly. So if you have VIP data then you can prevent frivolous or unauthorized access of such information.

Q: Where can I find the Aberdeen Report that Eric mentioned?

A: You can download the Aberdeen Report citing the findings on the Platform vs. Point Solution Approach Study for Identity Management here.

Q: If Oracle Access Manager (OAM) authenticates me as MARIA on Active Directory and my application requires the username MHALLOM (on RACF), what's the best way to accomplish that?

A: You would use a combination of Oracle Access Manager and Oracle Enterprise Single Sign-On (ESSO) Suite. If OAM authenticates you against AD for the app and your RACF app requires credentials, you would then generally use an ESSO client to authenticate into that system. So if you have a mixture of web apps and mainframe apps, you would typically use a combination of OAM and ESSO to achieve SSO across those different environments. AD can be used as a directory repository for ESSO as well, so you can go ahead and use that as a repository for the RACF application.

Q: In which language are custom authentication modules for Oracle Access Manager (OAM) developed? They were in C in OAM 10g, if I’m not mistaken.

A: Yes, that’s correct. Custom authentication modules were developed in C in OAM 10g. OAM 11g runs as a Java server in WebLogic, so you will build Java modules that plug in to the server.

Q: For high availability, do you have a seamless geographical failover solution in OAM, such as disaster recovery? The OAM documentation doesn't explain much on it nor provide options.

A: There are a number of different documents that can offer some guidance. There is an Enterprise Deployment guide, and there is an HA and DR guide that is being updated for the OAM 11g PS1 release. The basic guideline is to generally reuse the data replication methods that are already leveraged in your enterprise. If you want to create more custom DR failover scenarios, stay tuned to the Oracle Access Manager product page on OTN; we will be putting up more specific documentation on that.

Q: Shall we contextualize Oracle Security Token Service (OSTS) to the service layer (e.g. business process) in a de-coupled way using OAM?

A: You could set STS up as a service that can be used with or without OAM to leverage some of those business flows. For example, you could use STS to enable an identity propagation event based on an authenticated user, and attach a specific set of security requirements based on a downstream web service that the user is trying to access. In that case, when the user accesses the downstream web service, there is a set of policies that the STS can encapsulate to allow that, based on the requirements of the service.

Q: Can I plug in an alternate authentication mechanism besides challenge questions to secure the self service password management flows?

A: The Oracle Access Management Suite, through OAAM, provides the One-Time Password solution. So you can extend a password reset flow to include an out-of-band challenge sent to a user’s mobile device over SMS. You can layer services that way to get those advanced capabilities.
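For readers wiring an out-of-band OTP into a reset flow, here is an added example (not OAAM code, and not from the webcast) of the server-side lifecycle such a code needs: generate it with a cryptographic RNG, store only a salted hash, hand the clear code to the SMS channel, and verify it once, before expiry, with a constant-time comparison and a cap on wrong guesses. The 6-digit format, 5-minute lifetime, 3-attempt cap and the fake SMS gateway are constructed choices for the illustration.

```python
"""Out-of-band one-time password (OTP) for a password-reset flow.

Added illustration for this answer; it is not OAAM code. The 6-digit
format, 5-minute lifetime, 3-attempt cap and the FakeSmsGateway are
constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable


@dataclass
class _PendingOtp:
    salt: bytes
    digest: bytes          # salted SHA-256 of the code; the code itself is never stored
    expires_at: float
    attempts_left: int


class OtpService:
    def __init__(self, ttl_seconds: float = 300, max_attempts: int = 3):
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._pending: dict[str, _PendingOtp] = {}

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user: str, send: Callable[[str, str], None], phone: str,
              now: float | None = None) -> None:
        """Generate a fresh code, keep only its salted hash, and pass the clear
        code to the out-of-band channel. Issuing again replaces the old code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, zero-padded
        salt = secrets.token_bytes(16)
        self._pending[user] = _PendingOtp(
            salt, self._hash(salt, code), now + self._ttl, self._max_attempts)
        send(phone, f"Your password reset code is {code}")

    def verify(self, user: str, code: str, now: float | None = None) -> bool:
        """True once, for the right code, before expiry. The pending code is
        discarded on success, on expiry, and after too many wrong guesses."""
        now = time.time() if now is None else now
        pending = self._pending.get(user)
        if pending is None:
            return False
        if now > pending.expires_at:
            del self._pending[user]
            return False
        ok = hmac.compare_digest(pending.digest, self._hash(pending.salt, code))
        if ok:
            del self._pending[user]            # single use
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[user]            # user must request a new code
        return False


class FakeSmsGateway:
    """Constructed stand-in for an SMS provider: records what would be sent."""

    def __init__(self) -> None:
        self.sent: list[tuple[str, str]] = []

    def send(self, phone: str, text: str) -> None:
        self.sent.append((phone, text))

    def last_code(self) -> str:
        return self.sent[-1][1].rsplit(" ", 1)[1]


if __name__ == "__main__":
    gateway = FakeSmsGateway()
    otp = OtpService()
    otp.issue("john.doe", gateway.send, "+1-555-0100")   # constructed phone number
    print("sent:", gateway.sent[-1])
    print("verified:", otp.verify("john.doe", gateway.last_code()))
```

Two design choices matter more than the rest: the service never stores the code in clear, so a database read does not yield a usable OTP, and a wrong guess counts against a small budget after which the user must request a new code, which keeps a six-digit space from being enumerable within the code's lifetime. The `now` parameter exists only so the expiry path can be exercised deterministically.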

Q: How can I be assured that access to SaaS apps is revoked upon an employee leaving the company?

A: When you are managing access to SaaS or third-party apps, you can have Oracle ESSO manage random and very complex passwords that the user doesn’t know about or doesn’t see. So when the user is terminated and de-provisioned, instead of having to go out and terminate access on the SaaS side, you can instead more or less ensure they can’t access the SaaS app, as they don’t know the password and they cannot reset the password. So you can secure that flow a lot more efficiently than otherwise.

Q: How do the Oracle Identity Manager (OIM) challenge questions differ from Knowledge based Challenge questions (KBA)?

A: The primary value of the Knowledge Based Authentication that OAAM provides is increased usability. You can account for and tolerate abbreviations, typos and misspellings. That is called Answer Logic – fuzzy-logic processing of answers as they are input. On the questions side, the number and type of questions that get generated can be controlled by both systems. But in general, the OAAM component provides sophistication and control around when to show questions, how many to show, how to pull them out of a pool of questions, etc. So it can avoid some of the common vulnerabilities in password reset associated with brute force attacks; OAAM has capabilities for mitigating that.
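The Answer Logic bullet in the OpenWorld post above and this answer describe the same two ideas, tolerant answer matching and control over how challenge questions are served, so one added example (not OAAM code, and not from the webcast) covers both. It normalizes an answer, grades it with an edit-distance similarity so that “Missus Smith” passes for “Misses Smith” at medium risk while an unrelated answer is rejected, draws a random subset of the user's registered questions, and locks the flow after a few failed answers. The normalization rules, the 0.8 similarity threshold, the 3-attempt limit and the sample questions are constructed choices.

```python
"""Answer Logic for knowledge-based authentication: tolerant answer
matching, random question selection, and a failure cap for the reset flow.

Added illustration for the Answer Logic bullet and the KBA answer above; it
is not OAAM code. The normalization rules, the 0.8 similarity threshold, the
3-attempt limit and the sample questions are constructed.
"""
from __future__ import annotations

import re
import secrets


def normalize(answer: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", answer.lower())
    return " ".join(cleaned.split())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def grade_answer(stored: str, given: str, threshold: float = 0.8) -> str:
    """'low' risk on an exact (normalized) match, 'medium' on a near miss
    within the similarity threshold, 'reject' otherwise."""
    s, g = normalize(stored), normalize(given)
    if s == g:
        return "low"
    longest = max(len(s), len(g)) or 1
    similarity = 1 - levenshtein(s, g) / longest
    return "medium" if similarity >= threshold else "reject"


class ChallengeService:
    """Serves a random subset of a user's registered questions and locks the
    flow after too many failed answers (the brute-force mitigation)."""

    def __init__(self, questions: dict[str, str], ask: int = 2, max_failures: int = 3):
        self._questions = questions            # question -> registered answer
        self._ask = ask
        self._max_failures = max_failures
        self._failures = 0
        self._rng = secrets.SystemRandom()     # OS-backed randomness for the draw

    def pick_questions(self) -> list[str]:
        """Choose which questions to show; subset and order change per session."""
        return self._rng.sample(list(self._questions), self._ask)

    @property
    def locked(self) -> bool:
        return self._failures >= self._max_failures

    def answer(self, question: str, given: str) -> str:
        """Grade one answer; returns 'locked', 'low', 'medium' or 'reject'."""
        if self.locked:
            return "locked"
        grade = grade_answer(self._questions[question], given)
        if grade == "reject":
            self._failures += 1
        else:
            self._failures = 0
        return grade


# Constructed sample registration for one user.
SAMPLE_QUESTIONS = {
    "Mother's maiden name?": "Misses Smith",
    "First car?": "Volvo 240",
    "City of birth?": "Sacramento",
}

if __name__ == "__main__":
    svc = ChallengeService(SAMPLE_QUESTIONS)
    print("asking:", svc.pick_questions())
    print(svc.answer("Mother's maiden name?", "Missus Smith"))   # medium
```

The grade, not just a pass/fail, is what lets the rest of a layered flow react: a "medium" near miss can be accepted on its own for a low-value action and combined with a second factor for a high-value one. The failure counter is deliberately per user rather than per question, since an attacker who can keep retrying a single easy question gains nothing from a per-question cap.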

Tuesday Aug 09, 2011

Securing Your Electronic Health Records

Thanks to all those who joined our webcast on securing electronic health information records. According to the survey by Healthcare IT News, many organizations are depending on the EHR vendors to take care of the security requirements; however, a more systematic approach has to be taken in order to meet the compliance and "meaningful use" requirements. Mark Ford from Deloitte did a great job of setting the context around the legislation and the changing requirements. Thanks for all of the great questions on the webcast; I want to take the time to make sure we capture the answers. I will post a replay. Mike mentioned the Aberdeen report comparing the platform vs. the point solution approach; this may provide some benefit as you think about your road map.

  • Question: Looking at certification review with regard to clinician access - we have lots of cases where clinicians have excessive access - what else can I do with regard to a layered ?
  • Answer: There are two things that we would recommend. Many of the excessive access issues can be prevented in the first place by provisioning users (see Oracle Identity Manager) based on a pre-defined job role. This model works well and can speed up the audit. The second thing that organizations are doing is complementing certification review with detective monitoring provided by Oracle Security Governor. To streamline the certification review portion, Oracle Identity Analytics has some easy-to-use reporting that can make this less cumbersome.
  • Question: We have primary care physicians scheduling appointments through our web interface from different parts of the state - can your solution help us manage their user passwords?
  • Answer: Yes - if you are using a web interface then we could enable self-service password management for your connecting physicians. You can provide this capability with Oracle Access Manager - also consider the ability for your connecting physicians to connect directly to your external portal with Federation capabilities.
  • Question: Is there a role life-cycle management capability in the Oracle stack? How would I get started in that process?
  • Answer: Yes - Oracle Identity Analytics provides this - you can download it from our site.
  • Question: SSO is well understood by all, but what about signing off? Multiple apps running over one SSO, how do you manage the signing off of individual apps?
  • Answer: This is a great question - there are many circumstances where this is required. With Oracle ESSO there is a sign-off capability where ESSO cleans up the cache so that someone else can use the terminal - we find this case in healthcare a lot.
  • Question: We are a hospital with lots of VIP celebrity patients - how can we secure access to the specific VIP patient data?
  • Answer: We get asked this a lot - feel free to reach out to us and we can set up a conversation with a couple of our customers who are solving the same problem. Basically, there are a number of ways to solve this. At a detective level, our Security Governor can detect when the incident has occurred; we can also use the Oracle Entitlements Server to guard the data directly at the application level. We would be happy to schedule a demo.
  • Question: What if we have an existing HR system like PeopleSoft - can we use that to drive the access provisioning of our clinicians?
  • Answer: Yes - if you have PeopleSoft or any other HR system, we can connect and drive provisioning from this source. There is a white paper on this on our website.
  • Question: Given that there are lots of offerings in the product stack - where should we get started? Can we start with any product in the stack?
  • Answer: Because we have integrated the stack, customers can start from any point depending on the need. One paper that might be helpful is the recent Aberdeen report that talks about the tremendous cost savings of going with the platform approach.

Hope these answers provide you what you need. If you have follow up questions you can post them as comments below and we will answer them. Thanks again for joining us and we look forward to chatting again soon.
