It's not just “Single Sign-on” by Steve Knott (aurionPro SENA)

It is true that Oracle Enterprise Single Sign-on (Oracle ESSO) started out as purely an application single sign-on tool, but as we have seen in the previous articles in this series, the product has matured into a suite of tools that can do more than just automated single sign-on and can also provide a rapidly deployed, cost-effective solution to many demanding password management problems.

In the last article of this series I would like to discuss three cases where customers faced password scenarios that required more than just single sign-on and how some of the less well known tools in the Oracle ESSO suite “kitbag” helped solve these challenges.

Case #1

One of the issues often faced by our customers is how to keep their applications compliant. I had a client who liked the idea of automated single sign-on for most of his applications but had a key requirement to actually increase the security for one specific SOX application. For the SOX application he wanted to secure access by using two-factor authentication with a smartcard. The problem was that the application did not support two-factor authentication. The solution was to use a feature from the Oracle ESSO suite called authentication manager. This feature enables you to have multiple authentication methods for the same user, which in this case were a smartcard and the Windows password. Within authentication manager each authenticator can be configured with a security grade, so we gave the smartcard a high grade and the Windows password a normal grade. Security grading in Oracle ESSO can be configured on a per-application basis, so we set the SOX application to require the higher grade smartcard authenticator.

The end result for the user was that they enjoyed automated single sign-on for most of the applications apart from the SOX application. When the SOX application was launched, the user was required by ESSO to present their smartcard before being given access to the application.

Case #2

Another example of solving compliance issues was the case of a large energy company who had a number of core billing applications. New regulations required that users change their password regularly and use a complex password. The problem facing the customer was that the core billing applications did not have any native user password change functionality. The customer could not replace the core applications because of the cost and time required to re-develop them. With a reputation for innovation, aurionPro SENA were approached to provide a solution to this problem using Oracle ESSO.

Oracle ESSO has a password expiry feature that can be triggered periodically based on the timestamp of the user's last password creation, so our strategy here was to leverage this feature to provide the password change experience. The trigger can launch an application change password event. In this scenario, however, there was no native change password feature that could be launched, so a “dummy” change password screen was created that could imitate the missing change password function and connect to the application database on behalf of the user.

Oracle ESSO was configured to trigger a change password event every 60 days. After this period if the user launched the application Oracle ESSO would detect the logon screen and invoke the password expiry feature. Oracle ESSO would trigger the “dummy screen,” detect it automatically as the application change password screen and insert a complex password on behalf of the user. After the password event had completed the user was logged on to the application with their new password. All this was provided at a fraction of the cost of re-developing the core applications.

Case #3

Recent popular initiatives such as the BYOD and working from home schemes bring with them many challenges in administering “unmanaged machines” and sometimes “unmanageable users.”

In a recent case, a client had a dispersed community of casual contractors who worked for the business using their own laptops to access applications. To improve security around password management, the security goal was to provision the passwords directly to these contractors. In a previous article we saw how Oracle ESSO has the capability to provision passwords through Provisioning Gateway, but the challenge in this scenario was how to get the Oracle ESSO agent to the casual contractor on an unmanaged machine.

The answer was to use another tool in the suite, Oracle ESSO Anywhere. This component can compile the normal Oracle ESSO functionality into a deployment package that can be made available from a website in a similar way to a streamed application. The ESSO Anywhere agent does not actually install into the registry or program files but runs in a folder within the user’s profile, so no local administrator rights are required for installation. The ESSO Anywhere package can also be configured to stay persistent or disable itself at the end of the user’s session.

In this case the user just needed to be told where the website package was located and download the package. Once the download was complete the agent started automatically and the user was provided with single sign-on to their applications without ever knowing the application passwords.

Finally, as we have seen in this series, Oracle ESSO not only has great utilities in its own tool box but also has direct integration with Oracle Privileged Account Manager, Oracle Identity Manager and Oracle Access Manager. Integrated together, these tools provide a complete and complementary platform to address even the most complex identity and access management requirements.

So what next for Oracle ESSO?

“Agentless ESSO available in the cloud” – but that will be a subject for a future Oracle ESSO series!


The Keys to the Password Vault by Matthew Scott (aurionPro SENA)

Super user accounts are, unfortunately, a necessary evil. It’s just a fact of life in the IT industry that someone, somewhere, has to have the ability to make fundamental (and therefore potentially catastrophic!) changes to key systems.

One of my least favourite experiences as a consultant was gaining access to an account through a process that was reminiscent of a spy thriller – the password was typed onto a card, which was cut in two, with each half stored in a separate safe and each key entrusted to a meticulous security officer. Navigating the procedures to get the halves together in time to be useful was a trial of persuasion and scheduling – I can see why Tom Cruise prefers to abseil in through the roof instead of filling in yet another form!

Compliance officers are increasingly scrutinising privileged accounts and the processes that control access to them – not surprisingly, since surveys have shown that up to a quarter of IT professionals have experienced misuse of such accounts, and almost half of all companies fail to manage these accounts in accordance with the law (http://www.computerweekly.com/news/2240111956/One-in-four-IT-security-staff-abuse-admin-rights-survey-shows). The results can be spectacular and sobering – the UBS trader Kweku Adoboli cost his company $2.3 billion after making disastrous trades using a privileged account which he was not authorised to use.

Thankfully, there is now a better way. As we’ve seen in this series, with the ESSO suite the technology exists to manage user passwords without the user having to actually ‘know’ that password. It is possible to extend this functionality to include those previously hard to manage privileged accounts by introducing Oracle Privileged Accounts Manager (OPAM). OPAM acts as a secure password vault for privileged accounts, but unlike other password vaults it can be connected directly to the ESSO Logon Manager agent so that passwords can be requested, obtained and used, all from the user’s desktop.

OPAM is particularly useful for companies with large, decentralised UNIX environments. We are currently engaged with a large financial organisation which has several hundred servers, with various distributions of Linux and UNIX that are managed by different teams. With OPAM, all those precious root accounts have for the first time been corralled together in one location, where they can be released as needed to any authorised user. OPAM is equally adept at managing identities stored in directories, including Windows service accounts within Active Directory.

To calm the fears of any compliance officers who may be reading these words nervously, it is possible to implement workflows to control the request process. This may include approvals from a higher authority, complete with email or mobile notifications to the approver. And of course ESSO and OPAM feature end-to-end audit trails – from request, to check out, to each use of the privileged account, through to check in. Tracking who has been doing what with each account has never been easier.

In addition to managing privileged accounts, the ESSO suite also allows users to distribute their personal accounts in a similar manner. Many of us have experienced the frustration of needing access to a system, a record or an email only to discover that the person with access is on holiday or otherwise unavailable. In extreme cases, this may require that the absent user’s Windows account be reset to allow another user to log on and gain access. ESSO’s Account Delegation allows these key users to pro-actively devolve their account credentials to another user for a set period – no passwords required!

Achieving "Zero-Touch" Password Management by Steve Knott (aurionPro SENA)

Traditionally when a user is on-boarded into an organisation they are given a desktop password along with a whole host of other passwords to access the required business applications to enable them to do their job. Inevitably there will be numerous associated company information security policies that dictate that passwords should not be written down or shared with colleagues etc.

Trying to remember numerous passwords can be onerous on the end user at the best of times and can lead to a plethora of password sins committed by the end user. Whilst we can deploy some SSO technologies to relieve password fatigue, the on-boarding provisioning process often means that the user needs to know their passwords at some point – or do they?

I recently worked on a project at a leading engineering company who were in the process of deploying a large new ERP system. The end users were highly skilled engineers focusing on cutting edge technology but password security was not high on their list of priorities. Traditionally within the organisation, credentials for new applications were sent by email and sometimes they were communicated over the phone. Inevitably these were written down in text files and diaries or passwords were changed to be the same “pet’s name” type password for multiple applications.

This was a huge concern for the Chief Architect who wanted to remove end user password management and provide “zero touch” credential provisioning for the new ERP applications. He also wanted to satisfy auditing and compliance requirements by enforcing complex passwords whilst preventing unauthorised credential sharing. All this needed to be achieved without inconveniencing the users.

We discussed the tried and tested approach of using a full-blown identity management solution. However, his response to this was that although wider identity management was on their long term roadmap, he had a hard deadline to deliver the ERP system within three months and with limited resources. With traditional user provisioning ‘out the window’ we had to come up with another approach. Everyone would be using the new ERP system for their timesheets on the same day, and with any business impact due to unavailability therefore being potentially very significant, the customer couldn’t afford to have issues related to logging in.

One product that they already had licensed was the Oracle Enterprise Single Sign-on (ESSO) suite. Oracle ESSO is a well-known, established product which provides single sign-on to any application at the desktop. Not so well known are the additional tools provided within the suite. One of these additional tools is Oracle ESSO Provisioning Gateway. Provisioning Gateway is a web based application that complements the other tools in the suite by enabling the provisioning of application credentials directly to the SSO agent without user interaction.

The Provisioning Gateway server exposes a web service interface that allows it to receive instructions submitted by any other provisioning server. Although Provisioning Gateway is more commonly deployed connected to an identity management system, it does have command line interface (CLI) utilities supplied with the software. These utilities allow for scripted interactions with the Provisioning Gateway server, including batch operations.

For this customer it was possible to export the user credential data out of the ERP system into a text-file format.  Then, armed only with the tools provided within the Oracle ESSO suite it was possible to script the provisioning of these user credentials in batches of 500-1000 to the Provisioning Gateway server. The server provisioned the credentials to the ESSO repository and the credentials were synchronised to the desktop SSO agent at user logon.

So far, so good.  At this stage, the users were still unaware that anything had happened.  The new ERP system wasn’t live yet, but in anticipation of its general release we now had each individual’s username and password ready to go in their SSO credential store – ready for first login.

For security reasons, the ERP system was configured to require a password change at first logon. Therefore, when the user launched the application for the first time on its launch date, an application change password event was triggered. The Oracle ESSO agent was configured to recognise and respond to this change password event, automatically generating and inserting a new password and leaving the user logged on with a new complex password. The end user did not know their password at any point of the on-boarding process or for subsequent logons. Therefore the opportunity of sharing their logon details with colleagues was eliminated. Furthermore, issues with the distribution of new passwords were avoided altogether.

The aurionPro SENA fast rollout template for Oracle ESSO enabled this customer to hit the implementation deadline of the ERP project and also address the security requirements of the organisation. ESSO Provisioning Gateway also has a management interface and this customer exploited this feature to allow the helpdesk team to apply the zero touch methodology to other applications.

As we discussed in the first blog (Putting the EASY into SSO) - Oracle ESSO provides more than just single sign-on to desktop applications.  Its use for zero-touch provisioning shows its versatility and that it can form a core part of an integrated identity and access management framework.  It’s not just a tactical tool for a single issue.  Stay tuned for next week’s blog in this series where we’ll be investigating the capabilities of Oracle ESSO still further.

Putting the EASY into ESSO! by Matthew Scott (aurionPro SENA Blog Series - Ch1)

Enterprise Single Sign-On occupies an unusual position in the field of IAM. In automating the sign-on of users to their applications, it is, somewhat uniquely, a client-side application. For some of our customers, the role of enterprise SSO in an IAM programme isn’t entirely clear. I’ve spoken with many security architects who view its use as somehow tantamount to cheating. Surely, they assert, if we fully integrate systems at the back-end then the need for a client component doing sign-on becomes unnecessary. Architecturally this may be true. But the realities are that users have issues with passwords right now. Enterprise single sign-on addresses problems immediately. However, it’s also much more than just a tool that signs the user on to anything from their desktop. It is a tool that can be used to solve related business problems and technical challenges just as well as it can deliver users from their credential nightmares.

In this series of four articles, we will explore how enterprise SSO can be used to deliver these additional benefits. We will cover zero touch credential provisioning, making enterprise single sign-on an integrated part of an IAM programme and the management of delegated accounts. First, however, we’ll start with an easy one… making everyone happy all at the same time!

Capturing business requirements for identity and access management projects can be an art. There are so many interested parties – technical, legal, HR, end-users, application owners to name but a few – that it’s rare to reach a speedy consensus. I was in one such meeting with a customer a while back who were trying to explore what the success criteria would be for their enterprise single sign-on initiative. Relatively straightforward, you’d think, but after five hours the customer was still going round in circles! It wasn’t until the project sponsor finally arrived at the meeting and spoke about his vision that sanity was restored. His single request? His single measure? “Make it easy for my users!” That’s all he wanted. If other benefits accrued, that was a bonus.

Oracle’s Enterprise Single Sign-On Suite Plus (Oracle ESSO) is designed to do precisely what the project sponsor wanted. It includes a number of technologies designed to relieve the pain of passwords, by reducing the number of forgotten or incorrect credentials that a user has, whilst simultaneously making it easier to provide those same credentials to users without compromising security. What’s more, these benefits can be obtained surprisingly quickly – Oracle ESSO has a very light footprint and a flexible framework approach to managing credentials for almost any application. Web, Windows, Cloud or mainframe, passwords can quickly be eliminated as a source of pain for users and IT staff alike.

Oracle ESSO takes the management of credentials away from users. It stores passwords in a secure manner so that the user cannot forget them. It manages the password lifecycle, securely updating credentials when they expire. And it streamlines the user experience – application logon is handled automatically, so the user can get to work immediately without having to fumble over the username and password.

Of course, Oracle ESSO also allows the organisation to achieve lots of other benefits if it’s implemented correctly – reduced number of calls to helpdesk, increased productivity through faster password resets and so on. But fundamentally, as a user-facing tool it has to be one that’ll gain rapid acceptance for its deployment to be heralded as a success. The additional benefits won’t appear if the users don’t adopt the new tools they’re given.

aurionPro SENA has considerable experience with the Oracle ESSO suite. In fact, we’ve got the deployment of Oracle ESSO down to a fine art. Referring back to our original customer above – speed of deployment was important. “Proof of concept in days, pilot in weeks, deployment in two months” was the mantra. All with no significant operational impact on either end-users or IT personnel. We helped the customer achieve these goals. Deploying Oracle ESSO requires a delicate balance of technical knowledge, light-touch project management and extremely well-managed engagement with the end-user community. The last element is the most important. Involving key users as early as possible when their applications are being ‘profiled’ for single sign-on helps to ensure that they buy in to the end goal. They understand how Oracle ESSO will enhance the way that they work and are keen to share this with other users. If done right, a cascade of anticipation can ripple through the user community so that, rather than fearing change as can often happen with IT projects, the users are willing the change to arrive sooner! The use of appropriate briefing tools, promotion of the new system and similar techniques can further enhance the effectiveness of the final Oracle ESSO rollout.

So, Oracle ESSO makes it easy for end-users. That’s great, that’s exactly what our customer wanted, and it’s what any user-facing application should strive to do. Deploying Oracle ESSO, when managed properly, is one of those very unusual IT projects, though. Not only does it make things easier for end-users, it also makes things easier for IT support teams, helpdesk operators, auditors and a whole range of teams within the organisation. So it’s win-win all round.

But this is just the starting point. Oracle ESSO acts as a great launch pad for customers looking to further streamline credential management, giving users a better experience whilst also improving security and providing previously unavailable audit data. Stay tuned as we demonstrate how you can unlock the potential of Oracle ESSO.


Security Newsletter January Edition is Out Now

The January edition of the very popular Security Inside Out Newsletter is now out. This edition puts the spotlight on Security in Healthcare. Whether it is patient privacy or complying with federal and industry regulations like HIPAA, Sarbanes Oxley (SOX), HITECH and more, security issues are top of mind for most healthcare organizations. Oracle's Security Inside Out approach offers comprehensive protection for your data, identity and applications. Check out the top feature in the newsletter to hear how some of your peer organizations are meeting their security, compliance and patient care goals with Oracle Security and Identity Management solutions.

If you attended our recent Enterprise Single Sign-On (ESSO) webcast, you already know that companies on average realize over 140% in return-on-investment (ROI) with the ESSO implementation. Organizations have been able to slash over 80% of password related calls to their helpdesk saving a tremendous amount in helpdesk overhead and improving user productivity. Get your hands on the ESSO Buyers Guide and don't miss this feature article in the newsletter that discusses recent customer success stories.

This edition is also your one-stop shop for getting your hands on the latest materials including a recently issued IDC Report on Data Security, Oracle whitepaper comparing Oracle and Novell Identity Management solutions, SANS product review report on Oracle Database Vault and more. Keep up to date on the latest Oracle Security news, upcoming events, webcasts and more by subscribing to the newsletter now.

Happy reading!

ESSO Webcast Replay with Live Q&A

In our ESSO webcast on Oct 19th, we discussed how Oracle Enterprise Single Sign-On Suite can not only eliminate your password reset and helpdesk headaches but also offer a healthy ROI which enterprises just cannot overlook. In our webcast we discussed how Oracle ESSO Suite can deliver an ROI of 140% within the first year of deployment.

Due to popular demand, we are now doing a re-broadcast of this webcast in the European time zone. The webcast will be followed by live Q&A. Matt Berzinski, Product Manager for Oracle ESSO Suite will be on air to answer all of your ESSO and Identity Management questions. 

Join us on this webcast to find out how Oracle ESSO Suite Plus can deliver quick wins for your organization. Register here for this webcast.

Rapid ROI with Oracle Enterprise Single Sign-On Suite

We live in interesting economic times. The housing market has been in a slump for several years now. If you are going to invest in a property today purely for rental purposes, then most likely you will look at how quickly you can break even. I recently read somewhere that the historical price to rent ratio for most housing markets in the continental states is around 15. The price to rent ratio is the price paid for a property divided by the annual rent on the property. So in other words, it takes about 15 years on a historical average basis to break even on an investment in rental property. That’s a long time I would say, don’t you agree?

However, our Oracle Identity Management solutions are designed to offer extremely quick Return on Investment (ROI) to our customers. Let’s take the example of Oracle Enterprise Single Sign-On (ESSO) Suite Plus. Oracle ESSO overcomes the huge burden of productivity losses and helpdesk costs incurred from forgotten passwords. In addition to that, we offer one more compelling reason for our customers to invest in Oracle ESSO. That is its rapid ROI.

Let’s take the example of an organization with about 7000 users where strong password policies are enforced. In many organizations, users are required to change their application passwords frequently (about once a quarter is not uncommon). An average helpdesk call associated with a password reset can cost $40. If such an organization deploys Oracle ESSO, they can eliminate their password headaches and overcome productivity losses that forgotten passwords can inflict. In addition to all that, Oracle ESSO delivers an ROI of 140% within the first 12 months of deployment. In other words, the organization can recover their investment and save additionally within the first year. And within the first five years, Oracle ESSO can save nearly $5 million in costs. Now that’s a very compelling investment.

You can find the Oracle Enterprise Single Sign-On ROI calculator here.

You can download a copy of the Enterprise Single Sign-On Buyer’s Guide here.

Join us on our live webcast Oct 19th to find out how Oracle ESSO Suite Plus can deliver quick wins for your organization. Register here for this webcast.


