Monday Apr 14, 2014

Follow up Identity Management 11g R2 PS2

If you joined our webcast on Thursday, thanks for tuning in.  Below is a link to the on-demand webcast and we have captured the Q & A from the session in-line.

On demand  Webcast: Click Here

Question: For the customers in the process of moving to cloud and mobile space, is PS2 the right version (whether access or Identity) to be on? : Answer: Absolutely. Particularly for Access with full OAUTH2 support.

Question:Has Consumer and Customer identity requirments for Retail been met full user experience and Admin/provisioning, federated access and delegated admin implemented? any large retail account or case study for the implementation available for sharing? Answer: Yes, we have several retail customers who have implemented unified, enterprise wide identity management to help grow their business (via customer loyalty apps and programs) and streamline/secure their business with complete Identity Governance and life cycle management. Click here to see customer examples:

Question:any large AppStore implementation and Global roll out? Answer: For the Oracle Mobile Security Suite we have some very large Fortune 5 customers with global rollouts including oil & gas, retail and banking.

Question: Can you elaborate on how security concerns were addressed about the form fill technology? Answer:The form fill technology in the Access Portal Service is built on Oracle ESSO Infrastructure. It leverages the same ESSO repository to store credentials and application configuration. It is compatible with the same business logic flows that exist in native ESSO . It fully supports bi-directional crypto between Java and CAPI code. The asymmetric key supports RSA and translation of PK pairs to/from MS PK & Java. The symmetric key support includes AES256 and TripleDES (for compat/upgrade). It fully supports encryption/decryption for ESSO Credentials in Java (compatible with CAPI). The Hashing / MessageDigest supports SHA1 and SHA 256 that is compatible with Java and CAPI

Question:Question from my Tweet - Will the new Access mgmt platform support SAML, OAuth as the standard instead of ObSSO token? Answer:We already support SAML and have now introduced support as an OAuth 2.0 server in PS2 while ensuring that these technologies work seamlessly in conjunction with session management and secure single sign on using OAM 11g technology.

Question:How do we provision deprovision users for Cloud Apps? Answer:We will provide auto provisioning of applications by allowing association to applications directly from the OAM console. Today auto provisioning is only possible using the Enterprise Single Sign-On provisioning gateway.

Question:  Is the Blitzer application available as part of the Oracle Access Manager product? Answer: The Bitzer technology is available in the Oracle Mobile Security Suite

Question: Does OAP provides support for Legacy application (Thick client) (Mainframe apps)? Answer: Access Portal - at this time - is for web-based applications only

Question:Does Cloud Security Portal works with OAM 10G version? Answer: Access Portal is an OAM 11gR2 PS2 service

Question: how do you compare Oracle PS2 with REST APU based security appliance like layer 7 etc? Answer: The Oracle API Gateway (OAG) component provides REST API security in the same way. This is already available and is widely deployed by our customer base -- particularly for their consumer and mobile facing applications.

Question: What are licenses needed for Automated Suite Installation for IDM which was spoken about ? Answer: The automated installation requires only licenses for the software that you are installing. There's not a separate license for the automation.

Question: Do you have PII, PCI compliance patterns implemented for SaaS eCommerce Apps globally? Answer: May need more info to answer this - but if Oracle accepts credit cards for any of its service then obviously it will need to follow PCI etc. Here is a link to a paper on how we align with PCI controls with IDM

Question: Do you see a push in the federal marketplace to implement the Oracle soft token approach to security or is the marketplace still leveraging traditional 2 factor and mobile technologies are lagging behind? Answer: We see a push across all verticals to use the soft token approach 

Question: As OMSS and IDM Suite come separately (2 different product suites) , then how exactly these get wired to achieve SSO. How difficult it is to wire it? Answer: These suites are separate from a licensing perspective  but utilize the same underlying platform.

Thursday Apr 10, 2014

Securing The Identity of Everything

Securing the Identity of Everything

Along with tremendous economic change, the Internet of Things (IoT) will transform the way IT organizations think about security. Instead of focusing on securing the network perimeter, IT departments will have to secure the new perimeter: people, data and devices. The new point of control will be user access to devices, data and applications. Each device will have an identity on the network, and companies will face the challenge of device tracking, registration and fraud detection. In this session, Ranjan Jain will discuss his current effort to manage the "Identity of Everything" and share how organizations can unlock the potential of this approach. Register now.

Ranjan Jain, IT Architect for Enterprise Identity and Access Management, Cisco 

Naresh Persaud, Senior Director, Product Marketing and Market Development, Oracle


Wednesday Apr 09, 2014

Webcast: Announcing The Oracle Mobile Security Suite



Oracle IDM 11gR2 PS2: Cloud and Mobile Strategy Update Webcast

As cloud applications and personal mobile devices continue to drive new business models, new security challenges for IT teams are on the rise. Oracle recently announced the availability of its latest Oracle Identity Management 11gRelease 2 PS2—which is heavily focused on securing the extended enterprise. 

This live webcast will provide you with an overview of key themes in Oracle Identity Management 11g Release 2 PS2, and cover salient aspects of the release’s cloud and mobile security strategy. You’ll also see a demonstration of the new cloud access portal and mobile security suite. The Twitter feed #OracleIDMPS2 can be used for questions during the live Q&A session at the end of the presentation.

Attend this webcast to:

  • Hear about the latest updates in Oracle Identity Management 11g Release 2 PS2 including new, strong authentication and installation automation features
  • See how Oracle is taking an application-focused approach to mobile security
  • Learn how you can secure your cloud applications with enterprise identity management

Register now to attend this important webcast. Tweet your questions using hashtag #OracleIDMPS2

April 10, 2014 – 10:00 am PST





<image008.gif>
Copyright © 2013, Oracle and/or its affiliates. 
All rights reserved.


Friday Dec 13, 2013

Passing the Puck to the CTO - BeachBody's Miracle Moment of Identity

BeachBody CTO, Arnaud Robert, was prepared for competitive business at an early age.  Showing success on the ice as a captain of his hockey team, taught Arnaud that there are many similarities between the game of hockey, in particular, the position of team captain, and that of today's CTO.  As Arnaud points out, today's CTOs must remain very nimble and capable of acting much like that of a team captain.  Regardless if we are talking pucks and tasks, periods and quarters or games and projects, the methodologies in managing has given Arnaud a focus with the BeachBody business that he has used to expand the BeachBody enterprise in the areas of Identity Management and Mobile Enablement.

Take a moment to watch this great video from Arnaud and see if you and your CTO can relate to the hockey challenges, and how you are responding in the areas of Identity.


Sunday Nov 24, 2013

Securing The Citizen Experience

Governments have often been the slowest to adopt new technologies - not any more. This video from the UK government's digital services strategy shares a vision for citizen services that will inspire. This phenomenon is not isolated to the United Kingdom. Across the world citizens are paying more in taxes and demanding better services. All of this is changing the way governments are thinking about security. The new experience is cross channel: mobile, social and online. If we are lucky we may never have to go back to the department of motor vehicles again.

The Pressure to transform:

Sunday Nov 03, 2013

Patients are Running out of Patience

Healthcare is in a dramatic state of change globally and the change is being driven by patients. Patients are no longer content to wait in line, endure appointment delays and stay on hold waiting for a health insurance representative. Instead, patients are demanding on-line access to physicians, joining communities with fellow patients, scheduling appointments online and resolving claims issues over email. 

To accomodate the demand for patient connectivity, providers are innovating to find new ways to collaborate with patients. To address the demand, providers are providing 24/7 access online and pioneering ways to deliver care via mobile devices -  for example using your iPhone as a heart monitor. Patient vitals can be collected before the patient even walks into the clinic. 

These new approaches promise to enhance the patient experience and reduce the cost of care. Time is money both for the patient and the provider. For insurance companies, all of this is  welcome news because it reduces un-necessary time with the physician which reduces the number of claims.  Oracle is focused on enabling and securing the experience. The video below shares the Oracle healthcare transformation story.

asas

Tuesday Oct 22, 2013

Enjoy Cloud Odyssey The Oracle Movie

If you attended Open World you may have seen the promotions for a new movie produced by Oracle. The movie is called Cloud Odyssey and it chronicles the journey of a hero to the cloud. The movie is an animated sci-fi adventure. This movie will be played at Oracle events around the world so you may soon get an invite to attend. Interesting approach to telling the cloud story. For many IT organizations, the journey to the cloud is a major initiative for end users. I am sure Homer would be proud. In fact perhaps if it is successful, I am hopeful we may see a cloud Iliad. 

Below, I have embedded a trailer to the movie for your viewing pleasure. While it clearly is not the next Iron Man, it is intriguing. Hope you enjoy. 

Monday Oct 14, 2013

CSO Summit Open World

If you attended Open World, you were present for a historic occasion, not only was this the largest Open World, but the Oracle team also won the America's cup against incredible odds. There are a few lessons we can apply to security. Security, like the America's Cup race, is about latency. Since 2007 the boat speeds have gone from 14 mph to 50 mph with greater control and roughly the same number of crew on-board.

Without the technology on-board providing control, these boats would be very difficult to pilot. The mast of the AC72 is as high as a three story building. Yet, despite the large size, these boats almost fly over the water.  Today many businesses face the same challenge, they must grow while maintaining the same level of governance. Security allows companies to accelerate with confidence.

The theme for the CSO Summit was "accelerating with confidence".  With over 18 countries represented across 12 vertical markets, it was truly a world class audience.  Instead of an exclusively security audience, this year the executives came from many lines of business. This reinforces the trend that companies are starting to progressively align security to new business initiatives. For a survey on companies using security as a business enabler see the PWC Global State of Information Survey

Wednesday Oct 09, 2013

Customer Experience and Trust

Every business is looking to take advantage of the new digital experience to connect with customers. This has become the new strategic imperative of companies all around the world. A recent article in the Sloan Management Review provides some insight into the barriers organizations are facing as they embrace the digital transformation.

For many customers, trust is an important barrier to engaging. Ease of use without security and trust is not enough to get customers to participate. For a more detailed analysis or bedtime reading on how the trust deficit reduces business activity, this Wall Street Journal Article on "How the trust deficit is hurting our economy" provides some good evidence. The net is that our level of economic activity is directly related to our level of trust in the institutions we do business with from banks to retail stores online. 

For many organizations, security and trust are the major barriers to enabling customer participation in the digital revolution.  The video below was recently created by the customer experience campaign to highlight how experience is critical to customer loyalty. 

Sunday Oct 06, 2013

Making Cars More Social: Redefining Identity Management

When you were 16, ( or perhaps still believe you are 16) your car was the enabler to your social life providing you with the freedom and means to explore. Today your car is a platform for your life transporting your family and providing transportation to and from work. The average commute time in the US one way is 25.4 minutes. If you are on the east coast or Washington DC that time is significantly greater. In Sao Paulo Brazil, the average commute time is 43 minutes. So if we assume 1 hour a day for 52 weeks a year we can spend more than 300+ hours in our cars. Most commuters are now using their cars as mobile offices and for social time to connect with colleagues, friends and family. As a baseline the average social media user can spend 6.9 hours per month on social media sites. If your car is social enabled, you can probably double your time on Facebook. 

It is not surprising that manufacturers of automobiles are taking advantage of the social revolution both as a means of providing better service to consumers and as a means of enabling consumers to connect and get more work done. The transformation is across the entire life-cyle of the automobile from innovation to consumer experience. This video provides an info-graphic of the transformation.

This new experience is redefining how we think about Identity Management and security. To connect your cars to the social network, the car needs and identity and each passenger needs an identity on the vehicles they drive. The car personalizes to each driver and becomes a platform for applications which means authorization and authentication across applications. All of this moves passenger and driver context into the foreground for automative designers. The graphic below the new requirements for security when we identity enable a car.

Tuesday Oct 01, 2013

The Identity of Everything - CSO Summit Open World

A recent Cisco report estimates by 2020 there will be more than 50 billion devices world wide while the human population will still be under 8 billion people. This short term trend will change the landscape of identity and access management and change the security requirements of enterprises everywhere. While today security executives are concerned with mobile phones and laptops, tomorrow they will be concerned about automobiles, aircraft and projectors on their networks. Each device is a new identity and each user that interacts with the device has a separate context. As a reference, see the paper Identity at Internet Scale Here are some of the new security requirements:

  • Multi-user devices 
  • Dynamic user volumes 
  • User authentication on the device
  • Service availability
  • Encryption of data at rest and in flight
  • Secure container on the device
  • Device authentication
  • User authentication 

The devices themselves will interact very differently since they must now communicate with other devices and humans. Here is a great youtube video that paints a very interesting and perplexing picture of the future.

From the video, a few interesting things happen.

  • The device communication is very personal and follows our social media conventions
  • The devices must trust the people involved in the interaction and people have to trust the devices 
  • The scale of the interaction grows geometrically as more devices and users collaborate

Here are the slides from the recent CSO Summit at Open World. Oracle's approach is a singular platform for all devices that manage device identity and user identity. 

Saturday Sep 14, 2013

CSO Summit Recordings

If you are attending Leaders Circle this year, be sure to catch the CSO Summit. This year will feature several customer case studies and a panel discussion featuring Mary Ann Davidson, Oracle's CSO and Chris Gavin, Oracle's VP of Information Security. Below are a few links to previous CSO Summit talks that you may find interesting.

CSO Summit Recorded Presentations:

Friday Sep 13, 2013

200 Million: Directory Deployment at Verizon CON4535

Verizon Wireless is one of the fastest growing mobile carriers in the world with a brand and reputation for quality of service. Serving more than 90 million users with more than 220 million entries, Verizon required a modern access and directory infrastructure to deliver a secure and user-friendly experience with high performance and availability. To grasp the dramatic scale that telecommunications organizations will have to address, the chart below shows how global data traffic has grown in the past five years with 100% growth between 2011 and 2012. 

They also needed risk-aware, social-ready access control that could adapt in real time to enhance security while improving usability; a high-performance directory capable of searches/modifications in 1 to 2 ms and additions in less than 10 ms, with the ability to quickly load hundreds of millions of entries to ensure performance; and a multi-master setup to deliver scalability and high availability.  The chart below provides a baseline for global smart phone subscription growth and highlights the pressure to gain new subscribers and share of market for Verizon and other telecommunications firms.

Attend this session to learn how Verizon Wireless leverages Oracle Access Management Suite and Oracle Unified Directory to provide exceptional services to its members. Register here 

Wednesday Sep 11, 2013

OOW Session: Who should Have Access to What , Risk = Hazard + Outrage

Risk = Hazard + Outrage. This was Peter Sandman's simple formula for executives to evaluate the risk and response to a potentially brand damaging event. With user access, the formula applies as well. If a trusted administrator gets access to the latest product specs and discloses the information to the public without consent, the hazard is financially high and the shareholder outrage is perhaps equivalently high. The net is directly equivalent to the risk of the event happening. 

So when we consider who should have access to what, different users constitute different risk.  A single administrator with root access may create a higher risk than the intern working in the mail room. The risk is directly related to the system and the data to which these individuals have access. Governing the data is directly related to how we govern the user access. 

If these topics interest you, You will want to catch Jim Taylor and Neil Gandhi at Open World in session "CON8810: Who Should have Access to What -- Better risk management with Identity Governance" . Complete list of sessions click here.

Wednesday Aug 14, 2013

Integrating Identity Management and GRC: Decreasing Risk Across Your Organization (Deloitte)

In this edition of the Oracle IDM blog, we’ll look at a case study for integrating Oracle Identity Manager (OIM) 11g with Oracle Governance, Risk, and Compliance (GRC) as part of an enterprise deployment and an integrated risk management strategy. We will incorporate specific use cases that leverage an integration of the two solutions to address risk and promote operational efficiency for routine tasks such as access requests and certification.  In addition to the primary focus between OIM and GRC, we will also highlight how Oracle E-Business Suites (EBS) roles are defined, synchronized, and provisioned using a combination of these two solutions providing an end-to-end integrated solution of the Oracle “suite.”

Abstract

When we think about Identity Management, we often relegate it to the IT Security or Infrastructure groups where it is traditionally used to address manual security and administration functions such as creating accounts, e.g., “hire and fire” scenarios, granting additional entitlements, and providing report-outs on information access for audit purposes. As identity systems improved their ability to manage the access they provisioned, it has become clear that there was a powerful relationship between IAM and GRC initiatives to better manager enterprise compliance in an integrated, less redundant fashion.

In many organizations today, GRC initiatives are often spread across multiple infrastructure silos and managed by different business units or IT groups. Tackling the constantly evolving regulatory requirements, coupled with increased business complexity, may present an uphill battle for a compliance department within the organization. Organizations are being asked not only to understand ever-changing global regulations, but also to create appropriate strategies in addressing their GRC needs.

Knowing who has access to what is not only important from a traditional security sense, but is important to financial controls groups being able to attest that financially significant systems have minimal risk through inappropriate access. By integrating Oracle’s GRC and Identity Management platforms and the associated processes, organizations can improve user lifecycle management, continuous monitoring and automated controls enforcement to assist with sustainable risk and compliance management. 

 
Figure 1 – Solution architecture

Solution Architecture

For a visual reference of the type of integration we are discussing, we have included an overview of how the systems can potentially interact.  In Figure 1, you will notice a typical Human Resource authoritative source system feeds OIM and OIM then provisions to target resources.  What’s different is the call-out to Oracle GRC to perform policy checks.

We won’t reference all of the GRC functionality available in this blog, but will focus on the segregation of duties (SoD) integration and relevant use case. [for detailed instructions on this integration, please see: http://docs.oracle.com/cd/E14899_01/doc.9102/e14763/segregation_duties.htm].    What’s interesting about this integration is OIM is able to leverage the information EBS and GRC already have about the roles that exist.  Using OIM scheduled tasks, we are able to synchronize those roles into OIM so that there is no need to manually build them in OIM.  Moreover, if the roles get end-dated in EBS, OIM reconciliation with EBS will end-date the roles and the related access for the users who have that role assigned with a goal of end-to-end compliance.  Both OIM and GRC offer a web services interface for performing common transactions.  More information about this can be found at http://docs.oracle.com/cd/E14507_01/apirefs.1112/e14133/using003.htm

Compliant User Provisioning

In our use case, we will explore how during an access request, a real-time validation can be performed against known SoD conflicts to determine if a role being requested has a conflict.  Through OIM’s Service-Oriented Architecture (SOA) workflow functionality, we can include an additional layer of approval if a conflict is presented.  A conflict is often unavoidable and, in many cases, requires a power user from the compliance organization to step in, review the request, and document a mitigating control before accepting.  In this example, we’ll show a request by a Payables Manager for an Invoice Entry EBS role.
 
As you can see in this process flow, there is cross-functional behavior between the OIM and GRC solutions to identify the SoD violation and apply a mitigating control if required.  Ultimately, OIM manages the provisioning of the role in the end system (EBS in this example) and, therefore, will be able to continually track that entitlement.

There are three take-a-ways from this use case.  With GRC and IAM integration, organizations can:

• Automate provisioning and de-provisioning of business application users, with appropriate authorization and compliance checks.
• Improve the management of enterprise accounts and efficiently produce reports such as “who has access to what.”
• Reduce the cost of compliance by removing the need for after the fact remediation.

In Conclusion

At Deloitte , we see the need to not only install and configure an IAM solution, but to work with our clients to get value out of an enterprise compliance approach.  Solutions can be leveraged in their individual capacity to achieve benefits for an organization, but when organizations leverage cross-platform synergies, such as the ones that Oracle has intentionally created within their OIM and GRC solutions, the sum can become greater than the parts.  An integrated approach to an organization’s IAM and GRC programs can assist in reducing costs and redundancies, and improving value to the organization.

About the Author

Kevin Urbanowicz is a Manager in Deloitte & Touche LLP’s Security & Privacy practice with eight years of experience in information technology with a focus on Identity & Access Management (IAM).  He has served primarily in the Oil & Gas sector where he has helped his clients identify the business drivers and build the business case for establishing world-class IAM solutions that maximize IT efficiency and minimize security and compliance risk. 

Wednesday Jul 17, 2013

Registration now open! - Managing the Healthcare IT Transformation “On the Go and In the Cloud”

Mobility, cloud-based services, healthcare reform, meaningful use, health information exchange and continued changes in privacy and security regulations has each had a profound effect on healthcare IT.  To support this transformation, it is vital that an organization effectively manages how its users are able access and use information.   Unfortunately, to date, many organizations have failed to develop the necessary foundational infrastructure.  UPMC, through its subsidiary CloudConnect Health IT, has developed a solution called CloudIdentity, which provides healthcare specific identity management capabilities that are based on Oracle technology and delivered securely via the cloud.  Join John Houston Vice President of Privacy and Information Security, Associate Counsel at UPMC & President of CloudConnect Health IT for this informative webcast, as he discusses the healthcare transformation and how healthcare organizations can securely unlock the potential of healthcare IT. Click HERE to register for this webcast, scheduled for August 20th.

Tuesday Jul 16, 2013

The Art of the Possible: Real Life Case Study in Oracle IAM 11gR2 Performance Tuning by Alex Bolante (Accenture)

In our last post, we walked through a handful of practical tips and tricks to fine tune your Oracle Identity Management 11gR2 deployment.  This week we look at a real life case study, focused on Oracle Directory Services, where we applied our pragmatic approach and solutions.

Case study: a multinational financial services corporation.  With presence in over 200 countries, this financial services company enables consumers, businesses, financial institutions and governments to use digital currency instead of cash and checks through one of the world’s most advanced processing networks, capable of handling more than 20,000 transactions per second.  Like many legacy customers, the company sought Accenture’s help to strategically plan, design and upgrade to an improved version of Oracle Directory Services that provided:

• Improved directory services performance
• Multi-user topology support
• Enhanced replication
• Increased security

The implementation comprised of approximately 50 servers located across multiple, geographically distributed data centers supporting over 100 applications and more than 250,000 users – included financial institutions, payment product processors and others doing business with this financial services company. 

Environment design specification

Our environment design specification was initially developed to support legacy applications, but given a new set of business and technical requirements, we needed to modify and scale the solution to support future business services with enough capacity to grow up to 40% year over year.  Key performance requirements included:

• Optimized for reads, writes and replication across data centers located across the globe
• Performs 1000 operations per second
• Supports response time of 0.05 milliseconds for single user id searches
• Supports response time of 0.15 milliseconds for single user attribute writes
• Supports 200 concurrent searches
• Supports growth rate of 10,000 objects per month over the next 5 years
• Provides real time password replication using prioritization

Modifying and scaling the solution:
Our process for modifying and scaling the solution included  engaging Oracle product managers and engineers directly to validate our hardware configuration.

Product: Oracle Directory Services
Operating System: 64-bit Solaris 10 Update 10 or higher
Hardware: SPARC T-series
Memory: 64 GB
Disk Space: 270 GB
Swap Space: 15 GB
Tmp Space: 10 GB
File Descriptor Limit: 8192
Replication Topology: Multi-master with no restrictions on the number of masters

We made several recommended configuration changes and tuned the Operating System, Database Cache, Entry Cache, Import Cache, File System Cache and Indexes. 

Disable schema check for fast replication
$dsconfpath/dsconf set-server-prop -p portNum check-schema-enabled:off

Set DB cache size to 1000M
$dsconfpath/dsconf set-server-prop -p portNum db-cache-size:1000M

Set entry cache size to 1000M
$dsconfpath/dsconf set-suffix-prop -p portNum suffixDN entry-cache-size:1000M

Import-cache-size
$dsconfpath/dsconf set-server-prop -p portNum import-cache-size:200M

Set all-ids-threshold
$dsconfpath/dsconf set-server-prop -p portNum all-ids-threshold:8000

Set repl-purge-delay to 1 days
$dsconfpath/dsconf set-server-prop -p portNum repl-purge-delay:1d

Change log path
dsconf set-log-prop -p portNum ACCESS path:/var/ldaplogs/access
dsconf set-log-prop -p portNum AUDIT path:/var/ldaplogs/audit
dsconf set-log-prop -p portNum ERROR path:/var/ldaplogs/error

Enable Audit log
dscond f set-log-prop -p portNum AUDIT enabled:on

The outcome:

After we applied our performance tunings, we performed our tests in production-like environments, verified and documented our results, profiled and monitored our solution, tweaked and tuned our environment and cycled through this step-by-step process until we were satisfied that we had met all requirements.  We shared the results with our Oracle peers to validate – including our testing approach which included search rates and modification rates based on 100 users and 200 users connecting concurrently – and the numbers were right on point with our expectations from the Directory Services upgrade.


How can you apply this to your environment? 

Step 1:
Talk to Oracle Product Management, Development and Engineering directly
,get them involved in your project as early as possible and keep them engaged throughout your project.  It helps to have knowledgeable subject matter experts who can bring your implementation up to par with leading implementations.  Some guidelines for checkpoints include:

Checkpoint 1: Before statement of work (SOW) is signed:
• Is the SOW clearly defined?
• Is the described product functionality feasible?
• Are measurable and achievable success criteria defined?

Checkpoint 2: Before requirements, architecture and project plan are delivered:
• Can the product fulfill the defined requirements?
• Is the architecture and solution design sound and scalable?
• Is the customer's environment ready?

Checkpoint 3: Before the design is delivered:
• Is the design technically sound?
• Can the design be implemented, migrated and supported?
• Are the test plans and approach reasonable?

Step 2:
Define specific, measurable objectives for performance tunings based on your requirements.
  To start with, you can use Accenture’s predefined set of key attributes for developing “good” requirements that are measurable.

• Necessary – an important capability or element of a solution which cannot be compensated for if absent
• Understandable – stated in a context which conveys the essence of what is needed
• Complete – stated in a standalone context which does not rely upon supplemental and/or assumed definitions
• Consistent – does not contradict by context or terminology nor is contradicted by other statements (e.g. is not mutually exclusive)
• Unambiguous – cannot have more than one interpretation
• Attainable – a capability which can be implemented within the constraints of available resources and technology (e.g. product, cost, schedule)
• Verifiable – can establish that the statement has been satisfied through specific measurements, test, demonstration, inspection, and/or analysis

Step 3:
Determine how you plan to implement performance tunings.
There is more than one way to skin a cat.  In addition to the tuning configuration changes made to the environment, you also have to consider hardware sizing and configurations, middleware technologies, application and data samples used for testing and how you measure/analyze results.  For example, hardware sizing guides are meant to provide you with a baseline for your deployment, but they are not exact specifications for your Oracle Identity & Access Management deployment. 

The same applies for a vendor certification matrix – while Oracle’s Identity & Access Management product might be certified or supported on another vendor’s middleware or platform stack, that does not automatically imply it is the ‘optimal’ configuration for your deployment.  Most organizations already have infrastructure standards (e.g. we use WebSphere Application Server for our J2EE apps), but you need to carefully consider that your Oracle Identity & Access Management deployment may be harder to tweak and tune if implemented on top of multiple vendor stacks.  In fact, the more unique your configuration design is, the more challenging it will be to support and the less likely your deployment will be up to par with common practices.

Step 4:
Apply your performance tunings, perform your tests, verify and document your results, profile and monitor your solution, tweak and tune it – wash, rinse and repeat.
  Consider the testing tools you will use to conduct your performance tests and their limitations.  We used both SLAMD and HP LoadRunner for our Directory Services deployment.  SLAMD had resource limitations on the number of connections and threads we could test, especially if it was not running off a dedicated server.  HP LoadRunner had a limitation with testing multiple attribute updates until we applied a hot fix that the vendor eventually provided.

Also, most deployments are two- to three-tier architectures, so you have to tune the database/directory server, middleware/application server, web servers and every component in between each tier (e.g. load balancers for SSL acceleration).  In fact, each tier requires its own performance tuning, pruning, cleaning, care, feeding and regular maintenance.  At its core, there are several performance bottlenecks to consider:

• Start with your server or system resources (e.g. over clocked CPU, maxed out memory, resource contention, insufficient space)
• Tune your way up from data tier to application/web tier (e.g. database/directory servers typically require specific optimizer tunings, predefined indexes and table pruning while application servers typically require proper JVM heap size allocation, connection pooling and message queue thresholds)

Step 5:
Share your experiences with the Oracle Security community at large.
  By now, your Oracle Identity & Access Management solution should be designed to support not only your legacy applications, but also scaled to support future business services!

Stay tuned for our next post on No Where to go but up: Extending the benefits of accelerated IAM to enable new solutions and features where we highlight interesting trends in Security and Identity & Access Management.

References:
Oracle Directory Services: Overview
http://www.oracle.com/us/products/middleware/identity-management/directory-services/resources/index.html

Oracle Directory Services: Discussion Forums https://forums.oracle.com/community/developer/english/fusion_middleware/identity_management/oracle_directory_server_enterprise_edition_sun_dsee/content?start=0

Thursday Jul 11, 2013

NEC Australia hosts Part 2: Identity Governance Key Insights

NEC Australia is back with Part 2, in their two part series with key leaders from the Oracle Identity Management product team. Host Larry Samuels of NEC Australia takes us into the topic area of "Identity Governance Key Insights".  This includes key information on point-in-time audits and their use as a baseline, as well as steps your organization can take to minimize your risk by better understanding the complexity of your identity enviroment.  To view this video, click HERE

 

Wednesday Jul 10, 2013

NEC Australia hosts video Roundtable on "Key Trends in Identity Management" (Part 1)

Join NEC Australia as they host a Roundtable discussion with key members from Oracle, to discuss the Key Identity Management Trends. Host Larry Samuels of NEC Australia leads this conversation with experts in the field of Identity Management to discuss how the landscape is changing and evolving to encompass the new demands of Cloud, Mobile and regulatory compliance.  With him are Amit Jasuja, Sr Vice President of Identity Management at Oracle Corporation, to help us navigate the ever changing demands of IT, and how partners like NEC are working with Oracle to meet those demands. To view Part 1 of this video, click HERE

Tuesday Jul 02, 2013

Taking the training wheels off: Accelerating the Business with Oracle IAM by Brian Mozinski (Accenture)

Today, technical requirements for IAM are evolving rapidly, and the bar is continuously raised for high performance IAM solutions as organizations look to roll out high volume use cases on the back of legacy systems.  Existing solutions were often designed and architected to support offline transactions and manual processes, and the business owners today demand globally scalable infrastructure to support the growth their business cases are expected to deliver.

To help IAM practitioners address these challenges and make their organizations and themselves more successful, this series we will outline the:

• Taking the training wheels off: Accelerating the Business with Oracle IAM
The explosive growth in expectations for IAM infrastructure, and the business cases they support to gain investment in new security programs.

• "Necessity is the mother of invention": Technical solutions developed in the field
Well proven tricks of the trade, used by IAM guru’s to maximize your solution while addressing the requirements of global organizations.

• The Art & Science of Performance Tuning of Oracle IAM 11gR2
Real world examples of performance tuning with Oracle IAM

• No Where to go but up: Extending the benefits of accelerated IAM
Anything is possible, compelling new solutions organizations are unlocking with accelerated Oracle IAM

Let’s get started … by talking about the changing dynamics driving these discussions.

Big Companies are getting bigger everyday, and increasingly organizations operate across state lines, multiple times zones, and in many countries or continents at the same time.  No longer is midnight to 6am a safe time to take down the system for upgrades, to run recon’s and import or update user accounts and attributes.  Further IT organizations are operating as shared services with SLA’s similar to telephone carrier levels expected by their “clients”.  Workers are moved in and out of roles on a weekly, daily, or even hourly rate and IAM is expected to support those rapid changes.  End users registering for services during business hours in Singapore are expected their access to be green-lighted in custom apps hosted in Portugal within the hour.  Many of the expectations of asynchronous systems and batched updates are not adequate and the number and types of users is growing.

When organizations acted more like independent teams at functional or geographic levels it was manageable to have processes that relied on a handful of people who knew how to make things work …. Knew how to get you access to the key systems to get your job done.  Today everyone is expected to do more with less, the finance administrator previously supporting their local Atlanta sales office might now be asked to help close the books for the Johannesburg team, and access certification process once completed monthly by Joan on the 3rd floor is now done by a shared pool of resources in Sao Paulo.  

Fragmented processes that rely on institutional knowledge to get access to systems and get work done quickly break down in these scenarios.  Highly robust processes that have automated workflows for connected or disconnected systems give organizations the dynamic flexibility to share work across these lines and cut costs or increase productivity.

As the IT industry computing paradigms continue to change with the passing of time, and as mature or proven approaches become clear, it is normal for organizations to adjust accordingly. Businesses must manage identity in an increasingly hybrid world in which legacy on-premises IAM infrastructures are extended or replaced to support more and more interconnected and interdependent services to a wider range of users. The old legacy IAM implementation models we had relied on to manage identities no longer apply.

End users expect to self-request access to services from their tablet, get supervisor approval over mobile devices and email, and launch the application even if is hosted on the cloud, or run by a partner, vendor, or service provider.

While user expectations are higher, they are also simpler … logging into custom desktop apps to request approvals, or going through email or paper based processes for certification is unacceptable.  Users expect security to operate within the paradigm of the application … i.e. feel like the application they are using.

Citizen and customer facing applications have evolved from every where, with custom applications, 3rd party tools, and merging in from acquired entities or 3rd party OEM’s resold to expand your portfolio of services.  These all have their own user stores, authentication models, user lifecycles, session management, etc.  Often the designers/developers are no longer accessible and the documentation is limited.  Bringing together underlying directories to scale for growth, and improve user experience is critical for revenue … but also for operations.

Job functions are more dynamic.... take the Olympics for example.  Endless organizations from corporations broadcasting, endorsing, or marketing through the event … to non-profit athletic foundations and public/government entities for athletes and public safety, all operate simultaneously on the world stage.  Each organization needs to spin up short-term teams, often dealing with proprietary information from hot ads to racing strategies or security plans.  IAM is expected to enable team’s to spin up, enable new applications, protect privacy, and secure critical infrastructure.  Then it needs to be disabled just as quickly as users go back to their previous responsibilities.

On a more technical level …
Optimized system directory; tuning guidelines and parameters are needed by businesses today. Business’s need to be making the right choices (virtual directories) and considerations via choosing the correct architectural patterns (virtual, direct, replicated, and tuning), challenge is that business need to assess and chose the correct architectural patters (centralized, virtualized, and distributed)

Today's Business organizations have very complex heterogeneous enterprises that contain diverse and multifaceted information. With today's ever changing global landscape, the strategic end goal in challenging times for business is business agility. The business of identity management requires enterprise's to be more agile and more responsive than ever before. The continued proliferation of networking devices (PC, tablet, PDA's, notebooks, etc.) has caused the number of devices and users to be granted access to these devices to grow exponentially. Business needs to deploy an IAM system that can account for the demands for authentication and authorizations to these devices.

Increased innovation is forcing business and organizations to centralize their identity management services. Access management needs to handle traditional web based access as well as handle new innovations around mobile, as well as address insufficient governance processes which can lead to rouge identity accounts, which can then become a source of vulnerabilities within a business’s identity platform. Risk based decisions are providing challenges to business, for an adaptive risk model to make proper access decisions via standard Web single sign on for internal and external customers,. Organizations have to move beyond simple login and passwords to address trusted relationship questions such as: Is this a trusted customer, client, or citizen? Is this a trusted employee, vendor, or partner? Is this a trusted device?

Without a solid technological foundation, organizational performance, collaboration, constituent services, or any other organizational processes will languish. A Single server location presents not only network concerns for distributed user base, but identity challenges. The network risks are centered on latency of the long trip that the traffic has to take. Other risks are a performance around availability and if the single identity server is lost, all access is lost.

As you can see, there are many reasons why performance tuning IAM will have a substantial impact on the success of your organization.  In our next installment in the series we roll up our sleeves and get into detailed tuning techniques used everyday by thought leaders in the field implementing Oracle Identity & Access Management Solutions.

Wednesday Jun 26, 2013

Taking the Plunge - or Dipping Your Toe - into the Fluffy IAM Cloud by Paul Dhanjal (Simeio Solutions)

In our last three posts, we’ve examined the revolution that’s occurring today in identity and access management (IAM). We looked at the business drivers behind the growth of cloud-based IAM, the shortcomings of the old, last-century IAM models, and the new opportunities that federation, identity hubs and other new cloud capabilities can provide by changing the way you interact with everyone who does business with you.

In this, our final post in the series, we’ll cover the key things you, the enterprise architect, should keep in mind when considering moving IAM to the cloud.

Invariably, what starts the consideration process is a burning business need: a compliance requirement, security vulnerability or belt-tightening edict. Many on the business side view IAM as the “silver bullet” – and for good reason. You can almost always devise a solution using some aspect of IAM.

The most critical question to ask first when using IAM to address the business need is, simply: is my solution complete? Typically, “business” is not focused on the big picture. Understandably, they’re focused instead on the need at hand: Can we be HIPAA compliant in 6 months? Can we tighten our new hire, employee transfer and termination processes? What can we do to prevent another password breach? Can we reduce our service center costs by the end of next quarter?

The business may not be focused on the complete set of services offered by IAM but rather a single aspect or two. But it is the job – indeed the duty – of the enterprise architect to ensure that all aspects are being met. It’s like remodeling a house but failing to consider the impact on the foundation, the furnace or the zoning or setback requirements. While the homeowners may not be thinking of such things, the architect, of course, must.

At Simeio Solutions, the way we ensure that all aspects are being taken into account – to expose any gaps or weaknesses – is to assess our client’s IAM capabilities against a five-step maturity model ranging from “ad hoc” to “optimized.” The model we use is similar to Capability Maturity Model Integration (CMMI) developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. It’s based upon some simple criteria, which can provide a visual representation of how well our clients fair when evaluated against four core categories:

·         Program Governance

·         Access Management (e.g., Single Sign-On)

·         Identity and Access Governance (e.g., Identity Intelligence)

·         Enterprise Security (e.g., DLP and SIEM)

Often our clients believe they have a solution with all the bases covered, but the model exposes the gaps or weaknesses. The gaps are ideal opportunities for the cloud to enter into the conversation.

The complete process is straightforward:

1.    Look at the big picture, not just the immediate need – what is our roadmap and how does this solution fit?

2.    Determine where you stand with respect to the four core areas – what are the gaps?

3.    Decide how to cover the gaps – what role can the cloud play?

Returning to our home remodeling analogy, at some point, if gaps or weaknesses are discovered when evaluating the complete impact of the proposed remodel – if the existing foundation wouldn’t support the new addition, for example – the owners need to decide if it’s time to move to a new house instead of trying to remodel the old one.

However, with IAM it’s not an either-or proposition – i.e., either move to the cloud or fix the existing infrastructure. It’s possible to use new cloud technologies just to cover the gaps.

Many of our clients start their migration to the cloud this way, dipping in their toe instead of taking the plunge all at once. Because our cloud services offering is based on the Oracle Identity and Access Management Suite, we can offer a tremendous amount of flexibility in this regard. The Oracle platform is not a collection of point solutions, but rather a complete, integrated, best-of-breed suite. Yet it’s not an all-or-nothing proposition. You can choose just the features and capabilities you need using a pay-as-you-go model, incrementally turning on and off services as needed. Better still, all the other capabilities are there, at the ready, whenever you need them.

Spooling up these cloud-only services takes just a fraction of the time it would take a typical organization to deploy internally. SLAs in the cloud may be higher than on premise, too. And by using a suite of software that’s complete and integrated, you can dramatically lower cost and complexity.

If your in-house solution cannot be migrated to the cloud, you might consider using hardware appliances such as Simeio’s Cloud Interceptor to extend your enterprise out into the network. You might also consider using Expert Managed Services. Cost is usually the key factor – not just development costs but also operational sustainment costs. Talent or resourcing issues often come into play when thinking about sustaining a program. Expert Managed Services such as those we offer at Simeio can address those concerns head on.

In a cloud offering, identity and access services lend to the new paradigms described in my previous posts. Most importantly, it allows us all to focus on what we're meant to do – provide value, lower costs and increase security to our respective organizations. It’s that magic “silver bullet” that business knew you had all along.

If you’d like to talk more, you can find us at simeiosolutions.com.

Tuesday Jun 11, 2013

Achieving "Zero-Touch" Password Management by Steve Knott (aurionPro SENA)

Traditionally when a user is on-boarded into an organisation they are given a desktop password along with a whole host of other passwords to access the required business applications to enable them to do their job. Inevitably there will be numerous associated company information security policies that dictate that passwords should not be written down or shared with colleagues etc.

Trying to remember numerous passwords can be onerous on the end user at the best of times and can lead to a plethora of password sins committed by the end user. Whilst we can deploy some SSO technologies to relieve password fatigue, the on-boarding provisioning process often means that the user needs to know their passwords at some point – or do they?

I recently worked on a project at a leading engineering company who were in the process of deploying a large new ERP system. The end users were highly skilled engineers focusing on cutting edge technology but password security was not high on their list of priorities. Traditionally within the organisation, credentials for new applications were sent by email and sometimes they were communicated over the phone. Inevitably these were written down in text files and diaries or passwords were changed to be the same “pet’s name” type password for multiple applications.

This was a huge concern for the Chief Architect who wanted to remove end user password management and provide “zero touch” credential provisioning for the new ERP applications. He also wanted to satisfy auditing and compliance requirements by enforcing complex passwords whilst preventing unauthorised credential sharing. All this needed to be achieved without inconveniencing the users.

We discussed the tried and tested approach of using of a full blown identity management solution.  However, his response to this was that although wider identity management was on their long term roadmap, he had a hard deadline to deliver the ERP system within three months and with limited resources. With traditional user provisioning ‘out the window’ we had to come up with another approach.  Everyone would be using the new ERP system for their timesheets on the same day, and with any business impact due to unavailability therefore being potentially very significant, the customer couldn’t afford to have issues related to logging in.

One product that they already had licensed was the Oracle Enterprise Single Sign-on (ESSO) suite. Oracle ESSO is a well- known established product which provides single sign to any application at the desktop. Not so well known are the additional tools provided within the suite. One of these additional tools is Oracle ESSO Provisioning Gateway. Provisioning Gateway is a web based application that complements the other tools in the suite by enabling the provisioning of application credentials directly to the SSO agent without user interaction.

The Provisioning Gateway server exposes a web service interface that allows it to receive instructions submitted by any other provisioning server. Although Provisioning Gateway is more commonly deployed connected to an identity management system it does have command line interface (CLI) utilities supplied with the software. These utilities allow for scripted interactions with the Provision Gateway server including batch operations.

For this customer it was possible to export the user credential data out of the ERP system into a text-file format.  Then, armed only with the tools provided within the Oracle ESSO suite it was possible to script the provisioning of these user credentials in batches of 500-1000 to the Provisioning Gateway server. The server provisioned the credentials to the ESSO repository and the credentials were synchronised to the desktop SSO agent at user logon.

So far, so good.  At this stage, the users were still unaware that anything had happened.  The new ERP system wasn’t live yet, but in anticipation of its general release we now had each individual’s username and password ready to go in their SSO credential store – ready for first login.

For security reasons, the ERP system was configured to require a password change at first logon. Therefore, when the user launched the application for the first time on its launch date an application change password event was triggered. The Oracle ESSO agent was configured to recognise and respond to this change password event, automatically generating and inserting a new password leaving the user logged on with a new complex password. The end user did not know their password at any point of the on-boarding process or for subsequent logons.  Therefore the opportunity of sharing their logon details with colleagues was eliminated.  Furthermore, issues with the distribution of new passwords was avoided altogether.

The aurionPro SENA fast rollout template for Oracle ESSO enabled this customer to hit the implementation deadline of the ERP project and also address the security requirements of the organisation. ESSO Provisioning Gateway also has a management interface and this customer exploited this feature to allow the helpdesk team to apply the zero touch methodology to other applications.

As we discussed in the first blog (Putting the EASY into SSO) - Oracle ESSO provides more than just single sign-on to desktop applications.  Its use for zero-touch provisioning shows its versatility and that it can form a core part of an integrated identity and access management framework.  It’s not just a tactical tool for a single issue.  Stay tuned for next week’s blog in this series where we’ll be investigating the capabilities of Oracle ESSO still further.

Monday Jun 10, 2013

Embracing Mobility in the Workspace: Oracle API Gateway

Embracing Mobility in the Workspace using Oracle API Gateway

 

 

“In 2013, mobile devices will pass PCs to be most common Web access tools. By 2015, over 80% of handsets in mature markets will be smart phones.”

                                                                                                                                                                                                                       -Gartner Research

 

 

Across the globe, corporations are embracing the influx of mobility and the last five years have seen an expanding role of mobility in the workspace. Enterprises everywhere are coming up with innovative initiatives to support the mobility needs of personnel working for them. In addition, a variety of mobile applications and services are being offered to the workforce to make them more effective and efficient at work. Such applications and services unify different user populations within the organization, including internal workforce, partners, customers, and consumers, with the internal and external resources of the organization.

 

 

There are numerous reasons why enterprises are embracing mobility in the workspace and the chart below highlights the most important ones:

 

 

 

The devices used by the user populations are usually diverse in nature and leads to a fragmented and a disconnected landscape. As a result, IT architects and product managers of organizations are compelled to develop applications that can be ported to mobile devices of users. However, the deployed in-house applications aren’t capable of averting increasingly sophisticated identity thefts and data breaches of today.  Development and utilization of secured mobile applications is often the primary concern that bothers infrastructure & solution architects today.

 

Forrester Consulting commissioned a study on behalf of Cisco Systems in 2012 to gather information on top security concerns and compatibility issues that concern senior-level decision-makers. The chart below illustrates the results.

 

 

 

There are a lot of aspects that should be managed to effectively support mobile devices. They are:

 

·         Password and User management – Management of multiple passwords and user identities for each application

 

·         Device Management – Management of authentication and authorization of devices allowing users to access company resources securely. A high mobile device turnover by user population calls for re-registration of new devices and blacklisting/wiping-out of corporate information from older devices. Device management automates such processes in a structured manner

 

·         Application Access Management – Management of role-based access that is usually absent or is being managed locally in the application leading to unauthorized access to applications. And the local role management leads to redundant and expensive management of access to applications via roles

 

·         API Management – Management of central publishing, promoting, and monitoring of exposed APIs within a secure and scalable environment that is often missing. Many applications todays exposes web services which may not consumed by mobile devices as efficiently as possible.

 

Following section describes how the above-mentioned aspects are managed and how challenges and issues related to adoption of mobile devices are addressed by using Oracle API Gateway and a variety of other components of Oracle Access management stack.

 

·         User Management – The mentioned aspects and challenges are addressed by having a User Provisioning tool like Oracle Identity Manager (OIM). OIM streamlines user provisioning and de-provisioning, and other identity based lifecycle events in the organization. Along with that, users are also provisioned access to various target systems. Once the step of access provisioning is completed, Oracle Access Management (OAM) steps in for users who wish to access the target system by using single sign-on. The authentication can be done by binding to LDAP, but OAM brings additional advantages as it allows various policies and procedures to be defined and implemented for the users accessing target systems within the enterprise. Furthermore, access request to all resources on mobile devices are intercepted by Oracle API Gateway or OAG (deployed in DMZ) in order to enforce the policies that define the steps involved.  OAG gathers the necessary user, application, device, and network context data to enable authentication decisions and validates the gathered data using the Access Management tool as per the policies laid down.

 

However, this approach only performs user authentication and relies on Access Management tool to perform coarse grain authorization, and may not be sufficient for the detailed authorization rules defined within the application itself.

 

Please refer to the figure below for a better understanding.

 

 

 

·         Device Management – Mobile devices used by users are registered through Identity Manager as an asset and this information is provisioned to an LDAP, DB device, or an App registry. Also, Oracle API Gateway is used to perform device authentication by using the custom authentication logic it comes with. Once the device is authenticated, a device token is generated, and the same is used by mobile devices in subsequent interactions in order to fetch the desired information from the applications. This is a simple approach and can be employed to achieve the desired results in small work environments where functionalities like device profiling, blacklisting and whitelisting, knowledge based authentication, and device control is of less importance.

 

For work environments that are larger and more complex, and where the previously mentioned functionalities are important, Access Management component can be extended to include and deploy Oracle Adaptive Access Manager (OAAM) along with Mobile and Social Services components. By doing this, the desired Device Management functionality is implemented.

 

In other scenarios, device registration can also be delegated to OAAM components rather than registering it through Oracle Identity Manager against the user record. Here, mobile and social services components play a crucial role of mediating security tokens for mobile devices to access enterprise resources and cloud based applications.

 

Please refer to the figure below for a better understanding.

 

 

·         Application Access Management – The above two architectures explain how Oracle API Gateway (OAG) manages and performs user and device authentication. Oracle API gateway is Policy enforcement point for mobile devices in a similar way Web-Gates are policy enforcement for Oracle Access Management. However, the fine-grained authorization can’t be overlooked.

 

Classical approach of programming included embedding the authorization logic within the application itself, making the management and extension of application security cumbersome. And it can lead to failed audit and compliance objective requirements of certifying who has what access and at what level. This may not be acceptable in today’s world of increased scrutiny of applications and their access.

 

Fortunately, Oracle Entitlement Server (OES) comes to rescue and serves as a central policy decision/definition point where all applications can externalize authorization rules. When used with OAG, the authorization policies set by OES are enforced. In addition, the combo can also redact the data elements based on various roles of users accessing applications through mobile devices.

 

The figure below will be able to help you understand the concepts better.

 

 

 

·         API Management – Enterprises today have applications that expose web services primarily meant for either intranet use or exchanging information with business-partner applications. That paradigm has taken a major shift with the proliferation in on-boarding of mobile devices and the need to access the respective applications on these devices. Mobile devices may not be able to consume the exposed web-services as efficiently and thus, require enterprises to adopt strategies to either re-write or extend those web-services for such use-cases, or rely on Oracle API Gateway (OAG) features and functionalities.

 

OAG provides functionalities that shield these efforts and perform content transformation on the fly in order to make it adaptable for mobile device use. Oracle API Gateway provides controlled connection between APIs and applications that exposes them. OAG also allows access related metrics for any APIs managed by it. In a well laid-out architecture and implementation of OAG, enterprises can expose these services confidently with additional benefits such as Threat protection and XML Acceleration while having the same performance levels, and exceptional reporting and analytics capabilities across all services.

 

In all, mobile devices have evolved to better suit the needs of consumers but at the same time have traded of their security to ensure usability. These trade-offs increasingly contribute to security risks when such devices connect to the enterprise resources.

 

The security risks should be addressed in an effective manner to protect precious company resources and comply with increasingly strict regulations. Mobile Access management solution using Oracle API Gateway technology unifies enterprise resources and cloud-based resources across network boundaries to mobile devices. This solution assures enhanced security, regulatory compliance, improved governance, and increased productivity. 

 

Webinar

 

For more information on registration on our upcoming joint webinar with guest presenters Arun Mehta from AmerIndia, and Sid Mishra from Oracle Corporation, please go to  http://www.amerindia.net/webinars.php. Here you will be able to pre-register for this event, where we will discuss the changing face of mobile devices in today’s work environment and the risks associated with this upcoming trend. In addition, solutions available to address such risks will be described, while also highlighting solutions specific to different types of organization.

 

Author

 

 

Arun Mehta

Mobile Security Practice Leader

AmerIndia Technologies Inc.

 

Arun Mehta is Principal Solution Architect in Mobile Security, Security Solutions practice at AmerIndia Technologies Inc. In this role, Arun leads a team of specialist technical consultants and architects across North America focusing on Oracle's Security and Identity Management technology. Arun has been in the field of Security for over a decade and has experience across large and complex Identity Management projects in the North America region covering multiple industry verticals. More recently, he has been engaged on a number of projects including enterprise security platforms and mobile access management to help customers enable digital and business transformation initiatives.

  

 

 

AmerIndia Technologies Inc.

AmerIndia Technology Inc. is a full-service information security consulting firm and an Oracle Gold Partner. We specialize in security assessments, software security, mobile security, identity and access management, cloud identity management, API management, certification, regulatory compliance, and vulnerability management. AmerIndia serves clients throughout the United States.

 

Our expertise and client base spans all major verticals. Customers include Fortune 5000 companies in the financial, technology, healthcare, insurance, education and manufacturing sectors. Because of our wide range of experience and subject matter knowledge, major consulting firms also rely on AmerIndia as a trusted partner.

For more information, visit our website: www.amerindia.net

 

 

Wednesday Jun 05, 2013

The Cloud-based IAM Revolution by Paul Dhanjal (Simeio Blog Series - Ch1)

One of the most significant advancements in IT in the last few years has been the shift to cloud-based Identity and Access Management (IAM). While the word “revolution” is all-too-often used in IT, arguably it’s the right word to describe the transformation that the cloud brings to identity.

Over the next four weeks, we’ll delve into the details of this revolution, including a look at its impact on how you’ll do business, why change is needed, and what you’ll need to know to make the transition. Let’s get started by looking at the business drivers.

In just a few short years, cloud-based IAM has matured from simple portals offering single sign-on for a handful of Software-as-a-Service (SaaS) applications to sophisticated, comprehensive solutions that integrate seamlessly with virtually any directory service and application – on-premise, legacy or SaaS. They provide automated workflows for user access request submission and review, provisioning and attestation. They enable federation. And they simplify compliance with regulatory mandates.

The cloud model itself comes in a variety of flavors that provide enough flexibility to meet almost any organization’s needs, from public clouds that dramatically lower TCO through multi-tenancy to private clouds that can meet even the most stringent security and control requirements.

The drivers behind this revolution will be familiar to any CXO.

First, CXOs are facing increased pressure to reduce cost and complexity. They’re expected to follow the popular business school advice to “stick to the knitting”: focus exclusively on the core business and jettison everything else. IAM is squarely in the cross hairs, a tempting target for organizations looking to outsource services that don’t offer a clear and direct competitive advantage.

At the same time, IT is now expected to be a business enabler – to help grow the business, not just support it. This requires IT to be more flexible and nimble to meet ever-changing business demands, including the ability to quickly and easily provide employees, partners and customers with secure and role-appropriate access to a rapidly growing and evolving set of information, applications and other online resources.

User expectations, too, are rising rapidly. As users become accustomed to using more and more services online from filing their taxes to sharing their photos, they now expect the convenience of moving seamlessly between multiple services using a single set of credentials – their Facebook or Google accounts, for example.

Add to the mix the growing security, compliance and regulatory mandates tied to identity, and the challenge can seem insurmountable.

Thankfully, the cloud has offered us a clear path forward. The benefits are just as clear.

First, the cloud delivers on the promise of outsourcing: reducing capital strain and freeing the business to focus on its core competencies. It eliminates the large investment required to stand up an IAM infrastructure: the hardware costs, in many cases the software licenses, and all the configurations and integrations in between. It eliminates ongoing maintenance and upgrade costs, too.

Many cloud-based IAM solutions offer on-demand services with pay-as-you-go pricing – you get and pay for the capability when and only when you need it. They also significantly reduce operational costs so that companies have the benefit of automated IAM without the costs of implementing and maintaining an in-house IAM infrastructure.

In addition to the rise of secure and reliable ISO 27001 compliant data centers and complete, enterprise-ready solutions such as Oracle Cloud Computing, standards-based protocols have dramatically reduced the risk of making the leap to cloud-based IAM. As the saying goes, “the nice thing about standards is that there are so many to choose from.” While many of the first cloud-based IAM solutions seemed to add more to the list, today we’re seeing a real convergence toward a small set of widely adopted standards that have made implementation and integration remarkably easy, including REST-based APIs, OAuth, SAML and OpenID Connect.

While some dive in headlong, many dip their toe in the water with quick-win implementations – to address rising costs for password management by offering self-service, for example – and then progress through provisioning into a handful of core identity systems, synchronization of passwords between authoritative system, etc. This approach often allows the organization time to see that identity can be leveraged as a service for other business needs.

A large financial institution, for example, mandated that all its lines of business use a centralized in-house identity governance solution, then charged each LOB to use the service. This could be done only with a service approach to identity, which became possible once the beachhead of self-service password management had been established.

In our next post, we’ll explore the reasons why organizations must make the transition to new, cloud-based IAM models if they hope to compete in a world where business has moved online. For more information on the services and offerings at Simeio Solutions, you can learn more by going to www.simeiosolutions.com

 

Tuesday Jun 04, 2013

Putting the EASY into ESSO! by Matthew Scott (aurionPro SENA Blog Series - Ch1)

Enterprise Single Sign-On occupies an unusual position in the field of IAM. In automating the sign-on of users to their applications, it is somewhat uniquely, a client-side application. For some of our customers, the role of enterprise SSO in an IAM programme isn’t entirely clear. I’ve spoken with many security architects who view its use as somehow tantamount to cheating. Surely, they assert, if we fully integrate systems at the back-end then the need for a client component doing sign-on becomes unnecessary. Architecturally this may be true. But the realities are that users have issues with passwords right now. Enterprise single sign-on addresses problems immediately. However, it’s also much more than just a tool that signs the user on to anything from their desktop. It is a tool that can be used to solve related business problems and technical challenges just as well as it can deliver users from their credential nightmares.

In this series of four articles, we will explore how enterprise SSO can be used to deliver these additional benefits. We will cover zero touch credential provisioning, making enterprise single sign-on an integrated part of an IAM programme and the management of delegated accounts. First, however, we’ll start with an easy one… making everyone happy all at the same time!

Capturing business requirements for identity and access management projects can be an art. There are so many interested parties – technical, legal, HR, end-users, application owners to name but a few – that it’s rare to reach a speedy consensus. I was in one such meeting with a customer a while back who were trying to explore what the success criteria would be for their enterprise single sign-on initiative. Relatively straightforward, you’d think, but after five hours the customer was still going round in circles! It wasn’t until the project sponsor finally arrived at the meeting and spoke about his vision that sanity was restored. His single request? His single measure? “Make it easy for my users!” That’s all he wanted. If other benefits accrued, that was a bonus.

Oracle’s Enterprise Single Sign-non Suite Plus (Oracle ESSO) is designed to do precisely what the project sponsor wanted. It includes a number of technologies designed to relieve the pain of passwords, by reducing the number of forgotten or incorrect credentials that a user has, whilst simultaneously making it easier to provide those same credentials to users without compromising security. What’s more, these benefits can be obtained surprisingly quickly – Oracle ESSO has a very light footprint and a flexible framework approach to managing credentials for almost any application. Web, Windows, Cloud or mainframe, passwords can quickly be eliminated as a source of pain for users and IT staff alike.

Oracle ESSO takes the management of credentials away from users. It stores passwords in a secure manner so that the user cannot forget it. It manages the password lifecycle, securely updating credentials when they expire. And it streamlines the user experience – application logon is handled automatically, so the user can get to work immediately without having to fumble over the username and password.

Of course, Oracle ESSO also allows the organisation to achieve lots of other benefits if it’s implemented correctly – reduced number of calls to helpdesk, increased productivity through faster password resets and so on. But fundamentally, as a user-facing tool it has to be one that’ll gain rapid acceptance for its deployment to be heralded as a success. The additional benefits won’t appear if the users don’t adopt the new tools they’re given.

aurionPro SENA has considerable experience with the Oracle ESSO suite. In fact, we’ve got the deployment of Oracle ESSO down to a fine art. Referring back to our original customer above – speed of deployment was important. “Proof of concept in days, pilot in weeks, deployment in two months” was the mantra. All with no significant operational impact on either end-users or IT personnel. We helped the customer achieve these goals. Deploying Oracle ESSO requires a delicate balance of technical knowledge, light-touch project management and extremely well-managed engagement with the end-user community. The last element is the most important. Involving key users as early as possible when their applications are being ‘profiled’ for single sign-on helps to ensure that they buy in to the end goal. They understand how Oracle ESSO will enhance the way that they work and are keen to share this with other users. If done right, a cascade of anticipation can ripple through the user community so that, rather than fearing change as can often happen with IT projects, the users are willing the change to arrive sooner! The use of appropriate briefing tools, promotion of the new system and similar techniques can further enhance the effectiveness of the final Oracle ESSO rollout.

So, Oracle ESSO makes it easy for end-users. That’s great, that’s exactly what our customer wanted, and it’s what any user-facing application should strive to do. Deploying Oracle ESSO, when managed properly, is one of those very unusual IT projects, though. Not only does it make things easier for end-users, it also makes things easier for IT support teams, helpdesk operators, auditors and a whole range of teams within the organisation. So it’s win-win all round.

But this is just the starting point. Oracle ESSO acts as a great launch pad for customers looking to further streamline credential management, giving users a better experience whilst also improving security and providing previously unavailable audit data. Stay tuned as we demonstrate how you can unlock the potential of Oracle ESSO.

 

About

Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
3
4
5
6
7
8
11
12
13
15
17
18
19
20
21
22
24
25
26
27
28
29
30
   
       
Today