By Naresh Persaud on Jun 03, 2013
If you have downloaded Identity Management R2 PS1 and are looking for a good summary of capabilities, the presentation below by Marc Boroditsky, Vice President of Product Management, provides a good preview.
As regulatory pressure and security threats continue to rise, the Chief Security Officer (CSO) role is gaining more importance in many organizations. With security spending at an all-time high, many CSOs are re-thinking their priorities and focusing on risk. A recent CSO Market Pulse survey of IT executives found that in most organizations IT spending is not aligned with risk.
Mary Ann Davidson, Oracle Corp CSO, joins us for this exclusive webcast to discuss the findings of the survey. One of the most important voices among computer security practitioners today, Davidson describes how CSOs and other IT leaders can use this information to reduce risk in the enterprise. To Register Click Here.
Webcast Date: Thursday, July 18, 2013
Time: 10:00 PM PST
Speaker: Mary Ann Davidson, Chief Security Officer, Oracle
Registration: Click Here
Qualcomm discusses the benefits of closed-loop compliance remediation and other key features of Oracle’s latest Identity Management release that enable them to meet business objectives, manage user access attestations, and enforce compliance.
Join us in watching this short video to understand how Oracle is enabling Qualcomm to meet and exceed their compliance goals with Oracle Identity Management. Click HERE to watch the video
If you are moving applications to the cloud or extending your applications to mobile devices, you will be concerned with securing the device interaction with users and with back end components that reside behind your perimeter. In Identity Management 11g R2 Patch Set 1, we have enhanced and released Oracle API Gateway to enable organizations to address the challenges of service oriented security, applications on mobile devices and applications in the cloud. Patch Set 1 is another step in rationalizing a platform approach to Identity and Access Management to enable organizations to modernize security. For a primer on Oracle API gateway, Apple Bagwell simplified the topic and captured it in a Prezi. Apple recently presented an overview to the Identity Architect Forum which was well received. He does a great job of simplifying and demystifying the topic. Click here to view the Prezi.
The latest docs to the Oracle API Gateway can be found here. For more resources on Identity Management R2 Patch Set 1, see the links below.
Oracle Unified Directory has set the bar for performance. Built from the ground up to provide elastic scale, Oracle Unified Directory (OUD) is interoperable with all directories in the Oracle Directory Services Suite.
With the Patchset 1 release OUD now combines the capabilities of Oracle Virtual Directory. With a combined directory, organizations can lower operating cost by consolidating directory silos using a single directory server. Instead of having multiple infrastructures and separate administrators, a unified solution can provide better administrative ratios and economies of scale.
A unified solution helps organizations embracing the cloud with a single solution to provide high scale reads and writes for authentication and authorization. For cloud applications, a single directory can store location data, personalization data and provide a single interface for external data.
For more information on getting started with Identity Management R2 PS1 click here for the documentation. You can learn more about Identity Management R2 PS1 from these resources:
We extend our congratulations to the team at Virgin Media for winning the award for best Identity and Access Management project at the European Identity Conference in Munich this week. Excerpt below from the European Identity Conference.
In the category “Best Identity and Access Management Project”, the award goes to Virgin Media for the implementation of highly polished access control mechanisms with IAM technologies for the WiFi network of the London Underground metro system. This project went live for the 2012 Summer Olympics and had to meet very demanding requirements for high performance user authentication.
You can learn more about the Virgin Media story by viewing this on demand webcast here.
The growing number of business applications and services that employees need to access makes it increasingly difficult for organizations to create and remove accounts and privileges in a timely fashion, and keep track of everything for compliance purposes. Help-desk costs related to manual account administration and password reset also prove challenging.
To learn more about how Oracle can help your organization deal with these challenges by reducing costs, decreasing exposure and risk, and improving IT efficiencies through Identity Management, download our data sheet on Oracle On Demand Provisioning Service.
Committed to developing and delivering life-changing medicine, University of Pittsburgh Medical Center (UPMC) is a US$10 billion, integrated, global health enterprise and one of the leading health systems in the United States. UPMC operates more than 20 academic, community, and specialty hospitals and 400 outpatient sites; employs more than 3,200 physicians; and offers an array of rehabilitation, retirement, and long-term care facilities. It is also Pennsylvania’s largest employer and the first nonprofit health system to fully adopt Sarbanes-Oxley standards.
A recognized innovator in information technology, UPMC has deployed an electronic health record across its hospitals and has implemented a semantic interoperability solution to unify information from multiple systems.
UPMC had an in-house-developed identity and access management system in place for eight years. As the healthcare organization’s identity management requirements continued to evolve and become more complex, it decided to move to a commercial, off-the-shelf offering and chose Oracle Identity and Access Management Suite. The solution will provide UPMC with the scalability it requires: managing identities and access for more than 75,000 system users, which include employees as well as contract staff and medical students on rotation in the organization. It will also deliver the flexibility UPMC requires to continue to adapt its environment to accommodate new systems and requirements.
For the full article, click HERE
For more information on how UPMC and Oracle have partnered to help smaller hospitals with identity management, check our PRESS RELEASE.
Oracle recently worked with CSO Online to study the economics of security. Despite the increasing IT spend on security, many organizations don't feel any safer. According to the study, organizations allocate up to 67% of their IT security spend to protecting network resources. However, the biggest risk in many organizations is weak governance controls on user access and application security. According to the latest Verizon Data Breach Report 2013, 76% of attacks utilize lost or stolen credentials as a means of entry or of propagating the attack.
According to the survey, 40% believed that implementing fragmented point solutions created gaps in their security and resulted in vulnerability. Fragmentation creates latency in security processes and latency introduces risk. According to a similar study by Aberdeen Research, organizations that take an integrated platform approach had 35% fewer audit deficiencies and were more responsive.
The findings underscore the relevance of Oracle’s “security inside-out” approach which means focusing attention on the organization's most strategic assets which include applications, databases, systems, and users.
Read the details here
If you have downloaded the latest Identity Management release, then you will find these notes helpful. If you have not downloaded the latest release, you can download it here. This article is the first in a series that will explore new features in the R2 PS1 release. R2 PS1 is the latest release to continue the convergence of the Identity suite. If you are using Identity Manager for provisioning or Identity Analytics for access certification you will like the new converged Identity Auditor feature that provides integrated analytics directly in the provisioning process.
Now provisioning and analytics share a single integrated data model. This is good news for audit and compliance because it ensures that the data being certified is as recent as possible. For many organizations, by the time the certification actually takes place, the data being certified may be out of date. By having a single repository, the latest data from the provisioning process is used directly in the certification review. This removes the need for a compensating control.
The integrated data model has the added benefit of close to real time certification which means that changes to user entitlements can automatically trigger certification reviews without any integration necessary. The goal is to reduce the workload of access certification and keep the organization always certified.
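To make the difference between a point-in-time export and a shared data model concrete, here is an added illustration in Python. It is a simplified model written for this post, not Oracle Identity Manager or Identity Analytics code; the class and method names (IdentityStore, CertificationItem, snapshot_view) and the sample user and entitlements are assumptions. A grant or revoke is written once and is immediately visible to the reviewer, and each change queues its own review item, which is the "close to real time certification" behaviour described above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed, simplified model of a converged provisioning/certification store.
# Names here are assumptions for this example, not product APIs.


@dataclass
class CertificationItem:
    user: str
    entitlement: str
    action: str            # "grant" or "revoke"
    queued_at: datetime
    status: str = "pending"


@dataclass
class IdentityStore:
    # user -> set of entitlements, written by provisioning and read by certification
    entitlements: dict = field(default_factory=dict)
    review_queue: list = field(default_factory=list)

    def grant(self, user, entitlement, when):
        self.entitlements.setdefault(user, set()).add(entitlement)
        # the change itself triggers a review item; no separate integration job
        self.review_queue.append(CertificationItem(user, entitlement, "grant", when))

    def revoke(self, user, entitlement, when):
        self.entitlements.get(user, set()).discard(entitlement)
        self.review_queue.append(CertificationItem(user, entitlement, "revoke", when))

    def pending_reviews(self):
        return [item for item in self.review_queue if item.status == "pending"]

    def live_view(self, user):
        """What a reviewer sees when reading the shared store directly."""
        return set(self.entitlements.get(user, set()))


def snapshot_view(store, user):
    """Point-in-time export, as a separate analytics repository would hold it."""
    return set(store.entitlements.get(user, set()))


def demo():
    # constructed timeline: a grant, an export for a quarterly campaign,
    # then a revoke and a new grant before the reviewer looks at the data
    t0 = datetime(2013, 6, 1)
    store = IdentityStore()
    store.grant("alice", "finance_app:approver", t0)
    snap = snapshot_view(store, "alice")
    store.revoke("alice", "finance_app:approver", t0 + timedelta(days=3))
    store.grant("alice", "hr_app:reader", t0 + timedelta(days=5))
    return {
        "snapshot_certifies": snap,                       # stale: still shows the revoked right
        "live_certifies": store.live_view("alice"),       # current: only hr_app:reader
        "auto_queued": [(i.entitlement, i.action) for i in store.pending_reviews()],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The snapshot still certifies an entitlement that was revoked two days after the export, which is exactly the out-of-date review the paragraph warns about; the live view and the automatically queued items reflect every change.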
For more information on getting started with Identity Management R2 PS1 click here for the documentation. You can learn more about Identity Management R2 PS1 from these resources:
This year's European Identity Conference is devoted to cloud, mobile and social. This promises to be an exciting event this year. Here is a link to the conference. You will not want to miss Peter Boyle and Mike Neuenschwander. Peter's keynote is on Thursday May 16th. Peter Boyle is Head of Identity Services for BT. Below is an abstract for his talk.
If Your Customers Don't Feel Safe, They Will Leave You
More than 559 million adults have been victims of cyber-crime - that´s more than the population of the European Union. More businesses are trying to connect with customers on social and mobile but, 15% of social networking users have had accounts infiltrated and 21% have fallen prey to mobile or social attacks. Only one incident can cause a customer to shift brands. If you are trying to find new paths to market online, don´t miss this session. Securing the customer experience should be the top priority for any business initiative involving cloud, mobile and social. Faced with the need to secure a growing hosting business with more than 10,000 customers accessing services on-line, British Telecom Identity enabled their applications to secure their customer data and transactions. In this session, Peter Boyle Head of Identity Services for BT will discuss how to keep your customer safe, loyal to your brand and keep them coming back for more.
Mike Neuenschwander will speak in the following sessions:
Educational institutions have a dynamic ecosystem with students, teachers and operational administration requiring significant IT and helpdesk resource investment. Victoria University in Melbourne, Australia embarked on an identity management project to automate and streamline access and authorization to the University’s systems for over 55,000 students and 3000 staff.
Check out the following video to see how the University simplified the sign-on process for students, empowered them with self-service and, in the process, eliminated helpdesk overhead.
With the recent discovery of Richard III in a Leicester parking lot, we realize that authenticating an individual is as important as authenticating a king. Your identity is king.
The recent twitter #authchat provides a good survey of authentication techniques. Authenticating Richard required many of the same identity management techniques we use in software. Here are a few observations:
DNA evidence from two related descendants was critical in verifying the identity of the king. The same is true for the way we authenticate today. While we may use fingerprint readers on our laptops and in our data centers, we still rely on additional factors of authentication beyond biometrics. From the description of the battle of Bosworth, many thumbs and fingers were most likely misplaced – lots of parts everywhere. If Richard were alive today, he would have commanded, “my kingdom for a thumb!” If the researchers had tested DNA from the wrong thumb, the results would have been wrong. Biometrics are only a piece of the puzzle.
Third Party Verification
The research team had to find a descendant to verify the DNA of Richard III. DNA, like a certificate, on its own is not enough to prove who you are. A third party has to vouch for the fact that the information is correct. We may think we are advanced because we can make an instant SAML request to an identity provider to log into our 401K plan or download a ringtone, but it is perhaps more amazing that the team found an identity provider (Richard's descendant nephew) across 500+ years of the family tree, in a country thousands of miles away.
Finding the king and verifying the identity were almost equally challenging tasks. The location information from history played a role. In addition, the context of the injuries and the battle description were all indicators that helped to confirm the identity. Other factors including radio carbon dating and food consumption patterns were all part of the context used in the formula. Today, with many users with different roles accessing our systems, adaptive access and context aware security are used to complement authentication. Now, we may be a long way from using food consumption patterns to authenticate a user on a banking website, but I would not rule it out. It gives validity to the claim “you are what you eat.”
The key is that no single form of authentication is sufficient in all circumstances. Context helps to provide ongoing assurance that we are dealing with the correct user. It turns out Richard III was not the tyrant he is remembered as, but perhaps just the victim of identity fraud. Congrats to the research team – truly a remarkable accomplishment, and the discovery demonstrates that “the king’s name is [still] a tower of strength” (Shakespeare, Richard III) – especially given the amount of media exposure.
Thanks to everyone that joined us for the live webcast on January 31.
For those of you that missed it, the webcast was recorded and I will post the replay link here when it becomes available.
Webcast replay is now available here: click for replay (note: you may have to scroll down to find it)
We were not able to get to all the questions during the call, so I have retrieved the list of questions, and will send them to the Avea team to answer.
I have also posted the slides below.
There’s an accelerating trend in the workplace raising new challenges for today’s CIO: the bring your own device (BYOD) revolution. The use and acceptance of mobile devices in the workplace is a critical issue that many chief executives are considering for their corporate environment. A BYOD strategy enables an employee to use a single device with the flexibility and usability they prefer, while providing access to both their personal and business applications and data. There are also potential cost savings for the enterprise as the employee may bear the cost of the device and the ongoing mobile access plan. An enterprise should consider the extent to which BYOD will be embraced, and the challenges BYOD presents as a part of an enterprise’s overall mobile security management strategy.
Before embarking on this journey, an organization should first decide – why BYOD? Does the increased user productivity and availability of data outweigh the risk and the associated mitigation expense? There are risks introduced at the device, application and infrastructure levels that present new challenges. These challenges may vary from compliance issues, to data leaks, to malware and challenges will likely only intensify as the number of mobile devices and operating systems proliferate. Another option is that the employer can provide employees with a mobile device hoping to enhance their productivity and ability to support the organization remotely. The illustrative chart below depicts some of the Pros and Cons of an employer providing corporate mobile devices versus letting employees use their own mobile phones and tablets.
[Chart: pros and cons of employer-provided mobile devices versus Bring Your Own]
As an organization gains an understanding of the key risks that may affect the business, the next step is determining and defining the approach to a secure BYOD solution deployment. One of the primary risks of mobile devices to the enterprise is the security of data that is stored on the devices. Corporate email, financial and marketing data and any other sensitive data may leak out of the organization if the device is not encrypted and adequately protected.
Another point to consider is how the organization might prevent rogue mobile devices from accessing the network. What will prevent users from bringing in their own unpatched/unapproved devices into the environment? Network Access Control (NAC) solutions may help to solve this issue. These solutions have become a popular way to manage the risk of employee owned devices. NAC allows organizations to control which devices can access each level of the organization’s internal network. For example, NAC can limit how a device can connect to the network, what it can access, prevent downloading and potentially prohibit a device from connecting at all. A “health-check” that inspects for required security configurations and controls can be performed before allowing a device to connect to the network to keep the network safe from viruses and malware that could be on an employee owned mobile device. If a “health-check” is not performed before the device is allowed on the network, the scenario described below could occur:
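As an added illustration of the pre-admission “health-check” just described, here is a small posture evaluation in Python. It is written for this post and is not any NAC vendor's product logic; the required controls, the patch baseline, the hard-fail conditions, the three network tiers and the sample devices are all assumptions. The point it shows is that the check decides not only whether a device connects but at what level (full corporate access, a quarantine segment for remediation, or no connection at all), and that it records why.

```python
from typing import Dict, List, Tuple

# Constructed policy for this example; real NAC policies are defined per organization.
REQUIRED_CONTROLS = {
    "disk_encrypted": True,   # addresses data-at-rest leakage from a lost device
    "mdm_enrolled": True,     # device is under management, so policy can be enforced
    "screen_lock": True,
}
MIN_PATCH_LEVEL = 20130501    # constructed YYYYMMDD baseline of the oldest acceptable patch set
HARD_FAIL_FLAGS = ("rooted_or_jailbroken", "malware_detected")


def assess_device(posture: Dict) -> Tuple[str, List[str]]:
    """Return (network_tier, findings) for a device posture report.

    Tiers (assumed for this example):
      'corporate'  - passes every check, full internal access
      'quarantine' - missing a required control or out of date, remediation-only segment
      'blocked'    - compromised device, no connection at all
    """
    findings: List[str] = []

    # conditions that end the evaluation immediately
    for flag in HARD_FAIL_FLAGS:
        if posture.get(flag):
            findings.append(f"{flag}=true")
    if findings:
        return "blocked", findings

    # required security configurations and controls
    for control, required in REQUIRED_CONTROLS.items():
        if posture.get(control) != required:
            findings.append(f"{control} missing")

    patch_level = posture.get("patch_level", 0)
    if patch_level < MIN_PATCH_LEVEL:
        findings.append(f"patch_level {patch_level} below baseline {MIN_PATCH_LEVEL}")

    # employee-owned devices must keep corporate data in a managed container (assumed rule)
    if posture.get("owner") == "employee" and not posture.get("corporate_container"):
        findings.append("employee-owned device without corporate container")

    return ("corporate" if not findings else "quarantine"), findings


# Constructed sample posture reports, as an agent or MDM integration might supply them.
SAMPLE_DEVICES = {
    "corp-laptop-01": {"owner": "corporate", "disk_encrypted": True, "mdm_enrolled": True,
                       "screen_lock": True, "patch_level": 20130520},
    "byod-phone-17": {"owner": "employee", "disk_encrypted": False, "mdm_enrolled": True,
                      "screen_lock": True, "patch_level": 20130515, "corporate_container": True},
    "byod-tablet-03": {"owner": "employee", "disk_encrypted": True, "mdm_enrolled": True,
                       "screen_lock": True, "patch_level": 20130515, "corporate_container": True,
                       "rooted_or_jailbroken": True},
}


def assess_all(devices: Dict[str, Dict]) -> Dict[str, Tuple[str, List[str]]]:
    return {name: assess_device(posture) for name, posture in devices.items()}


if __name__ == "__main__":
    for name, (tier, findings) in assess_all(SAMPLE_DEVICES).items():
        print(f"{name}: {tier} {findings}")
```

In practice the posture report comes from an endpoint agent or the MDM system and the tier maps to a VLAN or firewall policy; the findings list is what the help desk and the user need in order to remediate a quarantined device.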
When determining the desired approach, it is critical for an organization to understand the specific use cases and incorporate key business drivers and objectives. This will allow the enterprise to determine if the primary objectives from a mobile security perspective are device, or data centric or a combination of both for their BYOD program.
A device-centric approach focuses on the mobile device and associated security controls. This approach is typically centered on how the devices are managed, how policies are enforced, data encryption on the local device and solutions such as secure containers. Some key considerations supporting this approach include:
• Mobile device management (MDM)
• Minimal device data footprint
• Strict device policy enforcement
• Local data encryption
A data-centric approach focuses on the data stored or processed by the mobile device and how it is secured and transmitted. This approach considers how the data is managed on the devices, transmission security, virtualization and data integrity. Some key considerations are:
For a solid BYOD approach, not only are well defined policies and standards critical, but the technology that enforces this governance should be in place to help ensure that the standards are adhered to. Many organizations may have well defined and communicated policies, but enforcing these restrictions on their users may be a daunting task without the appropriate technology and security framework. To facilitate this approach, mobile security requirements should be defined. A gap analysis should be conducted comparing current state capabilities to the desired state. Next, an overall mobile security operations framework should be developed and the operational processes to support this framework need to be defined. If the mobile security framework is planned appropriately to support a BYOD program and the risks are mitigated throughout the lifecycle, enterprises may see increased user productivity and satisfaction.
About the Writer:
Tim Sanouvong is a Senior Manager in Deloitte & Touche LLP’s Security & Privacy practice with 13 years of experience in the information security area. He specializes in leading large security projects spanning areas such as security strategy and governance, mobile security, and identity and access management. He has consulted for several clients across diverse industries such as financial services, retail, healthcare, state government, and aerospace and defense.
This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.
About Deloitte
Copyright © 2013
Deloitte Development LLC. All rights reserved.
Member of Deloitte Touche Tohmatsu Limited
Founded in 1996, Telenet began as a European broadband services pioneer. Today, the company is a market leader in Belgium for residential high-speed internet, telephony, and digital television services. It serves 1.24 million digital television subscribers, 1.22 million internet customers, and 815,000 fixed telephony accounts. Telenet Solutions, the company’s business market division, offers a complete communications solutions portfolio for organizations and corporations, holding a commanding lead in the Belgian/Luxembourg business market.
Telenet implemented Oracle Identity Management to centralize identity management and security operations. Leveraging Oracle Identity Manager and Oracle Identity Analytics (part of Oracle Identity Governance Suite), Telenet managed to automate user account administration, streamline user access control, optimize license management and offer insight into who had access to what business applications.
For more information on Telenet’s implementation, check out the case study and the following video.
Mobile Device Policy is a hot topic for IT - everyone knows they need a policy and enforcement tools, but few companies have actually created a formal policy covering employee owned devices.
Oracle and SANS teamed up to present a comprehensive look at mobile device policy: in the first segment, security expert Tony DeLaGrange presents current trends in mobile device policy based on a recent SANS survey. In the second segment, SANS legal expert Ben Wright discusses the pros and cons of various BYOD policies from legal perspective. And in the third segment, Oracle's own Lee Howarth presents the technology and software necessary to enforce mobile device and application access policies.
Click this link to register and listen to the replay: Webcast Registration
The presentation for this webcast is posted below.
About the Writer:
Des Powley is Director of Product Management for aurionPro SENA Inc., the leading global Oracle Identity and Access Management specialist delivery and product development partner.
In October 2012 aurionPro SENA announced the release of the Mobile IDM application that delivers key Identity Management functions from any mobile device.
The move towards an always-on, globally interconnected world is shifting businesses and consumers alike away from traditional PC-based enterprise application access and more and more towards an ‘any device, same experience’ world. It is estimated that within five years, in many developing regions of the world, the PC will be obsolete, replaced entirely by cheaper mobile and tablet devices. This will give a vast number of new entrants to the Internet their first experience of the online world, and it will only be via these newer, mobile access channels.
Designed to address this shift in working and social environments, and released in October 2012, the aurionPro SENA Mobile IDM application directly addresses this emerging market and requirement by improving the Identity Management (IDM) experience for administrators, consumers and managers with a mobile application that provides rapid access to frequently used IDM services from any mobile device.
Built on the aurionPro SENA Identity Service platform, the mobile application uses Oracle’s Cloud, Mobile and Social capabilities and Oracle’s Identity Governance Suite for its core functions. The application has been developed using standards-based APIs to ensure seamless integration with a client’s on-premise IDM implementation or, equally seamlessly, with the aurionPro SENA Hosted Identity Service.
The solution delivers multi platform support including iOS, Android and Blackberry and provides many key features including:
• An easy-to-access view of all of a user's own access privileges
• The ability for managers to approve and track requests
• Simple raising of requests for new applications, roles and entitlements through the service catalogue
This application has been designed and built with convenience and security in mind. We protect access to critical applications by enforcing PIN based authentication whilst also providing the user with mobile single sign on capability.
This is just one of the many highly innovative products and services that aurionPro SENA is developing for our clients as we continually strive to enhance the value of their investment in Oracle’s class-leading 11g R2 Identity and Access Management suite.
The Mobile IDM application is a key component of our Identity Services Suite that also includes Managed, Hosted and Cloud Identity Services. The Identity Services Suite has been designed and built specifically to break the barriers to delivering Enterprise, Mobile and Social Identity Management services from the Cloud.
aurionPro SENA - Building next generation Identity Services for modern enterprises.
To view the app please visit http://youtu.be/btNgGtKxovc
For more information please contact firstname.lastname@example.org
Author: Kevin Moulton
Kevin Moulton has been in the security space for more than 25 years, and with Oracle for 7 years. He manages the East Enterprise Security Sales Consulting Team. He is also a Distinguished Toastmaster. Follow Kevin on Twitter at twitter.com/kevin_moulton, where he sometimes tweets about security, but might also tweet about running, beer, food, baseball, football, good books, or whatever else grabs his attention. Kevin will be a regular contributor to this blog so stay tuned for more posts from him.
It happened again! There I was, reading something interesting online, and realizing that a friend might find it interesting too. I clicked on the little email link, thinking that I could easily forward this to my friend, but no! Instead, a new screen popped up where I was asked to create an account. I was expected to create a User ID and password, not to mention providing some personally identifiable information, just for the privilege of helping that website spread their word.
Of course, I didn’t want to have to remember a new account and password, I didn’t want to provide the requisite information, and I didn’t want to waste my time. I gave up, closed the web page, and moved on to something else. I was left with a bad taste in my mouth, and my friend might never find her way to this interesting website. If you were this content provider, would this be the outcome you were looking for?
A few days later, I had a similar experience, but this one went a little differently. I was surfing the web when I happened upon some little tchotchke that I just had to have. I added it to my cart. When I went to buy the item, I was again brought to a page to create an account. Groan!
But wait! On this page, I also had the option to sign in with my OpenID account, my Facebook account, my Yahoo account, or my Google Account. I have all of those! No new account to create, no new password to remember, and no personally identifiable information to be given to someone else (I’ve already given it all to those other guys, after all).
In this case, the vendor was easy to deal with, and I happily completed the transaction. That pleasant experience will bring me back again.
This is where security can grow your business. It’s a differentiator. You’ve got to have a presence on the web, and that presence has to take into account all the smart phones everyone’s carrying, and the tablets that took over cyber Monday this year. If you are a company that a customer can deal with securely, and do so easily, then you are a company customers will come back to again and again.
I recently had a need to open a new bank account. Every bank has a web presence now, but they are certainly not all the same. I wanted one that I could deal with easily using my laptop, but I also wanted 2-factor authentication in case I had to login from a shared machine, and I wanted an app for my iPad. I found a bank with all three, and that’s who I am doing business with.
Let’s say, for example, that I’m in a regular Texas Hold-em game on Friday nights, so I move a couple of hundred bucks from checking to savings on Friday afternoons. I move a similar amount each week and I do it from the same machine. The bank trusts me, and they trust my machine. Most importantly, they trust my behavior. This is adaptive authentication. There should be no reason for my bank to make this transaction difficult for me.
Now let's say that I login from a Starbucks in Uzbekistan, and I transfer $2,500. What should my bank do now? Should they stop the transaction? Should they call my home number? (My former bank did exactly this once when I was taking money out of an ATM on a business trip, when I had provided my cell phone number as my primary contact. When I asked them why they called my home number rather than my cell, they told me that their “policy” is to call the home number. If I'm on the road, what exactly is the use of trying to reach me at home to verify my transaction?)
But, back to Uzbekistan…
Should my bank assume that I am happily at home in New Jersey, and someone is trying to hack into my account? Perhaps they think they are protecting me, but I wouldn’t be very happy if I happened to be traveling on business in Central Asia.
What if my bank were to automatically analyze my behavior and calculate a risk score? Clearly, this scenario would be outside of my typical behavior, so my risk score would necessitate something more than a simple login and password. Perhaps, in this case, a one-time password to my cell phone would prove that this is not just some hacker half way around the world.
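Here is an added sketch, in Python, of the behaviour-based risk scoring described in this post. It is an illustration written for this blog, not Oracle's product logic; the weights, the step-up threshold, the profile fields and the two scenarios (the Friday transfer from the usual laptop, and the larger transfer from an unfamiliar machine in another country) are all constructed. The usual case passes with no extra friction, the unusual one is held until a one-time code confirms the user, and every decision carries the reasons so the outcome can be explained and tuned.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Set, Tuple

# Constructed weights and threshold for this example; a real deployment tunes these
# against observed fraud and false-positive rates.
WEIGHTS = {
    "unknown_device": 30,    # device fingerprint not seen for this user before
    "unusual_country": 40,   # session origin differs from the user's usual country
    "large_amount": 30,      # more than 3x the user's typical transfer
    "elevated_amount": 15,   # more than 1.5x the user's typical transfer
}
STEP_UP_THRESHOLD = 30       # at or above this score, require a second factor


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_country: str
    recent_transfers: List[float]   # constructed history of past transfer amounts


def risk_score(profile: UserProfile, device_id: str, country: str,
               amount: float) -> Tuple[int, List[str]]:
    """Score one transaction against the user's own history; return (score, reasons)."""
    score, reasons = 0, []
    if device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append(f"unknown device {device_id}")
    if country != profile.usual_country:
        score += WEIGHTS["unusual_country"]
        reasons.append(f"login from {country}, usually {profile.usual_country}")
    baseline = median(profile.recent_transfers) if profile.recent_transfers else 0
    if baseline and amount > 3 * baseline:
        score += WEIGHTS["large_amount"]
        reasons.append(f"amount {amount} is more than 3x typical {baseline}")
    elif baseline and amount > 1.5 * baseline:
        score += WEIGHTS["elevated_amount"]
        reasons.append(f"amount {amount} is more than 1.5x typical {baseline}")
    return score, reasons


def authorize(profile: UserProfile, device_id: str, country: str, amount: float,
              otp_ok: Optional[bool] = None) -> Tuple[str, int, List[str]]:
    """Decide 'allow', 'step_up' or 'deny'.

    otp_ok is None on the first pass; when the score demands step-up, the caller
    sends a one-time code out of band (e.g. to the registered cell phone) and calls
    again with the verification result.
    """
    score, reasons = risk_score(profile, device_id, country, amount)
    if score < STEP_UP_THRESHOLD:
        return "allow", score, reasons
    if otp_ok is None:
        return "step_up", score, reasons
    return ("allow" if otp_ok else "deny"), score, reasons


# Constructed profile: one known laptop, usually in the US, weekly transfers around $200.
PROFILE = UserProfile(known_devices={"home-laptop"}, usual_country="US",
                      recent_transfers=[200, 200, 250, 200, 300])

if __name__ == "__main__":
    print(authorize(PROFILE, "home-laptop", "US", 200))         # the Friday afternoon transfer
    print(authorize(PROFILE, "cafe-pc", "UZ", 2500))            # unfamiliar machine abroad
    print(authorize(PROFILE, "cafe-pc", "UZ", 2500, otp_ok=True))
```

The design point is that the second factor is demanded only when the behaviour departs from the user's own baseline, so the regular customer never sees it, while the anomalous session is verified through a channel the user registered in advance.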
But, what if you're not a bank? Do you need this level of security? If you want to be a business that is easy to deal with while also protecting your customers, then of course you do.
You want your customers to trust you, but you also want them to enjoy doing business with you. Make it easy for them to do business with you, and they’ll come back, and perhaps even Tweet about it, or Like you, and then their friends will follow.
How can Oracle help?
Oracle has the technology and expertise to help you grow your business with security.
will help you to prevent fraud while making it easier for your customers to do business with you by providing the risk analysis I discussed above, step-up authentication, and much more.
will help you to secure mobile access to applications by expanding on your existing back-end identity management infrastructure, and allowing your customers to transact business with you using the social media accounts they already know. You also have device fingerprinting and metrics to help you to grow your business securely.
Security is not just a cost anymore. It’s a way to set your business apart. With Oracle’s help, you can be the business that everyone’s tweeting about.
Image courtesy of Flickr user shareski
On October 25, 2012 ISACA and Oracle sponsored a webcast discussing how SUPERVALU has embraced the platform approach to IDM. Scott Bonnell, Sr. Director of Product Management at Oracle, and Phil Black, Security Director for IAM at SUPERVALU discussed how a platform strategy could be used to formulate an upgrade plan for a large SUN IDM installation.
See the webcast replay here: ISACA Webcast Replay (Requires Internet Explorer or Chrome)
Some of the main points discussed in the webcast include:
If you attended any of the recent webcasts, then you heard several customer testimonials discussing early adoption of Identity Management 11g R2. If you missed a chance to connect with product managers from Oracle in person regarding the new release, here are a few physical events that you may wish to attend. Click on a city below to register.
Atlanta IdM 11g Forum
Wednesday, December 5, 2012
Orlando IdM 11g Forum
Thursday, December 6, 2012
Scottsdale IDM 11g Forum
Tuesday, December 11, 2012
If you missed any of the customer presentations you can read the Kaiser and BT testimonials in Oracle Magazine - Security on The Move.
On October 17th, I posted a short blog and a podcast interview with Chirag Andani, talking about how Oracle IT uses its own IDM products. Blog link here.
In response, I received a comment from reader Jaime Cardoso (email@example.com) who posted:
“- You could have talked about how by deploying Oracle's open-standards-based technology you were able to integrate any new system in your infrastructure in days.
- You could have talked about how by deploying federation you were enabling the business side to keep all their options open in terms of companies to buy and sell while maintaining a perfect employee and customer single view.
- You could have talked about how you are now able to cut response times to your audit and security teams to 1/10th of your former times.
Instead you spent 6 minutes talking about single sign-on and self-provisioning? If I didn't know your IDM offer so well I would now be wondering what its differences from Microsoft's offer were.
Sorry for not giving a positive comment here but, please, your IDM suite is very good and you simply aren't promoting it well enough”
So I decided to send Jaime a note asking him about his experience, and to get his perspective on what makes the Oracle products great. What I found out is that Jaime is a very experienced IDM Architect with several major projects under his belt.
Darin Pendergraft: Can you tell me a bit about your experience? How long have you worked in IT, and what is your IDM experience?
Jaime Cardoso: I started working in "serious" IT in 1998 when I became Netscape's technical specialist in Portugal. Netscape Portugal didn't exist, so I was working for their VAR here. Most of my work at the time was with Netscape's mail server and LDAP server.
Since that time I've been bouncing between the systems side, like Sun resellers, Solaris stuff and even working with Sun's Engineering in the making of a Hierarchical Storage Product (Sun CIS if you know it), and the applications side, mostly in LDAP and IDM.
Over the years I've been doing support, service delivery and pre-sales / architecture design of IDM solutions in most big customers in Portugal, to name a few projects:
- The first European deployment of Sun Access Manager (SAPO – Portugal Telecom)
- The identity repository of 5/5 of the Biggest Portuguese banks
- The Portuguese government federation of services project
DP: OK, in your blog response, you mentioned 3 topics:
1. Using Oracle's standards based architecture; (you) were able to integrate any new system in days: can you give an example? What systems, how long did it take, number of apps/users/accounts/roles etc.
JC: It's relatively easy to design a user management strategy for a static environment, or if you simply assume that you're an <insert vendor here> shop and all your systems will bow to that vendor's will. We've all seen that path, the use of proprietary technologies in interoperability solutions, but then reality kicks in. At an ISP I recall that I made the technical decision to use Active Directory as a central authentication system for the entire IT infrastructure. Clients, systems, apps, everything was there.
As a good part of the systems and apps were running on UNIX, a connector became needed in order to have UNIX boxes authenticate against AD. And that strategy worked, but each new machine required the component to be installed, monitoring had to be set up for that component and each new app had to be independently certified.
A self-care user portal was an ongoing project; AD access assumes the client is inside the domain, something the ISP's customers (and UNIX boxes) weren't, nor had any intention of ever being.
When the Windows 2008 rollout was done, Microsoft changed the Active Directory interface. The Windows administrators didn't have enough know-how about directories and the way systems outside the MS world behaved, so on the go-live things weren't properly tested and a general outage followed. Several hours and one rollback later, everything was back working.
But, the ISP still had to change all of its applications to work with the new access methods and reset the effort spent on the self service user portal. To keep with the same strategy, they would also have to trust Microsoft not to change interfaces again.
Simply by putting up an Oracle LDAP server in the middle and replicating the user info from the AD into LDAP, most of the problems went away. Even systems for which no AD connector existed had PAM in them, so integration was made at the OS level, fully supported by the OS supplier.
Sun Identity Manager already had a self-care portal, combined with a user workflow, so all the clearances had to be given before the account was created or updated.
Adding a new system as a client for these authentication services was simply a new checkbox in the OS installer and even Tru64 systems were, for the first time, integrated as well, with 5 minutes of work by a junior system admin.
True, all the Windows clients and MS apps still went to the AD for their authentication needs, so from the start everybody knew that they weren't 100% free of migration pains, but now they had a single point of problems to look at.
If you're looking for numbers:
- 500K directory entries (users)
- 2-300 systems
After the initial setup, I personally integrated about 20 systems / apps against LDAP in 1 day while being watched by the different IT teams. The internal IT staff did the rest.
DP: 2. Using Federation allows the business to keep options open for buying and selling companies, and yet maintain a single view for both employee and customer. What do you mean by this? Can you give an example?
JC: The market is dynamic. The company that's being bought today will be sold again tomorrow. Companies that spread across different markets may see the regulator forcing a sale of part of a company due to monopoly reasons, and companies that are in multiple countries have to comply with different legislations.
Our job, as IT architects, while addressing the customers' and employees' authentication services, is quite hard and quite contrary. On one hand, we need to give access to all of our employees to the relevant systems, apps and resources and, we already have marketing talking with us trying to find out who's a customer of the bought company but not of ours, to address them.
On the other hand, we have to do that and keep in mind we may have to break up all that effort, and that different countries' legislation may become a problem with a full integration plan.
That's a job for user Federation. You don't want to be the one who's telling your President that he will sell that business unit without its customers' database (making the deal worth a lot less) or that the buyer will take with him a copy of your entire customers' database. Federation enables you to start controlling permissions to users outside of your traditional authentication realm. So what if the people of that company you just bought are keeping their old logins? Do you want, because of that, to have a dedicated system for their expense reports? And do you want to keep their sales (and pre-sales) people out of the loop in terms of your group's path?
Control the information flow, establish a Federation trust circle and give access to your apps to users that haven't (yet?) been brought into your internal login systems. You can still see your users in a unified view, and you obviously control whether a user has access to any particular application, whether that user is in your local database or stored in a directory on the other side of the world.
DP: 3. Cut response times of audit and security teams to 1/10. Is this a real number? Can you give an example?
JC: No, I don't have any backing for this number.
One of the companies I did system administration for has a SOX compliance policy in place (I remind you that I live in Portugal so, this definition of SOX may be somewhat different from what you're used to) and, every time the audit team says they'll do another audit, we have to negotiate with them the size of the sample and we spend about 15 man-days gathering all the required info they ask for.
I did some work with Sun's Identity Auditor and, from what I've been seeing, Oracle's product is even better and, I've seen that most of the information they ask for would have been provided in a few hours with the help of this tool. I do stand by what I said here but, to be honest, someone from the Identity Auditor team would do a much better job than me explaining these time savings.
Jaime is right: the Oracle IDM products have a lot of business value, and Oracle IT is using them for a lot more than I was able to cover in the short podcast that I posted.
I want to thank Jaime for his comments and perspective. We want these blog posts to be informative and honest – so if you have feedback for the Oracle IDM team on any topic discussed here, please post your comments below.
Oracle Identity Management is a complete and integrated next-generation identity management platform that provides breakthrough scalability; enables organizations to achieve rapid compliance with regulatory mandates; secures sensitive applications and data regardless of whether they are hosted on-premise or in a cloud; and reduces operational costs. Oracle Identity Management enables secure user access to resources anytime on any device.